I have a Windows 2012 R2 server that was configured with IIS, websites, and other supporting software while not connected to a domain. After the server was joined to a domain IIS AppPools crash when the a website is requested.
The problem I'm seeing is that any time I test a webpage I'm getting a 503 Service Unavailable error. For example, if I go to "http://localhost/dc/" I receive this error message:
I have found that the ApplicationPools are crashing when a webpage is requested. For example, the Default Web Site uses the application pool DefaultAppPool. If I make sure this is started and then request a webpage the DefaultAppPool is stopped.
Looking in the event viewer I can see this message: "The worker process failed to initialize correctly and therefore could not be started. The data is the error."
The data in the error is "80070005". Using MS's err.exe tool I looked this up and got this information back:
C:\Users\dhughes.figleaf\Desktop\Err>err.exe 80070005 # for hex 0x80070005 / decimal -2147024891 : COR_E_UNAUTHORIZEDACCESS corerror.h # MessageText: # Access is denied. DIERR_OTHERAPPHASPRIO dinput.h DIERR_READONLY dinput.h DIERR_HANDLEEXISTS dinput.h DSERR_ACCESSDENIED dsound.h ecAccessDenied ec.h ecPropSecurityViolation ec.h MAPI_E_NO_ACCESS mapicode.h STIERR_READONLY stierr.h STIERR_NOTINITIALIZED stierr.h E_ACCESSDENIED winerror.h # General access denied error # 11 matches found for "80070005"
All I can tell from this is that this appears to be an access denied error. But I'm not sure what's being denied. I've made sure that the permissions on the inetpub directory are correct, but that didn't make a difference. I also added in the IIS Failed Request Tracing module and that didn't log anything at all.
I used process explorer to watch the w3svc process and saw that when I tried to access a webpage that the process would attempt to access configuration information under the windows directory but was denied access.
I've tried fiddling with permissions on the IIS config directory but I'm unable to make changes there and, frankly, it just feels wrong to have to do that.
Does anyone know where this error might be coming from or how I could further research it?
I've also tried:
Of possible relevance: This is a VM that was cloned from another VM.
Any help or suggestions would be greatly appreciated.
I found this problem happening on a newly installed system, with a newly installed IIS, and a default app pool with pages in the default site.
We found that the only (seeming) solution (in IIS) was to change the app pool's identity (in the app pool's "Advanced Settings") from the default of applicationpoolidentity to either of the 3 other options: localservice, localsystem, or networkservice. (Don't forget to start the app pool after making the change.)
As for why this worked, and what the implications are (running the app pool that way, or why the default did not work), we did not get a chance to explore.
I do think that this server in question was indeed join to an AD, as Doug notes in his original post (long time, no talk, Doug). So that seems to be where the problem is. And I suspect there may be a better solution than what we did. I'll look forward to seeing if others ever elaborate on this.
But since others are raising this issue here and elsewhere, and this is among the first google search results where the thread is not closed and I can offer this reply, I hope at least this workaround may help someone.
It's possible that a GPO is affecting the server when it's joined to the domain, in a way that doesn't allow the app pool identity to work properly.
You should look out for GPOs that affect user rights; the most likely culprits are those ones that restrict the "log on as a service" right, or that manipulate local group membership.
gpresult allows you to examine which GPOs are applied to the computer and which settings do they apply.
User contributions licensed under CC BY-SA 3.0