FIX: Multiple Registered Web Filters in Active Directory Are Handled Incorrectly (813865)
The information in this article applies to:
- Microsoft Internet Security and Acceleration Server 2000
- Microsoft Internet Security and Acceleration Server 2000 SP1
SYMPTOMSAfter you install ISA Server Web filters such as Urlscan or
Link Translation, the ISA Server control service may not start, or the Web
filter may not work correctly and may not appear in the ISA Server Microsoft
Management Console (MMC). This problem only occurs if all the following
conditions are met:
- Multiple ISA Server computers are operating in an
enterprise array.
- The domain contains multiple domain controllers.
- The Web filter was installed on separate enterprise array
members that were logged on to different domain controllers at the time of
installation.
- After the first Web filter was installed on a computer in
the ISA Server array, Active Directory domain controller replication was not
completed before Web filters were installed on other computers in the
array.
CAUSEThis is a result of an Active Directory replication issue
that occurs when ISA Server Web filters are installed on separate computers in
the domain. In this issue, duplicate entries (that is, "mangled nodes") for the
same Web filter may exist in the ISA server array policy, and ISA Server cannot
handle the mangled nodes correctly. For more information about how to detect
the mangled nodes, see the "More Information" section. WORKAROUNDTo work around this issue, run Active Directory replication
after you install a Web filter on the first computer in the ISA Server array.
Initiate Active Directory replication from the domain controller where that ISA
Server computer was logged on, and then verify that Active Directory
replication was completed. When you do this, you make sure that all domain
controllers have the latest information. You do not have to run Active
Directory replication after the other Web filter installations in the ISA
Server array are completed because Web filter data is global for all arrays.
For more information about how to run this task, see the "References" section
or contact Microsoft Support. RESOLUTIONA supported fix is now available from Microsoft, but it is only
intended to correct the problem that is described in this article. Apply it
only to computers that are experiencing this specific problem. This fix may
receive additional testing. Therefore, if you are not severely affected by this
problem, Microsoft recommends that you wait for the next Internet Security and
Acceleration Server 2000 service pack that contains this hotfix. To
resolve this problem immediately, contact Microsoft Product Support Services to
obtain the fix. For a complete list of Microsoft Product Support Services phone
numbers and information about support costs, visit the following Microsoft Web
site: NOTE: In special cases, charges that are ordinarily incurred for
support calls may be canceled if a Microsoft Support Professional determines
that a specific update will resolve your problem. The typical support costs
will apply to additional support questions and issues that do not qualify for
the specific update in question. The English version of this fix has the file
attributes (or later) that are listed in the following table. The dates and
times for these files are listed in coordinated universal time (UTC). When you
view the file information, it is converted to local time. To find the
difference between UTC and local time, use the Time Zone tab
in the Date and Time tool in Control Panel.
Date Time Version Size File name
----------------------------------------------------------
26-June-2003 09:07 3.0.1200.270 212,240 Msfpc.dll
26-June-2003 09:08 3.0.1200.270 1,822,480 Msfpccom.dll
PrerequisitesISA Server 2000 Service Pack 1 (SP1) is required to install this
hotfix.
For additional information about how to obtain the ISA Server
Service Pack 1, click the following article number to view the article in the
Microsoft Knowledge Base: 313139
How to Obtain the Latest Internet Security and Acceleration Server 2000 Service Pack
Hotfix Replacement InformationThis hotfix does not replace any other hotfixes. Note This hotfix does not remove the mangled nodes from Active
Directory. However, with the hotfix installed, ISA Server can handle the
mangled nodes correctly. Removing the Hotfix You may not be able to remove the hotfix if the Active Directory
storage for the Web filter contains mangled nodes because ISA Server cannot
handle the mangled nodes correctly during the removal process. However, ISA
Server removes the mangled nodes from Active Directory when you back up and
restore your ISA Server configuration. After the backup and restore operations
are complete, you can remove the hotfix. To remove the hotfix:
- Back up the ISA Server configuration.
- Restore the ISA Server configuration by using the backup
file that you created in step 1.
- Remove the hotfix.
For more information about how to run backup and restore
operations on ISA Server, see the "More Information" section. Note If you want to remove mangled nodes from Active Directory
manually, contact Microsoft Product Support Services (PSS) for information and
assistance. MORE INFORMATIONBecause of the Active Directory replication issue, you may
notice multiple Web filter registration entries for the same Web filter. These
multiple Web filter registration entries appear as duplicated (that is,
"mangled") nodes. For example, you may see the following: CN={87F18571-C71D-4a2f-9111-9E0927A00B51}
msFPCISAPIFilter
CN={87F18571-C71D-4a2f-9111-9E0927A00B51},CN=ISAPI-Filters,CN=Extensions,CN={EE37A70F-E9DE-4674-83C4-D602BBF20E3B},CN=Arrays,CN=Fpc,CN=System,DC=DBVWINEU
CN={87F18571-C71D-4a2f-9111-9E0927A00B51}CNF:12921ebc-b0a5-43cf-9e7f-86266db524f5
msFPCISAPIFilter
CN={87F18571-C71D-4a2f-9111-9E0927A00B51}CNF:12921ebc-b0a5-43cf-9e7f-86266db524f5,CN=ISAPI-Filters,CN=Extensions,CN={EE37A70F-E9DE-4674-83C4-D602BBF20E3B},CN=Arrays,CN=Fpc,CN=System,DC=DBVWINEU
CN={87F18571-C71D-4a2f-9111-9E0927A00B51}CNF:12fc2695-343c-48f0-9aa6-10704ebb683f
msFPCISAPIFilter
CN={87F18571-C71D-4a2f-9111-9E0927A00B51}CNF:12fc2695-343c-48f0-9aa6-10704ebb683f,CN=ISAPI-Filters,CN=Extensions,CN={EE37A70F-E9DE-4674-83C4-D602BBF20E3B},CN=Arrays,CN=Fpc,CN=System,DC=DBVWINEUNote A "CNF..." entry behind the GUID starts at the second duplicate
entry (that is, the mangled entry). To verify this, use ADSI Edit and view the
following Active Directory tree: Domain NC
--CN=System
----CN=Fpc
------CN=Arrays
--------CN=%Current GUID of your ISA Server Array%
----------CN=Extensions
------------CN=ISAPI-Filters If you want to remove the mangled nodes from Active Directory,
you can use the ISA Server backup and restore process that is described in the
"Resolution" section. For help with manually cleaning the mangled nodes,
contact Microsoft PSS. ADSI Edit is available in Windows Support
Tools.
For additional information about how to install Windows
2000 Support Tools, click the following article number to view the article in
the Microsoft Knowledge Base: 301423
HOW TO: Install the Windows 2000 Support Tools to a Windows 2000 Server-Based Computer
Back up and Restore the ISA Server Configuration To back up the ISA Server configuration:
- Open the ISA Server MMC.
- Right-click a server name or an array name.
- Right-click Back Up.
- Select a name and location for the backup file.
- Click OK.
To restore the ISA Server configuration:
- Open the ISA Server MMC.
- Right-click a server name or an array name.
- Right-click Restore.
- Select the backup file that you want to restore.
- Click OK.
REFERENCESYou can use Replmon.exe and Dcdiag.exe to troubleshoot
Active Directory replication issues. For more information, visit the following
Microsoft Web sites: STATUS Microsoft
has confirmed that this is a problem in the Microsoft products that are listed
at the beginning of this article.
| Modification Type: | Minor | Last Reviewed: | 10/11/2005 |
|---|
| Keywords: | kbHotfixServer kbQFE kbISAServ2000preSP2fix kbfix kbbug KB813865 kbAudDeveloper |
|---|
|