Troubleshooting installation issues of ISA server 2006 in work group Scenario-part1- error code 0x8007203a

  • Article

After discussing the installation of the ISA server 2006 in work group scenario. I am starting the installation issues of isa server 2006 enterprise edition in workgroup scenario.

Let us assume we have two servers with windows 2003 sp2 and we will have CSS on one and firewall services on both of them exactly as per my post on the installation of isa server in workgroup scenario.

But let say when we are about to join the second node Isaserver2.contoso.com into the array then we get error " Connection to specified Configuration storage could not be established"  with error code 0x8007203a Error description= The server is not operational.

CSS server not reachable

 

Then Best thing to do is to check the steps mentioned in my article, has anyone of those steps been skipped or missed while installation,

 if not sure then

1. You can use a tool called ldp that comes along with windows support tools, install windows support tools on Isaserver2.contoso.com  and then open ldp and connect to  Isaserver1.contoso.com (i.e. css server) on port 2172  check the box that say ssl . If this test fails then try to connect on port 2171 without ssl. If this test fails then we can rule out the possiblity of certificates causing the issue and focus more towards the connectivity between the two nodes.

2. While checking the connectivity, we can start with name resolution. We can start with pinging the Isaserver1.contoso.com from the Isaserver2.contoso.com and see if name gets resolved to the IP address of  Isaserver1.contoso.com. In above scenario, I removed the entry in host file  for Isaserver1.contoso.com on Isaserver2.contoso.com so  I got host name not found as result of the ping. So after putting this entry back in the host file Isaserver2.contoso.com was able to resolve the name of Isaserver1.contoso.com and was able to connect to CSS server and I was able to join the node to array and complete its installation. In variation to this sometimes its also possible that name resolution is working but connectivity between the two nodes is missing. Then we have to follow different appraoch altogether to get the connectivity back and then move on( would talk about the connectivity variation on a different post).

3.  There are situations when you are able to connect using ldp on port 2171 from Isaserver2.contoso.com but you are not able to connect using port 2172 with ssl. In that case repeat the ldp connect steps from the CSS server i.e.  Isaserver1.contoso.com to itself and see if you can connect using port 2172 with ssl .If yes then the server authetication certificate is correct and ssl part is functional ,if not then issue could be related to the certificates. . Things that you would like to check regarding the certificates on the CSS server are:

a. Check the server authentication certificate first.

b. To whom this certificate is issued  and does it match the name of the CSS server i.e. is it issued to Isaserver1.contoso.com?

c. Is this certificate expired? what's the validity period for this certificate?

d. Does this certificate have the private key?

e. Who is the Issuing Certificate Authority?

f. Then check the certificate of the  Issuing Certificate Authority and its validity period.

There are variations to this issue depending upon which component got missing or was not configured as required will discuss that either by adding on to this post or by creating a new one. Till Then

Take care guys

Suraj singh