Troubleshooting Windows 2008 Common Problems - Legacy Software Versions

This TechNote is for Ithicos Solutions applications released prior to May 2014. That includes Directory Update v2.4 (and earlier), Directory Manager v2.1 (and earlier), Directory Password v1.1 (and earlier), and Directory Search v1.8 and earlier. For newer versions of the software, we have a different TechNote available.

Windows Server 2008 and Windows Server 2008 R2 are great operating systems. Windows Server 2008 R2 is the recommended platform for our applications due to improved scalability, stability, and security. But thanks to improvements in security, getting any application to run can be an ardous process.

The top problems we have reported with Windows Server 2008 and Windows Server 2008 R2 are:

Missing Prerequisites

Missing prerequisites will cause the installer to fail. All Ithicos Solutions applications require the following Windows 2008 / Windows 2008 R2 components:

The simplest way to ensure that all of these are installed is to simply run the Server Manager command line tool (ServerManagerCMD). Open a command prompt (Run As Administrator) and then run this command to install (or make sure that all prequisites are met. (This is all one single command.)

ServerManagerCMD.exe -i AS-NET-Framework AS-Web-Support Web-Server Web-Asp-Net Web-Net-Ext 
 Web-Security Web-Mgmt-Tools Web-Mgmt-Compat NET-Framework-Core

Application Pool Issues

An IIS application pool is essentially an isolated memory space and CPU threads that run under a specific security context. By default, all IIS applications and web sites will run in an application pool called DefaultAppPool. This application pool runs in a security context called ApplicationPoolIdentity. This is sufficient for many applications that do no need to perform certain types of LDAP queries or that need to write to the file system.

However, this will cause problems for organizations that need to use any of our applications to query a Global Catalog server or if the applicatiin needs to write to log files or write temporary photos to the file system.

For this reason, we strongly urge you to create a dedicated application pool for Ithicos Applications that runs under the NetworkService identity. Please see our TechNote article Creating dedicated IIS Application Pools.

User Access Control (UAC)

Windows Server 2008 User Access Control (UAC) is a feature that allows you to place even tighter security controls on Windows Server users by prompting for tasks that require elevated access, limiting access even Administrators have by default, and requiring that application installers be digitally signed by a trusted certificate authority. While we wholeheartedly support making Windows Server more secure, it sure can make installing applications a pain in the neck.

We occaasionally have a customer report that when they try to run our installer, they get an "access denied" or "insufficient rights" type message even when they are logged on as a member of Domain Admins. This is usually resolved by following these steps:

  1. Ensure that you are logged on as a domain user that is a member of the local Administrators group
  2. Copy the installer file (the MSI) file to a folder such as c:\temp (in this excample, DirectoryUpdate.MSI
  3. Open a command prompt as an Administrator (Run As Administrator)
  4. Run the Microsoft installer using this command:
msiexec.exe /i c:\temp\directoryupdate.msi

From this point, you should be able to continue forward with a standard installatoin. For a tightly locked down system, though, you may also need to run the Configuration wizard as an administrator. Right click on the Configuratoin wizard and choose "Run As Administrator"

Log file and Photo folders

Directory Update, Directory Password, and Directory Manager can create tab-separated value files (text) that record individual changes using the respective application. This is controlled in the Auditing section of the AppSettings.XML file. The logs are stored by default in c:\inetpub\wwwroot\directoryupdate\logs or c:\inetpub\wwwroot\directorymanager\logs.

Assuming that you have created a dedicated application pool that uses the NETWORK SERVICE security context, make sure that the NETWORK SERVICE user has "Modify" permissions to this folder.

File system permissions for Ithicos applications

The same holds true for the Photos folder if you are allowing users to upload photos in to the Active Directory. That folder is c:\inetpub\wwwroot\directoryupdate\photos or c:\inetpub\wwwroot\directorymanager\photos.