Dec 03 2010

Like Microsoft ISA Server, the Configuration Storage Server (CSS) in TMG uses ADAM to store the configuration. When you create a replica of the CSS, ADAM replication is what keeps the copies in sync.

But what if the primary fails and you have to reinstall the server? In that case you can still point the firewall at the replica CSS. However, when you then install a new replica against that remaining CSS, you may run into ADAM issues. One of them looks like this:

Event ID: 2091

Ownership of the following FSMO role (Operations Master role) is assigned to a server which is deleted or does not exist.

Operations which require contacting a FSMO role owner will fail until this condition is corrected.

Because of this error the roles need to be moved to another CSS server. There are two ways to do this: 1) transferring the role or 2) seizing the role. It is just like Active Directory: seizing is something you only do when the previous FSMO holder isn't available anymore. If it is still available but you want to replace that server, use the transfer method.

But how do you do this in a Forefront environment?

Let's say we have two ISA servers and we want to add an additional CSS on a different computer. The computer names are CSS01, ISA01 and ISA02. CSS01 will become the primary CSS and we want to decommission the current primary CSS running on ISA01.

First of all, let's tackle the easy part. In the ISA or TMG management console, right-click the array and change the configured primary CSS to the secondary (replica) CSS: instead of ISA01 as your primary CSS, make it CSS01. After this is done you need to move the FSMO roles to CSS01 as well.

First you need to start the ADAM Tools Command Prompt: click Start, go to All Programs >> ADAM and you will find the ADAM Tools Command Prompt there. It opens a command prompt with C:\Windows\adam as its starting folder. These tools are installed along with a CSS on any computer.

Once you are in the command prompt you need to follow the following procedure:

  1. Open an ADAM Tools Command Prompt on ISA01 or ISA02.
  2. At the command prompt, type: dsmgmt.exe
  3. At the dsmgmt: command prompt, type: roles
  4. At the fsmo maintenance: command prompt, type: connections
  5. At the server connections: command prompt, type: connect to server CSS01.domain.local:2171

The ADAM port used by the ISA or TMG CSS is 2171, so keep this in mind. If you omit the port, dsmgmt tries port 389, the LDAP default for AD (and for an ADAM instance installed with default settings).

Once connected, transfer the roles if the current holder is still reachable. To transfer the roles follow the procedure below.

  1. At the server connections: command prompt, type: quit
  2. At the fsmo maintenance: command prompt, type: transfer naming master
  3. At the fsmo maintenance: command prompt, type: transfer schema master

And you're done! If all went well the roles are transferred; if not, you will get error messages in the command prompt window. That covers one scenario, but what if ISA01 had issues with its CSS, for example tombstoned or otherwise corrupted objects? Or what if ISA01 has crashed and cannot be recovered anymore? Or what if you tried to transfer the role and received a warning like this:

Event ID: 1837

An attempt to transfer the operations master role represented by the following object failed.

In that case you can seize the FSMO roles instead of transferring them. To do this, follow the procedure below (starting from the server connections: prompt of the first procedure, connected to CSS01):

  1. At the server connections: command prompt, type: quit
  2. At the fsmo maintenance: command prompt, type: seize naming master
  3. At the fsmo maintenance: command prompt, type: seize schema master

If you want to add ISA01 as a CSS again, install the Configuration Storage Server on it again as a fresh replica. Do not bring the old instance that used to hold the roles back online after seizing them; a clean replica install picks up the configuration, including the new role owners, from CSS01.
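Before and after either procedure it helps to know which instance ADAM currently believes owns each role, and whether that owner still exists (if it does not, you are in the Event ID 2091 situation and only seizing will work). The script below is an added example, not part of the original post: it reads the fSMORoleOwner attribute of the schema partition and of the Partitions container on the CSS over the LDAP port discussed above. The hostname CSS01.domain.local and the port are assumptions; run it under an account that can read the CSS configuration.

```powershell
# Added example (not from the original post): report the current Schema master and
# Naming master owners of an ISA/TMG Configuration Storage Server and check whether
# each owner still exists. Server name and port are assumptions.
param(
    [string]$Server = "CSS01.domain.local",
    [int]$Port = 2171
)

$Base = "LDAP://" + $Server + ":" + $Port

# RootDSE tells us where the configuration and schema partitions of this instance live.
$RootDse  = New-Object System.DirectoryServices.DirectoryEntry("$Base/RootDSE")
$ConfigNC = [string]$RootDse.Properties["configurationNamingContext"].Value
$SchemaNC = [string]$RootDse.Properties["schemaNamingContext"].Value

function Get-FsmoOwner {
    param([string]$RoleName, [string]$HolderDn)
    # fSMORoleOwner holds the DN of the NTDS Settings object of the owning instance.
    $Holder  = New-Object System.DirectoryServices.DirectoryEntry("$Base/$HolderDn")
    $OwnerDn = [string]$Holder.Properties["fSMORoleOwner"].Value
    # A deleted owner is a DN that no longer binds; dsmgmt then reports the role as
    # assigned to a server which is deleted or does not exist (Event ID 2091).
    $OwnerExists = [System.DirectoryServices.DirectoryEntry]::Exists("$Base/$OwnerDn")
    New-Object PSObject -Property @{
        Role        = $RoleName
        OwnerDn     = $OwnerDn
        OwnerExists = $OwnerExists
    }
}

$Roles = @(
    (Get-FsmoOwner -RoleName "Schema master" -HolderDn $SchemaNC),
    (Get-FsmoOwner -RoleName "Naming master" -HolderDn "CN=Partitions,$ConfigNC")
)
$Roles | Format-Table Role, OwnerExists, OwnerDn -AutoSize

# Decide which dsmgmt verb applies: transfer if every owner is still alive, otherwise seize.
if ($Roles | Where-Object { -not $_.OwnerExists }) {
    Write-Warning "At least one role owner no longer exists: use 'seize' in dsmgmt."
} else {
    Write-Host "All role owners exist: use 'transfer' in dsmgmt."
}
```

Run it once before you touch dsmgmt to confirm which server you are moving the roles away from, and once afterwards: both OwnerDn values should then point at the NTDS Settings object of CSS01's instance.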

Jul 15 2010

Check this out: finally the official eBooks for Microsoft UAG and Microsoft TMG are on their way. Hopefully this is an indication that "possible" exams will follow any time soon. The eBooks are expected in the fall of this year.

For my personal interests, the TMG and UAG titles are the most interesting. Anyhow, the eBooks which will be released are:

  • Deploying Microsoft Forefront Protection 2010 for Exchange Server
  • Deploying Microsoft Forefront Threat Management Gateway 2010
  • Deploying Microsoft Forefront Unified Access Gateway 2010

Jul 15 2010

At my job site we have a very nice lab environment. However, due to budget cuts we are currently not in a position to extend it. At the moment we have two uninterruptible power supplies (UPS) which would give the systems enough "juice" in case of a power outage. However, these UPS systems don't have a management interface card, so we cannot communicate with the UPS to make sure the servers are brought down cleanly.

So we changed our environment a bit. The Cisco switches are now connected to unprotected ("dirty") power, so if we have a power outage the switches go down immediately. If the switches fail, our servers can no longer reach their default gateway. Within VMware HA this is detected as host isolation, and the configured isolation response brings the VMs down. Our three physical servers (SQL 2008, vCenter and a DC), however, are not shut down in such an event.

Therefore I wrote the little PowerShell script below. Simply edit the gateway address and the timers to suit your environment. With the current timers (a two-minute poll interval, a three-minute recheck and a one-minute final recheck), the quickest shutdown takes place within 4 minutes and the slowest within 6 minutes. Note: make sure your UPS can hold out that long.

Although I do know that this is a poor man's solution, I don't think we have a better choice.

[code lang="ps"]
# Gateway to watch. If it stops answering for long enough, the server shuts itself down.
$Gateway = ""
$EventSource = "GatewayWatchdog"

function WriteEventLog($Subject, $LogLevel, $Message) {
    # Register our own event source once so the entries land in the System log.
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        [System.Diagnostics.EventLog]::CreateEventSource($EventSource, "System")
    }
    $Event = New-Object System.Diagnostics.EventLog("System")
    $Event.Source = $EventSource
    # $LogLevel is Information, Warning or Error (EventLogEntryType).
    $Event.WriteEntry("$Subject`n$Message", $LogLevel)
}

function shutdownSystem {
    WriteEventLog "Network Lost" "Error" "System is going down since the network is lost, possibly due to a power failure.`nPlease contact one of the System Administrators."
    # Shutting down the computer starts right now.
    Stop-Computer -Force
}

function Recheck {
    $PingCount = 4
    # Wait three minutes before rechecking, to rule out a temporarily unplugged cable.
    Start-Sleep -Seconds 180
    if (Test-Connection $Gateway -Count $PingCount -ErrorAction SilentlyContinue) {
        WriteEventLog "Network connection restored" "Information" "Gateway responded again.`nConnection restored."
        return
    }
    # Still no answer: give it one more minute, then shut down if it is still gone.
    Start-Sleep -Seconds 60
    if (Test-Connection $Gateway -Count $PingCount -ErrorAction SilentlyContinue) {
        WriteEventLog "Network connection restored" "Information" "Gateway responded again.`nConnection restored."
    } else {
        shutdownSystem
    }
}

function checkStatus {
    $PingCount = 2
    # Two failed pings in a row start the recheck cycle.
    if (-not (Test-Connection $Gateway -Count $PingCount -ErrorAction SilentlyContinue)) {
        WriteEventLog "Network Lost" "Warning" "Gateway didn't respond within a timely fashion."
        Recheck
    }
}

# Loop forever, checking the gateway every two minutes.
while ($true) {
    Start-Sleep -Seconds 120
    checkStatus
}
[/code]


Jun 28 2010

Ok, it's been a long time since I wrote something, but this really bothered me for almost a week. I was trying to install Forefront Client Security in our lab environment. I really thought it couldn't be that hard to just get it up and running. Most applications install their subcomponents automatically, or at least ask for the additional subcomponents to be installed. You'd be wrong if you thought this is also the case for Forefront Client Security. I've learned my lesson: RTFM 🙂

Anyhow, there are a couple of things you really need to know before you even consider installing Forefront Client Security. There are some prerequisites. First of all, Forefront Client Security is currently not supported on Windows Server 2008 x64, so Windows Server 2008 R2 isn't supported either. This was a bit of a shock for me, since I thought 64-bit was a commonly supported platform, at least for Microsoft software. 🙂 So I switched back to x86, which is supported, but still I couldn't manage to install Forefront Client Security on my server.

After almost a week of trying to install Microsoft Forefront Client Security I finally found this Microsoft document, which helped me install it. I still think Microsoft's setup should check what software is installed and either install what is missing or ask for it.

Since I'm running WSUS on a different server, I didn't need to install WSUS again. Still, check out the pre-installation requirements below if you want to run it all on the same server:

  • Install Microsoft .NET Framework 1.1 with SP1
  • Install .NET Framework 3.0.
  • Install IIS and ASP.NET
  • Install SQL Server 2005 with SP2.
  • Install GPMC with SP1
  • Install, configure, and synchronize Windows Server Update Services (WSUS) with SP1

For me, leaving out WSUS worked fine, but come on: installing two versions of the .NET Framework, IIS and GPMC, couldn't this be included in the installation wizard?

Anyhow, I did manage to get it up, which made me pretty happy… 🙂
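The check the installer does not do for you, as an added example that is not part of the original post: run this on the intended FCS server before starting setup and it reports each prerequisite from the list above, plus the 32-bit requirement. The .NET Framework, IIS, SQL Server 2005 and WSUS locations are those products' own setup registry keys; the ASP.NET key and the two GPMC file paths are assumptions.

```powershell
# Added example (not from the original post): check the Forefront Client Security
# prerequisites on the local server. GPMC paths and the ASP.NET key are assumptions.
$Results = @()
function Add-Result($Name, $Installed, $Detail) {
    $script:Results += New-Object PSObject -Property @{
        Prerequisite = $Name; Installed = [bool]$Installed; Detail = $Detail
    }
}
function Get-RegValues($Path) { Get-ItemProperty $Path -ErrorAction SilentlyContinue }

# FCS server roles are 32-bit only, so flag an x64 OS before anything else.
Add-Result "32-bit Windows" ($env:PROCESSOR_ARCHITECTURE -eq "x86") $env:PROCESSOR_ARCHITECTURE

# .NET Framework setup records Install=1 and the service pack level (SP) per version.
$Net11 = Get-RegValues "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v1.1.4322"
Add-Result ".NET Framework 1.1 SP1" ($Net11.Install -eq 1 -and $Net11.SP -ge 1) "SP=$($Net11.SP)"
$Net30 = Get-RegValues "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.0"
Add-Result ".NET Framework 3.0" ($Net30.Install -eq 1) "SP=$($Net30.SP)"

# IIS records its version under InetStp; ASP.NET registration key is assumed.
$Iis = Get-RegValues "HKLM:\SOFTWARE\Microsoft\InetStp"
Add-Result "IIS" ($Iis -ne $null) "$($Iis.MajorVersion).$($Iis.MinorVersion)"
Add-Result "ASP.NET" (Test-Path "HKLM:\SOFTWARE\Microsoft\ASP.NET") ""

# SQL Server 2005 SP2 is build 9.00.3042: resolve each instance ID, then read its version.
$Sql = $false; $SqlDetail = "no instance found"
$Instances = Get-RegValues "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL"
if ($Instances) {
    # Get-ItemProperty adds PS* properties; the rest are instance name -> instance ID.
    $Names = $Instances.PSObject.Properties | Where-Object { $_.Name -notlike "PS*" } | ForEach-Object { $_.Name }
    foreach ($Name in $Names) {
        $Id  = $Instances.$Name
        $Ver = (Get-RegValues "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$Id\MSSQLServer\CurrentVersion").CurrentVersion
        if ($Ver) {
            $V = [version]$Ver
            if ($V.Major -eq 9 -and $V.Build -ge 3042) { $Sql = $true }
            $SqlDetail = "$Name $Ver"
        }
    }
}
Add-Result "SQL Server 2005 SP2" $Sql $SqlDetail

# GPMC: separate download on Windows Server 2003, a feature on 2008 (paths assumed).
$Gpmc = @("$env:windir\System32\gpmc.msc", "$env:ProgramFiles\GPMC\gpmc.msc") | Where-Object { Test-Path $_ }
Add-Result "GPMC" ($Gpmc -ne $null) "$Gpmc"

# WSUS 3.0 SP1 reports VersionString 3.1.x; ignore this row if WSUS runs on another server.
$Wsus = Get-RegValues "HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup"
$WsusOk = $false
if ($Wsus -and $Wsus.VersionString) {
    $W = [version]$Wsus.VersionString
    $WsusOk = ($W.Major -eq 3 -and $W.Minor -ge 1)
}
Add-Result "WSUS 3.0 SP1" $WsusOk "$($Wsus.VersionString)"

$Results | Format-Table Prerequisite, Installed, Detail -AutoSize
```

Anything that shows Installed = False is something you install by hand before running the FCS setup; on an x64 server the first row alone tells you to rebuild on x86.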

May 28 2010

Now the dates are official and registration has been opened. I'm not sure yet if I'm going, but for anyone who knows it for certain, enjoy!

What you’ll get at this year’s event

  • Hear about the future of Microsoft’s products, technologies, solutions and services directly from Microsoft’s leaders
  • Choose from over 370 technical sessions delivered by Microsoft and industry experts
  • Participate in more than 150 Hands-on Labs and Technical Learning Centres designed to give you practical experience with the latest tools and technologies
  • Network with Microsoft and industry experts, and fellow delegates that share your technology interests and business challenges
  • Plan the features and architecture to support your product and business goals and to prepare your skills for the future