You may receive a "Setup failed while creating the services configuration" error when you try to install ISA Server 2004 on a Windows Server 2003-based domain controller

You try to install Microsoft Internet Security and Acceleration (ISA) Server 2004 on a Microsoft Windows 2003-based domain controller. The domain controller resides in a Microsoft Windows 2000 domain. In this scenario, you may receive the following error message:Additionally, the following error message may be logged in the ISA Server Firewall service setup log file:

Note The path of this log file is %windir%\Temp\ISAFWSV_LogNumber.log. This log file may not state that the Firewall service is successfully installed. The error message that is logged in this log file indicates that the Network Configuration Operators group is not found on the computer. A successful installation generates the following message in the log file:

This behavior occurs because the Network Configuration Operators group does not exist on the domain controller. In a Windows 2000 domain, the Network Configuration Operators group does not exist on the domain controller until the operations master primary domain controller (PDC) role is moved to a Microsoft Windows Server 2003-based domain controller. When the ISA Server 2004 Setup program tries to change the Network Configuration Operators group, an error occurs.

The Network Configuration Operators group exists as a local group on a Windows Server 2003-based member server. The group exists in a domain local group on a domain controller that resides in a Windows Server 2003 domain.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

To resolve this problem, use one of the following methods:

• Move the operations master PDC role to a Windows Server 2003-based domain controller in the domain. This method creates the Network Configuration Operators group.
  For more information, click the following article number to view the article in the Microsoft Knowledge Base:
  324801� How to view and transfer FSMO roles in Windows Server 2003
• Remove the Active Directory directory service from the domain controller, install ISA Server 2004, and then install Active Directory again on the domain controller.
  
  For more information about how to remove Active Directory from a Windows Server 2003-based domain controller, visit the following Microsoft Web site:
  http://technet2.microsoft.com/windowsserver/en/library/f82e0fb0-552f-4b94-9ece-f550388976571033.mspx

After you use one of these methods to resolve the problem, make sure that the following permissions and settings are configured on the domain controller:

• The local service account and the network service account have permissions to generate security audits in domain Group Policy.
  
  For more information about generating security audits, visit the following Microsoft Web site:
  http://technet2.microsoft.com/windowsserver/en/library/a43aa14d-8999-451b-a929-e1f414dfd6bb1033.mspx
• The Authenticated Users group is a member of the Pre-Windows 2000 Compatible Access group.
  
  For more information, click the following article number to view the article in the Microsoft Knowledge Base:
  325363� How to add users to the Pre-Windows 2000 Compatible Access group in Windows Server 2003
• The account that you use to install ISA Server 2004 has permissions to modify the Network Configuration Operators local domain group.
  
  Note You can verify whether the account has permissions to change the Network Configuration Operators local domain group by using the ADSIEdit.exe or Dsacls.exe tools that are included with the Windows Server 2003 Resource Kit.
  
  For more information about how to use Dsacls.exe tool, click the following article number to view the article in the Microsoft Knowledge Base:
  281146� How to use Dsacls.exe in Windows 2000

For more information, click the following article number to view the article in the Microsoft Knowledge Base: