I'm using ISA Server 2006 Enterprise on Windows Server 2003 R2 Enterprise.
My ISA server has 3 NICs: 192.168.20.100 to the WAN (Internet), 192.168.10.1 to the first subnet, and 192.168.0.1 to the second subnet.
This server ("ISA-SERVER") is also running DHCP and managing the scopes for the 10 and 0 subnets.
I have set up and tested static routes to allow communication across subnets. Communication via IP addresses works flawlessly.
Here is my basic issue:
I have 3 domain controllers on the 0 subnet, and I'm trying to add a 4th DC but on the 10 subnet. I am able to join machines on the 10 subnet to the domain without any issues, but trying to promote the machines to domain controllers (via DCPROMO) always fails. I also get an RPC error or a "remote procedure call failed" error (essentially the same thing, right?)
If I try to add another DC on the 0 subnet, it works without any issues.
If I add the DC while on the 0 subnet, then physically rewire it on to the 10 subnet, replication stops working.
So, apart from just being able to join a domain, other common tasks such as DCPROMO and replication are not functioning.
In my ISA server access rules, my very first rule is from Internal Networks & Localhost to (again) Internet Networks & Localhost. All protocols are allowed. No protocol is being blocked (as far as I can tell). Yet, RPC only fails when attempting to do it across subnets.
The confusing thing is that I created an analogous setup using virtual machines, and it worked just fine.
I even re-installed the OS on the 4th domain controller, but that didn't help.
I'm almost certain it's a firewall issue, but I can't be sure since, to my knowledge, I've not blocked a single port when it comes to communication between the 0 and 10 subnets.
Any help on troubleshooting this problem would be GREATLY appreciated!
< Message edited by waqqas31 -- 6.Nov.2009 5:57:26 PM >
Also, it may be worth checking if the traffic is being blocked by the RPC filter; disabling the option for "Strict RPC compliance" should indicate this.
You may also want to look at the Flood Mitigation alerts to see if this feature is blocking traffic (I have seen that before with AD comms). The real-time logs may also show "quota exceeded" entries to indicate this...
I've had the "Strict RPC Compliance" option unchecked since almost the beginning, so I'm afraid my solution doesn't lie there (well, not completely, at least).
When you say "Flood Mitigation Alerts", are you referring to the Monitoring --> Alerts options in ISA Server 2006? I don't see an item by that title/name, per se.
Do you know of any easily obtainable utilities or, better yet, utilities built in to Windows Server 2008 R2 that can help me quickly diagnose which ports are blocked? I've tried googling for one, but they're either convoluted or for Linux!
Thanks a bunch for suggesting PortQry. It's refreshing to know that Microsoft wasn't leaving people out in the cold with "trivial" problems such as mine!
The summary of my results is that the queries between DCs that replicated successfully (DC2 and DC3) differed in the following ways (ports) from DCs that did not replicate successfully (DC2 and DC5). DC5, of course, failed to run DCPROMO to completion, as the subject of this thread indicates.
How can I *completely* disable RPC compliance? The way I've done it so far is to select "Configure RPC" on a particular rule and disable it there, but I also saw it in one of the System Policies, though I'm not sure I want to fool around with those.
As for the flood mitigation, I was unable to find any options with that name. Can you point me in the right direction?
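The PortQry comparison above (working DC pair versus failing DC pair) can be scripted so the difference is reported directly. This is an added example, not code from this thread or from Microsoft's PortQry; the port list, the host names dc3/dc5 and the LISTENING / NOT LISTENING / FILTERED labels are assumptions modelled on PortQry's output, and the RPC dynamic ports handed out by the endpoint mapper on 135 are not covered.

```python
import socket
from typing import Callable, Dict, List

# Constructed list of the fixed TCP ports a peer DC must reach for DCPROMO
# and replication (assumption; RPC also uses dynamic ports above 1024).
AD_TCP_PORTS = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    389: "LDAP",
    445: "SMB",
    464: "Kerberos kpasswd",
    636: "LDAPS",
    3268: "Global Catalog",
}

def tcp_probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP port the way PortQry reports it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "LISTENING"
    except ConnectionRefusedError:
        # Host answered with RST: reachable, but nothing bound to the port.
        return "NOT LISTENING"
    except (socket.timeout, OSError):
        # No answer at all: the pattern a firewall drop (e.g. ISA) produces.
        return "FILTERED"

def probe_ports(host: str, ports: Dict[int, str] = AD_TCP_PORTS,
                probe: Callable[..., str] = tcp_probe) -> Dict[int, str]:
    """Probe every AD port on host; probe is injectable for offline testing."""
    return {port: probe(host, port) for port in ports}

def diff_results(good: Dict[int, str], bad: Dict[int, str]) -> List[int]:
    """Ports reachable on the working DC pair but not on the failing one."""
    return sorted(p for p, state in good.items()
                  if state == "LISTENING" and bad.get(p) != "LISTENING")

def report(good: Dict[int, str], bad: Dict[int, str]) -> List[str]:
    """Human-readable lines, one per port that differs between the pairs."""
    return [f"{p}/tcp ({AD_TCP_PORTS.get(p, '?')}): {good[p]} vs {bad.get(p)}"
            for p in diff_results(good, bad)]

if __name__ == "__main__":
    # Run this from DC2; replace the hostnames with the DC you are comparing.
    for line in report(probe_ports("dc3"), probe_ports("dc5")):
        print(line)
```

A port that shows FILTERED only toward the DC on the other subnet, while the same port is LISTENING toward a DC on the same subnet, points at the ISA rule or filter sitting between the subnets rather than at the DC itself.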