You may receive a "Setup failed while creating the services configuration" error when you try to install ISA Server 2004 on a Windows Server 2003-based domain controller (898720)
The information in this article applies to:
- Microsoft Internet Security and Acceleration Server 2004, Enterprise Edition
- Microsoft Internet Security and Acceleration Server 2004, Standard Edition
SYMPTOMS
You try to install Microsoft Internet Security and Acceleration (ISA) Server 2004 on a Microsoft Windows 2003-based domain controller. The domain controller resides in a Microsoft Windows 2000 domain. In this scenario, you may receive the following error message:
Setup failed while creating the services configuration.
Additionally, the following error message may be logged in the ISA Server Firewall service setup log file:
ISA setup CA INFO : ENTRY: <Time> ConfigureServices, Current user is <Domainname>\Administrator
ISA setup CA ERROR : the function NetLocalGroupAddMembers failed with status = 8ac at the function AddNetSvcToNetCfgOp.
Note The path of this log file is %windir%\Temp\ISAFWSV_LogNumber.log. This log file may not state that the Firewall service is successfully installed. The error message that is logged in this log file indicates that the Network Configuration Operators group is not found on the computer. A successful installation generates the following message in the log file:
Property(C): NETWORKSERVICEACCOUNTNAME = NETWORK SERVICE
Property(C): SERVICES_INSTALLED = 1
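The log check described above, as an added example that is not part of the original article: it scans setup log text for the custom-action error line, decodes the status value, and looks for the success marker. The sample log text is constructed, the function names diagnose and group_missing are hypothetical, and reading the status field as hexadecimal is an assumption (8ac hex is 2220, NERR_GroupNotFound, which matches the "group is not found" explanation).

```python
import re

# Constructed sample logs, modelled on the lines quoted in this article.
SAMPLE_FAILED = """\
ISA setup CA INFO : ENTRY: 10:42:07 ConfigureServices, Current user is EXAMPLE\\Administrator
ISA setup CA ERROR : the function NetLocalGroupAddMembers failed with status = 8ac at the function AddNetSvcToNetCfgOp.
"""
SAMPLE_OK = """\
Property(C): NETWORKSERVICEACCOUNTNAME = NETWORK SERVICE
Property(C): SERVICES_INSTALLED = 1
"""

# Status codes that NetLocalGroupAddMembers can return (winerror.h / lmerr.h).
NET_STATUS = {
    5: "ERROR_ACCESS_DENIED",      # installing account may not modify the group
    1378: "ERROR_MEMBER_IN_ALIAS",
    1387: "ERROR_NO_SUCH_MEMBER",
    1388: "ERROR_INVALID_MEMBER",
    2220: "NERR_GroupNotFound",    # the group does not exist
}

# Assumption: the status field is hexadecimal without a 0x prefix.
ERROR_RE = re.compile(
    r"ISA setup CA ERROR : the function (?P<api>\w+) failed with status = "
    r"(?P<status>[0-9a-fA-F]+) at the function (?P<caller>\w+)")
SUCCESS_RE = re.compile(r"^Property\(C\): SERVICES_INSTALLED = 1\s*$", re.M)

def diagnose(log_text):
    """Return the success flag and every decoded custom-action error."""
    errors = []
    for line in log_text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            code = int(m.group("status"), 16)
            errors.append({"api": m.group("api"), "caller": m.group("caller"),
                           "code": code, "name": NET_STATUS.get(code, "unknown")})
    return {"services_installed": bool(SUCCESS_RE.search(log_text)),
            "errors": errors}

def group_missing(report):
    """True when the log shows the failure this article describes."""
    return any(e["api"] == "NetLocalGroupAddMembers" and e["code"] == 2220
               for e in report["errors"])

if __name__ == "__main__":
    for label, text in (("failed", SAMPLE_FAILED), ("ok", SAMPLE_OK)):
        report = diagnose(text)
        print(label, report, "group missing:", group_missing(report))
```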
CAUSE
This behavior occurs because the Network Configuration Operators group does not exist on the domain controller. In a Windows 2000 domain, the Network Configuration Operators group does not exist on the domain controller until the operations master primary domain controller (PDC) role is moved to a Microsoft Windows Server 2003-based domain controller. When the ISA Server 2004 Setup program tries to change the Network Configuration Operators group, an error occurs. The Network Configuration Operators group exists as a local group on a Windows Server 2003-based member server. The group exists as a domain local group on a domain controller that resides in a Windows Server 2003 domain.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
243330
Well-known security identifiers in Windows operating systems
RESOLUTION
To resolve this problem, use one of the following methods:
- Move the operations master PDC role to a Windows Server 2003-based domain controller in the domain. This method creates the Network Configuration Operators group.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
324801
How to view and transfer FSMO roles in Windows Server 2003
- Remove the Active Directory directory service from the domain controller, install ISA Server 2004, and then install Active Directory again on the domain controller.
For more information about how to remove Active Directory from a Windows Server 2003-based domain controller, visit the following Microsoft Web site:
After you use one of these methods to resolve the problem, make sure that the following permissions and settings are configured on the domain controller:
- The local service account and the network service account have permissions to generate security audits in domain Group Policy.
For more information about generating security audits, visit the following Microsoft Web site:
- The Authenticated Users group is a member of the Pre-Windows 2000 Compatible Access group.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
325363
How to add users to the Pre-Windows 2000 Compatible Access group in Windows Server 2003
- The account that you use to install ISA Server 2004 has permissions to modify the Network Configuration Operators local domain group.
Note You can verify whether the account has permissions to change the Network Configuration Operators local domain group by using the ADSIEdit.exe or Dsacls.exe tools that are included with the Windows Server 2003 Resource Kit.
For more information about how to use Dsacls.exe tool, click the following article number to view the article in the Microsoft Knowledge Base:
281146
How to use Dsacls.exe in Windows 2000
Modification Type: Major
Last Reviewed: 2/27/2006
Keywords: kbtshoot kbprb KB898720 kbAudITPRO