Posts: 30
Joined: 19.Jan.2002
From: Suceava, Suceava, Romania
Status: offline
Hi
I have the following configuration:
1 Domain Controller running SBS 2003 with ISA 2004
1 Additional Domain Controller running Windows 2003 Standard, with ISA 2006
I have connectivity problems to the main DC on the secondary DC when ISA 2006 is running. If I run dcdiag on that machine I get failures at the beginning of the test:
Domain Controller Diagnosis
Performing initial setup:
[bdc] Directory Binding Error 1726:
The remote procedure call failed.
This may limit some of the tests that can be performed.
Done gathering initial info.
The problem disappears if I stop the ISA Server Control Service, so the problem is definitely in ISA. I can connect to all the ports on the main DC, I can ping it too.
Try to right click your Access rule handling the traffic between your DCs (I would guess you called it something like "DC<-> DC All access" ;-), choose "RPC Filter" or whatever it's called. Clear the checkbox "Enforce strict RPC compliance".
See if this helps. I've had a lot of problems solved this way when dealing with internal network issues for different services (i.e. automatic certificate enrollment).
As long as you have the rules configured correctly, this should work.
Can you access file shares from one server to the other? Both using the IP address and the FQDN (i.e. server1.network.com).
If there's a difference here, it may be that RPC tries to use the external interface. Maybe the external IP has been registered as the computer name in the DNS server.
Check your IP settings, and try to use DNS on the internal interface only. Also make sure you have a default GW only on the external interfaces.
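The checks in the reply above (what DNS returns for the peer DC, which adapter carries the default gateway and registers in DNS, and whether the RPC endpoint mapper and SMB ports answer on each resolved address) gathered into one script. This is an added example, not code from the thread; it assumes you pass the peer DC's FQDN as a parameter and uses WMI and .NET so it also runs on older PowerShell versions.

```powershell
# Added diagnostic, not from the thread. Run on one DC against the other.
param([Parameter(Mandatory = $true)][string]$PeerDc)  # e.g. server1.network.com (placeholder)

# 1. Addresses DNS returns for the peer DC. An address belonging to the peer's
#    external interface means that interface registered itself in DNS, which is
#    the condition the reply above warns about.
$peerIps = [System.Net.Dns]::GetHostAddresses($PeerDc) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString }
Write-Host "DNS answers for ${PeerDc}: $($peerIps -join ', ')"

# 2. Local adapters: only the external adapter should carry a default gateway,
#    and only the internal adapter should have DNS registration enabled.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
    Select-Object Description,
        @{ n = 'IPAddress';   e = { $_.IPAddress -join ', ' } },
        @{ n = 'DefaultGw';   e = { $_.DefaultIPGateway -join ', ' } },
        @{ n = 'DnsRegister'; e = { $_.FullDNSRegistrationEnabled } } |
    Format-Table -AutoSize

# 3. RPC needs the endpoint mapper (TCP 135) before it negotiates a dynamic
#    port; 445 is the "file shares work" check and 389 is LDAP. Each port is
#    tried against every address DNS returned, so a DNS/interface mismatch
#    shows up as one address answering and the other timing out.
$ports = @{ 135 = 'RPC endpoint mapper'; 445 = 'SMB'; 389 = 'LDAP' }
foreach ($ip in $peerIps) {
    foreach ($port in $ports.Keys) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($ip, $port, $null, $null)
            # 2-second timeout so a filtered port does not stall the script
            $ok = $async.AsyncWaitHandle.WaitOne(2000, $false) -and $client.Connected
        } catch { $ok = $false }
        finally { $client.Close() }
        $state = if ($ok) { 'open' } else { 'BLOCKED/timeout' }
        Write-Host ("{0}:{1} ({2}) -> {3}" -f $ip, $port, $ports[$port], $state)
    }
}
```

Run it with the ISA Firewall service started and again with it stopped; a port that flips between the two runs points at the access rule or RPC filter rather than at DNS or routing.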
Yes, file shares work fine between them. Actually it's yes for all your questions. The rules on both servers are like this:
Access rule:
Protocol - all outbound traffic
From: All protected networks
To: All protected networks
Users: All users
Schedule: Always
Content types: All content types
I also clicked on that rule > Configure RPC Protocol > Unchecked "Enforce strict RPC compliance"
I started monitoring ISA for denied packets. The only blocked entries are some NetBIOS broadcast packets on ports 137 and 138 coming from localhost.
Is the "Local host" allowed to access "internal" as well (i.e. protected networks)?
Check the system policies as well, I believe there are some policy settings there for "Active directory communications".
The problem COULD also be related to how the communication is set up. For instance, if the traffic is routed from server1 to an internal router, drifts away and ends up on server2, and server2 answers directly to server1, server1 will not accept that traffic. This doesn't show up in the logs as clearly as it could.
Other than that, I don't know what could be wrong. Please let me know if you find something else.
I must say that I'm a bit puzzled by your problem. I'm not sure where to look next, besides setting up a reference environment and trying to recreate your problem. Unfortunately that's nothing I have time for right now, but I'll keep you in mind in case I figure something out.
Perhaps the time costs begin to be larger than the cost of a new server to dedicate as a DC on the inside to keep your plans of redundancy and solve the problem. But I personally hate leaving something unsolved. =)
I hope someone else in this forum could assist you with some more ideas?
I'm having the same problem. My topology is a bit different but I'm also using my DC as an ISA 2006 firewall...
So this is definitely not an SBS issue. I have also tried the above suggestions and checked Microsoft's site, though there's only information on this problem regarding 2004 SP2 there...
Yay, I fixed it. Turns out I had to REMOVE SP2, which was automatically installed through Windows Update... and then they tell you to keep your stuff up to date...