
SharePoint Administrators Tip: Do NOT touch IIS MMC

April 16, 2011

SharePoint is a Microsoft web-based product. Like all other Microsoft web-based technologies, SharePoint runs on the IIS6 or IIS7 web server. Network administrators' familiarity with the IIS management console (MMC) can lead them to make inappropriate changes in IIS that affect the stability of their SharePoint environment.

The first lesson I teach all new SharePoint administrators is: DO NOT MODIFY SharePoint SETTINGS THROUGH THE IIS MMC. If it can be done through SharePoint Central Administration, it should be done there. 99% of all SharePoint administration tasks can and should be performed through SharePoint Central Administration. Below is a compilation of common mistakes SharePoint administrators make in IIS, and what they cause.

SharePoint administrators should never:

  • Change IIS host headers for a SharePoint site without adding the corresponding Alternate Access Mappings (AAM)

An AAM should exist for every URL a user might type in the browser to access a SharePoint web site. Missing AAMs have unpredictable effects and are, in my experience, the primary cause of unexplainable issues. An event will also be logged in the Windows Application log for a missing AAM.

  • Delete SharePoint Web Applications from IIS

SharePoint stores all its configuration information in the configuration database. This configuration information includes Web Application (WebApp) information. Deleting a SharePoint WebApp from IIS will not update the SharePoint configuration database. This discrepancy will cause several issues, including potential account lockout problems (see example below).

  • Change the IIS application pool accounts from IIS MMC.

It is best practice to have the SharePoint AppPools running under domain service accounts. There are many situations when the service account or password might need to be changed. This change needs to be made through SharePoint Central Administration and not directly through IIS MMC. The SharePoint site will stop working if the AppPool is changed through IIS.
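For the first item in the list above (host headers without a matching AAM), a drift check can compare IIS bindings against the AAM incoming URLs. This is an added example, not code from the original post: `Find-BindingWithoutAam` is a hypothetical helper, the host names are constructed sample data, and the commented lines assume IIS 7 with the WebAdministration module and the SharePoint 2010 Management Shell.

```powershell
# Hypothetical helper (not a SharePoint cmdlet): report http/https host-header
# bindings in IIS for which no AAM incoming URL exists.
function Find-BindingWithoutAam {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Binding,     # objects with protocol + bindingInformation
        [Parameter(Mandatory = $true)] [string[]] $IncomingUrl  # AAM incoming URLs
    )
    # Normalise every AAM incoming URL to scheme://host:port.
    # [uri] fills in the default port (80 or 443) when the URL omits it.
    $known = @{}
    foreach ($u in $IncomingUrl) {
        $uri = [uri]$u
        $known[('{0}://{1}:{2}' -f $uri.Scheme, $uri.Host, $uri.Port).ToLowerInvariant()] = $true
    }
    foreach ($b in $Binding) {
        if ($b.protocol -notmatch '^https?$') { continue }
        # bindingInformation is "IP:port:hostheader"; read the fields from the
        # right so a bracketed IPv6 address (which contains colons) still parses.
        $parts      = $b.bindingInformation -split ':'
        $hostHeader = $parts[-1]
        $port       = $parts[-2]
        # A blank host header answers for any name, so it cannot be tied to one AAM.
        if (-not $hostHeader) { continue }
        $key = ('{0}://{1}:{2}' -f $b.protocol, $hostHeader, $port).ToLowerInvariant()
        if (-not $known.ContainsKey($key)) {
            New-Object PSObject -Property @{ Url = $key; Binding = $b.bindingInformation }
        }
    }
}

# Constructed sample data. On a farm server the real inputs would come from:
#   Import-Module WebAdministration
#   $bindings = Get-WebBinding
#   $aam      = Get-SPAlternateURL | ForEach-Object { $_.IncomingUrl }
$bindings = @(
    (New-Object PSObject -Property @{ protocol = 'http';  bindingInformation = '*:80:intranet.example.test' }),
    (New-Object PSObject -Property @{ protocol = 'https'; bindingInformation = '*:443:portal.example.test' }),
    (New-Object PSObject -Property @{ protocol = 'http';  bindingInformation = '*:80:teams.example.test' }),
    (New-Object PSObject -Property @{ protocol = 'http';  bindingInformation = '*:8080:' })
)
$aam = @('http://intranet.example.test', 'https://portal.example.test')

# Only the teams.example.test binding has no AAM and is reported.
Find-BindingWithoutAam -Binding $bindings -IncomingUrl $aam
```

Any binding this reports should be resolved by adding the AAM in Central Administration, not by editing IIS further.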

IIS MMC is required to:

  • Add an SSL certificate to a properly extended WebApp.
  • Add a new host header once an alternate access mapping has been added
  • Optimize AppPool settings (
  • Modify IIS logging settings



Situation: A SharePoint developer deleted a SharePoint WebApp from IIS. The deleted WebApp was using his user account as the App Pool service account. After a month, the domain policy forced him to change his password. The user then suffered continual user account lockouts.

Explanation: SharePoint still had some configuration information in the configuration database, and the timer service was trying to perform some actions on the WebApp. Unfortunately, every time it tried to authenticate to a domain controller, it failed because the password had changed.

Resolution: Removing the WebApp from SharePoint Central Admin solved the user’s account lockout problems.


About Michal Pisarek: Michal Pisarek is the founder of Dynamic Owl Consulting and a Microsoft SharePoint MVP.

Comments (5)


  1. […] this article: SharePoint Administrators Tip: Do NOT touch IIS MMC | SharePoint … ← 5 SEO tips for SharePoint 2010 web sites, SharePoint […]

  2. […] Don’t touch IIS Manager!!! (Except for when you do) […]

  3. Orb says:

    My experience tells that a person who deletes a site from IIS will never be a SharePoint administrator.

  4. Larry W. Virden says:

    I am seeking advice about the setting of the 32 bit IIS 6.0 app pool recycle parameters for a MOSS 2007 Service Pack 3 farm.

    We have had a handful of events since SP3 in which some part of IIS just decided not to serve pages up.
    I am trying to figure out a way to configure IIS so that a) it generates an event during these cases, b) rules for IIS or SCOM so that when said event arises, the app pool or server can be restarted.

    However so far I have not had much success in locating resources to accomplish this.

    We are trying to get approval for the resources to move people to a 64 bit environment, but until that is accomplished, we need solutions for 32 bit IIS and SharePoint.

    If anyone has some advice, pointers, etc. that would be greatly appreciated.

  5. Assos1 says:

    Great article.
    I would like to ask you, in case we do not have access to Central Administration (CA), how we troubleshoot?
    To be more detailed, when I try to access CA I am getting “Cannot connect to configuration database” error. All web apps are working perfectly.
    Investigating I see that the user that “runs as” the application pool of CA, is not a farm admin.
    Do you recommend to change it in IIS or it is dangerous?
    If I change it, it requires iisreset, or something else?
    Is there any way to troubleshoot with SharePoint PowerShell?
    P.S. SharePoint version is 2010
