Microsoft KB Archive/282035

= Unable to control ISA If LAT configuration prevents access to Domain Controller =

Article ID: 282035

Article Last Modified on 1/15/2006


APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2000 Standard Edition




This article was previously published under Q282035



SYMPTOMS
When you use an array-mode installation of an Internet Security and Acceleration Server (ISA) Enterprise Edition-based computer, and you accidentally configure the local address table (LAT) so that only the external interfaces are included, the internal network becomes the external side of ISA. When this occurs, it is impossible for the array to query Active Directory for the array configuration, and the ISA Server Control service (ISACTRL) does not start. The user interface of the local ISA Management Microsoft Management Console (MMC) does not display the current configuration, and you cannot correct the LAT from any array member in this array.

The following error messages are generated when you try to connect to the array in ISA Management:

ISA Error

The operation Failed

Failed to connect!

Error 0x8007203a

Details:

The server is not operational.

The following events will also be logged:

Event Type: Error

Event Source: Service Control Manager

Event Category: None

Event ID: 7023

Date:

Time:

User: N/A

Computer:

Description:

The Microsoft Firewall service terminated with the following error:

The server is not operational.

Event Type: Error

Event Source: Service Control Manager

Event Category: None

Event ID: 7024

Date:

Time:

User: N/A

Computer:

Description:

The Microsoft Web Proxy service terminated with service-specific error 2147950650.

Event Type: Error

Event Source: Microsoft ISA Server Control

Event Category: None

Event ID: 11009

Date:

Time:

User: N/A

Computer:

Description:

Microsoft ISA Server Control failed to start. The storage of the current array {99FFAA22-EB44-4E00-9A3B-7B3109423FD4} (or server {B9AD9D18-AC68-47BA-A51A-D4012498BDBA}) could not be accessed during Service initialization. The error code in the event viewer indicates the source of the failure. Use the source location 1.1044.3.0.1200.50 to report the failure. If your server is a stand-alone ISA Server, try to restore the ISA Server configuration, otherwise, check the connectivity to domain controller (DC), and the DNS configuration.The error description is: The server is not operational.

NOTE: The globally unique identifiers (GUIDs) that are shown above may differ on your system.

Data:

0000: 3a 20 07 80 : .?

Event Type: Error

Event Source: Microsoft ISA report generator

Event Category: None

Event ID: 12012

Date:

Time:

User: N/A

Computer:

Description:

The action to create ISA array members list failed. The error code in the Data area of the event properties indicates the cause of the failure. The error description is: The directory service is unavailable.

Data:

0000: 0f 20 07 80. .?

Event Type: Warning

Event Source: Microsoft ISA Server Control

Event Category: None

Event ID: 13110

Date:

Time:

User: N/A

Computer:

Description:

ISA Server snapin failed to retrieve the arrays list since connection to Global Catalog could not be established. It will next try to retrieve the arrays information from current domain. Check your Active Directory configuration, DNS settings and ensure that the 'Net Logon' service is started.
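The error values in the messages and events above appear in three notations: a hexadecimal HRESULT (0x8007203a), a decimal service-specific error (2147950650), and little-endian bytes in the event Data field (3a 20 07 80, 0f 20 07 80). The following added example, which is not part of the original article or Microsoft's code, normalises all three and shows that they reduce to two Win32 directory-service codes. The function names are illustrative, and the symbolic names ERROR_DS_SERVER_DOWN and ERROR_DS_UNAVAILABLE are taken from the Win32 error headers rather than from this article.

```python
import struct

FACILITY_WIN32 = 7  # HRESULT facility used for wrapped Win32 error codes

# Win32 codes whose descriptions are quoted in the events above.
# The symbolic names are an assumption taken from the Win32 headers.
WIN32_NAMES = {
    0x203A: "ERROR_DS_SERVER_DOWN: The server is not operational.",
    0x200F: "ERROR_DS_UNAVAILABLE: The directory service is unavailable.",
}

def normalise(text):
    """Return a 32-bit value from '0x...' hex, decimal, or event Data bytes."""
    text = text.strip()
    if text.lower().startswith("0x"):
        return int(text, 16) & 0xFFFFFFFF
    if " " in text:
        # Event Data is a little-endian DWORD: '3a 20 07 80' -> 0x8007203a
        raw = bytes.fromhex(text.replace(" ", ""))
        return struct.unpack("<I", raw[:4])[0]
    return int(text) & 0xFFFFFFFF

def decode_hresult(value):
    """Split an HRESULT into failure bit, facility and 16-bit code."""
    facility = (value >> 16) & 0x7FF
    code = value & 0xFFFF
    if facility == FACILITY_WIN32:
        name = WIN32_NAMES.get(code, "Win32 code not in this table")
    else:
        name = "not a wrapped Win32 error"
    return {"hresult": f"0x{value:08x}", "failed": bool(value >> 31),
            "facility": facility, "code": code, "name": name}

# Values exactly as they appear in the article.
SAMPLES = ["0x8007203a", "2147950650", "3a 20 07 80", "0f 20 07 80"]

if __name__ == "__main__":
    for sample in SAMPLES:
        info = decode_hresult(normalise(sample))
        print(f"{sample:>12} -> {info['hresult']} code {info['code']} {info['name']}")
```

Both codes come from the directory-service range, which is consistent with the services failing on their Active Directory lookup rather than on a local fault.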



CAUSE
The LAT was not configured properly: it includes the external IP addresses instead of the internal IP address ranges. This effectively disconnects ISA from the internal network and from Active Directory, which ISA must be able to reach because its configuration is stored there (Enterprise Edition installed in Active Directory mode). Because ISA cannot reach Active Directory, it cannot determine its configuration and is unable to start.



RESOLUTION
To fix the LAT, use another computer or ISA array that is running the ISA Management user interface. If none is available, you can install the ISA Management tool on a Windows 2000 computer that is connected to the domain.

When you have this set up, use the Connect to shortcut menu from the root node of the ISA Management MMC, and specify the array that you want to manage. This allows you to read that array's configuration, which is stored in Active Directory. You can now change the LAT to the correct value. Note that the construct LAT option is not available in this remote administration mode.

After you have corrected the LAT information, you can restart the ISA servers in the affected array, and they should all start without any ISA-related problems.

Detailed Steps

 * 1) Open ISA Administrator, and then right-click Internet Security and Acceleration Server 2000.
 * 2) Click the specified remote computer, type the array that you want to manage, and then expand the array name.
 * 3) Double-click Network Configuration, and then double-click Local Address Table.
 * 4) On the right panel, double-click the IP address range.
 * 5) Change the IP address range from an external IP address range to an internal IP address range, and then restart ISA services.
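A corrected LAT can be checked against the condition described under CAUSE before the ISA services are restarted. The following added example is not part of the original article and is not an ISA Server tool: it takes the LAT as from/to address ranges and reports any external interface that falls inside it and any internal interface or domain controller that falls outside it. The function names and all addresses are constructed for illustration.

```python
import ipaddress

def in_lat(lat, addr):
    """True if addr falls inside any (from, to) range of the LAT."""
    ip = ipaddress.ip_address(addr)
    return any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
               for lo, hi in lat)

def check_lat(lat, internal_nics, external_nics, domain_controllers):
    """Return a list of findings; an empty list means the LAT is consistent."""
    findings = []
    for lo, hi in lat:
        if ipaddress.ip_address(lo) > ipaddress.ip_address(hi):
            findings.append(f"range {lo}-{hi} is reversed")
    for ip in external_nics:
        if in_lat(lat, ip):
            findings.append(f"external interface {ip} is inside the LAT")
    for ip in internal_nics:
        if not in_lat(lat, ip):
            findings.append(f"internal interface {ip} is outside the LAT")
    for ip in domain_controllers:
        if not in_lat(lat, ip):
            findings.append(f"domain controller {ip} is outside the LAT; "
                            "ISA treats it as external")
    return findings

# Constructed sample data (not from the article).
INTERNAL_NICS = ["10.0.0.1"]
EXTERNAL_NICS = ["203.0.113.10"]
DOMAIN_CONTROLLERS = ["10.0.0.5"]

# The misconfiguration from the article: only the external range is listed.
BROKEN_LAT = [("203.0.113.0", "203.0.113.255")]
# The corrected table: the internal range only.
FIXED_LAT = [("10.0.0.0", "10.255.255.255")]

if __name__ == "__main__":
    for label, lat in (("broken", BROKEN_LAT), ("fixed", FIXED_LAT)):
        result = check_lat(lat, INTERNAL_NICS, EXTERNAL_NICS, DOMAIN_CONTROLLERS)
        print(label, "->", result or "no findings")
```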

Keywords: kberrmsg kbprb KB282035


© Microsoft Corporation. All rights reserved.