Error in ISA 2006 EE Configuration Storage server

I have 2 ISA 2006 servers in an array both with CSS loaded locally on the ISA server.  For some reason they are both giving the following error in the configuration status tab:
Server is unable to update the configuration. (See Alerts Tab)

In the Alerts tab I get:  Propagate configuration changed failed.
Description: A change to the configuration in the central storage could not be propagated to the ISA Server computer.
Description: The ISA Server configuration agent was unable to update the local registry with changes made to the central storage. The failure is due to error: Unspecified error

Any ideas on how to correct this or how to rebuild the configuration on the local registry?


Ahmed Shahba (System Architect) commented:

Check the name resolution problem between 2 ISAs and Array.

Bruno PACI (IT Consultant) commented:

Are you using NLB between the two ISA servers, and if yes, did you dedicate a NIC for intra-array communications?

Have a nice day

pagej (Author) commented:

Thanks for the responses.

Yes, we are using NLB between the two servers and yes, there is a dedicated NIC running on its own network address for intra-array communications.

Ahmed: What name resolution problem are you referring to? Both servers resolve to the intra-array address. Is this correct or should it be the internal IP address?

The servers do see each other as if I stop the firewall service on one server, the other server shows that the service was stopped on the other server.


Bruno PACI (IT Consultant) commented:

How is your NLB configured? Do you use unicast or multicast NLB?

The best way to avoid network traffic troubles is to use multicast NLB.

The CSS dialog does not use the dedicated intra-array network. It will then use the NLB-enabled NIC.
The problem with unicast NLB is that the NLB-enabled NIC of each ISA server uses a unique and common MAC address.
In this case, if the first ISA server wants to join the second one via the NLB-enabled NIC, it will fail because the network packets will never go out from the server: if the server tries to send a network packet to a MAC address that is already used by its own NIC, the packet won't be sent on the wire and will stay local.

With multicast NLB each NLB-enabled NIC will have 2 MAC addresses: one private MAC address that is unique on the network, and one common MAC address that is the same for both ISA servers.

To verify whether NLB is configured correctly, follow these steps:
1) From the first ISA server, PING the private IP address of the NLB-enabled NIC of the other ISA server
2) From the first ISA server again, PING the NLB-shared IP address of the NLB-enabled NIC of the ISA array
3) On the first ISA server again, from a CMD command prompt type the command ARP -a.
4) Take a look at the ARP -a response: you should see both previously pinged IP addresses associated with distinct MAC addresses. If the MAC address is the same for both IP addresses then you probably have unicast NLB and this is probably the cause of the troubles.

Also, you must ensure that you have disabled DNS dynamic registration on both ISA servers to prevent them from creating DNS records for their name associated with the NLB shared IP address.
You'll have to create DNS records manually in the DNS servers to associate the ISA server name with its unique IP address.

Have a nice day.
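
Added example (not part of the original thread): the comparison in steps 1 to 4 above, run over captured `ARP -a` output in Python. All IP and MAC addresses are constructed sample values, and `parse_arp`, `check_nlb` and the result labels are names chosen for this example. It also reports the case where one of the pinged addresses has no ARP entry, so the comparison cannot be made.

```python
import re

# Constructed `arp -a` captures from the first ISA server (all values made up).
MULTICAST = """\
Interface: 10.0.0.11 --- 0x10003
  Internet Address      Physical Address      Type
  10.0.0.12             00-15-5d-00-0a-12     dynamic
  10.0.0.10             03-bf-0a-00-00-0a     dynamic
"""
# Same capture, but both addresses answer with one MAC (mixed case on purpose).
UNICAST = MULTICAST.replace("00-15-5d-00-0a-12", "02-BF-0A-00-00-0A").replace(
    "03-bf-0a-00-00-0a", "02-bf-0a-00-00-0a")
# Only the peer's private address is present in the ARP cache.
PARTIAL = "\n".join(MULTICAST.splitlines()[:3]) + "\n"

# One ARP row: IPv4 address, dash-separated MAC, entry type.
ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})\s+\w+",
    re.MULTILINE)

def parse_arp(text):
    """Map each IP in `arp -a` output to its MAC (lower-cased for comparison)."""
    return {ip: mac.lower() for ip, mac in ROW.findall(text)}

def check_nlb(arp_text, peer_private_ip, shared_ip):
    """Step 4: compare the MACs seen for the two pinged addresses."""
    table = parse_arp(arp_text)
    missing = [ip for ip in (peer_private_ip, shared_ip) if ip not in table]
    if missing:
        return "inconclusive", "no ARP entry for " + ", ".join(missing)
    peer_mac, shared_mac = table[peer_private_ip], table[shared_ip]
    if peer_mac == shared_mac:
        return "same-mac", f"both addresses map to {peer_mac}"
    return "distinct-macs", f"{peer_private_ip}={peer_mac}, {shared_ip}={shared_mac}"

if __name__ == "__main__":
    for name, capture in (("multicast", MULTICAST), ("unicast", UNICAST),
                          ("partial", PARTIAL)):
        print(name, check_nlb(capture, "10.0.0.12", "10.0.0.10"))
```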

pagej (Author) commented:
Thanks for the response.

When I ping both the private IP and the shared IP of the other ISA server, they both responded back, but when I did an ARP -a it only showed the private IP of the other ISA server and the MAC address.

We are doing NLB on both the internal and external networks.  When I am setting the DNS name record which IP address should I use?  Internal, intra-array or external?  I used the internal private IP for DNS records.

I have disabled dynamic registration on all NICs but only the internal NIC had DNS entries.

I rebooted the servers but still getting that error.

Should I remove and recreate the NLB?

Bruno PACI (IT Consultant) commented:

Each ISA server should be registered in DNS for its own computer name associated to the private (not shared) internal IP address.
It seems like it's already done like that as you explained it.

To verify if you're using unicast NLB or multicast NLB you can use the command IPCONFIG /ALL and check if there are 2 IP addresses and 2 MAC addresses associated to the internal NIC (in this case you're using multicast). If you see 2 IP addresses but only one MAC address on the internal NIC that means you're using unicast. In this last case I suggest you change to multicast to avoid some network problems.

Also, to verify if your problems come from NLB or come from ISA rules, can you try adding an ISA rule to allow ALL outgoing traffic coming from any private IP addresses of the internal NIC of the ISA servers, and going to any private IP addresses of the internal NIC of the ISA servers... More clearly, make a rule to allow all protocols between ISA servers using their private internal NICs.

If the problem disappears after adding the ISA rule, that means that the built-in computer sets in ISA haven't been totally populated with IP addresses of ISA servers. You can add them.

Have a nice day

pagej (Author) commented:

I will try that.

I also found that in the ADAM event viewer the following is giving an error:

Source:  ADAM [ISASTGCTRL] Replication
Category: Replication
Event ID: 2042

It has been too long since this directory server last replicated with the following source directory server. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source.
The reason that replication is not allowed to continue is that the two directory servers’ views of deleted objects may now be different. The source directory server may still have copies of objects that have been deleted (and garbage collected) on this machine. If they were allowed to replicate, the source machine might return objects which have already been deleted.
Time of last successful replication:
2010-01-28 15:44:39
Invocation ID of source directory server:
Name of source directory server:
Tombstone lifetime (days):
The replication operation has failed.
User Action:
Determine which of the two directory servers is out of date. You have three options:
1. Remove or reinstall the directory server(s) that are out of date.
2. Use the "repadmin /removelingeringobjects" tool to remove inconsistent deleted objects and then resume replication.
3. Resume replication. Inconsistent deleted objects may be introduced. You can continue replication by using the following registry key. Once the systems replicate once, it is recommended that you remove the key to reinstate the protection.
 Registry Key:
HKLM\System\CurrentControlSet\Services\ADAM_ISASTGCTRL\Parameters\Allow Replication With Divergent and Corrupt Partner

pagej (Author) commented:

I have tried everything I can think of and it is still giving the same error.

One thing I did note was that even if I change the array properties to point to the other server as the Configuration Storage server when I look at Monitoring - Configuration it still points to the first server.  It is like it is corrupt.

Is there a way to rebuild the configuration storage server without losing all of my rules and other config info?

Ahmed Shahba (System Architect) commented:

Sorry for the delay in replying. I would suggest checking this link for troubleshooting ISA Server; it's very useful.

Thanks and Regards,

pagej (Author) commented:

Thanks for the document. Everything checked out but I am still receiving the same error from my original question.

Anything else I can look at?

pagej (Author) commented:

Well the question has changed as I had been fighting with the
issue for 3 days. I decided to rebuild my ISA cluster and have
gotten to the point of adding the second ISA server to the array
and I keep getting the following error:

An attempt to authenticate to the configuration storage server
computer failed. The server service may be stopped on the
Configuration Storage server computer.

Error code: 0x800704b3
Error description: No network provider accepted the given network

I have confirmed that “File and Printer sharing” is enabled on
both servers.

What am I missing?

pagej (Author) commented:

Turned out to be Symantec Endpoint protection was stopping the authentication.  I disabled it and then it was able to authenticate and then I re-enabled it.

Thanks for everyone's suggestions.
