mbromb asked:
Forefront TMG SP1 error primary configuration storage server could not be established on port 2171

After a clean install of Windows 2008 R2, FTMG, then FTMG SP1, I'm getting an error from the BPA for ports 2171 and 2172, shown below.  It seems to be erroneous, but I can't find any info on it.  Can anyone shed some light?

--------------------
A connection to the primary configuration storage server psys-sltc-tmg2 could not be established on port 2171. Check that the configuration storage server is functioning properly. Error code: 2171 Not Available.
--------------------
Bembi:

Check if you have added your servers to the associated computer sets. There are a few system rules which allow the communication between array members and the configuration storage server (if not a single deployment). At least all servers should be part of the Array Members group.
mbromb (ASKER):
They are members of the Array Members and Managed Server Computers sets.  All communication seems fine.  An LDAP connection to tmg1 from tmg1 (array manager) on port 2171 works, but not to tmg2 (managed).  LDAP from tmg2 to tmg2 doesn't work, but does to tmg1.  That makes sense I believe, since they use the manager's config.
Bembi:
Ports 2171 and 2172 are MS Firewall Storage and are covered by System Rule 33 (Allow remote control to configuration storage to the local machine) and Rule 34 (Allow access from trusted servers to the local machine).
There is a need to access the storage server from any array member.
Array Servers are members of both rules.
LDAP to localhost is Rule 52 and disabled by default, if not covered by another user-specific rule. But LDAP is used only for the AD LDS, which is on your configuration storage server.
Both servers must sync; if this happens, your config is OK so far. Otherwise you get errors in your TMG console.
mbromb (ASKER):
Is this possibly expected behaviour?  The array servers are communicating perfectly.  Maybe only the manager (CSS) ADAM instance is readable/writable and so connecting to a managed array member won't work.
Bembi:
Have you installed the newest BPA? There is now a special version for TMG.
Also, it may be that they changed the default access to AD LDS; Windows 2008 suggests all the time in the event log to secure the AD LDS.
Maybe the BPA just tries to access the AD LDS unsecured and does not get access due to the changed security settings.

If your TMG servers do not throw errors about this issue, so that sync works fine, I would just say it is a BPA issue.
For the Windows 2008 servers, there is a KB article about securing AD LDS:
http://support.microsoft.com/kb/935834 
mbromb (ASKER):
I did run the TMG BPA.  Well, that's the question.  It seems to be something that the BPA spits out, but is not an actual problem.  It would be nice if someone could chime in to get some sort of consensus, or verify that.
Bembi:
Are you sure that you have an active AD LDS instance running on the member server? Besides the registry, the AD LDS instance stores the configuration.
mbromb (ASKER):
How do I check for an active AD LDS instance?  This is becoming a moot point.  Everything is working, and I don't want to spend any more real time on this, but if there's a quick verification then that would do.  Otherwise, I'm just going to close this question.

Thanks,
matt
Bembi:
Go to Server Manager - Roles.
You should have the role "Active Directory Lightweight Directory Services" there.

The AD LDS for ISA (ISASTGCTRL) listens on port 2171, so you should see this port with
netstat, e.g. netstat -a -n -p TCP
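As an added example (not from this thread), a PowerShell check that does what the reply above describes on each node: it reports the local storage service state and which of the CSS ports are bound, then tests TCP reachability of 2171/2172 on each array member so the manager and the managed node can be compared side by side. The host names are placeholders, and the service name ISASTGCTRL is taken as the thread spells it; confirm it with Get-Service before relying on it.

```powershell
# Added example, not from the thread: verify the TMG configuration storage (AD LDS)
# listener on each array member. Written for PowerShell 2.0 (Windows Server 2008 R2),
# so it parses netstat instead of using Get-NetTCPConnection.
param(
    # Constructed placeholders: replace with your array manager and managed member(s).
    [string[]]$ArrayMembers = @('tmg1', 'tmg2'),
    [int[]]$Ports = @(2171, 2172)
)

function Get-LocalStorageListener {
    # Local view: state of the storage service and which CSS ports are bound locally.
    $svc = Get-Service -Name 'ISASTGCTRL' -ErrorAction SilentlyContinue   # name as in the thread
    $state = 'not installed'
    if ($svc) { $state = [string]$svc.Status }
    $bound = netstat -a -n -p TCP | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING') { [int]$matches[1] }
    }
    New-Object PSObject -Property @{
        Computer  = $env:COMPUTERNAME
        Service   = $state
        Listening = @($Ports | Where-Object { $bound -contains $_ })
    }
}

function Test-StoragePort {
    # Remote view: can this host complete a TCP handshake to $ComputerName:$Port?
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

$local = Get-LocalStorageListener
"{0}: service ISASTGCTRL is {1}, listening on [{2}]" -f $local.Computer, $local.Service, ($local.Listening -join ', ')
foreach ($member in $ArrayMembers) {
    foreach ($port in $Ports) {
        $reach = 'closed/filtered'
        if (Test-StoragePort -ComputerName $member -Port $port) { $reach = 'open' }
        "{0}:{1} -> {2}" -f $member, $port, $reach
    }
}
# Expected pattern for a two-node array: the array manager (CSS) shows the service
# Running with both ports open; a managed member whose ISASTGCTRL is disabled shows
# both ports closed, which is the situation described in this thread rather than a fault.
```

Run it on both nodes; the local section tells you whether the storage service is disabled on the managed member, and the remote section shows that only the manager answers on 2171/2172, which is what the BPA message is reporting.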
mbromb (ASKER):
The role is installed on both servers, but the isastgctrl service is disabled on TMG2.  It's not listening on 2171.  I'm guessing that this is how it is for managed nodes, and explains the behavior, and is an erroneous message that the BPA mistakenly puts out, maybe because it doesn't realize there's a cluster and the BPA is being run against the managed node.
ASKER CERTIFIED SOLUTION
Bembi:

mbromb (ASKER):
This explanation makes sense and all is working correctly.