Navigate Up
Sign In

Defend SharePoint 2010 environment against Error 503 Service available

Current average rating is 5 stars. Press SHIFT+ENTER to rate this item.1 star selected. Press SHIFT+ENTER to submit. Press TAB to increase rating. Press SHIFT+ESCAPE to leave rating submit mode.2 stars selected. Press SHIFT+ENTER to submit. Press TAB to increase rating. Press SHIFT+TAB to decrease rating. Press SHIFT+ESCAPE to leave rating submit mode.3 stars selected. Press SHIFT+ENTER to submit. Press TAB to increase rating. Press SHIFT+TAB to decrease rating. Press SHIFT+ESCAPE to leave rating submit mode.4 stars selected. Press SHIFT+ENTER to submit. Press TAB to increase rating. Press SHIFT+TAB to decrease rating. Press SHIFT+ESCAPE to leave rating submit mode.5 stars selected. Press SHIFT+ENTER to submit. Press SHIFT+TAB to decrease rating. Press SHIFT+ESCAPE to leave rating submit mode.
3 days ago, I encountered an error 503 when I prepared a synchronize AD with SharePoint 2010. I tried to remember what I did that morning. I remembered that I used exist application pool for User Profile Synchronization Service.  Immediately, the SharePoint farm got an error 503 service available. I searched in Google and fixed this issue by replacing loadUserProfile propertiy from “True” to “False”. I didn’t know what caused it until I learned about the facts.
 
This issue, such as 1xx, 2xx, 3xx, 4xx and 5xx, relates to HTTP status code.
 
When you try to access content on a server that is running Internet Information Services (IIS) 7.0 by using HTTP, IIS 7.0 returns a numeric code that indicates the status of the response. The HTTP status code is recorded in the IIS log. Additionally, the HTTP status code may be displayed in the client browser.
 
503.png
The HTTP status code may indicate whether a request is successful or unsuccessful. The HTTP status code may also reveal the exact reason that a request is unsuccessful.
 
IIS 7.0 defines the following HTTP status codes that indicate a more specific cause of a 503 error:
  • 503.0 – Application pool unavailable.
  • 503.2 – Concurrent request limit exceeded.
The application pool 503 Error was caused by  the requested limit value which is 0 by default. Therefore, a value of 0 means the application pool can process an unlimited number of requests.
 
demo1.png
 
In other words, the application pool was stopped. Stopping an application pool causes the Windows Process Activation Service (WAS) to shut down all running worker processes serving that application pool. WAS does not restart these worker processes. An administrator must restart all stopped application pools. All applications routed to a stopped application pool receive 503 Service Unavailable errors.
 
When did WAS stop the application pool? I knew that the application was invalid. However, my application identity was valid, thus I guessed loadUserprofile. I thought when I granted User Profile Synchronization Service service account, this application pool conflict would exit application pool.
 
error.png
 
According to Microsoft, Services and Web Applications in the farm are configured upon start to use an account. For Web Applications and Service Applications, these are linked to an application pool.
 

Defend with separate service account.

 
To resolve this issue, you should isolate application pool. In other words, you can use separate service accounts. If you haven’t installed SharePoint 2010 yet, you can apply this recommendation.
 
Some causes of SharePoint corruption:
  • If you use single account for all service accounts: if this account is in policy and you force change the password then it impacts services and application pool in SharePoint. Therefor, you will encounter error 503 or Can’t connect configuration database.
  • Security risk: you will encounter security risk when you lose password.
Best practice for administrator who has just started in the SharePoint world:
  • Sp_install: used to install SharePoint.
  • Sp_farm: farm account. Used to Central Administrator. You can use it for Timer Service. But I recommend separate account for Timer service. Because SharePoint Timer service is an important key for farm operation.
  • Sp_timerservice: used to SharePoint Timer Service. If you feel that your SharePoint was extraordinary, you should find in Service (service.msc) and then check your account that used  SharePoint Timer Service.
  • Sp_apppool: we saw some problems with Application pool because application pool is worker processor which process web services for SharePoint. If Application pool was changed, web application will crash and then you get errors when you login Central administrator or front-end URL. Thus you should think about this account.
  • Sp_userprofile: used to User Profile service. When you want to sync SharePoint with AD, you can use this service. Becareful with this account.

Regarding the above information, I only give best practice using separate account. When you implement this, you must consider the requirements for each account. For example, sp_install must have dbcreator and securityadmin role in SQL Server.

 

spinstall.png

 

 
You can find recommendations from Todd ​Klindt's blog: http://www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=237
 
A few golden rules:
  1. Never use domain administrator or built-in machine administrator for any SharePoint service account, and never be logged onto a server as either of these accounts when installing SharePoint.
  2. Never use the same service account for all SharePoint services
  3. Never manually grant SQL Server rights to any service account (except the one you use to install SharePoint – farm service account. We'll come back to this later). SharePoint will give all SQL Server rights to the appropriate service accounts
  4. Read the installation documentation. This is not a simple installation and configuration, so don’t treat it as such. Do your home work before installing and configuring a SharePoint farm. Seriously, this is not a file server!
 
You can learn about account permission: http://technet.microsoft.com/en-us/library/cc678863.aspx
 
Caution: for important accounts that are application pool or service, you should consider policies and then add them to one OU. I recommend two policies: Password never expired and User cannot change password.
 

Recycle worker process

 
An alternative to stopping an application pool is to recycle it using the Recycle command in the Actions pane. This command instructs IIS to retire any current worker process automatically after it has executed existing requests. The benefit is that users will not see a disruption to service on their computer, but the worker process will be replaced by a new one as quickly as possible. Recycling application pools is generally done when issues such as memory leaks or resource usage tend to increase significantly over time. Often, the root cause of this problem is a defect or other problem in the application code. The ideal solution is to correct the underlying application problem. However, it is possible at least to address the symptoms by using the Recycle command.
 
In some cases, you might automatically recycle worker processes based on resource usage or at specific times. You can access these options by clicking the Recycling command under Edit Application Pool in the Actions pane.
 
recycle.png
 
The primary options for recycling settings are either Fixed Intervals (which are based on specific times or after a fixed number of requests is processed), or Memory Based Maximums. The most appropriate options will be based on the specific problems you are trying to troubleshoot or avoid. In general, recycling application pools too quickly can reduce performance. However, if a Web application has serious problems, it is preferable to address them through recycling worker processes before users see slowdowns or errors on the Web site.
 
Keeping track of application pool recycle events is also an important part of ensuring that your Web server and its applications are running as expected. For example, if you set the maximum memory settings, you will likely want to know how often the application pool has been recycled.
 
The following image shows the Recycling Events to Log step that enables you to define which events are recorded. To view the Recycling Events to Log page, click Next.
 
recycle1.png
 
You can refer to Configuring Recycling Settings for an Application Pool (IIS 7) at: http://technet.microsoft.com/en-us/library/cc753179%28WS.10%29.aspx
 
 

Keep in touch between SharePoint with IIS

 
How to keep in touch between SharePoint with IIS? I learned about HTTP request processing in IIS7. W3SVC acts as  a listener adapter for the HTTP listener (HTTP.sys). Listener adapters are components that establish communication between WAS (Windows Activation Process Service) and protocol listeners. WAS includes a listener adapter interface that provides communication with listener adapters.
 
W3SVC is responsible for configuring HTTP.sys, updating HTTP.sys when configuration changes, and notifying WAS when a request enters the request queue.
 
And WAS? WAS is responsible for managing application pool configuration and worker processes. The process manager in WAS is responsible for managing the worker processess, which includes starting the worker processes and maintaining information about the running worker processes. It also determines when to start a worker process, when to recycle a worker process, and when to restart a worker process if it becomes blocked and is unable to process any more request.
 
What will happen if W3SVC and WAS don’t start? It’s the reason that I wanted to write this article to keep in touch between SharePoint with IIS. WAS is a core component in IIS thus you should consider its availability.
 
When I configured User Profile Synchronization Service, I encountered WAS. WAS disabled application pool and it caused worker process that processes the SharePoint site to pause.
 
To configure WAS and W3SVC, you can open Services.
  • Start > Administrative Tools > Services
  • Open Run and then enter service.msc.
service-iis.png

You can right click Windows Process Activation Service service and then select Properties. Switch to Recovery tab, you will see configuration for this service.
 
service-iis1.png
 
When WAS fails the first time, it impacts  on IIS Reset function. Then iisreset.exe will execute. A Second failure and Subsequent failures are the same as First failure. You can re-select depending on your requirements.
 
service-iis2.png
 
 Let’s keep in touch between SharePoint with IIS if you can.
 
kit.gif
 
 Reference resources:
  • Windows Server 2008 with IIS 7.
  • IIS 7 in MSDN Library.
  • IIS HTTP status code from WikiPedia
  • Microsoft Technet SharePoint 2010
  • Blog Joel - MSDN
  • Blog Michael Donovan - MSDN
  • Blog Todd Klindt
Categories: SQL; SharePoint; Management; Performance and Optimization; Troubleshooting and Support

Comments

Rick Taylor

One more thing that might be the issue...

Check to make sure that the service account has "Log on as Batch" right in group policy.  This right is given to the IIS_IUSRS account and puts the app Pool account in there; but it won't work (give you the 503 error) if the right isn't assigned.

Posted 25-Apr-2011 by Rick Taylor

Notify me of comments to this article

E-mail:
   

Add Comment

Title:

 
Comment:
Email:

   


Name:

 
Url: