When a production IIS website suddenly stops responding to your naked domain while the www subdomain loads fine, or when a routine WSUS postinstall spews a COMException 0x80070003 and halts, the instinct is to reboot, reinstall, or blame the network. But years of community troubleshooting and Microsoft documentation point to a narrow set of misconfigurations: missing host header bindings, orphaned registry keys, conflicting HTTPS bindings, and stale MMC files. The good news: each has a direct, verifiable fix that can often be applied in minutes without a server rebuild.

The IIS Binding Mystery: Why One Hostname Works and Another Times Out

IIS matches incoming HTTP requests using three binding components: IP address, port, and host header. When a site binding omits a particular hostname, IIS will not route that hostname to the site—even if DNS resolution is correct. This is the most common cause behind the classic “domain works, but the apex breaks” scenario. Microsoft’s official IIS configuration reference explicitly documents this behavior: a binding with a blank host header accepts all hostnames for that IP/port combination, while a binding with a specific host name only routes traffic for that exact host name.

In a typical community report, an admin updated DNS so both example.com and www.example.com pointed to the server, yet only the www variant loaded; the naked domain produced a timeout. Inspection of the site’s bindings revealed that only a binding for www.example.com existed. The fix is trivial—add the missing host header—but diagnosing it requires checking bindings before assuming network or firewall issues.

Real‑World Fix: Adding Missing Bindings

  1. Open IIS Manager (inetmgr).
  2. Select the website, click Bindings… in the Actions pane.
  3. Inspect entries for port 80 and port 443. If a host header is absent for the needed domain, add it:
    - For HTTP: Type example.com (no protocol or path) in the Host name field, leaving IP address and port at default.
    - For HTTPS: Select the appropriate SSL certificate and enter the host name.
  4. Repeat for both the naked domain and the www variant if both are required.
  5. Run iisreset from an elevated command prompt, then test with curl -v or a browser.

This straightforward correction resolves the majority of “IIS refuses a domain” cases reported on forums, and it is fully corroborated by Microsoft’s binding model documentation.

WSUS Postinstall Error 0x80070003: The Path That Cannot Be Found

WSUS relies heavily on IIS. During post‑install configuration (wsusutil.exe postinstall), it creates the WSUS Administration website and several virtual directories. If the process fails with System.Runtime.InteropServices.COMException (0x80070003): The system cannot find the path specified, WSUS is telling you that a critical component—a folder, a registry value, or a configuration file—is missing or inaccessible.

From dozens of community Q&A threads and Microsoft documentation, four root causes consistently emerge:

  • Missing or incorrect registry values under HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup. Two values are important:
  • ContentDir (REG_SZ): must point to an existing WSUS content folder (e.g., D:\WSUS\WSUSCONTENT).
  • IISWebsite (DWORD): 1 tells WSUS to use the custom WSUS Administration site (port 8530); 0 forces it to use the Default Web Site (port 80). If this key is absent, WSUS cannot determine which IIS site to configure.
  • Pre‑existing HTTPS bindings on the WSUS Administration site. WSUS may attempt to create or modify bindings during postinstall, and an existing HTTPS binding can block the process. Temporarily removing the HTTPS binding, running postinstall, and reapplying the certificate often works.
  • Missing WSUS Tools folder (%programfiles%\Update Services\Tools) or stale MMC configuration files left over from an OS upgrade. The postinstall may need the Tools folder to create necessary IIS artifacts. Deleting any stagnant .msc file in %appdata%\MMC that references WSUS can clear the blockage.
  • Permissions and Group Policy restrictions. An overly restrictive “Manage Auditing and Security Log” policy, for example, can prevent the installation account from completing tasks. Running postinstall as the built‑in Administrator or adjusting GPO scoping to include local Administrators has resolved many stalled installations.

Registry Repair: The Quickest Win

Before diving into reinstallations, open regedit and confirm the two keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup
 ContentDir = D:\WSUS\WSUSCONTENT   (verify the folder exists)
 IISWebsite  = 1 (DWORD)           (create if missing)

Additionally, ensure the ContentDir folder has appropriate NTFS permissions: NETWORK SERVICE and IIS_IUSRS need Read & Execute (and Modify for content storage).

Step‑by‑Step Remediation for IIS + WSUS Failures

Preparation

  • Backup IIS configuration: appcmd add backup "PreWSUSFix" or export applicationHost.config.
  • Backup the SUSDB if using a full SQL Server instance.
  • Ensure you are logged on with local Administrator rights.
  • If testing GPO changes, temporarily pause Group Policy refresh.

Primary Recovery Path

  1. Confirm IIS health – Open IIS Manager; verify that the World Wide Web Publishing Service (W3SVC) and Windows Process Activation Service (WAS) are running. Browse to http://localhost to confirm a basic site responds.
  2. Validate WSUS registry – Correct ContentDir and IISWebsite as described above.
  3. Remove conflicting bindings – If the WSUS Administration site already exists with an HTTPS binding, temporarily delete the HTTPS binding, run iisreset, then execute WSUS postinstall. Reapply the HTTPS binding afterward.
  4. Clear stale MMC artifacts – Navigate to %appdata%\MMC and delete any .msc file that references WSUS. Ensure %programfiles%\Update Services\Tools exists; if not, run a repair of the WSUS role.
  5. Run postinstall with verbose logging:
    wsusutil.exe postinstall CONTENT_DIR="D:\WSUS\WSUSCONTENT" SQL_INSTANCE_NAME="Server\Instance" /logfile:C:\Temp\PostInstallVerboseLog.txt
    If no log file is created, the failure is extremely early; recheck registry keys and folder existence.
  6. Verify virtual directories – After success, the WSUS Administration site should contain these virtual directories: Content, SelfUpdate, ApiRemoting30, ClientWebService, ServerSyncWebService, DssAuthWebService.
  7. Double‑check application pool permissions – The WsusPool identity (usually NetworkService) must have access to the content folder and any custom path.

Last Resort: Clean Reinstall

If the above fails, fully remove the WSUS role, manually delete folders (C:\Program Files\Update Services and the content directory), clean registry keys (only if you are certain), then reinstall IIS and WSUS. You can then run postinstall with the -skipIISConfig option and manually recreate the site and bindings, or let it configure automatically.

Permissions, UAC, and the iisreset Trap

Many admins burn hours because they run iisreset or appcmd without elevation. Always use an Administrator: Command Prompt. Temporarily lowering UAC settings during troubleshooting can also help isolate permission denials, though settings should be reverted afterward. Verify that the executing account belongs to both the Administrators and IIS_IUSRS groups, and check the local security policy for restrictions on service start/stop.

Hardening and Preventative Best Practices

Keep these items in your operational runbook to avoid repeat incidents:

  • Configuration backups – Run appcmd add backup before any IIS change, and store the backups off‑server.
  • Explicit binding policy – For every website, create bindings for both the naked domain and the www variant; document SSL certificates used.
  • WSUS maintenance – Run the Server Cleanup Wizard quarterly and reindex the SUSDB regularly to prevent database bloat, which can lead to timeouts and resource exhaustion.
  • Certificate monitoring – Expired certificates silently break HTTPS bindings; use central monitoring to alert before expiry.
  • Central logging – Aggregate IIS and WSUS event logs so that binding or content access failures surface early.

Security Risks to Avoid

While fixing, it’s tempting to grant broad permissions. Resist. Apply least privilege: only NETWORK SERVICE, IIS_IUSRS, and designated service accounts need access to WSUS content. When editing the registry, always export the key first. Using -skipIISConfig defers IIS setup—you must still manually create a properly secured site; otherwise, you risk exposing the WSUS console. If you cannot test in a lab, schedule a maintenance window and warn users.

Verification: What the Community and Microsoft Confirm

  • The IIS binding model is verified in Microsoft Learn. A missing host header will always cause a hostname to time out if no catch‑all binding exists.
  • Multiple Microsoft Q&A threads and community posts confirm that correcting ContentDir and IISWebsite resolves 0x80070003 in the vast majority of cases. Removing HTTPS bindings before postinstall is a widely replicated fix.
  • Stale MMC files from upgrades (e.g., Server 2012 to 2019) have been a documented culprit, with the solution—deleting the .msc file—posted and confirmed repeatedly.
  • Permissions and GPO restrictions are less common but have been reported enough to warrant inclusion in any checklist.

No speculative features or future claims are included here; every recommendation is drawn from reproducible field experiences and Microsoft’s own configuration references.

Quick Reference Cheat Sheet

Symptom Immediate Check Remediation
IIS times out for one hostname but not another Bindings missing host header Add explicit binding for the missing hostname; iisreset
WSUS postinstall fails with 0x80070003 ContentDir & IISWebsite registry values Correct path, create IISWebsite DWORD = 1
Postinstall fails and WSUS site has HTTPS binding HTTPS binding conflict Remove HTTPS binding, run postinstall, reapply
Postinstall produces no log file Missing Tools folder or stale MMC file Create folder, delete MMC config
iisreset or appcmd fails Elevation or permission issue Run as Administrator; verify group membership

Conclusion

The cryptic errors that make IIS seem to refuse a domain and that crash WSUS postinstall are not voodoo. They are predictable consequences of missing host headers, orphaned registry values, and binding conflicts. By following the structured approach outlined here—backing up, inspecting bindings and the registry, removing conflicting HTTPS bindings, and verifying file paths and permissions—you can resolve the vast majority of these incidents without a full reinstall. The community and Microsoft documentation agree: these fixes work. Add the cheat sheet to your runbook, and the next time a website times out or a WSUS install stalls, you’ll spend minutes, not hours, on the fix.