Indeed, why would I want to transfer the FMSO roles of my CSSs (Configuration Storage Servers)?
First a little background. The CSS is based on Active Directory Application Mode storage, which is now called Active Directory Lightweight Directory Services in the Windows Server 2008 parlance (AD LDS).
ADAM is essentially a lightweight (in other words, not as big as AD) directory service that applications can plug into and store information. In the case of the Enterprise version of the ISA firewall (and all versions of the Forefront TMG firewall), configuration information is stored in ADAM/AD LDS.
Now back to the question. When would you want to transfer the FSMO roles from one instance of CSS to a second instance? Typically, the first instance of the CSS is the FSMO role holder for the CSSs (you can only have two, so you don’t have to worry about a large and sprawling CSS network, like you have to worry about with large AD deployments). If you plan on removing the first instance of CSS, such as would be the case if you’re going to take down and replace the machine hosting the first instance of the CSS. In this siutation you’re going to need to assign the second instance of the CSS the FSMO roles hosted by the first instance.
If you’re not up to speed on the CSS, or feel that you need a refresher, then check out http://technet.microsoft.com/en-us/library/cc302686.aspx This article has a lot of useful information about troubleshooting CSS installations.
So how do you perform this task? Unfortunately, it’s like a “play to fix” solution. But there is a solution. Keith Abluton did a very nice blog post on the ISA/TMG firewall Team blog that provides the step by steps in a very clear fashion that will get you to the fix in no time flat.
Check out Keith’s blog post over at:
HTH,
Tom
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com
PROWESS CONSULTING | Microsoft Forefront Security Specialist
Email: [email protected]
MVP — Forefront Edge Security (ISA/TMG/IAG)