Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

ISA Server configuration agent was unable to upload the configuration

37 views
Skip to first unread message

Bruce Lautenschlager

unread,
Jul 10, 2009, 7:28:26 AM7/10/09
to
I think I'm in serious trouble. ISA 2006 EE array (no service pack),
firewall and proxy, no firewall client installed on clients, two nodes, each
Windows Server 2003 R2 SP1. The CSS is another server running Windows Server
2003 R2 SP2. All members of the same AD domain. The standard config (except
I should have made another CSS to be safe). Things have been working fine
for...almost 2 years?

Today I started getting these alerts in the ISA log (didn't notice until I
tried to make a change that didn't seem to really take effect):

The ISA Server configuration agent was unable to upload the configuration to
the ISA Server services.
This could be due to a corrupt configuration. The ISA Server configuration
agent is reverting the configuration back to the last known configuration.
The service that failed to load the configuration is: fwsrv.
The failure is due to error: 0x8007000d

Event Viewer has this repeatedly:

Event Type: Error
Event Source: Microsoft ISA Server Control
Event Category: None
Event ID: 21209
Date: 7/9/2009
Time: 1:31:38 PM
User: N/A
Computer: ISA1
Description:
The ISA Server configuration agent was unable to upload the configuration to
the ISA Server services. This could be due to a corrupt configuration. The
ISA Server configuration agent is reverting the configuration back to the
last known configuration. The service that failed to load the configuration
is: fwsrv.

Other specific errors about policies are listed there, too, but I think they
are red herrings because ISA can't read the config. But I could be wrong.

It ends up with what you think might be a GOOD event (sort of):

Event Type: Information
Event Source: Microsoft ISA Server Control
Event Category: None
Event ID: 21211
Date: 7/9/2009
Time: 3:43:44 PM
User: N/A
Computer: ISA1
Description:
A new configuration cannot be loaded, and configuration settings have been
successfully reverted to last known good values. Check previous error events
for possible reasons for the failure. The error description is: Some
configuration changes were not applied. See the Windows event viewer for
more details.

But it's not really good. I cannot export array or firewall policies. Event
viewer whines about routing and other policies that should be (have been)
fine. One event I find interesting is this, though:

Event Type: Error
Event Source: Microsoft Firewall
Event Category: None
Event ID: 14019
Date: 7/9/2009
Time: 3:41:54 PM
User: N/A
Computer: ISA1
Description:
ISA Server failed to load the firewall policy configuration. The failure
occurred while loading the policy rule "FTP Access Rule".

It's interesting because when I try to export array or firewall policies it
doesn't quite finish - I get this error:

The Computer referenced by Policy Rule FTP Access Rule does not exist.

The error occurred on object 'FTP Access Rule' of class 'Policy Rule' in the
scope of array 'BHSArray'.

Hmmm...I though - could this really be the root, or just a red herring?
Maybe I should track down the computer that doesn't exist and remove it from
the rule.

But if I go to the aforementioned FTP Access RUle and click on the From tab,
I get the error:

ISA Server cannot load the property page.
The system cannot find the file specified.

I seem to be able to open up other rules, etc...but changes don't seem to do
anything but visually update.


Oh, this feels so, so bad...from my searching every other person who has had
this problem doesn't seem to have a resolution other than "I reinstalled",
it was specific to Exchange/OWA (which I don't run) or they opened a PSS,
which I may have to do, also.

I did see this blog (thanks Tom for the link):
https://blogs.technet.com/isablog/archive/2009/01/26/Rebuilding-ISA-Configuration-Cache.aspx

And I wondered if I should do that. I do have daily tape (or SAN, whatever)
backups of my CSS server, so if there's a file or files I could restore, I
can. I do NOT have backups of each ISA node...Netbackup didn't seem to play
nicely and we never sorted that out.

Any help would be greatly appreciated. In fact - half off your next heart
transplant if you stop by our hospital. (We'll just charge more for the gown
or something).

Thanks,
Bruce Lautenschlager

Bruce Lautenschlager

unread,
Jul 13, 2009, 2:32:53 PM7/13/09
to
This was solved by using ADAM ADSI Edit on the CSS to remove the offending
rule and then using the tip found here to force each node in the array to
update its local cache:

https://blogs.technet.com/isablog/archive/2009/01/26/Rebuilding-ISA-Configuration-Cache.aspx

After that, all I had to do was recreate the rule that I deleted.

Whew. Things were going badly, too. Thanks goes to a number of people on
Technet, ISAServer forums, and other MVPs.

Bruce


"Bruce Lautenschlager" <blau...@nospam.nospam> wrote in message
news:OJpfLGVA...@TK2MSFTNGP04.phx.gbl...

0 new messages