
Thursday, October 28, 2010

Setup failed to install ADAM.\r\n

When installing TMG\UAG you receive the error "Setup failed to install ADAM.\r\n". When you view the ISAADAM_INSTALL_XXX setup log file you see the error "The trust relationship between this workstation and the primary domain failed." In this case the issue was that the dynamic RPC port range was not allowed from the DMZ where TMG was installed to the DCs in the internal back-office network.

Ensure you have the following ports open from UAG to the DCs in the internal network.

LDAP ports: 389, 636 (TCP)

Global catalog ports: 3268, 3269 (TCP)

RPC services: 1025-5000 (TCP) (I restricted the range on the DCs to 49152 - 49407)

RPC portmapper listener: 135 (TCP)

RPC in NT 4.0: 139 (TCP)

Kerberos exchanges: 88 (TCP, UDP)

If the firewall isn't the issue, it could be related to domain policy restrictions.
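To confirm the firewall path before re-running setup, the following script (an added example, not part of the original post) checks the ports listed above from the UAG/TMG host to each internal DC. It uses System.Net.Sockets.TcpClient so it runs on PowerShell 2.0 / Windows Server 2008 R2, which lack Test-NetConnection; the DC names and the RPC range are placeholders to adjust.

```powershell
# Added example (not from the original post). Run on the UAG/TMG host.
# DC names and the RPC range below are placeholders for your environment.
$DomainControllers = @('dc1.corp.example', 'dc2.corp.example')   # placeholders
$RpcStart = 49152   # restricted dynamic RPC range configured on the DCs, e.g. with
$RpcEnd   = 49407   # netsh int ipv4 set dynamicport tcp start=49152 num=256

# Fixed TCP ports required from UAG/TMG to the DCs. UDP 88 is not tested here:
# a TCP connect cannot show whether a UDP port is allowed through the firewall.
$FixedPorts = @{
    'LDAP'                = @(389, 636)
    'Global catalog'      = @(3268, 3269)
    'RPC endpoint mapper' = @(135)
    'RPC (NT 4.0 style)'  = @(139)
    'Kerberos (TCP)'      = @(88)
}

# Returns 'open', 'closed' (a RST came back, so the path is allowed but nothing is
# listening) or 'filtered' (no answer within the timeout, typical of a firewall drop).
function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'filtered' }
        $client.EndConnect($ar)     # throws SocketException when the port is refused
        return 'open'
    } catch { return 'closed' } finally { $client.Close() }
}

foreach ($dc in $DomainControllers) {
    foreach ($service in $FixedPorts.Keys) {
        foreach ($port in $FixedPorts[$service]) {
            $state = Test-TcpPort $dc $port
            "{0,-22} {1,-20} {2,5}/tcp  {3}" -f $dc, $service, $port, $state
        }
    }
    # Dynamic RPC range: these ports are bound on demand, so 'closed' is normal here.
    # 'filtered' means the range is not allowed from the DMZ, which is exactly what
    # produces the trust relationship error in the ADAM setup log.
    $filtered = @()
    foreach ($port in $RpcStart..$RpcEnd) {
        if ((Test-TcpPort $dc $port 1000) -eq 'filtered') { $filtered += $port }
    }
    $total = $RpcEnd - $RpcStart + 1
    "{0,-22} RPC range {1}-{2}: {3} of {4} ports filtered" -f $dc, $RpcStart, $RpcEnd, $filtered.Count, $total
}
```

The range sweep is sequential, so a fully blocked range takes a few minutes per DC; any 'filtered' result on the fixed ports or the RPC range points back to the firewall rule set rather than to domain policy.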

Troubleshooting ERROR: Setup failed to install ADAM.\r\n (0x80074e46) and 0x80070643 while trying to install TMG 2010

James Chong (MVP)
Security+, Project+, ITIL

Monday, October 25, 2010

RDP Remote Desktop Configuring Remote Session UAG

When remoting to a Windows 2008 box you get a login prompt, but after supplying credentials you get stuck at "Configuring Remote Session". You notice that logging in with a local account on the server works fine but domain accounts do not.

The issue was caused by two DNS records. If the server has multiple NICs, as proxy or UAG\TMG servers do, and all NICs register in DNS, RDP does not work. Ensure that you uncheck "Register this connection's addresses in DNS" in the NIC properties.

James Chong (MVP)
Security+, Project+, ITIL

Monday, October 18, 2010

Exchange 2007: 501 5.1.3 Invalid address Short Name Rcpt SMTP address

Summary: Application servers relaying through Exchange get the NDR 501 5.1.3 Invalid address.

When viewing the SMTP logs on the Exchange server or packet captures, you see the short name being used instead of the fully qualified SMTP address.

mail from:
rcpt to: user

Should be rcpt to:

Servers should specify the fully qualified SMTP address, but some do not. Examples include scanners, listservs and CommuniGate Pro.

Resolution: Set the DefaultDomain parameter on the receive connector.

Set-ReceiveConnector "nameofconnector" -DefaultDomain <domain to append>

This appends the domain when applications use the short name rather than the fully qualified SMTP address.

James Chong (MVP)
Security+, Project+, ITIL
MS Exchange Tips: October 2010