Microsoft KB Archive/296657

= &quot;The Computer Cannot Join an Array&quot; Error Message and Error Code 0x8007203a Logged When You Try to Install ISA Server 2000 Enterprise Edition =

Article ID: 296657

Article Last Modified on 10/30/2006

-

APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2000 Standard Edition

-



This article was previously published under Q296657



SYMPTOMS
When you try to perform an array-mode installation of Microsoft Internet Security and Acceleration (ISA) Server 2000 Enterprise Edition, you may receive the following error message during the Enterprise Initialization process:

'Microsoft Internet Security and Acceleration' definitions could not be installed in Active Directory

When you click OK, Setup quits.

If you perform the ISA Server 2000 Schema update on a domain controller, and then try to install ISA Server 2000 on a member server, you may receive the following error message:

The computer cannot join an array, for one of the following reasons:
 * The server is not part of a Windows 2000 domain.
 * The ISA Server schema is not installed in Active Directory directory service.
 * You do not have permission to access the domain.

If you continue with Setup now, this computer will be a stand-alone server.

Do you want to continue?

Additionally, you may notice information similar to the following in the ISA Server Setup log file (Isas.log): ISA Setup: At VerifySchemaInstallation ISA Setup: VerifySchemaInstallation - could not open root (0x8007203a)



CAUSE
This behavior may occur if you try to install ISA Server in a domain that has a disjoined Domain Name System (DNS) namespace. Instead of using Active Directory namespace (for example, example.com), ISA Server Setup uses the registered namespace of the computer on which you try to install it (for example, domain.com) to access Active Directory, and is unsuccessful.

ISA Server 2000 (both the Setup portion and the general program operation) does not work when you use a different DNS namespace than that of the domain to which it belongs.



WORKAROUND
To work around this problem, register the same DNS namespace on the member server on which you want to install ISA Server 2000, as that of Active Directory.



STATUS
Microsoft has confirmed that this is a problem in Microsoft Internet Security and Acceleration Server 2000.



MORE INFORMATION
The following example describes this issue in more detail:  Configure a Windows 2000 Server as a new domain controller for a new domain named example.com. Start the DNS snap-in and create a new primary DNS zone (in addition to the DNS zone for example.com) with a namespace of domain.com. Configure a member server to use this new DNS namespace. To do so:  On the member server, right-click My Computer and then click Properties. Click the Network Identification tab, and then click Properties.</li> Click More, and then type domain.com in the Primary DNS suffix of this computer box.</li> Click to clear the Change primary DNS suffix when domain membership changes check box and then click OK.</li> Click OK, and then restart the computer when prompted.</li></ol> </li> Join the member server to the Example.com domain.</li> On the domain controller, run the ISA Server Enterprise Initialization portion of Setup.</li> When Active Directory schema has been successfully updated, run the Install ISA Server portion of Setup on the member server whose domain namespace you changed to domain.com.</li></ol>

The installation of ISA Server 2000 will be unsuccessful on this member server because ISA Server 2000 Setup queries the DNS that is specified in the TCP/IP properties of the member server (in this case, that of domain.com) to obtain service records like LDAP and Kerberos. However, because these records do not exist in the  zone, but are registered in the   zone, Setup is unsuccessful.

For additional information about other issues that may prevent ISA Server 2000 from querying Active Directory, click the following article number to view the article in the Microsoft Knowledge Base:

282035 Unable to Control ISA If LAT Configuration Prevents Access to Domain Controller

Keywords: kbpending kbbug kbprb KB296657

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.