Installing ISA Server 2006 Configuration Storage Server on a Domain Controller

Introduction

In certain scenarios, you may want or need to install the Configuration Storage server on a domain controller. In that scenario, the most secure configuration is to configure the Configuration Storage server to run with USER privilege.

See this snippet from the ISA Server Getting Started Guide, section "Installing the Configuration Storage Server":

Note the following:

The Configuration Storage server service normally runs under the network service account. If you install the Configuration Storage server on a domain controller, you must provide an account under which the service will run. This is because the Network Service account cannot be used when the Configuration Storage server runs on a domain controller. You can run the Configuration Storage server service using the credentials of a user in the Domain Admins group (a domain administrator). However, for the most secure configuration, we recommend that you provide the credentials of a user who is not a domain administrator. If you provide the credentials of a user who is not a domain administrator, you must perform the following procedure to ensure that the user has the permissions required by the service.

When you install an ISA Server 2006 Configuration Storage server on a domain controller using a low-privileged account, the ADAM instance (ISASTGCTRL) installs and runs but complains in the event log about two things:

  • It is unable to create a Service Connection Point (SCP)
  • It is unable to initialize the auditing security system

This article outlines what you need to do to fix these issues. For clarity, it starts with installing the Configuration Storage server and configuring the service account.

It is assumed you have administrator privileges when installing the Configuration Storage server.

Before installing the Configuration Storage server, create a user account for it. The example below uses an account called isa-css, which is an ordinary user in Active Directory. The account can have a long and complex password that never expires, because it is used for this purpose only.


Install the Configuration Storage server

At a certain point during setup, specify the account you created for the storage instance (isa-css in this example).
Run the batch file

When installation is complete you need to run a batch file to register Service Principal Names in Active Directory. The batch file is located in the ADAMData folder inside the Microsoft ISA Server folder. See the following snippet, which is taken from the installation guide:

In the Program Files\Microsoft ISA Server\ADAMData folder, locate the Dnsdomain.bat file, where Dnsdomain is the DNS name of the computer on which ADAM is running.

At the command prompt, type Dnsdomain to run the file. The Dnsdomain.bat file appears in the directory approximately one minute after ADAM installation is complete.

Change permissions on the domain controller object

Open ADSI Edit and go to the domain controller object on which you have installed the Configuration Storage server. In this example the Configuration Storage server has been installed on a domain controller called dc1 in the domain corp.local.

Add the account isa-css to the permissions list and give the user account Create All Child Objects permission on the domain controller object.

After restarting the ADAM service, you will see it successfully registers the SCP as shown in the screenshot below.

The message below from the event log also confirms successful registration.

Modify generate security audits policy on the domain controller

Add or edit the group policy object on the Domain Controllers OU and add the user account (isa-css) to the “Generate security audits” right. The screenshot below displays a separate GPO.

Run gpupdate

After restarting the ADAM instance, you will see security audit events in the security event log (see the screenshot below), and the service no longer logs the warnings and errors described above.
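As an added check that is not part of the original article, the PowerShell script below verifies the two settings granted above: the Create All Child Objects permission on the domain controller object and the Generate security audits right. It assumes the ActiveDirectory module (RSAT) is available, that it runs with administrative rights on the domain controller hosting the Configuration Storage server, and the example names isa-css, dc1 and CORP (the assumed NetBIOS name of corp.local).

```powershell
# Added verification script (not from the original article). Assumes the
# ActiveDirectory module (RSAT) is available, that it runs on the domain
# controller hosting the Configuration Storage server, and that the names
# below match the article's example (isa-css, dc1, corp.local / CORP).
Import-Module ActiveDirectory

$serviceAccount = 'isa-css'   # service account from the article
$dcName         = 'dc1'       # domain controller hosting ADAM (ISASTGCTRL)
$domainNetbios  = 'CORP'      # assumed NetBIOS name of corp.local

# 1. "Create All Child Objects" on the DC computer object (needed for the SCP).
#    An ACE whose ObjectType is the empty GUID applies to all child classes.
$dcObject = Get-ADComputer -Identity $dcName
$acl      = Get-Acl -Path ("AD:\" + $dcObject.DistinguishedName)
$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$scpAce = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq "$domainNetbios\$serviceAccount" -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights.HasFlag($createChild) -and
    $_.ObjectType -eq [Guid]::Empty
}
if ($scpAce) {
    Write-Host "OK: $serviceAccount may create child objects under $($dcObject.DistinguishedName)"
} else {
    Write-Warning "MISSING: $serviceAccount lacks Create All Child Objects on $dcName (expect event 2537)"
}

# 2. "Generate security audits" (SeAuditPrivilege) in the effective local
#    policy of the DC, i.e. what the Domain Controllers GPO actually applied.
$exportFile = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $exportFile /areas USER_RIGHTS | Out-Null
$auditLine = Get-Content $exportFile | Where-Object { $_ -like 'SeAuditPrivilege*' }
Remove-Item $exportFile -ErrorAction SilentlyContinue

# secedit lists principals as *SID, so resolve the account to its SID first.
$accountSid = (Get-ADUser -Identity $serviceAccount).SID.Value
if ($auditLine -and $auditLine -match [regex]::Escape("*$accountSid")) {
    Write-Host "OK: $serviceAccount holds SeAuditPrivilege (Generate security audits)"
} else {
    Write-Warning "MISSING: $serviceAccount is not granted Generate security audits (expect warning 2521, error 1314)"
}
```

Run it after gpupdate; a MISSING line for either check tells you which of the two event log complaints (2537 or 2521) will keep appearing after the next ADAM restart.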

Note

When you install a replica Configuration Storage server, you need to do two things:

  • Set the permissions on the domain controller object that hosts the replica (see the previous section)
  • Run the batch file on the replica Configuration Storage server

If you use the same service account, it already has the Generate security audits right through the domain controller GPO.

Event log entries after installation

Below are the event log entries the service logs when nothing has been fixed yet; in the scenario of this document you will see them right after installation.

Insufficient access to the domain controller object:

ServiceConnectionPoint errors:

ADAM error 2537:

Event Type: Error
Event Source: ADAM [ISASTGCTRL] General
Event Category: Internal Processing
Event ID: 2537
Date: 2/28/2005
Time: 9:10:26 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: Configuration Storage server
Description:
The directory server has failed to create the ADAM serviceConnectionPoint object in the Active Directory. This operation will be retried.

No ‘Generate security audits’ right

Warning 2521:

Event Type: Warning
Event Source: ADAM [ISASTGCTRL] General
Event Category: Security
Event ID: 2521
Date: 2/28/2005
Time: 9:11:01 AM
User: N/A
Computer: Configuration Storage server
Description:
Active Directory was unable to initialize auditing security system. It will run with auditing disabled. No security audits will be generated.

Additional Data:
Error value:
1314 A required privilege is not held by the client.

Matthijs ten Seldam

ISA Server Principal Consultant

The Netherlands

Comments
  • Hi Matthijs,

    Very good article. The only issue I have with it is that you use the .local domain in the example. Using .local is typically a poor practice as most enterprises never use it, and even SMB shops should use valid top level domains and create a split DNS infrastructure, which is very easy to do and provides location transparency to users. --Tom

  • Hi Tom,

    I agree with your remarks regarding the domain name. I assumed people to focus on the issue. If I can repost the content, I will change the domain.

  • Thanks for the great information. http://www.texanit.com

  • I need to know why, when I joined my ISA server to the domain and then installed ISA 2006 Standard Edition, I can't run gpupdate or load users from the domain controller and get the message "RPC server is unavailable".

  • I know this is an old article, but really don't get the logic of installing ISA on the core of your Windows network security infrastructure. Domain Controllers have enough attack vectors let alone adding something like this on.
