RWW and IIS Issue

[gmannatl]

I have an SBS 08 server that has been running great for quite a while, and recently the RWW "broke". With some searching I have identified the problem and can fix it. It has to do with the Auth & SSL settings on the RPC and RPCwithClient Virtual Directories in IIS7.

The problem is that the settings continue to revert to the bad settings. I can change them to the correct settings and some time around 30 minutes they will go back. If I try to restart the services they revert immediately.

How can I make the buggers "stick"?!?! I have done a fair amount of searching and can't seem to find the solution.

Thanks in advance for any suggestions.

 

[biglebowski]

Have you checked if there is a GPO that is overriding the changes?

"Anything that’s invented between when you’re fifteen and thirty-five is new and exciting and revolutionary, and you can probably get a career in it.
Anything invented after you’re thirty-five is against the natural order of things."

 

[gmannatl]

I wasn't aware that IIS settings can be configured via GP. ,however I will take a look.

 

[biglebowski]

http://www.symantec.com/connect/articles/basic-iis-lockdown-using-scripts-and-group-policy

"Anything that’s invented between when you’re fifteen and thirty-five is new and exciting and revolutionary, and you can probably get a career in it.
Anything invented after you’re thirty-five is against the natural order of things."

 

[ShackDaddy]

What do the settings seem to be reverting to and what are you setting them to? I'd like to compare them with a working install and make sure that you aren't fixing it in a way different than the default environment, which may be being enforced for some good reasons.

I assume you've already tried the basic Connect and Fix My Network stuff. In SBS 2003 you had the ability to reinstall certain portions of the server, but it's not as easy in SBS 2008.

Another option might be to export the config for those vdirs on a working server and import those configs on this server. Check them with Notepad first to make sure there's nothing server-specific in them as far as naming or GUIDs, since that might be the case.

Dave Shackelford MVP
ThirdTier.net

 

[gmannatl]

I have tried the "fix my network" wizard and it did not resolve the issue. The exact setting I am changing is on the RPC virtual directory. The SSL Cert is being set to "require" instead of "ignore". I know that this needs to be set to ignore a) because it works if I do, and b) it seems to be very well documented in all the SBS forums and blogs, and c) it makes since to ignore the cert here because that is what the RPCwithCert virtual directory is for. In the RPCwithCert the SSL Cert IS required and works properly.

 

[ShackDaddy]

Seems like the thing that's biting you is called DS2MB, and it's a process that copies AD settings to the IIS Metabase in a unidirectional fashion.

There's actually a subdirectory in the metabase hierarchy called DS2MB that holds all the data propagated from AD. The fact that this is happening seems to indicate that somewhere outside of IIS, something has been configured and has settings in AD that are being periodically propagated to IIS via DS2MB.

Sometimes when vdirs are screwy we deleted the DS2MB hierarchy using metabase explorer and the vdirs are automatically recreated after restarting some services (see KB883380), but in your situation, I'm guessing that the vdirs would be recreated with the settings you are trying to get rid of.

This might also be helpful for understanding what's happening:

"IIS 6.0 provides an automatic versioning and history feature by tracking changes to the configuration MetaBase file (MetaBase.xml). This file contains all the configuration settings related to IIS and can be found in the folder <Drive Name>:\Windows\system\inetsrv. Any time a change is made, the metabase history feature automatically keeps track of the changes to the metabase. When the metabase is written to disk, IIS 6.0 marks the new MetaBase.xml file with a version number and saves a copy of the file in the history folder. Each history file is marked with a unique version number, which is then available for rollback or restore. If IIS 6.0 has been running while configuration changes are being made, IIS 6.0 responds to configuration errors by automatically reverting to a previous history file, preventing errors in the configuration metabase from crashing the server."

So it's also possible that some other problem in the config is causing the system to revert back to an earlier version of the config.

Do you have Exchange Rollup 9 loaded and all the latest patches for SBS 2008? If the config problem is actually in a different part of the metabase, that might be "freezing" the metabase in one state and not letting ANY changes be made, not just the ones you are trying to make. You might try making some other minor change to the metabase and watching to see if that reverts back. If so, it would seem like it's a metabase-level problem, not a problem specific to the changes you are trying to make.

Hope this helps bring some clarity here.

Dave Shackelford MVP
ThirdTier.net

 

[gmannatl]

Thanks for the great suggestions, but I have resolved the issue. I actually looked into the DS2MB and learned a little bit. However, the solution was much simpler. In the SBS Web Application folder in IIS the SSL Cert was set to require for the entire site directory. Hence this was propogating down to the RPC Directory! As soon as I changed the setting to ignore on the site root it would stay on the RPC. Since the security settings were already higher (128 bit & Require) on the RPCwithCert this was allowed and worked properly.

 

[asctech]

I am having the exact same issue - the cert stops working.
I have a 3rd party cert, if i go into TS Gateway Manager and install the same valid cert that works for everything else on the network (OWA, autodiscover, etc) - RWW works fine - for 20 minutes. I see in the event viewer
shutting down worker thread and after that - it wont let users get past prompting for password when they click conenct to their PC.
Re-apply the cert - works fine again.
maddening. Please help?

 

[asctech]

Disregard, fixed the issue - go into IIS manager-
Web Applicatinons, RPC virtual directory - security, enable Windows and Form based authentication.
Worked like a charm..