• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Unable to add ISA server to an existing array.

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 General] >> Installation and Planning >> Unable to add ISA server to an existing array. Page: [1] 2   next >   >>
Login
Message << Older Topic   Newer Topic >>
Unable to add ISA server to an existing array. - 30.Nov.2008 4:18:19 AM   
sandy2428

 

Posts: 22
Joined: 18.Sep.2008
Status: offline
Guys i have been trying to add a secondary ISA server to an existing array but unfortunately i keep getting an error which i have attached below.
"An attempt to use windows authentication to authenticate the request sent to the configuration storage server computer failed. Refer to getting started guide for help on setting up windows authentication."

I have 2 nic on my existing primary ISA SERVER which is also hosting the CSS. I have admin rights on CSS array as well as Enterprise server. Two NIC are named as DMZ which is having default gateway with no DNS entry specified and the other INTERNAL with no default gateway but dns entry specified. We will be using this server to publish Websites which are partly hosted on dmz segment and on internal.

Also I just came across an article listed in ISA 2006 Enterprise installation guide.
"Now that you have created an array, you can install ISA Server computers into the array. Perform these steps on the computer you have designated to be the array member. Perform the installation with the same user account that you were logged on to when you performed the installation of the Configuration Storage server."

Point to be highlighted here is "Perform the installation with the same user account that you were logged on to when you performed the installation of the Configuration Storage server". The CSS was installed by x user and i am trying to add ISA server using Y as X user is on leave. Please note user Y is a domain admin and also Y is listed as Enterprise array admin.
Do i need X user credentials to carry out this task??
Also please check the logs below.
----------------------------------------------------
MS Firewall Storage Initiated Connection [System] Allow access from trusted servers to the local Configuration Storage server 0x0 ERROR_SUCCESS
--------------------------------------------------------
MS Firewall Storage Closed Connection [System] Allow access from trusted servers to the local Configuration Storage server 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN-------------------------------------------------------------------------------
Post #: 1
RE: Unable to add ISA server to an existing array. - 30.Nov.2008 10:22:13 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Yes, make sure you use the same account.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to sandy2428)
Post #: 2
RE: Unable to add ISA server to an existing array. - 30.Nov.2008 1:37:24 PM   
sandy2428

 

Posts: 22
Joined: 18.Sep.2008
Status: offline
Thanks Tom for the info, but this is really strange isnt it? I mean one admin installs CSS using his credentials and the system wont allow any other admin to join a computer to the array even if the other admin belongs to ISA enterprise array admin. Anyways you cleared my doubt, saved alot of time bye.

(in reply to tshinder)
Post #: 3
RE: Unable to add ISA server to an existing array. - 5.Dec.2008 5:27:36 AM   
sandy2428

 

Posts: 22
Joined: 18.Sep.2008
Status: offline
Hey Tom,After contacting user X, he suggested to do a repair install of ISA enterprise or simply uninstall ISA completely and then reinstall it back. User X was not keen in resetting his password so i had to uninstall ISA as repair didnt work. After uninstalling ISA it would not install again and would give an error "Setup failed while trying to repair the data in ISA server storage" After doing some research on the net i disjoint the computer from the domain and then carried out ISA installation which went smooth, joined the computer back to the domain and everythg seemed to be normal except for the fact that i was still not able to join secondary server to this array.
I dont understand why the server would not allow me to complete ISA installation when its joined to the domain. It seems the installation completes only when its in workgroup.

(in reply to sandy2428)
Post #: 4
RE: Unable to add ISA server to an existing array. - 5.Dec.2008 5:31:39 AM   
sandy2428

 

Posts: 22
Joined: 18.Sep.2008
Status: offline
Hey Tom check this out
---------------------------------------------------------------------
Registering Intra-Array Adapter Service Principle Names
In a domain configuration where multiple ISA Server computers are connected through more than one network adapter, and Network Load Balancing (NLB) is configured, a request from an array member to a Configuration Storage server from a network adapter dedicated to intra-array communications may fail because Kerberos authentication does not recognize the network adapter name. As a workaround, register the intra-array adapter name in the Kerberos database using the Setspn.exe tool.
--------------------------------------------------------------------------
Do i have to do this and if yes on which computer do i execute the setspn.exe command. Also as of now we have not enabled NLB but will do it once i add the second server to the array.
I feel this might be one of the reasons as to why i am not able to add server to the array. Can you please confirm.

(in reply to sandy2428)
Post #: 5
RE: Unable to add ISA server to an existing array. - 7.Dec.2008 8:39:08 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Are you using an intra-array NIC? You shouldn't need one if your using Windows 2003 SP2.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to sandy2428)
Post #: 6
RE: Unable to add ISA server to an existing array. - 8.Dec.2008 1:01:03 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Some of the info here may help:

http://blog.msfirewall.org.uk/2008/10/resource-guide-for-using-microsoft-nlb.html

The article has link to a doc which discusses the use of SETSPN for intra-array kerberos problems.

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to tshinder)
Post #: 7
RE: Unable to add ISA server to an existing array. - 8.Dec.2008 3:52:17 PM   
Dumber

 

Posts: 278
Joined: 21.Mar.2008
Status: offline
quote:

ORIGINAL: tshinder

Yes, make sure you use the same account.

HTH,
Tom


I haven't tested it but it sounds kinda weird that you need to install ISA with the same user account as in which the CSS was installed?
I doesn't see any logic to it.
What if the previous admin has used his own account and he has left the company?
Then you are never able to add an additional ISA server?

_____________________________

Marcel
Netherlands

MCTS, MCITP (SA,EA) MCP, MCSA:Security, MCSE:Security, CCNA, CCSA, CCSE, CCSE+
No matter how secure, there is always the human factor.
http://www.phetios.com/

(in reply to tshinder)
Post #: 8
RE: Unable to add ISA server to an existing array. - 9.Dec.2008 9:34:13 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Marcel,

That's why you use service specific user accounts for this kind of work. Planning is everything :)

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Dumber)
Post #: 9
RE: Unable to add ISA server to an existing array. - 15.Dec.2008 4:10:59 AM   
sandy2428

 

Posts: 22
Joined: 18.Sep.2008
Status: offline
Guys has anyone managed to join ISA server to an existing array. I feel there is some bug with Windows Enterprise 2003 R2 and ISA ENT 2006.

(in reply to tshinder)
Post #: 10
RE: Unable to add ISA server to an existing array. - 15.Dec.2008 4:55:09 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: sandy2428

Guys has anyone managed to join ISA server to an existing array. I feel there is some bug with Windows Enterprise 2003 R2 and ISA ENT 2006.



Yeah, just a few hundred times!

Must a config issue, but not a bug...

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to sandy2428)
Post #: 11
RE: Unable to add ISA server to an existing array. - 16.Dec.2008 3:27:54 AM   
sandy2428

 

Posts: 22
Joined: 18.Sep.2008
Status: offline
We thought of installing css and isa services the other way round by making the second server primary and vice versa.
The wierd part is that the installation fails on the second server as well. After selecting css services and ISA service during installation we get the same error " Unable to create server storage space" but the installation works fine when the server is in workgroup.
We have spent quite a lot of time trying to solve this issue. We might raise a call with microsoft.

(in reply to Jason Jones)
Post #: 12
RE: Unable to add ISA server to an existing array. - 17.Dec.2008 11:36:20 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Sandy,

Check out my article on installing ISA 2006 EE with the CSS on a firewall array member.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to sandy2428)
Post #: 13
RE: Unable to add ISA server to an existing array. - 17.Dec.2008 12:24:41 PM   
sandy2428

 

Posts: 22
Joined: 18.Sep.2008
Status: offline
Thanks Tom,

Do you have the link handy, anyways i will search the article.

I tried searching for your article but was unable to locate it. Will appreciate if you can provide me the link for it.

Regards

< Message edited by sandy2428 -- 18.Dec.2008 3:21:16 AM >

(in reply to tshinder)
Post #: 14
RE: Unable to add ISA server to an existing array. - 19.Dec.2008 9:18:28 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hmmm. I can't find it either :)

What I was trying to find was my observations regarding installing the CSS and the firewall services at the same time. There is a certain procedure that seems like it should work, but it doesn't. Then there is the procedure that works. However, I don't recall the details, because I have been installing the CSS on another machine for the last two years (for security and management reasons).

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to sandy2428)
Post #: 15
RE: Unable to add ISA server to an existing array. - 19.Dec.2008 10:01:42 AM   
sandy2428

 

Posts: 22
Joined: 18.Sep.2008
Status: offline
No probs TOM, if you come across any article anywhere that addresses this issue let me know.

Regards

(in reply to tshinder)
Post #: 16
RE: Unable to add ISA server to an existing array. - 24.Dec.2008 9:56:37 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Did you check the installation guide on the CD? IIRC, they had the correct procedure there.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to sandy2428)
Post #: 17
RE: Unable to add ISA server to an existing array. - 28.Dec.2008 2:20:25 AM   
sandy2428

 

Posts: 22
Joined: 18.Sep.2008
Status: offline
I actually read the instructions mentioned in the documentation CD and the example installation was referring to installing CSS on a separate machine whereas our scenario is different we have CSS and ISA services installed on the same. Anyways I will however try to go through the document again. Thanks.

Regards

(in reply to tshinder)
Post #: 18
RE: Unable to add ISA server to an existing array. - 29.Dec.2008 10:19:55 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Sandy,

I think the way it won't work is if you install the CSS and the ISA firewall services on the machine At the same time.

So, to make it work -- you install the CSS first. Then you install the firewall services on the first machine, then you install the firewall services on the second machine.

Pay very close attention to DNS. If CSS doesn't resolve the name of the ISA firewall array members to their internal IP addresess, bad things are going to happen.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to sandy2428)
Post #: 19
RE: Unable to add ISA server to an existing array. - 15.Jan.2009 2:01:03 AM   
sandy2428

 

Posts: 22
Joined: 18.Sep.2008
Status: offline
Hey TOM sorry for the delay in replying, the problem was solved after raising the issue with Microsoft. It had to do something with our server name as it was too long something like abcef-r-rtg1.domain.com. After renaming the CSS to something short we were able to add secondary server to the array.
Anyways thanks for your assistance.

(in reply to tshinder)
Post #: 20

Page:   [1] 2   next >   >> << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 General] >> Installation and Planning >> Unable to add ISA server to an existing array. Page: [1] 2   next >   >>
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts