Troubleshooting an ISA Server Enterprise Edition Upgrade: What if I forget to export user permission settings?
Upgrading from ISA Server 2004 Enterprise Edition to ISA Server 2006 Enterprise Edition is a very easy task. Our official upgrade guide is useful and clear.
In a nutshell, the upgrade path is the following (for the detailed steps, PLEASE read the upgrade guide, which is available at http://www.microsoft.com/technet/isa/Server 2006/Upgrade_Guide_EE.mspx):
1. Export the ISA Server 2004 configuration from the ISA Server 2004 based Configuration Storage Server (Configuration Storage server)
2. Create a new Configuration Storage server – this step depends on your equipment
   a. If you have an extra server, you should install a new ISA Server 2006 based Configuration Storage server.
   b. If you don’t have an extra server and you can’t place a new ISA Server 2006 based Configuration Storage server on an existing infrastructure server, you have to uninstall the current ISA Server 2004 based Configuration Storage server and install the ISA Server 2006 Configuration Storage server on the same hardware.
3. Import the exported ISA Server 2004 configuration
4. Perform an in-place upgrade of the ISA Array member
If you have to use the same Configuration Storage server hardware, you should be careful. It is very important to select the “Export user permission setting” option during the export process. But what will happen if you create an export without the user permission settings? The short answer is: catastrophe. The long answer: you can’t import the configuration to the ISA Server 2006 Configuration Storage server, and if you have already uninstalled the ISA Server 2004 Configuration Storage server, you are in trouble. When you try to import the exported XML to the ISA Server 2006 Configuration Storage server, you will receive the following error message and the upgrade process will be terminated:
To solve this problem, you have to rebuild your ISA infrastructure and export the configuration again with the right settings. The answer is simple, but the process itself is not, and it is time-consuming.
If it is acceptable to lose the delegated permissions, you can solve this problem without resorting to rebuilding the entire system. You have to insert some new sections into the existing exported XML file. Follow these steps:
1. Install a new ISA Server 2004 Enterprise Edition on a clean computer. Create one array, and export the configuration with the “Export user permission setting” option selected.
2. Open this new XML file with an XML editor (you can use Notepad, but it’s not a good application for navigating within XML) and copy the XML code from the following XPATHs (examples of the portions you should copy are provided later in this posting):
   - /Root/Enterprise/Policies/Policy/AdminSecurity
   - /Root/Enterprise/AdminSecurity
   - /Root/Arrays/Array/AdminSecurity
3. Open the originally exported XML file and make the following changes in it:
   - Change the OptionalData from 13 to 15:
      - XPATH = /Root/OptionalData
      - Original data: <fpc4:OptionalData dt:dt="int">13</fpc4:OptionalData>
      - New data: <fpc4:OptionalData dt:dt="int">15</fpc4:OptionalData>
   - Insert the copied AdminSecurity part to the following XML XPATHs:
      - /Root/Enterprise/Policies/Policy/AdminSecurity
         - If you have more than one Enterprise Policy, you should copy this information under every Enterprise Policy
      - /Root/Enterprise/AdminSecurity
      - /Root/Arrays/Array/AdminSecurity
         - If you have more than one Array, you should copy this information under every Array
4. Save the XML file.
5. After you complete these steps, you should finalize the upgrade process with the modified XML file, following the procedures in the Upgrade Guide.
6. After upgrading the configuration, re-assign the Administrative Roles at the Enterprise, Enterprise Policy and Array levels.
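The check and the edit from steps 2 and 3 can be scripted. The following Python is an added example, not part of the original post and not Microsoft tooling: it lists every Enterprise, Enterprise Policy and Array element that lacks an AdminSecurity child (useful to run on an export before the old Configuration Storage server is uninstalled), then copies the matching section from a donor export and changes OptionalData from 13 to 15. The function names, the sample exports and the namespace URIs are constructed for illustration, and appending the copied section as the last child is an assumption.

```python
import copy
import xml.etree.ElementTree as ET

# Parents (relative to Root) that each need an AdminSecurity child, per the
# XPaths in the steps above. "{*}" matches any namespace (Python 3.8+).
PARENTS = ("{*}Enterprise", "{*}Enterprise/{*}Policies/{*}Policy", "{*}Arrays/{*}Array")

def missing_admin_security(root):
    """List every Enterprise/Policy/Array element with no AdminSecurity child."""
    missing = []
    for path in PARENTS:
        for parent in root.findall(path):
            if parent.find("{*}AdminSecurity") is None:
                name = parent.tag.rsplit("}", 1)[-1]
                missing.append(f"{name}[{parent.get('StorageName')}]")
    return missing

def patch_export(root, donor_root):
    """Copy the donor's AdminSecurity for each level into parents that lack it,
    then change OptionalData from 13 to 15."""
    for path in PARENTS:
        donor = donor_root.find(path + "/{*}AdminSecurity")
        if donor is None:
            raise ValueError(f"donor export has no AdminSecurity under {path}")
        for parent in root.findall(path):
            if parent.find("{*}AdminSecurity") is None:
                # Assumption: position among sibling elements is not significant.
                parent.append(copy.deepcopy(donor))
    opt = root.find("{*}OptionalData")
    if opt is not None and (opt.text or "").strip() == "13":
        opt.text = "15"
    return root

# Constructed sample exports; the namespace URIs are placeholders.
NS = 'xmlns:fpc4="urn:example:fpc4" xmlns:dt="urn:example:dt"'
SEC = '<fpc4:AdminSecurity StorageName="AdminSecurity" StorageType="1"/>'
TARGET = f'''<fpc4:Root {NS}>
  <fpc4:OptionalData dt:dt="int">13</fpc4:OptionalData>
  <fpc4:Enterprise StorageName="Enterprise"><fpc4:Policies>
    <fpc4:Policy StorageName="{{P1}}"/><fpc4:Policy StorageName="{{P2}}"/>
  </fpc4:Policies></fpc4:Enterprise>
  <fpc4:Arrays><fpc4:Array StorageName="{{A1}}"/><fpc4:Array StorageName="{{A2}}"/></fpc4:Arrays>
</fpc4:Root>'''
DONOR = f'''<fpc4:Root {NS}>
  <fpc4:OptionalData dt:dt="int">15</fpc4:OptionalData>
  <fpc4:Enterprise StorageName="Enterprise">{SEC}<fpc4:Policies>
    <fpc4:Policy StorageName="{{D1}}">{SEC}</fpc4:Policy>
  </fpc4:Policies></fpc4:Enterprise>
  <fpc4:Arrays><fpc4:Array StorageName="{{D2}}">{SEC}</fpc4:Array></fpc4:Arrays>
</fpc4:Root>'''
```

When writing a patched tree back to disk, register the file's own prefixes with `ET.register_namespace` first, otherwise ElementTree replaces `fpc4:` and `dt:` with generated prefixes.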
Here are some examples of the XML snippets described in this process. These are for illustration purposes only – don’t use these snippets!
/Root/Enterprise/Policies/Policy/AdminSecurity
<fpc4:AdminSecurity StorageName="AdminSecurity" StorageType="1">
<fpc4:SecurityRoles StorageName="SecurityRoles" StorageType="1">
<fpc4:SecurityRole StorageName="{GUID}" StorageType="1">
<fpc4:Description dt:dt="string">Has full control over the selected enterprise policy.</fpc4:Description>
<fpc4:Name dt:dt="string">ISA Server Enterprise Policy Editor</fpc4:Name>
<fpc4:Predefined dt:dt="boolean">1</fpc4:Predefined>
</fpc4:SecurityRole>
</fpc4:SecurityRoles>
<fpc4:DelegatedAdmins StorageName="DelegatedAdmins" StorageType="1"/>
</fpc4:AdminSecurity>
/Root/Enterprise/AdminSecurity
<fpc4:AdminSecurity StorageName="AdminSecurity" StorageType="1">
<fpc4:SecurityRoles StorageName="SecurityRoles" StorageType="1">
<fpc4:SecurityRole StorageName="{ GUID }" StorageType="1">
<fpc4:Description dt:dt="string">Has full control over the enterprise and all array configurations, and permissions to assign all roles to other users and groups.</fpc4:Description>
<fpc4:Name dt:dt="string">ISA Server Enterprise Administrator</fpc4:Name>
<fpc4:Predefined dt:dt="boolean">1</fpc4:Predefined>
</fpc4:SecurityRole>
<fpc4:SecurityRole StorageName="{ GUID }" StorageType="1">
<fpc4:Description dt:dt="string">Has read-only access to the enterprise and array configurations.</fpc4:Description>
<fpc4:Name dt:dt="string">ISA Server Enterprise Auditor</fpc4:Name>
<fpc4:Predefined dt:dt="boolean">1</fpc4:Predefined>
</fpc4:SecurityRole>
</fpc4:SecurityRoles>
<fpc4:DelegatedAdmins StorageName="DelegatedAdmins" StorageType="1">
<fpc4:DelegatedAdmin StorageName="{GUID}" StorageType="1">
<fpc4:AccountSid dt:dt="string">SID</fpc4:AccountSid>
<fpc4:SecurityRoleName dt:dt="string">ISA Server Enterprise Administrator</fpc4:SecurityRoleName>
<fpc4:Ref StorageName="SecurityRole" StorageType="1">
<fpc4:Name dt:dt="string">{ GUID }</fpc4:Name>
<fpc4:RefClass dt:dt="string">msFPCSecurityRole</fpc4:RefClass>
<fpc4:Scope dt:dt="int">1</fpc4:Scope>
</fpc4:Ref>
</fpc4:DelegatedAdmin>
<fpc4:DelegatedAdmin StorageName="{ GUID }" StorageType="1">
<fpc4:AccountSid dt:dt="string"> SID </fpc4:AccountSid>
<fpc4:SecurityRoleName dt:dt="string">ISA Server Enterprise Administrator</fpc4:SecurityRoleName>
<fpc4:Ref StorageName="SecurityRole" StorageType="1">
<fpc4:Name dt:dt="string">{ GUID }</fpc4:Name>
<fpc4:RefClass dt:dt="string">msFPCSecurityRole</fpc4:RefClass>
<fpc4:Scope dt:dt="int">1</fpc4:Scope>
</fpc4:Ref>
</fpc4:DelegatedAdmin>
</fpc4:DelegatedAdmins>
</fpc4:AdminSecurity>
/Root/Arrays/Array/AdminSecurity
<fpc4:AdminSecurity StorageName="AdminSecurity" StorageType="1">
<fpc4:SecurityRoles StorageName="SecurityRoles" StorageType="1">
<fpc4:SecurityRole StorageName="{ GUID }" StorageType="1">
<fpc4:Description dt:dt="string">Has full control over the array-level configuration for this array, including permissions to assign array roles. Has read-only access to the enterprise policy applied to this array.</fpc4:Description>
<fpc4:Name dt:dt="string">ISA Server Array Administrator</fpc4:Name>
<fpc4:Predefined dt:dt="boolean">1</fpc4:Predefined>
</fpc4:SecurityRole>
<fpc4:SecurityRole StorageName="{ GUID }" StorageType="1">
<fpc4:Description dt:dt="string">Has full access to array monitoring and read-only access to the array configuration. Has read-only access to the enterprise policy applied to this array.</fpc4:Description>
<fpc4:Name dt:dt="string">ISA Server Array Auditor</fpc4:Name>
<fpc4:Predefined dt:dt="boolean">1</fpc4:Predefined>
</fpc4:SecurityRole>
<fpc4:SecurityRole StorageName="{ GUID }" StorageType="1">
<fpc4:Description dt:dt="string">Has restricted access to array monitoring features. Can view sessions, view and reset alerts, query service status, and verify connectivity.</fpc4:Description>
<fpc4:Name dt:dt="string">ISA Server Array Monitoring Auditor</fpc4:Name>
<fpc4:Predefined dt:dt="boolean">1</fpc4:Predefined>
</fpc4:SecurityRole>
</fpc4:SecurityRoles>
<fpc4:DelegatedAdmins StorageName="DelegatedAdmins" StorageType="1"/>
</fpc4:AdminSecurity>
Zoltan Harmath
Principal Consultant – ISA Server
Microsoft, Hungary
Comments
Anonymous
May 05, 2007
Thanks for the useful information. This came in pretty handy while fixing a server. For server support, computer repair, computer networking and network cabling in Fort Worth visit http://www.texanit.com.