How to retrieve current TMG configuration from array nodes' registry and import it into new EMS array
Shabunin Anton, MCSE 2003, MCITP EA, MCT
27 Jul 2012 v 1.1
The only TMG EMS is lost, there is no TMG configuration backup. Now what?
Outline of steps needed to retrieve and restore TMG configuration if no backup is available

- Install a new EMS; make sure it has the same service pack and patches as the array nodes;
- Export the current array configuration from an array node's registry to XML using the export script below;
- Create a new enterprise configuration;
- Create a new array with the same name and DNS name as before;
- Modify the XML file exported from the registry (add/remove/move XML elements according to the list below);
- Import the modified XML into the new array using the import script below or the TMG console;
- Make the configuration consistent: recreate/move missing rules and objects (including enterprise-level ones), make sure that mission-critical rules have no unresolved object references and that the configuration successfully backs up to an XML file;
- Re-establish configuration synchronization: change the array's UUID in EMS LDS so that it matches the current array UUID in the nodes' registry, and wait for the configuration to sync.
Export script - get current array configuration from array node's registry to XML

' tmgexp_from_reg.vbs - run on an array node
' Parameters
'   1 - XML file name to export to; the current date and the .xml extension will be appended
'
' If it fails with
'   tmgexp_from_reg.vbs(41, 7) (null): The Server referenced by Reports Configuration Reports does not exist.
'   The error occurred on object 'Reports' of class 'Reports Configuration' in the scope of array 'ARRAY'.
' then find the current configuration tree in
'   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fpc\Storage
' (e.g. ActiveEffective = \EffecTree2), go to
'   HKEY_LOCAL_MACHINE\IsaStg_Eff2\Arrays\{array guid}\Reports\ReportingServicesProperties\Server
' and zero msFPCName there.
Sub ExportFromRegistry()
    ' Password used to encrypt the secret data (fpcExportImportPasswords) in the export file.
    ' Choose a strong one and protect the resulting XML file: it carries the array's
    ' passwords, shared secrets and SSL certificates.
    pass = "mypassword"
    ' Declare the objects needed
    Dim root     ' The FPCLib.FPC root object
    Dim isaArray ' An FPCArray object
    localDate = FormatDateTime(Date(), 1)
    ' Create the root object.
    Set root = CreateObject("FPC.Root")
    ' VendorMode = true is optional; it is needed only if saving to local storage is required
    root.VendorMode = True
    ' Connect root to local storage (the node's registry copy of the configuration) instead of the EMS
    root.ConnectToLocalStorage
    ' Get a reference to the array object.
    Set isaArray = root.GetContainingArray()
    WScript.Echo "Exporting the configuration of the " & _
        isaArray.Name & " array object to " & _
        WScript.Arguments(0) & " " & localDate & ".xml ..."
    isaArray.ExportToFile WScript.Arguments(0) & " " & localDate & ".xml", 15, pass
    ' 15 = 1 + 2 + 4 + 8:
    ' fpcExportImportPasswords (0x00000001)
    '   The optional data includes encrypted secret data, such as passwords or shared
    '   secrets that are used to create digital signatures for authenticating to RADIUS servers.
    ' fpcExportImportUserPermissions (0x00000002)
    '   The optional data includes the security roles assigned to delegated administrators.
    '   The delegated administrators are identified by the security identifiers (SIDs)
    '   of their user accounts, which are included in this optional data. These SIDs,
    '   which are relevant to the workgroup or domain of the exporting computer, are
    '   not necessarily relevant to that of the importing computer.
    ' fpcExportImportServerSpecific (0x00000004)
    '   The optional data includes server-specific information, which consists of
    '   cache drive settings and SSL certificates.
    ' fpcExportImportEnterpriseSpecific (0x00000008)
    '   The optional data includes information that is specific to ISA Server Enterprise
    '   Edition (available only in ISA Server Enterprise Edition).
    WScript.Echo "Exporting was completed successfully."
    WScript.Quit
End Sub

ExportFromRegistry
Modify XML file which was exported from registry

The following changes are required for a registry-exported XML file to import successfully:

1. No Enterprise element
FIX: copy the Enterprise element (with the default policy) from an XML file exported with the TMG console of the new EMS
2. Enterprise networks are in Root/Arrays/Array/NetConfig/EnterpriseNetworks (5 default ones, the rest are custom)
FIX: move EnterpriseNetworks to Root/Enterprise/NetConfig, or else the import will fail
3. No enterprise policy assigned to the array
FIX: add Root/Arrays/Array/PolicyAssignment (before the ConfigurationStorageServerConnection element), or else the import will fail. The UUID in <fpc4:Name ... must be one of those listed in Enterprise/Policies. The UUID of the default Enterprise policy is {aa53ce81-985c-4362-81cd-51a3e517742c}
<fpc4:PolicyAssignment StorageName="PolicyAssignment" StorageType="1">
<fpc4:Ref StorageName="EnterprisePolicyUsed" StorageType="1">
<fpc4:Name dt:dt="string">{Enterprise policy UUID here}</fpc4:Name>
<fpc4:RefClass dt:dt="string">msFPCPolicy</fpc4:RefClass>
<fpc4:Scope dt:dt="int">1</fpc4:Scope>
</fpc4:Ref>
</fpc4:PolicyAssignment>
4. Security roles at Arrays/Array/AdminSecurity/DelegatedAdmins are different from those in LDS
FIX: replace the AdminSecurity element with the default one below (it has no delegated administrators, so re-add them in the console after the import)
<fpc4:AdminSecurity StorageName="AdminSecurity" StorageType="1">
<fpc4:SecurityRoles StorageName="SecurityRoles" StorageType="1">
<fpc4:SecurityRole StorageName="{e55f4cc7-84c9-48de-809d-8b0e4b34e4dd}" StorageType="1">
<fpc4:Description dt:dt="string">Has full control over the array-level configuration for this array, including permissions to assign array roles. Has read-only access to the enterprise policy applied to this array.</fpc4:Description>
<fpc4:Name dt:dt="string">Forefront TMG Array Administrator</fpc4:Name>
<fpc4:Predefined dt:dt="boolean">1</fpc4:Predefined>
</fpc4:SecurityRole>
<fpc4:SecurityRole StorageName="{b59a032e-1018-4e3a-aaac-9c8a128cd0df}" StorageType="1">
<fpc4:Description dt:dt="string">Has full access to array monitoring and read-only access to the array configuration. Has read-only access to the enterprise policy applied to this array.</fpc4:Description>
<fpc4:Name dt:dt="string">Forefront TMG Array Auditor</fpc4:Name>
<fpc4:Predefined dt:dt="boolean">1</fpc4:Predefined>
</fpc4:SecurityRole>
<fpc4:SecurityRole StorageName="{9c0bfea2-f463-438f-85d2-fcd9e81a9c94}" StorageType="1">
<fpc4:Description dt:dt="string">Has restricted access to array monitoring features. Can view sessions, view and reset alerts, query service status, and verify connectivity.</fpc4:Description>
<fpc4:Name dt:dt="string">Forefront TMG Array Monitoring Auditor</fpc4:Name>
<fpc4:Predefined dt:dt="boolean">1</fpc4:Predefined>
</fpc4:SecurityRole>
</fpc4:SecurityRoles>
<fpc4:DelegatedAdmins StorageName="DelegatedAdmins" StorageType="1"/>
</fpc4:AdminSecurity>
5. Full Arrays/Array/RuleElements/UrlCategorySets and UrlCategories elements
FIX (optional): replace the full UrlCategorySets element with <fpc4:UrlCategorySets StorageName="UrlCategorySets" StorageType="1"/> and delete the UrlCategories element
Import modified XML into new EMS array

If the new EMS has a different name and IP address, first:
- Redirect the array nodes to the new EMS using ChangeStorageServer.vbs;
- Fix the EMS name and address in the XML file before the import (replace "OLD_EMS_NAME" with "NEW_EMS_NAME"):
  - in the "Remote Management Computers" computer set, the <fpc4:IPAddress and <fpc4:Name elements;
  - in the "Enterprise Configuration Storage Servers" domain name set;
  - in the Array element's "ConfigurationStorageServerConnection", the <fpc4:PrimaryConfigurationStorageServer element.
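The XML changes from the list above (fixes 1 to 5) and the EMS rename just described can be scripted instead of done by hand in an editor. The script below is an added example and not part of the original article or its VBScript tooling; it is written in Python 3 (standard library only) because the XML fix-up can be run on any workstation, not only on the EMS. It takes the registry export and a console export of the new EMS, reads the fpc4/dt namespace URIs from the file itself so the prefixes survive re-serialisation, refuses to assign a policy UUID that is not present under Enterprise/Policies, places the inserted elements where the list says, and returns every element touched by the rename so you can review it. The two embedded sample documents are constructed, heavily trimmed stand-ins; the element paths are the ones named in the list, and the importer's ordering rules beyond what the list states are not something the script can check, so the result still has to be verified with the import script or the console.

```python
import xml.etree.ElementTree as ET
from io import BytesIO

DEFAULT_ENTERPRISE_POLICY = "{aa53ce81-985c-4362-81cd-51a3e517742c}"
DEFAULT_ROLES = (  # the three predefined roles from the default AdminSecurity element above
    ("{e55f4cc7-84c9-48de-809d-8b0e4b34e4dd}", "Forefront TMG Array Administrator",
     "Has full control over the array-level configuration for this array, including permissions to "
     "assign array roles. Has read-only access to the enterprise policy applied to this array."),
    ("{b59a032e-1018-4e3a-aaac-9c8a128cd0df}", "Forefront TMG Array Auditor",
     "Has full access to array monitoring and read-only access to the array configuration. "
     "Has read-only access to the enterprise policy applied to this array."),
    ("{9c0bfea2-f463-438f-85d2-fcd9e81a9c94}", "Forefront TMG Array Monitoring Auditor",
     "Has restricted access to array monitoring features. Can view sessions, view and reset alerts, "
     "query service status, and verify connectivity."),
)
# Constructed, heavily trimmed stand-ins for the two input files (a real export is far larger and has
# StorageType attributes throughout); the namespace URIs are the ones TMG exports declare.
SAMPLE_REG = b"""<fpc4:Root xmlns:fpc4="http://schemas.microsoft.com/isa/config-4" xmlns:dt="urn:schemas-microsoft-com:datatypes">
<fpc4: Arrays StorageName="Arrays"><fpc4:Array StorageName="{array-uuid}"><fpc4:AdminSecurity StorageName="AdminSecurity">
<fpc4:DelegatedAdmins StorageName="DelegatedAdmins"><fpc4:DelegatedAdmin StorageName="S-1-5-21-0-0-0-1001"/></fpc4:DelegatedAdmins></fpc4:AdminSecurity>
<fpc4:NetConfig StorageName="NetConfig"><fpc4:EnterpriseNetworks StorageName="EnterpriseNetworks"><fpc4:EnterpriseNetwork StorageName="{default-net}"/>
<fpc4:EnterpriseNetwork StorageName="{custom-net}"/></fpc4:EnterpriseNetworks></fpc4:NetConfig><fpc4:RuleElements StorageName="RuleElements">
<fpc4:ComputerSets StorageName="ComputerSets"><fpc4:ComputerSet StorageName="{cs}"><fpc4:Name dt:dt="string">Remote Management Computers</fpc4:Name>
<fpc4:Computers StorageName="Computers"><fpc4:Computer StorageName="{c}"><fpc4:IPAddress dt:dt="string">10.0.0.5</fpc4:IPAddress>
<fpc4:Name dt:dt="string">OLD_EMS_NAME</fpc4:Name></fpc4:Computer></fpc4:Computers></fpc4:ComputerSet></fpc4:ComputerSets>
<fpc4:UrlCategorySets StorageName="UrlCategorySets"><fpc4:UrlCategorySet StorageName="{ucs}"/></fpc4:UrlCategorySets>
<fpc4:UrlCategories StorageName="UrlCategories"><fpc4:UrlCategory StorageName="{uc}"/></fpc4:UrlCategories></fpc4:RuleElements>
<fpc4:ConfigurationStorageServerConnection StorageName="ConfigurationStorageServerConnection">
<fpc4:PrimaryConfigurationStorageServer dt:dt="string">OLD_EMS_NAME</fpc4:PrimaryConfigurationStorageServer>
</fpc4:ConfigurationStorageServerConnection></fpc4:Array></fpc4:Arrays></fpc4:Root>""".replace(b"<fpc4: Arrays", b"<fpc4:Arrays")
SAMPLE_CONSOLE = b"""<fpc4:Root xmlns:fpc4="http://schemas.microsoft.com/isa/config-4" xmlns:dt="urn:schemas-microsoft-com:datatypes">
<fpc4:Arrays StorageName="Arrays"/><fpc4:Enterprise StorageName="Enterprise"><fpc4:NetConfig StorageName="NetConfig">
<fpc4:EnterpriseNetworks StorageName="EnterpriseNetworks"><fpc4:EnterpriseNetwork StorageName="{default-net}"/></fpc4:EnterpriseNetworks>
</fpc4:NetConfig><fpc4:Policies StorageName="Policies"><fpc4:Policy StorageName="{aa53ce81-985c-4362-81cd-51a3e517742c}"/>
</fpc4:Policies></fpc4:Enterprise></fpc4:Root>"""


def fix_registry_export(reg_xml, console_xml, policy_uuid=DEFAULT_ENTERPRISE_POLICY, rename=None):
    """Apply fixes 1-5 and the EMS rename; returns (patched root, list of (tag, old, new) renamed)."""
    ns = dict(item for _, item in ET.iterparse(BytesIO(reg_xml), events=("start-ns",)))
    for prefix, uri in ns.items():  # keep the fpc4:/dt: prefixes when the tree is re-serialised
        ET.register_namespace(prefix, uri)
    F, DT = "{%s}" % ns["fpc4"], "{%s}dt" % ns["dt"]
    root, console, renamed = ET.fromstring(reg_xml), ET.fromstring(console_xml), []

    def el(parent, name, text=None, dtype=None, **attrs):  # <fpc4:name dt:dt="dtype">text</fpc4:name>
        e = ET.SubElement(parent, F + name, attrs)
        e.text = text
        if dtype:
            e.set(DT, dtype)
        return e

    def swap(parent, old, new):  # replace child `old` with `new` at the same position
        parent.insert(list(parent).index(old), new)
        parent.remove(old)

    array = root.find(F + "Arrays/" + F + "Array")
    # 1. No Enterprise element: take the console export's, at its position relative to Arrays there.
    if root.find(F + "Enterprise") is None:
        ent, ctags = console.find(F + "Enterprise"), [c.tag for c in console]
        pos = list(root).index(root.find(F + "Arrays"))
        root.insert(pos if ctags.index(ent.tag) < ctags.index(F + "Arrays") else pos + 1, ent)
    enterprise = root.find(F + "Enterprise")
    # 2. EnterpriseNetworks (5 defaults + custom) sit under the array: move them up in place of the console's default set.
    netcfg, ent_netcfg = array.find(F + "NetConfig"), enterprise.find(F + "NetConfig")
    nets = netcfg.find(F + "EnterpriseNetworks")
    if nets is not None:
        netcfg.remove(nets)
        old = ent_netcfg.find(F + "EnterpriseNetworks")
        ent_netcfg.insert(list(ent_netcfg).index(old) if old is not None else len(ent_netcfg), nets)
        if old is not None:
            ent_netcfg.remove(old)
    # 3. No enterprise policy assigned: add PolicyAssignment right before ConfigurationStorageServerConnection.
    if array.find(F + "PolicyAssignment") is None:
        known = {p.get("StorageName") for p in enterprise.findall(F + "Policies/" + F + "Policy")}
        if policy_uuid not in known:  # a UUID the enterprise does not list would break the import
            raise ValueError("policy %s not in Enterprise/Policies %s" % (policy_uuid, sorted(known)))
        pa = ET.Element(F + "PolicyAssignment", StorageName="PolicyAssignment", StorageType="1")
        ref = el(pa, "Ref", StorageName="EnterprisePolicyUsed", StorageType="1")
        for n, v, t in (("Name", policy_uuid, "string"), ("RefClass", "msFPCPolicy", "string"), ("Scope", "1", "int")):
            el(ref, n, v, t)
        array.insert(list(array).index(array.find(F + "ConfigurationStorageServerConnection")), pa)
    # 4. DelegatedAdmins carry SIDs/roles the new LDS does not know: reset to the predefined roles only.
    sec = ET.Element(F + "AdminSecurity", StorageName="AdminSecurity", StorageType="1")
    roles = el(sec, "SecurityRoles", StorageName="SecurityRoles", StorageType="1")
    for uuid, name, desc in DEFAULT_ROLES:
        r = el(roles, "SecurityRole", StorageName=uuid, StorageType="1")
        for n, v, t in (("Description", desc, "string"), ("Name", name, "string"), ("Predefined", "1", "boolean")):
            el(r, n, v, t)
    el(sec, "DelegatedAdmins", StorageName="DelegatedAdmins", StorageType="1")
    swap(array, array.find(F + "AdminSecurity"), sec)
    # 5. (optional) Drop the bulky URL category data; the new EMS repopulates it.
    rules = array.find(F + "RuleElements")
    swap(rules, rules.find(F + "UrlCategorySets"),
         ET.Element(F + "UrlCategorySets", StorageName="UrlCategorySets", StorageType="1"))
    rules.remove(rules.find(F + "UrlCategories"))
    # 6. Old EMS name/address -> new: exact-match text replacement anywhere in the tree, reported per element.
    for e in root.iter():
        if e.text in (rename or {}):
            renamed.append((e.tag[len(F):], e.text, rename[e.text]))
            e.text = rename[e.text]
    return root, renamed


def to_bytes(root):  # ready to be written to the file that tmgimp.vbs will import
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)
```

Usage: read both files with open(path, "rb").read(), call fix_registry_export(reg, console, rename={"OLD_EMS_NAME": "NEW_EMS_NAME", "old IP": "new IP"}), look through the returned rename list (the replacement is an exact text match anywhere in the tree, so the list is how you confirm only the computer set entry, the domain name set and PrimaryConfigurationStorageServer were touched), and write to_bytes(root) to the file you pass to tmgimp.vbs.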
' tmgimp.vbs - run on the new EMS
' Parameters
'   1 - XML file to import
'   2 - array name to import to
Sub ImportExport()
    ' Define a constant to indicate the optional data to be exported or imported.
    Const OptionalData = 15
    ' Declare the objects needed
    Dim root     ' The FPCLib.FPC root object
    Dim isaArray ' An FPCArray object
    ' Create the root object (connects to the EMS this script runs on).
    Set root = CreateObject("FPC.Root")
    ' Get a reference to the array object.
    Set isaArray = root.Arrays.Item(WScript.Arguments(1))
    WScript.Echo "Importing the configuration from " & _
        WScript.Arguments(0) & " to the " & _
        isaArray.Name & " array object ..."
    ' Declare and define the optional data for the import method
    Dim iOptionalData: iOptionalData = OptionalData
    ' The password the export file's secret data was encrypted with
    Dim szPassword: szPassword = "mypassword"
    ' Import policy overwrite flag
    Dim bOverwrite: bOverwrite = True
    ' Import services reset flag
    Dim bReset: bReset = False
    ' Import policy reload flag
    Dim bReload: bReload = True
    ' Import file path
    Dim szInFilePath: szInFilePath = WScript.Arguments(0)
    ' Enable script error handling
    On Error Resume Next
    ' Try to import the configuration from the file
    ' Parameters: file path, optional data, password, overwrite, services reset, policy reload
    isaArray.ImportFromFile szInFilePath, iOptionalData, szPassword, bOverwrite, bReset, bReload
    ' isaArray.ImportFromFile WScript.Arguments(0), noOptionalData, , , True
    ' Persist the imported configuration to the EMS (FPC objects write changes on Save)
    If 0 = Err.Number Then isaArray.Save
    If 0 <> Err.Number Then
        WScript.Echo "Failed to import the current array configuration from " & _
            szInFilePath & "; " & Err.Number & "; " & Err.Description
    Else
        WScript.Echo "Importing was completed successfully."
    End If
End Sub

ImportExport
Make configuration consistent

If imported enterprise rules reference non-existent enterprise objects, the console will error out when you click on them, and configuration backup will not work either.

General steps to fix this (a detailed description is at http://blogs.technet.com/b/yuridiogenes/archive/2009/09/18/error-0xc0040357-while-trying-to-backup-isa-server-configuration.aspx):
- Find the object by name in the XML file and note its UUID;
- Find the object in LDS by UUID and make a backup copy of it using ldifde (the example is for a protocol definition; use the container that matches the object's type):
  set cn=CN={Object UUID},CN=Protocols,CN=RuleElements,CN={Array UUID},CN=Arrays,CN=Array-Root,CN=FPC2
  ldifde -f "%cn%.ldf" -s localhost:2171 -d "%cn%"
- Delete the object from LDS.

Before recreating enterprise rules, a new enterprise policy should be created and assigned to the array, since the Default Policy does not allow custom rules to be created.

How to recreate enterprise rules:
- Move the needed rule elements from array level to enterprise level using the array rule copy wizard (right-click the array and select "Copy Array Rule Elements...");
- Create the enterprise rule (find it by name in the XML file and see which components it uses).

You may also try moving an existing array rule to enterprise level:
- Create a new enterprise rule with any parameters;
- Export it to an XML rule file (the file will contain the rule and all objects it references);
- In the XML rule file, replace the
  <fpc4:Root \ <fpc4:Enterprise \ <fpc4:Policies \ <fpc4:Policy \ <fpc4:PolicyRules \ <fpc4:PolicyRule
  element with the corresponding
  <fpc4:Root \ <fpc4:Arrays \ <fpc4:Array \ <fpc4:ArrayPolicy \ <fpc4:PolicyRules \ <fpc4:PolicyRule
  element from the registry XML file;
- Import the modified XML rule file back into the new enterprise rule.
Reestablish configuration synchronization

Although the configuration file was imported, the array servers will not use the EMS configuration. This is because the new array's UUID is different from the one stored in the array nodes' registry: the array UUID was not overwritten when the XML file was imported.

If you change the array UUID in LDS to match the UUID in the nodes' registry, the nodes will recognize the new array.

Be very careful doing this in production, since the configuration from EMS will overwrite the current registry configuration on the array nodes.

ATTENTION! Before changing the array UUID in LDS, make sure that the EMS configuration has all mission-critical rules, that these rules are valid and have no references to non-existent objects, and that the configuration backs up successfully!

After some time the array configuration from EMS will sync to the array nodes and you will be able to manage the array.