In certain scenarios, you may want or need to install the Configuration Storage server on a domain controller. In that scenario, the most secure configuration is to configure the Configuration Storage server to run with USER privilege.
See this snippet from the ISA Server Getting Started Guide (Installing the Configuration Storage Server):
Note the following:
The Configuration Storage server service normally runs under the network service account. If you install the Configuration Storage server on a domain controller, you must provide an account under which the service will run. This is because the Network Service account cannot be used when the Configuration Storage server runs on a domain controller. You can run the Configuration Storage server service using the credentials of a user in the Domain Admins group (a domain administrator). However, for the most secure configuration, we recommend that you provide the credentials of a user who is not a domain administrator. If you provide the credentials of a user who is not a domain administrator, you must perform the following procedure to ensure that the user has the permissions required by the service.
When you install an ISA Server 2006 Configuration Storage server on a domain controller using a low-privileged account, the ADAM instance (ISASTGCTRL) installs and runs but complains in the event log about two things: it cannot create its serviceConnectionPoint (SCP) under the domain controller object, and it cannot initialize auditing because the account lacks the Generate security audits right.
This article outlines the things you need to do to fix these issues. For clarity it starts with installing the Configuration Storage server and configuring the service account.
It is assumed you have administrator privileges when installing the Configuration Storage server.
Before installing the Configuration Storage server, create a user account for it. The example below uses an account called isa-css, which is an ordinary user in Active Directory. The user can have a long and complex password that never expires, because it is only used for this purpose.
At some point during setup, specify this account as the one to use for the storage instance.
Run the batch file
When installation is complete you need to run a batch file to register Service Principal Names in Active Directory. The batch file is located in the ADAMData folder under the Microsoft ISA Server folder. See the snippet which is taken from the installation guide:
In the Program Files\Microsoft ISA Server\ADAMData folder, locate the Dnsdomain.bat file, where Dnsdomain is the DNS name of the computer on which ADAM is running.
At the command prompt, type Dnsdomain to run the file. The Dnsdomain.bat file appears in the directory approximately one minute after ADAM installation is complete.
Open ADSI Edit and go to the Domain Controller object on which you have installed the Configuration Storage server. In the picture above the Configuration Storage server has been installed on a domain controller called dc1 in the domain corp.local.
Add the account isa-css to the permissions list and give the user account Create All Child Objects permission on the domain controller object.
After restarting the ADAM service, you will see that it successfully registers the SCP, as shown in the screenshot below.
The message below from the event log also confirms successful registration.
Modify generate security audits policy on the domain controller
Add or edit the group policy object on the Domain Controllers OU and add the user account (isa-css) to the “Generate security audits” right. The screenshot below displays a separate GPO.
After restarting the ADAM instance you will now see security audit events in the security event log (see the screenshot below), and the service no longer logs the warnings and errors.
When you install a replica Configuration Storage server, you need to do two things:
· Set the permissions on the replica domain controller object (see previous)
· Run the batch file on the replica Configuration Storage server.
If you use the same service account, it already has the Generate security audits right through application of the Domain Controllers GPO.
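The three things the procedure above changes (the permission on the domain controller object, the Generate security audits right, and the event log entries that show whether both took effect) can also be checked from a script. The following PowerShell is an added example written for this page; it is not code from the article or from ISA Server. It assumes the article's names (domain corp.local, domain controller dc1, service account isa-css) and assumes that the ADAM instance writes to an event log named "ADAM (ISASTGCTRL)"; the ADSI Edit step is reproduced through the ADSI provider, and the Generate security audits right is read back from the effective local policy rather than changed, since the article sets it through the Domain Controllers GPO.

```powershell
# Added example for this page; not code from the article or from ISA Server.
# Checks (and, for the ACL, applies) the fixes described above for a
# Configuration Storage server running as a low-privileged account on a DC.
# Assumed names: domain corp.local, domain controller dc1, service account
# isa-css, ADAM instance ISASTGCTRL logging to the "ADAM (ISASTGCTRL)" log.
# Run from an elevated PowerShell prompt on the domain controller.
param(
    [string]$Domain  = "corp.local",        # assumed, as in the article
    [string]$DcName  = "dc1",               # assumed, as in the article
    [string]$Account = "isa-css",           # service account from the article
    [string]$AdamLog = "ADAM (ISASTGCTRL)"  # assumed event log name of the instance
)

$netbios  = ($Domain -split '\.')[0].ToUpper()
$domainDn = ($Domain -split '\.' | ForEach-Object { "DC=$_" }) -join ','
$dcDn     = "CN=$DcName,OU=Domain Controllers,$domainDn"

# Resolve the service account to its SID once; ACEs and secedit output use SIDs.
$identity = New-Object System.Security.Principal.NTAccount($netbios, $Account)
$sid      = $identity.Translate([System.Security.Principal.SecurityIdentifier])

# --- 1. Create All Child Objects on the domain controller's computer object ---
# ADAM creates its serviceConnectionPoint as a child of this object; without
# CreateChild here the instance logs event 2537 (see the entries below).
$createChild = [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$dcObject    = [ADSI]"LDAP://$dcDn"
$rules       = $dcObject.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$hasCreateChild = $rules | Where-Object {
    $_.IdentityReference.Value -eq $sid.Value -and
    $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
    (([int]$_.ActiveDirectoryRights) -band $createChild) -ne 0
}
if ($hasCreateChild) {
    Write-Host "[OK]   $netbios\$Account has Create All Child Objects on $dcDn"
} else {
    Write-Host "[FIX]  granting Create All Child Objects on $dcDn to $netbios\$Account"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $dcObject.ObjectSecurity.AddAccessRule($rule)
    $dcObject.CommitChanges()
}

# --- 2. Generate security audits (SeAuditPrivilege) ---
# Export the effective user-rights policy on the DC; once the Domain Controllers
# GPO has applied, the account's SID is listed. Without the right the instance
# logs event 2521 and runs with auditing disabled.
$inf = Join-Path $env:TEMP "css-userrights.inf"
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$auditLine = Get-Content $inf | Where-Object { $_ -match '^\s*SeAuditPrivilege' }
if ($auditLine -and ($auditLine -like "*$($sid.Value)*" -or $auditLine -like "*$Account*")) {
    Write-Host "[OK]   $netbios\$Account holds SeAuditPrivilege: $auditLine"
} else {
    Write-Host "[TODO] add $netbios\$Account to 'Generate security audits' in the Domain Controllers GPO, then run gpupdate /force"
}
Remove-Item $inf -ErrorAction SilentlyContinue

# --- 3. Symptom events from the ADAM instance ---
# After the fixes and a restart of the instance, neither event ID should recur.
$symptoms = @{ 2537 = "cannot create SCP (Create All Child Objects missing)";
               2521 = "auditing disabled (Generate security audits missing)" }
$recent = Get-EventLog -LogName $AdamLog -Newest 500 |
    Where-Object { $symptoms.ContainsKey([int]$_.EventID) }
if ($recent) {
    $recent | ForEach-Object {
        Write-Host ("[EVENT] {0}  ID {1}: {2}" -f $_.TimeGenerated, $_.EventID, $symptoms[[int]$_.EventID])
    }
} else {
    Write-Host "[OK]   no 2537/2521 events in the last 500 entries of '$AdamLog'"
}
```

Run it as a domain administrator on the domain controller, restart the ADAM instance service afterwards (the instance service is assumed here to be named ADAM_ISASTGCTRL), and run it a second time: step 1 and step 2 should both report OK and step 3 should show no new 2537 or 2521 entries, which is the same confirmation the screenshots in the article give.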
Below are the event log entries the service logs when nothing has been fixed; in the scenario of this document you will see them right after installation.
Insufficient access to the domain controller-object:
AD/AM error 2537:
Event Type: Error
Event Source: ADAM [ISASTGCTRL] General
Event Category: Internal Processing
Event ID: 2537
Time: 9:10:26 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: Configuration Storage server
The directory server has failed to create the ADAM serviceConnectionPoint object in the Active Directory. This operation will be retried.
No ‘Generate security audits’ right
Event Type: Warning
Event Category: Security
Event ID: 2521
Time: 9:11:01 AM
Active Directory was unable to initialize auditing security system. It will run with auditing disabled. No security audits will be generated.
1314 A required privilege is not held by the client.
Matthijs ten Seldam
ISA Server Principal Consultant
Very good article. The only issue I have with it is that you use the .local domain in the example. Using .local is typically a poor practice as most enterprises never use it, and even SMB shops should use valid top level domains and create a split DNS infrastructure, which is very easy to do and provides location transparency to users. --Tom
I agree with your remarks regarding the domain name. I assumed people to focus on the issue. If I can repost the content, I will change the domain.
Thanks for the great information. http://www.texanit.com
I need to know why, when I joined my ISA server to the domain and then installed ISA 2006 Standard Edition, I can't run gpupdate or load users from the domain controller and get the message "RPC server is unavailable".
I know this is an old article, but really don't get the logic of installing ISA on the core of your Windows network security infrastructure. Domain Controllers have enough attack vectors let alone adding something like this on.