IIS AppPools stop working when server joined to domain

2

I have a Windows 2012 R2 server that was configured with IIS, websites, and other supporting software while not connected to a domain. After the server was joined to a domain, IIS AppPools crash when a website is requested.

The problem I'm seeing is that any time I test a webpage I'm getting a 503 Service Unavailable error. For example, if I go to "http://localhost/dc/" I receive this error message:

Service Unavailable

I have found that the ApplicationPools are crashing when a webpage is requested. For example, the Default Web Site uses the application pool DefaultAppPool. If I make sure this is started and then request a webpage the DefaultAppPool is stopped.

Looking in the event viewer I can see this message: "The worker process failed to initialize correctly and therefore could not be started. The data is the error."

The data in the error is "80070005". Using MS's err.exe tool I looked this up and got this information back:

C:\Users\dhughes.figleaf\Desktop\Err>err.exe 80070005
# for hex 0x80070005 / decimal -2147024891 :
  COR_E_UNAUTHORIZEDACCESS                                      corerror.h
# MessageText:
# Access is denied.
  DIERR_OTHERAPPHASPRIO                                         dinput.h
  DIERR_READONLY                                                dinput.h
  DIERR_HANDLEEXISTS                                            dinput.h
  DSERR_ACCESSDENIED                                            dsound.h
  ecAccessDenied                                                ec.h
  ecPropSecurityViolation                                       ec.h
  MAPI_E_NO_ACCESS                                              mapicode.h
  STIERR_READONLY                                               stierr.h
  STIERR_NOTINITIALIZED                                         stierr.h
  E_ACCESSDENIED                                                winerror.h
# General access denied error
# 11 matches found for "80070005"

All I can tell from this is that this appears to be an access denied error. But I'm not sure what's being denied. I've made sure that the permissions on the inetpub directory are correct, but that didn't make a difference. I also added in the IIS Failed Request Tracing module and that didn't log anything at all.

I used Process Explorer to watch the w3svc process and saw that when I tried to access a webpage, the process would attempt to access configuration information under the Windows directory but was denied access.

I've tried fiddling with permissions on the IIS config directory but I'm unable to make changes there and, frankly, it just feels wrong to have to do that.

Does anyone know where this error might be coming from or how I could further research it?

I've also tried:

  • Removing the server from the domain does resolve the IIS AppPool crashing problem, but the server needs to be connected to the domain.
  • I've tried uninstalling and reinstalling IIS. The problem persists.

Of possible relevance: This is a VM that was cloned from another VM.

Any help or suggestions would be greatly appreciated.

active-directory
permissions
windows-server-2012-r2
iis-8
asked on Server Fault Sep 10, 2015 by Doug Hughes

2 Answers

0

I found this problem happening on a newly installed system, with a newly installed IIS, and a default app pool with pages in the default site.

We found that the only (seeming) solution (in IIS) was to change the app pool's identity (in the app pool's "Advanced Settings") from the default of ApplicationPoolIdentity to any of the 3 other options: LocalService, LocalSystem, or NetworkService. (Don't forget to start the app pool after making the change.)

As for why this worked, and what the implications are (running the app pool that way, or why the default did not work), we did not get a chance to explore.

I do think that the server in question was indeed joined to an AD, as Doug notes in his original post (long time, no talk, Doug). So that seems to be where the problem is. And I suspect there may be a better solution than what we did. I'll look forward to seeing if others ever elaborate on this.

But since others are raising this issue here and elsewhere, and this is among the first Google search results where the thread is not closed and I can offer this reply, I hope at least this workaround may help someone.

answered on Server Fault Apr 14, 2017 by charlie arehart
0

It's possible that a GPO is affecting the server when it's joined to the domain, in a way that doesn't allow the app pool identity to work properly.

You should look out for GPOs that affect user rights; the most likely culprits are those ones that restrict the "log on as a service" right, or that manipulate local group membership.

gpresult allows you to examine which GPOs are applied to the computer and which settings they apply.

answered on Server Fault Feb 6, 2021 by Massimo
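
The check suggested in the answer above could be run as follows; this is an added example, not part of the original answers. It assumes an elevated PowerShell prompt on the affected server; the output paths and the helper name `Resolve-Principal` are choices made for the example, and looking at the matching deny right as well is the example's own extension of the suggestion.

```powershell
# Added example. Run from an elevated PowerShell prompt on the IIS server.
$report = Join-Path $env:TEMP 'gpresult-computer.html'   # arbitrary output path
$inf    = Join-Path $env:TEMP 'user-rights.inf'          # arbitrary output path

# 1. Report the GPOs applied to the computer and the settings they carry.
gpresult /scope computer /h $report /f

# 2. Export the effective user rights assignment of the local security policy.
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Hypothetical helper: secedit writes most principals as "*<SID>".
function Resolve-Principal([string]$Entry) {
    if (-not $Entry.StartsWith('*')) { return $Entry }    # already a name
    $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.TrimStart('*'))
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }                                  # SID with no resolvable name
}

# "Log on as a service" and its deny counterpart.
foreach ($right in 'SeServiceLogonRight', 'SeDenyServiceLogonRight') {
    $hit = Select-String -Path $inf -Pattern "^$right\s*=" | Select-Object -First 1
    if (-not $hit) { "${right}: no entry in the export"; continue }
    "${right}:"
    ($hit.Line -split '=', 2)[1].Split(',') |
        Where-Object { $_.Trim() } |
        ForEach-Object { '  ' + (Resolve-Principal $_.Trim()) }
}

"GPO report written to $report"
```

Comparing this output before and after the domain join (or against a working standalone server) shows whether a domain policy changed who holds the right.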

User contributions licensed under CC BY-SA 3.0