Active Directory RPC calls and ISA 2006 (Full Version)






ntldr -> Active Directory RPC calls and ISA 2006 (21.Feb.2007 12:47:56 AM)

Hi

I have the following configuration:

1 Domain Controller running SBS 2003 with ISA 2004
1 Additional Domain Controller running Windows 2003 Standard, with ISA 2006

I have connectivity problems to the main DC on the secondary DC when ISA 2006 is running.
If I run dcdiag on that machine I get failures at the beginning of the test:
 
Domain Controller Diagnosis
Performing initial setup:
[bdc] Directory Binding Error 1726:
The remote procedure call failed.
This may limit some of the tests that can be performed.
Done gathering initial info.

 
The problem disappears if I stop the ISA Server Control Service, so the problem is definitely in ISA. I can connect to all the ports on the main DC, I can ping it too.

What can I do?
Thanks




patos -> RE: Active Directory RPC calls and ISA 2006 (21.Feb.2007 3:24:32 PM)

Try to right click your Access rule handling the traffic between your DC's (I would guess you called it something like "DC <-> DC All access" ;-), choose "RPC Filter" or whatever it's called. Clear the checkbox "Enforce strict RPC compliance".

See if this helps. I've had a lot of problems solved this way when dealing with internal network issues for different services (i.e. Automatic Certificate enrollment).





ntldr -> RE: Active Directory RPC calls and ISA 2006 (22.Feb.2007 4:42:11 PM)

"Enforce strict RPC compliance" is unchecked on both servers. Any other ideas?




patos -> RE: Active Directory RPC calls and ISA 2006 (22.Feb.2007 5:39:15 PM)

Ok just so I get this correct. You have the following:

[ISA/DC]<->[DC on internal network]

Rules:
Allow All from Local Host <-> DC??

I guess using the DC on the same server as ISA means you need to allow "Local Host" as an object.

Could you be more specific about the scenario?

May I ask WHY you have two DC's like this? Failover?




ntldr -> RE: Active Directory RPC calls and ISA 2006 (26.Feb.2007 7:38:27 AM)

Hi!

Here's my topology. Yes, I use the second server for redundancy.

Topology diagram: http://upload6.postimage.org/446937/Config.jpg

The full image is at:
http://upload6.postimage.org/446937/photo_hosting.html

SBS is running Windows Small Business 2003 R2 Premium, ISA Server 2004 SP2, Exchange 2003 SP2, DHCP, DNS, WINS. SBS is the main DC.

BDC is running Windows 2003 R2 Standard, ISA Server 2006, Exchange 2003 SP2, DNS and WINS, and is an additional DC for the domain.




patos -> RE: Active Directory RPC calls and ISA 2006 (26.Feb.2007 1:18:00 PM)

Okay, then I'm on track with the setup..

As long as you have the rules configured correctly, this should work.

Can you access file shares from one server to the other? Both using the IP address and the FQDN (i.e. server1.network.com).

If there's a difference here, it may be that RPC tries to use the external interface. Maybe the external IP has been registered under the computer name in the DNS server.

Check your IP settings, and try to use DNS on the internal interface only. Also make sure you have a default GW only on the external interfaces.
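A check script for the interface conditions patos lists (DNS only on the internal adapter, a default gateway only on the external adapter, and no external address registered under the computer name in DNS). This is an added example, not code from the thread; it assumes PowerShell 2.0 on the ISA/DC server, that the internal-side connection is named "Internal" in Network Connections (pass your own names with -InternalAdapters), and it only reports, changing nothing.

```powershell
# Added example, not part of the thread: audit a multi-homed ISA/DC server
# for the misconfigurations discussed above. Assumptions: PowerShell 2.0,
# run locally as an administrator, internal adapters named as passed in.
param(
    [string[]]$InternalAdapters = @("Internal")   # assumption: connection names
)

function Test-IsaDcNetworkConfig {
    $findings = @()

    # Map adapter index -> connection name. Win32_NetworkAdapterConfiguration.Index
    # matches Win32_NetworkAdapter.DeviceID.
    $names = @{}
    foreach ($nic in Get-WmiObject Win32_NetworkAdapter) {
        if ($nic.NetConnectionID) { $names[[string]$nic.DeviceID] = $nic.NetConnectionID }
    }
    $configs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"

    $internalAddrs = @()
    $gatewayCount  = 0
    foreach ($cfg in $configs) {
        $name       = $names[[string]$cfg.Index]
        $isInternal = $InternalAdapters -contains $name
        # Filter nulls: @($null).Count is 1, which would skew the checks below.
        $ipv4     = @($cfg.IPAddress            | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
        $gateways = @($cfg.DefaultIPGateway     | Where-Object { $_ })
        $dns      = @($cfg.DNSServerSearchOrder | Where-Object { $_ })
        $gatewayCount += $gateways.Count

        if ($isInternal) {
            $internalAddrs += $ipv4
            if ($gateways.Count -gt 0) {
                $findings += "[$name] internal adapter has a default gateway ($($gateways -join ', ')); only the external adapter should."
            }
        } else {
            if ($dns.Count -gt 0) {
                $findings += "[$name] external adapter has DNS servers set ($($dns -join ', ')); use DNS on the internal adapter only."
            }
            if ($cfg.FullDNSRegistrationEnabled) {
                $findings += "[$name] external adapter registers its address in DNS; this is how an external IP ends up under the computer name."
            }
        }
    }
    if ($gatewayCount -gt 1) {
        $findings += "$gatewayCount default gateways are configured; a multi-homed host should have exactly one."
    }

    # What the other DC sees: resolve this host's FQDN and require every
    # returned address to belong to an internal adapter.
    $domain   = (Get-WmiObject Win32_ComputerSystem).Domain
    $fqdn     = "$env:COMPUTERNAME.$domain"
    $resolved = [System.Net.Dns]::GetHostAddresses($fqdn) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString }
    foreach ($addr in $resolved) {
        if ($internalAddrs -notcontains $addr) {
            $findings += "$fqdn resolves to $addr, which is not an internal adapter address; RPC endpoint mapping may bind to the external interface."
        }
    }
    return $findings
}

$result = Test-IsaDcNetworkConfig
if ($result.Count -eq 0) {
    "No interface findings; DNS, gateway and name registration look as patos recommends."
} else {
    "Findings:"
    $result | ForEach-Object { "  - $_" }
}
```

Run it on each ISA/DC box; a finding on the external adapter's DNS registration or on the FQDN resolution is the case patos is describing, and the fix is in the adapter's TCP/IP advanced settings (clear "Register this connection's addresses in DNS" on the external adapter, then delete the stale A record on the DNS server).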





ntldr -> RE: Active Directory RPC calls and ISA 2006 (27.Feb.2007 3:56:15 AM)

Yes, file shares work fine between them.
Actually it's yes to all your questions.
The rules on both servers are like this:

Access rule:
Protocol - all outbound traffic
From: All protected networks
To: All protected networks
Users: All users
Schedule: Always
Content types: All content types

I also clicked on that rule > Configure RPC Protocol > Unchecked "Enforce strict RPC compliance"

I started monitoring ISA for denied packets. The only blocked entries are some Netbios broadcast packets on ports 137 and 138 coming from localhost.




patos -> RE: Active Directory RPC calls and ISA 2006 (27.Feb.2007 1:06:29 PM)

Wow this doesn't seem to be an easy nut to crack.


Is the "Local host" allowed to access "internal" as well (ie protected networks)? 

Check the system policies as well, I believe there are some policy settings there for "Active Directory communications".

The problem COULD also be related to how the communication is set up. For instance, if the traffic is routed from server1 to an internal router, drifts away and ends up on server2, and server2 answers directly to server1, server1 will not accept that traffic. This doesn't show up in the logs as clearly as it could.

Other than that, I don't know what could be wrong. Please let me know if you find something else.




ntldr -> RE: Active Directory RPC calls and ISA 2006 (28.Feb.2007 5:58:08 AM)

As you know, the "All Protected Networks" object includes all networks BUT External, so yes, Local Host already has full access to "Internal".




patos -> RE: Active Directory RPC calls and ISA 2006 (28.Feb.2007 11:19:29 AM)

Hehe true, but you never know.

I must say that I'm a bit puzzled by your problem. I'm not sure where to look next, besides setting up a reference environment and trying to recreate your problem. Unfortunately that's nothing I have time for right now, but I'll keep you in mind in case I figure something out.

Perhaps the time costs are beginning to be larger than the cost of a new server to dedicate as a DC on the inside, to keep your plans for redundancy and solve the problem. But I personally hate leaving something unsolved. =)

I hope someone else in this forum could assist you with some more ideas?




tshinder -> RE: Active Directory RPC calls and ISA 2006 (1.Mar.2007 3:33:39 PM)

This is an SBS issue, I'll move it to that section.

Tom




ntldr -> RE: Active Directory RPC calls and ISA 2006 (1.Mar.2007 11:59:15 PM)

Thank you for your patience. I'll keep digging... If I'll solve the problem, I'll let you know.




ntldr -> RE: Active Directory RPC calls and ISA 2006 (2.Mar.2007 12:00:39 AM)

quote:

ORIGINAL: tshinder

This is an SBS issue, I'll move it to that section.

Tom


Hi Tom,

Are you sure it's an SBS issue? The problem happens on the additional DC, which is W2K3 Standard running ISA 2006.




wiim -> RE: Active Directory RPC calls and ISA 2006 (26.Mar.2007 10:33:22 AM)

I'm having the same problem. My topology is a bit different but I'm also using my DC as an ISA 2006 firewall...

So this is definitely not an SBS issue. I have also tried the above suggestions and checked Microsoft's site, though there's only information on this problem regarding 2004 SP2 there...

Anyone got a clue?




wiim -> RE: Active Directory RPC calls and ISA 2006 (27.Mar.2007 3:47:21 AM)

Yay, I fixed it. Turns out I had to REMOVE SP2, which was automatically installed through Windows Update... and then they tell you to keep your stuff up to date...




speedhost -> RE: Active Directory RPC calls and ISA 2006 (29.Mar.2007 3:37:45 AM)

Hi.

I had a similar issue.

I just bought a brand new HP DL380 G5 with multifunction NICs.

I installed it with windows 2003 SP2 and couldn't get RPC to work.
If I uninstalled SP2 it worked again.

I found out that I had to disable RSS to get RPC to work on SP2.

Thomas Shinder has released an article referring to a MS KB on how to disable RSS.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;927695

So if you are running Windows 2003 SP2 and can't get RPC to work, it's
probably because you're having issues with RSS.

(If you have a HP server you can disable RSS in the HP Network Configuration Utility)

Cheers.
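The thread's working fix is to turn off Receive Side Scaling on Windows Server 2003 SP2. The script below is an added example, not from the thread or from the KB article linked above: it reports, and with -Apply clears, the three Scalable Networking Pack switches that SP2 stores under the Tcpip parameters key (EnableRSS for RSS, EnableTCPChimney for TCP offload, EnableTCPA for NetDMA). The value names are the registry entries Microsoft documents for these features; the -Apply switch and the reboot message are this script's own conventions. Run it as a local administrator.

```powershell
# Added example, not part of the thread: show and optionally disable the
# Windows Server 2003 SP2 Scalable Networking Pack features (RSS, TCP
# Chimney, NetDMA) that the posts above blame for RPC failures.
param([switch]$Apply)   # assumption: reporting by default, change only on -Apply

$key = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
# 1 = feature on (the SP2 default on NICs that support it), 0 = off.
# An absent value means the SP2 default applies, i.e. the feature is on.
$switches = @("EnableRSS", "EnableTCPChimney", "EnableTCPA")

function Get-SnpState {
    $item  = Get-ItemProperty -Path $key
    $state = @{}
    foreach ($name in $switches) {
        $value = $item.$name
        if ($value -eq $null) { $value = "(absent, default applies)" }
        $state[$name] = $value
    }
    return $state
}

function Disable-Snp {
    foreach ($name in $switches) {
        # Set-ItemProperty creates the DWORD if it does not exist yet.
        Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
    }
}

$before = Get-SnpState
"Scalable Networking Pack settings in $key"
foreach ($name in $switches) { "  {0,-17} {1}" -f $name, $before[$name] }

if (-not $Apply) {
    "Nothing changed. Re-run with -Apply to set all three values to 0."
    return
}

Disable-Snp
$after = Get-SnpState
"After change:"
foreach ($name in $switches) { "  {0,-17} {1}" -f $name, $after[$name] }
"Reboot the server so the TCP/IP stack picks up the change, then re-run dcdiag."
```

Setting only EnableRSS to 0 is the minimum the posts call for; clearing all three is the usual approach on 2003 SP2 because Chimney offload and NetDMA trip over the same class of driver bugs. As speedhost notes, some NIC drivers also expose RSS per adapter (the HP Network Configuration Utility); the registry entries above are the stack-wide switch, and disabling RSS there is enough to test whether dcdiag's binding error 1726 goes away.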




tshinder -> RE: Active Directory RPC calls and ISA 2006 (29.Mar.2007 3:45:52 PM)

Hi Speed,

Thanks!
Tom




BrandonOz -> RE: Active Directory RPC calls and ISA 2006 (30.Mar.2007 8:32:06 AM)

I tried this suggestion and unfortunately it didn't work for me.

Ref: http://forums.isaserver.org/Remote_Procedure_Call_Failed/m_2002041428/tm.htm

B



