In the following scenario, the Windows operating system may not run correctly after installing ISA Server 2006 Supportability Pack:
1. ISA Server 2006 is installed on a computer which is a member of an Active Directory domain.
2. The Enteprise Admins group (which exists by default on the Active Directory root domain) has been assigned any of the following roles:
· ISA Server 2006 Enterprise Edition: ISA Server Enterprise Administrator role
· ISA Server 2006 Standard Edition: ISA Server Full Administrator role
3. You install ISA Server 2006 Supportability Pack and restart the computer.
In this scenario, the computer may not run correctly after restarting. You can log in, but many services do not run. The following event in issued in the Event Viewer: 6015 – "The custom security descriptor for the event log ISA Server Diagnostics is invalid. Please ask an administrator to correct the CustomSD value in the registry for this event log."
Cause: The problem occurs because ISA Server formats the CustomSD registry value of the new ISA Server Diagnostics events folder in a way which is not supported by the EventLog service.
Complete the following steps to resolve this issue:
In Active Directory:
1. Open the Active Directory Users and Computers snap-in.
2. Right-click the required OU, point to New, and then click Group.
3. Create a group, ensuring that the Group scope is set to Universal.
4. Add the Enterprise Admins group to the new group.
On the ISA Server computer, do the following:
1. Manually start the netlogon service. To do this, in a command window type: net start netlogon.
2. Manually start the Microsoft Firewall service. To do this, type the following in a command window:
· For ISA Server 2006 Standard Edition type: net start fwsrv.
· For ISA Server 2006 Enterprise Edition type: net start isastgctrl, and then type: net start fwsrv.
3. Start ISA Server Management console and remove the Enterprise Admins group from the ISA Server roles, as follows:
· Right-click the server name (or enterprise name in ISA Server 2006 Enterprise Edition) and then click Properties.
· Click the Assign Roles tab and do the following:
· For ISA Server 2006 Standard Edition, select ISA Server Full Administrator from the roles list, and then click Edit. Replace Enterprise Admins with the new universal group you created.
· For ISA Server 2006 Enterprise Edition, select ISA Server Enterprise Administrator from the roles list, and then click Edit. Replace Enterprise Admins with the new universal group you created.
4. Restart the computer, and repeat steps 1 and 2.
5. Restart the computer again to ensure that the change is applied.
· ISA Server 2006 Supportability Update is available from the Microsoft Download Center at http://www.microsoft.com/downloads/details.aspx?FamilyID=6f629eac-d8c6-4437-9d20-b47b02db413a&DisplayLang=en.
Thanks to Philip Bailey who helped with this.
ISA Server sustained engineering group.
Security Microsoft and Novell Open Interoperability Lab http://www.microsoft.com/presspass/press/2007/sep07/09-11MSNovellLabsPR.mspx
pingback from http://blogs.technet.com/isablog/archive/2007/07/18/isolating-problems-that-seem-to-be-related-to-isa-server-part-ii.aspx