Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

FIX: Multiple Registered Web Filters in Active Directory Are Handled Incorrectly


View products that this article applies to.

Symptoms

After you install ISA Server Web filters such as Urlscan or Link Translation, the ISA Server control service may not start, or the Web filter may not work correctly and may not appear in the ISA Server Microsoft Management Console (MMC). This problem only occurs if all the following conditions are met:
  • Multiple ISA Server computers are operating in an enterprise array.
  • The domain contains multiple domain controllers.
  • The Web filter was installed on separate enterprise array members that were logged on to different domain controllers at the time of installation.
  • After the first Web filter was installed on a computer in the ISA Server array, Active Directory domain controller replication was not completed before Web filters were installed on other computers in the array.

↑ Back to the top


Cause

This is a result of an Active Directory replication issue that occurs when ISA Server Web filters are installed on separate computers in the domain. In this issue, duplicate entries (that is, "mangled nodes") for the same Web filter may exist in the ISA server array policy, and ISA Server cannot handle the mangled nodes correctly. For more information about how to detect the mangled nodes, see the "More Information" section.

↑ Back to the top


Workaround

To work around this issue, run Active Directory replication after you install a Web filter on the first computer in the ISA Server array. Initiate Active Directory replication from the domain controller where that ISA Server computer was logged on, and then verify that Active Directory replication was completed. When you do this, you make sure that all domain controllers have the latest information. You do not have to run Active Directory replication after the other Web filter installations in the ISA Server array are completed because Web filter data is global for all arrays. For more information about how to run this task, see the "References" section or contact Microsoft Support.

↑ Back to the top


Resolution

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language. The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
   Date          Time   Version            Size  File name
   ----------------------------------------------------------
   26-June-2003  09:07  3.0.1200.270    212,240  Msfpc.dll
   26-June-2003  09:08  3.0.1200.270  1,822,480  Msfpccom.dll 
				

Prerequisites

ISA Server 2000 Service Pack 1 (SP1) is required to install this hotfix. For additional information about how to obtain the ISA Server Service Pack 1, click the following article number to view the article in the Microsoft Knowledge Base:
313139� How to Obtain the Latest Internet Security and Acceleration Server 2000 Service Pack

Hotfix Replacement Information

This hotfix does not replace any other hotfixes.
Note This hotfix does not remove the mangled nodes from Active Directory. However, with the hotfix installed, ISA Server can handle the mangled nodes correctly.

Removing the Hotfix

You may not be able to remove the hotfix if the Active Directory storage for the Web filter contains mangled nodes because ISA Server cannot handle the mangled nodes correctly during the removal process. However, ISA Server removes the mangled nodes from Active Directory when you back up and restore your ISA Server configuration. After the backup and restore operations are complete, you can remove the hotfix.

To remove the hotfix:
  1. Back up the ISA Server configuration.
  2. Restore the ISA Server configuration by using the backup file that you created in step 1.
  3. Remove the hotfix.
For more information about how to run backup and restore operations on ISA Server, see the "More Information" section.

Note If you want to remove mangled nodes from Active Directory manually, contact Microsoft Product Support Services (PSS) for information and assistance.

↑ Back to the top


More information

Because of the Active Directory replication issue, you may notice multiple Web filter registration entries for the same Web filter. These multiple Web filter registration entries appear as duplicated (that is, "mangled") nodes. For example, you may see the following:
CN={87F18571-C71D-4a2f-9111-9E0927A00B51}
		  msFPCISAPIFilter
		  CN={87F18571-C71D-4a2f-9111-9E0927A00B51},CN=ISAPI-Filters,CN=Extensions,CN={EE37A70F-E9DE-4674-83C4-D602BBF20E3B},CN=Arrays,CN=Fpc,CN=System,DC=DBVWINEU
		  
CN={87F18571-C71D-4a2f-9111-9E0927A00B51}CNF:12921ebc-b0a5-43cf-9e7f-86266db524f5
		  msFPCISAPIFilter
		  CN={87F18571-C71D-4a2f-9111-9E0927A00B51}CNF:12921ebc-b0a5-43cf-9e7f-86266db524f5,CN=ISAPI-Filters,CN=Extensions,CN={EE37A70F-E9DE-4674-83C4-D602BBF20E3B},CN=Arrays,CN=Fpc,CN=System,DC=DBVWINEU
		  
CN={87F18571-C71D-4a2f-9111-9E0927A00B51}CNF:12fc2695-343c-48f0-9aa6-10704ebb683f
		  msFPCISAPIFilter
		  CN={87F18571-C71D-4a2f-9111-9E0927A00B51}CNF:12fc2695-343c-48f0-9aa6-10704ebb683f,CN=ISAPI-Filters,CN=Extensions,CN={EE37A70F-E9DE-4674-83C4-D602BBF20E3B},CN=Arrays,CN=Fpc,CN=System,DC=DBVWINEU
Note A "CNF..." entry behind the GUID starts at the second duplicate entry (that is, the mangled entry). To verify this, use ADSI Edit and view the following Active Directory tree:
Domain NC
--CN=System
----CN=Fpc
------CN=Arrays
--------CN=%Current GUID of your ISA Server Array% 
----------CN=Extensions 
------------CN=ISAPI-Filters
If you want to remove the mangled nodes from Active Directory, you can use the ISA Server backup and restore process that is described in the "Resolution" section. For help with manually cleaning the mangled nodes, contact Microsoft PSS.

ADSI Edit is available in Windows Support Tools. For additional information about how to install Windows 2000 Support Tools, click the following article number to view the article in the Microsoft Knowledge Base:
301423� HOW TO: Install the Windows 2000 Support Tools to a Windows 2000 Server-Based Computer

Back up and Restore the ISA Server Configuration

To back up the ISA Server configuration:
  1. Open the ISA Server MMC.
  2. Right-click a server name or an array name.
  3. Right-click Back Up.
  4. Select a name and location for the backup file.
  5. Click OK.
To restore the ISA Server configuration:
  1. Open the ISA Server MMC.
  2. Right-click a server name or an array name.
  3. Right-click Restore.
  4. Select the backup file that you want to restore.
  5. Click OK.

↑ Back to the top


References

You can use Replmon.exe and Dcdiag.exe to troubleshoot Active Directory replication issues. For more information, visit the following Microsoft Web sites:

↑ Back to the top


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

↑ Back to the top


Keywords: kbautohotfix, kbhotfixserver, kbqfe, kbisaserv2000presp2fix, kbfix, kbbug, KB813865

↑ Back to the top

Article Info
Article ID : 813865
Revision : 14
Created on : 6/14/2007
Published on : 6/14/2007
Exists online : False
Views : 395