[isalist] Re: ISA on active directory startup errors

http://www.ISAserver.org
-------------------------------------------------------

 
It sounds like you may just have AD issues.  Check all of your DC's for
any complaints of KERBEROS issues where is can't secure the security
channel.  Since you've cleared the event logs, you've lost a good chunk
of troubleshooting information from  the process of adding the system to
the domain.  If you have any extra built boxes or a virtual machine you
can add to the domain, that would at least prove functionality of your
AD structure and the ability to join the domain.  Usually in the above
scenario AD replication is busted also, so that is another thing you
could check.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Paul Noble
Sent: Wednesday, June 21, 2006 4:34 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: ISA on active directory startup errors

http://www.ISAserver.org
-------------------------------------------------------
  
Hi there,

First off thanks for the replies.

I tried following the post that Steve put up, however the servers
already got sp2 on it so the update to sp1 didn't work :) I updated to
the http issues for isa server as per the below mail, still no joy.

I removed isa2004
Reboot
Reinstalled 2003 sp1
Reboot (clean event log at this point)
Reinstalled isa2004 and immediately patched it to the sp1 install as per
steves mail and rebooted Setup dns forwarder access rule Reinstalled isa
sp2 and MS Update to the latest patch (http issues for isa) and rebooted

Still the same set of error messages in the event logs.

Short of taking a hammer to the OS and rebuilding from scratch does
anyone have any other ideas to try?


This install is the factory default dell sc1450 install, the system used
to be part of another active directory before I moved it to the current
AD. It didn't have any role in this other AD nor did it have ISA on it
(or any programs, it was literally joined into the domain, turned off
for 3 weeks then removed from the old AD and added to the new one).

Any help is appreciated :)

Paul

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA
Sent: Tuesday, June 20, 2006 1:29 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA on active directory startup errors

http://www.ISAserver.org
-------------------------------------------------------
  
There is a post service pack 2 patch for ISA2004, search on Microsoft
for it. Service pack 2 have some HTTP compression issues and I don't
know if something else.

Regards
Diego R. Pietruszka
 
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Paul Noble
Sent: Tuesday, June 20, 2006 8:04 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: ISA on active directory startup errors

http://www.ISAserver.org
-------------------------------------------------------
  
I installed 2003 sp1, then joined to the domain, I then installed
ISA2004
and installed sp2. I havent patched it beyond that 

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On
Behalf Of Steve Moffat
Sent: Tuesday, June 20, 2006 12:56 PM
To: ISA Mailing List
Subject: [isalist] Re: ISA on active directory startup errors

http://www.ISAserver.org
-------------------------------------------------------
  
Is your ISA fully patched and service packed? Did you join the server to
the domain before you installed ISA?

Steve

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Paul Noble
Sent: Tuesday, June 20, 2006 6:36 AM
To: ISA Mailing List
Subject: [isalist] ISA on active directory startup errors

http://www.ISAserver.org
-------------------------------------------------------
  
 Hi there,

Im currently in the process of bringing an Active Directory Server 2003
environment online (my first) to replace our existing windows NT network
(to which our ISA2004 server is currently attached and working fine,
last ISA install I did was 2 years ago).

At the moment I've got 1 Domain Controller running AD, DNS and WINS, to
that I have a Server 2003 (sp1) ISA2004 (sp2) as a member of the domain
(not a controller).

I have a caching only DNS server installed on the ISA server system
using our isp dns servers as forwarders and internal dns points to the
dc. DC dns uses isa system as a forwarder.

Before I installed the ISA software on the server the server would log
on fine with no error messages appearing in the system and application
logs.

After installing ISA2004 I get a set of error messages in the
Application log and the System log, which (upon chasing thru kb
articles) look to be dns or rpc communication failure.

System events: 
5783 The session setup to the Windows NT or Windows 2000 Domain
Controller \\DC1-Reflections.reflections.loc for the domain REFLECTIONS
is not responsive.  The current RPC call from Netlogon on
\\ISA-REFLECTIONS to \\DC1-Reflections.reflections.loc has been
cancelled
 
5719 This computer was not able to set up a secure session with a domain
controller in domain REFLECTIONS due to the following: 
The remote procedure call was cancelled.  
This may lead to authentication problems. Make sure that this computer
is connected to the network. If the problem persists, please contact
your domain administrator.  

7 The kerberos subsystem encountered a PAC verification failure.  This
indicates that the PAC from the client ISA-REFLECTIONS$ in realm
REFLECTIONS.LOC had a PAC which failed to verify or was modified.
Contact your system administrator.

Application events: 

1097 Windows cannot find the machine account, No authority could be
contacted for authentication. .

1030. Windows cannot query for the list of Group Policy objects. Check
the event log for possible messages previously logged by the policy
engine that describes the reason for this.


Despite the presence of these errors when rebooted, the system does seem
to have joined the domain fine, creating new rules and user groups I can
browse the directory ok. The errors don't appear when I just log off and
on again, it only seems to occur on boot up, no errors on the DC end
either (that I can see anyway, probably looking in the wrong place!).

I've compared the ISA server to the NT based ISA and I cant see any
differences with the system policies, but being new to AD im not sure if
they should be different or not.

With this being my first Active Directory enviroment beyond one isolated
server and it being 2 years since I installed ISA2004 last, I'm not sure
I'm looking at this the right way at the moment, so any pointers or
hints people can throw my way so I can figure it out I'd be most
grateful.

At the moment I'm thinking that the systems trying to log on to the
domain before the ISA server has finished starting up, so its kicking
the initial domain requests, hence relogging on doesn't generate the
events. /me stabs dark repeatedly.


Any pointers and tips are more than welcome, any more information
required and I'll try and get it to help clear this up.

Paul

------------------------------------------------------
List Archives: http://www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx

Other related posts: