Microsoft KB Archive/898720

= You may receive a &quot;Setup failed while creating the services configuration&quot; error when you try to install ISA Server 2004 on a Windows Server 2003-based domain controller =

Article ID: 898720

Article Last Modified on 12/4/2007

-

APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition
 * Microsoft Internet Security and Acceleration Server 2004 Standard Edition

-





SYMPTOMS
You try to install Microsoft Internet Security and Acceleration (ISA) Server 2004 on a Microsoft Windows 2003-based domain controller. The domain controller resides in a Microsoft Windows 2000 domain. In this scenario, you may receive the following error message:

Setup failed while creating the services configuration.

Additionally, the following error message may be logged in the ISA Server Firewall service setup log file:

ISA setup CA INFO : ENTRY:  ConfigureServices, Current user is \Administrator

ISA setup CA ERROR : the function NetLocalGroupAddMembers failed with status = 8ac at the function AddNetSvcToNetCfgOp.

Note The path of this log file is %windir%\Temp\ISAFWSV_ .log. This log file may not state that the Firewall service is successfully installed. The error message that is logged in this log file indicates that the Network Configuration Operators group is not found on the computer. A successful installation generates the following message in the log file:

Property(C): NETWORKSERVICEACCOUNTNAME = NETWORK SERVICE

Property(C): SERVICES_INSTALLED = 1



CAUSE
This behavior occurs because the Network Configuration Operators group does not exist on the domain controller. In a Windows 2000 domain, the Network Configuration Operators group does not exist on the domain controller until the operations master primary domain controller (PDC) role is moved to a Microsoft Windows Server 2003-based domain controller. When the ISA Server 2004 Setup program tries to change the Network Configuration Operators group, an error occurs.

The Network Configuration Operators group exists as a local group on a Windows Server 2003-based member server. The group exists in a domain local group on a domain controller that resides in a Windows Server 2003 domain.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

243330 Well-known security identifiers in Windows operating systems



RESOLUTION
To resolve this problem, use one of the following methods:  Move the operations master PDC role to a Windows Server 2003-based domain controller in the domain. This method creates the Network Configuration Operators group.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

324801 How to view and transfer FSMO roles in Windows Server 2003

 Remove the Active Directory directory service from the domain controller, install ISA Server 2004, and then install Active Directory again on the domain controller.

For more information about how to remove Active Directory from a Windows Server 2003-based domain controller, visit the following Microsoft Web site:

http://technet2.microsoft.com/windowsserver/en/library/f82e0fb0-552f-4b94-9ece-f550388976571033.mspx



After you use one of these methods to resolve the problem, make sure that the following permissions and settings are configured on the domain controller:  The local service account and the network service account have permissions to generate security audits in domain Group Policy.

For more information about generating security audits, visit the following Microsoft Web site:

http://technet2.microsoft.com/windowsserver/en/library/a43aa14d-8999-451b-a929-e1f414dfd6bb1033.mspx

 The Authenticated Users group is a member of the Pre-Windows 2000 Compatible Access group.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

325363 How to add users to the Pre-Windows 2000 Compatible Access group in Windows Server 2003

</li> The account that you use to install ISA Server 2004 has permissions to modify the Network Configuration Operators local domain group.

Note You can verify whether the account has permissions to change the Network Configuration Operators local domain group by using the ADSIEdit.exe or Dsacls.exe tools that are included with the Windows Server 2003 Resource Kit.

For more information about how to use Dsacls.exe tool, click the following article number to view the article in the Microsoft Knowledge Base:

281146 How to use Dsacls.exe in Windows 2000

</li></ul>

<div class="moreinformation_section">

MORE INFORMATION
For more information, click the following article number to view the article in the Microsoft Knowledge Base:

837347 The Internet Security and Acceleration (ISA) Server Setup log files

Keywords: kbtshoot kbprb KB898720

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.