ISA Scripting Without “Scripting ISA”


ISA Server 2006 SP1 includes a fix released in September 2007 that allowed ISA 2006 arrays to use multicast and IGMP-aware Integrated NLB. Implementing this change is a four-part process:

1. Install the update (or preferably; SP1)

2. Run the nlbclear utility

3. Run the script with appropriate command-line options

4. Reconfigure Integrated NLB

In order to change the ISA 2006 Integrated NLB so that it can support multicast or IGMP, we need to change the storage schema. Since CSS is based on Active Directory Application Mode (ADAM), any time you change the schema you have to do so at the server which holds the Flexible Single Master of Operations (FSMO) Schema Master Role. The problem encountered by most folks was that although it’s a general truth that the first-installed CSS is the Schema Master, most folks can’t easily determine if this is actually true in their particular deployment. Server failures and replacements can often leave the CSS replication group without a Schema Master. This state won’t normally affect CSS operation, since ISA doesn’t make schema updates as part of normal ISA operations, but when you need to make the changes required by this particular update, or if another update or service pack requires a schema change, the installation will likely fail for lack of a responsive Schema Master.

Since the ISA admin needs a simple way to determine which CSS owns the Schema Master role, I went on a search for such a tool. One TechNet article offers a method using an optional ADAM Schema MMC snap-in, but because I’m a command-line and script geek (I often miss my seriously-modded Kaypro-4); I wanted something a bit less GUI-dependent. Unfortunately, none of the provided ADAM management tools allow you to simply query the FSMO roles without issuing a “transfer” or “seize” command. Unless a FSMO master is missing from the CSS set, why reassign a role just to find out which server currently owns it?”

Check out the rest of this article written by Jim Harrison on the ISA Firewall Team Blog (whoops! It’s changed its name, it’s now the Forefront TMG (ISA Server) Product Team Blog) at:…a.aspx



Thomas W Shinder, M.D.

Email: [email protected]
MVP — Microsoft Firewalls (ISA)

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top