
Thread: Using MWA to remotely manage IIS on Server Core.

Last post 05-27-2008 10:48 AM by mvolo. 20 replies.


  • 01-09-2008, 7:00 PM

    Using MWA to remotely manage IIS on Server Core.

    Hi,

    I was playing with MWA (Microsoft.Web.Administration) to remotely connect to a Web server. I can connect to a remote IIS server installed on a full version of WS08 using the following commands:

    PS C:\> [System.Reflection.Assembly]::LoadFrom("C:\Windows\System32\inetsrv\Microsoft.Web.Administration.dll")

    PS C:\> $SrvMgr = [Microsoft.Web.Administration.ServerManager]::OpenRemote("IIS-FULL")

    Everything works great!

    I'd like to know whether I can use MWA to connect to a remote Web server installed on Server Core. If yes, what are the IIS components that need to be installed on Server Core? In my environment, I only install the basic component, i.e. IIS-WebServerRole.

    I have tried to create a remote connection. The command returns no error; I get a server manager object but it is empty (i.e. Null). I have disabled the firewall on server core just in case and have network connection to the server core machine. I can connect remotely from an MMC window to a server core box.

    Any help is greatly appreciated!

    /Dung

     

  • 01-10-2008, 10:50 PM In reply to

    Re: Using MWA to remotely manage IIS on Server Core.

    I personally haven't tried it and don't have my server core box handy.  Do you see the MWA.dll listed in c:\windows\system32\inetsrv on the server core box?

    Steve Schofield
    Windows Server MVP - IIS
    http://weblogs.asp.net/steveschofield


    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget
  • 01-13-2008, 6:58 PM In reply to

    • mailant
    • Top 150 Contributor
    • Joined on 09-21-2004, 2:58 PM
    • Posts 49

    Re: Using MWA to remotely manage IIS on Server Core.

    If you are automating the management of IIS7 on Server Core remotely, here are your options:

    • Microsoft.Web.Administration (MWA): Managed code can be run at master management machine, underlying COM objects are connected via DCOM
    • WMI: All objects can be remotely accessed
    • Microsoft.ApplicationHost.AdminManager (ahadmin): JScript/VBScript using DCOM
    • Windows PowerShell (using WMI/MWA): Not yet directly remotable, but can use WMI and MWA from it
    • WinRM / WinRS: Use with OCList, OCSetup, AppCmd, etc. (for running a single command remotely, but you lose your strong-typing)

    You can't remotely connect to the IIS UI on a Server Core installation because the Web Management Service won't work without the CLR.

    Can you post your code that isn't working with the remote installation of server core?

    Mai-lan Tomsen Bukovec
    Product Unit Manager
    IIS
  • 01-23-2008, 10:59 AM In reply to

    Re: Using MWA to remotely manage IIS on Server Core.

    Hi

    Sorry for the delay in answering. Here is the configuration of my environment:

    • Two IIS servers: IIS-FULL and IIS-FULL01
    • 1 IIS Server Core : IIS-CORE

    On Server Core, I install the IIS Server Role using the default options. Same thing for IIS-Full01

    On IIS-FULL, I install IIS Server Role and add the role service IIS Management and Scripting tools (which will install MWA).

    Now I want to manage both IIS-FULL01 and IIS-CORE from IIS-FULL using MWA. So here is the code with PowerShell:

    PS C:\> [System.Reflection.Assembly]::LoadFrom("C:\Windows\System32\inetsrv\Microsoft.Web.Administration.dll")

    PS C:\> $IISFULL01 = [Microsoft.Web.Administration.ServerManager]::OpenRemote("IIS-FULL01")

    PS C:\> $IISFULL01

    ApplicationDefaults: Microsoft.Web.Administration.ApplicationDefaults

    ApplicationPoolDefaults: Microsoft.Web.Administration.ApplicationPoolDefaults

    ApplicationPools: {DefaultAppPool, Classic .NET AppPool,....}

    SiteDefaults: Microsoft.Web.Administration.SiteDefaults

    SItes: Default Web Site

    VirtualDirectoryDefaults: Microsoft.Web.Administration.VirtualDirectoryDefaults

    WorkerProcesses: {}

    Now if I do the same thing for Server Core:

    PS C:\> $IISCORE = [Microsoft.Web.Administration.ServerManager]::OpenRemote("IIS-CORE")

    PS C:\> $IISCORE

    ApplicationDefaults:

    ApplicationPoolDefaults:

    ApplicationPools:

    SiteDefaults:

    SItes:

    VirtualDirectoryDefaults:

    WorkerProcesses:

    To make sure that I have network connectivity and that the Default Web site  exists on Server Core, I execute the following command from IIS-FULL

    C:\> WinRS -r:IIS-CORE c:\windows\system32\inetsrv\appcmd.exe list Sites

    SITE "Default Web Site"(id:1, bindings:,state:Unknown)

    It seems that I can't get MWA working against Server Core.

    I appreciate any help you can provide

    Thanks in advance

    /Dung

     

     

     

     

  • 01-23-2008, 11:30 AM In reply to

    • mvolo
    • Top 25 Contributor
    • Joined on 09-17-2003, 1:48 PM
    • Philadelphia, PA
    • Posts 584
    • IIS MVPs

    Re: Using MWA to remotely manage IIS on Server Core.

    Hi DungKHoang,

    MWA uses DCOM to connect to the configuration system COM objects on the server, so it should work against server core.

    My guess is that your issue has to do with security (you must be running powershell under a logon identity that has administrative privileges on the target server), or with DCOM connectivity (enabled through firewall).

    Unfortunately the output of the powershell command you show doesn't indicate what the problem is, so can you use the attached console program to test DCOM connectivity? In case you don't trust the EXE, the code for it is below.

    > mwatest.exe IIS-CORE

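    using System;
    using System.Collections.Generic;
    using System.Text;
    using Microsoft.Web.Administration;

    namespace MWATest
    {
        class Program
        {
            static void Main(string[] args)
            {
                try
                {
                    // Target server name is the first command-line argument.
                    string server = args[0];

                    // OpenRemote connects to the server's configuration COM objects over DCOM.
                    ServerManager mgr = ServerManager.OpenRemote(server);

                    // Enumerating the sites forces the remote call; print each site name.
                    foreach (Site site in mgr.Sites)
                    {
                        Console.WriteLine(site.Name);
                    }
                }
                catch (Exception e)
                {
                    // Print the full exception so the failing HRESULT is visible.
                    Console.Error.WriteLine(e);
                }
            }
        }
    }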

     

    Thanks,

    Mike Volodarsky

    Program Manager
    IIS Core Server
    Visit mvolo.com for more on IIS 7.0 and ASP.NET

    This posting is provided "AS IS" with no warranties, and confers no rights.
  • 01-23-2008, 1:45 PM In reply to

    Re: Using MWA to remotely manage IIS on Server Core.

    Hi Mike,

     Thanks for the tool.

    I am running the PS command using the Domain Admin credential. Also I can use WMI to query WMI objects against the remote server and can use an MMC console to remotely manage the server core box (DNS, DHCP ...). It means that DCOM is working properly (I'd guess so).

    Running your tool produces the following error:

    System.Runtime.InteropServices.COMException (0x800706BA): Retrieving the COM class factory for remote component with CLSID {2B72133B-3F5B-4602-8952-803546CE3344} from machine IIS-CORE failed due to the following error: 800706ba.
       at System.RuntimeTypeHandle.CreateInstance(RuntimeType type, Boolean publicOnly, Boolean noCheck, Boolean& canBeCached, RuntimeMethodHandle& ctor, Boolean& bNeedSecurityCheck)

    What else should I do to configure DCOM on Server Core?

    Appreciate any help you can provide,

    /Dung

     

  • 01-23-2008, 6:44 PM In reply to

    • mvolo
    • Top 25 Contributor
    • Joined on 09-17-2003, 1:48 PM
    • Philadelphia, PA
    • Posts 584
    • IIS MVPs

    Re: Using MWA to remotely manage IIS on Server Core.

    Hmm, can you first check the firewall to make sure it allows "COM+ Network Access (DCOM-In)"?

    Thanks,

    Mike Volodarsky

    Program Manager
    IIS Core Server
    Visit mvolo.com for more IIS 7.0 posts, tools, and info

     

    This posting is provided "AS IS" with no warranties, and confers no rights.
  • 01-24-2008, 5:56 PM In reply to

    Re: Using MWA to remotely manage IIS on Server Core.

    Hi Mike,

    Here is what I observed:

    • On Full Server (IIS-FULL), the rule "COM+ Network Access (DCOM-In)" exists but is NOT enabled. MWA works!
    • On Server Core (IIS-CORE), the rule does not exist. MWA does not work.

    Here is what I did on Server Core

    • Enable Remote admin on the firewall

    netsh firewall set service remoteadmin

    netsh advfirewall set currentprofile settings remote management enable

    Result:  MWA does not work

    • Create a rule:

    netsh advfirewall firewall add rule name="COM+ Network Access (DCOM-In)" dir=in protocol=TCP localport=135

    netsh advfirewall firewall set rule name="COM+ Network Access (DCOM-In)" new enable=Yes

    Result:  MWA does not work

    • Turn off firewall

    netsh advfirewall set allprofiles state off

    Result: MWA works!

    I really don't want to use the 3rd option (turn the firewall off). There must be another rule to make it work. If you have an idea, I really appreciate your help on this

    Thanks!

    /Dung

     

  • 01-24-2008, 6:02 PM In reply to

    • mvolo
    • Top 25 Contributor
    • Joined on 09-17-2003, 1:48 PM
    • Philadelphia, PA
    • Posts 584
    • IIS MVPs

    Re: Using MWA to remotely manage IIS on Server Core.

    Hi Dung,

    Try this: http://msdn2.microsoft.com/en-us/library/ms809327.aspx. I am not 100% sure this is still valid, but you can try it as I have seen very recent references to it.

    Let me know if it doesn't work for you.

    Thanks,

    Mike Volodarsky

    Program Manager
    IIS Core Server
    Visit mvolo.com for more IIS 7.0 posts, tools, and info

    This posting is provided "AS IS" with no warranties, and confers no rights.
  • 01-25-2008, 7:58 AM In reply to

    Re: Using MWA to remotely manage IIS on Server Core.

     

    Thanks for the pointer,

    I have tried to add a rule for COM Access on UDP port 135 but it still does not work.

    /Dung

     

  • 01-25-2008, 4:36 PM In reply to

    • mvolo
    • Top 25 Contributor
    • Joined on 09-17-2003, 1:48 PM
    • Philadelphia, PA
    • Posts 584
    • IIS MVPs

    Re: Using MWA to remotely manage IIS on Server Core.

    Hi Dung,

    According to that document, you need to open port 135, but also need to open the port that the DCOM connection will use.  There are two approaches:

    By default, DCOM uses RPC dynamic port allocation, which randomly selects port numbers above 1024. In addition, port 135 is used by the RPC endpoint mapping service. Restrict the ports required to support DCOM on the internal firewall in two ways:

     

     Define port ranges. This allows you to control the ports dynamically allocated by RPC. For more information about dynamic port restrictions, see Microsoft Knowledge Base article 300083, "How To: Restrict TCP/IP Ports on Windows 2000 and Windows XP."

     

    Use static endpoint mapping. Microsoft Windows 2000 SP3 (or QFE 18.1 and later) or Windows Server 2003 allows you to configure Enterprise Services applications to use a static endpoint. Static endpoint mapping means that you only need to open two ports in the firewall: port 135 for RPC and a nominated port for your Enterprise Services application. For more information about static endpoint mapping, see Microsoft Knowledge Base article 312960, "Cannot Set Fixed Endpoint for a COM+ Application."

     

    Thanks,

    Mike Volodarsky

    Program Manager
    IIS Core Server
    Visit mvolo.com for more on IIS 7.0 and ASP.NET

     

    This posting is provided "AS IS" with no warranties, and confers no rights.
  • 01-25-2008, 5:38 PM In reply to

    Re: Using MWA to remotely manage IIS on Server Core.

    Hi Mike,

    That's exactly what I did as explained in my previous replies.

    Create 2 rules to allow incoming access to port 135 on protocol TCP and UDP

    netsh advfirewall firewall add rule name="COM+ Network Access (DCOM-In)" dir=in protocol=TCP localport=135

    netsh advfirewall firewall add rule name="COM+ Network Access (DCOM-In)- UDP" dir=in protocol=UDP localport=135

    Sorry for not being clear,

    /Dung

     

     

  • 01-26-2008, 8:21 PM In reply to

    • mvolo
    • Top 25 Contributor
    • Joined on 09-17-2003, 1:48 PM
    • Philadelphia, PA
    • Posts 584
    • IIS MVPs

    Re: Using MWA to remotely manage IIS on Server Core.

    Did you follow the KBs to restrict DCOM to specific ports? I didn't see you mention anything about doing this.  See my previous post for information.

    Thanks,

    Mike Volodarsky

    Program Manager
    IIS Core Server
    Visit mvolo.com for more IIS 7.0 posts, tools, and info

    This posting is provided "AS IS" with no warranties, and confers no rights.
  • 01-27-2008, 1:55 AM In reply to

    • colinbo
    • Top 100 Contributor
    • Joined on 10-22-2003, 3:36 PM
    • Toronto, Canada
    • Posts 53

    Re: Using MWA to remotely manage IIS on Server Core.

    I have the following rule groups enabled:

    • Core Networking 
    • File and Printer Sharing 
    • Remote Administration
    • Windows Remote Management
    • Windows Management Instrumentation (WMI)
    • Secure World Wide Web Services (HTTPS) 
    • World Wide Web Services (HTTP)

    I think I found it after watching what is happening with NETSTAT -B.  The RPC endpoint is going through dllhost.exe.  Adding the following two rules seems to enable it:

    NetSh AdvFirewall Firewall Add Rule Name="Remote Web Server Management (RPC)" Dir=In Action=Allow Program="C:\WINDOWS\SYSTEM32\dllhost.exe" Protocol=TCP LocalPort=RPC

    NetSh AdvFirewall Firewall Add Rule Name="Remote Web Server Management (RPC-EPMap)" Dir=In Action=Allow Program="C:\Windows\system32\svchost.exe" Service=RPCSS Protocol=TCP LocalPort=RPC-EPMap

    I can't really vouch for the security of it as it came about through trial-and-error. It's too bad that the IIS Administration doesn't flow through a custom COM surrogate so that we could lock it down to something other than DLLHost.exe.  Even SvcHost.exe would be better because it appears that Windows Firewall allows us to specify a service (we could specify IISAdmin for example).  It seems like we're opening a can of worms here, no?  Any thoughts from the PMs lurking?

    Cheers,
    Colin

    Blog: http://colin.rockstarguys.com
    ---
    When you ask a question, remember to click "mark as answered" when you get a reply which answers your question; this ensures the member gets credit below for being helpful.
  • 01-27-2008, 12:37 PM In reply to

    Re: Using MWA to remotely manage IIS on Server Core.

    Mike,

    I did it on the IIS-CORE machine (server side). After adding the registry entries and rebooting the system, it still doesn't work.

    Here is what I did:

    • Open the registry on IIS-CORE
    • Create a key under HKLM\Software\Microsoft\Rpc called Internet
    • Add the following entries: Ports Multi_SZ 3000-4000 ; PortsInternetAvailable Y ; UseInternetPorts Y
    • Reboot the server

    After the server reboots,

    • Disable the firewall: netsh firewall set opmode DISABLE (to look at the ports used)
    • Run Netstat -B (as suggested by ColinBo)
    • On IIS-FULL, run MWATEST.EXE IIS-CORE
    • On IIS-CORE, I notice the following connection:

    Proto                     Local Address                   Foreign Address                                         State
    TCP                      192.168.0.111:135             192.168.0.110:49228                                  ESTABLISHED
    RpcSs
    [Svchost.exe]

     Note: 192.168.0.111 is IIS-CORE and 192.168.0.110 is IIS-FULL

    • Enable the firewall: netsh firewall set opmode ENABLE

     

    /Dung
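
Added example, not part of any post in this thread: a cmd.exe script for IIS-CORE that applies the "define port ranges" option discussed above (using the 3000-4000 range from the last post) and opens TCP 135 and that range only to the management host, so the firewall can stay on. It also serves the concern raised about the program-scoped dllhost.exe rules, by scoping on source address instead. The management address 192.168.0.110 is IIS-FULL as given in the thread; the rule names are made up for this example.

```batch
@echo off
rem Added example (not from the thread). Run in an elevated cmd.exe on IIS-CORE.
rem Assumptions: 192.168.0.110 is the management host (IIS-FULL in the thread),
rem 3000-4000 is the RPC range from the post above, rule names are hypothetical.
set MGMT=192.168.0.110
set RANGE=3000-4000

rem 1. Pin RPC/DCOM dynamic endpoints to a fixed range (needs a reboot to apply).
reg add HKLM\Software\Microsoft\Rpc\Internet /v Ports /t REG_MULTI_SZ /d %RANGE% /f
reg add HKLM\Software\Microsoft\Rpc\Internet /v PortsInternetAvailable /t REG_SZ /d Y /f
reg add HKLM\Software\Microsoft\Rpc\Internet /v UseInternetPorts /t REG_SZ /d Y /f

rem 2. RPC endpoint mapper: TCP 135, reachable only from the management host.
netsh advfirewall firewall add rule name="IIS remote config (RPC-EPMap)" dir=in action=allow protocol=TCP localport=135 remoteip=%MGMT%

rem 3. The pinned dynamic range, reachable only from the management host.
netsh advfirewall firewall add rule name="IIS remote config (RPC range)" dir=in action=allow protocol=TCP localport=%RANGE% remoteip=%MGMT%

rem 4. Keep the firewall enabled and show what was applied.
netsh advfirewall set allprofiles state on
reg query HKLM\Software\Microsoft\Rpc\Internet
netsh advfirewall firewall show rule name="IIS remote config (RPC-EPMap)"
netsh advfirewall firewall show rule name="IIS remote config (RPC range)"
```

The range can be made narrower than 3000-4000 if only a few concurrent DCOM connections are expected; the firewall rule and the registry value must name the same range.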

     
