[isalist] Re: "Domain Controllers" in ISA 2004

  • From: "Ball, Dan" <DBall@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 8 Mar 2007 10:42:32 -0500

Man, I wish I had known that a year ago, when we were experiencing the
exact problem described!

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Wednesday, March 07, 2007 4:32 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: "Domain Controllers" in ISA 2004

 

Rob-

 

The "domain controllers" list is a built-in, non-user-changeable object
that is populated during installation time by the ISA server polling AD
for existing domain controllers.  The default system DNS system policy
is set to use the domain controllers object.

 

Just create your own Domain Controllers object (like "DC's" or
something) and populate that with the actual DC's.  Then remove the
"Domain Controllers" object from the System Policy and replace it with
your "DC's" object (and anywhere else you use that object) and life will
return to normal.

 

t

        ----- Original Message ----- 

        From: Rob Moore <mailto:RMoore@xxxxxxxx>  

        To: isalist@xxxxxxxxxxxxx 

        Sent: Wednesday, March 07, 2007 10:38 AM

        Subject: [isalist] Re: "Domain Controllers" in ISA 2004

         

        The ISA server is, indeed, a DNS server. I'm looking at The Book
and it does, indeed, say that the external interface should have NO DNS
entry. I'm not sure how the internal IP address of the ISA server got in
there. I suppose I must have put it in there, but I don't remember doing
it. Anyway, it's out now.

         

        Rob

         

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
        Sent: Wednesday, March 07, 2007 1:10 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: "Domain Controllers" in ISA 2004

         

        Is the ISA server a DNS server, too?

         

        If not, I would think you'd want to specify the DNS server IP
addresses on the NIC that resides on the same network as your DCs. It
would probably be a good idea to remove them from the other NIC.

         

        Cordially yours,

        Jerry G. Young II

        Application Engineer, Platform Engineering and Architecture

        NTT America, an NTT Communications Company

         

        22451 Shaw Rd.

        Sterling, VA 20166

         

        Office: 571-434-1319

        Fax: 703-333-6749

        Email: g.young@xxxxxxxx

         

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Rob Moore
        Sent: Wednesday, March 07, 2007 11:51 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: "Domain Controllers" in ISA 2004

         

        Yes to both of your AD questions. The ISA server points only to
itself (the internal address) on both NICs. 

         

        Rob

         

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
        Sent: Wednesday, March 07, 2007 11:12 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: "Domain Controllers" in ISA 2004

         

        Rob,

         

        Are sites configured in Active Directory and do you have subnets
defined for the sites in Active Directory?  You'll also want to check
your NIC configuration for DNS servers on the ISA box(es).  Are those
settings up to date?

         

        Cordially yours,

        Jerry G. Young II

        Application Engineer, Platform Engineering and Architecture

        NTT America, an NTT Communications Company

         

        22451 Shaw Rd.

        Sterling, VA 20166

         

        Office: 571-434-1319

        Fax: 703-333-6749

        Email: g.young@xxxxxxxx

         

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Rob Moore
        Sent: Tuesday, March 06, 2007 9:57 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: RE: [isalist] Re: "Domain Controllers" in ISA 2004

         

        Here's what I'm experiencing. We have somewheres around 15 DCs
in the domain. Two of them are on the local subnet. I recently retired
one of the two local DCs. Then I noticed that our Internet connection
got real slow--mainly a delay of, say, 20 seconds before a page would
load. I started poking around with DNS. If I changed the WAN card on the
firewall to point at an external DNS server, the web sped up a bunch.
But you probably know that this isn't a good arrangement and pretty soon
thereafter we got other problems happening. So I pointed DNS on the WAN
card back to the LAN address on the firewall. The other problems went
away but slow access came back. So I poked around on the firewall a bit
and found that Domain Controllers computer set. I noticed that the list
in there was out of date, and both of the DCs on the local domain that
were in that list are now retired. So I'm guessing (maybe incorrectly)
that that somehow bears on this problem--like maybe the ISA server is
now trying to talk to DCs on remote subnets since it can't find the two
DCs on the local subnet. So I was hoping if I could edit that computer
set I could make the problem go away.

         

        Anyway, that's what's happening. Maybe I'm way off base? Any
suggestions?

         

        Rob

         

        
________________________________


        From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thomas W Shinder
        Sent: Tue 3/6/2007 3:54 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: "Domain Controllers" in ISA 2004

        http://www.ISAserver.org <http://www.isaserver.org/> 
        -------------------------------------------------------
         
        The domain controllers computer set is one of the great mysteries of the
        ISA firewall. You won't find any documentation about it and many will
        deny its existence. Never bring it up in polite company.
        
        Thomas W Shinder, M.D.
        Site: www.isaserver.org
        Blog: http://blogs.isaserver.org/shinder/
        Book: http://tinyurl.com/3xqb7
        MVP -- Microsoft Firewalls (ISA)
        
        
        
        > -----Original Message-----
        > From: isalist-bounce@xxxxxxxxxxxxx
        > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Rob Moore
        > Sent: Tuesday, March 06, 2007 1:23 PM
        > To: isalist@xxxxxxxxxxxxx
        > Subject: [isalist] Re: "Domain Controllers" in ISA 2004
        >
        > Can this field not be edited? Is the ISA server supposed to pick up the
        > DCs automatically? What's the mechanism for that? Is there something in
        > my configuration that's not allowing this to happen?
        >
        > Thanks,
        > Rob
        >
        > -----Original Message-----
        > From: Rob Moore
        > Sent: Tuesday, March 06, 2007 1:18 PM
        > To: 'isalist@xxxxxxxxxxxxx'
        > Subject: RE: [isalist] Re: "Domain Controllers" in ISA 2004
        >
        > I have a stand-alone Standard edition server. I was trying to edit it
        > from the ISA 2004 console.
        >
        > Rob
        >
        > -----Original Message-----
        > From: isalist-bounce@xxxxxxxxxxxxx
        > [mailto:isalist-bounce@xxxxxxxxxxxxx]
        > On Behalf Of Jim Harrison
        > Sent: Tuesday, March 06, 2007 12:55 PM
        > To: isalist@xxxxxxxxxxxxx
        > Subject: [isalist] Re: "Domain Controllers" in ISA 2004
        >
        > Where are you editing from; array or enterprise level?
        >
        > -----Original Message-----
        > From: isalist-bounce@xxxxxxxxxxxxx
        > [mailto:isalist-bounce@xxxxxxxxxxxxx]
        > On Behalf Of Rob Moore
        > Sent: Tuesday, March 06, 2007 9:10 AM
        > To: isalist@xxxxxxxxxxxxx
        > Subject: [isalist] "Domain Controllers" in ISA 2004
        >
        > I have a Computer Set in my ISA 2004 called "Domain Controllers." The
        > list is inaccurate, and I think it's starting to cause us some trouble.
        > But I can't seem to edit it. How do I make changes to it?
        >
        > Thanks,
        >
        > Rob
        >
        > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
        >
        > Rob Moore
        >
        > Network Manager
        >
        > 215-241-7870
        >
        > Help Desk: 800-500-AFSC
        >
        >
        > All mail to and from this domain is GFI-scanned.
        >
        > ------------------------------------------------------
        > List Archives: //www.freelists.org/archives/isalist/ 
        > ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
        > ISA Server Articles and Tutorials:
        > http://www.isaserver.org/articles_tutorials/
        > ISA Server Blogs: http://blogs.isaserver.org/
        > ------------------------------------------------------
        > Visit TechGenix.com for more information about our other
sites:
        > http://www.techgenix.com <http://www.techgenix.com/> 
        > ------------------------------------------------------
        > To unsubscribe visit
http://www.isaserver.org/pages/isalist.asp
        > Report abuse to listadmin@xxxxxxxxxxxxx