IIS6: "Supposed" Metabase Corruption

Published 13 January 06 04:59 PM | jamesbl 

Prologue (required boredom)

I recently worked on an issue where the IIS Admin service would not start after a reboot.  The customer had just finished installing a set of patches, and thought that might be related (we'll soon see that it wasn't related).  The error was:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7024
Date: xx/xx/2005
Time: xx:xx:xx PM
User: N/A
Computer: xxxxx
Description:
The IIS Admin Service service terminated with service-specific error 2148073478
0x80090006).

After much initial troubleshooting by more than enough people, metabase XML files were backed up, renamed, re-copied, scrubbed, analyzed, scrutinized, and investigated.  Machinekeys were then targeted, checked for proper ACLs, etc. and after nothing worked, the conclusion was metabase corruption, and IIS should be uninstalled and reinstalled.  This solved the issue, but for all the wrong (and unknown) reasons.

This had occurred, however, on 3-4 other occasions in the customer's environment, so it was time to find out why.  Like clockwork, the problem occurred again, so thanks to a friend in Exchange (you know who you are) asking me to give my .02 cents, I got my chance to look at it.

Epilogue (the good part)

In my experience, the reason IISADMIN fails to start in this scenario is because of a failure to decrypt secure data in the metabase, which, of course, brings us back to our old friend Machinekeys.  The machine key is a file that IIS uses to decrypt secure data in the metabase.  There can be many machine key files in the MachineKeys directory, but the IIS specific one starts with "c2319", which I remember thanks to the memorable quote in Monsters, Inc. (and now you will too).

There's a little known fact that the machine key file IIS uses can be stored in one of two locations.  The typical one everyone seems to know is:

   %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys

The other location that is not so well-known is:

   %windir%\Profiles\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

This is almost always due to the fact that the machine had been originally upgraded from NT4.  We looked in the registry under the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

and confirmed the Common AppData value was, indeed, pointing to the C:\Windows\Profiles directory!  Now we're getting somewhere!

Next we made copies of the multiple sets of machine key files, deleted the "c2319" machine key file in the \Windows\Profiles\...\MachineKeys folder and then copied the one from \Documents and Settings\...\MachineKeys into the \Windows\Profiles\...\MachineKeys folder and voilà this was a match!  IISAdmin started just fine.

The keen reader should notice this means IIS WAS using the \Documents and Settings\...\MachineKeys folder initially and something changed it after the fact.  This is the reason for my almost comment above.  Upon further inspection, it appeared the customer had installed a piece of older software (NT4 version, perhaps?) that actually modified the registry to point to the \Windows\Profiles\...\MachineKeys directory.  OUCH!

One other tidbit I noticed during the course of working on this issue is if you delete the machine key IIS uses, then attempt to start IISADMIN, another "c2319" machine key file will be created using the same filename.  The problem with this is the data/private key inside will not match what was used to encrypt the metabase data initially, therefore, it's completely useless and IISADMIN will not start.  This leads me to ask why it's created in the first place.  If you know, I would love to hear...
 
Filed under:

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Comments

# Raymon said on January 20, 2006 6:10 PM:
Very Helpfull! Please keep sharing
# Marnix Wolf said on February 6, 2006 9:49 AM:
Great article!

We had similar problems (IIS Admin Service not starting after a reboot) and tried to solve it with restoring the IIS Metabase. Didn't help.

But when reading your article about the machinekey, something came to my mind.

A couple of days ago we overwrote the original All Users profile since the Citrix users needed a different 'default' setting for their countrysettings.

With this, the original machinekey which IIS Admin Service uses, disappeared as well.

But before we overwrote the original All User Profile folder, we made a backup. From backup we restored the original machinekey for IIS Admin Service.

And voila, everything runs like clockwork again!

Thanks for sharing your experience and knowledge!

Kind regards,
M.S. Wolf
System Administrator (and learning a lot from mishaps like mentioned above...)
# G Hill said on March 15, 2006 4:56 AM:
Bonza advice - and much beeter than the MS technet info.
# wxstorm said on April 28, 2006 6:22 AM:
good
It solves my problem
Thank you!!!!!!
# Wole Banjoko said on July 27, 2006 6:52 PM:
Awesome!! This solved an issue we experienced in our CITRIX environment. We went back to tape to get the machine file.
# Muhammad Nadeem said on August 20, 2006 9:37 PM:
Great Artical !

But In my case we end up in re-installing the IIS because unfortunatelt for in our Backup configuration "C:\Documents and Settings\" was under exception list and never get backed up.

Lesson learned:
If you have IIS Installed, make sure your  Tape backup application includes "C:\Documents and Settings\" or Atleast "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys"
# msadmin said on August 21, 2006 4:00 PM:
I ran into the same problem on Win2k3 R2 x64. I didn't try to use it after setting up the machine but based on the logs it wasn't working initially. This server was created from an image (the image is created by another team).

I don't have the \windows\profile directory mentioned and the reg entry points to the All Users folder as it should, so at this point I'm going to uninstall/reinstall and see if that works.  Based on the article I don't see any other option.
# Phil Chapman said on November 30, 2006 10:02 AM:

Great article! Some very useful info..Thanks

# George said on December 5, 2006 2:05 AM:

Thank you! This blog just saved my life!! Thank you for these insights.

# billys said on January 22, 2007 7:21 AM:

Hello! I am Billy Johnson Nice design. Enjoy! Good site! OK. 0n79p7k .

# Lisa said on February 7, 2007 9:39 AM:

I don't have a  \windows\profile dir.  I tried to reinstall and still no go.  Any suggestions?

# Kevin said on February 11, 2007 9:54 PM:

Hi all , very nice site! Thank You !

# PaolaR said on February 20, 2007 10:27 AM:

Thanks a lot, a great article!!!!!

I can resolve the problem.

# A very happy admin ;p said on April 5, 2007 6:03 AM:

JEPP very fine stuff

and thanks a lot :)

# A very, very happy one said on July 11, 2007 5:39 PM:

Yep man, that worked. *uh* Hours of search ... Exchange did not start, even the IISADMIN. They KEYS were the Key.

Thanks god I had Backup. System is back up and running.

An interesting question after that: what if the keyfiles were destroyd? (*look left, look right, run*)

# The good german said on July 26, 2007 3:50 AM:

Thank you for this article. This saved me from reinstalling my server.

And always remember: It is a rather bad idea to move the "All Users" profile folder to another drive without moving the files (like the RSA keys) as well.

# Net Admin said on July 27, 2007 3:18 PM:

This article is a life saver. Keep up the good work. I initially thought I had to reinstall IIS but after reading this post and following it to the T I did not have to re-install IIS. Thanks a million.

# Daniel Bragg said on August 7, 2007 3:22 PM:

(sigh)  No, uninstalling GoToMeeting wasn't the solution, and following the advice in this column wasn't either.  My machine wasn't updated from an earlier version (fresh into XP Pro), and "Common AppData" is pointing to the correct folder in the appropriate %ALLUSERSPROFILE% directory.  

Although I do have a C:\WINDOWS\Profiles\All Users directory, all that is in it is an empty C:\WINDOWS\Profiles\All Users\Adobe\Webbuy folder (maybe a clue to something, but I'm not seeing the connection).  I also have only one "c2319" machine key file on my computer (in the correct directory).

I am very glad this information has helped a lot of people.  I, for one, will have to look further.

Thank you for your efforts.

# Kane Martin said on August 14, 2007 4:09 PM:

Okay... First thank you for the posting as it put me on the right path and saved me a lot of time. I had a similar issue with the IISAdmin Service not starting. I noticed that I had two c2319 keys in my folder. The dates were so that one was before our issue and one was after. I renamed the new (not working) key and tried to start the service. It didn’t work and when it created the new key, it came back as the wrong one (although the same wrong one as before. The keys are set in two groups of numbers with an “_” separating them. The first set is not important here, but the second set of numbers (after the _) is the key represented in the registry as MachineGuid and can be found at HKLM\software\Microsoft\Cryptography. I changed that to match the old key and everything started working as normal. Still testing to see what the fix might have broken, but so far so good.

# Jose Miguel said on September 6, 2007 3:58 AM:

Thank you, Kane.

Your last post is the one it help us.

Great article!

# Famous Birthdays » Blog Archive » Keith Richie : IIS6: Supposed Metabase Corruption said on January 5, 2008 7:20 PM:

PingBack from http://birthdays.247blogging.info/?p=3560

# Joe said on February 27, 2008 10:41 PM:

THANKS YOU!!!!!!!!!!!!!!!!!!!!!!!!!!!

# Cardspace for BlogEngine.Net said on March 28, 2008 12:39 AM:

PingBack from http://www.dscoduc.com/post/2008/03/Cardspace-for-BlogEngineNet.aspx

# Ken said on May 14, 2008 3:15 PM:

Thanks for the tip!

Not sure why but on mine copying the c2319.. file from C:\Documents and Settings\All Users\Application Data\Microsoft\HTML Help\Crypto\RSA\MachineKeys  to   C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys allowd IIS admin to start.

# ????????????????????? » Restore IIS when IIS admin fails to start… « said on May 16, 2008 10:47 PM:

PingBack from http://www.puzzlebird.com/wp/technical-hands-on/restore-iis-when-iis-admin-fails-to-start/

# Rusty said on July 15, 2008 2:44 PM:

My research of why IIS 6 could not start brought me to this thread, but restoring keys did not work for me. My problem turned out to be a corrupt metabase. Restoring MetaBase.xml fixed my issue. To restore MetaBase.xml, restore system state from your backup to a temp folder. Now copy the restored MetaBase.xml from your temp folder to %Systemroot%\System32\inetsrv\

# Lutz said on August 24, 2008 12:59 PM:

I have had an older (manual)backup of the IIS-Metabase-configurationfiles in %windir%\system32\inetsrv\metaback

If I tried to make a resore (after reinstalled IIS) it didn't work. (signature-failure / "Falsche Signatur"), Now we know, it's because of the new machinekey-file.

My Solution was :

net stop iisadmin /y

net stop W3Svc /y

transfer the following XML-Tags form backuck.MDO into ..\inetsrv\metabase.xml :

- WebSvcExtRestrictionList=...

- all <IIsWebServer .. (webpages) entries

until tag <IIsApplicationPools

AND NOW :

change all entries UNCPassword="... and AdminACL=".. into the same entry as AdminACL=", which you will find at the top of file in tag <IIS_ROOT.

So you use the NEW metabase.xml, have the old entries for applications and websites in it, but simply changed their key-entries into the new key.

After finishing save metabase.xml and start iis :

net start iisadmin

net start W3Svc

For me, this was the solution for having NO Back-MachineKeyfile c2319, but had a back-config-file.

# GDPfluger said on January 22, 2009 11:46 AM:

I am encountering this error on Windows XP SP3 after sysprep with IIS 5.1 WWW and FTP installed.  I am using the SP3 version of sysprep, so I don;t have any incompatibility there.  Any idea how to prevent this from happening during/after sysprep?

# Dmitry said on February 20, 2009 3:20 AM:

Kane Martin? you are the BEST!

# Justme said on March 18, 2009 3:24 AM:

Your solution worked!  Thanks so much for the explanation and saving me all the troubleshooting and headaches just to figure this one out!  

Thanks again for sharing!

# 小向美奈子 said on June 13, 2009 4:54 PM:

話題の小向美奈子ストリップを隠し撮り!入念なボディチェックをすり抜けて超小型カメラで撮影した神動画がアップ中!期間限定配信の衝撃的映像を見逃すな

# Carla said on July 27, 2009 1:01 AM:

Thank You !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

# Jeff M said on August 15, 2009 9:48 AM:

Thanks for this article, and a big thanks to Kane Martin. Had the same problem in my environment. For some reason, mid-week, the 'c2319' MachineKey file was replaced by a new one with a different MachineGuid. Swapped them around and IIS (and most importantly, SMTP) started right back up. Thanks again!

Leave a Comment

(required) 
(optional)
(required) 

  
Enter Code Here: Required

Search

This Blog

Syndication

Page view tracker