[isalist] Re: Install of TMG on 2K8 R2

  • From: Jim Harrison <jim@xxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 28 Jun 2010 15:43:33 -0700

No, it means that you have to leave it there.

While I agree that it would have been a good thing to allow more granular
access controls, the fact is that this wasn't done.

Likewise, you can't reasonably expect the team to test every permutation of
the ACLs. :)

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR
Sent: Monday, June 28, 2010 13:24
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Install of TMG on 2K8 R2

 

I can't fire the entire group of admins!!! :)

 

Now I learn the group needs to be there for joining a new server to the
array, but after that and under regular (filtering, proxying, VPN..) job of
the array, that permission doesn't need to be there, right?

Meaning, if I'm not joining new servers (which doesn't happen pretty often),
I should be able to remove the group and everything should be fine. As you
can see I don't trust the administrators.

 

Besides that workaround of adding and removing the group, I guess that is a
behavior that Microsoft should address on the product as it looks like a
non-smart utilization of the security on TMG.

 

Regards

Diego R. Pietruszka

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Harrison
Sent: Monday, June 28, 2010 3:17 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Install of TMG on 2K8 R2

 

Some of the behaviors created through MMC actions require membership in this
group because of OS object ACLs in place.

This is why it exists.

 

Forget trying to protect yourself from your admins - if you can't trust
them, fire them.

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR
Sent: Monday, June 28, 2010 09:37
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Install of TMG on 2K8 R2

 

Well I have my server joined to the array.

Just in case anybody runs across the same issue: as stupid as it sounds, I
was able to join the array after I re-added the BUILTIN\ADMINISTRATORS
group as array administrator on the EMC server (I removed that group for
security, since there were some administrators of the server that don't
really need to be TMG admins).

 

Why does the built-in group have to be there? Well, I would love to know. For me
it sounds like a bug, because I had all the right permissions to do the
task.

 

Regards

Diego R. Pietruszka

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR
Sent: Thursday, June 24, 2010 2:11 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Install of TMG on 2K8 R2

 

Probably I just wasn't lucky enough.

Yes, the account I'm using is listed there as TMG Enterprise Administrator.

 

BTW, thanks for your time

 

Regards

Diego R. Pietruszka

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Jerry Young
Sent: Thursday, June 24, 2010 1:38 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Install of TMG on 2K8 R2

 

I'm in the process of deploying TMG 2010 now but haven't run into any of the
issues you've experienced. :(

 

And the account you're using shows up under the Assign Roles tabbed page
on the Enterprise properties with the role Forefront TMG Enterprise
Administrator?

On Thu, Jun 24, 2010 at 12:49 PM, D PIETRUSZKA USWRN INTERLINK INFRA SHIFT
MGR <DPietruszka@xxxxxx> wrote:

Thanks, I will keep it in mind, well, that is if I don't go back to ISA2006; too
many problems for now with TMG.

 

Regards

Diego R. Pietruszka

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Jerry Young
Sent: Thursday, June 24, 2010 12:42 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Install of TMG on 2K8 R2

 

And in case you're going to be installing SP1, make sure you install it in
the following order.

 

Install SP1 on the EMS server.

Install SP1 on the array reporting server (To identify the reporting server,
in the Forefront TMG Management console, click the Logs & Reports node. In
the details pane, click the Reporting tab. On the Tasks tab, click Configure
Reporting Settings, and then click the Report Server tab.).

Install SP1 on the remaining array member servers.

 

For reference, here's the Microsoft link for the TMG SP1 install.

 

http://technet.microsoft.com/en-us/library/ff717843.aspx

On Thu, Jun 24, 2010 at 12:34 PM, D PIETRUSZKA USWRN INTERLINK INFRA SHIFT
MGR <DPietruszka@xxxxxx> wrote:

Tired of not being able to install TMG, I reinstalled the OS and TMG installed
right away after that.

 

But now I have another weird problem. When I try to join the new server to
an existing array managed by an EMS server it always returns the error below.

 

The Operation Failed

You do not have the necessary permissions to perform this action

 

The user I'm using to join the server to the array, is Array administrator
on the new server, Array administrator on the Array it is trying to join to
and enterprise administrator on the EMS server. Also is local administrator
on all those servers. So what can be wrong? I mean, which other permission
it needs?

 

Thanks 

 

Regards

Diego R. Pietruszka

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Harrison
Sent: Saturday, June 19, 2010 5:24 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Install of TMG on 2K8 R2

 

Once you've failed a TMG installation, you need to ensure that you:

1. Close the installer

2. Remove all vestiges of TMG, AD-LDS or SQL that may have been
partially installed via Control Panel, Programs and Features

3. Delete any installation folders that may have been created for
those applications:

   a. %programfiles%\Microsoft Forefront Threat Management Gateway

   b. %programfiles%\Microsoft SQL Server

   c. %programfiles(x86)%\Microsoft SQL Server

 

Jim

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR
Sent: Saturday, June 19, 2010 2:14 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Install of TMG on 2K8 R2

 

Well, that is basically what I did. With the exception of the static routes
because both servers are on the same subnet.

But the error keeps coming.

 

Regards

Diego R. Pietruszka

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Jerry G. Young II
Sent: Saturday, June 19, 2010 1:07 PM
To: isalist@xxxxxxxxxxxxx
Cc: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Install of TMG on 2K8 R2

 

Also keep in mind that TMG now wants to control your static routes.  So, to
avoid making the same, tedious mistake I made, try the following order:

 

1. Manually set single static route to facilitate network connectivity to
your EMS server (if using one).

2. Pre-configure the static route settings in the Array.

3. Install TMG.

4. Join Array.

 

Don't bother configuring anything on the TMG server prior to joining the
Array; settings will just get overwritten and you'll get to experience some
of the wonderful joy I did. :P

Cordially yours,

Jerry G. Young II

+=+ Sent via iPhone +=+


On Jun 19, 2010, at 12:19 PM, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:

There is no way to join an array as part of the installation.

This is because the "Join array" wizard that you start from the console
doesn't exist until the TMG components are installed.

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Jerry Young
Sent: Wednesday, June 16, 2010 12:19 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Install of TMG on 2K8 R2

 

That's an error with installing SQL Express 2008, not TMG.

 

It's throwing an error when it's checking for the existence of the reporting
database (doesn't exist).

 

0x84be03f4 = Checks if the Reporting Services catalog database file exists.

Review http://msdn.microsoft.com/en-us/library/dd981032(SQL.100).aspx,
specifically near the bottom where it describes the logs that the installer
writes.  Perhaps there is something in there.

 

And just for the sake of sanity, check to make sure the W2K8 R2 box you're
installing TMG on meets the SQL Express 2008 system requirements (.Net and
all that).

On Wed, Jun 16, 2010 at 2:59 PM, D PIETRUSZKA USWRN INTERLINK INFRA SHIFT
MGR <DPietruszka@xxxxxx> wrote:

Hello all, I have a couple of servers with TMG on it and was trying to
install another one to make it part of an existing array.

 

First of all, on ISA 2006 if my memory is not that bad, there was an option
to install and while installing choose if that box was going to be part of
an array, so we could pick the CSS then which array you wanted to join (or
created a new one), etc...

On TMG I found the only option to be: install as a stand-alone TMG server
and then from the console choose to join an existing array. If I'm wrong on
that please anybody let me know. But besides that, I tried to install this
particular TMG server 3 times already and before reinstalling the entire OS
I wanted to ask for help.

 

Every time I'm running the installation, when the wizard is on "Additional
Components (Estimated....)" the installation fails with this error:

 

-          Microsoft SQL Express 2008 (reporting instance could not be
installed). As a result, Forefront TMG installation cannot be completed.

 

Any help will be appreciated.

 

ISAWRAP is showing this:

 

13:01:24 INFO:   Add/Remove entry was created

13:01:24 INFO:   Installing Additional components...

13:01:24 INFO:   Activating Extration of SQL Express 2008 SP1 Package,
command line args = '-s -f
"C:\Windows\temp\{79FA0C64-EA49-46CB-9CEA-6591E4A9887D}" -e'

13:01:24 INFO:   SQL Express 2008 SP1 Package path is .\Program
Files\Microsoft ISA Server\SQLE\SQLExpress2008SP1.exe

13:02:50 INFO:   Process completed successfully

13:02:50 INFO:   SQL Express 2008 SP1 Package was sucessfully extracted to
'C:\Windows\temp\{79FA0C64-EA49-46CB-9CEA-6591E4A9887D}'

13:02:50 INFO:   Activating SQL Express installation, command line args =
'/QUIET /ACTION=Install /FEATURES=SQLEngine /INSTANCENAME=MSFW
/SQLSYSADMINACCOUNTS="BUILTIN\Administrators" /BROWSERSVCSTARTUPTYPE=4
/SAPWD=************** /SQLSVCACCOUNT="NT AUTHORITY\SYSTEM" /NPENABLED=0
/TCPENABLED=0 /SKIPRULES=RebootRequiredCheck /HIDECONSOLE
/PCUSource="C:\Windows\temp\{79FA0C64-EA49-46CB-9CEA-6591E4A9887D}\PCU"'

13:02:50 INFO:   SQL Express 2008 installation path is
C:\Windows\temp\{79FA0C64-EA49-46CB-9CEA-6591E4A9887D}\setup.exe

13:09:08 INFO:   Process completed successfully

13:09:08 INFO:   SQL Express 2008 successfully installed

13:09:08 INFO:   Starting SQL Express service

13:09:18 INFO:   Changing network service permissions to allow access to SQL
Express

13:09:19 INFO:   Changing SQL Express tempdb size

13:09:19 INFO:   Failed to change Tempdb MAXSIZE, error = ,, 0x80040e09.
Ignoring...

13:09:19 INFO:   Moving SQL Express tempdb to stingray logging directory

13:09:24 INFO:   AdjustSSEConfiguration completed successfully.

13:09:24 INFO:   Activating SQL Express installation, command line args =
'/QUIET /ACTION=Install /FEATURES=SQLEngine,RS /INSTANCENAME=ISARS
/SQLSYSADMINACCOUNTS="BUILTIN\Administrators" /BROWSERSVCSTARTUPTYPE=4
/SAPWD=************** /SECURITYMODE=SQL /SQLSVCACCOUNT="NT AUTHORITY\SYSTEM"
/RSINSTALLMODE=DefaultNativeMode /RSSVCACCOUNT="NT AUTHORITY\SYSTEM"
/RSSVCStartupType=Automatic /NPENABLED=0 /TCPENABLED=1
/SKIPRULES=RebootRequiredCheck /HIDECONSOLE
/PCUSource="C:\Windows\temp\{79FA0C64-EA49-46CB-9CEA-6591E4A9887D}\PCU"'

13:09:24 INFO:   SQL Express 2008 installation path is
C:\Windows\temp\{79FA0C64-EA49-46CB-9CEA-6591E4A9887D}\setup.exe

13:10:37 ERROR:               Setup failed. Error returned: 0x84be03f4

13:10:37 ERROR:               Installation of SQL Express 2008 failed. hr =
0x84be03f4

13:10:37 ERROR:               Installation failed. hr = 0x84be03f4

13:10:37 ERROR:               Installation failed, hr=0x84be03f4

14:24:03 ERROR:               InstallProducts:Install Additional components
failed, hr=0x84be03f4

14:24:03 INFO:   Rollback: Performing rollback after installation failure.

14:24:03 INFO:   CMsiAttendantInstaller::Prepare: Upgrade code is not set

14:24:03 INFO:   CMsiAttendantInstaller::Prepare: There is no any product
code for upgrade code 

14:24:03 INFO:   CMsiAttendantInstaller::Prepare: Upgrade code is not set

14:24:03 INFO:   CMsiAttendantInstaller::Prepare: There is no any product
code for upgrade code 

14:24:03 INFO:   The instance Id of instace MSFW is MSSQL10.MSFW

14:24:03 INFO:   GetUninstallCode: Prepare: product code is
{FBD367D1-642F-47CF-B79B-9BE48FB34007}

14:24:03 ERROR:               CSSEInstaller::GetInstanceId failed to read
from reg 'ISARS' 

14:24:03 INFO:   CSSEInstaller::Prepare: Failed to get the instace id of
ISARS

14:24:03 INFO:   CMsiAttendantInstaller::Prepare: Upgrade code is not set

14:24:03 INFO:   CMsiAttendantInstaller::Prepare: There is no any product
code for upgrade code 

14:24:03 INFO:   The instance Id of instace MSFW is MSSQL10.MSFW

14:24:03 INFO:   Activating SQL Express uninstallation, command line args =
'/QUIET /ACTION=Uninstall /FEATURES=SQLEngine /INSTANCENAME=MSFW
/SKIPRULES=RebootRequiredCheck /HIDECONSOLE'

14:24:03 INFO:   Uninstall command line is C:\Program Files\Microsoft SQL
Server\100\Setup Bootstrap\Release\Setup.exe

 

 

Regards

Diego R. Pietruszka

 




-- 
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
Young Consulting & Staffing Services Company - Owner
www.youngcss.com <http://www.youngcss.com/> 
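
Added example, not part of the thread or of TMG's own tooling: a small Python pass over ISAWRAP setup-log text like the excerpt quoted above. It re-joins the wrapped entries, collects the failing HRESULTs, and lists the SQL Express setup switches that grant broad access; which switches to flag is this example's assumption, and the sample log is constructed from shortened lines of that excerpt.

```python
import re

# Constructed sample, shortened from the ISAWRAP excerpts quoted in the thread
# (entries wrap across lines the same way they do in the mail).
SAMPLE_LOG = r"""13:02:50 INFO:   Activating SQL Express installation, command line args =
'/QUIET /ACTION=Install /FEATURES=SQLEngine /INSTANCENAME=MSFW
/SQLSYSADMINACCOUNTS="BUILTIN\Administrators" /SQLSVCACCOUNT="NT AUTHORITY\SYSTEM"
/NPENABLED=0 /TCPENABLED=0'
13:09:24 INFO:   Activating SQL Express installation, command line args =
'/QUIET /ACTION=Install /FEATURES=SQLEngine,RS /INSTANCENAME=ISARS
/SQLSYSADMINACCOUNTS="BUILTIN\Administrators" /SECURITYMODE=SQL /TCPENABLED=1'
13:10:37 ERROR:               Setup failed. Error returned: 0x84be03f4
13:10:37 ERROR:               Installation of SQL Express 2008 failed. hr =
0x84be03f4
"""

ENTRY = re.compile(r"^(\d\d:\d\d:\d\d) (INFO|ERROR):\s*(.*)$")
ARG = re.compile(r'/(\w+)=("[^"]*"|\S+)')
# Settings a reviewer would want surfaced (the choice of checks is this example's).
FLAGGED = {"SQLSYSADMINACCOUNTS": "BUILTIN\\Administrators",
           "SECURITYMODE": "SQL", "TCPENABLED": "1"}

def parse_entries(text):
    """Re-join wrapped lines into (time, level, message) entries."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append(list(m.groups()))
        elif entries and line.strip():
            entries[-1][2] += " " + line.strip()
    return [tuple(e) for e in entries]

def audit(text):
    """Return (failing HRESULTs, flagged (instance, switch, value) settings)."""
    hresults, findings = set(), []
    for _, level, msg in parse_entries(text):
        if level == "ERROR":
            hresults.update(h.lower() for h in re.findall(r"0x[0-9a-fA-F]{8}", msg))
        args = {k.upper(): v.strip("\"'") for k, v in ARG.findall(msg)}
        if args.get("ACTION") == "Install":
            for key, bad in FLAGGED.items():
                if args.get(key, "").lower() == bad.lower():
                    findings.append((args.get("INSTANCENAME"), key, args[key]))
    return hresults, findings

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

On the sample it reports that both the MSFW and ISARS instances are set up with BUILTIN\Administrators as SQL sysadmin, so every local administrator of the box is also a sysadmin on the TMG logging and reporting databases.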



