
How to remove data in Active Directory after an unsuccessful domain controller demotion
What is the difference between a 32-bit and 64-bit CPU?
The two main categories of processors are 32-bit and 64-bit. The type of processor a computer has not only affects its overall performance, but it can also dictate what type of software it can run.

32-bit processor
The 32-bit processor was the primary processor used in desktop computers through the 1990s. Intel Pentium processors and early AMD processors were 32-bit processors. The operating system and software on a computer with a 32-bit processor are also 32-bit based, in that they work with data units (registers and memory addresses) that are 32 bits wide. Windows 95, 98, and XP are all 32-bit operating systems that were common on computers with 32-bit processors.
Note: A computer with a 32-bit processor cannot have a 64-bit version of an operating system installed. It can only have a 32-bit version of an operating system installed.

64-bit processor
The 64-bit computer has been around since 1961, when IBM created the IBM 7030 Stretch supercomputer. However, 64-bit processors were not put into use in home computers until the early 2000s. Microsoft released a 64-bit version of Windows XP to be used on computers with a 64-bit processor. Windows Vista, Windows 7, and Windows 8 also come in 64-bit versions. Other software has been developed that is designed to run on a 64-bit computer and is 64-bit based as well, in that it works with data units that are 64 bits wide.
Note: A computer with a 64-bit processor can have a 64-bit or 32-bit version of an operating system installed. However, with a 32-bit operating system, the 64-bit processor would not run at its full capability.
Note: On a computer running a 64-bit version of Windows, you cannot run a 16-bit legacy program, because the 64-bit operating system does not ship the 16-bit subsystem (NTVDM). Many 32-bit programs will work with a 64-bit processor and operating system, but some older 32-bit programs may not function properly, or at all, due to limited or no compatibility.

Differences between a 32-bit and 64-bit CPU
A big difference between 32-bit processors and 64-bit processors is the number of calculations per second they can perform, which affects the speed at which they can complete tasks. 64-bit processors can come in dual-core, quad-core, six-core, and eight-core versions for home computing. Multiple cores allow for an increased number of calculations per second, which can increase the processing power and help make a computer run faster. Software programs that require many calculations to function smoothly can, for the most part, operate faster and more efficiently on multi-core 64-bit processors.
Another big difference between 32-bit processors and 64-bit processors is the maximum amount of memory (RAM) that is supported. A 32-bit computer can address a maximum of 4 GB (2^32 bytes) of memory, whereas a 64-bit computer can support memory amounts far beyond 4 GB. This is important for software programs that are used for graphical design, engineering design, or video editing, where many calculations are performed to render images, drawings, and video footage.
One thing to note is that 3D graphics programs and games do not benefit much, if at all, from switching to a 64-bit computer, unless the program is a 64-bit program. A 32-bit processor is adequate for any program written for a 32-bit processor. In the case of computer games, you'll get a lot more performance by upgrading the video card instead of getting a 64-bit processor.
In the end, 64-bit processors are becoming more and more commonplace in home computers. Most manufacturers build computers with 64-bit processors due to cheaper prices and because more users are now using 64-bit operating systems and programs. Computer parts retailers are offering fewer and fewer 32-bit processors and soon may not offer any at all.
This article describes how to remove data in Active Directory after an unsuccessful domain controller demotion.
Warning: If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
The Active Directory Installation Wizard (Dcpromo.exe) is used for promoting a server to a domain controller and for demoting a domain controller to a member server (or to a stand-alone server in a workgroup if the domain controller is the last in the domain). As part of the demotion process, the wizard removes the configuration data for the domain controller from Active Directory. This data takes the form of an NTDS Settings object that exists as a child of the server object in Active Directory Sites and Services.
The information is in the following location in Active Directory:
CN=NTDS Settings,CN=<servername>,CN=Servers,CN=<sitename>,CN=Sites,CN=Configuration,DC=<domain>...
The attributes of the NTDS Settings object include data representing how the domain controller is identified with respect to its replication partners, the naming contexts that are maintained on the machine, whether the domain controller is a global catalog server, and the default query policy. The NTDS Settings object is also a container that may have child objects that represent the domain controller's direct replication partners. This data is required for the domain controller to operate in the environment, but is retired upon demotion.

If the NTDS Settings object is not removed correctly (for example, if it is left behind by a failed demotion attempt), the administrator can manually remove the metadata for the server object.
In Windows Server 2008 and Windows Server 2008 R2, the administrator can remove the metadata for a server object by deleting the domain controller's computer object in the Active Directory Users and Computers snap-in (or the server object in Active Directory Sites and Services); in these versions the snap-ins perform the metadata cleanup automatically.
In Windows Server 2003 and Windows 2000 Server, the administrator can use the Ntdsutil.exe utility to manually remove the NTDS Settings object. The following steps list the procedure for removing the NTDS Settings object in Active Directory for a particular domain controller. At each Ntdsutil menu, the administrator can type help for more information about the available options.

Windows Server 2003 Service Pack 1 (SP1) or later service packs: enhanced version of Ntdsutil.exe
The version of Ntdsutil.exe that is included with Service Pack 1 or later service packs for Windows Server 2003 has been enhanced to make the metadata cleanup process complete. The Ntdsutil.exe version that is included with SP1 or later service packs does the following when metadata cleanup is run:
Removes the NTDSA (NTDS Settings) object.
Removes the inbound AD connection objects that existing destination DCs use to replicate from the source DC being deleted.
Removes the computer account.
Removes the FRS member object.
Removes the FRS subscriber objects.
Tries to seize the flexible single master operations (FSMO) roles held by the DC that is being removed.
Caution: The administrator must also make sure that replication has occurred since the demotion before manually removing the NTDS Settings object for any server. Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.
Procedure 1: Windows Server 2003 SP1 or later service packs only
1. Click Start, point to Programs, point to Accessories, and then click Command Prompt.
2. At the command prompt, type ntdsutil, and then press ENTER.
3. Type metadata cleanup, and then press ENTER. Based on the options given, the administrator can perform the removal, but additional configuration parameters must be specified before the removal can occur.
4. Type connections and press ENTER. This menu is used to connect to the specific server where the changes occur. If the currently logged-on user does not have administrative permissions, different credentials can be supplied by specifying the credentials to use before making the connection. To do this, type set creds DomainName UserName Password, and then press ENTER. For a null password, type null for the password parameter.
5. Type connect to server servername, and then press ENTER. You should receive confirmation that the connection is successfully established. If an error occurs, verify that the domain controller being used in the connection is available and that the credentials you supplied have administrative permissions on the server.

Note: If you connect to the same server that you want to delete, then when you try to delete the server in step 15 you may receive the following error message:
Error 2094. The DSA Object cannot be deleted 0x2094
6. Type quit, and then press ENTER. The Metadata Cleanup menu appears.
7. Type select operation target and press ENTER.
8. Type list domains and press ENTER. A list of domains in the forest is displayed, each with an associated number.
9. Type select domain number and press ENTER, where number is the number associated with the domain of which the server you are removing is a member. The domain you select is used to determine whether the server being removed is the last domain controller of that domain.
10. Type list sites and press ENTER. A list of sites, each with an associated number, appears.
11. Type select site number and press ENTER, where number is the number associated with the site of which the server you are removing is a member. You should receive a confirmation listing the site and domain you chose.
12. Type list servers in site and press ENTER. A list of servers in the site, each with an associated number, is displayed.
13. Type select server number, where number is the number associated with the server you want to remove. You receive a confirmation listing the selected server, its Domain Name System (DNS) host name, and the location of the server's computer account you want to remove.
14. Type quit and press ENTER. The Metadata Cleanup menu appears.
15. Type remove selected server and press ENTER. You should receive confirmation that the removal completed successfully. If you receive the following error message, the NTDS Settings object may already have been removed from Active Directory, either by another administrator or by replication of the successful removal of the object after the DCPROMO utility was run:
Error 8419 (0x20E3)
The DSA object could not be found

Note: You may also see this error when you bind to the domain controller that will be removed. Ntdsutil has to bind to a domain controller other than the one that will be removed with metadata cleanup.
16. Type quit, and then press ENTER at each menu to quit the Ntdsutil utility. You should receive confirmation that the connection disconnected successfully.
17. Remove the cname record in the _msdcs.<root domain of forest> zone in DNS. Assuming that the DC will be reinstalled and re-promoted, a new NTDS Settings object is created with a new GUID and a matching cname record in DNS. You do not want the existing DCs to use the old cname record.
As a best practice, you should also delete the host name and other DNS records. If the lease time that remains on the Dynamic Host Configuration Protocol (DHCP) address assigned to the offline server is exceeded, another client can obtain the IP address of the problem DC, and clients that still resolve the stale records would then be directed to that host.
18. In the DNS console, use the DNS MMC to delete the A record in DNS. The A record is also known as the Host record. To delete the A record, right-click the A record, and then click Delete. Also delete the cname record in the _msdcs container. To do this, expand the _msdcs container, right-click the cname, and then click Delete.
Important: If this was a DNS server, remove the reference to this DC under the Name Servers tab. To do this, in the DNS console, click the domain name under Forward Lookup Zones, and then remove this server from the Name Servers tab.
Note: If you have reverse lookup zones, also remove the server from these zones.
19. If the deleted computer was the last domain controller in a child domain, and the child domain was also deleted, use ADSI Edit to delete the trustDomain object for the child. To do this, follow these steps:
1. Click Start, click Run, type adsiedit.msc, and then click OK.
2. Expand the Domain NC container.
3. Expand DC=YourDomain, DC=COM (or PRI, LOCAL, NET).
4. Expand CN=System.
5. Right-click the Trust Domain object, and then click Delete.
20. Use Active Directory Sites and Services to remove the domain controller. To do this, follow these steps:
1. Start Active Directory Sites and Services.
2. Expand Sites.
3. Expand the server's site. The default site is Default-First-Site-Name.
4. Expand Servers.
5. Right-click the domain controller, and then click Delete.
21. When you use DFS Replication for SYSVOL in Windows Server 2008 and later versions, the current version of Ntdsutil.exe does not clean up the DFS Replication member object. In this case, you can use Adsiedit.msc to correct the DFS Replication objects for Active Directory Domain Services (AD DS) manually. To do this, follow these steps:
1. Log on to a domain controller as a domain administrator in the affected domain.
2. Start Adsiedit.msc.
3. Connect to the default naming context.
4. Locate the following DFS Replication topology container:
CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=YourDomain,DC=DomainSuffix
5. Delete the msDFSR-Member object (CN=<old computer name>) that has the old computer name.

Procedure 2: Windows 2000 (all versions) and Windows Server 2003 RTM
1. Click Start, point to Programs, point to Accessories, and then click Command Prompt.
2. At the command prompt, type ntdsutil, and then press ENTER.
3. Type metadata cleanup, and then press ENTER. Based on the options given, the administrator can perform the removal, but additional configuration parameters must be specified before the removal can occur.
4. Type connections and press ENTER. This menu is used to connect to the specific server where the changes occur. If the currently logged-on user does not have administrative permissions, different credentials can be supplied by specifying the credentials to use before you make the connection. To do this, type set creds DomainName UserName Password, and then press ENTER. For a null password, type null for the password parameter.
5. Type connect to server servername, and then press ENTER. You should receive confirmation that the connection is successfully established. If an error occurs, verify that the domain controller being used in the connection is available and that the credentials you supplied have administrative permissions on the server.
Note: If you connect to the same server that you want to delete, then when you try to delete the server in step 15 you may receive the following error message:
Error 2094. The DSA Object cannot be deleted 0x2094
6. Type quit, and then press ENTER. The Metadata Cleanup menu appears.
7. Type select operation target and press ENTER.
8. Type list domains and press ENTER. A list of domains in the forest is displayed, each with an associated number.
9. Type select domain number and press ENTER, where number is the number associated with the domain of which the server you are removing is a member. The domain you select is used to determine whether the server being removed is the last domain controller of that domain.
10. Type list sites and press ENTER. A list of sites, each with an associated number, is displayed.
11. Type select site number and press ENTER, where number is the number associated with the site of which the server you are removing is a member. You should receive a confirmation listing the site and domain you chose.
12. Type list servers in site and press ENTER. A list of servers in the site, each with an associated number, is displayed.
13. Type select server number, where number is the number associated with the server you want to remove. You receive a confirmation listing the selected server, its Domain Name System (DNS) host name, and the location of the server's computer account you want to remove.
14. Type quit and press ENTER. The Metadata Cleanup menu appears.
15. Type remove selected server and press ENTER. You should receive confirmation that the removal completed successfully. If you receive the following error message:
Error 8419 (0x20E3)
The DSA object could not be found
the NTDS Settings object may already have been removed from Active Directory, either by another administrator or by replication of the successful removal of the object after the Dcpromo utility was run.
Note: You may also see this error when you bind to the domain controller that will be removed. Ntdsutil has to bind to a domain controller other than the one that will be removed with metadata cleanup.
16. Type quit at each menu to quit the Ntdsutil utility. You should receive confirmation that the connection disconnected successfully.
17. Remove the cname record in the _msdcs.<root domain of forest> zone in DNS. Assuming that the DC will be reinstalled and re-promoted, a new NTDS Settings object is created with a new GUID and a matching cname record in DNS. You do not want the existing DCs to use the old cname record.
As a best practice, you should also delete the host name and other DNS records. If the lease time that remains on the Dynamic Host Configuration Protocol (DHCP) address assigned to the offline server is exceeded, another client can obtain the IP address of the problem DC, and clients that still resolve the stale records would then be directed to that host.
Now that the NTDS Settings object has been deleted, you can delete the computer account, the FRS member object, the cname (or Alias) record in the _msdcs container, the A (or Host) record in DNS, the trustDomain object for a deleted child domain, and the domain controller's server object.
Note: You do not need to manually remove the FRS member object in Windows Server 2003 RTM, because the Ntdsutil.exe utility has already removed the FRS member object when you run it. Additionally, the metadata of the computer account cannot be removed if the computer account of the DC contains another leaf object. For example, Remote Installation Services (RIS) might be installed on the DC.
The ADSI Edit utility is included with the Windows Support Tools feature in both Windows 2000 Server and Windows Server 2003. To install the Windows Support Tools, follow these steps:
Windows 2000 Server: On the Windows 2000 Server CD, open the Support\Tools folder, double-click Setup.exe, and then follow the instructions that appear on the screen.
Windows Server 2003: On the Windows Server 2003 CD, open the Support\Tools folder, double-click Suptools.msi, click Install, and then follow the steps in the Windows Support Tools Setup Wizard to complete the installation.
1. Use ADSI Edit to delete the computer account. To do this, follow these steps:
1. Click Start, click Run, type adsiedit.msc in the Open box, and then click OK.
2. Expand the Domain NC container.
3. Expand DC=YourDomainName, DC=COM (or PRI, LOCAL, NET).
4. Expand OU=Domain Controllers.
5. Right-click CN=<domain controller name>, and then click Delete.
If you receive the "DSA object cannot be deleted" error message when you try to delete the object, change the UserAccountControl value. To change the UserAccountControl value, right-click the domain controller in ADSI Edit, and then click Properties. Under Select a property to view, click UserAccountControl. Click Clear, change the value to 4096, and then click Set. You can now delete the object. (4096 is the WORKSTATION_TRUST_ACCOUNT flag; it replaces the SERVER_TRUST_ACCOUNT flag that marks the object as a domain controller account and blocks the deletion.)
Note: The FRS subscriber object is deleted when the computer object is deleted, because it is a child of the computer account.
2. Use ADSI Edit to delete the FRS member object. To do this, follow these steps:
1. Click Start, click Run, type adsiedit.msc in the Open box, and then click OK.
2. Expand the Domain NC container.
3. Expand DC=YourDomain, DC=COM (or PRI, LOCAL, NET).
4. Expand CN=System.
5. Expand CN=File Replication Service.
6. Expand CN=Domain System Volume (SYSVOL share).
7. Right-click the domain controller you are removing, and then click Delete.

3. In the DNS console, use the DNS MMC to delete the A record in DNS. The A record is also known as the Host record. To delete the A record, right-click the A record, and then click Delete. Also delete the cname (also known as the Alias) record in the _msdcs container. To do so, expand the _msdcs container, right-click the cname, and then click Delete.
Important: If this was a DNS server, remove the reference to this DC under the Name Servers tab. To do this, in the DNS console, right-click the domain name under Forward Lookup Zones, click Properties, and then remove this server from the Name Servers tab.
Note: If you have reverse lookup zones, also remove the server from these zones.
4. If the deleted computer was the last domain controller in a child domain and the child domain was also deleted, use ADSI Edit to delete the trustDomain object for the child. To do this, follow these steps:
1. Click Start, click Run, type adsiedit.msc in the Open box, and then click OK.
2. Expand the Domain NC container.
3. Expand DC=YourDomain, DC=COM (or PRI, LOCAL, NET).
4. Expand CN=System.
5. Right-click the Trust Domain object, and then click Delete.
5. Use Active Directory Sites and Services to remove the domain controller. To do this, follow these steps:
1. Start Active Directory Sites and Services.
2. Expand Sites.
3. Expand the server's site. The default site is Default-First-Site-Name.
4. Expand Servers.
5. Right-click the domain controller, and then click Delete.
Advanced optional syntax with the SP1 or later versions of Ntdsutil.exe
Windows Server 2003 SP1 introduced a new syntax that can be used. By using the new syntax, it is no longer required to bind to the DS and select your operation target. To use the new syntax, you must know or obtain the DN of the server object (the parent of the NTDS Settings object) of the server that is being removed. To use the new syntax for metadata cleanup, follow these steps:
1. Run ntdsutil.
2. Switch to the metadata cleanup prompt.
3. Run the following command:
remove selected server <DN of the server object in the config container>
An example of this command is as follows.
Note: The following is one line but has been wrapped.
remove selected server cn=servername,cn=servers,cn=sitename,cn=sites,cn=configuration,dc=<forest_root_domain>
4. Remove the cname record in the _msdcs.<root domain of forest> zone in DNS. Assuming that the DC will be reinstalled and re-promoted, a new NTDS Settings object is created with a new GUID and a matching cname record in DNS. You do not want the existing DCs to use the old cname record.

As a best practice, you should also delete the host name and other DNS records. If the lease time that remains on the Dynamic Host Configuration Protocol (DHCP) address assigned to the offline server is exceeded, another client can obtain the IP address of the problem DC, and clients that still resolve the stale records would then be directed to that host.
5. If the deleted computer was the last domain controller in a child domain, and the child domain was also deleted, use ADSI Edit to delete the trustDomain object for the child. To do this, follow these steps:
1. Click Start, click Run, type adsiedit.msc, and then click OK.
2. Expand the Domain NC container.
3. Expand DC=YourDomainName, DC=COM (or PRI, LOCAL, NET).
4. Expand CN=System.
5. Right-click the Trust Domain object, and then click Delete.
6. Use Active Directory Sites and Services to remove the domain controller. To do this, follow these steps:
1. Start Active Directory Sites and Services.
2. Expand Sites.
3. Expand the server's site. The default site is Default-First-Site-Name.
4. Expand Servers.
5. Right-click the domain controller, and then click Delete.
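The whole of Procedure 1 and the one-line SP1 syntax above can be driven from a script. The following PowerShell is an added example and is not part of the Microsoft article: it performs the replication check the Caution asks for, runs the SP1+ "remove selected server <DN> on <DC>" form of the command non-interactively, and then probes for every object the article says must be gone (NTDS Settings and server objects, computer account, FRS and DFSR member objects, DNS A/CNAME/NS records, FSMO roles). It assumes the RSAT ActiveDirectory and DnsServer modules are installed on the machine you run it from, that the account is a Domain or Enterprise Admin, and that DC1, DC2, Default-First-Site-Name and the DNS zone names are placeholders for your own environment.

```powershell
# Added example (not from the KB article). Placeholders: DC2 = the DC whose demotion failed,
# DC1 = a healthy DC that is also a DNS server, Default-First-Site-Name = the failed DC's site.
param(
    [string]$FailedDc  = 'DC2',
    [string]$Site      = 'Default-First-Site-Name',
    [string]$HealthyDc = 'DC1'
)
Import-Module ActiveDirectory

$rootDse   = Get-ADRootDSE -Server $HealthyDc
$configNc  = $rootDse.configurationNamingContext
$domainNc  = $rootDse.defaultNamingContext
$domainDns = (Get-ADDomain -Server $HealthyDc).DNSRoot
$forestDns = (Get-ADForest -Server $HealthyDc).RootDomain
$serverDn  = "CN=$FailedDc,CN=Servers,CN=$Site,CN=Sites,$configNc"

# 1. The article's Caution: confirm the healthy DC is not still expecting replication from the
#    failed one. Partner is the DN of the partner's NTDS Settings object, so it ends in $serverDn.
Get-ADReplicationPartnerMetadata -Target $HealthyDc -Scope Server |
    Where-Object { $_.Partner -like "*$serverDn" } |
    ForEach-Object {
        Write-Warning ("{0} still lists {1} as an inbound partner (last success {2}, last attempt {3})" -f
            $HealthyDc, $FailedDc, $_.LastReplicationSuccess, $_.LastReplicationAttempt)
    }

# 2. Metadata cleanup in one command. Start-Process passes the command line literally, so each
#    quoted group is one ntdsutil command. Bind to the healthy DC, never to the one being removed
#    (that is what produces errors 2094/8419). On Windows Server 2008+ ntdsutil still pops a
#    confirmation dialog before deleting. Site and server names must not contain spaces here.
$ntdsArgs = "`"metadata cleanup`" `"remove selected server $serverDn on $HealthyDc`" quit quit"
Start-Process -FilePath ntdsutil.exe -ArgumentList $ntdsArgs -Wait -NoNewWindow

# 3. Probe for leftovers. A probe returns the DNs/records it found, nothing when clean, and is
#    reported as "not checked" if its container or zone does not exist (e.g. no DFSR on 2003,
#    no separate _msdcs zone on Windows 2000 DNS).
function Test-Leftover([string]$Check, [scriptblock]$Probe) {
    try {
        $found = @(& $Probe)
        [pscustomobject]@{ Check = $Check; Leftover = ($found.Count -gt 0); Detail = ($found -join '; ') }
    } catch {
        [pscustomobject]@{ Check = $Check; Leftover = $null; Detail = "not checked: $($_.Exception.Message)" }
    }
}
$serversBase = "CN=Servers,CN=$Site,CN=Sites,$configNc"
$checks = @(
    Test-Leftover 'NTDS Settings object' {
        Get-ADObject -Server $HealthyDc -SearchBase $serversBase -LDAPFilter '(objectClass=nTDSDSA)' -ErrorAction Stop |
            Where-Object DistinguishedName -like "*,$serverDn" | ForEach-Object DistinguishedName }
    Test-Leftover 'Server object in site' {
        Get-ADObject -Server $HealthyDc -SearchBase $serversBase -LDAPFilter "(&(objectClass=server)(cn=$FailedDc))" -ErrorAction Stop |
            ForEach-Object DistinguishedName }
    Test-Leftover 'Computer account' {
        Get-ADComputer -Server $HealthyDc -SearchBase "OU=Domain Controllers,$domainNc" -LDAPFilter "(cn=$FailedDc)" -ErrorAction Stop |
            ForEach-Object DistinguishedName }
    Test-Leftover 'FRS member object' {
        Get-ADObject -Server $HealthyDc -SearchBase "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainNc" `
            -LDAPFilter "(&(objectClass=nTFRSMember)(cn=$FailedDc))" -ErrorAction Stop | ForEach-Object DistinguishedName }
    Test-Leftover 'DFSR member object' {
        Get-ADObject -Server $HealthyDc -SearchBase "CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$domainNc" `
            -LDAPFilter "(&(objectClass=msDFSR-Member)(cn=$FailedDc))" -ErrorAction Stop | ForEach-Object DistinguishedName }
    Test-Leftover 'A record' {
        Get-DnsServerResourceRecord -ComputerName $HealthyDc -ZoneName $domainDns -RRType A -ErrorAction Stop |
            Where-Object HostName -eq $FailedDc | ForEach-Object { "$($_.HostName).$domainDns A $($_.RecordData.IPv4Address)" } }
    Test-Leftover 'CNAME in _msdcs' {
        Get-DnsServerResourceRecord -ComputerName $HealthyDc -ZoneName "_msdcs.$forestDns" -RRType CName -ErrorAction Stop |
            Where-Object { $_.RecordData.HostNameAlias -like "$FailedDc.*" } | ForEach-Object { "$($_.HostName) CNAME $($_.RecordData.HostNameAlias)" } }
    Test-Leftover 'NS record' {
        Get-DnsServerResourceRecord -ComputerName $HealthyDc -ZoneName $domainDns -RRType NS -ErrorAction Stop |
            Where-Object { $_.RecordData.NameServer -like "$FailedDc.*" } | ForEach-Object { "NS $($_.RecordData.NameServer)" } }
)

# 4. FSMO roles the SP1+ tool should have seized; anything still pointing at the failed DC must be seized by hand.
$domain = Get-ADDomain -Server $HealthyDc; $forest = Get-ADForest -Server $HealthyDc
$roles = [ordered]@{ PDCEmulator = $domain.PDCEmulator; RIDMaster = $domain.RIDMaster
                     InfrastructureMaster = $domain.InfrastructureMaster
                     SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster }
$checks += $roles.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = "FSMO $($_.Key)"; Leftover = ($_.Value -like "$FailedDc.*"); Detail = $_.Value } }

$checks | Format-Table -AutoSize
if ($checks | Where-Object Leftover) {
    Write-Warning 'Leftover metadata remains; finish with ADSI Edit / DNS Manager as described in the procedure above.'
}
```

Run it from a management workstation rather than on the DC you are binding to, and re-run the probe section after replication has converged: a clean result on DC1 immediately after the cleanup only proves that DC1 has applied the deletions, not that every other DC has.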

Delete Failed DCs from Active Directory
When you try to remove a domain controller from your Active Directory domain by using Dcpromo.exe and fail, or when you begin to promote a member server to be a domain controller and fail (the reasons for the failure are not important for the scope of this article), you will be left with remains of the DC's objects in Active Directory. As part of a successful demotion process, the Dcpromo wizard removes the configuration data for the domain controller from Active Directory, but as noted above, a failed Dcpromo attempt might leave these objects in place.
The effects of leaving such remains inside Active Directory may vary, but one thing is sure: whenever you try to reinstall the server with the same computer name and promote it to become a domain controller, you will fail, because the Dcpromo process will still find the old objects and therefore will refuse to re-create them for the new (old) server.
In the event that the NTDS Settings object is not removed correctly, you can use the Ntdsutil.exe utility to manually remove the NTDS Settings object.
If you give the new domain controller the same name as the failed computer, then you need to perform only the first procedure to clean up metadata, which removes the NTDS Settings object of the failed domain controller. If you will give the new domain controller a different name, then you need to perform all three procedures: clean up metadata, remove the failed server object from the site, and remove the computer object from the Domain Controllers container.
You will need the following tools: Ntdsutil.exe, Active Directory Sites and Services, and Active Directory Users and Computers.
Also, make sure that you use an account that is a member of the Enterprise Admins universal group.
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

To clean up metadata
1. At the command line, type ntdsutil and press ENTER.
C:\WINDOWS>ntdsutil
ntdsutil:
2. At the ntdsutil: prompt, type metadata cleanup and press Enter.
ntdsutil: metadata cleanup
metadata cleanup:
3. At the metadata cleanup: prompt, type connections and press Enter.
metadata cleanup: connections
server connections:
4. At the server connections: prompt, type connect to server <servername>, where <servername> is the domain controller (any functional domain controller in the same domain) from which you plan to clean up the metadata of the failed domain controller. Press Enter.
server connections: connect to server server100
Binding to server100 ...
Connected to server100 using credentials of locally logged on user.
server connections:
Note: Windows Server 2003 Service Pack 1 eliminates the need for this step when you use the one-line remove selected server <DN> syntax described earlier.
5. Type quit and press Enter to return to the metadata cleanup: prompt.
server connections: q
metadata cleanup:
6. Type select operation target and press Enter.
metadata cleanup: select operation target
select operation target:
7. Type list domains and press Enter. This lists all domains in the forest with a number associated with each.
select operation target: list domains
Found 1 domain(s)
0 - DC=dpetri,DC=net
select operation target:

8. Type select domain <number>, where <number> is the number corresponding to the domain in which the failed server was located. Press Enter.
select operation target: select domain 0
No current site
Domain - DC=dpetri,DC=net
No current server
No current Naming Context
select operation target:
9. Type list sites and press Enter.
select operation target: list sites
Found 1 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
select operation target:
10. Type select site <number>, where <number> refers to the number of the site of which the domain controller was a member. Press Enter.
select operation target: select site 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - DC=dpetri,DC=net
No current server
No current Naming Context
select operation target:
11. Type list servers in site and press Enter. This will list all servers in that site with a corresponding number.
select operation target: list servers in site
Found 2 server(s)
0 - CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
1 - CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
select operation target:
12. Type select server <number> and press Enter, where <number> refers to the domain controller to be removed.
select operation target: select server 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - DC=dpetri,DC=net
Server - CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
DSA object - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
DNS host name - server200.dpetri.net
Computer object - CN=SERVER200,OU=Domain Controllers,DC=dpetri,DC=net
No current Naming Context
select operation target:
13. Type quit and press Enter. The metadata cleanup menu is displayed.
select operation target: q
metadata cleanup:
14. Type remove selected server and press Enter.
You will receive a warning message. Read it, and if you agree, click Yes.

Original Post:

Identifying the Worker Process (w3wp.exe) in IIS 6.0 and IIS 7.0 for Debugging an ASP.NET Application
If you are debugging an ASP.NET web application which is hosted on IIS, you need to attach to the particular worker process in Visual Studio to start debugging. To attach to a process, go to Tools > Attach to Process or use the shortcut key Ctrl+Alt+P. The process window will show the worker processes (w3wp.exe) which are currently running on IIS. You need to select the process and click the Attach button to start debugging.
The problem starts when you have multiple worker processes running on IIS. If you have multiple sites hosted on IIS and each site has its own application pool, then you will see the list of all worker processes in the Attach to Process window.

Here you need to identify the particular worker process which is associated with your application pool.

Note: Whenever we create a new application pool, an ID for the application pool is generated and registered with HTTP.SYS (the kernel-mode part of IIS). So whenever HTTP.SYS receives a request for any web application, it looks up the application pool and routes the request based on it.
To know more about the IIS request process, here is one of my articles: How IIS Processes ASP.NET Requests.
Identify Worker Process in IIS 6.0
Start > Run > Cmd
Go to Windows > System32
Run cscript iisapp.vbs
You will get the list of running worker process IDs and the application pool names.

So, here is your list of all worker processes with the corresponding application pool name. From the application pool name you can easily identify which worker process is related to your application.
Identify Worker Process in IIS 7.0
From IIS 7.0 you need to run the IIS command-line tool (appcmd).
Start > Run > Cmd
Go to Windows > System32 > Inetsrv
Run appcmd list wp
This will show you the list of worker processes that are running on IIS 7.0, in a format similar to that of IIS 6.0.
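Both iisapp.vbs and appcmd read the same fact: IIS starts every worker process with the pool name on its command line. The following PowerShell is an added example, not code from the original post; it maps each running w3wp.exe to its application pool by parsing that command line, so it works on IIS 6 and later without either tool. It assumes it is run elevated (Win32_Process exposes the command line of other accounts' processes only to administrators) and that MyWebApp is a placeholder for your pool name.

```powershell
# Added example (not from the original post): map w3wp.exe PIDs to application pools by
# reading the "-ap" switch IIS passes on the worker process command line. Run elevated.
function Get-W3wpAppPool {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'w3wp.exe'" |
        ForEach-Object {
            # Typical command line: C:\Windows\System32\inetsrv\w3wp.exe -ap "DefaultAppPool" -v "v4.0" ...
            $pool = if ($_.CommandLine -match '-ap\s+"([^"]+)"') { $Matches[1] } else { '<unknown>' }
            [pscustomobject]@{
                ProcessId    = $_.ProcessId
                AppPool      = $pool
                Started      = $_.CreationDate
                WorkingSetMB = [math]::Round($_.WorkingSetSize / 1MB, 1)
                CommandLine  = $_.CommandLine
            }
        }
}

# Usage: list every worker process, then pick the PID to attach for one pool.
# A web garden shows up as several rows that share the same AppPool value.
$procs = Get-W3wpAppPool
$procs | Sort-Object AppPool | Format-Table ProcessId, AppPool, WorkingSetMB, Started -AutoSize

$target = $procs | Where-Object AppPool -eq 'MyWebApp'   # placeholder pool name
if (-not $target) {
    Write-Warning 'No worker process for pool MyWebApp; worker processes start on demand, so browse the site first.'
} else {
    "Attach Visual Studio to PID(s): $($target.ProcessId -join ', ')"
}
```

The command-line switches also tell you which CLR version (-v) and which pipeline DLL (-l) the process loaded, which is useful when a server hosts pools of mixed framework versions and the wrong PID is attached.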
Original Post:

How to use IIS Manager to get worker process (w3wp.exe) details
In one of my previous blog posts, Identifying the Worker Process (w3wp.exe) in IIS 6.0 and IIS 7.0 for Debugging an ASP.NET Application, I explained how we can identify the list of currently running worker processes using the command prompt when we need to attach to a process from Visual Studio. But did you know that for IIS 7.0 and IIS 7.5 we can get the worker process (w3wp.exe) details, like application pool name, process ID and CPU usage, from IIS Manager itself? You can even get the details of each worker process in a web garden scenario. So when you need to attach to a process for debugging from Visual Studio, instead of going to the command prompt, you can easily identify the worker process ID from IIS itself.

Get Worker Processes (w3wp.exe) List:
To get the list of running worker processes, open IIS Manager (Run > inetmgr), select the server (root) node in the left navigation tree, and in the Features View panel select Worker Processes.

Double-click Worker Processes to get the details of all worker processes which are currently running.

From this list of worker processes you can get the application pool name, process ID and state of each worker process, along with its CPU and memory usage.

Attach Worker Processes (w3wp.exe) for Debugging:
In the Visual Studio Attach to Process window you will find the same list of worker processes with the same process IDs. So based on your application pool name you can attach to the process and start debugging.

To know more about attaching to a process while debugging an application that is running on IIS, please read my complete article Debug Your ASP.NET Application that is Hosted on IIS: Process Attach and Identify which Process to Attach (note: that article targeted debugging with IIS 6.0).

What else can we get from the Worker Processes list in IIS 7 Manager?
We have already identified the worker process and application pool name, which is more than enough for attaching a process from Visual Studio. What else can we get out of this list? Quite a bit of information about each worker process:
Worker process current state
CPU usage by the worker process
Memory usage by the worker process
Requests currently being handled by the worker process

What about the current worker process (w3wp.exe) state?
You can get the current status of a worker process from the State column. Worker processes have three states, as listed below:
1. Running
2. Stopping
3. Starting

You must be wondering why there is no Stopped state for a worker process in IIS. I will explore it in a different blog post. Yeah, that will be very interesting! Very soon!
Similarly to State, you can also monitor CPU % and memory usage from IIS itself.

What about the current requests at a worker process?
Well, you can view the current request details for a particular worker process from IIS Manager itself. So, when your worker process is in the Running state, if you want to check what is going on in the back end, just double-click the particular worker process.

From the request details you can get the website ID, URL, HTTP verb, client IP and state, along with the module name. I liked the State and Module Name columns very much. These two columns let you know where in the pipeline your current request is and which HTTP module is handling that request.
To know more about the fundamentals of how IIS processes an ASP.NET request, you can read my article How IIS Processes ASP.NET Requests.
You can also read Securely Implement Request Processing, Filtering, and Content Redirection with HTTP Pipelines in ASP.NET to learn about more advanced topics.
To know more about worker process requests, read View Currently Executing Requests in a Worker Process (IIS 7).
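The request view you get by double-clicking a worker process is the same data appcmd exposes as appcmd list requests, which makes it scriptable. The following PowerShell is an added example, not code from the original post: it parses appcmd's request lines into objects (URL, verb, elapsed time, client, pipeline stage, module) and filters for requests that have been running longer than a threshold. It assumes IIS 7 or later, an elevated prompt for the live query, and the appcmd line layout shown in the constructed sample; the sample lines themselves are made up for the demonstration.

```powershell
# Added example (not from the original post): the "current requests" view from appcmd,
# parsed into objects so stuck requests can be spotted from a script.
function ConvertFrom-AppcmdRequest {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        # Assumed appcmd layout:
        # REQUEST "<id>" (url:<VERB> <url>, time:<n> msec, client:<ip>, stage:<stage>, module:<module>)
        $re = '^REQUEST "(?<id>[^"]+)" \(url:(?<verb>\S+) (?<url>.*?), time:(?<ms>\d+) msec, client:(?<client>[^,]+), stage:(?<stage>[^,]+), module:(?<module>[^)]*)\)'
        if ($Line -match $re) {
            [pscustomobject]@{
                RequestId = $Matches.id;   Verb   = $Matches.verb;  Url    = $Matches.url
                ElapsedMs = [int]$Matches.ms; Client = $Matches.client
                Stage     = $Matches.stage; Module = $Matches.module
            }
        }
    }
}

function Get-LongRunningRequest {
    param([int]$ElapsedMs = 5000, [int]$WorkerPid)
    $appcmd = Join-Path $env:SystemRoot 'System32\inetsrv\appcmd.exe'
    $cmdArgs = @('list', 'requests', "/elapsed:$ElapsedMs")   # only requests older than the threshold
    if ($WorkerPid) { $cmdArgs += "/wp:$WorkerPid" }           # optionally limit to one w3wp.exe
    & $appcmd @cmdArgs | ConvertFrom-AppcmdRequest
}

# Constructed sample of appcmd output, so the parser can be exercised without a live server.
$sample = @'
REQUEST "f500000080000a04" (url:GET /default.aspx, time:4323 msec, client:localhost, stage:ExecuteRequestHandler, module:ManagedPipelineHandler)
REQUEST "5a00000080000b11" (url:POST /api/upload, time:61200 msec, client:10.0.0.7, stage:ExecuteRequestHandler, module:ManagedPipelineHandler)
'@ -split "`r?`n"

$sample | ConvertFrom-AppcmdRequest | Where-Object ElapsedMs -gt 5000 |
    Format-Table RequestId, Verb, Url, ElapsedMs, Client, Stage, Module -AutoSize

# Live query on an IIS 7+ server (elevated): requests stuck for more than 30 s in any pool.
# Get-LongRunningRequest -ElapsedMs 30000 | Format-Table -AutoSize
```

When a pool hangs or is being starved by slow clients, the Stage and Module columns are what you want: many requests parked in the same module for tens of seconds point at one handler or a back end it waits on, whereas many requests from a few client addresses that never leave the early stages look like a slow-request flood rather than an application fault.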

View Details of Each Worker Process when you are using a Web Garden
Before starting with web garden mode, if you want to know more about web gardens or just want to recap, please read one of my previous articles, What is the difference between Web Farm and Web Garden?
If you have configured your site as a web garden, you will see all of its worker processes in the Worker Processes list, each with a different worker process ID but all under a single application pool.

In that example, the WCF site is configured in web garden mode with two worker processes, and in the Worker Processes list you can view both worker processes, with different worker process IDs, listed under the same application pool.
Note: You will be able to see only the worker processes which are in the running state.
Summary: In this blog post I have explained how you can use IIS Manager to get the list of worker processes with their application pool ID, name and running state, along with CPU and memory usage, and how to view the worker process requests. I have also explained how to get the details of each worker process in web garden scenarios. I will publish another blog post on worker process state very soon.
Hope this will help!
Thanks!
Original Post:

BeginnersGuide:HowIISProcessASP.NETRequest
Introduction
Whenrequestcomefromclienttotheserveralotofoperationisperformedbeforesendingresponsetothe
client.ThisisallabouthowIISProcesstherequest.HereIamnotgoingtodescribethePageLifeCycleand
thereevents,thisarticleisallabouttheoperationofIISLevel.Beforewestartwiththeactualdetails,letsstart
fromthebeginningsothateachandeveryoneunderstanditsdetailseasily.Pleaseprovideyourvaluable
feedbackandsuggestiontoimprovethisarticle.

WhatisWebServer?
WhenwerunourASP.NETWebApplicationfromvisualstudioIDE,VSIntegratedASP.NETEngineis
responsibletoexecuteallkindofasp.netrequestsandresponses.Theprocessnameis
WebDev.WebServer.Exewhichactuallytakwcareofallrequestandresponseofanwebapplicationwhichis
runningfromVisualStudioIDE.
Now,thenameWebServercomesintopicturewhenwewanttohosttheapplicationonacentralizedlocation
andwantedtoaccessfrommanylocations.Webserverisresponsibleforhandlealltherequeststhatare
comingfromclients,processthemandprovidetheresponses.

WhatisIIS?
IIS(InternetInformationServer)isoneofthemostpowerfulwebserversfromMicrosoftthatisusedtohost

yourASP.NETWebapplication.IIShasitsownASP.NETProcessEnginetohandletheASP.NETrequest.So,
whenarequestcomesfromclienttoserver,IIStakesthatrequestandprocessitandsendresponsebackto
clients.

Request Processing:
Hopefully it is now clear what a web server and IIS are and what they are used for. Now let's have a look at how they do things internally. Before we move ahead, you have to know about two main concepts:
1. Worker Process
2. Application Pool
Worker Process: The worker process (w3wp.exe) runs the ASP.NET application in IIS. This process is responsible for managing all the requests and responses that come from client systems. All ASP.NET functionality runs within the scope of the worker process. When a request comes to the server from a client, the worker process is responsible for processing the request and generating the response. In a single sentence, we can say that the worker process is the heart of an ASP.NET web application running on IIS.
Application Pool: An application pool is the container of worker processes. Application pools are used to separate sets of IIS worker processes that share the same configuration. Application pools enable better security, reliability and availability for any web application. The worker process serves as the process boundary that separates each application pool, so that when one worker process or application has an issue or recycles, other applications or worker processes are not affected. This makes sure that a particular web application does not impact other web applications, as long as they are configured into different application pools. Note that this isolation is only as strong as the identities involved: two pools whose worker processes run under the same account are not a security boundary from each other, so give each pool its own low-privileged identity.

An application pool with multiple worker processes is called a Web Garden.
Now I have covered all the basic concepts: web server, application pool and worker process. Let's now look at how IIS processes a request when a new request comes up from a client.
If we look at the IIS 6.0 architecture, we can divide it into two layers:
1. Kernel Mode
2. User Mode
The kernel-mode component, HTTP.SYS, was introduced with IIS 6.0. Whenever a request comes from a client to the server, it hits HTTP.SYS first.

Now, HTTP.SYS is responsible for passing the request to the particular application pool. Here one question arises: how does HTTP.SYS know where to send the request? This is not a random pick. Whenever we create a new application pool and assign sites or applications to it, IIS registers the pool and its URL namespaces (the host, port and path prefixes it serves) with HTTP.SYS, which keeps a kernel-mode request queue per application pool. So whenever HTTP.SYS receives a request, it matches the URL against the registered namespaces, determines which application pool owns it, and places the request in that pool's queue.

So this was the first step of IIS request processing.
Until now the client has requested some information and the request has reached the kernel level of IIS, i.e. HTTP.SYS, which has identified the application pool to which it belongs. Now let's see how this request moves from HTTP.SYS to the application pool.
In the user-mode part of IIS 6.0, the Web Administration Service (WAS), part of the World Wide Web Publishing Service (W3SVC), configures HTTP.SYS with the URL namespaces of each application pool, starts a worker process (w3wp.exe) for the pool when the first request for it arrives, and monitors the health of that worker process. WAS does not handle the request itself: the worker process of the application pool picks the request up directly from the pool's HTTP.SYS queue.

When the worker process (w3wp.exe) receives the request, it looks up the URL of the request in order to load the correct ISAPI extension. ISAPI extensions are the IIS way to handle requests for different resources. Once ASP.NET is installed, it installs its own ISAPI extension (aspnet_isapi.dll) and adds the mapping into IIS.
Note: Sometimes, if we install IIS after installing ASP.NET, we need to register the extension with IIS using the aspnet_regiis -i command.

When the worker process loads aspnet_isapi.dll, it starts the HttpRuntime, which is the entry point of an application. HttpRuntime is a class whose ProcessRequest method is called to start processing.

When this method is called, a new instance of HttpContext is created, which is accessible through the HttpContext.Current property. This object stays alive for the lifetime of the request. Using HttpContext.Current we can access other objects like Request, Response, Session, etc.

After that, HttpRuntime creates an HttpApplication object with the help of the HttpApplicationFactory class. Each request must pass through the corresponding HTTP modules to reach the HTTP handler; the list of modules is configured by the HttpApplication.
Now comes the concept called the HTTP pipeline. It is called a pipeline because it contains a set of HttpModules (configured at both the web.config and machine.config level) that intercept the request on its way to the HttpHandler. HTTP modules are classes that have access to the incoming request. We can also create our own HTTP module if we need to handle anything during the incoming request or the outgoing response.

HTTP handlers are the endpoints in the HTTP pipeline. All requests that pass through the HTTP modules must reach an HTTP handler. The HTTP handler then generates the output for the requested resource. So, when we request any .aspx web page, it returns the corresponding HTML output.
All requests now pass from the HttpModules to the ProcessRequest method of the respective HttpHandler, and the ASP.NET page life cycle starts. This ends the IIS request processing and starts the ASP.NET page life cycle.

Conclusion
When a client requests some information from a web server, the request first reaches HTTP.SYS in IIS. HTTP.SYS then queues the request for the respective application pool. The pool's worker process picks up the request and loads the ISAPI extension, which creates an HttpRuntime object to process the request via the HttpModules and HttpHandler. After that the ASP.NET page life cycle events start.
This was just an overview of IIS request processing to let beginners know how a request gets processed in the back end. If you want to learn more detail, please check the links in the Reference and Further Study section.
Original Post:
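The routing step above (HTTP.SYS matching a URL against registered application-pool namespaces and queuing it for that pool's worker process) as an added, constructed model; this is not code from the original article or from IIS. The class and pool names are invented, host and port matching is left out (only path prefixes are compared), and a request that matches no registered namespace is simply not queued, standing in for HTTP.SYS answering it itself instead of handing it to any worker process:

```python
"""Model of HTTP.SYS-style request routing: registered URL namespaces map to application
pools, each pool has its own request queue, and a request goes to the pool whose registered
prefix is the longest match for its URL. Constructed example; not IIS code."""
from collections import deque


class KernelListener:
    """The part of HTTP.SYS the article describes (path prefixes only; host/port omitted)."""

    def __init__(self):
        self.namespaces = {}   # url prefix -> application pool name
        self.queues = {}       # application pool name -> deque of pending request URLs

    def register(self, pool, url_prefix):
        """What WAS does when a site or application is assigned to a pool."""
        if not url_prefix.endswith("/"):
            url_prefix += "/"
        self.namespaces[url_prefix] = pool
        self.queues.setdefault(pool, deque())

    def route(self, url):
        """Pool that owns `url`, chosen by longest matching prefix; None if nothing matches.
        The trailing slash keeps matching on path-segment boundaries, so '/wcfx/...' does
        not fall into a namespace registered as '/wcf/'."""
        path = url if url.endswith("/") else url + "/"
        candidates = [prefix for prefix in self.namespaces if path.startswith(prefix)]
        if not candidates:
            return None
        return self.namespaces[max(candidates, key=len)]

    def receive(self, url):
        """Queue the request for its pool; returns the pool name or None (not queued)."""
        pool = self.route(url)
        if pool is not None:
            self.queues[pool].append(url)
        return pool


class WorkerProcess:
    """w3wp.exe: serves only its own pool's queue and never sees other pools' requests."""

    def __init__(self, listener, pool):
        self.listener = listener
        self.pool = pool
        self.served = []

    def drain(self):
        queue = self.listener.queues[self.pool]
        while queue:
            self.served.append(queue.popleft())
        return self.served


def demo():
    """Two pools, one nested under the other; returns what each worker process served."""
    http_sys = KernelListener()
    http_sys.register("DefaultAppPool", "/")        # invented pool names
    http_sys.register("WCFPool", "/wcf/")
    for url in ["/default.aspx", "/wcf/service.svc", "/wcf", "/wcfx/page.aspx"]:
        http_sys.receive(url)
    return {pool: WorkerProcess(http_sys, pool).drain() for pool in http_sys.queues}


if __name__ == "__main__":
    for pool, urls in demo().items():
        print(pool, urls)
```

The nested registration is the case worth checking on a real server: a request for /wcf/service.svc must land in the pool that owns /wcf/, not in the root pool, and a request for an unregistered namespace must not reach any worker process at all.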

HOWTO: Diagnose 401.x HTTP errors on IIS
One of the most common questions asked about IIS on the newsgroups, as well as to Microsoft Product Support, is "why am I getting 401 Access Denied?"
There are many, many possible causes and variations, but from the IIS perspective the top-level, logical categories are fixed. This information can dramatically narrow down the scope of any investigation, but unfortunately few people know to take advantage of it. This is what I am going to address with this entry: how to use and diagnose the 401.x error codes on IIS.

Step 1: Determine the Substatus Code
When you get a 401 response in the browser from IIS and you want to troubleshoot it, the first thing you should do is determine what "type" (i.e. HTTP substatus) of 401 it is.
Starting with IIS 6.0, the IIS web log files located at:
%SYSTEMROOT%\System32\LogFiles\W3SVC###\*.log

record both the HTTP status and substatus code, which when combined with the Win32 error code can help troubleshoot many 401 errors. The W3C log entries look like the following; the HTTP status, substatus and Win32 error code are the last three fields of each entry.
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-05-21 05:39:27
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2005-05-21 05:39:27 192.168.0.101 GET /VirtualServer/VSWebApp.exe view=1 1024 WEBBROWSER\User 192.168.0.101 Mozilla/4.0+(User-Agent) 200 0 0
2005-05-21 05:39:27 192.168.0.101 GET /VirtualServer/scripts/VSScripts.js - 1024 - 192.168.0.101 Mozilla/4.0+(User-Agent) 401 2 5
2005-05-21 05:39:27 192.168.0.101 GET /VirtualServer/scripts/VSScripts.js - 1024 - 192.168.0.101 Mozilla/4.0+(User-Agent) 401 1 2148074254
2005-05-21 05:39:27 192.168.0.101 GET /VirtualServer/scripts/VSScripts.js - 1024 WEBBROWSER\User 192.168.0.101 Mozilla/4.0+(User-Agent) 304 0 0
You can also get the substatus code from the HTML response itself, but web browsers like Internet Explorer have options like "Show Friendly HTTP Errors" which obscure the detailed error response by making it "simple" and "user friendly", so if you want the real error response you need to turn off that option.
Unfortunately, prior to IIS 6.0 the IIS web log files are useless for distinguishing the 401 substatus because they do not even record it. Your only option is to figure it out from the HTML response itself, assuming the 401.x custom error pages for that URL's scope are configured to send different HTML pages for each type of error.

Step 2: Determine Course of Action
Once you have determined the HTTP substatus code, you can start narrowing down the types of failures and causes. The following are the fixed categories that IIS reports. I will give a detailed explanation of what each means as well as some common causes/solutions (obviously not exhaustive).
401.1 Denied by Invalid User Credentials
This error indicates that IIS failed to obtain an NT user token with which to execute the request.
In a nutshell, IIS expects to have an NT user token at the end of authentication (even anonymous authentication; see this URL for details), and if this does not happen, you get 401.1.
Some common causes include:
- The client gave the wrong username/password (including none at all). This could be from an incorrect cached auto-login attempt by the browser, or from a user login dialog in the browser.
- Invalid Kerberos configuration on IIS 6: if you have a customized Application Pool identity AND Integrated Authentication is used AND the web server is in a domain, you will mysteriously get 401.1 unless you either register the service principal name for that identity with SETSPN *or* change Integrated Authentication to favor NTLM. See the following URLs on Application Pool identity, Integrated Authentication in IIS, and Constrained Delegation configuration, as well as this URL on additional Kerberos-related troubleshooting, for more information.
- You enabled Anonymous authentication, yet you still get 401.1 for all requests. One common cause is that the anonymous user credentials stored in the IIS metabase configuration file are DIFFERENT from the user principal's credentials in reality (i.e. mismatched password). In all cases, the preferred solution is to manually synchronize the username/password of the anonymous user principal in IIS with that of the real user principal. I have seen many amazing variations of this cause, including:
  - For testing purposes, the user types in his/her OWN username/password as the anonymous user credentials at some point in the past and forgets about it. Later, when password policy forces them to change their password, the anonymous user credentials stored in the IIS configuration are mismatched with reality. On subsequent anonymous requests, IIS fails to log in and obtain an NT user token for anonymous authentication and fails with 401.1, and it looks like IIS is just plain buggy and cannot even support anonymous authentication.
  - I have also seen the reverse happen: the user configures IIS to use their username/password as the anonymous user, and when they change their password, web server traffic quickly causes IIS to log in with the wrong user credentials too many times, causing their user account to be locked out. These users then complain that their user account is mysteriously getting locked out as soon as it is unlocked, even before they log in anywhere.
  - On upgrading from IIS 5 to IIS 6, IIS SubAuthentication (i.e. the "allow IIS to control the anonymous user's password" feature) is enabled by default for compatibility. This allows IIS to log in the anonymous user principal without actually keeping the user credentials in sync, and anonymous authentication looks good while in IIS 5 Compatibility Mode. However, as soon as you switch into IIS 6 Worker Process Isolation Mode, SubAuthentication is disabled because it requires a privileged process identity like LocalSystem (which is a known and quite unnecessary security risk for the lowly purpose of password sync). This means that IIS 6 now tries to log in with the anonymous user credentials stored in the metabase, which have probably NEVER been kept in sync with reality through the upgrade... and you now get 401.1 for every single anonymous request. To a casual user, it looks like switching into IIS 6's native mode simply breaks anonymous authentication and the rest of the website.
- The server has been reconfigured to deny necessary logon privileges for the authenticating user or its containing group (either anonymous or through some authentication protocol). This can be done through automated re-application of Group Policy for domain members, DCPROMO to/from Domain Controller, or static application of security templates. What ends up happening is that the server-side reconfiguration may remove local/remote logon rights for that user, impose new restrictions (like logon hours or logon type), etc., preventing IIS from successfully logging in the user to execute requests and resulting in 401.1.
- Your event log could be full for some reason; see KB 832981.
401.2 Denied by Server Configuration
This error indicates that the web server is configured to require certain authentication protocols for communication, but the browser failed to use any of those authentication protocols. The corrective action should be either to configure the server to require an authentication protocol acceptable to the client, or to use a client that satisfies the server's authentication protocol requirements.
- A common cause of this issue happens with the older Netscape/Mozilla browser clients and an IIS web server configured to require Integrated Authentication. These browser clients did not understand Integrated Authentication, so when IIS required Integrated Authentication and the browsers repeatedly ignored those responses, IIS returned 401.2 indicating that the browser failed to use an authentication protocol required by the server. Newer Mozilla browsers like Firefox do not have this deficiency.
- Another possible cause is using Integrated Authentication over the Internet. Integrated Authentication (NTLM) is a connection-based authentication protocol, meaning that an authenticated connection between a client and server is the only proof of authenticity. This works fine in intranet scenarios, but in Internet scenarios a lot of network devices in between the client and server can either not support or mishandle NTLM (such as proxy server connection pooling/multiplexing), causing unexpected 401.2. Here is how it happens: since NTLM is connection-based authentication, once a client successfully authenticates using NTLM, it often reuses its end of the connection and simply sends anonymous requests over it. Now, assume an intervening proxy server pools connections between client and server, is unaware of NTLM, and independently decides to send the client's request over *another* connection in its pool (instead of the already authenticated one) to the server. This causes the client's anonymous request to be sent to the server over a new, unauthenticated connection, and the server dutifully rejects it with a 401.2 since the server requires Integrated Authentication. The 401.2 rejection is totally unexpected by the client since it thought it was reusing an authenticated connection and did not initiate any re-authentication. Yup, fun...
Common variations of an "intervening proxy server" include:
- "Web Accelerators", such as the Google Web Accelerator. These programs basically act like a local "caching proxy" such that requests for content have a higher chance of being served from your local hard drive than over the network, thus "speeding up" apparent web access.
- Web Anonymizers: these programs basically disguise your own IP and other request characteristics with their proxy's IP and characteristics, and this is shared amongst all their users, thus providing anonymity through numbers.
- Sniffer tools like Fiddler for IE: these programs act like "Web Accelerators" except that instead of caching requests/responses, they selectively capture and display those requests/responses for user analysis.
- Web access proxies of some broadband providers or preset company proxies: these are the traditional, obvious proxies.
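The connection-pooling failure described above, as an added simulation that is not part of the original post and is not IIS or NTLM code. The real NTLM exchange is several messages on one connection; here it is collapsed into a single accepted "NTLM type3" marker, and the server, client and proxy classes are invented. What the model keeps is the property that matters: the server remembers authentication per connection, not per request, so a proxy that rotates upstream connections turns an already-authenticated client's anonymous requests into unexpected 401.2 responses, while a proxy that pins the client to one upstream connection does not:

```python
"""Why connection-based (NTLM) authentication yields unexpected 401.2 behind a
connection-pooling proxy. Constructed simulation; not IIS or NTLM code."""
import itertools
from typing import NamedTuple


class Response(NamedTuple):
    status: int
    substatus: int      # IIS-style substatus: 401.2 = denied by server configuration
    detail: str


class IntegratedAuthServer:
    """Requires Integrated auth. Authentication state is bound to the connection."""

    def __init__(self):
        self.authenticated_connections = set()

    def handle(self, connection_id, request):
        # The multi-message NTLM handshake is collapsed into one accepted marker
        # (constructed); what matters is that success is recorded per connection.
        if request.get("Authorization") == "NTLM type3":
            self.authenticated_connections.add(connection_id)
            return Response(200, 0, f"authenticated {connection_id}")
        if connection_id in self.authenticated_connections:
            return Response(200, 0, f"served on authenticated {connection_id}")
        # No credentials and an unauthenticated connection: challenge the client.
        return Response(401, 2, "WWW-Authenticate: NTLM")


class DirectClient:
    """Browser talking straight to the server: authenticates once, then sends
    anonymous requests down the same connection."""

    def __init__(self, server):
        self.server = server
        self.connection_id = "client-conn"

    def authenticate(self):
        return self.server.handle(self.connection_id, {"Authorization": "NTLM type3"})

    def get(self, path):
        return self.server.handle(self.connection_id, {"Path": path})


class PoolingProxy:
    """NTLM-unaware proxy: forwards each request on whichever pooled upstream
    connection comes next in its rotation."""

    def __init__(self, server, pool_size=2):
        self.server = server
        self.rotation = itertools.cycle(f"proxy-conn-{i}" for i in range(pool_size))

    def forward(self, request):
        return self.server.handle(next(self.rotation), request)


class PinningProxy(PoolingProxy):
    """Same proxy, but keeps this client on one upstream connection, which is
    what an NTLM-aware proxy has to do."""

    def __init__(self, server):
        super().__init__(server, pool_size=1)


def run_direct():
    server = IntegratedAuthServer()
    client = DirectClient(server)
    client.authenticate()
    return [client.get("/a.htm"), client.get("/b.htm")]


def run_via(proxy_class):
    server = IntegratedAuthServer()
    proxy = proxy_class(server)
    proxy.forward({"Authorization": "NTLM type3"})   # handshake completes on one connection
    return [proxy.forward({"Path": "/a.htm"}), proxy.forward({"Path": "/b.htm"})]


if __name__ == "__main__":
    for label, responses in [("direct", run_direct()),
                             ("pooling proxy", run_via(PoolingProxy)),
                             ("pinning proxy", run_via(PinningProxy))]:
        print(f"{label:14}", [f"{r.status}.{r.substatus}" for r in responses])
```

The pooling case is intermittent by construction: the request that happens to land on the authenticated connection succeeds, the next one does not, which is exactly why this class of 401.2 looks random from the client's side.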
401.3 Denied by Resource ACL
This error indicates that the web server was able to authenticate and obtain SOME NT user token to process the HTTP request (you still have to determine WHICH user's token...), but that NT user token lacks the file system ACLs to access the requested resource. This is the typical "access denied" due to missing file ACLs that people assume, and yes, you will likely need to adjust ACLs to resolve this issue.
However, realize that all of the OTHER 401.x errors have nothing to do with ACLs, so I recommend AGAINST tweaking resource ACLs to "Everyone: Full Control" to remove ACL issues from the picture. You should be able to determine the exact user that lacks ACLs to the resource, and just adjust ACLs for that user on the necessary resources to resolve the issue.
Common causes include:
- Wrong/missing ACLs on the file for the authenticated user. You need to change the ACLs or change the user to an identity that has correct ACLs on the file.
- You are not authenticating with the authentication protocol you think, and thus the user principal may be unexpected. Reconfigure the authentication protocols as appropriate so that you end up running as the user identity you expect on the server.
- If your content is on a UNC share, you may have mismatched NTFS ACLs vs. UNC share ACLs.
A useful tool to pragmatically determine access denied to file resources is File Monitor (Sysinternals FileMon).
401.4 Denied by Custom ISAPI Filter
This error indicates that some ISAPI filter running on that request sent back a structured 401 response of some sort.
The reasons why the ISAPI filter is returning such 401 responses are completely arbitrary and uncontrollable by IIS. You will need to determine WHICH ISAPI filter is returning this response and obtain support for that ISAPI filter to resolve the issue.
401.5 Denied by Custom ISAPI/CGI Web Application
This error indicates that some ISAPI extension or CGI web application sent back a structured 401 response of some sort.
The reasons why the CGI/ISAPI is returning such 401 responses are completely arbitrary and uncontrollable by IIS. You will need to determine WHICH CGI/ISAPI is returning the response and obtain support for it.
In the case of requests that execute .DLL or .EXE files, the CGI/ISAPI binary is clear. In the case of requests with extensions that have an Application Mapping (i.e. the .asp extension is mapped to the ASP ISAPI DLL script engine), you need to look up the extension and its associated Application Mapping in the URL's scope to determine the script engine to obtain support for.
Starting with IIS 6, it is also possible for Wildcard Application Mappings to execute on any request within their configured scope prior to executing the actual handler for the request. It is conceptually like how an ISAPI filter can act on a .asp request before the ASP ISAPI handler processes the request.
A popular scenario for Wildcard Application Mapping is to implement custom authentication, so a 401.5 on a .html file may indicate the presence of a Wildcard Application Mapping based custom authentication. To the astute reader: .html is handled by the Static File Handler by default, which will only return 401.3 for access denied... so if you see a 401.5 involved with a resource like .html that is usually NOT associated with an Application Mapping (and only an Application Mapping can return 401.5 for access denied), you know that either a Wildcard Application Mapping or a non-standard Application Mapping for .html is involved.
To determine which Wildcard Application Mapping is involved on a request, you have to use the IIS Manager to look up the EFFECTIVE Wildcard Application Mapping for that request, starting from the web page of the URL itself and working up the directory tree until you find the nearest mapping definition. Yes, it is a major hassle prior to IIS 7 to determine the effective Application Mapping of a request for support purposes.
Starting with IIS 7, you can use Failed Request Tracing to determine all handlers that executed in sequence on a given request, which will show exactly what module/application mapping caused the 401.5. This makes it extremely easy to identify the faulty DLL without trying to calculate the effective Wildcard Application Mapping configuration.
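Steps 1 and 2 together, as an added example that is not part of the original post: a parser for the IIS W3C extended log format run over the four entries quoted above (reproduced here as constructed sample input, with the hyphens the page lost restored), picking out the 401 responses and labelling each with its 401.x category and the meaning of its Win32 status. The category strings are this example's paraphrase of the categories listed in Step 2; the Win32 decoding covers only the two codes present in the sample (5 = ERROR_ACCESS_DENIED, 2148074254 = 0x8009030E = SEC_E_NO_CREDENTIALS):

```python
"""Parse IIS 6 W3C extended log lines and classify 401 responses by substatus.
Constructed example; the sample log reproduces the entries quoted in the post."""
from collections import Counter

# Constructed sample input (raw string: the username contains a backslash).
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-05-21 05:39:27
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2005-05-21 05:39:27 192.168.0.101 GET /VirtualServer/VSWebApp.exe view=1 1024 WEBBROWSER\User 192.168.0.101 Mozilla/4.0+(User-Agent) 200 0 0
2005-05-21 05:39:27 192.168.0.101 GET /VirtualServer/scripts/VSScripts.js - 1024 - 192.168.0.101 Mozilla/4.0+(User-Agent) 401 2 5
2005-05-21 05:39:27 192.168.0.101 GET /VirtualServer/scripts/VSScripts.js - 1024 - 192.168.0.101 Mozilla/4.0+(User-Agent) 401 1 2148074254
2005-05-21 05:39:27 192.168.0.101 GET /VirtualServer/scripts/VSScripts.js - 1024 WEBBROWSER\User 192.168.0.101 Mozilla/4.0+(User-Agent) 304 0 0
"""

# The fixed 401.x categories IIS reports (paraphrasing Step 2 of the post).
SUBSTATUS_MEANING = {
    1: "Denied by invalid user credentials (IIS obtained no NT user token)",
    2: "Denied by server configuration (client used none of the required authentication protocols)",
    3: "Denied by resource ACL (token obtained, but it lacks file-system ACLs on the resource)",
    4: "Denied by custom ISAPI filter",
    5: "Denied by custom ISAPI extension / CGI application",
}

# Win32 / security status codes that appear in sc-win32-status of the sample.
WIN32_MEANING = {
    0: "ERROR_SUCCESS",
    5: "ERROR_ACCESS_DENIED",
    0x8009030E: "SEC_E_NO_CREDENTIALS (no credentials available in the security package)",
}


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive.
    W3C logs write '-' for an empty field and '+' for spaces inside a field, so
    splitting on whitespace is safe; a line with the wrong field count is an error."""
    fields = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(None, 1)[1].split()
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: data before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        yield dict(zip(fields, values))


def classify_401(entry):
    """Describe one 401 entry: which 401.x it is and what the Win32 status adds."""
    substatus = int(entry["sc-substatus"])
    win32 = int(entry["sc-win32-status"])
    return {
        "uri": entry["cs-uri-stem"],
        "user": entry["cs-username"],        # '-' means no authenticated user on this request
        "substatus": f"401.{substatus}",
        "meaning": SUBSTATUS_MEANING.get(substatus, "unknown 401 substatus"),
        "win32": win32,
        "win32_hex": f"0x{win32:08X}",
        "win32_meaning": WIN32_MEANING.get(win32, "see winerror.h"),
    }


def diagnose(text):
    """All 401 responses in a log, in order, each classified."""
    return [classify_401(e) for e in parse_w3c(text) if e["sc-status"] == "401"]


def summarize(text):
    """Count of 401 responses by substatus, e.g. {'401.2': 1, '401.1': 1}."""
    return dict(Counter(d["substatus"] for d in diagnose(text)))


if __name__ == "__main__":
    for d in diagnose(SAMPLE_LOG):
        print(f'{d["substatus"]} {d["uri"]} user={d["user"]} win32={d["win32_hex"]} '
              f'-> {d["meaning"]}; {d["win32_meaning"]}')
    print(summarize(SAMPLE_LOG))
```

Read the output against the surrounding entries before acting on it: in the sample, the 401.2 and 401.1 for VSScripts.js are immediately followed by a 304 for the same URL with a username filled in, which is the normal challenge/response of Integrated authentication completing, not a failure to fix. A 401.x that is never followed by a successful response from the same client is the one to investigate.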

Conclusion
401.1 through 401.3 errors are associated with IIS request processing and allow the logical interpretations and assumptions that I listed above.

Meanwhile, the 401.4 and 401.5 errors are the most arbitrary to diagnose since custom ISAPI DLLs and CGI EXEs can cause IIS to behave in non-obvious manners. Thus, many of the logical assumptions about 401.x do not apply.
I hope that this information has been useful in deciphering the 401.x errors from IIS. If you have additional questions, feel free to post a comment or post a private question via the "contact" link.
Recently, we have also released a tool, AuthDiag, to help troubleshoot IIS access denied issues. You can download it from this location. In particular, it has a feature to hook into various failure points in IIS and directly troubleshoot what is failing on a given request; you need to see it and try it out!
Good Luck.
Original Post:
