The Internet Information Services (IIS) Windows Process Activation Service (WAS) is needed for most Web sites because it supports the World Wide Web Publishing Service (W3SVC), which handles HTTP requests. The WAS Process Manager maps application pools to existing worker processes and spawns new instances of W3SVC to host new application pools as needed. If WAS is not available, most Web sites will not start..
Remap the built-in IIS accounts
IIS 7 uses several built-in Windows Server 2008 accounts, including the IIS_IUSRS group and the IUSR guest user account. These replace the <MACHINE_NAME>_USR account that was created by IIS 6.0.
A problem occurs when a Windows Server 2008 computer that hosts IIS 7 becomes a domain controller (DC) of a non-Windows Server 2008 domain (that is, a DC of a Windows 2000 or Windows Server 2003 domain). When the DC promotion occurs, the new Windows Server 2008 built-in accounts are no longer available to IIS 7. Any Access Control List (ACL) that uses the built-in accounts will not be able to resolve to a friendly name, but will instead show their raw SID (Security Identifier) values.
To resolve this issue, run a script that will restore the mapping of SIDs to friendly names for the built-in accounts. The script must be run on the DC while it is connected to its Primary Domain Controller (PDC). This will reestablish access to the built-in accounts that IIS 7 requires. To obtain the script, see the Knowledge Base article 946139, IIS7 built-in accounts become unavailable after Domain Controller promotion.
| Target | Microsoft.Windows.InternetInformationServices.2008.WebServer | ||
| Category | Alert | ||
| Enabled | True | ||
| Event_ID | 5153 | ||
| Event Source | Microsoft-Windows-WAS | ||
| Alert Generate | True | ||
| Alert Severity | Warning | ||
| Alert Priority | Normal | ||
| Remotable | True | ||
| Alert Message |
| ||
| Event Log | System |
| ID | Module Type | TypeId | RunAs |
|---|---|---|---|
| DS | DataSource | Microsoft.Windows.EventProvider | Default |
| WA | WriteAction | Microsoft.Windows.Server.IIS.2008.GenerateAlertAction.SuppressedByDescription | Default |
Home
ENU <Rule ID="Microsoft.Windows.InternetInformationServices.2008.WAS.encountered.an.error.attempting.to.look.up.the.built.in.IIS_IUSRS.group" Enabled="onEssentialMonitoring" Target="Microsoft.Windows.InternetInformationServices.2008.WebServer" ConfirmDelivery="false" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>Alert</Category>
<DataSources>
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>System</LogName>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">Microsoft-Windows-WAS</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>5153</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="WA" TypeID="Microsoft.Windows.Server.IIS.2008.GenerateAlertAction.SuppressedByDescription">
<Priority>1</Priority>
<Severity>1</Severity>
<AlertMessageId>$MPElement[Name="Microsoft.Windows.InternetInformationServices.2008.WAS.encountered.an.error.attempting.to.look.up.the.built.in.IIS_IUSRS.group.AlertMessage"]$</AlertMessageId>
</WriteAction>
</WriteActions>
</Rule>