ISA Server Error
- From: Smurfman <smurfman@xxxxxxxxxxxxxx>
- Date: Thu, 17 Aug 2006 06:36:02 -0700
I am getting this error anytime that I attempt to view the dashboard or make
a change in ISA 2004...
"Refresh Failed"
"You do not have the necessary permissions to perform this action."
Yet the user is a domain admin that is logged into the machine...I can't
even monitor the logs, make a rule change or anything.
I have these entries in the Event log, and I have a feeling that I have
configured something in the firewall that is not allowing my server to get
authenticated or synchronized with my other servers.
(To understand what I am attempting: I have built two new machines to
eventually replace two older machines. DC_1 is an old W2K Domain Controller,
and is being replaced with DC_2 a new W2K3 R2 server. I have already built
this machine, made it a DC in the forest, installed DNS (AD integrated), but
have not moved the Global Catalog, or demoted the old server or moved any of
the roles to the new DC_2. This new server seems to be replicating just fine
with the others....
ISA_1 is also being replaced (ISA2000 on W2K) with a new W2K3 R2 server with
ISA 2004 (ISA_2). In my model the old ISA_1 server served as a backup DC and
in our small network this has worked just fine for the past 5 years. Having
said that, I converted my new ISA_2 server to a DC, but noted that
replication was not working properly, the ISA logs were showing deny entries
for "RPC (all interfaces)" dropping on my all access rule, that was specific
to Administrators and the local System and Network groups. Administrators
was a group I defined as my DOMAIN\Domain Admins built in account, and a
couple of other specific users. Using the Sonar tool to monitor replication,
the servers were finally talking but I am getting an error with the Sonar
tool - DataCollectionState failed with a DataCollectionError of SCM. I do
not know what this is telling me.)
My ISA_2 server is pointing to my new DC_2 server for DNS.
From the ISA_2 server, running AD Sites and Services, I note that the new
DC_2 server has 3 NTDS entries (connections to the other 3 DCs), my old DC_1
server only has 2 NTDS connections (1 to ISA_1 and 1 to DC_2). My ISA_2
server only has 2 connections (1 to DC_2 and 1 to ISA_1), and finally ISA_1
has 3 connections (1 to ISA_2, 1 to DC_1, and 1 to DC_2).
While the connection is present, an attempt to replicate to ISA_2 from ISA_1
results in this error:
"The following error occurred during the attempt to synchronize naming
context DOMAINNAME.com from domain controller ISA_2 to domain controller
ISA_1: The RPC server is unavailable."
"This operation will not continue. This condition may be caused by a DNS
lookup problem. For information about troubleshooting common DNS lookup
problems, please see the following Microsoft Web Site:
http://go.microsoft.com/fwlink/?LinkId=5171"
I know this is a long post, but the more info I suppose the better. Much
appreciated.
J
Other errors in the event logs are like such...
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date: 8/17/2006
Time: 9:08:41 AM
User: NT AUTHORITY\SYSTEM
Computer: ISA_2
Description:
Windows cannot query for the list of Group Policy objects. Check the event
log for possible messages previously logged by the policy engine that
describes the reason for this.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: Microsoft Firewall
Event Category: None
Event ID: 21137
Date: 8/17/2006
Time: 8:53:08 AM
User: N/A
Computer: ISA_2
Description:
The connectivity verifier "DNS" reported an error when trying to connect to
DC_2.DOMAINNAME.com.
Reason: The request has timed out.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 8/16/2006
Time: 4:17:21 PM
User: N/A
Computer: ISA_2
Description:
The Security System detected an authentication error for the server
ldap/isa_2.DOMAINNAME.COM. The failure code from authentication protocol
Kerberos was "There are currently no logon servers available to service the
logon request.
(0xc000005e)".
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 5e 00 00 c0 ^..À
Event Type: Warning
Event Source: DnsApi
Event Category: None
Event ID: 11164
Date: 8/16/2006
Time: 4:17:35 PM
User: N/A
Computer: ISA_2
Description:
The system failed to register host (A) resource records (RRs) for network
adapter
with settings:
Adapter Name : {706E8886-34B6-45E5-B9BB-BB957122E48F}
Host Name : isa_2
Primary Domain Suffix : DOMAINNAME.COM
DNS server list :
192.168.1.19
Sent update to server : <?>
IP Address(es) :
192.168.1.18
The reason the system could not register these RRs was because either (a)
the DNS server does not support the DNS dynamic update protocol, or (b) the
authoritative zone for the specified DNS domain name does not accept dynamic
updates.
To register the DNS host (A) resource records using the specific DNS domain
name and IP addresses for this adapter, contact your DNS server or network
systems administrator.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: b4 05 00 00 ´...