[isalist] Re: Install of TMG on 2K8 R2

I can't fire the entire group of admins!!! :)

Now I learn the group needs to be there for joining a new server to the array, 
but after that and under regular (filtering, proxiing, VPN......) job of the 
array, that permission don't need to be there, right?
Meaning, if I'm not joining new servers (which doesn't happen pretty often), I 
should be able to remove the group and everything should be fine. As you can 
see I don't trust the administrators.

Besides that workaround of adding and removing the group, I guess that is a 
behavior that Microsoft should address on the product as it looks like a none 
smart utilization of the security on TMG.

Regards
Diego R. Pietruszka

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Monday, June 28, 2010 3:17 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Install of TMG on 2K8 R2

Some of the behaviors created through MMC actions require membership in this 
group because of OS object ACLs in place.
This is why it exists.

Forget trying to protect yourself from your admins - if you can't trust them, 
fire them.

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR
Sent: Monday, June 28, 2010 09:37
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Install of TMG on 2K8 R2

Well I have my server joined to the array.
Just in case if anybody run across the same issue, for stupid it sounds I was 
able to join the array after I re-added back the BUILTIN\ADMINISTRATORS group 
as array administrator on the EMC server (I removed that group for security, 
since there was some administrators of the server that don't really needs to be 
TMG admins).

Why the built-in group have to be there?, well I would love to know. For me it 
sounds like a bug, because I had all the right permissions to do the task.

Regards
Diego R. Pietruszka

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR
Sent: Thursday, June 24, 2010 2:11 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Install of TMG on 2K8 R2

Probably I just wasn't lucky enough.
Yes the account I'm using is listed there as TMG Enterprise Administrator

BTW, thanks for your time

Regards
Diego R. Pietruszka

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jerry Young
Sent: Thursday, June 24, 2010 1:38 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Install of TMG on 2K8 R2

I'm in the process of deploying TMG 2010 now but haven't run into any of the 
issues you've experienced. :(

And the account you're using shows up on under the Assign Roles tabbed page on 
the Enterprise properties with the role Forefront TMG Enterprise Administrator?
On Thu, Jun 24, 2010 at 12:49 PM, D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR 
<DPietruszka@xxxxxx<mailto:DPietruszka@xxxxxx>> wrote:
Thanks I will keep it in mind, well that if I don't go back to ISA2006, to many 
problems for now with TMG.

Regards
Diego R. Pietruszka

From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> 
[mailto:isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx>] On 
Behalf Of Jerry Young
Sent: Thursday, June 24, 2010 12:42 PM

To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: Install of TMG on 2K8 R2

And in case you're going to be installing SP1, make sure you install it in the 
following order.

Install SP1 on the EMS server.
Install SP1 on the array reporting server (To identify the reporting server, in 
the Forefront TMG Management console, click the Logs & Reports node. In the 
details pane, click the Reporting tab. On the Tasks tab, click Configure 
Reporting Settings, and then click the Report Server tab.).
Install SP1 on the remaining array member servers.

For reference, here's the Microsoft link for the TMG SP1 install.

http://technet.microsoft.com/en-us/library/ff717843.aspx
On Thu, Jun 24, 2010 at 12:34 PM, D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR 
<DPietruszka@xxxxxx<mailto:DPietruszka@xxxxxx>> wrote:
Tired of not being able to install TMG, I reinstall the OS and TMG installed 
right away after that.

But now I have another weird problem. When I try to join the new server to an 
existing array manage by an EMS server it always return the below error.

The Operation Failed
You do not have the necessary permissions to perform this action

The user I'm using to join the server to the array, is Array administrator on 
the new server, Array administrator on the Array it is trying to join to and 
enterprise administrator on the EMS server. Also is local administrator on all 
those servers. So what can be wrong? I mean, which other permission it needs?

Thanks

Regards
Diego R. Pietruszka

From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> 
[mailto:isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx>] On 
Behalf Of Jim Harrison
Sent: Saturday, June 19, 2010 5:24 PM
To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: Install of TMG on 2K8 R2

Once you've failed a TGM installation, you need to ensure that you:

1.       Close the installer

2.       Remove all vestiges of TMG, AD-LDS or SQL that may have been partially 
installed via Control Panel, Programs and Features

3.       Delete any installation folders that may have been created for those 
applications:

a.       %programfiles%\Microsoft Forefront Threat Management Gateway

b.      %programfiles%\Microsoft SQL Server

c.       %programfiles(x86)%\ Microsoft SQL Server

Jim

From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> 
[mailto:isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx>] On 
Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR
Sent: Saturday, June 19, 2010 2:14 PM
To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: Install of TMG on 2K8 R2

Well, that is basically what I did. With the exception of the static routes 
because both servers are on the same subnet.
But the error keep coming.

Regards
Diego R. Pietruszka

From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> 
[mailto:isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx>] On 
Behalf Of Jerry G. Young II
Sent: Saturday, June 19, 2010 1:07 PM
To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx>
Cc: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: Install of TMG on 2K8 R2

Also keep in mind that TMG now wants to control your static routes.  So, to 
avoid making the same, tedious mistake I made, try the following order:

1. Manually set single static route to facilitate network connectivity to your 
EMS server (if using one).
2. Pre-configure the static route settings in the Array.
3. Install TMG.
4. Join Array.

Don't bother configuring anything on the TMG server prior to joining the Array; 
settings will just get overwritten and you'll get to experience some of the 
wonderful joy I did. :P

Cordially yours,
Jerry G. Young II
+=+ Sent via iPhone +=+

On Jun 19, 2010, at 12:19 PM, Jim Harrison 
<Jim@xxxxxxxxxxxx<mailto:Jim@xxxxxxxxxxxx>> wrote:
There is no way to join an array as part of the installation.
This is because the "Join array" wizard that you start from the console doesn't 
exist until the TMG components are installed.

From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> 
[mailto:isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx>] On 
Behalf Of Jerry Young
Sent: Wednesday, June 16, 2010 12:19 PM
To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: Install of TMG on 2K8 R2

That's an error with installing SQL Express 2008, not TMG.

It's throwing an error when its checking for the existence of the reporting 
database (doesn't exist).

0x84be03f4 = Checks if the Reporting Services catalog database file exists.
Review http://msdn.microsoft.com/en-us/library/dd981032(SQL.100).aspx, 
specifically near the bottom where it describes the logs that the installer 
writes.  Perhaps there is something in there.

And just for the sake of sanity, check to make sure the W2K8 R2 box you're 
installing TMG on meets the SQL Express 2008 system requirements (.Net and all 
that).
On Wed, Jun 16, 2010 at 2:59 PM, D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR 
<DPietruszka@xxxxxx<mailto:DPietruszka@xxxxxx>> wrote:
Hello all, I have a couple of servers with TMG on it and was trying to install 
another one to make it part of an existing array.

First of all, on ISA 2006 if my memory is not that bad, there was an option to 
install and while installing choose if that box was going to be part of an 
array, so we could pick the CSS then which array you wanted to join (or created 
a new one), etc.....
On TMG I found the only option to be: Installed as an stand alone TMG server 
and then from the console choose to join an existing array. If I'm wrong on 
that please anybody let me know. But besides that, I tried to install this 
particular TMG server 3 times already and before reinstalling the entire OS I 
wanted to ask for help.

Every time I'm running the installation, when the wizard is on "Additional 
Components (Estimated........)" the installation fail with this error:


-          Microsoft SQL Express 2008 (reporting instance could not be 
installed). As a result, Forefront TMG installation cannot be completed.

Any help will be appreciated.

ISAWRAP is showing this:

13:01:24 INFO:   Add/Remove entry was created
13:01:24 INFO:   Installing Additional components...
13:01:24 INFO:   Activating Extration of SQL Express 2008 SP1 Package, command 
line args = '-s -f "C:\Windows\temp\{79FA0C64-EA49-46CB-9CEA-6591E4A9887D}" -e'
13:01:24 INFO:   SQL Express 2008 SP1 Package path is .\Program Files\Microsoft 
ISA Server\SQLE\SQLExpress2008SP1.exe
13:02:50 INFO:   Process completed successfully
13:02:50 INFO:   SQL Express 2008 SP1 Package was sucessfully extracted to 
'C:\Windows\temp\{79FA0C64-EA49-46CB-9CEA-6591E4A9887D}'
13:02:50 INFO:   Activating SQL Express installation, command line args = 
'/QUIET /ACTION=Install /FEATURES=SQLEngine /INSTANCENAME=MSFW 
/SQLSYSADMINACCOUNTS="BUILTIN\Administrators" /BROWSERSVCSTARTUPTYPE=4 
/SAPWD=************** /SQLSVCACCOUNT="NT AUTHORITY\SYSTEM" /NPENABLED=0 
/TCPENABLED=0 /SKIPRULES=RebootRequiredCheck /HIDECONSOLE 
/PCUSource="C:\Windows\temp\{79FA0C64-EA49-46CB-9CEA-6591E4A9887D}\PCU"'
13:02:50 INFO:   SQL Express 2008 installation path is 
C:\Windows\temp\{79FA0C64-EA49-46CB-9CEA-6591E4A9887D}\setup.exe
13:09:08 INFO:   Process completed successfully
13:09:08 INFO:   SQL Express 2008 successfully installed
13:09:08 INFO:   Starting SQL Express service
13:09:18 INFO:   Changing network service permissions to allow access to SQL 
Express
13:09:19 INFO:   Changing SQL Express tempdb size
13:09:19 INFO:   Failed to change Tempdb MAXSIZE, error = ,, 0x80040e09. 
Ignoring...
13:09:19 INFO:   Moving SQL Express tempdb to stingray logging directory
13:09:24 INFO:   AdjustSSEConfiguration completed successfully.
13:09:24 INFO:   Activating SQL Express installation, command line args = 
'/QUIET /ACTION=Install /FEATURES=SQLEngine,RS /INSTANCENAME=ISARS 
/SQLSYSADMINACCOUNTS="BUILTIN\Administrators" /BROWSERSVCSTARTUPTYPE=4 
/SAPWD=************** /SECURITYMODE=SQL /SQLSVCACCOUNT="NT AUTHORITY\SYSTEM" 
/RSINSTALLMODE=DefaultNativeMode /RSSVCACCOUNT="NT AUTHORITY\SYSTEM" 
/RSSVCStartupType=Automatic /NPENABLED=0 /TCPENABLED=1 
/SKIPRULES=RebootRequiredCheck /HIDECONSOLE 
/PCUSource="C:\Windows\temp\{79FA0C64-EA49-46CB-9CEA-6591E4A9887D}\PCU"'
13:09:24 INFO:   SQL Express 2008 installation path is 
C:\Windows\temp\{79FA0C64-EA49-46CB-9CEA-6591E4A9887D}\setup.exe
13:10:37 ERROR:               Setup failed. Error returned: 0x84be03f4
13:10:37 ERROR:               Installation of SQL Express 2008 failed. hr = 
0x84be03f4
13:10:37 ERROR:               Installation failed. hr = 0x84be03f4
13:10:37 ERROR:               Installation failed, hr=0x84be03f4
14:24:03 ERROR:               InstallProducts:Install Additional components 
failed, hr=0x84be03f4
14:24:03 INFO:   Rollback: Performing rollback after installation failure.
14:24:03 INFO:   CMsiAttendantInstaller::Prepare: Upgrade code is not set
14:24:03 INFO:   CMsiAttendantInstaller::Prepare: There is no any product code 
for upgrade code
14:24:03 INFO:   CMsiAttendantInstaller::Prepare: Upgrade code is not set
14:24:03 INFO:   CMsiAttendantInstaller::Prepare: There is no any product code 
for upgrade code
14:24:03 INFO:   The instance Id of instace MSFW is MSSQL10.MSFW
14:24:03 INFO:   GetUninstallCode: Prepare: product code is 
{FBD367D1-642F-47CF-B79B-9BE48FB34007}
14:24:03 ERROR:               CSSEInstaller::GetInstanceId failed to read from 
reg 'ISARS'
14:24:03 INFO:   CSSEInstaller::Prepare: Failed to get the instace id of ISARS
14:24:03 INFO:   CMsiAttendantInstaller::Prepare: Upgrade code is not set
14:24:03 INFO:   CMsiAttendantInstaller::Prepare: There is no any product code 
for upgrade code
14:24:03 INFO:   The instance Id of instace MSFW is MSSQL10.MSFW
14:24:03 INFO:   Activating SQL Express uninstallation, command line args = 
'/QUIET /ACTION=Uninstall /FEATURES=SQLEngine /INSTANCENAME=MSFW 
/SKIPRULES=RebootRequiredCheck /HIDECONSOLE'
14:24:03 INFO:   Uninstall command line is C:\Program Files\Microsoft SQL 
Server\100\Setup Bootstrap\Release\Setup.exe


Regards
Diego R. Pietruszka




--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
Young Consulting & Staffing Services Company - Owner
www.youngcss.com<http://www.youngcss.com/>



--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
Young Consulting & Staffing Services Company - Owner
www.youngcss.com<http://www.youngcss.com/>



--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
Young Consulting & Staffing Services Company - Owner
www.youngcss.com<http://www.youngcss.com>

Other related posts: