Getting error " The operation failed 0x800004005 " while joining TMG server to an EMS Array



Data Collection :


We collected TMG Data Packager in repro mode with "TMG Administration " Template

Data Analysis :

In TMG Tracing (TMG Tracing can only be analyzed by Microsoft CSS) we saw this :

ERROR:m_pXMLDocument->selectSingleNode for path Enterprise/Extensions/ISAPI-Filters/_5F9E8182-4B40-4DDF-BAA7-6F0C3C40F2A6_

0747277 CNF:c60dfa3e-aa6a-41ce-9657-556225fb5a4c failed, hr = 0x80004005(E_FAIL)

The CNF in the path above would indicate a GUID conflict, so we would need to check the Enterprise for duplicate filter registrations. That would explain why it affects e.g. new servers in any array

So we checked in ADAM using ADSI Edit and there were multiple entries for the GUID and we deleted the one with CNF and after that we were able to join server to Array. (Microsoft doesn't recommend deleting stuff from ADAM until you know what you are doing, If you need help contact Microsoft CSS)


My aim to write this blog was to make everyone aware that we suspected issue may have been caused by installing Updates in wrong order.

So what we saw was that first Secondary EMS was updated with Updates and then Primary EMS. 

TMG Service Pack / Update installation order :

http://technet.microsoft.com/en-us/library/ff717843.aspx 
 
For identifying which EMS is primary and which is secondary we need to see which EMS Server holds FSMO Naming or Schema Master roles. It is a bit channging as we dont have GUI option for checking it.

Look for these Article for Identifying / Transfer FSMO Roles

http://technet.microsoft.com/en-us/library/cc758598.aspx


http://support.microsoft.com/kb/234790 

Steps:

  1. Click Start, click Run.
  2. Type cmd in the Open box, and then press ENTER.
  3. Type dsmgmt, and then press ENTER and the type roles and hit ENTER
  4. Type connections, and then press ENTER.
  5. Type connect to server ServerName:port number, (eg. tmg.nwtraders.com:2171) where ServerName is the Name of the Domain Controller you would like to view, and then press ENTER.
  6. Type quit, and then press ENTER.
  7. Type select operation target, and then press ENTER.
  8. Type list roles for connected server, and then press ENTER.

A list is displayed similar to what is listed below. Results may very depending on the roles the particular Domain Controller may hold. If you receive an error message, check the spelling of the commands as the syntax of the commands must be exact. If you need the syntax of a command, type ? at each prompt:

Server "dc1" knows about 5 roles
Schema - CN=NTDS
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=com
Domain - CN=NTDS
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=com
PDC - CN=NTDS
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=com
RID - CN=NTDS
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=com
Infrastructure - CN=NTDS
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=com   

Author :
Junaid Jan - Security Support Escalation Engineer - Forefront Edge Team