Unable to control ISA If LAT configuration prevents access to Domain Controller (282035)
The information in this article applies to:
- Microsoft Internet Security and Acceleration Server 2000
This article was previously published under Q282035

SYMPTOMS

When you use an array-mode installation of an Internet Security and
Acceleration Server (ISA) Enterprise Edition-based computer, and you
accidentally configure the local address table (LAT) so that only the
external interfaces are included, the internal network becomes the external
side of ISA. When this occurs, it is impossible for the array to query Active
Directory for the array configuration, and the ISA Server Control service
(ISACTRL) does not start. The user interface of the local ISA Management
Microsoft Management Console (MMC) does not display the current configuration,
and you cannot correct the LAT from any array member in this array.

The following error messages are generated when you try to connect to the
array in ISA Management:

ISA Error
The operation Failed
Failed to connect! Error 0x8007203a
Details:
The server is not operational.

The following events will also be logged:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Date: <date>
Time: <time>
User: N/A
Computer: <computername>
Description: The Microsoft Firewall service terminated with the following
error: The server is not operational.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7024
Date: <date>
Time: <time>
User: N/A
Computer: <computername>
Description: The Microsoft Web Proxy service terminated with
service-specific error 2147950650.

Event Type: Error
Event Source: Microsoft ISA Server Control
Event Category: None
Event ID: 11009
Date: <date>
Time: <time>
User: N/A
Computer: <computername>
Description: Microsoft ISA Server Control failed to start. The storage of
the current array {99FFAA22-EB44-4E00-9A3B-7B3109423FD4} (or server
{B9AD9D18-AC68-47BA-A51A-D4012498BDBA}) could not be accessed during Service
initialization. The error code in the event viewer indicates the source of the
failure. Use the source location 1.1044.3.0.1200.50 to report the failure. If
your server is a stand-alone ISA Server, try to restore the ISA Server
configuration, otherwise, check the connectivity to domain controller (DC), and
the DNS configuration. The error description is: The server is not operational.
NOTE: The global universal identifications (GUIDs) that are specified
above may not be the same.
Data:
0000: 3a 20 07 80    : .?

Event Type: Error
Event Source: Microsoft ISA report generator
Event Category: None
Event ID: 12012
Date: <date>
Time: <time>
User: N/A
Computer: <computername>
Description: The action to create ISA array members list failed. The error
code in the Data area of the event properties indicates the cause of the
failure. The error description is: The directory service is unavailable.
Data:
0000: 0f 20 07 80    . .?

Event Type: Warning
Event Source: Microsoft ISA Server Control
Event Category: None
Event ID: 13110
Date: <date>
Time: <time>
User: N/A
Computer: <computername>
Description: ISA Server snapin failed to retrieve the arrays list since
connection to Global Catalog could not be established. It will next try to
retrieve the arrays information from current domain. Check your Active
Directory configuration, DNS settings and ensure that the 'Net Logon' service
is started.

CAUSE

The LAT was not configured properly, and it includes the
external IP addresses instead of the internal IP address ranges. This
effectively disconnects ISA from the internal network, and Active Directory, to
which ISA must have access because its configuration is stored in Active
Directory (Enterprise version installed in Active Directory mode). Being unable
to reach Active Directory, ISA cannot determine its configuration, and is
unable to start.

RESOLUTION

To fix the LAT, you need to get to another computer, or ISA array, that is
running the ISA Management user interface. If none are available, you can
install the ISA Management tool on a Windows 2000 computer that is connected
to the domain. When you have this set up, use the Connect to shortcut menu
from the root node of the ISA Management MMC, and specify the array that you
want to manage. This allows you to read that array's configuration, which is
stored in Active Directory. You can now change the LAT to the correct value.
Note that the Construct LAT option is not available in this remote
administration mode.

After you have corrected the LAT information, you can restart the ISA servers
in the affected array, and they should all start without any ISA-related
problems.

Detailed Steps

- Open ISA Administrator, and then right-click
Internet Security and Acceleration Server 2000.
- Click the specified remote computer, type the array that
you want to manage, and then expand the array name.
- Double-click Network Configuration, and then double-click Local Address Table.
- On the right panel, double-click the IP address
range.
- Change the IP address range from an external IP address
range to an internal IP address range, and then restart ISA
services.
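
Added example (not part of the original article and not Microsoft tooling): a
Python check to run against a proposed LAT before entering it in ISA
Management. It flags the condition described under CAUSE, where an external
interface address is inside the LAT or a domain controller falls outside it.
All addresses and names below are constructed sample values.

```python
import ipaddress


def parse_range(entry):
    """Parse a LAT entry written as 'from-to' into two IPv4Address objects."""
    start, end = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-"))
    if start > end:
        raise ValueError(f"range start is after range end: {entry}")
    return start, end


def in_lat(addr, lat):
    """True if addr falls inside any parsed LAT range (bounds inclusive)."""
    ip = ipaddress.IPv4Address(addr)
    return any(lo <= ip <= hi for lo, hi in lat)


def check_lat(lat_entries, external_ips, dc_ips):
    """Return a list of findings; an empty list means both checks pass."""
    lat = [parse_range(e) for e in lat_entries]
    findings = []
    # External interface addresses must never be treated as internal.
    for ip in external_ips:
        if in_lat(ip, lat):
            findings.append(f"external interface {ip} is inside the LAT")
    # Every domain controller must be internal, or the array cannot read
    # its configuration from Active Directory.
    for ip in dc_ips:
        if not in_lat(ip, lat):
            findings.append(f"domain controller {ip} is not covered by the LAT")
    return findings


# Constructed sample data (documentation and private ranges, not from the article).
EXTERNAL_IPS = ["203.0.113.10"]
DC_IPS = ["10.0.0.5", "10.0.1.5"]
BROKEN_LAT = ["203.0.113.0-203.0.113.255"]  # external range entered by mistake
FIXED_LAT = ["10.0.0.0-10.0.255.255"]       # internal range covering both DCs

if __name__ == "__main__":
    for name, lat in (("broken", BROKEN_LAT), ("fixed", FIXED_LAT)):
        findings = check_lat(lat, EXTERNAL_IPS, DC_IPS)
        print(f"{name} LAT:", "OK" if not findings else f"{len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

A LAT that is internal but too narrow is also reported: any domain controller
outside the listed ranges appears as "not covered".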

Modification Type: Minor
Last Reviewed: 1/15/2006
Keywords: kberrmsg kbprb KB282035