IIS6: Restoring Metabase Configuration to a New Server

lprete — Sun, 20 Jan 2008 17:15:59 GMT

I get this call quite frequently. Three times this week.

The Scenario

There was some sort of catastrophe, a hard drive crashed, a power failure, something. After recovering the OS from this catastrophe IIS is not working - The IIS Admin and/or the World Wide Web Services simply will not start.

This failure to start is accompanied by various errors in the System Event Log, the most common I have seen is:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7024
Description:
The IIS Admin Service service terminated with service-specific error 2148073478

Some Explanation

Two things come into play here, MachineKeys & any encrypted keys in Metabase.XML. If IIS shut down abruptly one or more encrypted keys may not have been written out correctly into the Metabase. If you went as far as reinstalling Windows then the MachineKeys of the new installation will not be able to decrypt the encrypted keys in the old Metabase. In either case when IIS tries to start the IIS Admin Service and uses a MachineKey under C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys to decrypt the encrypted keys in the Metabase (usually passwords).

If this directory path is changed or the MachineKey itself changes, or if the encrypted data was not written out correctly in the Metabase during the previous shut down, IIS will fail to start and will generate an error similar to the one listed above.

The specific MachineKey will look similar to the following:

c2319c42033a5ca7f44e731bfd3fa2b5_e19f50ab-fae5-485a-8306-2d05ab2c91c0

Note: The first half of the MachineKey (up to the under-score "_") refers to the service, in this case IIS, the remainder of the MachineKey is a hash specific to the installation.

Possible Solution

To recover Site configurations:

Rename old Metabase to SiteConfig.XML
Delete all AdminACL keys and password keys from SiteConfig.XML.
With a clean Metabase (reinstall IIS if necessary) verify that IIS Admin and W3SVC start & the Default (under construction) page is working.
Open 'clean' Metabase.XML and copy the SessionKey value.
Open SiteConfig.XML and Delete SessionKey value and paste in the value from 'clean' Metabase.XML.
In IIS MMC use Create New Site (from file) wizard. Point the tool to SiteConfig.XML, click Read File, and select site to import.
Repeat for all sites (Web, FTP, SMTP) and Application Pools.

Other Notes

This entire situation becomes much simpler if you regularly create *password* encrypted backups of the Metabase. The following KB article discusses how to use iisback.vbs to create backups (although it doesn't stress the importance of backing up with a password). Password encrypted backups remove the dependency on the MachineKeys for decrypting the encrypted Metabase keys making the backup much more portable.

How To Create a Metabase Backup by Using IIS 6.0 in Windows Server 2003
http://support.microsoft.com/kb/324277

Sunday Morning Musings on IIS : MachineKeys

IIS6: Restoring Metabase Configuration to a New Server

The Scenario

Some Explanation

Possible Solution

Other Notes