Event ID 5153 — IIS WAS Availability

Applies To: Windows Server 2008 R2

The Internet Information Services (IIS) Windows Process Activation Service (WAS) is needed for most Web sites because it supports the World Wide Web Publishing Service (W3SVC), which handles HTTP requests. The WAS Process Manager maps application pools to existing worker processes and spawns new instances of W3SVC to host new application pools as needed. If WAS is not available, most Web sites will not start.

Event Details

Product: Internet Information Services
ID: 5153
Source: Microsoft-Windows-WAS
Version: 7.5
Message: The Windows Process Activation Service (WAS) encountered an error attempting to look up the built in IIS_IUSRS group. There may be problems in viewing and setting security permissions with the IIS_IUSRS group. This happens if the machine has been joined and promoted to be a Domain Controller in a legacy domain. Please see the online help for more information and solutions to this problem. The data field contains the error number.


Remap the built-in IIS accounts

IIS 7.0 uses several built-in Windows Server 2008 accounts, including the IIS_IUSRS group and the IUSR guest user account. These replace the <MACHINE_NAME>_USR account that was created by IIS 6.0.

A problem occurs when a Windows Server 2008 computer that hosts IIS 7.0 becomes a domain controller (DC) of a non-Windows Server 2008 domain (that is, a DC of a Windows 2000 or Windows Server 2003 domain). When the DC promotion occurs, the new Windows Server 2008 built-in accounts are no longer available to IIS 7.0. Any Access Control List (ACL) that uses the built-in accounts will not be able to resolve to a friendly name, but will instead show their raw SID (Security Identifier) values.

To resolve this issue, run a script that will restore the mapping of SIDs to friendly names for the built-in accounts. The script must be run on the DC while it is connected to its Primary Domain Controller (PDC). This will reestablish access to the built-in accounts that IIS 7.0 requires. To obtain the script, see the Knowledge Base article 946139, IIS7 built-in accounts become unavailable after Domain Controller promotion.


To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To verify that the WAS service is running:

  1. Open an elevated Command Prompt window. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
  2. Type sc query was, and press ENTER. WAS is running if the state reported for the service is 4 RUNNING.

IIS WAS Availability

Internet Information Services (IIS) 7.5