Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

You may receive a "Setup failed while creating the services configuration" error when you try to install ISA Server 2004 on a Windows Server 2003-based domain controller


View products that this article applies to.

Symptoms

You try to install Microsoft Internet Security and Acceleration (ISA) Server 2004 on a Microsoft Windows 2003-based domain controller. The domain controller resides in a Microsoft Windows 2000 domain. In this scenario, you may receive the following error message:
Setup failed while creating the services configuration.
Additionally, the following error message may be logged in the ISA Server Firewall service setup log file:
ISA setup CA INFO : ENTRY: <Time> ConfigureServices, Current user is <Domainname>\Administrator
ISA setup CA ERROR : the function NetLocalGroupAddMembers failed with status = 8ac at the function AddNetSvcToNetCfgOp.


Note The path of this log file is %windir%\Temp\ISAFWSV_LogNumber.log. This log file may not state that the Firewall service is successfully installed. The error message that is logged in this log file indicates that the Network Configuration Operators group is not found on the computer. A successful installation generates the following message in the log file:
Property(C): NETWORKSERVICEACCOUNTNAME = NETWORK SERVICE
Property(C): SERVICES_INSTALLED = 1

↑ Back to the top


Cause

This behavior occurs because the Network Configuration Operators group does not exist on the domain controller. In a Windows 2000 domain, the Network Configuration Operators group does not exist on the domain controller until the operations master primary domain controller (PDC) role is moved to a Microsoft Windows Server 2003-based domain controller. When the ISA Server 2004 Setup program tries to change the Network Configuration Operators group, an error occurs.

The Network Configuration Operators group exists as a local group on a Windows Server 2003-based member server. The group exists in a domain local group on a domain controller that resides in a Windows Server 2003 domain.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
243330� Well-known security identifiers in Windows operating systems

↑ Back to the top


Resolution

To resolve this problem, use one of the following methods:
  • Move the operations master PDC role to a Windows Server 2003-based domain controller in the domain. This method creates the Network Configuration Operators group.
    For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    324801� How to view and transfer FSMO roles in Windows Server 2003
  • Remove the Active Directory directory service from the domain controller, install ISA Server 2004, and then install Active Directory again on the domain controller.

    For more information about how to remove Active Directory from a Windows Server 2003-based domain controller, visit the following Microsoft Web site:
After you use one of these methods to resolve the problem, make sure that the following permissions and settings are configured on the domain controller:
  • The local service account and the network service account have permissions to generate security audits in domain Group Policy.

    For more information about generating security audits, visit the following Microsoft Web site:
  • The Authenticated Users group is a member of the Pre-Windows 2000 Compatible Access group.

    For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    325363� How to add users to the Pre-Windows 2000 Compatible Access group in Windows Server 2003
  • The account that you use to install ISA Server 2004 has permissions to modify the Network Configuration Operators local domain group.

    Note You can verify whether the account has permissions to change the Network Configuration Operators local domain group by using the ADSIEdit.exe or Dsacls.exe tools that are included with the Windows Server 2003 Resource Kit.

    For more information about how to use Dsacls.exe tool, click the following article number to view the article in the Microsoft Knowledge Base:
    281146� How to use Dsacls.exe in Windows 2000

↑ Back to the top


More information

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
837347� The Internet Security and Acceleration (ISA) Server Setup log files

↑ Back to the top


Keywords: KB898720, kbprb, kbtshoot

↑ Back to the top

Article Info
Article ID : 898720
Revision : 6
Created on : 12/4/2007
Published on : 12/4/2007
Exists online : False
Views : 459