Windows 2000 Server Cannot Join Existing ISA Array (295654)



The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2000

This article was previously published under Q295654
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SYMPTOMS

When you install a new ISA Server-based computer into an existing ISA Server array, you may receive the following error message:
This computer cannot join an array, for one of the following reasons:
* The ISA server is not part of a Windows 2000 domain.
* The ISA Server schema is not installed in Active Directory.
* You do not have permission to access the schema.
If you continue with Setup now, this computer will be a stand-alone server.
Do you want to continue?

CAUSE

This issue can occur if the new ISA Server computer does not meet, or cannot verify that it meets, the following requirements for installation into an existing ISA array:
  • The new ISA Server computer is a member of the same Microsoft Windows 2000 domain as the ISA Server computers that are in the target ISA array, prior to ISA Server being installed on the computer.
  • The new ISA Server computer is in the same Active Directory site as the ISA Server computers that are in the target ISA array, prior to ISA being installed on the computer.
During an ISA Server installation, the target server uses a Domain Name System (DNS) server to verify which computers are in its domain and site. If the server cannot find other ISA Server computers in its domain or site by querying DNS, it is not able to join an existing ISA array. In that case, ISA Server Setup is limited to configuring the new ISA Server computer as a stand-alone ISA Server computer.

RESOLUTION

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To resolve this issue, verify the target server's configuration before you try to install ISA Server:
  1. Verify the server's domain membership. To do so, on the desktop of the server, right-click My Computer, click Properties, and then click the Network Identification tab. The domain that is listed on this tab should match the domain that is listed on the same tab of the ISA Server computers in the existing ISA array. If it does not, change it accordingly.
  2. Verify what Active Directory site the server is in by looking at a value that is set in the registry on the server. Use Registry Editor (Regedt32.exe) to view the DynamicSiteName value in the following registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters

    The site name that is specified by this registry value should match the site that the ISA Server computers in the existing ISA array are in. At the same location in the registry, check if a SiteName registry value has been added. This value statically configures a server's site. If this value has been added, ensure that it specifies the same site as the other servers that already exist in the target ISA array.

    If the new ISA Server computer is not a member of the same Active Directory site as the servers in the target ISA array, move the new ISA Server computer into the correct site and re-install ISA Server. Refer to Windows 2000 Server Help for instructions about how to change Active Directory sites.
  3. If the new ISA Server computer is a member of the same domain and in the same Active Directory site as the other ISA Server computers in the ISA array, but you still receive the error message that is listed in the "Symptoms" section of this article, it is likely that DNS issues are the cause.

    Windows 2000 supports dynamic DNS updates as described in Request for Comments (RFC) 2136. Each Windows 2000 server registers its Host (A) records, Pointer (PTR) records, and Service (SRV) records with a DNS server. If dynamic updates are not used, you must manually configure a server's records in the correct zones within DNS.

    Windows 2000 servers also use these records to locate Windows 2000 domains and Active Directory sites. If a Windows 2000 server has not successfully registered its DNS records with a DNS server, other Windows 2000-based computers cannot locate the server and its services. For additional information about how domain controllers are located in Windows 2000, click the article number below to view the article in the Microsoft Knowledge Base:

    247811 How Domain Controllers Are Located in Windows 2000

    The ISA Server installation wizard relies on this DNS mechanism to determine Windows 2000 domain and Active Directory site membership. If the new ISA Server computer cannot find other ISA Server computers in its own domain or site, it only allows ISA Server to be installed as a stand-alone ISA Server computer. It is critical that the new ISA Server computer be configured to use one or more DNS servers and that it registers its DNS records properly with those servers before the ISA Server installation process starts. During the ISA Server installation process, the new server tries to verify what Active Directory site it is in, and to find other servers that are in the same site. If the new ISA Server computer cannot query DNS or receives negative responses from DNS during this process, the new ISA Server computer will not be able to join an existing ISA array.

    To ensure that the new ISA Server computer has registered with DNS properly, and that ISA Server computers in the target ISA array are also registered with DNS properly, run the netdiag.exe /test:dns /fix /v command on all ISA Server computers. For more detail, run the netdiag.exe /debug /fix /v command on all ISA Server computers.

    When you run the Netdiag.exe utility with these command-line switches, it tests whether all of the server's DNS records (A, PTR, and SRV) are registered with all of the configured DNS servers and can be found successfully. If some DNS registrations are missing, the utility attempts to re-register the server's records with its configured DNS servers. The utility generates a report that indicates the results of the tests, and any re-registration attempts. The Netdiag.exe utility is installed with the Windows 2000 Support Tools. For additional information about Netdiag.exe, click the article number below to view the article in the Microsoft Knowledge Base:

    265706 DCDiag/NetDiag in Windows 2000 Facilitate Join and DC Creation

    All DNS issues on the new ISA Server computer and on all ISA Server computers in the target ISA array should be resolved before you try to install new ISA Server computers into the array.
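
The site comparison in step 2 can be scripted over registry output captured from each server. The following is an added example, not part of the original article or of any Microsoft tool: it assumes the text is `reg query` output for the Netlogon\Parameters key, treats a non-empty SiteName as taking precedence over DynamicSiteName, and uses made-up host, site and domain names. It also builds the site-specific SRV record name that the locator described in article 247811 looks up.

```python
import re

# One value line of `reg query` output: value name, REG_* type, data.
VALUE_LINE = re.compile(r"^\s*(\S+)\s+REG_\w+\s+(.*\S)\s*$")

def effective_site(reg_output):
    """Return (site, source value) for captured Netlogon\\Parameters output.
    A non-empty static SiteName takes precedence over DynamicSiteName."""
    values = {}
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1).lower()] = m.group(2)
    for name in ("sitename", "dynamicsitename"):
        if values.get(name):
            return values[name], name
    return None, None

def site_mismatches(candidate_output, member_outputs):
    """List array members whose effective site differs from the new server's."""
    site, _ = effective_site(candidate_output)
    problems = []
    for host, output in sorted(member_outputs.items()):
        member_site, source = effective_site(output)
        if not site or not member_site or site.lower() != member_site.lower():
            problems.append((host, member_site, source))
    return site, problems

def site_srv_name(site, dns_domain):
    """Site-specific domain controller locator SRV record name."""
    return f"_ldap._tcp.{site}._sites.dc._msdcs.{dns_domain}"

# Constructed captures: host, site and domain names are made up.
KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters"
NEW_SERVER = f"{KEY}\n    DynamicSiteName    REG_SZ    Branch-Site\n"
MEMBERS = {
    "ISA1": f"{KEY}\n    DynamicSiteName    REG_SZ    HQ-Site\n",
    # Static SiteName present: it wins over the dynamic value.
    "ISA2": f"{KEY}\n    DynamicSiteName    REG_SZ    Branch-Site\n"
            f"    SiteName    REG_SZ    HQ-Site\n",
}

if __name__ == "__main__":
    site, problems = site_mismatches(NEW_SERVER, MEMBERS)
    for host, member_site, source in problems:
        print(f"{host}: in {member_site} (from {source}), new server in {site}")
    print("SRV record to look up:", site_srv_name("HQ-Site", "example.test"))
```

An empty mismatch list means every array member reports the same effective site as the new server; the SRV name can then be checked with a DNS lookup from the new server.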

Modification Type: Major
Last Reviewed: 2/19/2003
Keywords:kberrmsg kbnetwork kbprb KB295654