DHCP + DNS Blocked on New ISA 2006 Install


   I installed a new network with Domain Controller (Active Directory), DNS and DHCP.  It all works well, computers can register to the domain, get their IP addresses from DHCP.  Tested, works fine.

   I did a clean install of ISA 2006 on the domain controller itself.  It blocks DNS + DHCP although I have under System Policies the configuration Enabled for DHCP and DNS.

  Under DHCP, under the From tab, the "Internal" is selected which is my IP range of to

   My Domain Controller where my ISA 2006 is installed has an IP of

   When the computers are trying to get an IP from the DHCP, it gives an error message saying "Unable to contact your DHCP server.  Request has timed out."

   What am I doing wrong here?  Any suggestions?  


Having ISA on a DC is a huge big no no and unless there is a business critical reason for this, don't do it.  That aside...

[quote]Under DHCP, under the From tab, the "Internal" is selected which is my IP range of to[end quote]
Great rule, but when a client is requesting an IP address, it doesn't have an address so the rule won't work.
You will need to configure the ISA for DHCP relay - have a look here at how to do it.

Mordillo98Author Commented:
Will the problem go away if I set up the ISA 2006 on a different server instead of the Domain Controller, or do I HAVE to set up the ISA with DHCP relay regardless?
If you move your ISA away from your domain controller, all your DNS & DHCP issues for your internal clients will disappear. :)
Mordillo98Author Commented:
Oops.  Maybe I didn't say it right.  :)

If I install my ISA 2006 on a different server on the same subnet/IP scheme of my domain controller, do I still have to configure DHCP relay to make this work?

Not removing the ISA itself.  ;)
Keith AlabasterEnterprise ArchitectCommented:
First, we need to get the comments correct. ISA on a DC is not recommended - but it can be made to work. Just remember that the only 'supported' instance of this is when you are using MS SBS Server 2000 or SBS Server 2003. The reason why it is not recommended is because you have to open so many ports on the ISA box to make it work. The terms 'Swiss Cheese' and pointless spring to mind.

Because you have the ISA on the DC, you are getting the DHCP error message. Move the ISA to a different server (attached to the domain but a Non-DC) and the error will go. The cause of the error is that by default, ISA system policy (not firewall policy) blocks the ISA server host from responding to the requests. Not sure why you would want DHCP relay at all - that is when DHCP requests actually need to traverse the ISA server or any other firewall/router device.

ISA Forefront MVP

Mordillo98Author Commented:
Cool.  Let me create another Windows 2003 server where only ISA 2006 will be installed, and let you know if the problem got resolved.  I'll get back to you within an hour or so.

Tks a lot.
Keith AlabasterEnterprise ArchitectCommented:
Mordillo98Author Commented:
Nice.  Will do.  I'll get back to you soon.
Mordillo98Author Commented:
As soon as I installed ISA 2006 on a separate Windows 2003 server instead of my Domain Controller, everything started working as it should have been from day one.

Thanks guys.