Welcome to ISAserver.org
Forums |
Register |
Login |
My Profile |
Inbox |
RSS 
|
My Subscription |
My Forums |
Address Book |
Member List |
Search |
FAQ |
Ticket List |
Log Out
RE: Discussion of 2003 SP1 Final Release w/ISA2004
|
Users viewing this topic:
none
|
Logged in as: Guest
|
Login  | |
|
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 4.Apr.2005 1:26:00 PM
|
|
|
WyldWolf
Posts: 246
Joined: 3.Mar.2005
From: Wisconsin
Status: offline
|
Tom,
It doesn't fix the RPC and netlogon errors that appear at boot after applying the new Windows 2003 SP1 final, whether it's already applied prior to installing 2003 SP1 or after.
The errors seem to revolve around timing of establishing the secure channel to authenticate the machine account at startup. Once the machine is up, it functions other than one issue listed in this thread affecting VPN tunnels disconnecting.
According to MS, the RPC filter is broken by 2003 SP1, for ISA2000 they have a hotfix (in your post), 2004 ISA STD the solution is SP1 for ISA2004 - which doesn't quite solve all the problems.
|
|
|
|
|
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 5.Apr.2005 10:46:00 AM
|
|
|
tinto
Posts: 225
Joined: 9.Sep.2004
From: Italy
Status: offline
|
quote:
Originally posted by WyldWolf:
According to MS, the RPC filter is broken by 2003 SP1, for ISA2000 they have a hotfix (in your post), 2004 ISA STD the solution is SP1 for ISA2004 - which doesn't quite solve all the problems.
the hotfix for isa 2000 has been released after the 2003SP1;
the problem about isa2004 is: do they think that isa2004SP1 fixes the problem, or are they working about an hotfix specific for isa2004.
While writing a doubt has come in my mind: maybe that installing isa2004sp1 AFTER 2003sp1 would solve the problem???
|
|
|
|
|
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 5.Apr.2005 3:35:00 PM
|
|
|
spootnicks
Posts: 16
Joined: 29.Mar.2005
Status: offline
|
Hello,
I have noticed that I am getting an error in my system event log with Event ID 5783. I
If I disabled the ISA services (MS Firewall, Server Control, Job Scheduler, & Server Storage) and restart the server this error doesnĘt appear. It is only when the ISA services are running.
|
|
|
|
|
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 5.Apr.2005 5:45:00 PM
|
|
|
tinto
Posts: 225
Joined: 9.Sep.2004
From: Italy
Status: offline
|
quote:
Originally posted by Spootnicks_World:
If I disabled the ISA services (MS Firewall, Server Control, Job Scheduler, & Server Storage) and restart the server this error doesnĘt appear. It is only when the ISA services are running.
hi,
it seems quite clear that such kind of errors appear only when isa2004 is "active".
i've installed a 2003 from zero, applied 2003sp1 and get no errors. Tomorrow I'll install isa2004 and then isa2004sp1 and see what happens. I will keep you informed.
|
|
|
|
|
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 6.Apr.2005 10:59:00 AM
|
|
|
tinto
Posts: 225
Joined: 9.Sep.2004
From: Italy
Status: offline
|
quote:
Originally posted by Tinto:
i've installed a 2003 from zero, applied 2003sp1 and get no errors. Tomorrow I'll install isa2004 and then isa2004sp1 and see what happens. I will keep you informed.
hi folks,
as told, I've installed isa2004 and then isa2004sp1.
at boot I get netlogon errore 5783 instead of 5719.
however the problem is the same: the domain controller cannot be contacted at boot.
I actually don't know what to do: install 2003sp1 on production firewall or not?
|
|
|
|
|
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 6.Apr.2005 11:30:00 AM
|
|
|
leongni
Posts: 4
Joined: 20.Mar.2002
Status: offline
|
I applied Windows 2003 SP1 and then ISA 2004 SP1 and everything was well again. Before that I experienced all the errors you guys mentioned. Phewph... scary...
|
|
|
|
|
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 6.Apr.2005 12:34:00 PM
|
|
|
tinto
Posts: 225
Joined: 9.Sep.2004
From: Italy
Status: offline
|
quote:
Originally posted by leongni:
I applied Windows 2003 SP1 and then ISA 2004 SP1 and everything was well again. Before that I experienced all the errors you guys mentioned. Phewph... scary...
can you post all of the timeline of your installations? mine is
2003->2003sp1->isa2004->isa2004sp1
and still getting error
|
|
|
|
|
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 6.Apr.2005 1:56:00 PM
|
|
|
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
|
quote:
Originally posted by WyldWolf:
Tom,
It doesn't fix the RPC and netlogon errors that appear at boot after applying the new Windows 2003 SP1 final, whether it's already applied prior to installing 2003 SP1 or after.
The errors seem to revolve around timing of establishing the secure channel to authenticate the machine account at startup. Once the machine is up, it functions other than one issue listed in this thread affecting VPN tunnels disconnecting.
According to MS, the RPC filter is broken by 2003 SP1, for ISA2000 they have a hotfix (in your post), 2004 ISA STD the solution is SP1 for ISA2004 - which doesn't quite solve all the problems.
Hi WW,
OK, I'm not seeing it in my test boxes right now. Are these just Event Viewer errors with no actual production effects, or are you seeing problems with user authentication for Web proxy and Firewall clients?
Thanks!
Tom
|
|
|
|
|
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 6.Apr.2005 1:58:00 PM
|
|
|
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
|
quote:
Originally posted by leongni:
I applied Windows 2003 SP1 and then ISA 2004 SP1 and everything was well again. Before that I experienced all the errors you guys mentioned. Phewph... scary...
Hi Leon,
Did you apply ISA 2004 SP1 again *after* installing Windows 2003 SP1?
thanks!
Tom
|
|
|
|
|
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 6.Apr.2005 11:22:00 PM
|
|
|
WyldWolf
Posts: 246
Joined: 3.Mar.2005
From: Wisconsin
Status: offline
|
Tom,
Only event log errors, user authentication and functionality does not appear affected, other than the site to site VPN issues others have listed in this thread.
I've tried multiple order, ISA SP1->2003SP1->reapply ISA SP1
Same errors every time, only at boot Kerberos and netlogon. "Wait for network" is enabled, localhost rule in effect. Again these errors disappear if the only thing I do is uninstall 2003 SP1.
|
|
|
|
|
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 7.Apr.2005 2:34:00 AM
|
|
|
leongni
Posts: 4
Joined: 20.Mar.2002
Status: offline
|
quote:
Originally posted by Tinto:
quote:
Originally posted by leongni:
I applied Windows 2003 SP1 and then ISA 2004 SP1 and everything was well again. Before that I experienced all the errors you guys mentioned. Phewph... scary...
can you post all of the timeline of your installations? mine is
2003->2003sp1->isa2004->isa2004sp1
and still getting error
I installed it like that:
Windows 2003 --> ISA Server 2004 --> ISA Server 2004 SP1 --> Windows 2003 SP1 --> ISA Server SP1
|
|
|
|
|
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 7.Apr.2005 2:36:00 AM
|
|
|
leongni
Posts: 4
Joined: 20.Mar.2002
Status: offline
|
quote:
Originally posted by tshinder:
quote:
Originally posted by leongni:
I applied Windows 2003 SP1 and then ISA 2004 SP1 and everything was well again. Before that I experienced all the errors you guys mentioned. Phewph... scary...
Hi Leon,
Did you apply ISA 2004 SP1 again *after* installing Windows 2003 SP1?
thanks!
Tom
Tom, yes that's exactly what I did. Good thing this wasn't my production environment. Otherwise I would have been skinned alive!
|
|
|
|
|
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 7.Apr.2005 4:36:00 PM
|
|
|
WyldWolf
Posts: 246
Joined: 3.Mar.2005
From: Wisconsin
Status: offline
|
Exact same thing I did multiple times in multiple tests, keep getting these three event log errors.
|
|
|
|
|
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 8.Apr.2005 11:48:00 AM
|
|
|
tinto
Posts: 225
Joined: 9.Sep.2004
From: Italy
Status: offline
|
quote:
Originally posted by tshinder:
The ISA sustained engineering team says you don't need to reinstall SP1.
reinstalling isa2004sp1 on my test server has not produced any change in event log.
|
|
|
|
|
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 8.Apr.2005 4:28:00 PM
|
|
|
WyldWolf
Posts: 246
Joined: 3.Mar.2005
From: Wisconsin
Status: offline
|
Nor my test boxes. Tried the following and produces no solution to my event log errors:
ISA2004 -> 2003SP1 -> ISA2004SP1
and
ISA2004SP1 -> 2003SP1 -> Reapply ISA2004SP1
|
|
|
|
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 11.Apr.2005 4:11:00 PM
|
|
|
Guardian Angel
Posts: 1
Joined: 11.Apr.2005
Status: offline
|
I think I may have found a fix for the time being. I'm not entirely sure why it works as of yet, but after performing the below steps, MSDTC no send logs warnings to the application event log. It's interesting because a typical start of MSDTC via the Services MMC snap-in or via the command line consistently logs the aforementioned warnings to the application event log.
First off all open Start / Run / MMC.exe / Add/Remove a Snap In - Componentes Services
In Component Services, right click on My Computer, and right click Stop MSDTC
Then right click "Properties".
Select the "MSDTC" tab. On the bottom of the tab page, click the "Security Configuration" button. A new dialog will open. Just click "OK" to close the dialog ( This set the MSDTC to defaults ).
Then Start the MSDTC service.
And DONE !
Best Regards,
Guardian Angel
|
|
|
|
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 14.Apr.2005 9:00:00 AM
|
|
|
JohannHough
Posts: 3
Joined: 14.Feb.2005
From: Somerset West, South Africa
Status: offline
|
Last night, I approved the Windows 2003 SP 1 on the SUS server, rolling it out to our servers. One of which is a Windows 2003 Enterprise Server with ISA 2004 Std on. ISA2004 SP1 was already installed.
Basically I'm having the same problems that WyldWolf did. The ISA Server had the same eventlog entries:
System Log:
EventID 7 The kerberos subsystem encountered a PAC verification failure
EventID 5719 This computer was not able to set up a secure session with a domain controller in domain XXXXX due to the following:
The remote procedure call was cancelled
EventID 5783 The session setup to the Windows NT or Windows 2000 Domain Controller \\XXXXXXX for the domain XXXXXX is not responsive. The current RPC call from Netlogon on \\XXXXX to \\XXXXXXXXX has been cancelled.
Unlike WyldWolf, I am seeing problems with user authentication for Web proxy clients ?
I have checked that the various services are in process_share mode with "sc query xxxx" (as per http://support.microsoft.com/default.aspx?scid=kb;en-us;883268) which they were. This had no effect.
My next move was to re-establish a secure channel between the ISA box and the DC's (using nltest).
No getting much joy here. a "nltest /server:XXXXX /sc_query:YYYYYY" yields that there is an error, and then for spurious and short intervals, there is a normal channel, but this disappears quickly. An attempt to reset the secure channel with a "nltest /server:XXXXX /sc_reset:YYYYYY" fails. Also a "nltest /server:XXXXX /query" states that there is no NetLogon service, yet this is running on the ISA box.
Any ideas anyone ?
[ April 14, 2005, 09:30 AM: Message edited by: JohannHough ]
|
|
|
|
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 14.Apr.2005 1:00:00 PM
|
|
|
JohannHough
Posts: 3
Joined: 14.Feb.2005
From: Somerset West, South Africa
Status: offline
|
Well... it would seem I have found a resolution for my problem (described above).
I had configured ISA Server to allow TCP Outbound traffic on ports 1024-1030 from "Localhost" to "Internal Network".
After rebooting the ISA Server, all was right again. no more eventlog errors about Kerberos and PAC errors. No more failures in establishing a secure channel to the DC's and most importantly, no more Web Proxy user authentication errors.
Thanks
|
|
|
|
|
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 14.Apr.2005 8:00:00 PM
|
|
|
brick1420
Posts: 9
Joined: 22.Feb.2005
From: SC
Status: offline
|
Yep, same problem here. I installed 2003 SP1 last night via SUS and this morning all of my web proxy client users were being asked to authenticate. I checked the event logs and I am getting Event ID 7 and 5719 as well. I tried to work around it for about three hours but wound up removing Win 2003 SP1 and regained functionality.
quote:
Originally posted by WyldWolf:
So is anyone else receiving the following event log errors at boot? Again, this is not only 2003 SP1 but ISA2004's SP1, and 2003 SP1 running on the domain DC's:
System Log:
EventID 7 The kerberos subsystem encountered a PAC verification failure
EventID 5719 This computer was not able to set up a secure session with a domain controller in domain XXXXX due to the following:
The remote procedure call was cancelled
EventID 5783 The session setup to the Windows NT or Windows 2000 Domain Controller \\XXXXXXX for the domain XXXXXX is not responsive. The current RPC call from Netlogon on \\XXXXX to \\XXXXXXXXX has been cancelled
App log:
EventID 14176 cache failed to initialize
EventID 1097 Windows cannot find the machine account, No authority could be contacted for authentication
EventID 1030 Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.
|
|
|
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
 Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
Printable Version
![[Big Grin]](/image/smiles/biggrin.gif)
