From: Suceava, Suceava, Romania
I have the following configuration:
- 1 Domain Controller running SBS 2003 with ISA 2004
- 1 Additional Domain Controller running Windows 2003 Standard, with ISA 2006
I have connectivity problems to the main DC on the secondary DC when ISA 2006 is running. If I run dcdiag on that machine I get failures at the beginning of the test:

    Domain Controller Diagnosis
    Performing initial setup:
       [bdc] Directory Binding Error 1726: The remote procedure call failed.
       This may limit some of the tests that can be performed.
       Done gathering initial info.
The problem disappears if I stop the ISA Server Control Service, so the problem is definitely in ISA. I can connect to all the ports on the main DC, I can ping it too.
Try to right click your access rule handling the traffic between your DCs (I would guess you called it something like "DC <-> DC All access" ;-), choose "RPC Filter" or whatever it's called. Clear the checkbox "Enforce strict RPC compliance".
See if this helps. I've had a lot of problems solved this way when dealing with internal network issues for different services (i.e. automatic certificate enrollment).
Is the "Local host" allowed to access "Internal" as well (i.e. protected networks)?
Check the system policies as well, I believe there are some policy settings there for "Active Directory communications".
The problem COULD also be related to how the communication is set up. For instance, if the traffic is routed from server1 to an internal router, drifts away and ends up on server2, and server2 answers directly to server1, server1 will not accept that traffic. This doesn't show up in the logs as clearly as it could.
Other than that, I don't know what could be wrong. Please let me know if you find something else.
I must say that I'm a bit puzzled by your problem. I'm not sure where to look next, besides setting up a reference environment and trying to recreate your problem. Unfortunately that's nothing I have time for right now, but I'll keep you in mind in case I figure something out.
Perhaps the time costs begin to be larger than the cost of a new server to dedicate as a DC on the inside to keep your plans of redundancy and solve the problem. But I personally hate leaving something unsolved. =)
I hope someone else in this forum could assist you with some more ideas?
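The remark above about traffic taking one path out and another path back is a classic stateful-inspection failure mode: a firewall that tracks sessions will drop any reply for which it never saw the initiating packet, and the denial often looks like an ordinary blocked connection in the log. The following toy connection-tracking filter is an added example written for this thread, not ISA code and not posted by anyone in the thread; the addresses, ports and the session-table logic are constructed to illustrate the principle (port 135 is used simply because RPC endpoint mapping is what dcdiag's binding error concerns).

```python
from dataclasses import dataclass

# Constructed sample addresses (hypothetical, not taken from the thread).
SERVER1 = "10.0.0.1"   # the host whose stateful filter we model
SERVER2 = "10.0.0.2"   # the peer domain controller


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str   # "SYN", "SYN-ACK" or "ACK"


class StatefulFilter:
    """Minimal connection tracker: a reply is only accepted if the filter
    previously saw the local host open the session it belongs to."""

    def __init__(self, local_ip):
        self.local_ip = local_ip
        self.sessions = set()   # keys: (local_ip, remote_ip, local_port, remote_port)
        self.log = []

    def _key(self, pkt):
        # Normalise both directions of a flow onto one session key.
        if pkt.src == self.local_ip:
            return (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        return (pkt.dst, pkt.src, pkt.dport, pkt.sport)

    def process(self, pkt):
        key = self._key(pkt)
        outbound = pkt.src == self.local_ip
        direction = "out" if outbound else "in"
        desc = f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {pkt.flags}"
        if outbound and pkt.flags == "SYN":
            # Local host opens a new session: record it so replies can match.
            self.sessions.add(key)
            self.log.append(f"ALLOW {direction} {desc} (new session)")
            return "ALLOW"
        if key in self.sessions:
            self.log.append(f"ALLOW {direction} {desc} (established)")
            return "ALLOW"
        # Packet for a session the filter never saw start: silently denied.
        # Note the log gives no hint that the *outbound* half took another path.
        self.log.append(f"DENY {direction} {desc} (no matching session)")
        return "DENY"


def symmetric_exchange():
    """Both halves of the handshake pass the filter: reply matches the SYN."""
    fw = StatefulFilter(SERVER1)
    verdicts = [
        fw.process(Packet(SERVER1, SERVER2, 49152, 135, "SYN")),
        fw.process(Packet(SERVER2, SERVER1, 135, 49152, "SYN-ACK")),
        fw.process(Packet(SERVER1, SERVER2, 49152, 135, "ACK")),
    ]
    return verdicts, fw.log


def asymmetric_exchange():
    """The outbound SYN left via a path the filter did not inspect (e.g. an
    internal router), so the reply arrives for a session that was never
    recorded and is dropped."""
    fw = StatefulFilter(SERVER1)
    verdicts = [
        fw.process(Packet(SERVER2, SERVER1, 135, 49152, "SYN-ACK")),
    ]
    return verdicts, fw.log


if __name__ == "__main__":
    for name, run in (("symmetric", symmetric_exchange), ("asymmetric", asymmetric_exchange)):
        verdicts, log = run()
        print(f"{name}: {verdicts}")
        for line in log:
            print("  " + line)
```

The point for troubleshooting is the last log line of the asymmetric case: it records a denied inbound packet and nothing more, so a routing problem between two servers is easy to mistake for an access-rule problem. Checking that both hosts reach each other over the same interface (and that the firewall sees both directions) is therefore worth doing before adjusting rules.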