Troubleshooting Issues on Windows 2016

This TechNote covers the 3.x versions of Ithicos Solutions products running on Windows Server 2016 including:

  • Directory Update v3.0 or later
  • Directory Manager v3.0 or later
  • Directory Search v3.0 or later
  • Directory Password 3.0 or later

Note: Versions older than the above versions are not supported on Windows Server 2016.

The top reported problems with Windows Server 2016 are:

  • Missing IIS prerequisites during or after installation
  • Restrictive User Access Control (UAC) settings during installation
  • .NET Framework not properly configured


Missing Prerequisites

Missing prerequisites may cause the installer to fail or may cause the application to not work once installed. Our software relies on components of Microsoft Internet Information Server (IIS) and the .NET Framework 4.x platform. The simplest way to install all of the necessary components is to use the PowerShell Server Management module.

1.  Open a PowerShell command prompt as an administrator 
2.  Type Import-Module ServerManager and press Enter
3.  Type Add-WindowsFeature Web-Server, Web-Mgmt-Console, Web-Scripting-Tools, Web-Basic-Auth, Web-Windows-Auth, NET-FRAMEWORK-45-Core, NET-FRAMEWORK-45-ASPNET, Web-HTTP-Logging, Web-NET-Ext45, Web-ASP-Net45 and press Enter
4.  Reboot if prompted.

Microsoft is continually making updates to the .NET Framework v4.x including bug fixes and security updates. We strongly recommend keeping your server within 2 or 3 months of the most recent updates. So, ensure that you run a “Windows Update” on your server periodically and ensure that all critical as well as recommended updates are applied.


Installation Access Denied or Administrator Permissions Required

Windows 2016 provides more scalability, stability, and security than ever before. But thanks to improvements in security, getting any application to run can be an arduous process. The Windows Server 2016  User Access Control (UAC) is a feature that allows you to place even tighter security controls on Windows Server users by prompting for tasks that require elevated access, limiting access even Administrators have by default, and requiring that application installers and utility software be digitally signed by a trusted certificate authority. While we wholeheartedly support making Windows Server more secure, it sure can make installing applications a pain in the neck.

We occasionally have a customer report that when they try to run our installer, they get error messages like these:

  • Access denied
  • Insufficient rights
  • Administrator privileges are required to install this product
  • Error message: unable to contact domain
  • They may see these errors even when they are logged on to the IIS server as a member of Domain Admins. This is usually resolved by following these steps:

    1. Ensure that you are logged on as a domain user that is a member of the IIS server's local Administrators group
    2. Copy the installer file (the MSI) file to a folder such as c:\temp (in this example, DirectoryUpdate.MSI)
    3. Open a command prompt as an Administrator (Run As Administrator)
    4. Run the Microsoft installer using this command:         
           msiexec.exe /i c:\temp\directoryupdate.msi

    From this point, you should be able to continue forward with a standard installation. For a tightly locked down system, though, you may also need to run the Configuration wizard as an administrator. Right click on the Configuration wizard and choose "Run As Administrator"


    Application Pool Issues

    An Application Pool is essentially a memory space and dedicated set of processor threads that can be assigned to an IIS web site or web application. Separating web sites or web applications helps to prevents one application from causing problems for another. Our installers automatically create a dedicated application pool for each of our applications, such as “DirectoryUpdateAppPool”. Occasionally, another web application installer or system administrator may accidentally change the application pool assigned to one of our apps or the application pool properties may be changed.

    You can view the application pool assignments and application pools properties via IIS Manager. To see which application pool an application such as Directory Update is assigned, use IIS Manager, open the Sites folder and navigate to the Web site on which Directory Update is configured. This is usually the Default Web Site. Right click on the web site, choose Manage Application and then Advanced Settings. In this screen shot, the Directory Update application is assigned to the DirectoryUpdateAppPool.

    Advanced Settings of a web application

    You can look at the application pools via IIS Manager under the Application Pools folder. Simply right click on the application pool and choose Advanced Settings.

    The application pool has 3 properties that must be set correctly:

    • .NET Framework version must be v4.0
    • Enable 32-Bit Applications must be False
    • Identity must be NetworkService

    Advanced Settings of an W2K16 IIS Application Pool


    Log file and Photo folder permissions

    Directory Update, Directory Password, and Directory Manager can create tab-separated value files (text) that record individual changes using the respective application. This is controlled in the Auditing section of the AppSettings.XML file. The logs are stored by default in c:\inetpub\wwwroot\directoryupdate\logs or c:\inetpub\wwwroot\directorymanager\logs.

    Our installer sets these permissions during the installation but some customers create their own application pools or manually install the software to another path. By default, we assume that the application pools assigned to our applications will be using the NETWORK SERVICE identity so make sure that the NETWORK SERVICE user has "Modify" permissions to the Logs folder.

    File system permissions for Ithicos applications

    The same holds true for the Photos folder if you are allowing users to upload photos in to the Active Directory. That folder is c:\inetpub\wwwroot\directoryupdate\photos or c:\inetpub\wwwroot\directorymanager\photos.


    Update, Update, Update

    Our software relies on the security and stability of the Windows Operating System, Internet Information Server, and the .NET Framework. Microsoft is continually providing updates in the form of updating security fixes as well as roll-up or convenience updates to the operating system. These updates are important not only for the stability and security of your computing environment, but often these updates fix code that our software relies on to execute. Ensure that you regularly update all recommended and critical updates provided by Microsoft including any updates affecting IIS or the .NET Framework.

    Last Review: 3 Jan 2017