Discussion of 2003 SP1 Final Release w/ISA2004 (Full Version)



WyldWolf -> Discussion of 2003 SP1 Final Release w/ISA2004 (31.Mar.2005 4:58:00 AM)

It's official, 2003 SP1 final released today. Starting the testing with ISA 2004 now.

Please post any observations here, and I'll do the same!

http://www.microsoft.com/downloads/details.aspx?familyid=22CFC239-337C-4D81-8354-72593B1C1F43&displaylang=en




WyldWolf -> RE: Discussion of 2003 SP1 Final Release w/ISA2004 (31.Mar.2005 6:06:00 AM)

First I rebooted my test DC server and my ISA 2004 STD server twice to verify, across two reboots, that I had no pre-existing warnings or errors in any of the event logs. I then applied 2003 SP1 to the DC first and rebooted it with no errors. I then applied it to the ISA server, rebooted, and received the following errors in the event logs. Rebooted a second time and still receive the following errors (note the Windows Firewall service is disabled by default, so it is not interfering with domain authentication):

System Log:

EventID 7 The kerberos subsystem encountered a PAC verification failure

EventID 5719 This computer was not able to set up a secure session with a domain controller in domain XXXXX due to the following:
The remote procedure call was cancelled

EventID 5783 The session setup to the Windows NT or Windows 2000 Domain Controller \\XXXXXXX for the domain XXXXXX is not responsive. The current RPC call from Netlogon on \\XXXXX to \\XXXXXXXXX has been cancelled

App log:

EventID 14176 cache failed to initialize

EventID 1097 Windows cannot find the machine account, No authority could be contacted for authentication

EventID 1030 Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

I'm able to browse through the ISA and ran a gpupdate /force on the ISA and no additional errors were logged, so this problem appears to be a timing change at startup.

I'm anxious to hear others' feedback on SP1 applied to ISA 2004.




gazc -> RE: Discussion of 2003 SP1 Final Release w/ISA2004 (31.Mar.2005 6:11:00 AM)

Hi

They haven't solved the Kerberos issue, it seems.

In the beta for SP1 I had the same problems, only resolved by creating an access rule allowing all outbound from Internal to Local Host... it seems that the system policy is ignored for the most part.

I also had problems getting any PPTP VPN connections using a back-end RADIUS server for authentication to work properly.

I'm very cagey about installing SP1 again but will give it a go soon enough...




gazc -> RE: Discussion of 2003 SP1 Final Release w/ISA2004 (31.Mar.2005 6:13:00 AM)

You might want to try running the Security Configuration Wizard to see if it helps.




WyldWolf -> RE: Discussion of 2003 SP1 Final Release w/ISA2004 (31.Mar.2005 6:17:00 AM)

Thanks, I'll try the SCW; however, it's optional, and since the built-in Windows Firewall is disabled it shouldn't be blocking anything.

I'll let you know if I find anything else.




WyldWolf -> RE: Discussion of 2003 SP1 Final Release w/ISA2004 (31.Mar.2005 6:26:00 AM)

It seems that it's simply a startup timing issue with the domain validation. Once it's up I can open drives on the ISA server, gpupdate from the ISA server successfully, and all outbound functionality seems to be working properly; I tested as many outbound protocols as I could, PPTP through the ISA, etc., and all are working.

Also scanned from outside to verify no new holes, and it passed all stealth tests.

I hate seeing errors in the event logs, I'm wondering if changing the dependsonservice to wait for the ISA services would eliminate these errors.




WyldWolf -> RE: Discussion of 2003 SP1 Final Release w/ISA2004 (31.Mar.2005 7:16:00 AM)

Well I'm still working on a solution to eliminate the errors, however I don't think that adding a localhost rule is an acceptable solution.

I can confirm that once the ISA server is up, no errors recur relating to domain authentication. I can see successful machine account authentication on the DC for the ISA, and vice versa when attaching to the ISA from the DC. This is without adding any localhost rules (other than the system policy).

All user and group based domain authentication functions for access rules requiring authentication.





gazc -> RE: Discussion of 2003 SP1 Final Release w/ISA2004 (31.Mar.2005 5:44:00 PM)

I was hoping this topic would generate more response!

Is WW the only person installing SP1?

Will install over the weekend, WyldWolf.




tinto -> RE: Discussion of 2003 SP1 Final Release w/ISA2004 (31.Mar.2005 5:45:00 PM)

quote:
Originally posted by WyldWolf:

EventID 5719 This computer was not able to set up a secure session with a domain controller in domain XXXXX due to the following:
The remote procedure call was cancelled

I also get other errors, in the Application log:

MS DTC Tracing infrastructure : the attempt to flush the existing trace data failed. Internal Information : msdtc_trace : File: d:\srvrtm\com\complus\dtc\dtc\trace\src\tracelib.cpp, Line: 1690, QueryTrace Failed, hr=0x80071069 (id 4407)

and

Windows cannot determine the user or computer name. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted. (1053)

To be honest, I'm quite disappointed.
And not sure what to do.




WyldWolf -> RE: Discussion of 2003 SP1 Final Release w/ISA2004 (31.Mar.2005 5:55:00 PM)

Does functionality appear to be affected?




erickufrin -> RE: Discussion of 2003 SP1 Final Release w/ISA2004 (31.Mar.2005 9:54:00 PM)

I had issues with errors in the event log on startup but didn't seem to have any serious problems after the system was started up and logged in for a minute or two. I also don't like to see errors or warnings on startup, so I spent quite a bit of time tweaking my settings to resolve the issue. Here is what I did:

My ISA box is in its own OU called Firewall. I have applied the HighSecWs.inf security template to this Group Policy.

The settings that I changed that helped me to resolve my warnings and errors are:

AdminTemplates/System/Logon/Always wait for the network at computer startup and logon -> Set to Enabled.

Also set:

AdminTemplates/System/Net Logon/Expected dial-up delay on logon -> Set to Enabled and configure for 120 seconds.

I also have my Netlogon service set to depend on DNS service.

Configuring these settings should give your ISA box enough time to start all needed services before attempting to perform any kind of Netlogon or AD activity.

Let me know if this helps. It worked for me.

I am planning on redoing all of my 2K3 boxes, and my ISA 2K4 box, with a slipstreamed copy of 2K3 SP1.

I will update with any issues I encounter with SP1 for 2K3 or ISA 2K4. My ISA box doesn't even have ISA SP1 on it because I've been waiting for 2K3 SP1...

Eric Kufrin

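The two points raised above, WyldWolf's diagnosis that the Netlogon/Kerberos/Group Policy errors appear only in the boot window and never recur, and Eric's startup-ordering tweaks (wait for the network, expected dial-up delay, Netlogon depending on DNS), can be checked from one read-only script. This is an added example, not code from the thread or from Microsoft; it assumes Windows PowerShell is installed on the ISA host (it shipped after 2003 SP1), that the event IDs quoted in the posts are the ones of interest, and it uses a five-minute "startup window" that is an assumption to be tuned. It changes no ISA rules or services, so it is safer than the Internal-to-Local-Host allow rule mentioned earlier in the thread.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the
# ISA host. Read-only: reports only, changes nothing.

# Event IDs quoted by the posters: System 7, 5719, 5783; Application 14176, 1097, 1030, 1053.
$systemIds = 7, 5719, 5783
$appIds    = 14176, 1097, 1030, 1053

# Assumption: anything logged within this many minutes of boot is a "startup"
# event; anything later is "recurring" and is NOT just a boot-order race.
$startupWindowMinutes = 5

$os       = Get-WmiObject Win32_OperatingSystem
$bootTime = $os.ConvertToDateTime($os.LastBootUpTime)
$cutoff   = $bootTime.AddMinutes($startupWindowMinutes)

# Pull matching Error/Warning entries since the last boot and tag each one
# with the phase it fell into.
function Get-ClassifiedEvents([string]$log, [int[]]$ids) {
    Get-EventLog -LogName $log -After $bootTime -EntryType Error, Warning |
        Where-Object { $ids -contains $_.EventID } |
        Select-Object TimeGenerated, EventID, Source,
            @{ n = 'Phase'; e = { if ($_.TimeGenerated -le $cutoff) { 'startup' } else { 'recurring' } } }
}

$events = @(Get-ClassifiedEvents 'System' $systemIds) + @(Get-ClassifiedEvents 'Application' $appIds)
$events | Sort-Object TimeGenerated | Format-Table -AutoSize

$recurring = @($events | Where-Object { $_.Phase -eq 'recurring' })
if ($recurring.Count -gt 0) {
    Write-Warning ("{0} matching event(s) logged after the startup window; this is not only a boot-order race." -f $recurring.Count)
} else {
    Write-Host "All matching events fall within $startupWindowMinutes min of boot ($bootTime): consistent with a startup timing issue."
}

# ---- Startup-ordering settings described in the thread ----------------------

# Netlogon service dependencies (Eric adds DNS; WyldWolf wondered about the ISA services).
$deps = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon').DependOnService
"Netlogon DependOnService: $($deps -join ', ')"

# Registry values behind the two Group Policy settings Eric enabled:
#   "Always wait for the network at computer startup and logon" -> SyncForegroundPolicy = 1
#   "Expected dial-up delay on logon"                           -> ExpectedDialupDelay (seconds)
$winlogonPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
$netlogonPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters'

$sync  = (Get-ItemProperty $winlogonPol -ErrorAction SilentlyContinue).SyncForegroundPolicy
$delay = (Get-ItemProperty $netlogonPol -ErrorAction SilentlyContinue).ExpectedDialupDelay
"Always wait for the network at startup: " + $(if ($sync -eq 1) { 'Enabled' } else { 'Not set' })
"Expected dial-up delay on logon:        " + $(if ($delay) { "$delay s" } else { 'Not set' })
```

If the script reports recurring events, the problem is not the boot-order race the thread settles on, and Eric's delay settings will not fix it; look at the DC reachability and the RPC/Kerberos path instead. If every hit is inside the window and the three settings show as set, the remaining noise is cosmetic, which matches what WyldWolf observed.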



WyldWolf -> RE: Discussion of 2003 SP1 Final Release w/ISA2004 (31.Mar.2005 10:18:00 PM)

Eric,

I already had all of these policies set, other than the DNS server which I don't have installed on the ISA server.

All the above errors exist but only at a fresh boot and never repeat.




erickufrin -> RE: Discussion of 2003 SP1 Final Release w/ISA2004 (31.Mar.2005 10:53:00 PM)

I don't know what to tell you about it then. As I said, I will be redoing all my setup this weekend and will let you know if I experience any problems.

I just set up a fresh copy of 2K3 SP1 in a VMware session and I am getting a warning in my Application log after creating a new domain.

MSDTC Service warning 1:

MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings. Error Specifics: d:\srvrtm\com\complus\dtc\dtc\adme\uiname.cpp:9280, Pid: 1516
No Callstack,
CmdLine: C:\WINDOWS\system32\msdtc.exe

MSDTC Service warning 2:

MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings. Error Specifics: %1

I am already starting to be disappointed with SP1... You'd think they would get it right after taking a year and a half...

With regards to the PAC verification issue. Have you tried changing the RPC system policy to not enable Strict Enforcement?

Eric Kufrin




WyldWolf -> RE: Discussion of 2003 SP1 Final Release w/ISA2004 (31.Mar.2005 10:55:00 PM)

Yep, made the RPC change no effect. Just curious are you running ISA's SP1 as well as 2003 SP1?




erickufrin -> RE: Discussion of 2003 SP1 Final Release w/ISA2004 (31.Mar.2005 11:01:00 PM)

I haven't applied SP1 for ISA or 2K3 in my "production" network. I am planning on rebuilding from scratch this Sunday. Only 3 systems: 1 DC 2K3, 1 ISA 2K4, 1 box that will be set up with Exchange 2K3.

Hopefully I don't experience any issues...

Eric Kufrin




WyldWolf -> RE: Discussion of 2003 SP1 Final Release w/ISA2004 (31.Mar.2005 11:05:00 PM)

So the comments you made on errors didn't apply to SP1 on 2003 and SP1 on ISA 2004?




erickufrin -> RE: Discussion of 2003 SP1 Final Release w/ISA2004 (31.Mar.2005 11:10:00 PM)

SP1 2K3 on VMware: I am getting MSDTC errors on a fresh install after setting up a new domain/forest/domain controller.

Still don't have it on my real boxes. I wanted to test it first before making the leap...

I haven't even installed SP1 for ISA yet... From the KB article's description of the fixes it made, I didn't see any real value in installing it immediately.

Eric Kufrin




luiscperu -> RE: Discussion of 2003 SP1 Final Release w/ISA2004 (31.Mar.2005 11:18:00 PM)

I had to install SP1, even RC2, on some production servers; you must tell me why I did this. Microsoft Support is not good enough, and all patches that we get through Windows Update are concerned mostly with security. There are other issues only addressed by Microsoft Support personnel.

It's been working fine since the day I installed SP1 RC2. Now the whole morning there were no problems at all. 15 servers are up with the SP1 final release.




WyldWolf -> RE: Discussion of 2003 SP1 Final Release w/ISA2004 (31.Mar.2005 11:29:00 PM)

Eric, I haven't gotten any MSDTC errors on non-SP1 2003 with ISA SP1, or with 2003 SP1 and ISA SP1... on many implementations, including VMware testing... so it must be something specific to configuration changes you're making.

We should keep this thread to discussions of ISA 2004 SP1 running on 2003 Server SP1 final release, just so we don't muddy the water too much.




tshinder -> RE: Discussion of 2003 SP1 Final Release w/ISA2004 (31.Mar.2005 11:39:00 PM)

Hi WW,

I agree. Everyone needs to have ISA 2004 SP1 installed. It doesn't break anything, and includes *things* that aren't doc'd in the release notes (I think).

I haven't installed Win2003 SP1 yet, but will check it out tonight (on VMs, I need my production ISA firewalls).

Thanks!
Tom



