Dec 032010

Like Microsoft ISA server, the Configuration Storage Server (CSS) from TMG also uses ADAM to store the configuration. When creating a replica of the CSS, ADAM is also used to replicate the data.

But what if the primary fails and you have to reinstall the server? Well, in that case you can still use the replica CSS to connect the firewall to. However when installing a new replica of the secondary CSS you will receive issues with ADAM. One of the issues you might get is something like this:

Event ID: 2091

Ownership of the following FSMO role (Operations Master role) is assigned to a server which is deleted or does not exist.

Operations which require contacting a FSMO role owner will fail until this condition is corrected.

So because of this error the roles needs to be transferred to an other CSS server. There are 2 possible ways to do this. 1) Transferring the role or 2) Seizing the role. Actually it’s just like Active Directory. Seizing is something you only do when the previous FSMO holder isn’t available anymore. If it is still available but you want to replace that server you should use the transfer method.

But how do you do this in a Forefront environment?

Let’s say we have two ISA servers and we want to add an additional CSS on a different computer. Let’s say the computer names are as follows: CSS01, ISA01 and ISA02. The CSS01 will become the primary CSS and we want to decommission the current primary CSS running on ISA01.

First of all, let’s tackle the easy part. In the ISA or TMG client right click the array and simply change the primary configured CSS to the secondary or replica CSS. So instead of as your primary CSS, change it to After this is done you need to change the FSMO roles to CSS01.

Okay, first of all you need to start the ADAM Tools Command Prompt. If you click the start button, go to All Programs >> ADAM and there you can find the ADAM Tools Command Prompt. Basically it opens a new command prompt with a starting point in C:\Windows\adam folder. Those tools are installed when you install a CSS on either computer.

Once you are in the command prompt you need to follow the following procedure:

  1. Open an ADAM tools command prompt on ISA1 or ISA2.
  2. At the command prompt, type: dsmgmt.exe
  3. At the dsmgmt: command prompt, type: roles
  4. At the fsmo maintenance: command prompt, type: connections
  5. At the server connections: command prompt, type: connect to server CSS01.domain.local:2171

The ADAM port used by ISA or TMG is 2171 so keep notice of this. Otherwise it will try to connect to port 389 which is the default port number for ADAM or AD.

Once connected you also need to transfer the roles if possible. To transfer the roles follow the procedure below.

  1. At the server connections: command prompt, type: quit
  2. At the fsmo maintenance: command prompt, type: transfer naming master
  3. At the fsmo maintenance: command prompt, type: transfer schema master

And you’re done! If all went well the roles are transferred. If not you will get error messages in your command line window. Ok this is one part, but what if ISA01 had issues with its CSS? For example, if objects are tombstoned or any way corrupted. Or maybe ISA01 is crashed and cannot be recovered anymore. Or what if you tried to transfer the role and received a warning like this:

Event ID: 1837

An attempt to transfer the operations master role represented by the following object failed.

In that case you can seize the FSMO roles instead of transferring. To do this follow the procedure below:

  1. At the server connections: command prompt, type: quit
  2. At the fsmo maintenance: command prompt, type: seize naming master
  3. At the fsmo maintenance: command prompt, type: seize schema master

If you want to add the ISA01 again as CSS simply install the Configuration Storage Server again as a replica and you’re done.