smcmcnutt

ISA 2004 RPC issues

My question would be:
How do I resolve the RPC/connectivity issues within my ISA 2004 server?
Details/Description:

After Installing ISA 2004, regardless of applying Service Packs, I receive Netlogon Errors (EVENT ID 1053): Windows cannot determine the user or computer name. (The RPC server is unavailable. ). Group Policy processing aborted.
If I try to add a domain user to the Administrators group of the server, I receive a message:
RPC server unavailable.
The server logs the following error:
This computer was not able to set up a secure session with a domain controller in domain MYDOMAIN due to the following:
The RPC server is unavailable.  
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator
It's acting like ISA is blocking RPC traffic.
There is a tremendous pause when logging on to the machine with a Domain account.  ISA does function, though.  If I set up VPN, create a local user, then I can log in.  If I try to VPN using a domain account, I cannot log in.
When I run netdiag, without ISA 2004, all looks ok (everything passes)
When I run netdiag, with ISA, I get error, referencing DSbind

Server/Device Info:
ISA 2004 (SP3) - Although issue seems to occur on each SP
Windows Server 2003 R2

I appreciate any help and suggestions!
Keith Alabaster

ISA WILL be blocking RPC traffic unless you have told it not to.

Have you got a rule from internal & local host TO internal & local host - all protocols?
Have you turned off RPC Strict Compliance?
smcmcnutt

ASKER

Keith-
Yes, on rule
Yes, RPC Strict Compliance is turned off
Thank you!
ASKER CERTIFIED SOLUTION
Keith Alabaster

This solution is only available to members.

Keith-
Found these 2 failed events in logging (in order)
Failed Connection Attempt SVRDC026 11/16/2007 10:22:24 AM
Log type: Firewall service
Status: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.  
Rule: Allow RPC from ISA Server to trusted servers
Source: Local Host ( 192.168.28.10:1589)
Destination: Internal ( 192.168.28.3:135)
Protocol: RPC (all interfaces)
User:  

Denied Connection SVRDC026 11/16/2007 10:22:17 AM
Log type: Firewall service
Status: A TCP packet was rejected because it has an invalid sequence number or an invalid acknowledgement number.
Rule:  
Source: Internal ( 192.168.28.3:135)
Destination: Local Host ( 192.168.28.10:1589)
Protocol: Unidentified IP Traffic (TCP:1589)
User:  
 Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 192.168.28.3
Client agent:  


**.10 being ISA .3 being local DC
Not sure about Kerberos vs RPC.  I do not see Kerberos ERRORS, Just the RPC.
Yes 2003 R2, Yes SP 2.
Reading article, now.

I did run BPA.  DID squawk about RSS also (in regards to your comment)
Much Appreciated!
KEITH!
I think it was the RSS!!!
I just need to verify a few things before the reward.
I am no longer seeing the netlogon errors!
Excellent.
Keith-
The MS article regarding RSS was the key.
I appreciate your help on this instance, as well as your other posts, which have helped tremendously in the past!!
Cheers!
I had this exact same issue with Server 2003 R2 SP2.

The RSS reg tweak fixed it!  Thanks to Keith
Welcome :)
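
The two events quoted in the thread mirror each other: the ISA server's connection to the DC on port 135 times out, while a packet on the reversed address/port pair is rejected for an invalid sequence number. As an added example (not code from the thread or from Microsoft), this Python script pairs such events in a text export of the firewall log; the field layout is taken from the quoted excerpt, and the function names and the 30-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Trimmed copy of the two events quoted in the thread (same field layout).
SAMPLE = """\
Failed Connection Attempt SVRDC026 11/16/2007 10:22:24 AM
Status: A connection attempt failed because the connected party did not properly respond after a period of time
Source: Local Host ( 192.168.28.10:1589)
Destination: Internal ( 192.168.28.3:135)

Denied Connection SVRDC026 11/16/2007 10:22:17 AM
Status: A TCP packet was rejected because it has an invalid sequence number or an invalid acknowledgement number.
Source: Internal ( 192.168.28.3:135)
Destination: Local Host ( 192.168.28.10:1589)
"""

HEAD = re.compile(r"^(Failed Connection Attempt|Denied Connection) \S+ "
                  r"(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)$")
ENDPOINT = re.compile(r"^(Source|Destination): .*\(\s*([\d.]+):(\d+)\)")

def parse_events(text):
    """Turn the text export into dicts: kind, time, status, Source, Destination."""
    events = []
    for line in map(str.strip, text.splitlines()):
        if m := HEAD.match(line):
            when = datetime.strptime(m.group(2), "%m/%d/%Y %I:%M:%S %p")
            events.append({"kind": m.group(1), "time": when, "status": ""})
        elif events and line.startswith("Status:"):
            events[-1]["status"] = line
        elif events and (m := ENDPOINT.match(line)):
            events[-1][m.group(1)] = (m.group(2), int(m.group(3)))
    return events

def dropped_replies(events, window=timedelta(seconds=30)):
    """Pair each timed-out attempt with a rejected packet on the reversed tuple.

    The 30 s window is an assumed value, not taken from ISA documentation."""
    fails = [e for e in events if e["kind"] == "Failed Connection Attempt"
             and {"Source", "Destination"} <= e.keys()]
    denies = [e for e in events if e["kind"] == "Denied Connection"
              and "invalid sequence number" in e["status"]]
    hits = []
    for f in fails:
        for d in denies:
            mirrored = (d.get("Source") == f["Destination"]
                        and d.get("Destination") == f["Source"])
            if mirrored and timedelta(0) <= f["time"] - d["time"] <= window:
                hits.append((f["Source"], f["Destination"], f["time"] - d["time"]))
    return hits

if __name__ == "__main__":
    for src, dst, gap in dropped_replies(parse_events(SAMPLE)):
        print(f"{src} -> {dst}: reply rejected {gap.seconds}s before the timeout was logged")
```

A hit means the peer did answer and the reply was discarded on the ISA host, which points the investigation at the local TCP stack or firewall driver rather than at the DC or the access rule.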