There is not more frightening then knowing that you can’t backup your server and when I say knowing is because many times administrators don’t backup because they forgot or because they think someone else is doing. But when you know that the backup cannot be performed, than you know that Murphy’s Law might get you.
This post is about a scenario where Firewall administrator was trying to backup ISA Server configuration and it was receiving the following error:
Figure 1 – Error when trying to perform a backup.
Understanding the Error Message
Before panic it is important to take a deep breath and understand what this error message is trying to say to you. If you BING for the error code 0xc0040357 (simple like that http://www.bing.com/search?q=0xc0040357 ), you will find the KB 922222, which is a good start. But for now, let’s leave this on hold and understand the error description. It says:
I’m highlighting the keywords of this error message, with that we know that the problem is related to:
· A Web Listener that does not exist anymore however it is present in the HTTP Compression option.
To confirm that this understanding is correct, next step is to try to open the HTTP Compression Preferences under General and see if we are able to see the properties. When we do that we get the error below (which confirms that there problem resides in there):
Figure 2 – Error when opening HTTP Compression options.
2. Investigating Further
This scenario happened in an ISA Server 2006 Enterprise Edition that apparently had no problem, everything was working fine, nodes were in sync and the only operation that was failing was the backup. Since this is an Enterprise Edition we have ADAM and having ADAM we know that the values are primarily stored there. According to the error message the error occurred in the object ‘HTTP-Compression-Configuration’, therefore we should take a look on this object.
In order to do that we can use the same approach explained in KB922222 (the one that I mentioned before). Since that article is for ISA 2004, there is a slightly difference when trying to connect to CSS using ADAM on ISA 2006. Instead of using the Distinguished Name CN=FpcConfiguration, you will use CN=FPC2 as shown below:
Figure 3 – Connecting to CSS using ADAMADSIEdit.
After connecting to ADAM, browse to the following location:
Figure 4 – Looking for the HTTP-Compression-Configuration object.
Notice that under the HTTP-Compression-Configuration object we have another object called WebListenerUsed and in this case it has a GUID for a WebListener. This GUID is not the real name of the WebListener, this is actually the CN for this object. To see the name of the real web listener in which this object is referring to, you need to right click on this object and choose properties. Look for the attribute called msFPCName as shown below:
Figure 5 – Checking the msFPCName for this attribute.
If this is a valid listener, we should see this GUID under CN=RuleElements,CN=WebListeners as shown below:
Figure 6 – Valid Web Listeners.
Notice that in this case I do not have this value in there, which means that this is the reason why we are receiving this error. In other words: there is an object present under HTTP-Compression-Configuration object that has an attribute that points to an invalid object.
3. Now What?
Since this is an invalid object we need to remove it from there. However, before do that it is important to emphasize that before any intervention directly on ADAM or Registry make sure that you have a backup of your system. In this case since we cannot backup the whole array at least we should backup the Firewall Policy (which works fine since doesn’t look for that object). Also, before delete this object, you can dump it using LDIFDE, so you can have a backup of the attributes for this object (in case you need). To export this object uses the command below:
· -t allows you to specify which port you are going to use to connect to ADAM. In this case port 2171,
· -d allows you to specify the Distinguished Name (DN) of the object that you want to dump. In this case you need to open the properties of the object and search for the DN.
The output (backup.ldf) of this command for this case is:
Now that we have a backup of the Firewall Rules and a dump of the object that we are deleting, let’s get rid of this invalid object. For this particular scenario the object is the one below:
Figure 7 – Object that needs to be eliminated in this case.
After highlight this value, press delete or right click on the object and choose delete.
Note: For ISA Server 2006 Standard Edition, you have to delete this value from the registry.
4. Validating the Procedure
After remove the bad entry you should make sure that the array configuration is in sync, you can force a change, such as disabling a rule or changing the name of the rule. This is just to force a new synchronization. Now after doing that you should be able to open the HTTP Compression properties, as shown below:
Figure 8 – The bogus web listener was listed in there before, now is clear.
Fixing corrupted objects on ADAM is not always straight forward like this, sometimes you can’t really determine easily which object is corrupted because there are many objects to evaluate, compare values, etc. In scenarios where you can’t determine, don’t try to “guess” which object is corrupt and delete it without 100%, better to get an ISA Data Packager in repro mode using the Administration template and open a case with MS CSS for further analyzes.