Solved

IIS 6: Application Pool Invalid after demoting Windows Server 2003 domain controller to member server and changing server name

Posted on 2011-10-27
Last Modified: 2012-05-12
We recently upgraded our SBS 2003 server to SBS 2011 - we followed the SBS Migration process (http://www.sbsmigration.com/), which essentially results in migrating the existing AD from the 'old' SBS server / domain onto the new server.  In a nutshell, here's the issue:

 In our SBS 2003 configuration, we had an additional domain controller (Windows Server 2003, *not* R2) named 'ML2' - this ran a web service that we created in-house, which has been running without incident for several years. As part of the migration, the following changes were made to the 'ML2' server:

1) It was demoted to a member server in the domain (via DCPromo) - note that the domain did not change, i.e. the active directory / domain is the same as the SBS 2003 domain.

2) The server was renamed 'ML3' (as we replaced both of the 'old' DC's).

As mentioned above, this server (ML3, formerly DC ML2) is running an IIS 6 web service used by our business partners. The service now returns the generic 'Service Unavailable' message.  Troubleshooting this further, I'm seeing the W3SVC Event 1021 : "The identity of application pool, 'PLDirectConnectAppPool' is invalid". The error number in the data field is: 80070569.

This application pool is using Configurable Identity, with the same domain user account that was working prior to our server migration. I've checked that this account is still a member of the IIS_WPG group, and also reset the password as a troubleshooting step.  

Following another suggestion, in ML3's Group Policy editor (Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment), I added the IIS_WPG group to the following:

- Adjust memory quotas for a process

- Logon as a service

- Replace a process level token.

(Even though the web service / app pool worked fine pre-migration without these policies).

None of the above has eliminated the 'Invalid Application Pool' event, however.

As a further test, I created a new user account in the domain, and added that to the IIS_WPG group.  I then created a new 'Test' Application pool using this account, and received the same error.  As a further test, I added the test account to the Domain Admins group (same result) and then tried specifying the domain Administrator account as the Configurable Identity.  Same result.

At this point, I'm a little confused and out of ideas about what might be wrong and how to further troubleshoot this issue.

Any ideas anybody?  
Question by:janknut

10 Comments
 

Expert Comment

by:WalkaboutTigger
ID: 37041520
Check the permissions on C:\WINDOWS\system32\inetsrv\ and subdirectory to ensure the account you are using has appropriate permissions (I doubt this is the issue since you used a domain admin, but weird things can happen when IIS-enabled DCs get demoted).

Does ML3's Local Administrators group contain the domain's Domain Administrators group?  Again - weird things can happen.

Does the account you want to use have the local user right "Act as part of the operating system" ?

And finally, did you restart IIS after making the changes you had previously executed?
 

Author Comment

by:janknut
ID: 37041835
Hi Tigger:

I should have mentioned that I also reviewed permissions on:
%systemroot%\Help\iisHelp\Common,
%systemroot%\system32\inetsrv\ASP Compiled Templates , and
%systemroot%\IIS Temporary Compressed
(as per http://support.microsoft.com/kb/842493)

ML3\Local Administrators group does contain the domain's Domain Administrators group.

I added the account to the "Act as part of the operating system" (though the service apparently worked fine without this prior to the migration).

And, yes, I restarted IIS repeatedly while applying the above changes and just now... alas, still "no love".
 

Expert Comment

by:WalkaboutTigger
ID: 37041842
Here's a recommendation of last resort...

Did you try promoting ML3 to be a DC again to see if this resolves the issue?

The only other thing I can think of involves sacrificing roosters at high noon.

Author Comment

by:janknut
ID: 37041872
Also, perhaps this is also useful in diagnosis:

Even though I'm logging onto ML3 using the domain administrator account, I'm always asked to supply credentials when browsing the domain's AD (e.g. selecting a user / group in IIS Manager).

Note that I'm prompted each time I simply browse/access the AD, before applying any changes.
 

Author Comment

by:janknut
ID: 37041895
Hmmm... I'll consider the DCPromo route... won't have time to try that until later tomorrow or this weekend, but might be worth a shot if nothing else works...

Expert Comment

by:WalkaboutTigger
ID: 37041924
That's interesting - that leads me to believe there is something wrong with the machine account in AD.

I would disjoin then rejoin the machine to AD.
 

Author Comment

by:janknut
ID: 37043567
After a much needed nap, I realized that the prompting for credentials likely meant that I'd goofed and actually had logged on to the server using the local administrator account (which happened to have the same password). Retracing my steps that was in fact the case... so sorry for the red herring about credentials.

Logged in as the domain admin, there's no problem browsing AD and such, but the other symptoms remain. If I change the application pool's Identity from Configurable to Predefined: Network Service then the pool 'works', and the web service returns the (expected) HTTP 403 Forbidden page. As such, I'm confident that a Hello World site will work under this scenario, but what I need is a Configurable identity as this service accesses a SQL Server DB and NTFS shares on servers in our domain.

I'm wondering if the error data for the W3SVC Event 1021 ( 80070569 ) is significant? I saw one post where somebody claimed this was an authentication error; but I've checked the password several times, and even using the domain administrator (checked again just now that it is the domain administrator specified) for the app pool still returns the 'Invalid App pool' Event 1021.

My hunch is that if I can solve this app pool issue, the web service will once again operate as expected.

Accepted Solution

by:WalkaboutTigger (earned 2000 total points)
ID: 37045092
Did you check permissions on

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ASP.NET_2.0.50727\Names

and if so, was the IIS_WPG group granted appropriate permissions?

Also, take a look at the suggestions given here

http://gabe19.blogspot.com/2006/11/enable-domain-account-as-app-pool.html
 

Author Comment

by:janknut
ID: 37059560
Okay, the service is working again... in this case, I needed to run aspnet_regiis with the -ga flag and the domain-qualified user name (i.e. MyDomain\TheUser). This was part of the information in the post referenced above.

For anybody with a similar issue in the future, I did not need to perform the "Run setspn on the domain controller" step also referenced above.

Once the application pool was once again functional, a few tweaks to the Windows Firewall (creating an exception for the custom port the service uses) and granting 'read' and 'delete' permissions on c:\windows\temp for the same user that's specified in the app pool's configurable identity were the only remaining obstacles to getting things working.

Note that I did not need (nor attempt) to remove/rejoin the server to the domain again, nor run dcpromo to resolve this issue.  Thanks to W.Tigger for helping me troubleshoot the symptoms and pointing me to the solution via the above post.
0
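As an added example (not code from this thread or from the linked blog post), here is a PowerShell pre-flight check that walks the points the discussion converged on: it decodes the Event 1021 data value 80070569, checks IIS_WPG membership, inspects the ACLs on the ASP.NET registry key and %windir%\temp named above, and prints the aspnet_regiis -ga command janknut ran. The account name MYDOMAIN\svc_apppool is an assumed placeholder; run it on the IIS 6 host as an administrator.

```powershell
# Added example: pre-flight checks for an IIS 6 configurable app pool identity.
# The account below is an assumed placeholder; replace it with the real identity.
param([string]$Identity = 'MYDOMAIN\svc_apppool')

# 1. Decode the W3SVC 1021 data field. 0x80070569 wraps Win32 error 0x569 (1385),
#    ERROR_LOGON_TYPE_NOT_GRANTED: the account lacks the logon type IIS asked for,
#    which is why user-rights assignments (log on as a service/batch) matter here.
$hresult = 0x80070569
$win32   = $hresult -band 0xFFFF
Write-Host ("Event data 0x{0:X8} -> Win32 error {1} (ERROR_LOGON_TYPE_NOT_GRANTED)" -f $hresult, $win32)

# 2. Is the account a member of the local IIS_WPG group? (ADSI WinNT provider)
$wpg     = [ADSI]"WinNT://$env:COMPUTERNAME/IIS_WPG,group"
$members = @($wpg.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
$user = $Identity.Split('\')[-1]
Write-Host ("IIS_WPG contains {0}: {1}" -f $user, ($members -contains $user))

# 3. Does IIS_WPG have rights on the ASP.NET 'Names' key the accepted answer points at?
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\ASP.NET_2.0.50727\Names'
if (Test-Path $key) {
    (Get-Acl $key).Access | Where-Object { $_.IdentityReference -like '*IIS_WPG' } |
        ForEach-Object { Write-Host ("  {0}: {1}" -f $_.IdentityReference, $_.RegistryRights) }
} else {
    Write-Host "Key not found: $key"
}

# 4. Does the identity have an explicit ACE on %windir%\temp (the thread's last obstacle)?
(Get-Acl "$env:windir\temp").Access |
    Where-Object { $_.IdentityReference -eq $Identity } |
    ForEach-Object { Write-Host ("  temp: {0} {1}" -f $_.AccessControlType, $_.FileSystemRights) }

# 5. The command that resolved the thread: aspnet_regiis -ga grants the account access
#    to the IIS metabase and the directories ASP.NET uses. Printed, not executed.
$regiis = Join-Path $env:windir 'Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe'
Write-Host "To apply: `"$regiis`" -ga $Identity   (then restart IIS: iisreset)"
```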
 

Expert Comment

by:WalkaboutTigger
ID: 37059579
My Google-fu at work - always happy to help and thank you for your patience while working through to a solution.