Microsoft KB Archive/332097

= DCPROMO does not retain permissions on some IIS folders =

Article ID: 332097

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Internet Information Server 1.01
 * Microsoft Internet Information Services 6.0

-



This article was previously published under Q332097





SYMPTOMS
When you promote a Microsoft Windows Server 2003 member server to a domain controller, if Internet Information Services (IIS) is installed on the server, you may see the following symptoms:
 * No compressed files are stored in the temporary folder (also known as the cache directory), even though a client that supports HTTP compression has requested them.
 * No files are cached in the ASP Compiled Templates folder.

For security reasons, IIS should not be installed on domain controllers.



CAUSE
The operation that promotes a member server to a domain controller (DCPromo.exe) resets permissions on some folders. The Access Control Lists (ACLs) for three folders are not set correctly during this operation.



MORE INFORMATION
You may also see the following in your application event log: Source : Active Server Pages

Event ID: 5

Error: The Template Persistent Cache initialization failed for Application Pool&quot; AppPoolName: because of the following error: Could not create a Disk Cache Sub-directory for the Application Pool. The data may have additional error codes: If you view permissions on the following folders, you will see that the IIS_WPG and the NT AUTHORITY\NETWORK SERVICE groups do not have permissions on these folders:
 * \Help\IISHelp\Common
 * \System32\Inetsrv\ASP Compiled Templates
 * \IIS Temporary Compressed Files



Manually set permissions on the folders

 * 1) Click Start, click Windows Explorer, double-click My Computer, double-click the system drive (this is typically drive C), and then double-click WINDOWS or WINNT.
 * 2) Double-click Help, double-click iisHelp, right-click common, and then click Sharing and Security.
 * 3) Click Security, click Add, type IIS_WPG, and then click OK.
 * 4) With IIS_WPG selected, click to select the following check boxes, and then click OK:
 * 5) * Read and Execute
 * 6) * List Folder Contents
 * 7) * Read
 * 8) Open the Sharing and Security dialog box for the  \system32\inetsrv\ASP Compiled Templates folder, and then grant Full Control to the IIS_WPG group.
 * 9) Repeat step 5 for the  \IIS Temporary Compressed Files folder.

To manually set the permission for NT AUTHORITY\NETWORK SERVICE, follow these steps:
 * 1) Click Start, click Run, type %systemroot%\Help\iisHelp, and then click OK.
 * 2) Right-click the Common folder, and then click Sharing and Security.
 * 3) On the Security tab, click Add, type NETWORK SERVICE, and then click OK.
 * 4) Click NETWORK SERVICE, click to select the following check boxes under Allow, and then click OK:
 * 5) * Read and Execute
 * 6) * List Folder Contents
 * 7) * Read
 * 8) Click Start, click Run, type %systemroot%\system32\inetsrv, and then click OK.
 * 9) Right-click the ASP Compiled Templates folder, and then click Sharing and Security.
 * 10) On the Security tab, click Add, type NETWORK SERVICE, and then click OK.
 * 11) Click NETWORK SERVICE, click to select the Full Control check box under Allow, and then click OK
 * 12) Click Start, click Run, type %systemroot%, and then click OK.
 * 13) Right-click the IIS Temporary Compressed folder, and then click Sharing and Security.
 * 14) On the Security tab, click Add, type NETWORK SERVICE, and then click OK.
 * 15) Click NETWORK SERVICE, click to select the Full Control check box under Allow, and then click OK

After you have completed these steps, restart the IIS Admin Service. To do this, follow these steps:
 * 1) Click Start, click Run, type Services.msc, and then click OK.
 * 2) Right-click IIS Admin, and then click Restart.



STATUS
Microsoft has confirmed that this is a problem in Microsoft Windows Server 2003.

