Before we start explaining how Forefront TMG stores its configuration data, I would like to explain the new terminology used in Forefront TMG. There are two different terms which are now commonly used:
EMS (Enterprise Management Server)
CSS (Configuration Storage Server)
The Enterprise Management Server is a server which is used to manage a TMG Enterprise Array or even possibly, a standalone server. The EMS must be installed on a member Server with no other Forefront TMG services. Installation on a Windows Domain Controller is also not supported. You do not have to buy a TMG license for the installed EMS. If you are experienced with ISA Server 2006 Enterprise, the Forefront TMG EMS is nearly the same as the Configuration Storage Server (CSS) used in ISA Server 2006 Enterprise with a few differences. With Forefront TMG it is now possible to join or disjoin an array after TMG installation. This makes enterprise configuration much more flexible because you do not have to uninstall and reinstall the Forefront TMG Server to join other TMG arrays. It is also possible to update a Forefront TMG Standard version to Forefront TMG Enterprise without reinstallation.
The Configuration Storage Server (CSS) is used for all local TMG installations and provides storage for the TMG Server configuration. EveryForefront TMG server has a local CSS. When the TMG administrator joins the Server to a TMG Array, the local TMG Server will use the Enterprise Management Server (EMS). When the Enterprise CSS is applied, the local CSS (AD-LDS instance) will be disabled.
Let us first have a look at the installed Active Directory Lightweight Directory service installation. The Forefront TMG Setup preparation tool installs the Windows Server AD-LDS. AD-LDS will be used by Forefront TMG to save the TMG configuration data.
Figure 1: Installed AD-LDS services
The ISASTGCTRL service is the AD-LDS service for the Windows AD-LDS instance. The Forefront TMG storage service (ISASTG) is responsible for storing the TMG configuration in AD-LDS and the local Windows registry.
Connecting to the Forefront TMG configuration via ADSIEDIT
Because the AD-LDS instance uses a directory structure like its big brother Active Directory, it is possible to connect to the AD-LDS instance via tools like LDP ADSIEDIT and other LDAP tools. For the example in this article we will use ADSIEDIT to connect to the AD-LDS instance. Start ADSIEDIT, and select CN=FPC2 as the CN, specify the server name with port 2171 and after that you will be able to connect to the data store of the AD-LDS instance.
Figure 2: Connect to AD-LDS via ADSIEDIT
As shown in the following screenshot you will see entire Forefront TMG configuration.
It is possible to change and add entries in the TMG configuration via ADSIEDIT but I strongly recommend not using ADSIEDIT to modify settings, if you are not absolutely familiar about the effects of such changes.
Figure 3: Forefront TMG configuration in ADSIEDIT
Microsoft Forefront TMG Storage
During the Forefront TMG installation a service called Microsoft Forefront TMG Storage (ISASTG) will be created which provides Forefront TMG configuration storage and for interaction with the local registry which is used to save the TMG configuration locally.
Figure 4: Forefront TMG storage (ISASTG)
The AD-LDS instance installs a service called ADAM_ISASTGCTRL which is used to control the local installed AD-LDS instance. This service will be stopped and set to startup type DISABLED when the Forefront TMG Enterprise Server joins an array managed by a Forefront EMS.
Figure 5: AD-LDS instance
AD-LDS database location
The Microsoft Forefront TMG AD-LDS instance is stored in the installation directory of Forefront TMG in a subdirectory called ADAMData.
Figure 6: AD-LDS database location
Forefront TMG configuration in the Registry
The Forefront TMG configuration will be stored in the local AD-LDS instance if the Forefront TMG Server is a standalone server or managed by a local array. A copy of the Forefront TMG configuration is also stored in the local registry under HKEY_LOCAL_MACHINE. Every time a new TMG configuration change has been applied by the Forefront TMG management console, the local registry gets updated. The Forefront TMG storage service is responsible for this task.
Figure 7: Forefront TMG configuration in the registry
Stopped TMG services (TMG Storage)
If you stop the Forefront TMG Storage service, the registry keys will be deleted and automatically recreated after the service has successfully started again.
Figure 8: No Forefront TMG registry entries after the TMG storage service has been stopped
If you decide to join the Forefront TMG server to an array managed by an EMS (Enterprise Management Server), this is possible without uninstalling and reinstalling Forefront TMG. Start the TMG Management console and start the Join Array Wizard.
Figure 9: Join an array managed by an EMS Server
During joining the TMG EMS, the local ISASTGCTRL service will be stopped and disabled.
Figure 10: The ADAM ISASTGCTRL service gets disabled
In this article, I tried to show you where Forefront TMG saves the Forefront TMG configuration settings. Forefront TMG Standard and Enterprise uses AD-LDS to store the configuration but a copy of the TMG configuration is also stored in the local registry. If a Forefront TMG Enterprise Server joins an array managed by an EMS, the local AD-LDS instance (controlled by the ISASTRGCTRL service) will be disabled.