RE: ISA 2004 REPORT FAILURE

Registry key is as you have noted, so did not change
and still receive the event.

Update on Restart procedure.
performed steps 1 to 6
machine restarted ok
NETOWRK SERVICES Permissions remained
Received a service failed to load message
on inspecting services list the microsoft firewall service failed to load

Events in the application log was as follows

Event id 14127
The web proxy filter could not initialise
Error code 505.112.4.0.2165.594

Event id 14060
Cannot load an application filter Web Proxy Filter
4CB7513E-220E-4C20-815A-1367BAA295FF4
FilterInit fail with error code 0x80070005

Evenit id 14001
Firewall service failed to initilize

only way to start firewall was to reapply ISA 2004 SP2
this stopped ISA server related services
copied new files
registered modules
started services
started ISA server related services
and finished

Still had to manually start the firewall, POP3, Exchange routing engine,
SMTP and WWW publishing services, but these started with no problems

Machine is now back to state before restart with
all services ok, all system running fine until the next
morning when i expect ISA reports will fail
due to NETWORK SERVICES missing on folders
Have not restarted server since.

Your thougts on this ?

Thanks
Chris

""Crina Li"" wrote:

Hi Chris,

Thanks for your update.

Based on my research, 1704 SceCli may occur if the registry information
regarding Group Policy refresh has been set inappropriately. Please
perform the following steps:

1. Open Registry Editor.
2. Locate to the following key:

HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83
A}

3. Modify the Value MaxNoGPOListChangesInterval to 3c0

This is the default value and it will reset "forced policy" re-application
to 16 hours (960 minutes).

For more detailed information regarding this value, please refer to the
following KB article:

277543 How to delay security policies from being applied
http://support.microsoft.com/?id=277543

Thanks for your time and I look forward to hearing from you.

Best regards,

Crina Li (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Thread-Topic: ISA 2004 REPORT FAILURE
| thread-index: AcbWv5kgOULIoqppRMa8KeZCf+M36A==
| X-WBNR-Posting-Host: 165.228.6.71
| From: =?Utf-8?B?Q2hyaXM=?= <Chris@xxxxxxxxxxxxxxxxxxxxxxxxx>
| References: <FF4294D7-2EF1-40CA-81FA-E9CB39034A78@xxxxxxxxxxxxx>
<ILUZLSj0GHA.4548@xxxxxxxxxxxxxxxxxxxxx>
<07BEA69F-B40E-48D3-AE5B-0ED4C159E081@xxxxxxxxxxxxx>
<RNDvMux0GHA.4220@xxxxxxxxxxxxxxxxxxxxx>
<6A9614B3-A043-4BAB-910A-841342CBDAD6@xxxxxxxxxxxxx>
<E656A05E-0C97-41F8-9AA8-DDFD556C1D43@xxxxxxxxxxxxx>
<8gyZBeV1GHA.4280@xxxxxxxxxxxxxxxxxxxxx>
<8E1EAD7C-1659-4705-A8F4-04082878759E@xxxxxxxxxxxxx>
| Subject: RE: ISA 2004 REPORT FAILURE
| Date: Tue, 12 Sep 2006 16:03:02 -0700
| Lines: 332
| Message-ID: <152F6CA4-140E-409E-AD45-D2133110A214@xxxxxxxxxxxxx>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
| Newsgroups: microsoft.public.windows.server.sbs
| Path: TK2MSFTNGXA01.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:297095
| NNTP-Posting-Host: TK2MSFTNGXA01.phx.gbl 10.40.2.250
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| Have not had a spare moment yet to cycle the server
| to test your options, but planning to do so in the next
| few days.
|
| Thought id pass on a few observations.
|
| Reset the NETWORK SERVICES permissions before leaving
| work last night, check remotly on the server at about 10pm
| and they were still there. This morning permissions were
| missing again.
|
| Checked the application event log and the only log entry
| of any interest between 10pm and 8am was an event 1704 SceCli
| stating Security policy in the Group policy objects as been applied
| successfully
| all other events between 10pm and 8am were normal stuff
|
| apparently policies get updated on reboot, that is why i guess
| you want me to do a clean reboot to see if the permissions change.
|
| Again as the small business server is used constantly will try asap
| to confirm above following the steps outlided by yoursef.
|
| would be interesting to know if my above observations indicate
| something that may help resolve problem.
|
| thanks.
|
| Chris
|
| "Chris" wrote:
|
| > Thanks again for the quick reply,
| > When I add back the NETWORK SERVICES permissions
| > to the folders, they stay until the next morning, at which
| > time the ISA reports fail because the permissions have
| > been removed. The only thing running at night is
| > backup exec from a member server, backing up the
| > exchange and the whole small business server.
| >
| > I will find some down time for the server and try steps 1 - 6
| > to see if the permissions remain after the reboot and
| > advise.
| >
| > thanks for the info
| >
| > Regards
| > Chris
| >
| > ""Crina Li"" wrote:
| >
| > > Hi Chris,
| > >
| > > Thanks for your update.
| > >
| > > Do you mean Network Services will be removed for c:\Program
files\Microsoft
| > > ISA Server folder? After you adding it again, does it still disappear?
| > >
| > > As for the unknown SID S-1-5-32-547, it is the SID for "Power Users"
group.
| > > This group only exists on member servers and workstations' local SAM
| > > database. After you upgrade the computer to a domain controller, it
will
| > > show as unknown SID.
| > >
| > > As for the missing of Network Services, please try to perform a clean
boot
| > > on SBS to see how thing goes:
| > >
| > > 1. Click Start, click Run, and then in the Open box, type "MSCONFIG"
| > > (without the quotation marks). Click OK.
| > > 2. In the System Configuration Utility (MSConfig) window, click to
select
| > > the Selective Startup button.
| > > 3. Click to clear the check mark from the "Load startup items" below
| > > Selective Startup.
| > > 4. Click the Services tab, click to check the "Hide All Microsoft
Services"
| > > box, and remove all the check marks from the remained Non-Microsoft
| > > Services. Please note that the Exchange services could be marked as
| > > non-Microsoft. Please do not disable those services.
| > > 5. Click OK to close the MSConfig window. Click Yes when you are
asked to
| > > restart your computer in order to enable the changes.
| > > 6. After restarting, please check whether this issue will reoccur.
| > >
| > > Related information:
| > >
| > > 827016 Local Service and other well-known security principals do not
appear
| > > on your Windows Server 2003 domain controller
| > > http://support.microsoft.com/default.aspx?scid=kb;EN-US;827016
| > >
| > > I appreciate your time and look forward to hearing from you.
| > >
| > > Best regards,
| > >
| > > Crina Li (MSFT)
| > >
| > > Microsoft CSS Online Newsgroup Support
| > >
| > > Get Secure! - www.microsoft.com/security
| > >
| > > =====================================================
| > > This newsgroup only focuses on SBS technical issues. If you have
issues
| > > regarding other Microsoft products, you'd better post in the
corresponding
| > > newsgroups so that they can be resolved in an efficient and timely
manner.
| > > You can locate the newsgroup here:
| > > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
| > >
| > > When opening a new thread via the web interface, we recommend you
check the
| > > "Notify me of replies" box to receive e-mail notifications when there
are
| > > any updates in your thread. When responding to posts via your
newsreader,
| > > please "Reply to Group" so that others may learn and benefit from
your
| > > issue.
| > >
| > > Microsoft engineers can only focus on one issue per thread. Although
we
| > > provide other information for your reference, we recommend you post
| > > different incidents in different threads to keep the thread clean. In
doing
| > > so, it will ensure your issues are resolved in a timely manner.
| > >
| > > For urgent issues, you may want to contact Microsoft CSS directly.
Please
| > > check http://support.microsoft.com for regional support phone numbers.
| > >
| > > Any input or comments in this thread are highly appreciated.
| > >
| > > =====================================================
| > >
| > > This posting is provided "AS IS" with no warranties, and confers no
rights.
| > > --------------------
| > > | Thread-Topic: ISA 2004 REPORT FAILURE
| > > | thread-index: AcbVJrMO6v8XNTBySmCE+bNfsz0HbA==
| > > | X-WBNR-Posting-Host: 165.228.6.71
| > > | From: =?Utf-8?B?Q2hyaXM=?= <Chris@xxxxxxxxxxxxxxxxxxxxxxxxx>
| > > | References: <FF4294D7-2EF1-40CA-81FA-E9CB39034A78@xxxxxxxxxxxxx>
| > > <ILUZLSj0GHA.4548@xxxxxxxxxxxxxxxxxxxxx>
| > > <07BEA69F-B40E-48D3-AE5B-0ED4C159E081@xxxxxxxxxxxxx>
| > > <RNDvMux0GHA.4220@xxxxxxxxxxxxxxxxxxxxx>
| > > <6A9614B3-A043-4BAB-910A-841342CBDAD6@xxxxxxxxxxxxx>
| > > | Subject: RE: ISA 2004 REPORT FAILURE
| > > | Date: Sun, 10 Sep 2006 15:16:01 -0700
| > > | Lines: 321
| > > | Message-ID: <E656A05E-0C97-41F8-9AA8-DDFD556C1D43@xxxxxxxxxxxxx>
| > > | MIME-Version: 1.0
| > > | Content-Type: text/plain;
| > > | charset="Utf-8"
| > > | Content-Transfer-Encoding: 7bit
| > > | X-Newsreader: Microsoft CDO for Windows 2000
| > > | Content-Class: urn:content-classes:message
| > > | Importance: normal
| > > | Priority: normal
| > > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
| > > | Newsgroups: microsoft.public.windows.server.sbs
| > > | Path: TK2MSFTNGXA01.phx.gbl
| > > | Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.windows.server.sbs:296551
| > > | NNTP-Posting-Host: TK2MSFTNGXA01.phx.gbl 10.40.2.250
| > > | X-Tomcat-NG: microsoft.public.windows.server.sbs
| > > |
| > > | Update after week end,
| > > | think I have found the problem
| > > | The NETWORK SERVICES permissions are missing
| > > | from the ISA folders.
| > > |
| > > | this is very strange as I specifically set NETWORK SERVICES
| > > | permissions from the program files root directory
| > > | before the week end.
| > > |
| > > | When I turn up Monday they have been removed by the system !!
| > > | and I have a S-1-5-32-547 user that was not there before
| > > |
| > > | Once NETWORK SERVICES permissions are set all is well
| > > | What could possibly be removing it and where does this
| > > | S-1-5-32-547 come from, solve this and the mystery is revelaed
| > > |
| > > | thanks.
| > > | Chris
| > > |
| > > | "Chris" wrote:
| > > |
| > > | > Just as an update, I have noticed that the log directories
| > > | > receive their user information from the directories above
| > > | > I had a probem removing the unknown user from the log
| > > | > directories.
| > > | >
| > > | > I went to the program files root directory, removed the
| > > | > unknown user and added network services to this directory
| > > | > therefore putting it to all directories below
| > > | >
| > > | > and guess what report publishing started to work fine
| > > | >
| > > | > I am going to check overnight and the week end to see
| > > | > if the report publishing stays enabled and if so well thats great
| > > | >
.