
Welcome to ISAserver.org


[Solved] RPC and Windows 2008 AD problem

[Solved] RPC and Windows 2008 AD problem - 4.Feb.2009 4:13:41 AM   
nabu32

 

Posts: 8
Joined: 22.Jul.2007
Status: offline
Hi!

I am having an issue that I simply cannot get past; I am hoping someone may have some ideas!

I have two sites, each site has ISA 2006 SP1 on Windows 2003 x32 SP2 as the Front Firewall.

I have an L2TP IPSEC VPN tunnel that allows the Internal LAN of both sites to communicate and I can ping all servers from both sites using shortname or FQDN.

The AD Domain Controllers are running Windows 2008 x64 SP1 and are able to replicate, DNS changes replicate, etc., across sites.

However, if I try to view the remote server's Event Logs, the error I get back is "The RPC server is unavailable".

I have searched the web for hints that include making some registry changes in HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
(which I have now removed as it has made no difference), and applying SP1 for ISA (which I already have).

All of the servers involved (2 x ISA and 2 x DC) have all updates applied, with no further updates available from the Microsoft Update website.

The Firewall rules that I have are:

Site1
Internal                 >    Site2 (VPN Interface)    All Outbound
Site2 (VPN Interface)    >    Internal                 All Outbound

Site2
Internal                 >    Site1 (VPN Interface)    All Outbound
Site1 (VPN Interface)    >    Internal                 All Outbound

The firewall logs basically show:
  • "Initiated Connection" Allow rule for "RPC (all interfaces)" protocol
  • "Closed Connection"

The same pattern can be seen on both ISA Firewall logs.
Are there any ideas on what could be the possible cause?

Thanks.

N.

< Message edited by nabu32 -- 5.Feb.2009 9:19:14 PM >
Post #: 1
RE: RPC and Windows 2008 AD problem - 4.Feb.2009 6:38:40 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

your problem is very similar to this one: http://blogs.technet.com/isablog/archive/2008/07/21/64-bit-rpc-traffic-fails-across-isa-sever-2006.aspx

As you said, you already have ISA SP1 installed, so try the workaround from this KB: http://support.microsoft.com/kb/943212/

Regards,
Paulo Oliveira.

(in reply to nabu32)
Post #: 2
RE: RPC and Windows 2008 AD problem - 5.Feb.2009 2:31:57 AM   
nabu32

 

Posts: 8
Joined: 22.Jul.2007
Status: offline
Hi!

Thanks Paulo for your reply, it is greatly appreciated.

I followed the KB943212 article and checked the file versions against my ISA servers (which happen to have newer versions: 5.0.7523.493).

I created a new custom RPC Protocol (Outbound), selected my DC and enabled all RPC interfaces (around 20 of them, interestingly "Event log TCPIP" was one among them).
I created new firewall rules, and basically the same thing happens. This time, instead of the older rules being logged, the new rules and my custom protocol are logged. However, the outcome is the same: when trying to view a remote Event Log, the dreaded "The RPC server is unavailable" error occurs.

Note:- I have two ISA servers so effectively it looks like this:

W2K8 DC <-> ISA 2K6 SP1 <--L2TP Tunnel--> ISA 2K6 SP1 <-> W2K8 DC

I will try doing a wire trace, as per the original technet blog.

Meanwhile if anyone has other thoughts - do tell!

Thanks.

N.

(in reply to paulo.oliveira)
Post #: 3
RE: RPC and Windows 2008 AD problem - 5.Feb.2009 1:34:09 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

please follow up with us if you find something.

Regards,
Paulo Oliveira.

(in reply to nabu32)
Post #: 4
[Solved] RE: RPC and Windows 2008 AD problem - 5.Feb.2009 9:17:43 PM   
nabu32

 

Posts: 8
Joined: 22.Jul.2007
Status: offline
Hi!

Well I can report good news and that the fix is extremely simple...

Windows 2008 has an exception for its firewall - "Remote Event Log Management" which is disabled (even in the Domain profile). So in the end the Windows Firewall was blocking the requests.

Simply having ISA 2006 SP1 (with patches) all works fine, no need to create specific RPC interfaces, as it is already covered with the built-in "RPC (all interfaces)" protocol.

I could not understand why AD replication worked, while viewing remote Event Logs did not. So "back to basics," I tried to view a remote Event Log on the same subnet on another W2K8 server (rather than across the tunnel), which subsequently failed, thus eliminating ISA altogether.

Thanks for your help!

N.

(in reply to paulo.oliveira)
Post #: 5
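The host-side check that resolves this thread, as an added example that is not part of any post here: it parses `netsh advfirewall firewall show rule name=all` output and reports whether the "Remote Event Log Management" group is enabled. The function name `Get-FirewallGroupState` and the sample output are constructed for illustration, and English-language netsh field labels are assumed.

```powershell
# Added example. Parses the text printed by:
#   netsh advfirewall firewall show rule name=all
# Assumes English-language netsh output (field labels are localized).
function Get-FirewallGroupState {
    param([string[]]$NetshOutput, [string]$Group)
    $rules = @()
    $current = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^Rule Name:\s+(.+)$') {
            # Each "Rule Name:" line opens a new rule block.
            $current = @{ Name = $matches[1].Trim(); Enabled = ''; Profiles = ''; Grouping = '' }
            $rules += $current
        } elseif ($current -and $line -match '^(Enabled|Profiles|Grouping):\s+(.*)$') {
            $current[$matches[1]] = $matches[2].Trim()
        }
    }
    # Keep only the rules that belong to the requested group.
    $rules | Where-Object { $_.Grouping -eq $Group } |
        ForEach-Object { New-Object PSObject -Property $_ }
}

# Constructed sample output (not captured from the poster's servers).
$sample = @'
Rule Name:                            Remote Event Log Management (RPC)
----------------------------------------------------------------------
Enabled:                              No
Direction:                            In
Profiles:                             Domain
Grouping:                             Remote Event Log Management
Action:                               Allow

Rule Name:                            Active Directory Domain Controller (RPC)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Any
Grouping:                             Active Directory Domain Services
Action:                               Allow
'@ -split "`r?`n"

$group = 'Remote Event Log Management'
$state = @(Get-FirewallGroupState -NetshOutput $sample -Group $group)
foreach ($r in $state) { Write-Output ("{0}: Enabled={1} Profiles={2}" -f $r.Name, $r.Enabled, $r.Profiles) }
if (@($state | Where-Object { $_.Enabled -ne 'Yes' }).Count -gt 0) {
    Write-Output "Group '$group' has disabled rules; requests are blocked by the host firewall."
}
# Live use, from an elevated prompt on the target server:
#   Get-FirewallGroupState -NetshOutput (netsh advfirewall firewall show rule name=all) -Group $group
#   netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes
```

Running the check on the server being managed, before changing perimeter rules, separates a host firewall block from an ISA block in the same way the same-subnet test in the post did.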
RE: [Solved] RE: RPC and Windows 2008 AD problem - 6.Feb.2009 9:52:22 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi N,

glad you solved it. Thanks for the follow-up!

Regards,
Paulo Oliveira.

(in reply to nabu32)
Post #: 6
RE: [Solved] RE: RPC and Windows 2008 AD problem - 6.Feb.2009 10:40:14 PM   
nabu32

 

Posts: 8
Joined: 22.Jul.2007
Status: offline
While I am at it, I had another issue which was to do with ISA, and that was managing Exchange 2007 through the Exchange Management Console.

I thought to post the solution.

Whenever I looked at a remote Exchange Server through the management console, I would see the following errors:

--------------------------------------------------------
Microsoft Exchange Error
--------------------------------------------------------
The following error(s) were reported while loading topology information:

Get-ActiveSyncVirtualDirectory
Failed
Error:
The task was not able to connect to IIS on the server 'exchange1.internal'.  Ensure that the server exists and is reachable from this computer: The RPC server is unavailable.

Get-OabVirtualDirectory
Failed
Error:
The task was not able to connect to IIS on the server 'exchange1.internal'.  Ensure that the server exists and is reachable from this computer: The RPC server is unavailable.

Get-OWAVirtualDirectory
Failed
Error:
The task was not able to connect to IIS on the server 'exchange1.internal'.  Ensure that the server exists and is reachable from this computer: The RPC server is unavailable.

--------------------------------------------------------

The event logged on the Exchange Server was:
Event ID: 10009 - "DCOM was unable to communicate with the computer exchange1.internal using any of the configured protocols."

The solution here I found (http://blogs.technet.com/isablog/archive/2007/05/16/rpc-filter-and-enable-strict-rpc-compliance.aspx) was to do with strict RPC compliance stopping DCOM communications.
Unchecking the "Enforce strict RPC compliance" option for all the rules involved between my internal and remote site removed this issue.

This has no doubt already been commented on before, I would welcome comments on a better solution if anyone has ideas.

Thanks.

N.

(in reply to paulo.oliveira)
Post #: 7
