The only TMG EMS is lost, no backup. Now what?

How to retrieve current TMG configuration from array nodes' registry and import it into array at new EMS

Shabunin Anton, MCSE 2003, MCITP EA, MCT

26 Jul 2012 v 1.0

Outline of steps needed to retrieve and restore TMG configuration if no backup is available

 

Export script - get current array configuration from array node's registry to XML

' If the export fails with the error
'   tmgexp_from_reg.vbs(41, 7) (null): The Server referenced by Reports Configuration Reports does not exist.
'   The error occurred on object 'Reports' of class 'Reports Configuration' in the scope of array 'ARRAY'.
' the Reports object refers to a reporting server that no longer exists; clear that reference:
' find the current config tree under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fpc\Storage
' (e.g. ActiveEffective = \EffecTree2), go to
' HKEY_LOCAL_MACHINE\IsaStg_Eff2\Arrays\{array guid}\Reports\ReportingServicesProperties\Server
' and zero msFPCName there, then run the export again.

' tmgexp_from_reg.vbs - export the current array configuration from this node's
' local (registry) storage to an XML file. Run on an array member:
'   cscript tmgexp_from_reg.vbs <output file base name>

Sub ExportFromRegistry()
    ' Password used to encrypt the secret data (flag 1 below) inside the XML file
    pass = "mypassword"
    ' Declare the objects needed
    Dim root      ' The FPCLib.FPC root object
    Dim isaArray  ' An FPCArray object
    Dim localDate ' Date stamp appended to the output file name
    If WScript.Arguments.Count < 1 Then
        WScript.Echo "Usage: cscript tmgexp_from_reg.vbs <output file base name>"
        WScript.Quit 1
    End If
    localDate = FormatDateTime(Date(), 1)
    ' Create the root object.
    Set root = CreateObject("FPC.Root")
    ' VendorMode = True is optional; needed only if saving to local storage is required
    root.VendorMode = True
    ' Connect root to local (registry) storage instead of the EMS
    root.ConnectToLocalStorage
    ' Get a reference to the array object.
    Set isaArray = root.GetContainingArray()
    WScript.Echo "Exporting the configuration of the " & _
                 isaArray.Name & " array object to " & _
                 WScript.Arguments(0) & " " & localDate & ".xml" & " ..."
    isaArray.ExportToFile WScript.Arguments(0) & " " & localDate & ".xml", 15, pass
    ' 15 = 1 + 2 + 4 + 8, the optional-data flags:
    ' fpcExportImportPasswords (0x00000001)
    '   The optional data includes encrypted secret data, such as passwords or shared secrets that are used to create digital signatures for authenticating to RADIUS servers.
    ' fpcExportImportUserPermissions (0x00000002)
    '   The optional data includes the security roles assigned to delegated administrators. The delegated administrators are identified by the security identifiers (SIDs) of their user accounts, which are included in this optional data. These SIDs, which are relevant to the workgroup or domain of the exporting computer, are not necessarily relevant to that of the importing computer.
    ' fpcExportImportServerSpecific (0x00000004)
    '   The optional data includes server-specific information, which consists of cache drive settings and SSL certificates.
    ' fpcExportImportEnterpriseSpecific (0x00000008)
    '   The optional data includes information that is specific to ISA Server Enterprise Edition (available only in ISA Server Enterprise Edition).
    WScript.Echo "Exporting was completed successfully."
    WScript.Quit
End Sub

ExportFromRegistry

 

Modify XML file which was exported from registry

The following changes are required for the registry-exported XML file to import successfully. Each item first states what the registry-exported XML file contains, then how to fix it so that it imports.

1. Contains: no Enterprise element.

   Fix: export the XML configuration of any valid enterprise array and copy its Enterprise element into the file.

2. Contains: enterprise networks under Root/Arrays/Array/NetConfig/EnterpriseNetworks.

   Fix: move EnterpriseNetworks to Root/Enterprise/NetConfig, or else the import will fail.

 

3. Contains: no enterprise policy assigned to the array.

   Fix: add Root/Arrays/Array/PolicyAssignment (before the ConfigurationStorageServerConnection element), or else the import will fail. The UUID in <fpc4:Name ...> must match one of the policies in Enterprise/Policies. The UUID of the default Enterprise policy is {aa53ce81-985c-4362-81cd-51a3e517742c}.

<fpc4:PolicyAssignment StorageName="PolicyAssignment" StorageType="1">
  <fpc4:Ref StorageName="EnterprisePolicyUsed" StorageType="1">
    <fpc4:Name dt:dt="string">{Your enterprise policy UUID here}</fpc4:Name>
    <fpc4:RefClass dt:dt="string">msFPCPolicy</fpc4:RefClass>
    <fpc4:Scope dt:dt="int">1</fpc4:Scope>
  </fpc4:Ref>
</fpc4:PolicyAssignment>

4. Contains: security roles at Arrays/Array/AdminSecurity/DelegatedAdmins that differ from those in LDS.

   Fix: replace the AdminSecurity element with the default one below (its DelegatedAdmins element is empty, so no SIDs from the exporting computer's domain or workgroup are carried over).

<fpc4:AdminSecurity StorageName="AdminSecurity" StorageType="1">
  <fpc4:SecurityRoles StorageName="SecurityRoles" StorageType="1">
    <fpc4:SecurityRole StorageName="{e55f4cc7-84c9-48de-809d-8b0e4b34e4dd}" StorageType="1">
      <fpc4:Description dt:dt="string">Has full control over the array-level configuration for this array, including permissions to assign array roles. Has read-only access to the enterprise policy applied to this array.</fpc4:Description>
      <fpc4:Name dt:dt="string">Forefront TMG Array Administrator</fpc4:Name>
      <fpc4:Predefined dt:dt="boolean">1</fpc4:Predefined>
    </fpc4:SecurityRole>
    <fpc4:SecurityRole StorageName="{b59a032e-1018-4e3a-aaac-9c8a128cd0df}" StorageType="1">
      <fpc4:Description dt:dt="string">Has full access to array monitoring and read-only access to the array configuration. Has read-only access to the enterprise policy applied to this array.</fpc4:Description>
      <fpc4:Name dt:dt="string">Forefront TMG Array Auditor</fpc4:Name>
      <fpc4:Predefined dt:dt="boolean">1</fpc4:Predefined>
    </fpc4:SecurityRole>
    <fpc4:SecurityRole StorageName="{9c0bfea2-f463-438f-85d2-fcd9e81a9c94}" StorageType="1">
      <fpc4:Description dt:dt="string">Has restricted access to array monitoring features. Can view sessions, view and reset alerts, query service status, and verify connectivity.</fpc4:Description>
      <fpc4:Name dt:dt="string">Forefront TMG Array Monitoring Auditor</fpc4:Name>
      <fpc4:Predefined dt:dt="boolean">1</fpc4:Predefined>
    </fpc4:SecurityRole>
  </fpc4:SecurityRoles>
  <fpc4:DelegatedAdmins StorageName="DelegatedAdmins" StorageType="1"/>
</fpc4:AdminSecurity>

5. Contains: full Arrays/Array/RuleElements/UrlCategorySets and UrlCategories elements.

   Fix (optional): replace the full UrlCategorySets element with <fpc4:UrlCategorySets StorageName="UrlCategorySets" StorageType="1"/> and delete the UrlCategories element.
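The five fixes above as one script, added here as an example and not part of the original note: it applies fixes 1-5 to a registry-exported file, using an export of a valid enterprise array as the donor for the Enterprise element, and then re-checks the result against the table, including whether the policy UUID placed in PolicyAssignment actually exists under Enterprise/Policies. The fpc4 and dt namespace URIs, the attribute layout and the two embedded sample documents are assumptions constructed for this example; compare the URIs with the header of a real export before running it against one.

```python
import copy
import xml.etree.ElementTree as ET
# Assumed namespace URIs: check them against the header of a real export first.
FPC4, DT = "http://schemas.microsoft.com/isa/config-4", "urn:schemas-microsoft-com:datatypes"
NS, DT_ATTR = {"fpc4": FPC4, "dt": DT}, "{%s}dt" % DT
ET.register_namespace("fpc4", FPC4)
ET.register_namespace("dt", DT)
DEFAULT_ENTERPRISE_POLICY = "{aa53ce81-985c-4362-81cd-51a3e517742c}"  # from the note
def q(tag): return "{%s}%s" % (FPC4, tag)  # Clark-notation tag in the fpc4 namespace

# Predefined roles of the note's default AdminSecurity element (fix 4): GUID, name, description.
DEFAULT_ROLES = (
    ("{e55f4cc7-84c9-48de-809d-8b0e4b34e4dd}", "Forefront TMG Array Administrator",
     "Has full control over the array-level configuration for this array, including permissions to assign array roles. Has read-only access to the enterprise policy applied to this array."),
    ("{b59a032e-1018-4e3a-aaac-9c8a128cd0df}", "Forefront TMG Array Auditor",
     "Has full access to array monitoring and read-only access to the array configuration. Has read-only access to the enterprise policy applied to this array."),
    ("{9c0bfea2-f463-438f-85d2-fcd9e81a9c94}", "Forefront TMG Array Monitoring Auditor",
     "Has restricted access to array monitoring features. Can view sessions, view and reset alerts, query service status, and verify connectivity."),
)

def default_admin_security():
    # Three predefined roles plus an empty DelegatedAdmins, so no SIDs from the old LDS survive
    sec = ET.Element(q("AdminSecurity"), StorageName="AdminSecurity", StorageType="1")
    roles = ET.SubElement(sec, q("SecurityRoles"), StorageName="SecurityRoles", StorageType="1")
    for guid, name, desc in DEFAULT_ROLES:
        role = ET.SubElement(roles, q("SecurityRole"), StorageName=guid, StorageType="1")
        ET.SubElement(role, q("Description"), {DT_ATTR: "string"}).text = desc
        ET.SubElement(role, q("Name"), {DT_ATTR: "string"}).text = name
        ET.SubElement(role, q("Predefined"), {DT_ATTR: "boolean"}).text = "1"
    ET.SubElement(sec, q("DelegatedAdmins"), StorageName="DelegatedAdmins", StorageType="1")
    return sec

def fix_registry_export(export_xml, donor_xml, policy_uuid=DEFAULT_ENTERPRISE_POLICY, stub_url_categories=True):
    # donor_xml: export of any valid enterprise array, the source of the Enterprise element (fix 1)
    root = ET.fromstring(export_xml)
    arr = root.find("fpc4:Arrays/fpc4:Array", NS)
    if root.find("fpc4:Enterprise", NS) is None:
        root.insert(0, copy.deepcopy(ET.fromstring(donor_xml).find("fpc4:Enterprise", NS)))
    ent = root.find("fpc4:Enterprise", NS)
    nets = arr.find("fpc4:NetConfig/fpc4:EnterpriseNetworks", NS)
    if nets is not None:  # fix 2: EnterpriseNetworks belong under Root/Enterprise/NetConfig
        arr.find("fpc4:NetConfig", NS).remove(nets)
        ent_net = ent.find("fpc4:NetConfig", NS)  # a valid enterprise export carries this element
        for stale in ent_net.findall("fpc4:EnterpriseNetworks", NS):  # drop the donor's networks
            ent_net.remove(stale)
        ent_net.append(nets)
    if arr.find("fpc4:PolicyAssignment", NS) is None:  # fix 3: PolicyAssignment before the CSS connection
        pa = ET.Element(q("PolicyAssignment"), StorageName="PolicyAssignment", StorageType="1")
        ref = ET.SubElement(pa, q("Ref"), StorageName="EnterprisePolicyUsed", StorageType="1")
        ET.SubElement(ref, q("Name"), {DT_ATTR: "string"}).text = policy_uuid
        ET.SubElement(ref, q("RefClass"), {DT_ATTR: "string"}).text = "msFPCPolicy"
        ET.SubElement(ref, q("Scope"), {DT_ATTR: "int"}).text = "1"
        cssc = arr.find("fpc4:ConfigurationStorageServerConnection", NS)
        arr.insert(list(arr).index(cssc) if cssc is not None else len(arr), pa)
    old = arr.find("fpc4:AdminSecurity", NS)  # fix 4: swap in the default AdminSecurity
    pos = list(arr).index(old) if old is not None else len(arr)
    if old is not None:
        arr.remove(old)
    arr.insert(pos, default_admin_security())
    rules = arr.find("fpc4:RuleElements", NS)
    if stub_url_categories and rules is not None:  # fix 5 (optional): empty UrlCategorySets stub
        for el in rules.findall("fpc4:UrlCategorySets", NS) + rules.findall("fpc4:UrlCategories", NS):
            rules.remove(el)
        ET.SubElement(rules, q("UrlCategorySets"), StorageName="UrlCategorySets", StorageType="1")
    return ET.tostring(root, encoding="unicode")

def check_before_import(xml_text):
    # Problems from the note's table that are still present; an empty list means ready to import
    root, problems = ET.fromstring(xml_text), []
    ent, arr = root.find("fpc4:Enterprise", NS), root.find("fpc4:Arrays/fpc4:Array", NS)
    if ent is None:
        problems.append("no Enterprise element")
    if arr is None:
        return problems + ["no Arrays/Array element"]
    if arr.find("fpc4:NetConfig/fpc4:EnterpriseNetworks", NS) is not None:
        problems.append("EnterpriseNetworks still under Array/NetConfig")
    pa, cssc = arr.find("fpc4:PolicyAssignment", NS), arr.find("fpc4:ConfigurationStorageServerConnection", NS)
    if pa is None:
        problems.append("no PolicyAssignment")
    else:
        name = pa.findtext("fpc4:Ref/fpc4:Name", default="", namespaces=NS)
        known = {p.get("StorageName") for p in (ent.findall("fpc4:Policies/fpc4:Policy", NS) if ent is not None else [])}
        if name not in known:
            problems.append("PolicyAssignment refers to unknown enterprise policy " + name)
        if cssc is not None and list(arr).index(pa) > list(arr).index(cssc):
            problems.append("PolicyAssignment must precede ConfigurationStorageServerConnection")
    if arr.find("fpc4:AdminSecurity/fpc4:DelegatedAdmins/*", NS) is not None:
        problems.append("DelegatedAdmins still lists SIDs from the old LDS")
    return problems

# Constructed, minimal stand-ins for a registry export and for a valid enterprise export.
SAMPLE_EXPORT = """<fpc4:Root xmlns:fpc4="%s" xmlns:dt="%s"><fpc4:Arrays StorageName="Arrays" StorageType="1"><fpc4:Array StorageName="{00000000-0000-0000-0000-000000000001}" StorageType="1">
<fpc4:NetConfig StorageName="NetConfig" StorageType="1"><fpc4:EnterpriseNetworks StorageName="EnterpriseNetworks" StorageType="1"><fpc4:EnterpriseNetwork StorageName="HQ" StorageType="1"/></fpc4:EnterpriseNetworks></fpc4:NetConfig>
<fpc4:AdminSecurity StorageName="AdminSecurity" StorageType="1"><fpc4:DelegatedAdmins StorageName="DelegatedAdmins" StorageType="1"><fpc4:DelegatedAdmin StorageName="S-1-5-21-1-2-3-1001" StorageType="1"/></fpc4:DelegatedAdmins></fpc4:AdminSecurity>
<fpc4:RuleElements StorageName="RuleElements" StorageType="1"><fpc4:UrlCategorySets StorageName="UrlCategorySets" StorageType="1"><fpc4:UrlCategorySet StorageName="x"/></fpc4:UrlCategorySets><fpc4:UrlCategories StorageName="UrlCategories" StorageType="1"><fpc4:UrlCategory StorageName="y"/></fpc4:UrlCategories></fpc4:RuleElements>
<fpc4:ConfigurationStorageServerConnection StorageName="ConfigurationStorageServerConnection" StorageType="1"/></fpc4:Array></fpc4:Arrays></fpc4:Root>""" % (FPC4, DT)
SAMPLE_DONOR = """<fpc4:Root xmlns:fpc4="%s" xmlns:dt="%s"><fpc4:Enterprise StorageName="Enterprise" StorageType="1"><fpc4:NetConfig StorageName="NetConfig" StorageType="1"/>
<fpc4:Policies StorageName="Policies" StorageType="1"><fpc4:Policy StorageName="%s" StorageType="1"/></fpc4:Policies></fpc4:Enterprise></fpc4:Root>""" % (FPC4, DT, DEFAULT_ENTERPRISE_POLICY)
```

On a real file, read the registry export and the donor export from disk, pass both to fix_registry_export, and only write the result out once check_before_import returns an empty list; the check also catches a hand-edited file whose PolicyAssignment names a policy the Enterprise element does not carry, which is the case the note warns about in fix 3.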

 

Import modified XML into new EMS array

If the new EMS has a different name and IP address, first:

' tmgimp.vbs - import a (modified) array configuration XML into an array on the new EMS.
' Parameters:
'   1 - xml file to import
'   2 - array name to import to
' Usage: cscript tmgimp.vbs <xml file> <array name>

Sub ImportToArray()
    ' Optional data to import: 15 = passwords (1) + user permissions (2) +
    ' server-specific (4) + enterprise-specific (8); must match what was exported.
    Const OptionalData = 15
    ' Declare the objects needed
    Dim root      ' The FPCLib.FPC root object
    Dim isaArray  ' An FPCArray object
    If WScript.Arguments.Count < 2 Then
        WScript.Echo "Usage: cscript tmgimp.vbs <xml file> <array name>"
        WScript.Quit 1
    End If
    ' Create the root object.
    Set root = CreateObject("FPC.Root")
    ' Get a reference to the array object.
    Set isaArray = root.Arrays.Item(WScript.Arguments(1))
    WScript.Echo "Importing the configuration from " & _
                 WScript.Arguments(0) & " to the " & _
                 isaArray.Name & " array object ..."
    ' Optional data flags for the import method
    Dim iOptionalData: iOptionalData = OptionalData
    ' Password the export file was encrypted with
    Dim szPassword: szPassword = "mypassword"
    ' Overwrite the existing array configuration
    Dim bOverwrite: bOverwrite = True
    ' Do not reset the services after the import
    Dim bReset: bReset = False
    ' Reload the policy after the import
    Dim bReload: bReload = True
    ' Path of the XML file to import
    Dim szInFilePath: szInFilePath = WScript.Arguments(0)
    ' Enable script error handling
    On Error Resume Next
    ' Try to import the configuration from the file
    ' parameters - FILEPATH, optdata, password, overwrite, services reset, policy reload
    isaArray.ImportFromFile szInFilePath, iOptionalData, szPassword, bOverwrite, bReset, bReload
    If 0 <> Err.Number Then
        WScript.Echo "Failed to import the current array configuration from " & _
                     szInFilePath & "; " & Err.Number & "; " & Err.Description
        WScript.Quit 1
    End If
    WScript.Echo "Import completed successfully."
End Sub

ImportToArray

 

Make configuration consistent

If imported enterprise rules reference non-existent enterprise objects, the console will error out when you click on them, and configuration backup will not work either.

General steps to fix this (a detailed description is at http://blogs.technet.com/b/yuridiogenes/archive/2009/09/18/error-0xc0040357-while-trying-to-backup-isa-server-configuration.aspx):

Before recreating enterprise rules, create a new enterprise policy and assign it to the array, since the Default Policy does not allow creating custom rules.

How to recreate enterprise rules:

·        Move the needed rule elements from array level to enterprise level using the array rule copy wizard (right-click the array and select "Copy Array Rule Elements…");

·        Create the enterprise rule (find it by name in the XML file and see which components it uses).

You may also try moving an existing array rule to the enterprise level:

Reestablish configuration synchronization

Although the configuration file was imported, the array servers will not use the EMS configuration yet. This is because the new array UUID differs from the one stored in the array nodes' registry: when the XML file was imported, the array UUID was not overwritten.

If you change the array UUID in LDS to match the UUID in the node's registry, the node will recognize the new array.

Be very careful doing this in production, since the configuration from the EMS will overwrite the current registry configuration on the array nodes.

After some time the array configuration from the EMS will sync to the array nodes.

ATTENTION! Before changing the array UUID, make sure that the EMS configuration has all mission-critical rules, that these rules are valid and do not reference non-existent objects, and that the configuration backs up successfully!