How to Install ISA Server in an Array Without Domain Administration Rights

You must belong to the Domain Administrators group to install ISA Server in Array mode.

By default, users who do not belong to the Domain Administrators group have only rights to read from the System and FPC nodes in the Active Directory domain container. Therefore, these users cannot create or write to new nodes.

Following customer feedback, Microsoft has lowered the setup border to resolve this issue for customers who find this limitation unacceptable.

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language. The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

To use this code change, you must prepare the Active Directory by using the following procedure.

WARNING: If you use the Active Directory Service Interfaces (ADSI) Edit snap-in and incorrectly modify the attributes of Active Directory objects, you can cause serious problems that may require you to reinstall Microsoft Windows 2000 Server or ISA Server 2000. Microsoft cannot guarantee that problems that result from the incorrect modification of Active Directory object attributes can be solved. Modify these attributes at your own risk. If you are running Microsoft Windows NT or Microsoft Windows 2000, update your Emergency Repair Disk (ERD).

1. Log on as a member of the Enterprise Administrators group on the server where ISA Server will be installed.
2. Create an ISA Server Administrators group in Active Directory. To do this, open Active Directory Users and Computers in Administrative Tools.
3. Right-click Users, click New, and then click Group.
4. Type a name for the new group (for example, ISA Administrators), click to select Global Domain for the Group Scope, and then click to select Security for the Group Type.
5. Install the schema extension for ISA Server. To do this, start the Msisaent.exe file in the \Isa\I386 folder.
6. Install ISA Server in Array mode. Note that the first installation of ISA Server creates the FPC object in Active Directory under the System object. You must follow this step to make sure that the FPC object is created correctly.
7. Change the properties of the relevant FPC object in Active Directory by using the ADSI Edit tool of the Microsoft Windows 2000 Support tools:
   1. Click the Domain NC container.
   2. Click DC=[your Domain], click DC=[root Domain], and then click CN=System.
   3. Expand CN=FPC, and then open its properties.
   4. Click the Security tab.
   5. Add the ISA Administrators group and give the group Write permission.
   6. On the Security tab, click Advanced, and then click the Permissions tab. Click to select ISA Administrators, and then click View/Edit. In the Apply onto box, click to select This object and all child objects to make sure that the rights for ISA Administrators are inherited.
   7. Close ADSI Edit.
   8. Wait until replication is performed on all domain controllers in the domain. Note that if you remove ISA Server at this time, the FPC object is not deleted.
   NOTE: If you want to join an existing array, you must change the permissions on both the array and the FPC node to include this group.
   
   
8. Prepare the installation of the relevant files:
   1. Insert the CD-ROM of ISA Server Enterprise Edition and copy all files and subfolders of the \Isa folder in a separate folder or share.
   2. Rename the Stpsrvex.dll, Msfpc.dll, and Msfpccom.dll files in the \Isa\I386 folder to .old.
   3. Copy the files of the hotfix in the \Isa\I386 folder.
9. Start the installation of the ISA Server array or computers:
   1. In the \Isa folder, click the Setup.exe file to install ISA Server.
   2. Install Service Pack 1 for ISA Server.
   3. Install the hotfix package Isahf173.exe.
   4. Open the Microsoft Management Console (MMC) for ISA Server.
   5. Right-click Server and Arrays, and then click New.
      
      NOTE: If a user who is not a domain administrator tries to join the server to an existing array, the dialog box that shows the list of the available arrays shows only the arrays where the account that is used has the required permissions to perform the join operation.
      
      If a user who is not a domain administrator wants to join an existing array, a domain administrator must give the user full access on the array.
   6. Follow the instructions of the array wizard, starting with an appropriate array name.
   7. Log on to another computer as a member of the ISA Administrators group that you just created.
   8. Start the setup of the ISA Server and follow the instructions of the setup wizard to add the computer to the array that you just defined.NOTE: When you create the first array, you must change the Write permissions of the parent system node to allow full access on the new created FPC node. When you install a second array in the domain (so that the FPC node in the Active Directory already exists), you allow full access on the FPC node.

The new code works for ISA Server installed in a single domain environment, in a subdomain, and with different enterprise policies.

NOTE: If an Active Directory forest includes more than one domain that hosts ISA Server arrays, you must make sure to apply the noted changes to each FPC node of the relevant domain. Each time you want to install ISA Server in an array with limited rights for the ISA administrators, you must also follow the procedure that this article describes.

The code change does not work for an ISA Server computer that is installed on a domain controller because of the privilege model of Active Directory.

Only domain administrators can access system access-control list (SACL) information in Active Directory. This is by design. Even when you use the changes that are included with this article, backup is blocked if it is not performed in the context of a domain administrator account.

The code change that is referenced in this article introduces a new DWORD registry key named SkipSACLInBackupRestore (located under the FPC key in the registry) to override this behavior. If it is set to a value other than 0, you can back up and restore ISA Server configuration data even if the administrator is not a member of the Domain Administrators group.