Unable to control ISA If LAT configuration prevents access to Domain Controller (282035)


The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2000
This article was previously published under Q282035

SYMPTOMS

When you use an array-mode installation of an Internet Security and Acceleration Server (ISA) Enterprise Edition-based computer, and you accidentally configure the local address table (LAT) so that only the external interfaces are included, the internal network becomes the external side of ISA. When this occurs, it is impossible for the array to query Active Directory for the array configuration, and the ISA Server Control service (ISACTRL) does not start. The user interface of the local ISA Management Microsoft Management Console (MMC) does not display the current configuration, and you cannot correct the LAT from any array member in this array.
The following error messages are generated when you try to connect to the array in the ISA Management:
ISA Error
The operation Failed
Failed to connect!
Error 0x8007203a

Details:
The server is not operational.

The following events will also be logged:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Date: <date>
Time: <time>
User: N/A
Computer: <computername> Description:
The Microsoft Firewall service terminated with the following error:
The server is not operational.
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7024
Date: <date>
Time: <time>
User: N/A
Computer: <computername> Description: The Microsoft Web Proxy service terminated with service-specific error 2147950650.
Event Type: Error
Event Source: Microsoft ISA Server Control
Event Category: None
Event ID: 11009
Date: <date>
Time: <time>
User: N/A
Computer: <computername>
Description:
Microsoft ISA Server Control failed to start. The storage of the current array {99FFAA22-EB44-4E00-9A3B-7B3109423FD4} (or server {B9AD9D18-AC68-47BA-A51A-D4012498BDBA}) could not be accessed during Service initialization. The error code in the event viewer indicates the source of the failure. Use the source location 1.1044.3.0.1200.50 to report the failure. If your server is a stand-alone ISA Server, try to restore the ISA Server configuration, otherwise, check the connectivity to domain controller (DC), and the DNS configuration.The error description is: The server is not operational.
NOTE: The global universal identifications (GUIDs) that are specified above may not be the same.
Data:
0000: 3a 20 07 80 : .?

Event Type: Error
Event Source: Microsoft ISA report generator
Event Category: None
Event ID: 12012
Date: <date>
Time: <time>
User: N/A
Computer: <computername>
Description:
The action to create ISA array members list failed. The error code in the Data area of the event properties indicates the cause of the failure. The error description is: The directory service is unavailable.

Data:
0000: 0f 20 07 80 . .?
Event Type: Warning
Event Source: Microsoft ISA Server Control
Event Category: None
Event ID: 13110
Date: <date>
Time: <time>
User: N/A
Computer: <computername>
Description:
ISA Server snapin failed to retrieve the arrays list since connection to Global Catalog could not be established. It will next try to retrieve the arrays information from current domain. Check your Active Directory configuration, DNS settings and ensure that the 'Net Logon' service is started.

CAUSE

The LAT was not configured properly, and it includes the external IP addresses instead of the internal IP address ranges. This effectively disconnects ISA from the internal network, and Active Directory, to which ISA must have access because its configuration is stored in Active Directory (Enterprise version installed in Active Directory mode.) Being unable to reach Active Directory, ISA cannot determine its configuration, and is unable to start.

RESOLUTION

To fix the LAT, you need to get to another computer, or ISA array that is running the ISA Management user interface. If none are available, you can install the ISA Management tool on a Windows 2000 computer that is connected to the domain.

When you have this set up, use the Connect to shortcut menu from the root node of the ISA Management MMC, and specify the array that you want to manage. This allows you to read that array's configuration, which is stored in Active directory. You can now change the LAT to the correct value. Note that the construct LAT option is not available in this remote administration mode.

After you have corrected the LAT information, you can restart the ISA servers in the affected array, and they should all start without any ISA related problems.

Detailed Steps

  1. Open ISA Administrator, and then right-click Internet Security and Acceleration Server 2000.
  2. Click the specified remote computer, type the array that you want to manage, and then expand the array name.
  3. Double-click Network Configuration, and then double-click Local Address Table.
  4. On the right panel, double-click the IP address range.
  5. Change the IP address range from an external IP address range to an internal IP address range, and then restart ISA services.
Modification Type:MinorLast Reviewed:1/15/2006
Keywords:kberrmsg kbprb KB282035
©2004 Microsoft Corporation. All rights reserved.