janknut

asked on

IIS 6: Application Pool Invalid after demoting Windows Server 2003 domain controller to member server and changing server name

We recently upgraded our SBS 2003 server to SBS 2011 - we followed the SBS Migration process (http://www.sbsmigration.com/), which essentially results in migrating the existing AD from the 'old' SBS server / domain onto the new server.  In a nutshell, here's the issue:

In our SBS 2003 configuration, we had an additional domain controller (Windows Server 2003, *not* R2) named 'ML2' - this ran a web service that we created in-house, which has been running without incident for several years. As part of the migration, the following changes were made to the 'ML2' server:

1) It was demoted to a member server in the domain (via DCPromo) - note that the domain did not change, i.e. the active directory / domain is the same as the SBS 2003 domain.

2) The server was renamed 'ML3' (as we replaced both of the 'old' DC's).

As mentioned above, this server (ML3, formerly DC ML2) is running an IIS 6 web service used by our business partners. The service now returns the generic 'Service Unavailable' message. Troubleshooting this further, I'm seeing the W3SVC Event 1021: "The identity of application pool, 'PLDirectConnectAppPool' is invalid". The error number in the data field is: 80070569.

This application pool is using Configurable Identity, with the same domain user account that was working prior to our server migration. I've checked that this account is still a member of the IIS_WPG group, and also reset the password as a troubleshooting step.  

Following another suggestion, in ML3's Group Policy editor (Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment), I added the IIS_WPG group to the following:

- Adjust memory quotas for a process

- Logon as a service

- Replace a process level token.

(Even though the web service / app pool worked fine pre-migration without these policies).

None of the above has eliminated the 'Invalid Application Pool' event, however.

As a further test, I created a new user account in the domain, and added that to the IIS_WPG group.  I then created a new 'Test' Application pool using this account, and received the same error.  As a further test, I added the test account to the Domain Admins group (same result) and then tried specifying the domain Administrator account as the Configurable Identity.  Same result.

At this point, I'm a little confused and out of ideas about what might be wrong and how to further troubleshoot this issue.

Any ideas anybody?  
Darrell Porter

Check the permissions on C:\WINDOWS\system32\inetsrv\ and subdirectories to ensure the account you are using has appropriate permissions (I doubt this is the issue since you used a domain admin, but weird things can happen when IIS-enabled DCs get demoted).

Does ML3's Local Administrators group contain the domain's Domain Administrators group?  Again - weird things can happen.

Does the account you want to use have the local user right "Act as part of the operating system" ?

And finally, did you restart IIS after making the changes you had previously executed?
janknut

ASKER

Hi Tigger:

I should have mentioned that I also reviewed permissions on:
%systemroot%\Help\iisHelp\Common,
%systemroot%\system32\inetsrv\ASP Compiled Templates , and
%systemroot%\IIS Temporary Compressed
(as per http://support.microsoft.com/kb/842493)

ML3\Local Administrators group does contain the domain's Domain Administrators group.

I added the account to the "Act as part of the operating system" right (though the service apparently worked fine without this prior to the migration).

And, yes, I restarted IIS repeatedly while applying the above changes and just now... alas, still "no love".

Darrell Porter

Here's a recommendation of last resort...

Did you try promoting ML3 to be a DC again to see if this resolves the issue?

The only other thing I can think of involves sacrificing roosters at high noon.
janknut

ASKER

Also, perhaps this is useful in diagnosis:

Even though I'm logging onto ML3 using the domain administrator account, I'm always asked to supply credentials when browsing the domain's AD (e.g. selecting a user / group in IIS Manager).

Note that I'm prompted each time I simply browse/access the AD, before applying any changes.
janknut

ASKER

Hmmm... I'll consider the DCPromo route... won't have time to try that until later tomorrow or this weekend, but might be worth a shot if nothing else works...

Darrell Porter

That's interesting - that leads me to believe there is something wrong with the machine account in AD.

I would disjoin then rejoin the machine to AD.
janknut

ASKER

After a much needed nap, I realized that the prompting for credentials likely meant that I'd goofed and actually had logged on to the server using the local administrator account (which happened to have the same password). Retracing my steps, that was in fact the case... so sorry for the red herring about credentials.

Logged in as the domain admin, there's no problem browsing AD and such, but the other symptoms remain. If I change the application pool's Identity from Configurable to Predefined: Network Service then the pool 'works', and the web service returns the (expected) HTTP 403 Forbidden page. As such, I'm confident that a Hello World site will work under this scenario, but what I need is a Configurable identity as this service accesses a SQL Server DB and NTFS shares on servers in our domain.

I'm wondering if the error data for the W3SVC Event 1021 ( 80070569 ) is significant? I saw one post where somebody claimed this was an authentication error; but I've checked the password several times, and even using the domain administrator (checked again just now that it is the domain administrator specified) for the app pool still returns the 'Invalid App pool' Event 1021.

My hunch is that if I can solve this app pool issue, the web service will once again operate as expected.
ASKER CERTIFIED SOLUTION

Darrell Porter
janknut

ASKER

Okay, the service is working again... in this case, I needed to run aspnet_regiis with the -ga flag and the domain qualified user name (i.e. MyDomain\TheUser). This was part of the information in the post referenced above.

For anybody with a similar issue in the future, I did not need to perform the "Run setspn on the domain controller" step also referenced above.

Once the application pool was once again functional, a few tweaks to the Windows Firewall (creating an exception for the custom port the service uses) and granting 'read' and 'delete' permissions on c:\windows\temp for the same user that's specified in the app pool's configurable identity were the only remaining obstacles to getting things working.

Note that I did not need (nor attempt) to remove/rejoin the server to the domain again, nor run dcpromo to resolve this issue.  Thanks to W.Tigger for helping me troubleshoot the symptoms and pointing me to the solution via the above post.
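As an added example that is not code from the thread or from Experts Exchange, a batch file that applies the fix the asker describes (aspnet_regiis -ga) and re-checks the items raised earlier in the thread before restarting IIS; MyDomain\TheUser, the .NET 2.0 path, port 8085 and the use of icacls (Windows Server 2003 SP2 or later) are assumptions.

```batch
@echo off
REM Added example, not code from the thread: re-grant an IIS 6 configurable-identity
REM account the metabase/ASP.NET ACLs that aspnet_regiis manages, then re-check the
REM points the thread walks through.
REM Assumptions (not on the page): domain MyDomain, account TheUser, .NET 2.0 path,
REM service port 8085, and icacls being present (Server 2003 SP2 or later).
setlocal
set POOLUSER=MyDomain\TheUser
set POOLNAME=PLDirectConnectAppPool
set SVCPORT=8085
set NETFX=%SystemRoot%\Microsoft.NET\Framework\v2.0.50727
set ADSUTIL=%SystemRoot%\system32\inetsrv\AdminScripts\adsutil.vbs

REM 1. The fix the asker landed on: grant the account the rights ASP.NET/IIS need.
"%NETFX%\aspnet_regiis.exe" -ga %POOLUSER%
if errorlevel 1 (echo aspnet_regiis -ga failed for %POOLUSER% & exit /b 1)

REM 2. Sanity checks: the account is in IIS_WPG, and the pool really uses it
REM    (AppPoolIdentityType 3 = configurable identity, WAMUserName = the account).
net localgroup IIS_WPG | findstr /I /C:"%POOLUSER%" >nul || echo WARNING: %POOLUSER% is not in IIS_WPG
cscript //nologo "%ADSUTIL%" GET W3SVC/AppPools/%POOLNAME%/AppPoolIdentityType
cscript //nologo "%ADSUTIL%" GET W3SVC/AppPools/%POOLNAME%/WAMUserName

REM 3. The two follow-ups from the thread: open the service port in Windows Firewall
REM    and give the pool identity read + delete on %SystemRoot%\temp.
netsh firewall add portopening protocol=TCP port=%SVCPORT% name="%POOLNAME%" mode=ENABLE
icacls "%SystemRoot%\temp" /grant "%POOLUSER%":(R,D)

REM 4. Restart IIS; afterwards confirm the System event log no longer records
REM    W3SVC event 1021 for the pool when the first request arrives.
iisreset
endlocal
```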

Darrell Porter

My Google-fu at work - always happy to help and thank you for your patience while working through to a solution.