Problems with new TMG 2010 install - No connectivity


  • Thursday, April 05, 2012 4:16 PM

    I've searched the forums and read all the suggested threads the forum reader listed as "questions similar to yours", but I simply cannot get TMG 2010 working properly.  I've followed guides and ran all the initial configuration wizards, but nothing seems to help.

    To begin, let me point out that this is on a Xen 6.0 server.  I've tried presenting two vNICs to it, but now am down to one (Internal), per several install guides that say to get one NIC up and running, then add/configure the 2nd.

    To compound matters, I'm getting the 'forever boot' issues with the TMG-associated services not starting in a timely manner.  I've set them to delayed start, ran the "sc" config to set dependencies, etc... again, nothing helps.  Currently, I'm running on Win2k8 SP2, as many have indicated the "16 minute boot" is a problem with Win2k8 R2 only.

    At any rate, I have absolutely zero domain connectivity.  I can ping the TMG server, and the server can ping out... including the internet (i.e. resolve and ping google.com).  I have any number of error messages (listed below) that you would associate with a lack of domain connectivity.  Once TMG is done installing, nothing works.  I have edited the System Policy to allow Terminal Services... but still cannot RDP in.  I am using the XenCenter console to work on the server. I have also checked the "Authentication Services", which were enabled by default.  I did, however, untick the "Enforce strict RPC compliance" box, which didn't help.

    I can ping anything inside the network all day long (even though I never specifically enabled ping).

    Can anyone help??

    Here are the network settings:

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : TMG
       Primary Dns Suffix  . . . . . . . : domain.com
       Node Type . . . . . . . . . . . . : Mixed
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : domain.com

    Ethernet adapter Internal:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Citrix PV Ethernet Adapter #0
       Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.1.105(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 192.168.1.101
                                           192.168.1.103
       NetBIOS over Tcpip. . . . . . . . : Enabled

    **EDIT**
    List of error messages:

    System Log:
    Event 1055: The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one or more of the following:
    a) Name Resolution failure on the current domain controller.
    b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller)

    Event 1053: The processing of Group Policy failed. Windows could not resolve the user name. This could be caused by one or more of the following:
    a) Name Resolution failure on the current domain controller.
    b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller)

    Event 5719: This computer was not able to set up a secure session with a domain controller in domain xxxxxx due to the following:
    The RPC server is unavailable.
    This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.

    Event 1067: The terminal server cannot register "TERMSRV" Service Principal Name to be used for server authentication. The following error occurred: The RPC server is unavailable.

    Event 40960: The Security System detected an authentication error for the server DNS/dc1.xxxxxxx.com. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request."

    Event 1129: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed.

    Event 10154: The WinRM service failed to create the following SPNs: WSMAN/TMG.domain.com; WSMAN/TMG.

    Event 130: NtpClient was unable to set a domain peer to use as a time source because of a failure in establishing a trust relationship between this computer and the 'domain.com' domain in order to securely synchronize time.


All Replies

  • Thursday, April 05, 2012 5:04 PM

    ** Updated with error messages from system log **
    • Edited by Cabuzzi Thursday, April 05, 2012 5:04 PM
  • Thursday, April 05, 2012 5:24 PM

    Just to add... as with 2008 R2, this seems to be some sort of issue with the TMG services themselves.  They appear to run, but don't seem to be doing their jobs.

    If I go to the TMG Dashboard, "Firewall" is stopped under "Services".  The Windows Firewall shows "started" under the computer's services, but "Microsoft Forefront TMG Firewall" is stuck on "Starting".

    I've tried restarting the "TMG Control" services (which restarts the rest), but it times out with "Windows could not stop the Microsoft Forefront Control service on TMG. Error 1053: The service did not respond to the start or control request in a timely fashion".

    **EDIT**
    I was able to restart the services.  They took awhile, but eventually came back up.  It still seems as if there is no connectivity.  I also get the error:

    Event ID 21257: Configuration changes made may result in loss of connectivity to the configuration storage server TMG.domain.com and cannot be applied. This alert is caused by a failure to connect to the Domain Controller. 

    • Edited by Cabuzzi Thursday, April 05, 2012 5:35 PM
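    The two posts above describe the symptom set (ping works in both directions, but Kerberos and RPC to the domain controllers fail with Events 5719, 40960 and 1129, the configuration storage server raises Event 21257, and "Microsoft Forefront TMG Firewall" sits in "Starting") without any check beyond ping. The following PowerShell triage script is an added example, not code from the thread, from Microsoft or from Citrix. It assumes PowerShell 2.0 or later on the TMG host (the thread's Windows Server 2008 SP2 box), so it uses nslookup, WMI and .NET sockets rather than the newer Resolve-DnsName and Test-NetConnection cmdlets. The domain name and the two DNS server addresses are taken from the ipconfig output above and are placeholders; that those DNS servers are also the domain controllers, the "Microsoft Forefront TMG*" service display-name prefix, and TCP 2171 as the configuration storage (AD LDS) LDAP port are assumed defaults.

```powershell
# Added example (not from the thread): DC reachability and TMG service triage.
# Assumes PowerShell 2.0+ on the TMG host. Domain and DC addresses are placeholders
# taken from the ipconfig output in the thread.

$Domain = 'domain.com'
$Dcs    = @('192.168.1.101', '192.168.1.103')   # DNS servers from ipconfig; assumed to be the DCs

# Ports a domain member needs on a DC. The dynamic RPC range (49152-65535 on
# Server 2008) is not probed; 135 open but 5719 still logged points at that range.
$DcPorts = @(53, 88, 135, 389, 445, 464, 3268)

function Test-TcpPort {
    # TCP connect probe with a timeout; ICMP succeeding says nothing about these ports.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $iar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $iar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($iar)        # throws if the connection was refused/reset
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-DcSrvHosts {
    # DC locator depends on this SRV record; Events 1055/1129 follow when it fails.
    param([string]$Domain)
    & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>$null |
        ForEach-Object { if ($_ -match 'svr hostname\s*=\s*(\S+)') { $Matches[1] } }
}

Write-Host '== Default gateway per adapter (ipconfig above showed none on Internal) =='
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { '{0}: gateway = {1}' -f $_.Description, ($_.DefaultIPGateway -join ',') }

Write-Host "== DC SRV records for $Domain =="
$srv = @(Get-DcSrvHosts -Domain $Domain)
if ($srv.Count -eq 0) {
    Write-Host '  no _ldap._tcp.dc._msdcs answer: DNS or DC locator problem'
} else {
    $srv | ForEach-Object { "  $_" }
}

Write-Host '== DC service ports (ping alone proves nothing: ICMP is not RPC/Kerberos) =='
foreach ($dc in $Dcs) {
    foreach ($port in $DcPorts) {
        $ok = Test-TcpPort -ComputerName $dc -Port $port
        '{0,-16} {1,5} {2}' -f $dc, $port, $(if ($ok) { 'open' } else { 'BLOCKED/closed' })
    }
}

Write-Host '== TMG services (Event 21257 / firewall service stuck in Starting) =='
Get-Service -DisplayName 'Microsoft Forefront TMG*' |
    ForEach-Object { '{0,-45} {1}' -f $_.DisplayName, $_.Status }

# Configuration storage server is this host in Standard Edition; 2171 is assumed
# to be its default LDAP port. Event 21257 with this closed means the storage
# service itself is the problem, not the network.
$stg = Test-TcpPort -ComputerName 'localhost' -Port 2171
'Config storage LDAP 2171 on localhost: ' + $(if ($stg) { 'open' } else { 'not listening' })
```

    Run it from an elevated console on the TMG host. The interesting result is the combination: SRV records resolve and ping works, yet 88/135/389/445 show BLOCKED while the TMG Firewall service is not yet Running. That pattern says the host's own packet filter (TMG before its firewall service finishes starting), not the LAN, is dropping the DC traffic, which is exactly what a stuck service on a misbehaving paravirtual NIC driver would produce.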
  • Friday, April 06, 2012 9:34 PM

    Anyone??
  • Saturday, April 07, 2012 4:39 PM
    Moderator

    Hi,

    Thank you for the post.

    What is the TMG version? If you run the TMG BPA to check the settings, is there any hint?

    Regards,


    Nick Gu - MSFT

  • Monday, April 09, 2012 10:35 AM


    I believe this is somehow connected with latest xenserver tools release.

    I'm running a XenServer 6.0 pool and recently upgraded all nodes to version 6.0.2. As a result, all my guest VMs started to ask for a XenServer Tools upgrade.

    I have upgraded some guests successfully, but with my virtual TMG 2010 I've had no luck, with exactly the same symptoms as yours - VM takes forever to boot/logon, cannot connect to TMG via RDP, cannot use TMG as a proxy. The same errors in the logs regarding group policy processing.

    I restored the TMG system partition from the backup (with XenTools 6.0 installed) and TMG returned to normal operation. Then I tried to upgrade the tools once again, just in case the first time some side issue prevented the tools from installing properly. Again, no luck.

    For now I'm stuck with the current (6.0) XenTools version until someone comes up with a proper XenTools upgrade path on virtual TMG 2010.

  • Friday, May 04, 2012 5:09 AM


    Our TMG 2010 VM running on W2K8R2 Standard Server has been stuck on XenTools 5.6 for over a year now.

    All other VMs are running the latest XenTools (6.0.2) but I haven't been able to upgrade the TMG 2010 server's XenTools version as it always has the same problems as the above post (VM takes forever to boot/logon, cannot connect to TMG via RDP, cannot use TMG as a proxy) after a XenTools upgrade. Every time a new XenServer version upgrade is released, I try upgrading XenTools on this VM again.

    I make sure I've taken a snapshot of the VM first, upgrade XenTools, and then have to revert back to the snapshot when TMG 2010 (inevitably) fails to work.

    Not a very helpful post but just wanted to add my experience to the mix in the hope that this is resolved.

  • Saturday, May 12, 2012 2:51 AM


    a.klimkin and miccsm:

    Thank you both for your replies.  For whatever reason, I did not get any notifications, so I missed them until today.

    Since I upgraded all my Xen hosts long before I attempted to install TMG, I had never experienced a working virtualized install.

    I took an unused physical machine (a pretty good one, too) and installed TMG on it the same exact way I had been installing it, over and over, in my virtualized environment. Absolutely no problems. I don't get it, but I can only guess it has something to do with the virtualized networking in XenServer, or as you say, with the XenTools themselves.

    I guess this box will be my TMG machine for now.  What a bummer. All that time wasted...

  • Saturday, May 12, 2012 6:43 PM

    I guess my next question is, are you able to run a TMG VM in a XenServer 6.0 environment if you install a later version (5.6) of XenTools?