Timeless Question about Installing IIS on a Non-System partition

A question was asked — Why does Microsoft still force customers to install as the webroot to the system partition (i.e. C:\inetpub) when all security-related documentation advises to not do this?

I casually grinned, then openly smiled and said…”just because.  Kidding!”  It is a very legitimate question and my response was fairly lengthy but went something like this…

Starting with Windows 2000, IIS was installed using Windows installation technology (SysOcMgr).  The technical reason we don’t allow this is based on the fact that there is no means of doing a “custom action” in SysOcMgr.  If you ever think back to anything you do in Add\Remove programs, Windows never “prompts” you to enter any information.  The only actions you take is to click a check mark and then all the magic occurs — except if you don’t have the source files from Windows still available which that is considered an error (not a custom action.)

There is actually a simple solution around this but often many think the tax is to large to do it.  The Microsoft answer to this non-system partition webroot is to automate IIS’s installation.  This often scares many of our customers as they don’t want to go down that path.  However, it should be noted though that you don’t have to do a full OS install through automation but instead just automate the install of IIS.  This is easy.

1).  Create a file called Unattend.txt and open it with Notepad

2).  Paste the following into that file:

[SetupMgr]
    DistFolder=d:\i386

[Components]
    aspnet=off
    complusnetwork=on
    dtcnetwork=on
    bitsserverextensionisapi=off
    iis_common=on
    iis_ftp=on
    fp_extensions=on
    iis_inetmgr=on
    iis_nntp=off
    iis_smtp=off
    iis_asp=on
    iis_internetdataconnector=off
    sakit_web=off
    tswebclient=off
    iis_serversideincludes=off
    iis_webdav=off
    iis_www=on
    appsrv_console=off
    inetprint=off

[InternetServer]
    PathFTPRoot={YourDesiredFTPRootPath}
    PathWWWRoot={YourDesiredWebRootPath}

3).  The next step is to open a command-prompt (Start – Run – CMD) and type the following:

 SysOcMgr.exe /i:sysoc.inf /u:$PathToUnattendFileCreatedInStep2$

This will magically install IIS based on your parameters.  The above file, unattend.txt, installs and enables the following:

  • WWW Server
  • FTP Server
  • Enables ASP & FPSE

The key is to understand that you don’t have to automate the entire OS installation in order to do this.  It can be done afterwards.  You can also cover all your bases and build a full automated installation of the OS and IIS.  This is completely an option.  The major thing that changes is that you have a couple of options -

   1).  Install from a CD

   2).  Install from a Shared UNC Location

In my case, I chose to install from a CD.  This was done by creating a winnt.sif file and placing it on a floppy drive.  The Winnt.sif had the following information:

[Data]
    AutoPartition=1
    MsDosInitiated="0"
    UnattendedInstall="Yes"

[Unattended]
    UnattendMode=FullUnattended
    OemSkipEula=Yes
    OemPreinstall=No
    TargetPath=\WINDOWS
    Repartition = Yes

[GuiUnattended]
    AdminPassword=ca8d43d0eae56d10197a3608820ae698fa3254ef3d8ce553674c94fb185
    EncryptedAdminPassword=Yes
    OEMSkipRegional=1
    TimeZone=4
    OemSkipWelcome=1

[UserData]
    ProductKey=**InsertValidKey**
    FullName="MyName"
    OrgName="MyCompany"
    ComputerName=MyComputer

[Display]
    BitsPerPel=24
    Xresolution=800
    YResolution=600
    Vrefresh=70

[LicenseFilePrintData]
    AutoMode=PerServer
    AutoUsers=5

[TapiLocation]
    CountryCode=1
    Dialing=Tone
    AreaCode=425
    LongDistanceAccess="9"

[Networking]
    InstallDefaultComponents=Yes

[Components]
    aspnet=off
    complusnetwork=on
    dtcnetwork=on
    bitsserverextensionisapi=off
    iis_common=on
    iis_ftp=on
    fp_extensions=on
    iis_inetmer=on
    iis_nntp=off
    iis_smtp=off
    iis_asp=on
    iis_internetdataconnector=off
    sakit_web=off
    tswebclient=off
    iis_serversideincludes=off
    iis_webdav=off
    iis_www=on
    appsrv_console=off
    inetprint=off

[InternetServer]
    PathFTPRoot=c:\FTPSites
    PathWWWRoot=c:\WebSites

[GUIRunOnce]
"a:\SetupIIS.Bat"

The only execution I have to do now is the following:

 Winnt32.exe /unattend:AnswerFile /s:InstallSource

I call your attention to the GUIRunOnce section as this is the most convienant means of automating the IIS installation as part of the OS.  If you are interested in also setting up and creating your entire environment with zero-effort, then this section is your friend.  For example, what if your servers have 30 websites, each with 5 applications, with 12 Application Pools, and custom configuration per-site.  You either manually do this work or you could create and\or use existing scripts and push them into this section.  In my case, here is my sample file called SetupIIS.bat -

@ECHO OFF

REM
REM Make Dir Structure for Website
cd \
cd websites
mkdir MySite

REM
REM  CREATE ADDITIONAL WEBSITES

iisweb /create c:\websites\mysite "My Site" /b 81

REM
REM  ADD ADDITIONAL VIRTUAL DIRECTORIES

iisvdir /create "My Site" Upload c:\ftpsites

REM
REM  MODIFY THE AUTHENTICATION FOR ONE OF THE NEWLY CREATED VDIR'S

CD \
CD \INETPUB\ADMINSCRIPTS
CSCRIPT /NOLOGO ADSUTIL.VBS SET W3SVC/858812021/ROOT/Upload/AUTHNTLM 0
CSCRIPT /NOLOGO ADSUTIL.VBS SET W3SVC/858812021/ROOT/Upload/AUTHBasic 1

This script creates a directory structure for my new site, creates the website and assigns to that directory just created, and bound the site to a specific port, added a virtual directory, and then customized that virtual directories authentication to Basic and turned off NTLM.

This is just a sample and there is much more powerful things you can do but in the end with the push of a power button you can truly walk away and come back to a fully functional webserver.

The time spent up front is worth thousands of time-off in the future (or spent doing better things!).  For a complete and more in-depth discussion of this, view the following webcast I did on this topic and used these scripts — http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032280620&EventCategory=5&culture=en-US&CountryCode=US.

Enjoy,

~Chris

P.S.  Thanks to the person who asked the question and spawned me thinking about this for my blog!

4 Comments

  • i have known about this option with IIS 6 for some time but the question I am seeing now if with the new unattended method for IIS 7 I don't see what parameter is used to set the root directories. the documentation here so far does not mention that parameter with the new installer.

  • There is a typo in the first section of code regarding the [COMPONENTS] section.

    iis_inetmer=on

    The correct line is

    iis_inetmgr=on

  • Hey Benedetti-
    I apologize for the long delay as your message was posted a couple days after I left Microsoft. In IIS7, there is no subsequent functionality to allow you to re-locate the webroot to a non-system partition.

    This is not because the IIS team wants to make things hard, but instead, because the Vista\2K8 installer does not allow anything to interrupt installation.

    The only option is to re-locate the webroot after install. It can't be done during unattended installs either -

    NOTE: This was current as of 2K8 Beta 2. If this was changed between B2 & RC1\RTM, please feel free to update.

    -Chris

  • Hey Mathew,

    You are correct. I will update this tonight. The correct entry is iis_inetmgr and not my typo iis_inetmer.

    Thanks,
    -Chris

Comments have been disabled for this content.