U-Tools: Unique Tools for Windows System Administrators
U-Move Help
Menu

Must Copy Internet Information Services

The Internet Information Services (IIS) security database must be copied in order for IIS to run correctly.

Internet Information Services (IIS) provides web services on Windows. A key part of IIS is its security database, sometimes called the “metabase”. The security database contains a list of security settings for IIS.

Some parts of the security database are encrypted. The encryption key is tied to Active Directory. The IIS metabase must have a matching encryption key. If the encryption key does not match, the IISAdmin service will fail to start and will report the error message “Access Denied”. Therefore whenever you clone AD (and you intend to run IIS on the destination computer) you must always copy the IIS metabase.

How To Fix This Error

The only time you can skip moving the IIS security database is when the encryption key is unchanged. (For example, when restoring AD on the same computer or when moving AD to the destination computer a second time.)

The procedure to fix this error depends on whether or not the source computer had IIS installed. (See below.)

Procedure 1: The source computer did not have IIS installed

If the source computer did not have IIS installed, there is no encryption key to copy. In this case you must uninstall IIS from the destination computer. (You can re-install it later.) Use the following procedure.

To uninstall IIS on Windows Server 2012-2019:

  1. Start Server Manager and select the domain controller.
  2. Select Manage -> Remove Roles and Features.
  3. Uncheck the box next to Web Server (IIS) and click Next.
  4. Click Remove to uninstall IIS.

To uninstall IIS on Windows Server 2008 R2:

  1. Click on Start -> Control Panel -> System and Security -> Administrative Tools -> Server Manager.
  2. Right-click on Roles -> Remove Roles.
  3. Uncheck the box next to Web Server (IIS) and click Next.
  4. Click Remove to uninstall IIS.

After moving Active Directory you can re-install IIS.

Procedure 2: Turn on the Advanced Option to copy the IIS security settings

To turn on the Advanced Option to copy the IIS security settings. Use the following procedure:

  1. Right-click on the U-Move dialog. A pop-up menu will appear.
  2. Click on Advanced.
  3. Check the box next to “Move the IIS metabase”.
  4. Press OK.

U-Move must copy the IIS security settings, otherwise IIS will not be able to start websites because the encryption keys for the websites will be missing or incorrect.

For more information

See Moving IIS Security Settings.

U-Move for Active Directory
U-Move for Active DirectoryU-Move for Active Directory
Backing Up Active DirectoryBacking Up Active Directory
Restoring Active DirectoryRestoring Active Directory
Cloning Active DirectoryCloning Active Directory
Upgrading Active DirectoryUpgrading Active Directory
Remote Use and ScriptingRemote Use and Scripting
AD Consulting and Repair ServiceAD Consulting and Repair Service
AD Recovery ServiceAD Recovery Service
Error MessagesError Messages
Override of Warning MessagesOverride of Warning Messages
Check for Software UpdateCheck for Software Update
Duplicate Computer on NetworkDuplicate Computer on Network
Extend Your Support PlanExtend Your Support Plan
KDC Ticket SignaturesKDC Ticket Signatures
LDAP Signing Requirements for Active DirectoryLDAP Signing Requirements for Active Directory
Lingering ObjectsLingering Objects
Must Copy Internet Information ServicesMust Copy Internet Information Services
Need to Create a Global CatalogNeed to Create a Global Catalog
Need to Repair the NTDS DatabaseNeed to Repair the NTDS Database
Need License CodeNeed License Code
SHA-2 encryption: Phase out of SHA-1SHA-2 encryption: Phase out of SHA-1
USN RollbackUSN Rollback
Operation FailedOperation Failed
Fatal Internal Error: Cannot RecoverFatal Internal Error: Cannot Recover