Active Directory RPC calls and ISA 2006

Active Directory RPC calls and ISA 2006 - 21.Feb.2007 12:47:56 AM   
ntldr

 

Posts: 30
Joined: 19.Jan.2002
From: Suceava, Suceava, Romania
Status: offline
Hi

I have the following configuration:

1 Domain Controller running SBS 2003 with ISA 2004
1 Additional Domain Controller running Windows 2003 Standard, with ISA 2006

I have connectivity problems to main DC on the secondary DC when ISA 2006 is running.
If I run dcdiag on that machine I get failures at the beginning of the test:
 
Domain Controller Diagnosis
Performing initial setup:
[bdc] Directory Binding Error 1726:
The remote procedure call failed.
This may limit some of the tests that can be performed.
Done gathering initial info.

 
The problem disappears if I stop ISA Server Control Service, so the problem is definitely in ISA. I can connect to all the ports on the main DC, I can ping it too.

What can I do?
Thanks
Post #: 1
RE: Active Directory RPC calls and ISA 2006 - 21.Feb.2007 3:24:32 PM   
patos

 

Posts: 34
Joined: 13.Oct.2006
Status: offline
Try to right-click your Access rule handling the traffic between your DCs (I would guess you called it something like "DC<-> DC All access" ;-), choose "RPC Filter" or whatever it's called. Clear the checkbox "Enforce strict RPC compliance".

See if this helps. I've had a lot of problems solved this way when dealing with internal network issues for different services (i.e. Automatic Certificate enrollment).


(in reply to ntldr)
Post #: 2
RE: Active Directory RPC calls and ISA 2006 - 22.Feb.2007 4:42:11 PM   
ntldr

 

Posts: 30
Joined: 19.Jan.2002
From: Suceava, Suceava, Romania
Status: offline
"Enforce strict RPC compliance" is unchecked on both servers. Any other ideas?

(in reply to patos)
Post #: 3
RE: Active Directory RPC calls and ISA 2006 - 22.Feb.2007 5:39:15 PM   
patos

 

Posts: 34
Joined: 13.Oct.2006
Status: offline
Ok just so I get this correct. You have the following:

[ISA/DC]<->[DC on internal network]

Rules:
Allow All from Local Host <-> DC??

I guess using DC on the same server as ISA makes you need to allow "local host" as object.

Could you be more specific about the scenario?

May I ask WHY you have two DC's like this? Failover?

(in reply to ntldr)
Post #: 4
RE: Active Directory RPC calls and ISA 2006 - 26.Feb.2007 7:38:27 AM   
ntldr

 

Posts: 30
Joined: 19.Jan.2002
From: Suceava, Suceava, Romania
Status: offline
Hi!

Here's my topology. Yes, I use the second server for redundancy.



The full image is at:
http://upload6.postimage.org/446937/photo_hosting.html

SBS is running Windows Small Business 2003 R2 Premium, ISA Server 2004 SP2, Exchange 2003 SP2, DHCP, DNS, WINS. SBS is the main DC.

BDC is running Windows 2003 R2 Standard, ISA Server 2006, Exchange 2003 SP2, DNS and WINS, and is an additional DC for the domain.

< Message edited by ntldr -- 26.Feb.2007 7:44:17 AM >

(in reply to patos)
Post #: 5
RE: Active Directory RPC calls and ISA 2006 - 26.Feb.2007 1:18:00 PM   
patos

 

Posts: 34
Joined: 13.Oct.2006
Status: offline
Okay, then I'm on track with the setup..

As long as you have the rules configured correctly, this should work.

Can you access file shares from one server to the other? Both using IP address and FQDN (i.e. server1.network.com).

If there's a difference here, it may be that the RPC tries to use the external interface. Maybe the external IP has been registered as the computer name in the DNS server.

Check your IP settings, and try to use DNS on the internal interface only. Also make sure you have default GW only on the external interfaces.


(in reply to ntldr)
Post #: 6
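
Added example (not part of the thread and not any poster's code): the checks suggested in post #6 for a dual-homed ISA/DC host, run over a constructed configuration. The host name `bdc.example.local`, all addresses, and the `audit_multihomed` helper are assumptions made for illustration.

```python
import ipaddress


def audit_multihomed(interfaces, a_records, internal_net):
    """Run the three checks from post #6; return a list of finding strings."""
    net = ipaddress.ip_network(internal_net)
    findings = []
    for iface in interfaces:
        is_internal = ipaddress.ip_address(iface["ip"]) in net
        # DNS servers should be configured on the internal interface only.
        if not is_internal and iface["dns"]:
            findings.append(
                f"{iface['name']}: DNS servers configured on a non-internal interface")
        # The default gateway should be configured on the external interface only.
        if is_internal and iface["gateway"]:
            findings.append(
                f"{iface['name']}: default gateway configured on the internal interface")
    # An A record outside the internal network means a peer DC can resolve
    # the host name to the external address and send its RPC traffic there.
    for fqdn, addrs in a_records.items():
        for addr in addrs:
            if ipaddress.ip_address(addr) not in net:
                findings.append(f"{fqdn}: A record {addr} is outside {net}")
    return findings


# Constructed sample data: the external NIC has a DNS server set and has
# registered its address under the DC's name.
SAMPLE_INTERNAL_NET = "192.168.16.0/24"
SAMPLE_INTERFACES = [
    {"name": "internal", "ip": "192.168.16.2", "gateway": None,
     "dns": ["192.168.16.2"]},
    {"name": "external", "ip": "203.0.113.10", "gateway": "203.0.113.1",
     "dns": ["203.0.113.53"]},
]
SAMPLE_A_RECORDS = {"bdc.example.local": ["192.168.16.2", "203.0.113.10"]}

if __name__ == "__main__":
    for finding in audit_multihomed(SAMPLE_INTERFACES, SAMPLE_A_RECORDS,
                                    SAMPLE_INTERNAL_NET):
        print(finding)
```
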
RE: Active Directory RPC calls and ISA 2006 - 27.Feb.2007 3:56:15 AM   
ntldr

 

Posts: 30
Joined: 19.Jan.2002
From: Suceava, Suceava, Romania
Status: offline
Yes, file shares work fine between them.
Actually it's yes for all your questions.
The rules on both servers are like this:

Access rule:
Protocol - all outbound traffic
From: All protected networks
To: All protected networks
Users: All users
Schedule: Always
Content types: All content types

I also clicked on that rule > Configure RPC Protocol > Unchecked "Enforce strict RPC compliance"

I started monitoring ISA for denied packets. The only blocked entries are some Netbios broadcast packets on ports 137 and 138 coming from localhost.

(in reply to patos)
Post #: 7
RE: Active Directory RPC calls and ISA 2006 - 27.Feb.2007 1:06:29 PM   
patos

 

Posts: 34
Joined: 13.Oct.2006
Status: offline
Wow this doesn't seem to be an easy nut to crack.


Is the "Local host" allowed to access "internal" as well (ie protected networks)? 

Check the system policies as well, I believe there are some policy settings there for "Active directory communications".

The problem COULD also be related to how the communication is set up. For instance, if the traffic is routed from server1 to an internal router, drifts away and ends up on server two, and server2 answers directly to server1, server1 will not accept that traffic. This doesn't show up in the logs as clearly as it could.

Other than that, I don't know what could be wrong. Please let me know if you find something else.

(in reply to ntldr)
Post #: 8
RE: Active Directory RPC calls and ISA 2006 - 28.Feb.2007 5:58:08 AM   
ntldr

 

Posts: 30
Joined: 19.Jan.2002
From: Suceava, Suceava, Romania
Status: offline
As you know, the "All Protected Networks" object includes all networks BUT External, so yes, local host already has full access to "Internal".

(in reply to patos)
Post #: 9
RE: Active Directory RPC calls and ISA 2006 - 28.Feb.2007 11:19:29 AM   
patos

 

Posts: 34
Joined: 13.Oct.2006
Status: offline
Hehe true, but you never know.

I must say that I'm a bit puzzled by your problem. I'm not sure where to look next, besides setting up a reference environment and trying to recreate your problem. Unfortunately that's nothing I have time for right now, but I'll keep you in mind in case I figure something out.

Perhaps the time costs begin to be larger than the cost for a new server to dedicate as a DC on the inside to keep your plans of redundancy and solve the problem. But I personally hate leaving something unsolved. =)

I hope someone else in this forum could assist you with some more ideas?

(in reply to ntldr)
Post #: 10
RE: Active Directory RPC calls and ISA 2006 - 1.Mar.2007 3:33:39 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This is an SBS issue, I'll move it to that section.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to patos)
Post #: 11
RE: Active Directory RPC calls and ISA 2006 - 1.Mar.2007 11:59:15 PM   
ntldr

 

Posts: 30
Joined: 19.Jan.2002
From: Suceava, Suceava, Romania
Status: offline
Thank you for your patience. I'll keep digging... If I'll solve the problem, I'll let you know.

(in reply to patos)
Post #: 12
RE: Active Directory RPC calls and ISA 2006 - 2.Mar.2007 12:00:39 AM   
ntldr

 

Posts: 30
Joined: 19.Jan.2002
From: Suceava, Suceava, Romania
Status: offline
quote:

ORIGINAL: tshinder

This is an SBS issue, I'll move it to that section.

Tom


Hi Tom,

Are you sure it's an SBS issue? The problem happens on the additional DC which is W2K3 Standard running ISA 2006.

(in reply to tshinder)
Post #: 13
RE: Active Directory RPC calls and ISA 2006 - 26.Mar.2007 10:33:22 AM   
wiim

 

Posts: 2
Joined: 26.Mar.2007
Status: offline
I'm having the same problem. My topology is a bit different but I'm also using my DC as an ISA 2006 firewall...

So this is definitely not an SBS issue. I have also tried the above suggestions and checked Microsoft's site, though there's only information on this problem regarding 2004 SP2 there...

Anyone got a clue?

(in reply to ntldr)
Post #: 14
RE: Active Directory RPC calls and ISA 2006 - 27.Mar.2007 3:47:21 AM   
wiim

 

Posts: 2
Joined: 26.Mar.2007
Status: offline
Yay, I fixed it. Turns out I had to REMOVE SP2, which automatically updated through Windows Update... and then they tell you to keep your stuff up to date...

(in reply to wiim)
Post #: 15
RE: Active Directory RPC calls and ISA 2006 - 29.Mar.2007 3:37:45 AM   
speedhost

 

Posts: 14
Joined: 24.Apr.2002
From: DK
Status: offline
Hi.

I had a similar issue.

I just bought a brand new HPDL380G5 with multifunction NICs.

I installed it with Windows 2003 SP2 and couldn't get RPC to work.
If I uninstalled SP2 it worked again.

I found out that I had to disable RSS to get RPC to work on SP2.

Thomas Shinder has released an article referring to a MS KB on how to disable RSS.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;927695

So if you are running Windows 2003 SP2 and can't get RPC to work, it's probably because you're having issues with RSS.

(If you have an HP server you can disable RSS in the HP Network Configuration Utility)

Cheers.

< Message edited by speedhost -- 29.Mar.2007 3:53:06 AM >

(in reply to wiim)
Post #: 16
RE: Active Directory RPC calls and ISA 2006 - 29.Mar.2007 3:45:52 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Speed,

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to speedhost)
Post #: 17
RE: Active Directory RPC calls and ISA 2006 - 30.Mar.2007 8:32:06 AM   
BrandonOz

 

Posts: 25
Joined: 30.Jan.2007
Status: offline
I tried this suggestion and unfortunately it didn't work for me.

Ref: http://forums.isaserver.org/Remote_Procedure_Call_Failed/m_2002041428/tm.htm

B

(in reply to ntldr)
Post #: 18
