Essential Business Server 2008 (EBS) - Security Server Installation fails on Forefront Threat Management Gateway.

[This post comes to us courtesy Vikramjit Singh.]

Issue

You have installed the first server of Essential Business Server 2008 – Management Server. Now while installing the Security the setup fails on Forefront TMG with he following error:

“An error occurred while configuring the certificate for the server.”

Here’s a screenshot:

*Apologies for the poor screenshot, we will update it with a better one the next time we come around the error. :)

Cause

This could be caused due to a time difference between the Management Server and the Security Server. All EBS servers install on PST time zone by default. If the time/time zone is altered during the installation of these servers you could expect a few failures. Also the Security server may synchronize time with its BIOS. As a result, Kerberos tickets expiry because of the time change which causes the conflict/authentication failure eventually resulting in a failure of installation which cannot be resumed.

MMSSetup.log can confirm that the failure was caused because of a time difference. Please use Shift+F10 to open the command prompt on the security server. Go to c:\Program Files\Windows Essential Business Server\Logs\MMSSetup.log

You can view the time as marked in yellow in the log below:-

[1008],"2021.09.22 18:37:11.812","MMSNet","Information","**********************************"
[1008],"2021.09.22 18:37:12.843","MMSNet","Information","Entering IsDomainJoined()"
[1008],"2021.09.22 18:37:12.843","MMSNet","Information","status = 'NetSetupWorkgroupName’
[1008],"2021.09.22 18:37:12.843","MMSNet","Information","Return value of this method = 'False'"
[1008],"2021.09.22 18:37:12.875","MMSSetup","Information","SETUP STARTING: 09/22/2021 18:37:12"

In the log above we can see that the year mentioned above 2021 which is incorrect. This is due to the wrong date in the BIOS which needs to be changed.

Resolution

Unfortunately reinstallation of security server cannot be avoided! Therefore turn the machine off, reboot it and go into the BIOS. Under the BIOS settings please make sure that the date and time are the same as that on the Management Server (most likely PST). Once the changes have been made exit setup and use the Security Server disk to restart the Installation.

Please format the system drive and the data drive as well and proceed with the Installation of the Security Server. Once the setup wizard occurs you would reach a stage where it would prompt for the domain name and details. After this is entered the setup might go into a replacement mode state where it knows that the security server was already installed previously and was part of the domain. Therefore the user might be prompted to run the installation is replacement mode. If yes, please click on “Prepare Replacement”

Now follow the simple instructions on the screen and continue.

Note: You are not required to do any cleanup to remove Security Server’s objects and attributes in Active Directory or on the existing servers in the domain. The setup would automatically detect that and do necessary changes and continue the installation.