Anonymous Web Site Access doesn't work on a newly promoted Domain Controller

If you have an anonymous user account that is shared across your domain and is used for anonymous access to web sites, it may not work correctly after you promote a web server to a domain controller. The anonymous account user appears in the "IIS Directory Security" tab if you click "Edit..." under the "Anonymous access and authentication control" heading.

So, if you have just promoted a web server to domain controller, and you still have web sites running on the domain controller (which is not recommended in general but may be necessary), you may find that it prompts you for a username and password when you try to access any of the sites running on this machine, even those sites configured for anonymous access. If this happens, you may have to open the "Domain Controller Security Policy" under the "Administrative Tools" menu and grant the "Log On Locally" right to the DOMAIN\IUSER_AllMachines account, or whatever you call your domain-wide anonymous user account. By default, the new Domain Controller will have the IUSR_machinename account set to allow Log on Locally, but this will not work if that is not the account you use for anonymous access. Once you add your user to this right, WAIT 5 MINUTES and try again. The security policy updates every 5 minutes.
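
To confirm the change took effect, here is an added example (not part of the original article) that reads a `secedit` user-rights export and reports whether the anonymous account is listed under `SeInteractiveLogonRight`, the internal name of the "Log On Locally" right. The function names, the sample export and the SIDs are constructed for illustration.

```powershell
# Added example. On the DC, create the export with:
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
# then: $inf = Get-Content C:\Temp\rights.inf -Raw

function Get-RightHolders {
    param([string]$InfText, [string]$Right)
    # Export lines look like: SeInteractiveLogonRight = *S-1-5-32-544,SomeName
    $pattern = '^\s*' + [regex]::Escape($Right) + '\s*=\s*(.*)$'
    foreach ($line in ($InfText -split "`r?`n")) {
        if ($line -match $pattern) {
            return @($Matches[1] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return @()
}

function Test-LogOnLocally {
    param([string]$InfText, [string[]]$Identities)
    # Only direct grants are checked; rights inherited through group
    # membership are not expanded here.
    $allow = @(Get-RightHolders $InfText 'SeInteractiveLogonRight')
    $deny  = @(Get-RightHolders $InfText 'SeDenyInteractiveLogonRight')
    $allowed = @($Identities | Where-Object { $allow -contains $_ }).Count -gt 0
    $denied  = @($Identities | Where-Object { $deny  -contains $_ }).Count -gt 0
    [pscustomobject]@{
        Allowed   = $allowed
        Denied    = $denied            # a deny entry overrides an allow entry
        WillLogOn = ($allowed -and -not $denied)
    }
}

# Constructed sample export (SIDs are made up for illustration).
$inf = @'
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeDenyInteractiveLogonRight = *S-1-5-32-546
'@

# The account name from the article plus its SID (constructed here). On a live
# system the SID comes from:
#   ([Security.Principal.NTAccount]'DOMAIN\IUSER_AllMachines').Translate(
#       [Security.Principal.SecurityIdentifier]).Value
$ids = 'DOMAIN\IUSER_AllMachines', 'S-1-5-21-1111111111-2222222222-3333333333-1105'
Test-LogOnLocally -InfText $inf -Identities $ids
```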

On a related note, if you have any components registered in COM+, these components may fail on your new domain controller. This is because the user identity for these objects may be incorrect. You will need to set the correct user identity on these COM objects as well. To do so, go to Component Services under the Administrative Tools menu, locate the affected component, click Properties, then under the "Identity" tab, choose the correct user for this component to run as.