IIS 6: Application Pool Invalid after demoting Windows Server 2003 domain controller to member server and changing server name

Posted on 2011-10-27
Last Modified: 2012-05-12
We recently upgraded our SBS 2003 server to SBS 2011 - we followed the SBS Migration process, which essentially results in migrating the existing AD from the 'old' SBS server / domain onto the new server. In a nutshell, here's the issue:

 In our SBS 2003 configuration, we had an additional domain controller (Windows Server 2003, *not* R2) named 'ML2' - this ran a web service that we created in-house, which has been running without incident for several years. As part of the migration, the following changes were made to the 'ML2' server:

1) It was demoted to a member server in the domain (via DCPromo) - note that the domain did not change, i.e. the active directory / domain is the same as the SBS 2003 domain.

2) The server was renamed 'ML3' (as we replaced both of the 'old' DC's).

As mentioned above, this server (ML3, formerly DC ML2) is running an IIS 6 web service used by our business partners. The service now returns the generic 'Service Unavailable' message. Troubleshooting this further, I'm seeing the W3SVC Event 1021: "The identity of application pool, 'PLDirectConnectAppPool' is invalid". The error number in the data field is: 80070569.

This application pool is using Configurable Identity, with the same domain user account that was working prior to our server migration. I've checked that this account is still a member of the IIS_WPG group, and also reset the password as a troubleshooting step.

Following another suggestion, in ML3's Group Policy editor (Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment), I added the IIS_WPG group to the following:

- Adjust memory quotas for a process

- Logon as a service

- Replace a process level token.

(Even though the web service / app pool worked fine pre-migration without these policies).

None of the above has eliminated the 'Invalid Application Pool' event, however.

As a further test, I created a new user account in the domain, and added that to the IIS_WPG group. I then created a new 'Test' Application pool using this account, and received the same error. As a further test, I added the test account to the Domain Admins group (same result) and then tried specifying the domain Administrator account as the Configurable Identity. Same result.

At this point, I'm a little confused and out of ideas about what might be wrong and how to further troubleshoot this issue.

Any ideas anybody?

Question by: janknut


    Expert Comment

    Check the permissions on C:\WINDOWS\system32\inetsrv\ and subdirectory to ensure the account you are using has appropriate permissions (I doubt this is the issue since you used a domain admin, but weird things can happen when IIS-enabled DCs get demoted).

    Does ML3's Local Administrators group contain the domain's Domain Administrators group? Again - weird things can happen.

    Does the account you want to use have the local user right "Act as part of the operating system"?

    And finally, did you restart IIS after making the changes you had previously executed?

    Author Comment

    Hi Tigger:

    I should have mentioned that I also reviewed permissions on:
    %systemroot%\system32\inetsrv\ASP Compiled Templates , and
    %systemroot%\IIS Temporary Compressed
    (as per

    ML3\Local Administrators group does contain the domain's Domain Administrators group.

    I added the account to the "Act as part of the operating system" (though the service apparently worked fine without this prior to the migration).

    And, yes, I restarted IIS repeatedly while applying the above changes and just now... alas, still "no love".

    Expert Comment

    Here's a recommendation of last resort...

    Did you try promoting ML3 to be a DC again to see if this resolves the issue?

    The only other thing I can think of involves sacrificing roosters at high noon.

    Author Comment

    Also, perhaps this is also useful in diagnosis:

    Even though I'm logging onto ML3 using the domain administrator account, I'm always asked to supply credentials when browsing the domain's AD (e.g. selecting a user / group in IIS Manager).

    Note that I'm prompted each time I simply browse/access the AD, before applying any changes.

    Author Comment

    Hmmm... I'll consider the DCPromo route... won't have time to try that until later tomorrow or this weekend, but might be worth a shot if nothing else works...

    Expert Comment

    That's interesting - that leads me to believe there is something wrong with the machine account in AD.

    I would disjoin then rejoin the machine to AD.

    Author Comment

    After a much-needed nap, I realized that the prompting for credentials likely meant that I'd goofed and actually had logged on to the server using the local administrator account (which happened to have the same password). Retracing my steps, that was in fact the case... so sorry for the red herring about credentials.

    Logged in as the domain admin, there's no problem browsing AD and such, but the other symptoms remain. If I change the application pool's Identity from Configurable to Predefined: Network Service then the pool 'works', and the web service returns the (expected) HTTP 403 Forbidden page. As such, I'm confident that a Hello World site will work under this scenario, but what I need is a Configurable identity as this service accesses a SQL Server DB and NTFS shares on servers in our domain.

    I'm wondering if the error data for the W3SVC Event 1021 (80070569) is significant? I saw one post where somebody claimed this was an authentication error; but I've checked the password several times, and even using the domain administrator (checked again just now that it is the domain administrator specified) for the app pool still returns the 'Invalid App pool' Event 1021.

    My hunch is that if I can solve this app pool issue, the web service will once again operate as expected.

    Accepted Solution

    Did you check permissions on

    and if so, was the IIS_WPG group granted appropriate permissions?

    Also, take a look at the suggestions given here

    Author Comment

    Okay, the service is working again... in this case, I needed to run aspnet_regiis with the -ga flag and the domain-qualified user name (i.e. MyDomain\TheUser). This was part of the information in the post referenced above.

    For anybody with a similar issue in the future, I did not need to perform the "Run setspn on the domain controller" step also referenced above.

    Once the application pool was once again functional, a few tweaks to the Windows Firewall (creating an exception for the custom port the service uses) and granting 'read' and 'delete' permissions on c:\windows\temp for the same user that's specified in the app pool's configurable identity were the only remaining obstacles to getting things working.

    Note that I did not need (nor attempt) to remove/rejoin the server to the domain again, nor run dcpromo to resolve this issue. Thanks to W.Tigger for helping me troubleshoot the symptoms and pointing me to the solution via the above post.
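The checks the thread walked through by hand (decode the 1021 event's data field, confirm the pool really runs as a configurable identity, confirm that account is in the local IIS_WPG group, then apply the aspnet_regiis -ga fix from the accepted answer) can be scripted. The following PowerShell is an added example written for this page, not code from the thread or from Microsoft; it assumes it runs on the IIS 6 host as a local administrator, that the IIS ADSI provider (part of IIS 6) and .NET Framework 2.0 are present, and it uses the pool name and event data value quoted in the question as defaults.

```powershell
# Diagnostic for W3SVC Event 1021 ("identity of application pool ... is invalid") on IIS 6.
# Added example for this thread; the pool name and event data are the values quoted above.
param(
    [string]$PoolName  = 'PLDirectConnectAppPool',   # app pool named in the question
    [string]$EventData = '80070569'                  # data field of the W3SVC 1021 event
)

# 1. Decode the HRESULT in the event's data field. 0x8007xxxx is FACILITY_WIN32 (facility 7),
#    so the low 16 bits are an ordinary Win32 error code that Win32Exception can describe.
$hr       = [Convert]::ToUInt32($EventData, 16)
$facility = [int](($hr -band 0x07FF0000) / 0x10000)
if ($facility -eq 7) {
    $win32 = [int]($hr -band 0xFFFF)
    $msg   = (New-Object ComponentModel.Win32Exception($win32)).Message
    Write-Host ("Event data 0x{0:X8} = Win32 error {1}: {2}" -f $hr, $win32, $msg)
} else {
    Write-Host ("Event data 0x{0:X8} is not a Win32-facility HRESULT (facility {1})" -f $hr, $facility)
}

# 2. Read the pool's identity through the IIS 6 ADSI provider.
#    AppPoolIdentityType: 0 = LocalSystem, 1 = LocalService, 2 = NetworkService,
#    3 = configurable account stored in WAMUserName.
$pool         = [ADSI]"IIS://localhost/W3SVC/AppPools/$PoolName"
$identityType = [int]$pool.Properties['AppPoolIdentityType'].Value
if ($identityType -ne 3) {
    Write-Host "Pool '$PoolName' uses a predefined identity (type $identityType); no account to check."
    return
}
$account = [string]$pool.Properties['WAMUserName'].Value    # expected form: DOMAIN\user
Write-Host "Pool '$PoolName' runs as configurable identity '$account'"

# 3. Confirm the account is a member of the local IIS_WPG group, the group that gives a
#    worker-process identity its rights on IIS 6. Membership is read via the WinNT provider;
#    ADsPath comes back as WinNT://DOMAIN/user, so the DOMAIN\user name is rewritten to match.
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/IIS_WPG,group"
$members = @($group.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
}
$wanted = 'WinNT://' + ($account -replace '\\', '/')
if ($members -contains $wanted) {
    Write-Host "OK: '$account' is a member of IIS_WPG on $env:COMPUTERNAME"
} else {
    Write-Host "MISSING: '$account' is not in IIS_WPG; current members:"
    $members | ForEach-Object { Write-Host "  $_" }
}

# 4. The step that resolved the thread: re-register the identity with aspnet_regiis -ga, which
#    grants it the ACLs and rights ASP.NET worker processes need. The command is printed for the
#    administrator to review and run, not executed by this script.
$regiis = Join-Path $env:windir 'Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe'
Write-Host "If membership and password are correct and Event 1021 persists, run:"
Write-Host "  `"$regiis`" -ga $account"
Write-Host "then restart IIS (iisreset) and re-check the System log for further W3SVC 1021 events."
```

On an English system the first step prints Win32 error 1385 for the thread's value, which is the "user has not been granted the requested logon type at this computer" logon-rights failure; that is consistent with the thread's finding that the account, not the password, was the problem and that aspnet_regiis -ga repaired it.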

    Expert Comment

    My Google-fu at work - always happy to help and thank you for your patience while working through to the solution.
