I have a client who has a single ISA 2006 server (an ESX virtual machine) set up in a single network card configuration. The server repeatedly loses its secure channel to a DC, and has a load of 1030 and 1058 errors in the Application log, plus 5719 errors in the System log. There are clusters of errors every 1-4 days.
The AD domain is named in a public style, let's call it client.com.au. The local network is on a private 10.x.x.x. The ISA server has a local DC as its DNS server.
The following situation occurs sporadically, for a period of an hour or two it seems:
When I try to resolve the AD domain name client.com.au it gives an external IP - the client's public website's IP (which is also a .info address). For all other machines on the internal network, client.com.au resolves to a local DC as expected.
If I temporarily add an entry to hosts on the ISA box (client.com.au and the IP address of a DC), this allows correct resolution, so I can open \\client.com.au, but I get access denied on \\client.com.au\netlogon. However, if I choose a local DC 'dcname' and connect using its IP address \\10.x.x.x\sysvol, then I have no such problems. If I connect using \\dcname.client.com.au\netlogon, I am again unable to connect.
The problem does not persist for more than an hour or two, but each time it happens the secure channel dies and users lose their internet connection and hence complain! I'm guessing this might be a config setting somewhere in ISA but my knowledge of this product is fairly minimal.