How to Fix being unable to add, edit or delete domain controllers in the Domain Controllers Computer Set on Microsoft TMG or ISA 2006

TMG-EditSystemPolicyThere seems to be a bug in Microsoft’s TMG (Threat Management Gateway) / ISA 2006 (Internet Security and Acceleration Server) that once installed and configured, prevents an administrator from modifying the entries in the Domain Controllers Computer Set.  This Computer set is used in a number of System Policies and if you ever do an IP address change of a DC contained in this group (which is what I needed to do), it needs to be changed for things to continue to function correctly.  Firstly, we will need to get into the Registry to verify the GUID of the Computer Set (be default it is generally {F77C3B63-0DD8-440B-9921-A9341533A9C6}).  Navigate to HKLM\Software\Microsoft\Fpc\Storage\Array-Root\Arrays\{GUID}\RuleElements\ComputerSets and find the Domain Controllers computer set and note down the GUID.

Now we need to start-up ADSI Edit on the TMG / ISA machine.  Connect to localhost on port 2171 with the Naming Context CN=FPC2. Expand to the following CN=FPC2, CN=Array-Root, CN=Arrays, CN={3E5A92A0-0C54-4BD5-A8EB-1A0F1E77FF79}, CN=RuleElements, CN=ComputerSets.  Locate the GUID we found before and right-click and select properties.  Now under the Attribute Editor find msFPCPrefined attribute and set it from True to False.

Restart the TMG / ISA Console (no need to restart any services) and you should now be able to go into the Domain Controllers Computer Set and perform changes as required.

Leave a Reply

Your email address will not be published. Required fields are marked *