IT Nota

How to Delay Shutdown or Restart on a Windows Server

One client had a windows server with a memory leak problem that needed further investigation. While the application was still being checked, the production server had to be rebooted at least once a week.

What struck me was that they really assigned an FTE to log in after midnight to reboot the server manually. And this is really unnecessary.

While I understand that a highly critical system may need close supervision, most activities such as this can be done automatically using the shutdown.exe command tool. This tool is available on all Windows OS (server or desktop) and very handy for a super simple task like the case above. If needed, you can even do a more fancy automation with a script.

Nobody should do an extra work at odd hours just to reboot a server. You can always execute the shutdown command in advance by using a time-delay option.

For a server reboot with a time-delay, use the following command in Command Prompt window or Windows PowerShell:

PS H:\> shutdown /r /f /t 21600

/r – Restarts the computer after shutdown.

/f – Forces running applications to close without warning users.
Caution: Using the /f option might result in loss of unsaved data.

/t – Sets the time-out period before shutdown to xxx seconds.

In this example, the time is set to 21,600 seconds (or 6 hours).

Windows shutdown command tool - restart with parameters and confirmation

Pay attention that you get a confirmation window to check when the system will be rebooted (bottom right corner).

If you make a mistake or just want to change your mind on the parameters, you can always cancel your job by using /a parameter (abort). This only works when you use the time-delay. Otherwise the shutdown is instantly executed.

PS H:\> shutdown /a

Then you can execute a new shutdown command with the new parameters.

For more available options, you can run shutdown with a /? flag or check the link at the end of this post.

Important: If you want to really shut down a computer or server, you need to use /s parameter (instead of /r), but only use it to a local workstation or server that you can access. I personally never use this flag for any remote systems.

It’s also worth repeating from the remarks, that the user id you use to execute this command has to have the proper access level:

  • Users must be assigned the Shut down the system user right to shut down a local or remotely administered computer that is using the shutdown command.
  • Users must be members of the Administrators group to annotate an unexpected shutdown of a local or remotely administered computer. If the target computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. For more information, see:
    • Default local groups
    • Default groups

Yes, there is a situation that warrants a manual reboot when there are sensitive interconnecting processes involved, but for a simple server reboot, there’s always a smarter and more practical way to do it and we should try to utilize any tools provided to make life simpler and minimize burn out.

Further Reading

Windows Server: shutdown
How to Delay Shutdown or Restart on a Mac

How to Install a Certificate on Windows Server

Steps to Install a Certificate on a Window Server

  1. Right-click on Windows button at the bottom left corner and select Run.

  2. Type in mmc and click OK.

    Run MMC from Windows Run

  3. On the new Console window menu, click on file and select Add/Remove Snap-in… or press Ctrl+M.

  4. Select Certificates and click on Add > button. Select Computer account and click Next.

  5. Click on Local computer and click Finish. You should see Certificates (Local Computer) on the Selected snap-ins: pane. click OK.

    Add Certificates Snap-ins

  6. Under the Console Root on the left pane, expand on Personal, Certificates.

    Certificates import - All Tasks

  7. Import the certificate (pfx file) from Local Machine and click Next.

  8. Select the certificate file from the local folder and click Next.

    Certificate import wizard - pfx file

  9. Type in the password for the certificate and check on Include all extended properties and click Next.

    Certificate import wizard - certificate password

  10. Check on Place all certificates in the following storeCertificate store: and type in Personal if it’s not already filled in. Click Next.

  11. The Certificate Import Wizard will confirm all the selection. If everything is correct, just click on Finish and you should get a confirmation that the import was successful. Click OK and you’re done.

Please keep in mind if you’re installing this certificate for a website on IIS, you still need to assign the certificate to the corresponding website on IIS.

Further Reading

Installing the trusted root certificate

How to Change the Time Stamp of a File Using PowerShell

From time to time, you may need to modify the time stamp of a file for archiving or any other reasons.

This PowerShell script comes in handy when you need to do it. This is for a one-off tweak of a file. If you’re doing this in bulk, it’s probably better to use Robocopy with a /copy:T option (see an example here) to copy all the attributes including the time stamp.

PowerShell script to change the timestamp for a file

(Get-Item "C:\Temp\ITNota.txt").LastWriteTime=("6/1/2022 15:00:00")

Or

(Get-Item "C:\Temp\ITNota.txt").LastWriteTime=("1 June 2022 15:00:00")

Two versions of the script were provided to eliminate ambiguity of the date system. You just need to use one of them.

If you use the US date format, the first one will work. Otherwise, it’s always safer to spell out the date and the month.

Further Reading

How to Change File Date or Timestamp in Windows

How to Solve Intermittent 403 Error in IIS

Symptoms

You can load the page just fine, but after going through the pages quickly or by opening several tabs at once, you see a 403 error:

IIS 403 Error Forbidden Access is denied

403 - Forbidden: Access is denied.

You do not have permission to view this directory or page using the credentials that you supplied.

This is a bit misleading since you might right away think that the you do not have permission to access the web page or the folder. But you know you’re authenticated because you could see the page a few seconds ago and the problem is intermittent. So why do you get 403 Forbidden: Access is denied?

What to Check

The first thing you want to check is the IIS log and look for the specific error code (403) with the timestamp when you see the 403 error. You might see something similar to the following:

2022-02-02 22:33:58 10.20.128.70 POST /ResultPage.asp - 80 - 192.168.1.25 Mozilla/4.0... https://www.itnota.com/CheckPage.asp 403 501 0 0

Open up the IIS log in a text editor and search for ” 403″ (without quotes). A leading whitespace is added to narrow down the search. You can also use regular expression to be precise but for this exercise, I think it’s an overkill.

IIS Log Search for 403 501 error in a text editor

One key thing we need to pay attention to is to check the whole error code by looking the one next to the 403 → 501. So to be exact, the error code is actually 403.501.

If you check the definition of this error here, you’ll soon find out this error has nothing to do with permission in the traditional sense of how we understand it:

403.501 - Forbidden: Too many requests from the same client IP; Dynamic IP Restriction Concurrent request rate limit reached.

This is the real issue and it’s easier to fix once we’ve figured out that we need to look at the Dynamic IP Restriction.

So now we have three options:

  1. Disable Dynamic IP Restriction.
  2. Increase the Maximum number of concurrent requests.
  3. If your connection comes from the same IP address (i.e. F5), then you can create a whitelist based on its IP address.
  4. Maybe four, as you can combine option 2 and 3 if needed.

Whether you choose option 1, 2, or 3, all the settings are in the same location in IIS.

Steps

  1. Launch IIS Manager and on the left pane window, select the site that you want to modify.

  2. In the middle window, double-click on the IP Address and Domain Restrictions.

    IIS Settings IP Address and Domain Restrictions

  3. If you want to do either option 1 or 2, click on Edit Dynamic Restriction Settings… on the right window pane.

    IIS Edit Dynamic Restriction Settings Maximum Concurrent Requests

  4. Option 1: To disable the Dynamic IP Restrction, uncheck all the checkboxes and click OK.

  5. Option 2: Modify the number in the Maximum number of concurrent requests: and still leave the Deny IP Address based on the number of concurrent requests checked. Then click OK.

  6. Option 3: You can either leave the Dynamic Restriction Settings alone, or you may combine that setting with the whitelist as well.

  7. In IP Address and Domain Restrictions window, click on Add Allow Entry… on the right window pane.

    IIS Add Allow Entry window on IP Address and Domain Restrictions settings

    Note: All your modification is saved in applicationHost.config file in the server as indicated on the bottom of the IP Address and Domain Restrictions window.

  8. Add the IP Address you want to allow entry that’s not limited by the Dynamic Restriction Settings in the Specific IP address: textbox. Or you can enter a range of IP addresses under the IP address range: textbox. Then click OK.

    IIS IP Address and Domain Restrictions - Add Allow Entry

Additional Note

As mentioned earlier, all the settings we did above is saved applicationHost.config file. The file can be found in the following directory:

%windir%\system32\inetsrv\config

And all the steps above can be skipped if you edit the file using a text editor. I personally like to use GUI to prevent typos so just be aware of the risk of editing this file by hand.

  <location path="##Your-website-name-in-IIS##">
    <system.webServer>
      <asp appAllowClientDebug="true" appAllowDebugging="true" />
      <security>
        <ipSecurity>
          <add ipAddress="192.168.1.25" allowed="true" />
        </ipSecurity>
        <dynamicIpSecurity>
          <denyByConcurrentRequests maxConcurrentRequests="1" />
          <denyByRequestRate maxRequests="20" />
        </dynamicIpSecurity>
      </security>
    </system.webServer>
  </location>

That’s it.

Once you saved all the settings, the new change should take effect immediately.

Further Reading

The HTTP status code in IIS 7.0 and later versions
IIS 8.0 Dynamic IP Address Restrictions
Using Dynamic IP Restrictions
IIS Dynamic IP Restrictions whitelist

How to Get Application Pool Identity Password With AppCmd

Typically, web application is run using ApplicationPoolIdentity on IIS. However, for various reasons, it’s very common to find large corporations use service accounts to run the application pools.

IIS Application Pools example

Sometimes the challenge comes when you need to move the website to a different server and you’re not given the proper credential to set it up on the new environment. What’s worse, it’s also not uncommon to hear that sometimes not one soul in the company knows the password.

At that point, your options are usually to either have the password reset (a big No-No for a production application), or have a new service account created (also another headache if the service account is tied to other applications or batch jobs for logical grouping).

But there’s a simple trick that’s quite handy to get password from iis application pool by using AppCmd that is commonly used to migrate IIS websites.

Steps

  1. We know that the AppCmd can be used to export the Application Pool information to an XML file. And we can also export only a single AppPool. So in this case, just as an example, we want to export AppPool ITNOTA by typing the following in Command Prompt:

    C:\> %windir%\System32\inetsrv\appcmd list apppool "ITNOTA" /config /xml > C:\Temp\ItnotaAppPool.xml

    Export single AppPool by name to an XML file with appcmd.exe

  2. Once that was done, let’s open up ItnotaAppPool.xml file from C:\Temp folder. You would see something similar to the following:

    <?xml version="1.0" encoding="UTF-8"?>
<appcmd>
  <APPPOOL APPPOOL.NAME="ITNOTA" PipelineMode="Integrated" RuntimeVersion="4.0" state="Started">
    <add name="ITNOTA" autoStart="true" managedRuntimeVersion="v4.0">
      <processModel identityType="SpecificUser"
                    userName="ITNOTA\Admin_Service_Account"
                    password="###MyAccountPassword###"
                    idleTimeoutAction="Suspend" />
      <recycling>
        <periodicRestart>
          <schedule>
          </schedule>
        </periodicRestart>
      </recycling>
      <failure />
      <cpu />
      <environmentVariables>
      </environmentVariables>
    </add>
  </APPPOOL>
</appcmd>

    IIS AppPool export with identity password

    3. If you look at line 7 (highlighted), the password is there in clear text.

    Note: This XML is modified and compacted just to demonstrate where you can find the password ONLY if you use custom identity. If you use ApplicationPoolIdentity, there’s no password associated with it in the XML file.

In theory, you don’t need to look at the password to make the website run. Because importing the XML will transfer all the information exactly the same way as the current setting. So other than updating the IP address, the identity most of the time doesn’t need any modifications. But this trick is always useful, when you also need to retrieve a “lost” password for a service account that’s been there for years.

Further Reading

How to Migrate IIS Websites to a Different Server
Getting Started with AppCmd.exe
Exporting & Importing App Pools and Websites configuration between multiple IIS instances

Recent Posts

Tags

.NET .NET Core AdSense ASP.NET Cdonts Dll Classic ASP Code Editor ETL FSharp Genesis Framework Git Google HP Asset Manager HTML5 Hugo IIS Information Security Internet Internet Information Services iOS JAMStack Linux macOS Microsoft Microsoft SQL Server MVC PHP PowerShell Python Simple Mail Transfer Protocol Smtp Server SQL SQL Server SSIS SSMS SSRS Sublime Text Visual Studio Visual Studio Code VPN Windows Windows 8 Windows 10 Windows 2012 Windows Server