Windows Internal Database will not start after Install Active Directory

Discussion in 'Update Services' started by Jim, Jul 12, 2007.

  1. Given that very few WSUS installations have been made to SP2, and the
    majority of the past two years were all on SP1, that's probably the more
    appropriate platform to address this issue in.

    It doesn't matter whether =IIS6= uses the accounts... it matters that the
    =APPLICATION= uses the accounts!

    The *facts* of the ACLs on the \Program Files\Update Services folder seem to
    contradict your statement, Ken.

    Furthermore, the previously mentioned failures of WSUS on a
    Win2003SP1/IIS6/WSUS2 machine also contradict the statement.
    Or if any application chooses to use them!

    Lawrence Garvin, M.S., MCTS, MCP
    Independent WSUS Evangelist
    MVP-Software Distribution (2005-2007)

    Everything you need for WSUS is at

    And, almost everything else is at
    Lawrence Garvin \(MVP\), Jul 21, 2007

  2. Ken Schaefer Guest

    Just for you, I repeated the test on Windows Server 2003 R2 box (no SP2)

    - Change logon account for Windows Internal Database to Local System
    - Give IIS_WPG group Modify permissions to
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files
    - Give IIS_WPG group Modify permissions to C:\Windows\temp

    and WSUS v3 seems to work just fine.

    What application are you talking about? There are arbitrary accounts that
    may, or may not exist, and may or may not have the actual names that are the

    Can you give me an example of such an application?

    Well, I don't have a WSUS v2 application handy, so I will have to take your
    word for it. Perhaps that ACL was there to support Windows 2000
    installations (where IWAM_<machinename> is the default account for
    out-of-process COM+ applications).

    In any case, I don't see why WSUS v2 would be using that account *unless* it
    was running on Windows 2000. Are you suggesting that WSUS v2 does
    impersonation under the covers by creating a new WindowsIdentity and
    impersonating IWAM even on IIS6? That sounds like crazy architecture to me.
    Occam's Razor would suggest that something else is causing your issues.

    Ken Schaefer, Jul 23, 2007
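    As an added check (not code from the thread or from either poster), this PowerShell script audits the three settings Ken lists, so the post-dcpromo state can be verified rather than guessed at. It assumes the group name and folder paths exactly as written in his post, and assumes Windows Internal Database is registered under the service name MSSQL$MICROSOFT##SSEE (the Server 2003/2008 name; the thread itself never states the service name).

```powershell
# Audit of the three settings from Ken's post (added example, not from the thread).
# Assumptions: paths and group name as in the post; WID service name as noted below.
$paths = @(
    'C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files',
    'C:\Windows\temp'
)
$group  = 'IIS_WPG'
$modify = [System.Security.AccessControl.FileSystemRights]::Modify

foreach ($p in $paths) {
    if (-not (Test-Path -Path $p)) {
        Write-Host "MISSING  $p"
        continue
    }
    $acl = Get-Acl -Path $p
    # Look for an Allow ACE for the IIS worker-process group whose rights include
    # every bit of Modify (FullControl or "Modify, Synchronize" both qualify).
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -like "*\$group" -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $modify) -eq $modify)
    }
    if ($ace) { Write-Host "OK       $group has Modify on $p" }
    else      { Write-Host "FIX      $group lacks Modify on $p" }
}

# Windows Internal Database logon account and state. The service name is an
# assumption: MSSQL$MICROSOFT##SSEE is the WID instance name on Server 2003/2008.
$wid = Get-WmiObject -Class Win32_Service |
       Where-Object { $_.Name -eq 'MSSQL$MICROSOFT##SSEE' }
if ($wid) {
    Write-Host ("WID runs as '{0}', state {1}" -f $wid.StartName, $wid.State)
    if ($wid.StartName -ne 'LocalSystem') {
        Write-Host "FIX      WID is not running as Local System (Ken's first step)"
    }
} else {
    Write-Host "WID service MSSQL`$MICROSOFT##SSEE not found on this host"
}
```

    Run it in an elevated PowerShell session before and after dcpromo to see which of the three settings the DomainController security template actually changed on that box.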

  3. My only problem with this is that on a properly functioning WSUS 3 server,
    IIS_WPG has no permissions on %windir%\temp.

    But, perhaps, this whole issue has been remediated in WSUS 3.0. I don't even
    see that any IIS account has any permissions on the \Program Files\Update
    Services tree at all on my current WSUS 3.0 front-end server.

    Also, since I don't at the moment have a point of reference on an SP1
    server, or a WSUS 2.0 server, we've still left unaddressed the issue of the
    IWAM_machinename account in the ACLs of the \Program Files\Update Services
    folder tree on a WSUS 2.0 server.

    Doh!... WSUS 2.0 -- the one we've been talking about since this thread

    And.. if the IWAM or ASPNET accounts don't matter, then we've still not
    resolved the question of why IIS needs to be reinstalled on a WSUS 2.0

    Nor, why your obviously simple solution doesn't seem to be documented
    anywhere in the Microsoft Knowledge Base, including those articles
    specifically targeted at this scenario (i.e. running dcpromo on an
    IIS-installed system).

    <sigh> Ken.. I already did. Please reread the thread history -- either this
    thread, or our other monolithic thread on this same subject.

    Thank you!

    There are no out-of-process COM+ applications in WSUS to support. WSUS is,
    and always has been, an entirely .NET-based webservices environment.

    I'm not "suggesting" anything. I'm merely pointing out to you what the facts
    are. WSUS 2.0 configures IWAM_machinename in the ACLs for \Program
    Files\Update Services, and when you 'dcpromo' a WSUS 2.0 server, it breaks
    it to the point that IIS must be reinstalled so that the IWAM_machinename
    account is in the correct account domain.

    Maybe it did do that to support co-existence on Windows 2000 as well as
    Windows Server 2003. Maybe it doesn't do it anymore because it no longer has
    to support coexistence on a Win2000/IIS5 environment.

    But, either way, it does not discount the (as yet unrefuted) fact that
    running 'dcpromo' on a WSUS 2.0 server requires reinstallation of IIS.

    Yes.. and a hundred empirical examples of the failure over the past two
    years would suggest otherwise.
    Lawrence Garvin [MVP], Jul 23, 2007
  4. Ken Schaefer Guest

    Before you DCPromo the "Users" group has ExecuteFiles, CreateFiles and
    WriteData permissions to the c:\windows\temp folder. Those permissions are
    removed by the DomainController security template that is applied by
    secedit.exe during the dcpromo process.

    All I did was add a subset of those users back (IIS_WPG) group. Instead of
    configuring three permissions, I just ticked the "Modify" box.

    OK - I am going to need some guidance on what is broken here. Do you have a
    concise, authoritative list of issues so I can work out what IIS config needs
    to be changed?

    I installed WSUS 2.0 SP1 onto a Windows Server 2003 R2 box (no SP2) and
    dcpromo-ed the box. IIS still works, and the WSUS admin site still works.
    So, presumably something else is not working and I just need to figure out
    what needs to be tweaked to get it working.

    Rather than try to test every possible piece of functionality, can you
    provide a list of what doesn't work and I'll work out what needs to be changed.

    I have no idea why it's not documented. But can you test it please, and
    either tell us whether it works for you, or whether it's not working and
    there are additional steps that need to be done?

    I didn't test every piece of functionality, but certainly the "Windows
    Internal Database" mentioned in the subject title is started, and the MMC
    console is able to connect and administer WSUS v3.

    I don't want to waste time with pointless hypothetical speculation - I'd
    just rather look at the issue in question and see if a resolution can be

    I have a test machine configured. If you can send me a list of functionality
    that doesn't work, I will endeavour to find out what IIS reconfiguration is
    required so that it's no longer "broken".

    Ken Schaefer, Jul 23, 2007
  5. Hi all, I got the internal error problem and I reinstalled Windows Server 2003 R2 SP2, then made it a DC, and when I tried to install WSUS 3.0 SP1 it wouldn't install at all; I got the message "faild to create local group..."

    Thanks for your help
    tarik ELARAMRAM, Jun 20, 2008
  7. Myrt Webb Guest

    Domain controllers cannot have a local group.

    When you make a server a DC it eliminates any local groups.

    Put WSUS on another server.
    Myrt Webb, Jun 20, 2008
  8. vdan02 Guest

    I know this article is dated, however I encountered this on Server 2012: I added IIS and WSUS, then promoted the server, and it broke WSUS because WID could not start. I modified my domain controller policy to allow "Log on as a service" for "NT SERVICE\ALL SERVICES", then ran gpupdate /force from CMD and everything started working.
    vdan02, Nov 5, 2013