Microsoft KB Archive/318859

= How to Install ISA Server in an Array Without Domain Administration Rights =

Article ID: 318859

Article Last Modified on 10/17/2005

-

APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2000 Standard Edition
 * Microsoft Internet Security and Acceleration Server 2000 Service Pack 1

-



This article was previously published under Q318859



SYMPTOMS
You must belong to the Domain Administrators group to install ISA Server in Array mode.



CAUSE
By default, users who do not belong to the Domain Administrators group have only read rights on the System and FPC nodes in the Active Directory domain container. Therefore, these users cannot create new nodes or write to them.



RESOLUTION
Following customer feedback, Microsoft has lowered the setup requirement to resolve this issue for customers who find this limitation unacceptable.

A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that are experiencing this specific problem.

To resolve this problem, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

   Date           Time    Version        Size       File name
   07-July-2002   14:11   3.0.1200.173     506,640  Stpsrvex.dll
   07-July-2002   14:08   3.0.1200.173     210,944  Msfpc.dll
   07-July-2002   14:08   3.0.1200.173   1,821,456  Msfpccom.dll



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.



MORE INFORMATION
To use this code change, you must prepare the Active Directory by using the following procedure.

WARNING: If you use the Active Directory Service Interfaces (ADSI) Edit snap-in and incorrectly modify the attributes of Active Directory objects, you can cause serious problems that may require you to reinstall Microsoft Windows 2000 Server or ISA Server 2000. Microsoft cannot guarantee that problems that result from the incorrect modification of Active Directory object attributes can be solved. Modify these attributes at your own risk. If you are running Microsoft Windows NT or Microsoft Windows 2000, update your Emergency Repair Disk (ERD).

1. Log on as a member of the Enterprise Administrators group on the server where ISA Server will be installed.
2. Create an ISA Server Administrators group in Active Directory. To do this, open Active Directory Users and Computers in Administrative Tools. Right-click Users, click New, and then click Group. Type a name for the new group (for example, ISA Administrators), click to select Global Domain for the Group Scope, and then click to select Security for the Group Type.
3. Install the schema extension for ISA Server. To do this, start the Msisaent.exe file in the \Isa\I386 folder.
4. Install ISA Server in Array mode. Note that the first installation of ISA Server creates the FPC object in Active Directory under the System object. You must follow this step to make sure that the FPC object is created correctly.
5. Change the properties of the relevant FPC object in Active Directory by using the ADSI Edit tool of the Microsoft Windows 2000 Support Tools:
   a. Click the Domain NC container.
   b. Click DC=[your Domain], click DC=[root Domain], and then click CN=System.
   c. Expand CN=FPC, and then open its properties.
   d. Click the Security tab.
   e. Add the ISA Administrators group and give the group Write permission.
   f. On the Security tab, click Advanced, and then click the Permissions tab. Click to select ISA Administrators, and then click View/Edit. In the Apply onto box, click to select This object and all child objects to make sure that the rights for ISA Administrators are inherited.
   g. Close ADSI Edit.
   h. Wait until replication is performed on all domain controllers in the domain. Note that if you remove ISA Server at this time, the FPC object is not deleted.

   NOTE: If you want to join an existing array, you must change the permissions on both the array and the FPC node to include this group.

6. Prepare the installation of the relevant files:
   a. Insert the CD-ROM of ISA Server Enterprise Edition and copy all files and subfolders of the \Isa folder to a separate folder or share.
   b. Rename the Stpsrvex.dll, Msfpc.dll, and Msfpccom.dll files in the \Isa\I386 folder to .old.
   c. Copy the files of the hotfix to the \Isa\I386 folder.
7. Start the installation of the ISA Server array or computers:
   a. In the \Isa folder, click the Setup.exe file to install ISA Server.
   b. Install Service Pack 1 for ISA Server.
   c. Install the hotfix package Isahf173.exe.
   d. Open the Microsoft Management Console (MMC) for ISA Server.
   e. Right-click Server and Arrays, and then click New.

      NOTE: If a user who is not a domain administrator tries to join the server to an existing array, the dialog box that shows the list of the available arrays shows only the arrays where the account that is used has the required permissions to perform the join operation.

      If a user who is not a domain administrator wants to join an existing array, a domain administrator must give the user full access on the array.

   f. Follow the instructions of the array wizard, starting with an appropriate array name.
   g. Log on to another computer as a member of the ISA Administrators group that you just created.
   h. Start the setup of ISA Server and follow the instructions of the setup wizard to add the computer to the array that you just defined.

      NOTE: When you create the first array, you must change the Write permissions of the parent System node to allow full access on the newly created FPC node. When you install a second array in the domain (so that the FPC node in the Active Directory already exists), you allow full access on the FPC node.
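The delegation that the procedure above creates is worth verifying after replication, because the FPC node and the array objects beneath it hold the configuration that every array member reads. The following PowerShell script is an added example and is not part of this article or of ISA Server: it reads the DACL of CN=FPC,CN=System in the current domain and of every object below it (the arrays), and lists each trustee that holds write-level rights, whether the entry inherits to child objects (the "This object and all child objects" setting from step 5f), and whether the trustee is the expected group. It assumes the ActiveDirectory module and its AD: drive from RSAT, which did not exist on Windows 2000, and the group name "ISA Administrators" is taken from the procedure's example and is a parameter you can change.

```powershell
# Added example, not from the KB article: audit the delegation on
# CN=FPC,CN=System and on the array objects beneath it.
# Assumes the ActiveDirectory module (RSAT) and its AD: drive; the
# default group name is an assumption taken from the procedure above.
param(
    [string]$GroupName = "ISA Administrators"
)

Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$fpcDn    = "CN=FPC,CN=System,$domainDn"

# Rights that let a trustee change an object, its DACL, or its owner.
$writeMask = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
             [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll  -bor
             [int][System.DirectoryServices.ActiveDirectoryRights]::WriteDacl   -bor
             [int][System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

# The FPC node itself plus every child object (the ISA Server arrays).
$targets = Get-ADObject -Filter * -SearchBase $fpcDn -SearchScope Subtree

$report = foreach ($obj in $targets) {
    # Get-Acl without -Audit reads only the DACL; the SACL needs domain
    # administrator rights, as the article notes.
    $acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.ActiveDirectoryRights -band $writeMask) -eq 0) { continue }

        [pscustomobject]@{
            Object             = $obj.DistinguishedName
            Trustee            = $ace.IdentityReference.Value
            Rights             = $ace.ActiveDirectoryRights
            # 'All' corresponds to "This object and all child objects"
            InheritsToChildren = ($ace.InheritanceType -eq 'All')
            IsInherited        = $ace.IsInherited
            ExpectedGroup      = ($ace.IdentityReference.Value -like "*\$GroupName")
        }
    }
}

$report | Sort-Object Object, Trustee | Format-Table -AutoSize
```

Run it from a domain-joined workstation with RSAT as an account that can read the System container. The row for the FPC node with Trustee ending in ISA Administrators should show InheritsToChildren as True; any other trustee with GenericAll or WriteDacl on the FPC node or on an array object that is not part of your baseline (built-in administrators, SYSTEM, the ISA Server computer accounts) should be explained, because that trustee can rewrite the array configuration without being a domain administrator.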

The new code works for ISA Server installed in a single domain environment, in a subdomain, and with different enterprise policies.

NOTE: If an Active Directory forest includes more than one domain that hosts ISA Server arrays, you must make sure to apply the noted changes to each FPC node of the relevant domain. Each time you want to install ISA Server in an array with limited rights for the ISA administrators, you must also follow the procedure that this article describes.

The code change does not work for an ISA Server computer that is installed on a domain controller because of the privilege model of Active Directory.

Only domain administrators can access system access-control list (SACL) information in Active Directory. This is by design. Even when you use the changes that are included with this article, backup is blocked if it is not performed in the context of a domain administrator account.

The code change that is referenced in this article introduces a new DWORD registry key named SkipSACLInBackupRestore (located under the FPC key in the registry) to override this behavior. If it is set to a value other than 0, you can back up and restore ISA Server configuration data even if the administrator is not a member of the Domain Administrators group.

Additional query words: setup isa backup restore

Keywords: kbbug kbfix kbqfe KB318859

-


© Microsoft Corporation. All rights reserved.