Default Domain Controller GPO - IIS APPPOOL replaced with SID #

    Question

  • While backing up our server GPOs (OS is Server 2012) I got the following warning:

    [Warning] The security principal [S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415] referenced in extension [Security] cannot be resolved, but the task will continue. In the future, you can use a migration table to map or remove this security principal.

    Details: No mapping between account names and security IDs was done.

    The SID # is referenced here:

    Under Default Domain Controllers Policy-

    Adjust memory quotas for a process S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415, BUILTIN\Administrators, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE

    Generate security audits S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE

    Replace a process level token S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE

    IIS APPPOOL\DefaultAppPool is missing, replaced with the SID #.

    We have three domain controllers. This warning only shows up on two of them.

    The third controller, which has Web Server (IIS) Installed, does not give the warning above, and lists IISAPPPOOL\DefaultAppPool instead of the SID #.

    Is it possible to address this issue without installing Web Server on the other two Domain Controllers?

    Is there another solution that I can use for this?

    Thanks for any input you can provide.


    Tuesday, June 7, 2016 4:31 PM

Answers

  • > The third controller, which has Web Server (IIS) Installed, does not
    > give the warning above, and lists IISAPPPOOL\DefaultAppPool instead of
    > the SID #.
     
    Simply ignore the "error". This is not a domain account, so its SID
    cannot be resolved in the domain. But it will work upon restoring it anyway.
     
    • Proposed as answer by Todd Heron Wednesday, June 8, 2016 5:32 PM
    • Marked as answer by Jay Gu (Moderator) Tuesday, June 14, 2016 2:23 PM
    Wednesday, June 8, 2016 3:14 PM

All replies

  • <Edited - Refer to Martin's answer regarding the IISAPPPOOL\DefaultAppPool identity.  I've marked his post as the "Proposed answer".  Otherwise, read onto my answer below if you do happen to suspect you have any structural AD issues>


    Check your Event Logs on each DC, and then run some diagnostics to get at the source of the problem.  On each DC:

    dcdiag /v

    netdiag /v

    repadmin /replsummary


    Check the primary network interface DNS settings on all three DCs. You said you have three domain controllers.  On each DC, the primary DNS server listed on each should be the same - ideally the PDCe and the secondary DNS server should point back to the server itself.  This should help fix any AD replication issues.  Avoid installing IIS on domain controllers.  But since you already have it installed on one of them, best to fix the source of the problem before installing it on any additional ones.  If your time/budget allows it, move IIS off onto a domain member server.

    Best Regards, Todd Heron | Active Directory Consultant

    • Edited by Todd Heron Wednesday, June 8, 2016 5:32 PM Correction to post
    Wednesday, June 8, 2016 3:35 AM