Troubleshooting an ISA Server Enterprise Edition Upgrade: What if I forget to export user permission settings?

Upgrading from ISA Server 2004 Enterprise Edition to ISA Server 2006 Enterprise Edition is a very easy task. Our official upgrade guide is useful and clear.

In a nutshell, the upgrade path is the following (for the detailed steps, PLEASE read the upgrade guide, which is available at http://www.microsoft.com/technet/isa/Server 2006/Upgrade_Guide_EE.mspx ):

1. Export the ISA Server 2004 configuration from the ISA Server 2004 based Configuration Storage server

2. Create a new Configuration Storage server – this step depends on your equipment

a. If you have an extra server, you should install a new ISA Server 2006 based Configuration Storage server

b. If you don’t have an extra server and you can’t place a new ISA Server 2006 based Configuration Storage server on an existing infrastructure server, you have to uninstall the current ISA Server 2004 based Configuration Storage server and install the ISA Server 2006 Configuration Storage server on the same hardware

3. Import the exported ISA Server 2004 configuration

4. Perform an in-place upgrade of the ISA Server array members

If you have to reuse the same Configuration Storage server hardware you should be careful. It is very important to select the “Export user permission setting” option during the export process. But what will happen if you create an export without the user permission settings? The short answer is: catastrophe. The long answer: you can’t import the configuration to the ISA Server 2006 Configuration Storage server, and if you have already uninstalled the ISA Server 2004 Configuration Storage server you are in trouble. When you try to import the exported XML to the ISA Server 2006 Configuration Storage server you will receive the following error message and the upgrade process will be terminated:

To solve this problem, you have to rebuild your ISA infrastructure and export the configuration again with the right settings. The answer is trivial, but the process itself is not, and it is time-consuming.

If it is acceptable to lose the delegated permissions, you can solve this problem without rebuilding the entire system. You have to insert some new sections into the existing exported XML file. Follow these steps:

1. Install a new ISA Server 2004 Enterprise Edition on a clean computer. Create one array, and export the configuration with the “Export user permission setting” option selected.

2. Open this new XML file with an XML editor (you can use Notepad, but it’s not a good application for navigating within XML) and copy the XML code from the following XPATHs (examples of the portions you should copy are provided later in this posting):

   - /Root/Enterprise/Policies/Policy/AdminSecurity
   - /Root/Enterprise/AdminSecurity
   - /Root/Arrays/Array/AdminSecurity

3. Open the originally exported XML file and make the following changes in it:

   - Change the OptionalData from 13 to 15:
     - XPATH = /Root/OptionalData
     - Original data: <fpc4:OptionalData dt:dt="int">13</fpc4:OptionalData>
     - New data: <fpc4:OptionalData dt:dt="int">15</fpc4:OptionalData>

   - Insert the copied AdminSecurity parts at the following XPATHs:
     - /Root/Enterprise/Policies/Policy/AdminSecurity (if you have more than one Enterprise Policy, copy this information under every Enterprise Policy)
     - /Root/Enterprise/AdminSecurity
     - /Root/Arrays/Array/AdminSecurity (if you have more than one Array, copy this information under every Array)

4. Save the XML file.

5. After you complete these steps, finalize the upgrade process with the modified XML file, following the procedures in the Upgrade Guide.

6. After upgrading the configuration, re-assign the Administrative Roles at the Enterprise, Enterprise Policy and Array levels.
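The hand edits in steps 3 and 4 can also be scripted, which matters when you have many Enterprise Policies or Arrays and a section is easy to miss. The following Python script is an added example, not part of the original post and not an ISA Server tool: it reads the export that was made without user permission settings and the export from the clean ISA Server 2004 installation, changes OptionalData from 13 to 15, and copies one AdminSecurity section from the clean export under every Enterprise Policy, the Enterprise itself, and every Array. The namespace URIs for the fpc4: and dt: prefixes, the function names and the two sample exports are assumptions constructed for the demonstration; take the real namespace URIs from the xmlns declarations on <fpc4:Root> in your own export.

```python
import copy
import xml.etree.ElementTree as ET

# ASSUMED namespace URIs for the fpc4: and dt: prefixes; take the real ones
# from the xmlns declarations on <fpc4:Root> in your own export.
NS = {
    "fpc4": "http://schemas.microsoft.com/isa/config-4",
    "dt": "urn:schemas-microsoft-com:datatypes",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)   # keep the prefixes when serialising

# Parents (relative to /Root) that must each carry one AdminSecurity child.
# The same paths locate the template sections in the donor export.
ADMIN_SECURITY_PARENTS = [
    "fpc4:Enterprise/fpc4:Policies/fpc4:Policy",   # every Enterprise Policy
    "fpc4:Enterprise",                              # the Enterprise itself
    "fpc4:Arrays/fpc4:Array",                       # every Array
]

def _child(elem, local_name):
    return elem.find("fpc4:" + local_name, NS)

def merge_admin_security(broken_xml, donor_xml):
    """Return (repaired XML text, {parent path: number of sections inserted})."""
    broken = ET.fromstring(broken_xml)
    donor = ET.fromstring(donor_xml)

    # Step 3, first change: /Root/OptionalData goes from 13 to 15.
    opt = _child(broken, "OptionalData")
    if opt is None or (opt.text or "").strip() != "13":
        raise ValueError("expected /Root/OptionalData = 13 (export made without user permissions)")
    opt.text = "15"

    # Step 3, second change: copy the donor's AdminSecurity under every parent.
    inserted = {}
    for path in ADMIN_SECURITY_PARENTS:
        donor_parent = donor.find(path, NS)
        template = _child(donor_parent, "AdminSecurity") if donor_parent is not None else None
        if template is None:
            raise ValueError("donor export has no AdminSecurity under /Root/" + path)
        inserted[path] = 0
        for parent in broken.findall(path, NS):
            if _child(parent, "AdminSecurity") is None:   # never overwrite an existing section
                parent.append(copy.deepcopy(template))
                inserted[path] += 1
    return ET.tostring(broken, encoding="unicode"), inserted

ROOT_OPEN = ('<fpc4:Root xmlns:fpc4="http://schemas.microsoft.com/isa/config-4" '
             'xmlns:dt="urn:schemas-microsoft-com:datatypes">')

def _donor_section(role_name):
    """Constructed stand-in for the AdminSecurity block a clean install exports."""
    return ('<fpc4:AdminSecurity StorageName="AdminSecurity" StorageType="1">'
            '<fpc4:SecurityRoles StorageName="SecurityRoles" StorageType="1">'
            '<fpc4:SecurityRole StorageName="{GUID}" StorageType="1">'
            '<fpc4:Name dt:dt="string">' + role_name + '</fpc4:Name>'
            '</fpc4:SecurityRole></fpc4:SecurityRoles>'
            '<fpc4:DelegatedAdmins StorageName="DelegatedAdmins" StorageType="1"/>'
            '</fpc4:AdminSecurity>')

# Constructed sample inputs, not real exports: two policies and two arrays
# that lack AdminSecurity, and a donor that has one section at each level.
BROKEN_EXPORT = ROOT_OPEN + """
  <fpc4:OptionalData dt:dt="int">13</fpc4:OptionalData>
  <fpc4:Enterprise StorageName="Enterprise" StorageType="1">
    <fpc4:Policies StorageName="Policies" StorageType="1">
      <fpc4:Policy StorageName="{POLICY-1}" StorageType="1"/>
      <fpc4:Policy StorageName="{POLICY-2}" StorageType="1"/>
    </fpc4:Policies>
  </fpc4:Enterprise>
  <fpc4:Arrays StorageName="Arrays" StorageType="1">
    <fpc4:Array StorageName="{ARRAY-1}" StorageType="1"/>
    <fpc4:Array StorageName="{ARRAY-2}" StorageType="1"/>
  </fpc4:Arrays>
</fpc4:Root>"""

DONOR_EXPORT = ROOT_OPEN + """
  <fpc4:OptionalData dt:dt="int">15</fpc4:OptionalData>
  <fpc4:Enterprise StorageName="Enterprise" StorageType="1">
    <fpc4:Policies StorageName="Policies" StorageType="1">
      <fpc4:Policy StorageName="{DONOR-POLICY}" StorageType="1">
        """ + _donor_section("ISA Server Enterprise Policy Editor") + """
      </fpc4:Policy>
    </fpc4:Policies>
    """ + _donor_section("ISA Server Enterprise Administrator") + """
  </fpc4:Enterprise>
  <fpc4:Arrays StorageName="Arrays" StorageType="1">
    <fpc4:Array StorageName="{DONOR-ARRAY}" StorageType="1">
      """ + _donor_section("ISA Server Array Administrator") + """
    </fpc4:Array>
  </fpc4:Arrays>
</fpc4:Root>"""

if __name__ == "__main__":
    repaired, counts = merge_admin_security(BROKEN_EXPORT, DONOR_EXPORT)
    print(counts)    # sections inserted per parent path; write `repaired` to a new file
```

Write the returned text to a new file rather than over the original export, and note that the script refuses to run on a file whose OptionalData is already 15, so it cannot be applied twice by accident. The DelegatedAdmins copied from the clean installation carry that installation’s account SIDs (the SID placeholders in the snippets below show where they sit), so step 6, re-assigning the Administrative Roles, still applies after the import.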

Here are some examples of the XML snippets described in this process. These are for illustration purposes only – don’t use these snippets!

/Root/Enterprise/Policies/Policy/AdminSecurity

<fpc4:AdminSecurity StorageName="AdminSecurity" StorageType="1">
  <fpc4:SecurityRoles StorageName="SecurityRoles" StorageType="1">
    <fpc4:SecurityRole StorageName="{GUID}" StorageType="1">
      <fpc4:Description dt:dt="string">Has full control over the selected enterprise policy.</fpc4:Description>
      <fpc4:Name dt:dt="string">ISA Server Enterprise Policy Editor</fpc4:Name>
      <fpc4:Predefined dt:dt="boolean">1</fpc4:Predefined>
    </fpc4:SecurityRole>
  </fpc4:SecurityRoles>
  <fpc4:DelegatedAdmins StorageName="DelegatedAdmins" StorageType="1"/>
</fpc4:AdminSecurity>

/Root/Enterprise/AdminSecurity

<fpc4:AdminSecurity StorageName="AdminSecurity" StorageType="1">
  <fpc4:SecurityRoles StorageName="SecurityRoles" StorageType="1">
    <fpc4:SecurityRole StorageName="{GUID}" StorageType="1">
      <fpc4:Description dt:dt="string">Has full control over the enterprise and all array configurations, and permissions to assign all roles to other users and groups.</fpc4:Description>
      <fpc4:Name dt:dt="string">ISA Server Enterprise Administrator</fpc4:Name>
      <fpc4:Predefined dt:dt="boolean">1</fpc4:Predefined>
    </fpc4:SecurityRole>
    <fpc4:SecurityRole StorageName="{GUID}" StorageType="1">
      <fpc4:Description dt:dt="string">Has read-only access to the enterprise and array configurations.</fpc4:Description>
      <fpc4:Name dt:dt="string">ISA Server Enterprise Auditor</fpc4:Name>
      <fpc4:Predefined dt:dt="boolean">1</fpc4:Predefined>
    </fpc4:SecurityRole>
  </fpc4:SecurityRoles>
  <fpc4:DelegatedAdmins StorageName="DelegatedAdmins" StorageType="1">
    <fpc4:DelegatedAdmin StorageName="{GUID}" StorageType="1">
      <fpc4:AccountSid dt:dt="string">SID</fpc4:AccountSid>
      <fpc4:SecurityRoleName dt:dt="string">ISA Server Enterprise Administrator</fpc4:SecurityRoleName>
      <fpc4:Ref StorageName="SecurityRole" StorageType="1">
        <fpc4:Name dt:dt="string">{GUID}</fpc4:Name>
        <fpc4:RefClass dt:dt="string">msFPCSecurityRole</fpc4:RefClass>
        <fpc4:Scope dt:dt="int">1</fpc4:Scope>
      </fpc4:Ref>
    </fpc4:DelegatedAdmin>
    <fpc4:DelegatedAdmin StorageName="{GUID}" StorageType="1">
      <fpc4:AccountSid dt:dt="string">SID</fpc4:AccountSid>
      <fpc4:SecurityRoleName dt:dt="string">ISA Server Enterprise Administrator</fpc4:SecurityRoleName>
      <fpc4:Ref StorageName="SecurityRole" StorageType="1">
        <fpc4:Name dt:dt="string">{GUID}</fpc4:Name>
        <fpc4:RefClass dt:dt="string">msFPCSecurityRole</fpc4:RefClass>
        <fpc4:Scope dt:dt="int">1</fpc4:Scope>
      </fpc4:Ref>
    </fpc4:DelegatedAdmin>
  </fpc4:DelegatedAdmins>
</fpc4:AdminSecurity>

/Root/Arrays/Array/AdminSecurity

<fpc4:AdminSecurity StorageName="AdminSecurity" StorageType="1">
  <fpc4:SecurityRoles StorageName="SecurityRoles" StorageType="1">
    <fpc4:SecurityRole StorageName="{GUID}" StorageType="1">
      <fpc4:Description dt:dt="string">Has full control over the array-level configuration for this array, including permissions to assign array roles. Has read-only access to the enterprise policy applied to this array.</fpc4:Description>
      <fpc4:Name dt:dt="string">ISA Server Array Administrator</fpc4:Name>
      <fpc4:Predefined dt:dt="boolean">1</fpc4:Predefined>
    </fpc4:SecurityRole>
    <fpc4:SecurityRole StorageName="{GUID}" StorageType="1">
      <fpc4:Description dt:dt="string">Has full access to array monitoring and read-only access to the array configuration. Has read-only access to the enterprise policy applied to this array.</fpc4:Description>
      <fpc4:Name dt:dt="string">ISA Server Array Auditor</fpc4:Name>
      <fpc4:Predefined dt:dt="boolean">1</fpc4:Predefined>
    </fpc4:SecurityRole>
    <fpc4:SecurityRole StorageName="{GUID}" StorageType="1">
      <fpc4:Description dt:dt="string">Has restricted access to array monitoring features. Can view sessions, view and reset alerts, query service status, and verify connectivity.</fpc4:Description>
      <fpc4:Name dt:dt="string">ISA Server Array Monitoring Auditor</fpc4:Name>
      <fpc4:Predefined dt:dt="boolean">1</fpc4:Predefined>
    </fpc4:SecurityRole>
  </fpc4:SecurityRoles>
  <fpc4:DelegatedAdmins StorageName="DelegatedAdmins" StorageType="1"/>
</fpc4:AdminSecurity>

Zoltan Harmath

Principal Consultant – ISA Server

Microsoft, Hungary