Computer and Software Support


Iiscnfg.vbs: IIS configuration script

This page is from Microsoft

Updated: January 21, 2005

Imports and exports all or selected elements of an Internet Information Services (IIS) metabase on a local or remote computer, or copies the entire IIS configuration (metabase and schema) to another computer to replicate a configuration. Iiscnfg performs the following functions:


 

iiscnfg /export

Copies all or part of an IIS metabase to an XML file, in an encrypted or unencrypted format. The XML file can then be used in an import operation to copy all or part of the metabase to another IIS configuration.
Syntax
iiscnfg[.vbs] /export /f [Path\]FileName.xml /sp MetabasePath [/d EncryptingPassword] [/inherited] [/children] [/s Computer [/u [Domain\]User [/p Password]]]
Parameters
/f [Path\]FileName.xml
Required. Specifies a unique name and location for the export file. If you specify an existing file or if the directories in the path you specify do not exist, the command fails. The file path must be local. When exporting a file from a remote computer, the /f parameter refers to a path on the remote computer.
/sp MetabasePath
Required. Specifies the metabase keys to export. Enter a metabase path to identify the selected keys.
/d EncryptingPassword
Encrypts the export file with the specified password. You can use any string as the password. The /d parameter creates a secure export file by encrypting the session key and secure properties with the specified password. You must provide the password to use the file in an import operation. If you omit this parameter or the password argument, then the export file is encrypted with a blank password. As a result, only the secure properties are encrypted and any Administrator can use the export file to import a metabase configuration.
/inherited
Adds inherited properties of the exported keys to the export file. Without this parameter, the export file does not include properties inherited from higher-level keys.
/children
Recursively adds the subkeys of the specified key to the export file.
/s Computer
Runs the script on the specified remote computer. Type the computer name or IP address without backslashes. By default, the script runs on the local computer.
/u [Domain\]User
Runs the script with the permissions of the specified user account. This account must be a member of the Administrators group on the remote computer. By default, the script runs with the permissions of the current user of the local computer.
/p Password
Specifies the password of the user account specified in the /u parameter. If you omit this parameter, the script prompts you for the password and obscures the text you type.
/?
Displays help at the command prompt.
Remarks
  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
  • Use quotation marks to enclose metabase path elements that include spaces. Enclose only the element with spaces, not the entire path. For example, type "Default FTP Site"/IISAdmin, not "Default FTP Site/IISAdmin".
Examples
The following examples show how to use iiscnfg /export in specific situations.

To export a Web site configuration

The following command exports the configuration of the Finance Web site to the C:\Finance\Finance.xml file. The command uses the /sp parameter to specify the metabase path of the Web site, /lm/W3SVC/2, and the /children parameter to export all subkeys of the configuration. It also uses the /inherited parameter to include inherited properties in the export file. This assures that the Web site configuration retains these properties even if it is imported into a different system.

iiscnfg /export /f c:\finance\finance.xml /sp /lm/w3svc/2 /children /inherited

In response, Iiscnfg.vbs displays the following success message:

Configuration exported from /lm/w3svc/2 to file c:\finance\finance.xml

The resulting file includes all the keys and subkeys within the /lm/w3svc/2 path. It also includes an IisInheritedProperties key that contains the values of all inherited properties.

To export the entire IIS configuration of the local computer

The following command exports the IIS configuration of the local computer to the D:\IIStest\Config.xml file. It uses the /f parameter to specify the file name and location and the /sp parameter to specify the root key (/) of the metabase. The /children parameter adds all subkeys of the root key recursively to the export file. (Without the /children parameter, only the root key is exported.) Finally, the command uses the /d parameter and a password to encrypt the export file.

iiscnfg /export /f d:\iistest\config.xml /sp / /children /d p@sswoRd61

In response, Iiscnfg.vbs displays the following success message:

Path / has been exported to d:\iistest\config.xml

Note that even a complete export of the configuration is not identical to the Metabase.xml file for the system. The session key, access control lists (ACLs), and passwords differ.

Also, you cannot tell by looking at the export file that it is encrypted. However, if you compare an encrypted and unencrypted version of the same file, you can see that the values of secure properties are changed in the encrypted version. Therefore, the file cannot be used in an import command without the password.

 

iiscnfg /import

Adds configuration settings from an XML metabase export file to the metabase of an IIS server.
Syntax
iiscnfg[.vbs] /import /f [Path\]FileName /sp SourcePath /dp DestinationPath [/d EncryptingPassword] [/children] [/inherited] [/merge] [/s Computer [/u [Domain\]User [/p Password]]]
Parameters
/f [Path\]FileName
Required. Specifies the path and file name of the XML source file. The file path must be local. When importing a file to a remote computer, the /f parameter refers to a path on the remote computer.
/sp SourcePath
Required. Specifies the location in the XML file of the keys being imported. Enter the metabase path as it appears in the XML file. To import all of the keys in the source file, enter the metabase path of the root key.
/dp DestinationPath
Required. Specifies where in the metabase the imported keys are placed. Enter a metabase path. If you specify a path that already exists in the metabase, the imported keys overwrite and replace the keys currently in that metabase path without warning.
/d EncryptingPassword
Specifies the password that was used to encrypt the configuration data. This parameter is required when the configuration file is encrypted. If you do not provide the password for an encrypted file, or if you provide an incorrect password, the command fails.
/children
Recursively imports the subkeys of the specified key.
/inherited
Imports the inherited properties of the keys. This parameter is effective only when the source file includes inherited properties.
/merge
Combines keys in the XML file with the existing metabase keys. Without this parameter, the keys in the XML file replace existing keys in the same metabase path. The /merge parameter adds keys to the metabase that appear only in the XML file, retains keys in the metabase that are not in the XML file, and applies the values in the XML file when a key appears in both the XML file and the metabase.
/s Computer
Runs the script on the specified remote computer. Type the computer name or IP address without backslashes. By default, the script runs on the local computer.
/u [Domain\]User
Runs the script with the permissions of the specified user account. This account must be a member of the Administrators group on the remote computer. By default, the script runs with the permissions of the current user of the local computer.
/p Password
Specifies the password of the user account specified in the /u parameter. If you omit this parameter, the script prompts you for the password and obscures the text you type.
/?
Displays help at the command prompt.
Remarks
  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
  • Use quotation marks to enclose metabase path elements that include spaces. Enclose only the element with spaces, not the entire path. For example, type "Default FTP Site"/IISAdmin, not "Default FTP Site/IISAdmin".
  • The imported key must be the type expected in its new position in the metabase path. If the key is not the expected type, the configuration will not operate properly. For example, do not import the event logging configuration (/LM/Logging) to a Web site configuration path, such as /LM/W3SVC/3.
  • Changes made by using Iiscnfg.vbs are effective immediately. These changes are reflected in the MetaBase.xml file when the file is updated (every five minutes or every 50 changes).
Examples
The following examples show how to use iiscnfg /import in specific situations.

To import a Web site from an export file

The following command imports the NewSite Web site configuration from the C:\Config.xml file into the metabase.

The command uses the /f parameter to specify the name and location of the source file. It uses the /sp (source path) parameter to indicate the location in the Config.xml file of the keys that you want to import. In this case, the NewSite configuration is located in the /lm/w3svc/5 path in the Config.xml file. Then, it uses the /dp (destination path) parameter to specify the metabase location where the imported keys should be placed. In this case, the NewSite configuration keys should be imported into the /lm/w3svc/3 location in the metabase. Finally, it uses the /children parameter to include the child keys of the /lm/w3svc/5 in the import operation. Without the /children parameter, only the Web site root would be imported.

Remember that the /import operation overwrites without warning. If the metabase already has keys in the /lm/w3svc/3 position, those keys will be replaced by the imported keys.

iiscnfg.vbs /import /f c:\config.xml /sp /lm/w3svc/5/Root/NewSite /dp /lm/w3svc/3 /children

In response, Iiscnfg.vbs displays the following success message:

Configuration imported from /lm/w3svc/5 in c:\config.xml to /lm/w3svc/3 in the Metabase.

As a result of this command, the NewSite configuration now appears in IIS as the third Web site, with metabase path /lm/W3SVC/3.

To import a logging configuration into a remote computer

The following procedure imports a custom logging configuration in C:\IISLogging.xml into the IIS metabase of a remote computer. You can use this method, or an extension of this method, to propagate a configuration to a group of servers.

The procedure to import a logging configuration to a remote computer has two steps:

  1. Copy the source file to the remote computer. (Iiscnfg.vbs does not permit remote paths in the /f parameter.)
  2. Import the configuration to IIS.

The first command copies the Iislogging.xml file to the remote server, Svr126:

copy IISLogging.xml \\Svr126\c$

The second command imports Iislogging.xml into the IIS configuration of Svr126. It uses the /f parameter to identify the source file, the /sp parameter to specify the /LM/Logging/Custom Logging metabase path to import, and the /dp parameter to place the imported keys in the same location in the target configuration, /LM/Logging/Custom Logging. (Use quotation marks to enclose path elements that include spaces.) It uses the /children parameter to import all subkeys of the Logging key.

To act on Svr126, it uses the /s parameter to specify the server and the /u and /p parameters to run the script with the permissions of the user's Administrator account on the remote computer.

iiscnfg /import /f C:\IISLogging.xml /sp "/lm/logging/custom logging" /dp "/lm/logging/custom logging" /children /s Svr126 /u Svr126\Administrator /p p@ssword1#

In response, Iiscnfg.vbs displays the following success message:

Connecting to server ... Done.
Configuration imported from /lm/logging/custom logging in file C:\IISLogging.xml to
 /lm/logging/custom logging in the Metabase.

As a result, the /LM/Logging/Custom Logging key and its subkeys have been copied from the local metabase to the metabase of Svr126.

To merge a virtual directory with a Web site

This example demonstrates how the /merge parameter works by comparing a standard import operation with an import operation that uses the /merge parameter.

Both commands update the properties of the Investments virtual directory of a Web site by using the same import file, Invest_vdir.xml.

The following sample shows the Investments metabase key before any import operations are run. (This sample was taken from a backup copy of the metabase created by using Iisback.vbs, the IIS backup management script.)

Metabase before import

<IIsWebVirtualDir Location="/LM/W3SVC/1509060625/root/Investments"
         AccessFlags="AccessRead | AccessScript"
         AppFriendlyName="Investments"
         AppIsolated="2"
         AppRoot="/LM/W3SVC/1509060625/Root/Investments"
         DirBrowseFlags="DirBrowseShowDate | DirBrowseShowTime | DirBrowseShowSize | DirBrowseShowExtension | DirBrowseShowLongDate | EnableDefaultDoc"
         Path="E:\public\Download"
>
</IIsWebVirtualDir>

The following sample shows the content of the Invest_vdir.xml file that will be used in the import operations. (This sample was created by exporting the Investments metabase key and then editing the export file.)

Note that the following properties of the Investments key are changed in the XML file:

  • The value of the AccessFlags property is changed.
  • The AuthFlags property is added.
  • The DirBrowseFlags property is omitted.

Import File Content

<IIsWebVirtualDir Location="/LM/W3SVC/1509060625/root/Investments"
                 AccessFlags="AccessRead"
                 AuthFlags="AuthAnonymous | AuthNTLM"
                 AppFriendlyName="Investments"
                 AppIsolated="2"
                 AppRoot="/LM/W3SVC/1509060625/Root/Investments"
                 Path="E:\public\Download"
>
</IIsWebVirtualDir>

Command 1: Standard Import

The following command imports the Invest_vdir.xml file into the metabase without using the /merge parameter. The command directs IIS to replace the Investments key in the metabase with the Investments key in the XML file.

The command uses the /f parameter to specify the import file and uses the same metabase path in the source path (/sp) and destination path (/dp) parameters.

iiscnfg /import /f e:\iistest\Invest_vdir.xml /sp /LM/W3SVC/1509060625/root/Investments /dp /LM/W3SVC/1509060625/root/Investments

As a result of this command, the Investments key in the metabase is now identical to the Investments key in the Invest_vdir.xml import file.

Command 2: Import and merge

The following command merges the Investments key in the Invest_vdir.xml file into the metabase. The /merge parameter directs IIS to add new properties from the import file to the metabase, to leave metabase properties that are not in the import file unchanged, and to apply the import file value when a property appears in both the import file and in the metabase.

The command is identical to Command 1, except that the /merge parameter is added.

iiscnfg /import /f e:\iistest\Invest_vdir.xml /sp /LM/W3SVC/1509060625/root/Investments /dp /LM/W3SVC/1509060625/root/Investments /merge

As a result of this command, the content of the Investments key in the metabase is a combination of its sources, as shown in the following sample.

Note that the following properties of the Investments key in the metabase are changed:

  • The value of the AccessFlags property, which appeared in the metabase and the XML file, is changed. The value in the XML file now appears in the metabase.
  • The AuthFlags property, which appeared only in the XML file, is added.
  • The DirBrowseFlags property, which appeared only in the metabase, is unchanged.

<IIsWebVirtualDir Location="/LM/W3SVC/1509060625/root/Investments"
                 AccessFlags="AccessRead"
                 AppFriendlyName="Investments"
                 AppIsolated="2"
                 AppRoot="/LM/W3SVC/1509060625/Root/Investments"
                 AuthFlags="AuthAnonymous | AuthNTLM"
                 DirBrowseFlags="DirBrowseShowDate | DirBrowseShowTime | DirBrowseShowSize | DirBrowseShowExtension | DirBrowseShowLongDate | EnableDefaultDoc"
                 Path="E:\public\Download"
>
</IIsWebVirtualDir>
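
Because /import replaces keys without warning, it is useful to preview what an import file would do to a key before running either command. The following added example (not part of the original page or of Iiscnfg.vbs) applies the standard-import and /merge rules described above to the Investments samples and reports which properties and flags each mode would add, change, or drop. The MBProperty wrapper element, the function names, and the case-insensitive path comparison are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed inputs: the Investments key from this page, wrapped in a
# hypothetical <MBProperty> root so that each fragment parses on its own.
CURRENT_XML = r"""<MBProperty>
<IIsWebVirtualDir Location="/LM/W3SVC/1509060625/root/Investments"
  AccessFlags="AccessRead | AccessScript"
  AppFriendlyName="Investments"
  AppIsolated="2"
  AppRoot="/LM/W3SVC/1509060625/Root/Investments"
  DirBrowseFlags="DirBrowseShowDate | DirBrowseShowTime | DirBrowseShowSize | DirBrowseShowExtension | DirBrowseShowLongDate | EnableDefaultDoc"
  Path="E:\public\Download">
</IIsWebVirtualDir>
</MBProperty>"""

IMPORT_XML = r"""<MBProperty>
<IIsWebVirtualDir Location="/LM/W3SVC/1509060625/root/Investments"
  AccessFlags="AccessRead"
  AuthFlags="AuthAnonymous | AuthNTLM"
  AppFriendlyName="Investments"
  AppIsolated="2"
  AppRoot="/LM/W3SVC/1509060625/Root/Investments"
  Path="E:\public\Download">
</IIsWebVirtualDir>
</MBProperty>"""

KEY = "/lm/w3svc/1509060625/root/investments"


def load_keys(xml_text):
    """Return {lower-cased metabase path: {property: value}}."""
    keys = {}
    # Any element carrying a Location attribute is treated as a metabase key,
    # whatever its tag or namespace. Paths are lower-cased on the assumption
    # that they are case-insensitive (the page mixes /lm and /LM).
    for element in ET.fromstring(xml_text).iter():
        location = element.get("Location")
        if location is not None:
            keys[location.strip().lower()] = {
                name: value for name, value in element.attrib.items()
                if name != "Location"
            }
    return keys


def split_flags(value):
    """Split 'A | B' into {'A', 'B'}; a plain value becomes a one-item set."""
    return {part.strip() for part in (value or "").split("|") if part.strip()}


def preview_import(current, incoming, merge=False):
    """Predict one key's properties after an import, plus what changed."""
    # Standard import: the key becomes identical to the key in the file.
    # /merge: keep properties found only in the metabase, add properties found
    # only in the file, and take the file's value when both define a property.
    result = dict(current) if merge else {}
    result.update(incoming)
    changes = []
    for name in sorted(set(current) | set(result)):
        before, after = current.get(name), result.get(name)
        if before == after:
            continue
        action = "added" if before is None else "removed" if after is None else "changed"
        changes.append({
            "property": name,
            "action": action,
            "gained": sorted(split_flags(after) - split_flags(before)),
            "lost": sorted(split_flags(before) - split_flags(after)),
        })
    return result, changes


if __name__ == "__main__":
    current = load_keys(CURRENT_XML)[KEY]
    incoming = load_keys(IMPORT_XML)[KEY]
    for merge in (False, True):
        _, changes = preview_import(current, incoming, merge=merge)
        print("with /merge:" if merge else "standard import:")
        for change in changes:
            print("  {action:8} {property:15} +{gained} -{lost}".format(**change))
```

For these samples, the standard import drops DirBrowseFlags entirely, while /merge keeps it; both modes remove AccessScript and add the AuthFlags property.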
 

iiscnfg /copy

Copies the IIS metabase and schema from one computer to another.
Syntax
iiscnfg[.vbs] /copy /ts TargetComputer /tu TargetUser /tp TargetPassword [/s Computer [/u [Domain\]User [/p Password]]]
Parameters
/ts TargetComputer
Required. Copies the IIS metabase to the specified computer. Type the IP address or computer name without backslashes.
/tu TargetUser
Required. Specifies the account used to connect to the target computer. Type a user account in [Domain\]User format. This account must be a member of the Administrators group on the target computer. This parameter is required, even when the current user of the local computer is an Administrator of the target computer.
/tp TargetPassword
Required. Specifies the password for the account specified by the /tu parameter.
/s Computer
Copies the IIS metabase of the specified remote computer to the target computer. This parameter runs the script on the remote computer. Type the name or IP address of a remote computer without backslashes. The default is the local computer.
/u [Domain\]User
Runs the script with the permissions of the specified user account. The default is the current user of the local computer. This parameter is required when the current user is not an Administrator of the remote computer.
/p Password
Specifies the password of the user account specified in the /u parameter. If you omit this parameter, IISCnfg prompts you for the password and obscures the text you type.
/?
Displays help at the command prompt.
Remarks
  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
  • By default, IISCnfg copies the metabase of the local computer to the target computer specified by the /ts parameter. However, you can use the /s parameter to copy the metabase of another computer to the target computer.
  • The copy operation uses Iisback.vbs, the IIS backup management script, to make a backup copy of the source metabase and the schema. Then, it copies the backup copy files (.MDX and .SCX) to the target computer and uses Iisback.vbs to replace the metabase and schema of the target computer with the backup copy. Although you can do these operations manually, the IISCnfg copy operation provides a convenient, one-step method to replicate an IIS configuration.
  • The copy operation does not copy server content associated with the IIS configuration, such as Web pages and FTP files.
  • The copy operation changes the computer-specific and system-specific properties in the metabase so that they are valid on the target computer. However, it does not adjust the directory or file paths. As a result, paths in the configuration might not be valid on the target computer.
Examples
The following examples show how to use iiscnfg /copy in specific situations.

To copy the IIS configuration of the local computer

The following command copies the IIS configuration of the local computer to the SVR01 server. The command uses the /ts parameter to identify the target server and the /tu and /tp parameters to provide the user's Administrator account and password on the SVR01 server.

iiscnfg /copy /ts SVR01 /tu SVR01\Admin06 /tp P@ssWord6

In response, Iiscnfg.vbs displays the following success message.

Backing up server 127.0.0.1
Backup complete.

The IP address, 127.0.0.1, is the loopback address and refers generically to the local computer. This address is used only when copying the configuration of the local computer.

To copy the IIS configuration of a remote computer

The following command copies the IIS configuration of a remote computer, SRV06, to the MAINBKP server. The command uses the /s parameter to identify the remote computer and the /u parameter to provide the user's Administrator account on the SRV06 computer. It also uses the /ts parameter to identify the target server and the /tu and /tp parameters to provide the user's Administrator account and password on the MAINBKP server.

Unlike the /p parameter, which is optional, the /tp parameter is required. If you omit it, the command fails.

iiscnfg /copy /s SRV06 /u Domain01\Admin01 /ts MAINBKP /tu MAINBKP\Admin01 /tp P@ssWord6

In response, Iiscnfg.vbs prompts for the password of the account specified by the /u parameter. (It does not echo the password characters typed.) Then, after confirming the password, it copies the configuration and displays a message indicating that the copy operation was successful.

Enter the Password:
Processing...
Backing up server SRV06
Backup complete.
 

iiscnfg /save

Saves the IIS metabase and schema to disk.
Syntax
iiscnfg[.vbs] /save [/s Computer [/u [Domain\]User [/p Password]]]
Parameters
/s Computer
Saves the IIS metabase of the specified remote computer to disk. This parameter runs the script on the remote computer. Type the name or IP address of a remote computer without backslashes. The default is the local computer.
/u [Domain\]User
Runs the script with the permissions of the specified user account. The default is the current user of the local computer. This parameter is required when the current user is not an Administrator of the remote computer.
/p Password
Specifies the password of the user account specified in the /u parameter. If you omit this parameter, IISCnfg prompts you for the password and obscures the text you type.
/?
Displays help at the command prompt.
Remarks
  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
  • Any changes made to the metabase, using scripts or IIS Manager, are written to memory first and to disk at the next scheduled update, which may be several minutes later. As a result, an administrator may make metabase changes and then open MetaBase.xml only to find that the changes are not reflected. The /save command in Iiscnfg.vbs resolves the problem by saving changes to the disk immediately.
Examples
The following examples show how to use iiscnfg /save in specific situations.

To save the IIS configuration of the local computer

The following command saves the IIS configuration to disk on the local computer.

iiscnfg /save

In response, Iiscnfg.vbs displays the following success message.

Configuration saved.

To save the IIS configuration of a remote computer

The following command saves the IIS configuration to disk on the remote computer, SourceServer.

iiscnfg /save /s SourceServer /u Administrator /p Kj30W

In response, iiscnfg.vbs displays the following message.

Configuration saved
 
 
Remarks
  • IISCnfg.vbs imports and exports all or part of the configuration information that IIS stores in the metabase of an IIS server. The /copy operation copies both the entire metabase and the schema of the IIS server to the destination computer. The /save operation copies both the entire metabase and the schema of the IIS server to disk on the destination computer.
  • Iisback.vbs, the IIS Backup Management Script, also saves and restores an IIS configuration. However, Iisback.vbs backs up the entire metabase and the schema. You cannot use it to save or restore selected elements of a configuration.
  • The IISCnfg copy operation (/copy) replaces the functionality of IISSync.vbs and IISRepl.vbs, tools formerly included in Windows.
  • Iiscnfg Requirements
    • The computer issuing the command must be running Windows XP or a Windows Server 2003 operating system. The user must be a member of the Administrators group on any computer that the command affects.
    • The computer that the command affects must be running Windows Server 2003 with Internet Information Services (IIS) 6.0.
  • The metabase of an IIS server includes system-specific and computer-specific properties. Do not import the configuration of one IIS server to another IIS server without modification. Instead, use Iisback.vbs (the IIS backup management script) or the IISCnfg copy operation (/copy), which replace system-specific and computer-specific properties so that the configuration is valid on the target computer. For information about importing and exporting an IIS metabase, search for Metabase Import/Export in IIS 6.0 Help.
  • Iiscnfg.vbs displays a "Connecting to server" message while it connects to the IIS service on the specified computer. This message appears whenever you use Iiscnfg.vbs, whether on a local or remote computer.
  • Iiscnfg.vbs provides an option to include inherited properties in the export file. If you select this option, Iiscnfg.vbs adds the inherited properties of the exported keys to an IIsInheritedProperties key in the export file. When you import keys from this file, you can elect to import the inherited properties with the keys.

    When inherited properties are imported, the imported keys retain the properties they inherited in the exporting configuration. If inherited properties are not imported, the keys inherit the properties of the importing configuration.

  • To prevent unauthorized use of export files, IISCnfg.vbs lets you encrypt the export file with a password. The password encrypts the session key which, in turn, encrypts all properties for which the secure attribute is set.

    You can read an encrypted export file (only the session key and secure properties are encrypted) and you can delete the file. However, you cannot use the export file in a /import operation unless you provide the encrypting password. Also, you cannot remove the password encryption from an export file nor change the encrypting password.

    If you do not use password encryption, the session key and secure properties are encrypted with a blank password, which prevents you from reading them, but allows any member of the Administrators group to import the metabase from the export file. Neither IIS 5.1 nor IIS 6.0 supports machine key encryption of export files.

Formatting legend

Format: Meaning
Italic: Information that the user must supply
Bold: Elements that the user must type exactly as shown
Ellipsis (...): Parameter that can be repeated several times in a command line
Between brackets ([]): Optional items
Between braces ({}), with choices separated by pipe (|), for example {even|odd}: Set of choices from which the user must choose only one
Courier font: Code or program output