Welcome to ISAserver.org


Domain connection problem

Domain connection problem - 8.Oct.2007 2:24:46 PM   
tbokman

 

Posts: 8
Joined: 31.Dec.2004
Status: offline
I have 2 windows 2000 native domains (I'll just call them DomainA and DomainB).  Each domain is in a separate forest.  I have a 2 way external trust between the 2 domains.  I installed ISA 2006 standard on a windows 2003 r2 server.   The server is a member of DomainA.  When I try to specify Windows Users for VPN access I can select the group I want from DomainA.  But when I try to select a group from DomainB I get error "The specified domain either does not exist or could not be contacted." 

Also from my PC (laptop1.domainA) I can use Windows Explorer and drill down from My Network Places to DomainB and server.DomainB.  When I try to do the same with the server where ISA 2006 is installed, I get an error (DomainB is not accessible.  The list of servers for this workgroup is not available).  But I can connect to the server in DomainB by entering \\server.DomainB.  Both my PC and the ISA 2006 server are on the same subnet but DomainB servers are on a different subnet.

I have ISA 2000 currently running and it has no problem accessing DomainB security groups.  Any ideas on how to fix this?  Thanks in advance.
Post #: 1
RE: Domain connection problem - 8.Oct.2007 6:35:39 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Check out the AD and DNS system policies

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to tbokman)
Post #: 2
RE: Domain connection problem - 9.Oct.2007 8:53:32 AM   
tbokman

 

Posts: 8
Joined: 31.Dec.2004
Status: offline
AD and DNS are working fine.  The problem is with ISA2006.  It seems to be much different from 2000.  Anyway this looks like a routing problem with ISA.  I have 2 NICs with one connected via T1 to the internet and the other to my internal network.  The NIC on the internal network has IP address 192.0.0.12/24.  I can connect to all devices on this subnet with no problem.  What I cannot do is connect to other subnets on my internal network.  Since the NIC on my internal network doesn't have a default gateway, I created static routes in RRAS to map the other internal subnets.  This worked with ISA2000 but not with ISA2006.  What am I doing wrong???

(in reply to tbokman)
Post #: 3
RE: Domain connection problem - 9.Oct.2007 4:42:41 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
You kinda got the right idea - but get rid of the stuff in RRAS.

You need to define static routes in the OS by using the "route add -p x.x.x.x mask y.y.y.y z.z.z.z" command...

Also make sure that your definition of the internal network in ISA covers all internal subnets that exist "behind" ISA.

Cheers

JJ 

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to tbokman)
Post #: 4
RE: Domain connection problem - 9.Oct.2007 8:39:58 PM   
tbokman

 

Posts: 8
Joined: 31.Dec.2004
Status: offline
OK I used the route command for all my internal networks and added them to the ISA internal network and now I can ping all the subnets from the ISA server.  But I still have the same problem when I try to access domainB.  There must be something in ISA that is blocking access to domainB.  I do not have this problem with ISA2000.  Any ideas on how to fix this?  Thanks.

(in reply to Jason Jones)
Post #: 5
RE: Domain connection problem - 10.Oct.2007 12:09:21 PM   
tbokman

 

Posts: 8
Joined: 31.Dec.2004
Status: offline
Ok I ran diag logging and found the reason why I am not connecting to DomainB.  The diag shows "Log source: Firewall Engine
ISA Server is evaluating the rule [System] Allow NetBIOS from ISA Server to trusted servers."  Followed by "Log source: Firewall Engine source does not match the packet."  So it looks like the domain controllers in DomainB are not included in the "trusted servers" group.  So now the question is: "How do I get the DomainB controllers into the ISA "trusted servers" group?"

(in reply to tbokman)
Post #: 6
RE: Domain connection problem - 10.Oct.2007 8:45:59 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Did you not look at the system policies?

You can edit these and add the members you need...

Alternatively, you could add a new rule to allow Local Host => DomainB Domain Controllers.

< Message edited by Jason Jones -- 10.Oct.2007 8:47:40 PM >


_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to tbokman)
Post #: 7
RE: Domain connection problem - 11.Oct.2007 3:15:15 PM   
tbokman

 

Posts: 8
Joined: 31.Dec.2004
Status: offline
I assume you mean ISA system policy?  Inside the System Policy editor I see Configuration Groups on the left.  Down the list I see Authentication Services and under that is Active Directory.  There I see the enable config and enforce strict RPC are both checked.  On the To tab I see Internal in the destination list and nothing in the Exceptions list.  I would think that Internal would include all the DomainB controllers since their IPs are part of the internal network.  Regardless I added the 2 DomainB DC computers to the destination list hit OK and then Apply.  I then go to specify windows users on the VPN section, click the groups tab, click add, change location to DomainB, click Ok, click advanced, click find now and wait while it searches for about 10 seconds to see message that domain cannot be contacted.

I also tried an access rule but got the same result.  I have a couple other win2k3 member servers in DomainA.  On both of those servers I can go to computer management, local users and groups, select a group, add to group, change location to DomainB, click advanced, click find now and after a second or 2 I see a list of all DomainB users and groups.  Do the same thing on ISA2006 and I get the domain cannot be contacted message.  WHY????

I bet even Shinder can't answer this one!!!  Just kidding.

(in reply to Jason Jones)
Post #: 8
RE: Domain connection problem - 11.Oct.2007 7:39:16 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
What have you defined as addresses on the Internal network object?

Have you defined WINS/DNS on the internal interface?

Is anything different about ISA at the OS level compared to the working member servers?

What version of Windows is DomainB?

What does the ISA monitor (logging) show when you are waiting for 10 seconds?

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to tbokman)
Post #: 9
RE: Domain connection problem - 11.Oct.2007 9:25:52 PM   
tbokman

 

Posts: 8
Joined: 31.Dec.2004
Status: offline
1. Internal
IpRangeSet
10.0.0.0-10.255.255.255
111.111.111.0-111.111.111.255
192.0.0.0-192.0.0.255
2. WINS/DNS settings identical to ISA2000 server.
3. All are win2k3 r2
4. DomainB is windows 2000 native.  One DC is win2k the other win2k3.
5. Log output:  ISA is 192.0.0.12  DomainB DCs are 111.111.111.91-92
  Original Client IP Client Agent Authenticated Client Service Server Name Referring Server Destination Host Name Transport MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload GMT Log Time Source Port Processing Time Bytes Sent Bytes Received Result Code HTTP Status Code Cache Information Error Information Log Record Type Authentication Server Log Time Destination IP Destination Port Protocol Action Rule Client IP Client Username Source Network Destination Network HTTP Method URL
192.0.0.12    ISA2K3 -  UDP -      -    10/11/2007 8:00:45 PM 138 0 0 0 0x0 ERROR_SUCCESS  0x0 0x0 Firewall - 10/11/2007 4:00:45 PM 111.111.111.92 138 NetBios Datagram Initiated Connection [System] Allow NetBIOS from ISA Server to trusted servers 192.0.0.12  Local Host Internal - -
192.0.0.12    ISA2K3 -  UDP -      -    10/11/2007 8:00:45 PM 138 0 0 0 0x0 ERROR_SUCCESS  0x0 0x0 Firewall - 10/11/2007 4:00:45 PM 111.111.111.91 138 NetBios Datagram Initiated Connection [System] Allow NetBIOS from ISA Server to trusted servers 192.0.0.12  Local Host Internal - -
192.0.0.12    ISA2K3 -  UDP -      -    10/11/2007 8:01:54 PM 138 69000 522 0 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN  0x0 0x0 Firewall - 10/11/2007 4:01:54 PM 111.111.111.92 138 NetBios Datagram Closed Connection [System] Allow NetBIOS from ISA Server to trusted servers 192.0.0.12  Local Host Internal - -
192.0.0.12    ISA2K3 -  UDP -      -    10/11/2007 8:01:54 PM 138 69000 522 0 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN  0x0 0x0 Firewall - 10/11/2007 4:01:54 PM 111.111.111.91 138 NetBios Datagram Closed Connection [System] Allow NetBIOS from ISA Server to trusted servers 192.0.0.12  Local Host Internal - -
(in reply to Jason Jones)
Post #: 10
RE: Domain connection problem - 16.Oct.2007 9:56:38 AM   
tbokman

 

Posts: 8
Joined: 31.Dec.2004
Status: offline
Jason,

Can you get Shinder to take a look at this problem?  I took some additional steps to try to determine the cause of this problem.  Here is what I did:

1. Wiped the disk and installed win2k3 r2 standard edition.
2. Joined new server to DomainA.
3. Installed SP2 and all MS updates.
4. At this point I can add both DomainA and DomainB users/groups to ISA server local groups.
5. Installed ISA 2006.
6. Can now access DomainA users/groups but get error message when trying to access DomainB.
7. Removed ISA server from DomainA and then joined to DomainB.
8. Can now access DomainB users/groups but get error message when trying to access DomainA.

This problem is specific to ISA 2006 as I don't have this problem with my production ISA 2000 server.  Not sure if this problem also exists in ISA 2004.  Would really like to get Shinder's input on this.  Thanks.

(in reply to Jason Jones)
Post #: 11
RE: Domain connection problem - 18.Oct.2007 4:15:44 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Hi,

I am not Tom's keeper!

Your troubleshooting concludes to me that ISA is blocking access to the Domain Controllers in DomainB.

Apart from the million differences between ISA2k and ISA2k6, there is the fact that ISA2k6 now firewalls all interfaces. Hence access from the ISA server to internal systems is also firewalled.

Have you set appropriate filters in the ISA logging tab and looked at access that is allowed and denied? This is likely the only way to see what is really going on...

How about defining a temp rule that allows all protocols (both ways) between ISA and the DCs for DomainB?

Are you sure which DC you are connecting to for DomainB? Is this definitely accessible from ISA? Can you PING it?

There is still quite a lot of basic stuff you should be able to troubleshoot here...

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to tbokman)
Post #: 12
RE: Domain connection problem - 18.Oct.2007 9:16:11 AM   
tbokman

 

Posts: 8
Joined: 31.Dec.2004
Status: offline
Ok, I finally got it to work.  Had to create an access rule: All outbound traffic; From: internal, local host; To: internal, local host.  Maybe not the best way to do it but this way everyone is happy!  Thanks for your help!!!!

(in reply to Jason Jones)
Post #: 13
RE: Domain connection problem - 22.Oct.2007 6:13:30 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
THIS IS NOT A GOOD IDEA!!!!!!!!!!!!!!!!!!!

The idea of the temp rule was to track down the problems and allow you to report on the protocols in use. You could then define a specific rule, as required, once you had determined what was required to solve your problem.

The rule you have created has essentially opened up your entire internal network to ISA. You also need to consider that if ISA is compromised, it now has full access to your internal network...not an ideal configuration.

You may want to change this???

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to tbokman)
Post #: 14
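To make Jason's objection concrete, here is an added example (not code from the thread or from ISA Server) that models first-match access-rule evaluation and compares the broad rule tbokman ended up with against a narrow "Local Host to DomainB DCs" rule. The Internal ranges, the ISA address and the DC addresses are the ones posted above; the "DomainB DCs" object, the rule names and the protocol set are assumptions for illustration.

```python
# Added example: minimal first-match rule evaluation, modelled on how ISA
# walks its ordered access rules and falls through to an implicit deny.
import ipaddress
from dataclasses import dataclass

ANY = "*"

def in_network(ip, ranges):
    """True if ip falls inside one of the (first, last) IPv4 ranges."""
    addr = ipaddress.IPv4Address(ip)
    return any(ipaddress.IPv4Address(lo) <= addr <= ipaddress.IPv4Address(hi)
               for lo, hi in ranges)

@dataclass
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: list              # list of (first, last) ranges, or ANY
    dst: list
    protocols: object = ANY  # set of (proto, port) tuples, or ANY

    def matches(self, src_ip, dst_ip, proto, port):
        return ((self.src == ANY or in_network(src_ip, self.src))
                and (self.dst == ANY or in_network(dst_ip, self.dst))
                and (self.protocols == ANY or (proto, port) in self.protocols))

def evaluate(rules, src_ip, dst_ip, proto, port):
    """First matching rule wins; anything unmatched hits the default deny."""
    for r in rules:
        if r.matches(src_ip, dst_ip, proto, port):
            return r.action, r.name
    return "deny", "[Default rule]"

# Network objects taken from the thread (Internal ranges, ISA = 192.0.0.12,
# DomainB DCs = 111.111.111.91-92). "DomainB DCs" is an assumed object name.
LOCAL_HOST = [("192.0.0.12", "192.0.0.12")]
INTERNAL = [("10.0.0.0", "10.255.255.255"),
            ("111.111.111.0", "111.111.111.255"),
            ("192.0.0.0", "192.0.0.255")]
DOMAINB_DCS = [("111.111.111.91", "111.111.111.92")]
# Assumed protocol set: NetBIOS datagram (the rule seen in the log), LDAP, SMB.
DC_PROTOCOLS = {("udp", 138), ("tcp", 389), ("udp", 389), ("tcp", 445)}

# The rule from post #13: all outbound, Internal+Local Host both ways.
BROAD = [Rule("All outbound Internal/Local Host", "allow",
              INTERNAL + LOCAL_HOST, INTERNAL + LOCAL_HOST)]
# A least-privilege alternative: only the ISA host, only the DomainB DCs.
NARROW = [Rule("Local Host -> DomainB DCs", "allow",
               LOCAL_HOST, DOMAINB_DCS, DC_PROTOCOLS)]
```

Both rule sets allow the NetBIOS datagram traffic to 111.111.111.92 that the log showed; only the broad one also lets the ISA host reach any other internal address on any protocol.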