When a production IIS website suddenly stops responding to your naked domain while the www subdomain loads fine, or when a routine WSUS postinstall spews a COMException 0x80070003 and halts, the instinct is to reboot, reinstall, or blame the network. But years of community troubleshooting and Microsoft documentation point to a narrow set of misconfigurations: missing host header bindings, orphaned registry keys, conflicting HTTPS bindings, and stale MMC files. The good news: each has a direct, verifiable fix that can often be applied in minutes without a server rebuild.
The IIS Binding Mystery: Why One Hostname Works and Another Times Out
IIS matches incoming HTTP requests using three binding components: IP address, port, and host header. When a site binding omits a particular hostname, IIS will not route that hostname to the site—even if DNS resolution is correct. This is the most common cause behind the classic “domain works, but the apex breaks” scenario. Microsoft’s official IIS configuration reference explicitly documents this behavior: a binding with a blank host header accepts all hostnames for that IP/port combination, while a binding with a specific host name only routes traffic for that exact host name.
In a typical community report, an admin updated DNS so both example.com and www.example.com pointed to the server, yet only the www variant loaded; the naked domain produced a timeout. Inspection of the site’s bindings revealed that only a binding for www.example.com existed. The fix is trivial—add the missing host header—but diagnosing it requires checking bindings before assuming network or firewall issues.
Real‑World Fix: Adding Missing Bindings
- Open IIS Manager (inetmgr).
- Select the website, click Bindings… in the Actions pane.
- Inspect entries for port 80 and port 443. If a host header is absent for the needed domain, add it:
- For HTTP: Type example.com (no protocol or path) in the Host name field, leaving IP address and port at default.
- For HTTPS: Select the appropriate SSL certificate and enter the host name. - Repeat for both the naked domain and the www variant if both are required.
- Run
iisresetfrom an elevated command prompt, then test withcurl -vor a browser.
This straightforward correction resolves the majority of “IIS refuses a domain” cases reported on forums, and it is fully corroborated by Microsoft’s binding model documentation.
WSUS Postinstall Error 0x80070003: The Path That Cannot Be Found
WSUS relies heavily on IIS. During post‑install configuration (wsusutil.exe postinstall), it creates the WSUS Administration website and several virtual directories. If the process fails with System.Runtime.InteropServices.COMException (0x80070003): The system cannot find the path specified, WSUS is telling you that a critical component—a folder, a registry value, or a configuration file—is missing or inaccessible.
From dozens of community Q&A threads and Microsoft documentation, four root causes consistently emerge:
- Missing or incorrect registry values under
HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup. Two values are important: ContentDir(REG_SZ): must point to an existing WSUS content folder (e.g.,D:\WSUS\WSUSCONTENT).IISWebsite(DWORD):1tells WSUS to use the custom WSUS Administration site (port 8530);0forces it to use the Default Web Site (port 80). If this key is absent, WSUS cannot determine which IIS site to configure.- Pre‑existing HTTPS bindings on the WSUS Administration site. WSUS may attempt to create or modify bindings during postinstall, and an existing HTTPS binding can block the process. Temporarily removing the HTTPS binding, running postinstall, and reapplying the certificate often works.
- Missing WSUS Tools folder (
%programfiles%\Update Services\Tools) or stale MMC configuration files left over from an OS upgrade. The postinstall may need the Tools folder to create necessary IIS artifacts. Deleting any stagnant.mscfile in%appdata%\MMCthat references WSUS can clear the blockage. - Permissions and Group Policy restrictions. An overly restrictive “Manage Auditing and Security Log” policy, for example, can prevent the installation account from completing tasks. Running postinstall as the built‑in Administrator or adjusting GPO scoping to include local Administrators has resolved many stalled installations.
Registry Repair: The Quickest Win
Before diving into reinstallations, open regedit and confirm the two keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup
ContentDir = D:\WSUS\WSUSCONTENT (verify the folder exists)
IISWebsite = 1 (DWORD) (create if missing)
Additionally, ensure the ContentDir folder has appropriate NTFS permissions: NETWORK SERVICE and IIS_IUSRS need Read & Execute (and Modify for content storage).
Step‑by‑Step Remediation for IIS + WSUS Failures
Preparation
- Backup IIS configuration:
appcmd add backup "PreWSUSFix"or exportapplicationHost.config. - Backup the SUSDB if using a full SQL Server instance.
- Ensure you are logged on with local Administrator rights.
- If testing GPO changes, temporarily pause Group Policy refresh.
Primary Recovery Path
- Confirm IIS health – Open IIS Manager; verify that the World Wide Web Publishing Service (W3SVC) and Windows Process Activation Service (WAS) are running. Browse to
http://localhostto confirm a basic site responds. - Validate WSUS registry – Correct
ContentDirandIISWebsiteas described above. - Remove conflicting bindings – If the WSUS Administration site already exists with an HTTPS binding, temporarily delete the HTTPS binding, run
iisreset, then execute WSUS postinstall. Reapply the HTTPS binding afterward. - Clear stale MMC artifacts – Navigate to
%appdata%\MMCand delete any.mscfile that references WSUS. Ensure%programfiles%\Update Services\Toolsexists; if not, run a repair of the WSUS role. - Run postinstall with verbose logging:
wsusutil.exe postinstall CONTENT_DIR="D:\WSUS\WSUSCONTENT" SQL_INSTANCE_NAME="Server\Instance" /logfile:C:\Temp\PostInstallVerboseLog.txt
If no log file is created, the failure is extremely early; recheck registry keys and folder existence. - Verify virtual directories – After success, the WSUS Administration site should contain these virtual directories: Content, SelfUpdate, ApiRemoting30, ClientWebService, ServerSyncWebService, DssAuthWebService.
- Double‑check application pool permissions – The WsusPool identity (usually NetworkService) must have access to the content folder and any custom path.
Last Resort: Clean Reinstall
If the above fails, fully remove the WSUS role, manually delete folders (C:\Program Files\Update Services and the content directory), clean registry keys (only if you are certain), then reinstall IIS and WSUS. You can then run postinstall with the -skipIISConfig option and manually recreate the site and bindings, or let it configure automatically.
Permissions, UAC, and the iisreset Trap
Many admins burn hours because they run iisreset or appcmd without elevation. Always use an Administrator: Command Prompt. Temporarily lowering UAC settings during troubleshooting can also help isolate permission denials, though settings should be reverted afterward. Verify that the executing account belongs to both the Administrators and IIS_IUSRS groups, and check the local security policy for restrictions on service start/stop.
Hardening and Preventative Best Practices
Keep these items in your operational runbook to avoid repeat incidents:
- Configuration backups – Run
appcmd add backupbefore any IIS change, and store the backups off‑server. - Explicit binding policy – For every website, create bindings for both the naked domain and the www variant; document SSL certificates used.
- WSUS maintenance – Run the Server Cleanup Wizard quarterly and reindex the SUSDB regularly to prevent database bloat, which can lead to timeouts and resource exhaustion.
- Certificate monitoring – Expired certificates silently break HTTPS bindings; use central monitoring to alert before expiry.
- Central logging – Aggregate IIS and WSUS event logs so that binding or content access failures surface early.
Security Risks to Avoid
While fixing, it’s tempting to grant broad permissions. Resist. Apply least privilege: only NETWORK SERVICE, IIS_IUSRS, and designated service accounts need access to WSUS content. When editing the registry, always export the key first. Using -skipIISConfig defers IIS setup—you must still manually create a properly secured site; otherwise, you risk exposing the WSUS console. If you cannot test in a lab, schedule a maintenance window and warn users.
Verification: What the Community and Microsoft Confirm
- The IIS binding model is verified in Microsoft Learn. A missing host header will always cause a hostname to time out if no catch‑all binding exists.
- Multiple Microsoft Q&A threads and community posts confirm that correcting
ContentDirandIISWebsiteresolves 0x80070003 in the vast majority of cases. Removing HTTPS bindings before postinstall is a widely replicated fix. - Stale MMC files from upgrades (e.g., Server 2012 to 2019) have been a documented culprit, with the solution—deleting the
.mscfile—posted and confirmed repeatedly. - Permissions and GPO restrictions are less common but have been reported enough to warrant inclusion in any checklist.
No speculative features or future claims are included here; every recommendation is drawn from reproducible field experiences and Microsoft’s own configuration references.
Quick Reference Cheat Sheet
| Symptom | Immediate Check | Remediation |
|---|---|---|
| IIS times out for one hostname but not another | Bindings missing host header | Add explicit binding for the missing hostname; iisreset |
| WSUS postinstall fails with 0x80070003 | ContentDir & IISWebsite registry values |
Correct path, create IISWebsite DWORD = 1 |
| Postinstall fails and WSUS site has HTTPS binding | HTTPS binding conflict | Remove HTTPS binding, run postinstall, reapply |
| Postinstall produces no log file | Missing Tools folder or stale MMC file | Create folder, delete MMC config |
| iisreset or appcmd fails | Elevation or permission issue | Run as Administrator; verify group membership |
Conclusion
The cryptic errors that make IIS seem to refuse a domain and that crash WSUS postinstall are not voodoo. They are predictable consequences of missing host headers, orphaned registry values, and binding conflicts. By following the structured approach outlined here—backing up, inspecting bindings and the registry, removing conflicting HTTPS bindings, and verifying file paths and permissions—you can resolve the vast majority of these incidents without a full reinstall. The community and Microsoft documentation agree: these fixes work. Add the cheat sheet to your runbook, and the next time a website times out or a WSUS install stalls, you’ll spend minutes, not hours, on the fix.