As with most of my blogs this one was inspired by real events. Occasionally you may have a need to remove a primary Configuration Storage Server (CSS). Configuration Storage Servers are a component of ISA Server 2004 or 2006 Enterprise Edition and all Forefront TMG editions. In a nutshell, CSS is an instance of Active Directory Application Mode (ADAM) database that contains the firewall schema and configuration data . For more information on the concept behind the CSS please see http://technet.microsoft.com/en-us/library/cc302686.aspx
For this scenario we have 3 ISA Server 2006 EE machines in an Enterprise Array (ISA1, ISA2, and ISA3). ISA1 contains the primary CSS and ISA2 contains the alternate CSS.
Now let’s say that you need to remove ISA1 because you need to replace the server with better hardware. Because the primary CSS will be offline for the duration of the server replacement, ISA2 must become your primary CSS. It is easy enough to go into the ISA Management Console on either ISA2 or ISA3 and configure the Array to use isa2.contoso.com as the primary CSS.
Changing the Primary CSS
1. Right-click on the Array and choose Properties.
2. Select the Configuration Storage tab and enter the fully-qualified name of the new primary CSS (See Figure 1).
3. Click OK to close the Properties page
4. When the Apply and Discard buttons appear in the center pane, click Apply to save your change
Note: if the CSS that holds the FSMO Naming or Schema Master roles (ISA1 in this example) is unavailable, you must use the Seizing the Roles process.
Since ADAM is a scaled-down form of Active Directory, you need to transfer some Flexible Single Master Operations (FSMO) roles to the new primary CSS. The two FSMO roles you will need to transfer to ISA2 (your new primary CSS) are the Schema Master and Naming Master roles. To do this you would log on to either CSS and go to the ADAM Tools Command Prompt (See Figure 2).
At the prompt you would go through the procedure outlined here http://technet.microsoft.com/en-us/library/cc758598.aspx
For this scenario you would proceed like this:
1. Open an ADAM tools command prompt on ISA1 or ISA2.
2. At the command prompt, type: dsmgmt
3. At the dsmgmt: command prompt, type: roles
4. At the fsmo maintenance: command prompt, type: connections
5. At the server connections: command prompt, type: connect to server ISA2.contoso.com:2171
Note: ISA2.contoso.com:2171 is the computer name and communications port number of the ADAM instance that you want to use as the new naming master.
6. At the server connections: command prompt, type: quit
7. At the fsmo maintenance: command prompt, type: transfer naming master
8. At the fsmo maintenance: command prompt, type: transfer schema master
In a scenario where ISA1 is unavailable, you would have to seize the FSMO roles. This procedure is described here http://technet.microsoft.com/en-us/library/cc781970.aspx
The difference here is that you must log on to ISA2 to perform this since ISA1 is unavailable.
1. Open an ADAM tools command prompt on ISA2.
Note: ISA2.contoso.com:2171 is the computer name and communications port number of the ADAM instance that you want to use as the new naming master. In this case connect to server localhost:2171 would also work.
7. At the fsmo maintenance: command prompt, type: seize naming master
8. At the fsmo maintenance: command prompt, type: seize schema master
When you rebuild ISA1 you should probably make it the replica CSS. By doing this you will avoid have to transfer the roles again and you will also have the redundancy that a replica CSS brings. To make it a replica CSS simply choose that option when reinstalling (See Figure 3)
In this article you learned that the Enterprise Edition of ISA Server uses ADAM which is a scaled-down form of Active Directory. In ISA Server Enterprise Edition the primary CSS usually holds the FSMO roles of Naming Master and Schema Master. You also learned how to transfer these FSMO roles if you ever need to rebuild or replace the primary Configuration Storage Server.
Author: Keith Abluton, SR SUPPORT ENGINEER, CSS Security
Technical Reviewers: Jim Harrison, Program Manager, FF Edge CS
PingBack from http://www.it-training-grote.de/blog/?p=729
Great and inspirational stuff!
Thanks for your sharing.
Have a nice day.
News Security The Challenge of Information Security Management, Part 1
you might like to also remove the instances of ISA1 in the above example from ADAM. which can be done using ADAM adsi edit..