ISA 2004 RPC issues

My question would be:
How do I resolve the RPC/connectivity issues within my ISA 2004 server?
Details/Description:

After installing ISA 2004, regardless of applying Service Packs, I receive Netlogon errors (EVENT ID 1053): Windows cannot determine the user or computer name. (The RPC server is unavailable. ). Group Policy processing aborted.
If I try to add a domain user, to the Administrators group of the server, I receive a message:
RPC server unavailable.
The server logs the following error:
This computer was not able to set up a secure session with a domain controller in domain MYDOMAIN due to the following:
The RPC server is unavailable.  
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator
It's acting like ISA is blocking RPC traffic.
There is a tremendous pause when logging on to the machine with a domain account.  ISA does function, though.  If I set up VPN and create a local user, then I can log in.  If I try to VPN using a domain account, I cannot log in.
When I run netdiag without ISA 2004, all looks OK (everything passes).
When I run netdiag with ISA, I get an error referencing DSbind.

Server/Device Info:
ISA 2004 (SP3) - although the issue seems to occur on each SP
Windows Server 2003 R2

I appreciate any help and suggestions!
Asked by: smcmcnutt
 
Keith Alabaster (Enterprise Architect) commented:
Open the ISA gui, select monitoring - logging - click start query.
What do you see appear in the real time log?

Are you sure it is rpc that is failing rather than Kerberos calls etc?
What ISA SP are you running?
Have you run the ISA BPA?
http://www.microsoft.com/downloads/details.aspx?FamilyId=D22EC2B9-4CD3-4BB6-91EC-0829E5F84063&displaylang=en
Needs .NET 1.1

You are on 2003 R2? Are you running SP2 also?
This might be worth a look (ISA runs NAT as you can imagine)
http://support.microsoft.com/kb/927695
 
Keith Alabaster (Enterprise Architect) commented:
ISA WILL be blocking rpc traffic unless you have told it not to.

Have you got a rule from internal & local host TO internal & local host - all protocols?
Have you turned off RPC Strict Compliance?
 
smcmcnutt (Author) commented:
Keith-
Yes, on rule
Yes, RPC Strict Compliance is turned off
Thank you!
 
smcmcnutt (Author) commented:
Keith-
Found these 2 failed events in logging (in order)
Failed Connection Attempt SVRDC026 11/16/2007 10:22:24 AM
Log type: Firewall service
Status: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.  
Rule: Allow RPC from ISA Server to trusted servers
Source: Local Host ( 192.168.28.10:1589)
Destination: Internal ( 192.168.28.3:135)
Protocol: RPC (all interfaces)
User:  

Denied Connection SVRDC026 11/16/2007 10:22:17 AM
Log type: Firewall service
Status: A TCP packet was rejected because it has an invalid sequence number or an invalid acknowledgement number.
Rule:  
Source: Internal ( 192.168.28.3:135)
Destination: Local Host ( 192.168.28.10:1589)
Protocol: Unidentified IP Traffic (TCP:1589)
User:  
 Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 192.168.28.3
Client agent:  


.10 being ISA, .3 being the local DC
Not sure about Kerberos vs RPC.  I do not see Kerberos ERRORS, Just the RPC.
Yes 2003 R2, Yes SP 2.
Reading article, now.

I did run BPA.  DID squawk about RSS also (in regards to your comment)
Much Appreciated!
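The two entries in the post above involve the same pair of endpoints in opposite directions: the ISA server's attempt to 192.168.28.3:135 timed out, while the DC's packet back to port 1589 was rejected for a bad sequence number. As an added example (not part of the thread and not Microsoft code), this Python script finds such pairs in text pasted from the log viewer; the blank-line-separated "Field: value" layout and the function names are assumptions.

```python
import re

# First two entries abridged from the post above; the third is constructed.
SAMPLE = """\
Failed Connection Attempt SVRDC026 11/16/2007 10:22:24 AM
Status: A connection attempt failed because the connected party did not properly respond after a period of time
Source: Local Host ( 192.168.28.10:1589)
Destination: Internal ( 192.168.28.3:135)

Denied Connection SVRDC026 11/16/2007 10:22:17 AM
Status: A TCP packet was rejected because it has an invalid sequence number or an invalid acknowledgement number.
Source: Internal ( 192.168.28.3:135)
Destination: Local Host ( 192.168.28.10:1589)

Denied Connection SVRDC026 11/16/2007 10:23:02 AM
Status: A TCP packet was rejected because it has an invalid sequence number or an invalid acknowledgement number.
Source: Internal ( 192.168.28.7:445)
Destination: Local Host ( 192.168.28.10:1601)
"""

ENDPOINT = re.compile(r"\(\s*(\d+\.\d+\.\d+\.\d+):(\d+)\)")

def parse_entries(text):
    """Split pasted log-viewer text into dicts, one per blank-line-separated entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        entry = {"Event": lines[0].strip()}
        for line in lines[1:]:
            key, sep, value = line.partition(":")
            if sep:
                entry[key.strip()] = value.strip()
        for side in ("Source", "Destination"):
            m = ENDPOINT.search(entry.get(side, ""))
            entry[side] = (m.group(1), int(m.group(2))) if m else None
        entries.append(entry)
    return entries

def dropped_replies(entries):
    """Pair each failed attempt with a bad-sequence denial on the reversed endpoints."""
    failed = [e for e in entries if e["Event"].startswith("Failed Connection Attempt")]
    denied = [e for e in entries if e["Event"].startswith("Denied Connection")
              and "invalid sequence number" in e.get("Status", "")]
    return [(f, d) for f in failed for d in denied
            if f["Source"] and f["Source"] == d["Destination"] and f["Destination"] == d["Source"]]

if __name__ == "__main__":
    for f, d in dropped_replies(parse_entries(SAMPLE)):
        print("reply dropped:", d["Source"], "->", d["Destination"])
```

A match means the firewall is rejecting return traffic for a connection it allowed outbound, which points at the host's own packet handling rather than at a missing access rule.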
 
smcmcnutt (Author) commented:
KEITH!
I think it was the RSS!!!
I just need to verify a few things before the reward.
I am no longer seeing the netlogon errors!
 
Keith Alabaster (Enterprise Architect) commented:
Excellent.
 
smcmcnutt (Author) commented:
Keith-
The MS article regarding RSS was the key.
I appreciate your help on this instance, as well as your other posts, which have helped tremendously in the past!!
Cheers!
 
Jared Luker commented:
I had this exact same issue with Server 2003 R2 SP2.

The RSS reg tweak fixed it!  Thanks to Keith
 
Keith Alabaster (Enterprise Architect) commented:
Welcome :)