"You must be a member of the Enterprise Administrators Group, Schema Admins Group, and Administrators on the local machine to perform this operation."

I have made sure that the account I am using is in these groups. I have tried using this special account and my administrator account. I have tried initializing the Enterprise AD on the global catalog controller and other machines in the domain.

I have posted a converstation I had with someone else about this question below in case this helps.

"Tom, You are my only hope."

Thanks,
Jon Vickers

I think the problem is that we both installed the extensions from RC1 and that has messed something up. Also neither one of us upgraded from RC1 to the final release I think we both tried a fresh install of the final realease after installing RC1. One plan might be to install RC1 again, if I can, and then upgrade to final release. See if this rings a bell. Remember I have two servers. Using RC1 I initialized the schema on Server 1. Installed RC1 and created an array. I actually had ISA up and running. I never could get server2 to join the array. I kept giving me some sort of error message and wanted to install in stand alone mode. So I never installed on Server 2. I removed ISA from Server 1 and tried to install ISA on Server 2. It kept giving me that same "can't join array" message. Keep in mind this was all using RC1. So at this point it is not installed on either server. Then I decided to download the final release from MSDN. Now I can't initialize the directory anywhere.

Does this ring a bell on anything. I don't want to create to different domains. Do you have any ideas?

Thanks,

Jon Vickers
micajah

-----Original Message-----
From: Brian Moscicki [mailto:brian@northwoodsoft.com]
Sent: Thursday, January 25, 2001 9:10 PM
To: Jon Vickers - Micajah
Subject: RE: ISA SERVER

I did install the AD extensions from RC1 successfully, but was unable to
install the ISA Server. I re-ran the AD extensions and it said it
successfully
removed them. After that, I was never able to add them again.

There was a post to the newsgroup to try and run DCDIAG and NETDIAG from the
W2K
support tools, but I saw nothing out of the norm when I ran them.
Everything
looked good.

So, now I am trying to run dcpromo on this child domain controller and
having a
DNS Lookup failure so I guess I will have to wait until tomorrow to demote
it.

Brian Moscicki
LAN Administrator
Northwoods Software Development
mailto:brian.moscicki@northwoodsoft.com

-----Original Message-----
From: Jon Vickers - Micajah [mailto:jvickers@micajah.com]
Sent: Thursday, January 25, 2001 7:38 PM
To: Brian Moscicki
Subject: RE: ISA SERVER

I have two ISA servers (hopefully). Anyway one of them is still a member
server and the other is a domain controller. So I can test against both
options pretty easy. Anyway, I created some local user accounts on the
member sever with the same password as on the domain. Then I tried
loging in locally to the machine and running the enterprise
initialization. That did not work either.

Did you ever install any beta version or RC1 of ISA. I did and was
wondering if you did as well?

Thanks,

Jon Vickers
micajah

-----Original Message-----
From: Brian Moscicki [mailto:brian@northwoodsoft.com]
Sent: Thursday, January 25, 2001 8:24 PM

Well, I still haven't found the solution. I thought I would create a
new
child domain in our forest and see if I could apply the AD extensions
there,

but the Schema was copied down to the ISA server. So I am going to
demote
the
ISA Server to a member server and promote it back to a separate domain
and
create
a transitive trust between the forests and see if that will work. I
will
let
you know what happens.

Brian Moscicki
LAN Administrator
Northwoods Software Development
mailto:brian.moscicki@northwoodsoft.com

-----Original Message-----
From: Jon Vickers - Micajah [mailto:jvickers@micajah.com]
Sent: Thursday, January 25, 2001 7:18 PM
To: Brian Moscicki
Subject: ISA SERVER

Hey,

I am having that same problem with the permissions, not being in the
local administrators group etc. I was wondering what you found out if
anything. I have installed SP1, the hotfix, and anything else I thought
would help. I have tried initializing the directory from the global
catalog controller. I don't know what to do at this point. I am out of
options. I orginally had ISA from our MSDN subscription. It was RC1. It
installed and initialized the directory. Then I uninstalled because of
some other problems. Now that version nor this new one will initialize
my schema.

I feel just fedup. I think it is bullshit since you know other people
are having the same problem. There is no telling how many people have
called microsoft and paid $300.00. But nothing show up on there support
site.

Please let me know one way or another what you found out.

Thanks,

Jon Vickers
micajah

Your last hope? Yikes!

By any chance did you install the ISA Schema changes from the Beta or RC1 versions? All the problems I've seen related to this seem to come from folks that initialized the AD using the prerelease versions.

We were performing some more test runs today to simulate a customer's environment, and initialize the AD over the network after confirming that the trust was intact between the member server and the domain.

Something I haven't tried yet was to test an AD that was initilaized was RC1 and then reinstall the schema. I do think this would be a problem, becuase you cannot remove changes to the schema once they are made. You can "deactivate" them, but they are there forever after adding them (I'd be glad to hear from some AD wizards who know how to remove them if this is possible).

Therefore, I believe when the Enterprise iniitalization wizard does it thing, its *not* removing the schema changes, its only removing the policy related objects that are stored in the AD.

You are right that this information is not documented and I haven't heard anything from MS yet either on this matter. I'm expecting that we'll hear a lot more, and get some cool whitepapers on a variety of subjects once the product is officially released. That's why we've moved our publication data back, because there's so much of this stuff that they're not talking about yet.

Please don't tell me you've installed the RC1 schema changes in your production domain.
:-(

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/

I am thinking about putting up a newsgroup on our website for one of our products. We are thinking about writing on ourselves.

I was curious how you moderate these discussions.

Do you have to browse around on the frontend and just find postings to reply or do you have a backend where you can see all the new postings as they are coming in?

Just curious since I was considering this message board product.

Also, Can you have the system so for the user side it shows the new posts coming in in chronological order instead of being organized topic and then discussion topic. I need for the posting to just sort of come in like they would in a traditional newsgroup. But also have the ability to group all the messages in one thread together like deja.com does. Bottom line. I need both ways, to view by topic and by chronological order.

thanks for any feedback.

Yes I installed the schema changes from RC1. And yes I installed the schema changes in my production environment. I did not realize that schema changes were so permanent. I have just never had any problems and did not think much about it. It seems that there has to be a tool like regedit that I could get and remove the changes from the schema. It is sort of weird. You know how you always go "I can't figure this out, there is nothing I can do." But then you always figure it out. I knew like right off this was a major problem after just a few minutes.

I really think my only hope is to find some tool that could alow me to get this stuff out of my ad. Or Microsoft release a hotfix to solve the problem.

Just for you FYI, I never tried to upgrade from RC1 to final release. I removed RC1 first and then attempted to install final release. I think I have already tried to reinstall RC1 and upgrade but I will try again on Monday. This is my last thought other than the "regedit" like tool to get those schema changes out.

Also I guess I can cough up the $250 and call Microsoft and see what they have to say about this. If they do say something I will post something here.

If you try to reproduce this. I installed RC1 from MSDN first. Initialized the AD. Installed on Server1. It installed and was functioning properly. Then tried to install on server two in array. It gave me some sort of error and said I could only install in standalone mode. So I stopped and downloaded the final release from MSDN. I uninstalled RC1 from server1. Then tried to install the final release. This is when the problems started. I get that error message that I showed above, I don't have correct permission or something.

Do you think that there really is a permission problem or this is just an error message that does not mean anything?

I asked my resident AD expert (my wife) and she said that there isn't a way to remove the schema changes from the publicly available tools. However, PSS also has a group of tools available to them that are not publicly available. So, it could be that when you fork out the dough for the call, that they'll be able to do something about it. Also, it might not be a AD problem at all, and perhaps its just a few registry changes "here and there".

I did the experiment today, and while I didn't come up with the same problems you did, I did get a permissions related problem. After installing RC1, I initalized the AD, and then promoted the ISA Server to an Enterprise Array. Then I uninstalled RC1 and removed the AD objects by running the Initialization tool again.

After whacking all that I could via conventional means, I installed the final release as an Array. It did allow me to create the Array, but I keep getting the error "you do not have permissions to view the properties of this object". Of course I do, and I checked and rechecked the permissions on the object and everywhere else in the ISA Management console.

There is a comment in the release notes regarding permissions problems (not exactly what we've been dealing with, however), that involves running the dcomcfng.exe utility and making sure the default permissions are set correctly. I checked that in my situation, and everything was as it should be.

Hopefully, as the product is "officially" released and supported, we'll start seeing some "Q" articles on these issues.

Tom

quote:

---

Originally posted by vickersjon:
Hey Tom,

Yes I installed the schema changes from RC1. And yes I installed the schema changes in my production environment. I did not realize that schema changes were so permanent. I have just never had any problems and did not think much about it. It seems that there has to be a tool like regedit that I could get and remove the changes from the schema. It is sort of weird. You know how you always go "I can't figure this out, there is nothing I can do." But then you always figure it out. I knew like right off this was a major problem after just a few minutes.

I really think my only hope is to find some tool that could alow me to get this stuff out of my ad. Or Microsoft release a hotfix to solve the problem.

Just for you FYI, I never tried to upgrade from RC1 to final release. I removed RC1 first and then attempted to install final release. I think I have already tried to reinstall RC1 and upgrade but I will try again on Monday. This is my last thought other than the "regedit" like tool to get those schema changes out.

Also I guess I can cough up the $250 and call Microsoft and see what they have to say about this. If they do say something I will post something here.

If you try to reproduce this. I installed RC1 from MSDN first. Initialized the AD. Installed on Server1. It installed and was functioning properly. Then tried to install on server two in array. It gave me some sort of error and said I could only install in standalone mode. So I stopped and downloaded the final release from MSDN. I uninstalled RC1 from server1. Then tried to install the final release. This is when the problems started. I get that error message that I showed above, I don't have correct permission or something.

Do you think that there really is a permission problem or this is just an error message that does not mean anything?

---

------------------
Tom Shinder
http://www.isaserver.org/shinder/

I just look for the yellow "light bulbs" which tells me that there is a new post in a particular forum.

For the details on the software and how the site is put together, Stephen takes care of that. Just click the "Contact Us" link on the left side of the page and I'm sure he can help you out.

Tom

quote:

---

Originally posted by vickersjon:
Hey Tom, by the way.

I am thinking about putting up a newsgroup on our website for one of our products. We are thinking about writing on ourselves.

I was curious how you moderate these discussions.

Do you have to browse around on the frontend and just find postings to reply or do you have a backend where you can see all the new postings as they are coming in?

Just curious since I was considering this message board product.

Also, Can you have the system so for the user side it shows the new posts coming in in chronological order instead of being organized topic and then discussion topic. I need for the posting to just sort of come in like they would in a traditional newsgroup. But also have the ability to group all the messages in one thread together like deja.com does. Bottom line. I need both ways, to view by topic and by chronological order.

thanks for any feedback.

---

------------------
Tom Shinder
http://www.isaserver.org/shinder/

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/

The cause of this is an Active Directory problem, not an ISA problem. It occurs when only three of the five FSMO Operations Masters have been moved from the original Active Directory server. Typically this occurs when the original AD server was taken off line or has failed.

The two FSMO Operations Master Roles that are not offered for transfer from the GUI interface are Schema Master and Domain Naming Master.

To fix, go to the server where you want the roles to be transferred to. Run NTDSUTIL from the command prompt. From the NTDSUTIL prompt, type '?' so you can see what is happening.

Next type ROLES from the command prompt. Then type FSMO MAINTENANCE. Next type CONNECTIONS, and finally type CONNECT TO SERVER <SERVER NAME> (being the server you are attempting to move the roles to). Then type 'Q' to quit. Type '?' at the command prompt again which will show you a different choices than before. Next, type 'SEIZE SCHEMA MASTER' to seize it to this computer. If the original AD server is not present, you will recieve an error message saying it cannot transfer roles and will then seize it.

Finally, type 'SEIZE DOMAIN NAMING MASTER' to seize the Domanin Naming Master Role to this server. Then select 'Q', 'Q', and 'Q' to exit.

Let some time pass for the AD to synchronize across the network and it should work after.

------------------
Brian Moscicki

You are *THE MAN*!

Thank you for letting us know what the deal was with this problem. Its been a real Brain Twister!

Thanks!

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/

[This message has been edited by tshinder (edited 03 February 2001).]

I need some credit here. I called Microsoft and they helped me figure out what happened. I used the GUI to transfer the 3 FSMO roles but did not realize that I had to use ntdsutil to move Schema Master and Naming Master.

I had been talking with Brian on email and had him call me on my cell phone so that I could discuss with him. I did not want to post something to the newsgroup that told people to start seizing FSMO roles until I was sure that this is what Brian's problem was as well.

Brian I appreciate you writing up for us on the newsgroup.

Correction from above:
Next type ROLES from the command prompt. Then you will be at the FSMO MAINTENANCE prompt. Then type connections. Then type connect to server [server1]. The type quit to go back to fsmo maintenance prompt.

I hope this helps some people. All I can say is that if you are getting this message it is definetly a sign of a very sick active directory and I would suggest calling microsoft or getting a book and make sure your directory is straight. The problem is really more a symptom than problem.

Check on the full text search for the site. It does not seem to be functioning correctly.

Jon Vickers

You are *THE MAN* too! I appreciate the efforts you guys went through to come up with a solution, and to your company for ponying up the bucks to MS.

Hang out in the next month or two. We're thinking about giving away free books to top posters (like you guys)!

Thanks!

Tom

quote:

---

Originally posted by vickersjon:
Hey Tom,

I need some credit here. I called Microsoft and they helped me figure out what happened. I used the GUI to transfer the 3 FSMO roles but did not realize that I had to use ntdsutil to move Schema Master and Naming Master.

I had been talking with Brian on email and had him call me on my cell phone so that I could discuss with him. I did not want to post something to the newsgroup that told people to start seizing FSMO roles until I was sure that this is what Brian's problem was as well.

Brian I appreciate you writing up for us on the newsgroup.

Correction from above:
Next type ROLES from the command prompt. Then you will be at the FSMO MAINTENANCE prompt. Then type connections. Then type connect to server [server1]. The type quit to go back to fsmo maintenance prompt.

I hope this helps some people. All I can say is that if you are getting this message it is definetly a sign of a very sick active directory and I would suggest calling microsoft or getting a book and make sure your directory is straight. The problem is really more a symptom than problem.

---

------------------
Tom Shinder
http://www.isaserver.org/shinder/

I had never tried the search before. But it does seem awfully slow. But it did find the hits after awhile. I search for FSMO and it found the right posts. Was there a thread that it missed when you did the search?

Tom

quote:

---

Originally posted by vickersjon:
Hey Tom,

Check on the full text search for the site. It does not seem to be functioning correctly.

Jon Vickers

---

------------------
Brian Moscicki