ISA server "Domain Controllers" computer set read only?

If for some reason you move an ISA server from one domain to another (lab environment) without uninstalling and reinstalling the ISA software, you can find that the "Domain Controllers" computer set is read-only and populated with the wrong set of servers. This prevents the ISA server from applying GPOs from the current domain, since it is not "allowed" to contact the DCs to download security policies and other GPO settings.

After investigating the issue on an ISA 2006 Standard server I found the following solution:

  1. Start Regedit
  2. Go to the following regkey:
    HKLM\IsaStg_Eff1\Arrays\{GUID}\RuleElements\ComputerSets\{AA7BB30B-D410-4A75-8657-E87F4F7CDF7}
  3. Change the msFPCPredefined value from 1 to 0
  4. Restart the ISA server console
  5. The Domain Controllers computer set is now editable
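
The registry change from the steps above as a script, added here as an example and not part of the original post. It assumes PowerShell is installed on the ISA server; the parameter names, the backup location and the -Apply switch are choices made for this example.

```powershell
# Added example, not from the original post.
param(
    # {GUID} is the post's placeholder for the array GUID; fill it in from your own registry.
    [string]$ArrayGuid = '{GUID}',
    # Computer set GUID exactly as written in the post; verify it against your registry.
    [string]$SetGuid   = '{AA7BB30B-D410-4A75-8657-E87F4F7CDF7}',
    [string]$BackupDir = $env:TEMP,   # assumption: any writable folder
    [switch]$Apply                    # without -Apply the script only reports
)

$name    = 'msFPCPredefined'
$regPath = "HKLM\IsaStg_Eff1\Arrays\$ArrayGuid\RuleElements\ComputerSets\$SetGuid"
$psPath  = "Registry::HKEY_LOCAL_MACHINE" + $regPath.Substring(4)

if (-not (Test-Path -LiteralPath $psPath)) {
    throw "Key not found: $regPath"
}

# Read the current value and its registry type before touching anything.
$key     = Get-Item -LiteralPath $psPath
$current = $key.GetValue($name, $null)
if ($null -eq $current) { throw "$name is not present under $regPath" }
$kind    = $key.GetValueKind($name)
"Current $name = $current ($kind)"

if ("$current" -eq '0') { "Computer set is already editable; nothing to do."; return }
if (-not $Apply)        { "Report only. Re-run with -Apply to set $name to 0."; return }

# Export the key first so the original value can be restored with 'reg import'.
$backup = Join-Path $BackupDir ("isa-computerset-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
& reg.exe export $regPath $backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup failed; registry left unchanged." }
"Backup written to $backup"

# Keep the existing value kind instead of assuming a type.
Set-ItemProperty -LiteralPath $psPath -Name $name -Value 0 -Type $kind
"New $name = " + (Get-ItemProperty -LiteralPath $psPath -Name $name).$name
"Restart the ISA server console to see the change."
```

Once the computer set is editable, check that it lists only the domain controllers of the current domain, because it decides which hosts the ISA server accepts as DCs.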

After further investigation, this setting seems to be stored in the registry or in Active Directory (in some cases in ADAM), depending on the ISA Server version:

  • ISA 2006 Std: Registry (see above)
  • ISA 2006 Ent: Active Directory
  • ISA 2004 Std: ADAM on Configuration Storage server
  • ISA 2040 Std: Registry (HKLM\Software\Microsoft\Fpc\Storage\Array-Root\Arrays\{GUID}\RuleElements\ComputerSets\{DC_GUID})
