Solved

Problem with Primary Domain Controller and ISA Server 2006

Posted on 2009-12-31
34
Medium Priority
1,331 Views
Last Modified: 2012-05-08
Hi Guys, I have an issue, which goes thus:
I have 4 boxes running Windows Server 2003:
Server 1 - An HP ML 370 G4 Server running Windows Server 2003 with SP2. It's my primary domain controller (it also hosts WSUS and McAfee ePO)

Server 2 - An HP ML370 G4 Server running Windows Server 2003 with SP2. It's a File and Application Server

Server 3 - An HP ML350 G4 Server running Windows Server 2003 with SP2. It hosts Exchange Server 2003 and it's a secondary domain controller (with global catalog enabled, same as Server 1)

Server 4 - ISA Server 2006 running on Windows Server 2003 with SP2
For several reasons, Server 4 was initially just a regular HP desktop machine, but yesterday, after close of work, I changed it to an HP ML370 G5 Server. I ran the Security Configuration Wizard to harden the server and also ran all updates for Windows Server 2003 and ISA Server 2006. I did the basic config to enable HTTP access for my clients. I tested on a few clients (Web Proxy - IE) and it worked fine before I closed. I also have GFI Web Monitor installed on the same machine.

This morning, everything was working OK when I arrived at the office, so I got down to defining more restrictive access rules in accordance with the company's Internet access policy; restriction is either by IP or Active Directory users/user groups.
I defined the first rule OK, but when I started trying to add users and groups to the second rule, I got an error: "Cannot determine user/computer name. RPC server is unavailable."
At this point I also observed that the usernames were no longer being listed in the ISA log.
Subsequently, I also noticed that Server 1's AD Users and Computers MMC wouldn't respond. I restarted Server 1. When it came back up, the AD Users and Computers MMC was OK, but it takes about 2 minutes before the MMC launches when clicked! Please see the attached files for some of the event logs for Server 1 and 3.

DOES ANYONE HAVE AN IDEA WHAT JUST WENT WRONG AND HOW TO RESOLVE IT?!!!
Server-1-Log.txt
Server-3-Log.txt
0
Question by:enlconsortium
34 Comments
 
LVL 11

Expert Comment

by:pcfreaker
ID: 26153978
Hi,
The first thing to do is to disable the rules you created and set up a main rule with the protocols needed for the servers and computers for the main services (RPC, RDP, GC, LDAP, DHCP, DNS, etc.). Then monitor the traffic being denied on the ISA server and set those protocols on the main rule previously mentioned.
Then, I usually create a group of servers in the computer objects within ISA to enable a rule for all traffic between them.
After that, let me know how it is and we can go through more.
Rgds.
 
0
 
LVL 39

Assisted Solution

by:ChiefIT
ChiefIT earned 400 total points
ID: 26154167
Check your SRV records for DNS. See if the MSDCS file folders are greyed out. It looks exactly like this:
http://www.experts-exchange.com/Networking/Protocols/DNS/Q_24349599.html
0
 
LVL 59

Assisted Solution

by:Darius Ghassem
Darius Ghassem earned 1600 total points
ID: 26154721
Also, check to make sure you are only pointing to internal DNS servers. You shouldn't have any external DNS servers listed in your TCP\IP properties.
0
 

Author Comment

by:enlconsortium
ID: 26158985
Thanks guys for your response. My apologies for the late response but I'd posted this question toward the close of work yesterday and today is a public holiday in my country.

@ pcfreaker and ChiefIT, I'll get back to you guys when I get into the office tomorrow.

@ dariusg, please explain something. Server 4 has 2 NICs. I originally had my public-facing NIC set up with an IP, subnet mask and gateway (no DNS) and the internal NIC with an IP, subnet mask and DNS set up to point to my internal DNS, Server 1 (gateway blank). However, after I started having issues, I tried placing DNS values on my public-facing NIC (DNS provided by my ISP), and right after that it started working again, and I left the office with it still working, but I still can't get the username displayed. Anyway, I want to understand why I shouldn't configure DNS for my public-facing NIC. How will the ISA resolve DNS requests, using my internal DNS (Server 1)? If so, I never configured Server 1 to do that; is there something I'm missing from my settings?
0
 
LVL 7

Expert Comment

by:ARK-DS
ID: 26163487
Hi,

The RPC error may be due to the rules you set. But the log files state that there are replication issues as well, and probably they are due to name resolution.
See where these two DCs are pointing for DNS (one by one), then go to that DNS server and check if the site-specific SRV records, GUID records (in the MSDCS folder) and the host A records mapping to the GUID record are in place.

Regards,

Arun.
0
 
LVL 59

Assisted Solution

by:Darius Ghassem
Darius Ghassem earned 1600 total points
ID: 26164051
Check the binding order for your NICs to make sure your external-facing NIC is not higher than your internal NIC. Also, uncheck "register this IP address" in TCP\IP for your external-facing NIC.

Is the ISA running on a DC?
0
 

Author Comment

by:enlconsortium
ID: 26171919
Hi Darius, how do I check my binding order on the NIC? I'm not sure how to do that.
Yes, the msdcs is grayed out. When you said to check if I'm pointing at an external DNS, is that on my NIC or where? Every time I remove the external DNS from my public-facing NIC, I lose Internet connection.

@ ARK-DS, you lost me somewhere in the second paragraph. Could you break that down a little? Thanks
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 26171962
Go to your Network Connections, then click Advanced Settings; you should see your binding order there.

So, your msdcs folder is grayed out? Do you have a msdcs.domain.com zone?
0
 

Author Comment

by:enlconsortium
ID: 26172281
Thanks for your response! Yes, I've got an _msdcs.domain.com zone as a node in the forward lookup zone. However, this one isn't grayed out.
I checked the binding order. You were right. The public-facing NIC was higher up, so I made the internal NIC top of the binding list.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 26172301
The binding order was most likely the issue.
0
 

Author Comment

by:enlconsortium
ID: 26172352
Could that also have been the cause of the issues I've been having with my DC? That doesn't exactly make sense to me.
0
 

Author Comment

by:enlconsortium
ID: 26172363
How does ISA impact my DC?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 26172684
That is why I asked if your ISA was your DC.

What is happening on the DC? Do you have 2 NICs? Please post ipconfig /all and dcdiag for the DC.
0
 

Author Comment

by:enlconsortium
ID: 26174652
No, the ISA is not the DC; they are separate boxes. I tried to explain this in my first posting. Please refer to that posting for the complete scenario. I'm not sure the two problems described in it are related, but I observed them at about the same time. I'm away from work at the moment and will send the required info when I return to my office.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 26174950
OK, got confused there for a second. So, I think we fixed a part of the problem with the ISA server, because your binding order was not correct; let's see if we can fix the DC problem.
0
 

Author Comment

by:enlconsortium
ID: 26179461
OK Darius, if you don't mind, let's proceed. I have attached screen clips of ipconfig /all and dcdiag for my PDC and SDC.
dcdiag---Primary-DC.txt
dcdiag---Secondary-DC.txt
IPConfig---Primary-DC.jpg
IPConfig---Secondary-DC.jpg
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 26180217
Everything looks good except you are failing SYSVOL replication. What events do you have in your Event Viewer under FRS?
0
 
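A way to pull the failing tests out of dcdiag output mechanically instead of reading the attachments by eye. This is an added example, not code from the thread or from dcdiag; the sample text below is constructed in dcdiag's output format around the DC name ENLAPAPA1 that appears in this thread, with a frssysvol failure of the kind Darius points out, and it is not the content of the attached files.

```python
import re

# Constructed sample in the dcdiag output format (NOT the poster's attachment).
SAMPLE_DCDIAG = """\
Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\\ENLAPAPA1
      Starting test: Connectivity
         ......................... ENLAPAPA1 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\\ENLAPAPA1
      Starting test: Replications
         ......................... ENLAPAPA1 passed test Replications
      Starting test: frssysvol
         There are errors after the SYSVOL has been shared.
         The SYSVOL can prevent the AD from starting.
         ......................... ENLAPAPA1 failed test frssysvol
      Starting test: Services
         ......................... ENLAPAPA1 passed test Services

   Running enterprise tests on : enl.com
      Starting test: FsmoCheck
         ......................... enl.com passed test FsmoCheck
"""

# dcdiag announces each test, then closes it with a dotted verdict line.
START_RE = re.compile(r"^\s*Starting test:\s+(\S+)\s*$")
RESULT_RE = re.compile(r"^\s*\.{3,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)\s*$")


def parse_dcdiag(text):
    """Return one dict per completed test: target, test, status and the free-text
    lines printed between 'Starting test:' and the verdict (where the error text lives)."""
    results = []
    in_test = False
    details = []
    for line in text.splitlines():
        if START_RE.match(line):
            in_test = True
            details = []
            continue
        m = RESULT_RE.match(line)
        if m:
            target, status, test = m.groups()
            results.append({"target": target, "test": test,
                            "status": status, "details": details})
            in_test = False
            details = []   # fresh list, so the stored one is not mutated later
            continue
        if in_test and line.strip():
            details.append(line.strip())
    return results


def failed_tests(text):
    """Only the failures, which is what a scheduled health check should surface."""
    return [r for r in parse_dcdiag(text) if r["status"] == "failed"]


def report(text):
    """(clean, summary): clean is True when no test failed."""
    results = parse_dcdiag(text)
    failures = [r for r in results if r["status"] == "failed"]
    lines = [f"{len(results)} tests parsed, {len(failures)} failed"]
    for r in failures:
        lines.append(f"FAILED {r['target']} / {r['test']}")
        lines.extend(f"    {d}" for d in r["details"])
    return not failures, "\n".join(lines)


if __name__ == "__main__":
    clean, summary = report(SAMPLE_DCDIAG)
    print(summary)
```

Feed it the saved output of dcdiag (for example `dcdiag > dcdiag.txt` on each DC) and keep the detail lines: for frssysvol they carry the actual SYSVOL message, which is the part you then chase in the FRS event log.
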

Author Comment

by:enlconsortium
ID: 26180428
Thanks Darius for your response. You're the main man!!!
Please see the attached files for the FRS event log for my two domain controllers. It seems you are right. After the last posting, I noticed that much of the issues I previously observed were taken care of, except of course the issue with replication.
Also, you should know that after changing the binding order and removing the DNS entries from my external-facing NIC, my issues with ISA are now resolved.
PDC-FRS-Log.txt
SDC-FRS-Log.txt
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 26180732
Can you ping the DNS name enlapapa3 from enlapapa1?

There have been some issues with delegated msdcs.domain.com zones and/or you have to update these records manually.

So, the best way is to delete both the msdcs.domain.com and domain.com zones, then recreate the domain.com.

http://www.experts-exchange.com/Networking/Protocols/DNS/Q_24349599.html
0
 

Author Comment

by:enlconsortium
ID: 26180951
Can ping both. Just deleted the msdcs.domain.com and domain.com zones and recreated them. Ran dcdiag on both servers after this. Please see attached for the result.
dcdiag---Primary-DC---2.txt
dcdiag---Secondary-DC---2.txt
0
 

Author Comment

by:enlconsortium
ID: 26180984
Wow, right now, my users are getting the following errors from ISA:

Error Code 11001: Host not found
Background: This error indicates that the gateway could not find the IP address of the website you are trying to access. This is usually due to a DNS-related error.
Date: 05/01/2010 3:21:23 PM [GMT]
Server: ENLAPAPA4.enl.com
Source: DNS error
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 26181082
Hey Dariusq:

You have a multihomed domain controller, and probably issues with the bind order.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 26181287
Hi Chief,

I think the multihomed server is the ISA which isn't a DC.

Both DCs seem to have 1 NIC enabled but lets confirm that.

@enlconsortium

The ISA problem is not related to the DC issue with the above error. Make sure you can the ISA server. Do you have the external DNS listed in the TCP\IP properties on the ISA external NIC?
0
 

Author Comment

by:enlconsortium
ID: 26181359
I currently have DNS only on the internal NIC, and it points to the internal servers. I had removed the DNS entries on the external NIC (which pointed to my ISP's DNS).
0
 

Author Comment

by:enlconsortium
ID: 26181650
OK, placed the DNS for my ISP back on the public-facing NIC and that seems to have resolved that. But still having DNS-related issues!
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 26183834
DNS-related issues for which system, so we don't get confused? If you are talking about the DC, please look over the link.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 26185622
So, you are using the ISA server as a ROUTER?

I think we are a bit confused as to the network topology and use of the ISA server in comparison to the domain controllers.
0
 

Author Comment

by:enlconsortium
ID: 26190364
I think my issues with the DC are resolved. The settings were messed up at DNS. The wrong IP was specified for the secondary DNS and no forwarders were set up (that is, on the DNS server's Properties dialog box's Forwarders tab, where it says "forward queries in the following DNS domains"). I had set my ISP's DNS servers as forwarders on the page (I hope that was the right decision; please advise). After doing this, I ran dcdiag again and all tests passed on both servers. I've been monitoring my event log since then and there have been no new errors or warnings for DNS, FRS or Directory Services. However, I'm getting a new error in the Application event log which keeps repeating itself. Can't seem to make sense of it. Take a look at this log entry:

Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1041
Date:            06/01/2010
Time:            12:58:13 PM
User:            NT AUTHORITY\SYSTEM
Computer:      ENLAPAPA1
Description:
Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} and it will not be loaded. This is most likely caused by a faulty registration.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

As for my ISA, it is not my intention to use ISA Server as a router. ISA is intended largely for Internet users, SMTP & POP clients, UDP clients, VPN clients, etc. Help me out here: should the public-facing NIC have DNS values set or not? I'm freaking out here, man! From the documentation I've read, ISA shouldn't have DNS on the public-facing NIC, but every time I remove DNS from my public-facing NIC, many of my users immediately lose Internet connection. If I retain DNS on the public-facing NIC, what could be the possible downturn of that decision?
0
 
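For the Userenv 1041 entry above: Winlogon loads Group Policy client-side extensions from the subkeys under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions, one subkey per extension GUID, and 1041 is logged when a subkey has no usable DllName value. The check below is an added example, not code from the thread or from Microsoft; it reads that key on Windows and otherwise runs on a constructed snapshot that reuses the GUID from the event above with its DllName missing (the other GUID and its values are sample data, not taken from the poster's server).

```python
GPEXT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions"


def find_unregistered_extensions(extensions):
    """extensions maps each extension GUID (subkey name) to a dict of its values.
    Returns the GUIDs that have no non-empty string DllName, which is the
    'cannot query DllName registry entry' condition behind Userenv event 1041."""
    broken = []
    for guid, values in extensions.items():
        dll = values.get("DllName")
        if not isinstance(dll, str) or not dll.strip():
            broken.append(guid)
    return sorted(broken)


def read_gpextensions():
    """Snapshot the live GPExtensions key (Windows only). winreg is imported here so
    the pure check above stays importable and testable on any platform."""
    import winreg
    snapshot = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, GPEXT_KEY) as root:
        i = 0
        while True:
            try:
                guid = winreg.EnumKey(root, i)      # raises OSError past the last subkey
            except OSError:
                break
            i += 1
            values = {}
            with winreg.OpenKey(root, guid) as sub:
                j = 0
                while True:
                    try:
                        name, data, _kind = winreg.EnumValue(sub, j)
                    except OSError:
                        break
                    j += 1
                    values[name] = data             # the default value has name ""
            snapshot[guid] = values
    return snapshot


# Constructed sample snapshot. The first entry models a healthy registration;
# the second reuses the GUID from the event on this page with DllName absent.
SAMPLE_EXTENSIONS = {
    "{35378EAC-683F-11D2-A89A-00C04FBBCFA2}": {"": "Registry", "DllName": "userenv.dll"},
    "{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}": {"": "Unknown extension"},
}


if __name__ == "__main__":
    import sys
    data = read_gpextensions() if sys.platform == "win32" else SAMPLE_EXTENSIONS
    for guid in find_unregistered_extensions(data):
        print(f"{guid}: no DllName under HKLM\\{GPEXT_KEY}\\{guid} (this is what Userenv 1041 reports)")
```

Once the GUID is identified, the subkey's other values (its default name, if any) usually tell you which product left the orphaned registration; export the key before changing anything, and treat an extension GUID you cannot attribute to a known product as something to investigate rather than silently delete.
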
LVL 59

Expert Comment

by:Darius Ghassem
ID: 26190398
The most likely problem was that you didn't have the most current DNS forwarders within your DNS, which will make the clients not fully resolve external DNS.

Have you tried removing the DNS servers from the ISA server after getting everything fully functional on the DC and DNS?
0
 

Author Comment

by:enlconsortium
ID: 26190700
I never set up DNS on the ISA server.
About the last error I posted, I found a posting that helped:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_24205873.html
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 26190752
What do you mean by never set up DNS on ISA? What I'm saying is that if your DNS forwarders weren't set up correctly then you could have issues, so remove the DNS servers from the ISA.
0
 

Author Comment

by:enlconsortium
ID: 26190883
That is where I'm having issues. Every time I remove the DNS from ISA, I start getting Internet connectivity failures! I'm just wondering if there is something I'm doing wrong. Perhaps I need to allow DNS from my local DNS servers to pass through ISA to external!
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 26193691
Your clients should be pointing to your internal DNS servers.
0
 

Accepted Solution

by:enlconsortium
enlconsortium earned 0 total points
ID: 26198235
I think you misunderstood me there. My clients already point to my internal DNS. However, the reason my connection kept failing was because my internal DNS could not resolve requests by forwarding, since ISA didn't allow the DNS traffic to leave the perimeter. Thanks guys for your contribution. It was really kind of you.
0

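Two checks in this thread can be done with the same small tool: ARK-DS's check that the _msdcs SRV records the DCs depend on are actually resolvable, and the accepted solution's finding that the internal DNS server could not reach its forwarders through the perimeter. The script below is an added example, not the thread's or ISA's own code: it builds a raw DNS query (RFC 1035 header plus one question), sends it over UDP, and classifies the reply header, so that a timeout from the DNS server host towards a forwarder (what a blocked port 53 looks like) is distinguished from NXDOMAIN, REFUSED, or a name with no records. The domain enl.com is the one shown in the thread's ISA error; the server addresses are placeholders.

```python
import random
import socket
import struct

QTYPES = {"A": 1, "SRV": 33}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """'a.b.c' -> length-prefixed labels plus the zero-length root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype="A", txid=None):
    """Minimal standard query: 12-byte header with RD set, then one IN question.
    Returns (txid, packet) so the caller can match the reply to the request."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)
    return txid, header + question


def parse_response(data, expected_txid):
    """Read only the header: is it our reply, what RCODE, how many answer RRs.
    That is enough to tell 'records exist' from 'no records', 'refused', 'nothing'."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F
    return {
        "txid_ok": txid == expected_txid,
        "is_response": bool(flags & 0x8000),
        "rcode": RCODES.get(rcode, f"RCODE{rcode}"),
        "answers": ancount,
    }


def query(server, name, qtype="A", timeout=3.0):
    """Send one UDP query and classify the outcome. Run it ON the internal DNS
    server against its forwarder: TIMEOUT there means the perimeter is not
    letting the DNS server's own port-53 traffic out, which was this thread's cause."""
    txid, packet = build_query(name, qtype)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(packet, (server, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return {"server": server, "name": name, "qtype": qtype, "status": "TIMEOUT"}
    finally:
        sock.close()
    info = parse_response(data, txid)
    if not (info["txid_ok"] and info["is_response"]):
        status = "BOGUS"            # not an answer to what we sent
    elif info["rcode"] != "NOERROR":
        status = info["rcode"]
    elif info["answers"] == 0:
        status = "NO_RECORDS"       # name exists, record type missing (the _msdcs symptom)
    else:
        status = "OK"
    return {"server": server, "name": name, "qtype": qtype, "status": status, **info}


def dc_locator_names(domain):
    """SRV names a member must resolve to find a DC and a GC; these live under _msdcs."""
    return [
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_kerberos._tcp.dc._msdcs.{domain}",
        f"_ldap._tcp.pdc._msdcs.{domain}",
        f"_gc._tcp.{domain}",
    ]


if __name__ == "__main__":
    INTERNAL_DNS = "192.0.2.10"   # placeholder for Server 1, the internal DNS
    FORWARDER = "192.0.2.53"      # placeholder for the ISP forwarder configured on Server 1
    for n in dc_locator_names("enl.com"):
        print(query(INTERNAL_DNS, n, "SRV"))
    print(query(FORWARDER, "www.example.com", "A"))
```

Reading the results: the SRV queries against the internal server should all come back OK with answers greater than zero; NO_RECORDS or NXDOMAIN for any of them is the _msdcs problem ARK-DS describes. The A query against the forwarder, run from the DNS server itself, should be OK; TIMEOUT there while the same query succeeds from a host outside the perimeter points at the firewall rule set rather than at DNS.
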