Installing ISA Server Enterprise Edition on a domain controller places your firewall on a directory server (which is not a good plan); however, installing only the CSS on a domain controller is beneficial in many situations (for example, branch office deployment with limited server capacity). Under these circumstances, follow the steps described in the section entitled "Installing Configuration Storage Server," but modify the following steps:
Account credentials: A typical installation would configure the CSS to run under the context of the Network Service account. On a domain controller, this is not a viable option. The preferred method is to configure an account on the domain controller that is not a member of the Domain Admins group.
To specify an account not in the Domain Admins group during the installation of the CSS, complete these steps:
1. On the Configuration Storage Server Service Account page, create a domain user account you will use for the CSS server, and type the user credentials as shown in Figure 3-4.
2. Open the \Program Files\Microsoft ISA Server\ADAMData folder, locate the DNSDomain.bat file (where DNSDomain is the FQDN of your domain), and run it from the command line.
   This batch file is created when the user account under which ADAM runs doesn't have the required right in Active Directory. The batch file registers the Service Principal Name (SPN) that array members use to authenticate to the CSS server.
3. On the domain controller that contains the CSS, run the ADSI Edit tool by clicking Start, Run, typing ADSIEdit.msc, and clicking OK. Locate the CN=CSS object, and grant the user account you created the Create All Child Objects permission. Close ADSI Edit.
   If ADSI Edit is not already installed, install it by opening the Support\Tools folder on the Windows Server 2003 CD, double-clicking Suptools.msi, clicking Install, and then following the steps in the Windows Support Tools Setup Wizard.
4. Using Active Directory Users And Computers or the Group Policy Management console, open the Default Domain Controller GPO for editing, expand Computer Configuration, Windows Settings, Security Settings, and Local Policies, and then click the User Rights Assignment node. In the rightmost pane, double-click the Generate Security Audits right, add the user account you created, and then click OK. Close the Group Policy Object Editor.
Figure 3-4: Specify a user account when installing CSS on a domain controller, and give it a long and complex password.
You must repeat steps 2 and 3 for any replica CSS servers you install.
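After completing the procedure, the three security-relevant outcomes (the account is outside Domain Admins, the SPN is registered, and the Generate Security Audits right is assigned) can be checked from a prompt on the domain controller. The following script is an added example, not part of the original text; the domain name EXAMPLE and the account name svc-isacss are placeholders, and it assumes PowerShell and the dsquery, dsget, setspn and secedit tools are available on the server.

```powershell
# Added example, not from the original text. Run elevated on the domain
# controller that hosts the CSS, after Group Policy has refreshed.
param(
    [string]$Domain  = 'EXAMPLE',     # placeholder NetBIOS domain name
    [string]$Account = 'svc-isacss'   # hypothetical CSS service account name
)

# Check 1: the account is not in Domain Admins, directly or through nesting.
# Assumes the group still carries its default English name.
$groups = dsquery user -samid $Account | dsget user -memberof -expand
$inDomainAdmins = [bool]($groups | Where-Object { $_ -match '^\s*"?CN=Domain Admins,' })

# Check 2: list the SPNs registered on the account. The expected value is
# whatever DNSDomain.bat registered; compare the output against that file.
$spns = setspn -L "$Domain\$Account"

# Check 3: Generate Security Audits is SeAuditPrivilege in the exported
# user rights. Entries are normally written as *SID, occasionally as names.
# Only a direct assignment is detected, which is what step 4 configures.
$nt  = New-Object System.Security.Principal.NTAccount($Domain, $Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
$inf = Join-Path $env:TEMP 'css-user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$auditLine = Get-Content $inf |
    Where-Object { $_ -match '^SeAuditPrivilege\s*=' } |
    Select-Object -First 1
$holders = @()
if ($auditLine) {
    $holders = ($auditLine -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') }
}
$hasAuditRight = ($holders -contains $sid) -or
                 ($holders -contains $Account) -or
                 ($holders -contains "$Domain\$Account")
Remove-Item $inf -ErrorAction SilentlyContinue

# Report
"Member of Domain Admins  : $inDomainAdmins (expected False)"
"Generate Security Audits : $hasAuditRight (expected True)"
"SPNs registered on $Domain\$Account (compare with DNSDomain.bat):"
$spns
```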