Microsoft KB Archive/813865

= FIX: Multiple Registered Web Filters in Active Directory Are Handled Incorrectly =

Article ID: 813865

Article Last Modified on 6/14/2007

-

APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2000 Standard Edition
 * Microsoft Internet Security and Acceleration Server 2000 Service Pack 1

-





SYMPTOMS
After you install ISA Server Web filters such as Urlscan or Link Translation, the ISA Server control service may not start, or the Web filter may not work correctly and may not appear in the ISA Server Microsoft Management Console (MMC). This problem only occurs if all the following conditions are met:
 * Multiple ISA Server computers are operating in an enterprise array.
 * The domain contains multiple domain controllers.
 * The Web filter was installed on separate enterprise array members that were logged on to different domain controllers at the time of installation.
 * After the first Web filter was installed on a computer in the ISA Server array, Active Directory domain controller replication was not completed before Web filters were installed on other computers in the array.



CAUSE
This is a result of an Active Directory replication issue that occurs when ISA Server Web filters are installed on separate computers in the domain. In this issue, duplicate entries (that is, &quot;mangled nodes&quot;) for the same Web filter may exist in the ISA server array policy, and ISA Server cannot handle the mangled nodes correctly. For more information about how to detect the mangled nodes, see the &quot;More Information&quot; section.



WORKAROUND
To work around this issue, run Active Directory replication after you install a Web filter on the first computer in the ISA Server array. Initiate Active Directory replication from the domain controller where that ISA Server computer was logged on, and then verify that Active Directory replication was completed. When you do this, you make sure that all domain controllers have the latest information. You do not have to run Active Directory replication after the other Web filter installations in the ISA Server array are completed because Web filter data is global for all arrays. For more information about how to run this task, see the &quot;References&quot; section or contact Microsoft Support.



RESOLUTION
A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this hotfix.

To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:

http://go.microsoft.com/?linkid=6294451

Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.   Date          Time   Version            Size  File name --  26-June-2003  09:07  3.0.1200.270    212,240  Msfpc.dll 26-June-2003 09:08  3.0.1200.270  1,822,480  Msfpccom.dll

Prerequisites
ISA Server 2000 Service Pack 1 (SP1) is required to install this hotfix. For additional information about how to obtain the ISA Server Service Pack 1, click the following article number to view the article in the Microsoft Knowledge Base:

313139 How to Obtain the Latest Internet Security and Acceleration Server 2000 Service Pack

Hotfix Replacement Information
This hotfix does not replace any other hotfixes.

Note This hotfix does not remove the mangled nodes from Active Directory. However, with the hotfix installed, ISA Server can handle the mangled nodes correctly.

Removing the Hotfix
You may not be able to remove the hotfix if the Active Directory storage for the Web filter contains mangled nodes because ISA Server cannot handle the mangled nodes correctly during the removal process. However, ISA Server removes the mangled nodes from Active Directory when you back up and restore your ISA Server configuration. After the backup and restore operations are complete, you can remove the hotfix.

To remove the hotfix:
 * 1) Back up the ISA Server configuration.
 * 2) Restore the ISA Server configuration by using the backup file that you created in step 1.
 * 3) Remove the hotfix.

For more information about how to run backup and restore operations on ISA Server, see the &quot;More Information&quot; section.

Note If you want to remove mangled nodes from Active Directory manually, contact Microsoft Product Support Services (PSS) for information and assistance.



MORE INFORMATION
Because of the Active Directory replication issue, you may notice multiple Web filter registration entries for the same Web filter. These multiple Web filter registration entries appear as duplicated (that is, &quot;mangled&quot;) nodes. For example, you may see the following: CN={87F18571-C71D-4a2f-9111-9E0927A00B51} msFPCISAPIFilter CN={87F18571-C71D-4a2f-9111-9E0927A00B51},CN=ISAPI-Filters,CN=Extensions,CN={EE37A70F-E9DE-4674-83C4-D602BBF20E3B},CN=Arrays,CN=Fpc,CN=System,DC=DBVWINEU CN={87F18571-C71D-4a2f-9111-9E0927A00B51}CNF:12921ebc-b0a5-43cf-9e7f-86266db524f5 msFPCISAPIFilter CN={87F18571-C71D-4a2f-9111-9E0927A00B51}CNF:12921ebc-b0a5-43cf-9e7f-86266db524f5,CN=ISAPI-Filters,CN=Extensions,CN={EE37A70F-E9DE-4674-83C4-D602BBF20E3B},CN=Arrays,CN=Fpc,CN=System,DC=DBVWINEU CN={87F18571-C71D-4a2f-9111-9E0927A00B51}CNF:12fc2695-343c-48f0-9aa6-10704ebb683f msFPCISAPIFilter CN={87F18571-C71D-4a2f-9111-9E0927A00B51}CNF:12fc2695-343c-48f0-9aa6-10704ebb683f,CN=ISAPI-Filters,CN=Extensions,CN={EE37A70F-E9DE-4674-83C4-D602BBF20E3B},CN=Arrays,CN=Fpc,CN=System,DC=DBVWINEU Note A &quot;CNF...&quot; entry behind the GUID starts at the second duplicate entry (that is, the mangled entry). To verify this, use ADSI Edit and view the following Active Directory tree: Domain NC --CN=System CN=Fpc --CN=Arrays CN=%Current GUID of your ISA Server Array% --CN=Extensions CN=ISAPI-Filters If you want to remove the mangled nodes from Active Directory, you can use the ISA Server backup and restore process that is described in the &quot;Resolution&quot; section. For help with manually cleaning the mangled nodes, contact Microsoft PSS.

ADSI Edit is available in Windows Support Tools. For additional information about how to install Windows 2000 Support Tools, click the following article number to view the article in the Microsoft Knowledge Base:

301423 HOW TO: Install the Windows 2000 Support Tools to a Windows 2000 Server-Based Computer

Back up and Restore the ISA Server Configuration
To back up the ISA Server configuration:
 * 1) Open the ISA Server MMC.
 * 2) Right-click a server name or an array name.
 * 3) Right-click Back Up.
 * 4) Select a name and location for the backup file.
 * 5) Click OK.

To restore the ISA Server configuration:
 * 1) Open the ISA Server MMC.
 * 2) Right-click a server name or an array name.
 * 3) Right-click Restore.
 * 4) Select the backup file that you want to restore.
 * 5) Click OK.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

Keywords: kbhotfixserver kbqfe kbisaserv2000presp2fix kbfix kbbug KB813865

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.