Server 2012 DirectAccess DNS
-
Thursday, December 13, 2012 8:39 PM
I’m having a DNS issue on my Server 2012 DA setup. The server has 2 NICs: 1 internal and 1 external. I think I have almost everything configured properly (all the check marks are green on the Remote Access server console) and the client looks good as well.
From a client (Win 7), under firewall, Monitoring, Connection Security Rules, I see 4 different entries: ClientToCorp, ClientToDNS64NAT64PrefixExemption, ClientToInfra, and ClientToLnaExempt. Also, under Security Associations, Main Mode I see 2 entries and under Quick Mode I see 5 entries. This indicates to me that the tunnel is working and ‘netsh interface httpstunnel show interfaces’ shows the tunnel as active. I can ping the private IPv6 address of the DA server, the Tunnel adapter IPHTTPSInterface IPv6 address, the Tunnel adapter isatap.{GUID} IPv6 address (which has the private IPv4 address at the end), and the Tunnel adapter 6TO4 adapter IPv6 address.
However, if I try nslookup -q=aaaa example.my.domain {DA IPHTTPSInterface IPv6 address, 6TO6 IPv6 address, or the isatap IPv6 address} none of these work. If I sniff on the DA server while I issue these commands I see them come in, but nothing goes out to the DNS server that I have specified on the DNS server configuration page of the DA server.
I can’t connect to any internal resources.
Any thoughts?
All Replies
-
Thursday, December 13, 2012 11:46 PM Moderator
You need to point nslookup to the IPv6 address of the DA server using the server [IPv6 Address] command. Once configured you should then be able to use queries...
Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
-
Thursday, December 13, 2012 11:50 PM Moderator
P.S. You can get the [IPv6 Address] value from the NRPT table by using the netsh name show policy command; it will be under the DirectAccess (DNS Servers) setting.
Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
-
Thursday, December 13, 2012 11:50 PM Moderator
Under Main Mode, do you see any references to Kerberos or just NTLM?
Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
-
Friday, December 14, 2012 6:44 PM
Hi Jason,
Thanks for your response. I thought issuing nslookup from the command line as I indicated above would accomplish the same thing. Step 5 in this MS article indicates that: http://technet.microsoft.com/en-us/library/ee844142(v=ws.10).aspx. However, I did try and got the same results:
PS C:\Windows\system32> nslookup
Default Server: google-public-dns-a.google.com
Address: 8.8.8.8
> server 2002:8008:760a:3333::1
Default Server: [2002:8008:760a:3333::1]
Address: 2002:8008:760a:3333::1
> host.example.com
Server: [2002:8008:760a:3333::1]
Address: 2002:8008:760a:3333::1
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to [2002:8008:760a:3333::1] timed-out
Perhaps something is wrong with my NRPT settings. Do I need an entry for certificate authority for .example.com? If so, how do I fix this? The cert for IPHTTPS tunnel is issued from digicert.
PS C:\Windows\system32> netsh namespace show policy
DNS Name Resolution Policy Table Settings
Settings for .example.com
----------------------------------------------------------------------
Certification authority :
DNSSEC (Validation) : disabled
DNSSEC (IPsec) : disabled
DirectAccess (DNS Servers) : 2002:8008:760a:3333::1
DirectAccess (IPsec) : disabled
DirectAccess (Proxy Settings) : Bypass proxy
Settings for directaccess.example.com
----------------------------------------------------------------------
Certification authority :
DNSSEC (Validation) : disabled
DNSSEC (IPsec) : disabled
DirectAccess (DNS Servers) :
DirectAccess (IPsec) : disabled
DirectAccess (Proxy Settings) : Use default browser settings
Settings for DirectAccess-NLS.example.com
----------------------------------------------------------------------
Certification authority :
DNSSEC (Validation) : disabled
DNSSEC (IPsec) : disabled
DirectAccess (DNS Servers) :
DirectAccess (IPsec) : disabled
DirectAccess (Proxy Settings) : Use default browser settings
Under Main Mode I see ‘User (Kerberos V5)’ and ‘User (NTLMv2)’ as the 2nd authentication methods for the 2 entries.
-
Friday, December 14, 2012 9:11 PM
Hi,
Is there any chance that you have migrated from a UAG setup with ISATAP or modified the IPv6 range used in the setup for some reason?
There is an issue that if you change the internal IPv6 range for your setup (like you have to do if you migrate from FF UAG to WS2012/URA) the DNS64 addresses change in the NRPT rules but the corresponding rules in the Windows Firewall are not updated with the correct addresses.
The simplest way is to check the firewall rules manually, or you can see a PowerShell example here (search for "firewall"): http://technet.microsoft.com/en-us/library/hh831643
Jonas Blom | Relevo AB | http://blog.nrpt.se
-
Friday, December 14, 2012 10:40 PM
Thanks again for responding. I have been banging my head on this for a few weeks now.
No, I know I didn’t migrate from UAG and I am fairly certain that I didn’t modify the IPv6 range used in the setup. Although I did have some initial trouble in setting this up because we route our public space IPs (which could reach our DCs) and had to initially set up a firewall rule that blocked access from the public IP to the internal address space. I have since disabled this rule and changed our routing to not allow passage back of this public IP to the internal subnet that the DCs are on (NLA now correctly designates the public IP as Public network whereas before it designated it as Domain network).
I have to say I find it curious that the IPv6 address that is specified as the ‘DirectAccess (DNS Servers)’ belongs to the internal network adapter of the DA server, not the external one (as I would expect). Is this correct? Shouldn’t this be the IPv6 address on the external adapter? Perhaps I am missing something about the magic of DA and the IPSec tunnel it creates.
I checked the firewall rules and they look correct. For inbound I have ‘Domain Name Server (TCP-In)’ and ‘Domain Name Server (UDP-In)’ enabled for all profiles. However, the scope is for the 2002:8008:760a:3333::1 which belongs to the private interface. For outbound I have the UDP rule enabled for any IP address. I have also checked the firewall rules and do not see any dropped packets destined for port 53 logged recently.
Even on the DA server if I try to nslookup, set the server to 2002:8008:760a:3333::1, and resolve something that I know has a resolvable IPv6 address it doesn’t work. It immediately says it can’t find it, no response from server. I’ve also tried sniffing while doing this and see no packets going out to a DNS server.
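The question above is whether the address in the NRPT ‘DirectAccess (DNS Servers)’ setting and the scope of the built-in ‘Domain Name Server’ inbound rules line up. As an added example (not part of this thread and not a Microsoft tool), here is a PowerShell check that runs on the DA server and reports, for each of those two rules, whether its local-address scope admits that address. The address is the one posted in this thread; the rule display names are the Windows defaults named in the post; the NetSecurity cmdlets used exist on Server 2012 and later.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the DA server.
# Compares the DNS64 address that clients target (NRPT "DirectAccess (DNS Servers)")
# with the local-address scope of the inbound DNS firewall rules on the server.

$Dns64Address = '2002:8008:760a:3333::1'      # value from the NRPT output in this thread; replace with yours
$RuleNames    = 'Domain Name Server (TCP-In)', 'Domain Name Server (UDP-In)'

function Get-DnsRuleScope {
    param(
        [string[]] $DisplayName,
        [string]   $ExpectedAddress
    )
    foreach ($rule in Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction Stop) {
        $addr = $rule | Get-NetFirewallAddressFilter
        $port = $rule | Get-NetFirewallPortFilter

        # Normalise: a single host may be stored with a /32 or /128 suffix.
        $local  = @($addr.LocalAddress)  | ForEach-Object { $_ -replace '/(32|128)$', '' }
        $remote = @($addr.RemoteAddress) | ForEach-Object { $_ -replace '/(32|128)$', '' }

        # The rule reaches the DNS64 listener only if its local scope is Any or includes that address.
        $coversDns64 = ($local -contains 'Any') -or ($local -contains $ExpectedAddress)

        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Enabled       = $rule.Enabled
            Profiles      = $rule.Profile
            Protocol      = $port.Protocol
            LocalPort     = (@($port.LocalPort) -join ',')
            LocalAddress  = ($local  -join ', ')
            RemoteAddress = ($remote -join ', ')
            CoversDns64   = $coversDns64
        }
    }
}

$report = Get-DnsRuleScope -DisplayName $RuleNames -ExpectedAddress $Dns64Address
$report | Format-Table -AutoSize

# Flag the rules that would silently drop client queries sent to the DNS64 address.
$report | Where-Object { (-not $_.CoversDns64) -or ($_.Enabled -ne 'True') } | ForEach-Object {
    Write-Warning "$($_.Rule): scope '$($_.LocalAddress)' / Enabled=$($_.Enabled) does not admit $Dns64Address"
}
```

Check both rules, not just one: TCP is used for any answer that does not fit in a UDP datagram, so a scope mismatch on either rule shows up as intermittent failures. If a rule's scope is a stale address rather than the one in the NRPT, the narrower fix is to put the current DNS64 address into the scope; widening the local scope to Any on an internet-facing DA server means the port-53 listener accepts queries arriving on every interface and address, including the external one. On Server 2012 the RemoteAccess module's Get-DAClientDnsConfiguration lists the NRPT entries with their DNS server address, which is a way to obtain $Dns64Address on the server itself instead of copying it from a client.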
-
Saturday, December 15, 2012 8:44 PM
Hi again,
Then at least that possible issue is ruled out.
If you're not able to query the DNS server using nslookup, have you checked that the IP Helper service is running and that it is actually listening on port 53 on your DA server?
(A way to check that it is listening could be to run netstat -anb | more in an elevated command prompt and check that something is listening on :53)
Jonas Blom | Relevo AB | http://blog.nrpt.se
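The check suggested above (IP Helper running, something bound to port 53) can be scripted so it can be rerun after every change. The following PowerShell is an added example, not from this thread or from Microsoft; it assumes the service name iphlpsvc, parses netstat -ano output (which the thread already uses in its -anb form), and resolves the owning PID back to service names because several services share one svchost.exe.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the DA server.
# Checks that the IP Helper service (iphlpsvc, which provides the DirectAccess DNS64 listener)
# is running and lists whatever is bound to port 53, with the owning process and service names.

function Test-DirectAccessDnsListener {
    param([int] $Port = 53)

    $svc = Get-Service -Name iphlpsvc -ErrorAction Stop

    # netstat -ano is parsed instead of Get-NetTCPConnection so the same code works on every
    # supported build; its columns are: Proto, Local Address, Foreign Address, [State], PID.
    $listeners = foreach ($line in (netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' })) {
        $f      = -split $line
        $proto  = $f[0]
        $local  = $f[1]
        $procId = [int] $f[-1]

        if ($local -notmatch ":$Port$") { continue }                  # e.g. [::]:53, 0.0.0.0:53, [2002:...::1]:53
        if ($proto -eq 'TCP' -and $f[3] -ne 'LISTENING') { continue }  # ignore established TCP sessions

        $proc     = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $procName = if ($proc) { $proc.ProcessName } else { '<exited>' }
        $services = Get-CimInstance Win32_Service -Filter "ProcessId = $procId" |
                        Select-Object -ExpandProperty Name

        [pscustomobject]@{
            Protocol     = $proto
            LocalAddress = $local
            ProcessId    = $procId
            Process      = $procName
            Services     = ($services -join ', ')
        }
    }

    $startMode = (Get-CimInstance Win32_Service -Filter "Name = 'iphlpsvc'").StartMode

    [pscustomobject]@{
        IpHelperStatus    = $svc.Status
        IpHelperStartType = $startMode
        Port53Listeners   = @($listeners)
        # True when the port-53 socket belongs to the svchost instance hosting iphlpsvc.
        Dns64Bound        = [bool] ($listeners | Where-Object { $_.Services -match 'iphlpsvc' })
    }
}

$status = Test-DirectAccessDnsListener
$status | Format-List IpHelperStatus, IpHelperStartType, Dns64Bound
$status.Port53Listeners | Format-Table -AutoSize
```

A listener owned by a different service (for example the DNS Server role installed on the same box) is as much a problem as no listener at all, which is why the output names the services behind the PID rather than only reporting that port 53 is open.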
-
Sunday, December 16, 2012 9:41 PM
Yes:
Can not obtain ownership information
UDP [::]:53 *:*
iphlpsvc
I made a change to the ‘Domain Name Server (TCP-In)’ Inbound firewall rule to change the scope from the 2002 IPv6 address to any. Now nslookup on the DA server works:
PS C:\Users\admin> nslookup -q=aaaa host.example.com 2002:8008:760a:3333::1
Server: UnKnown
Address: 2002:8008:760a:3333::1
Non-authoritative answer:
Name: host.example.com
Address: fd26:aa50:bf05:7777::c0a8:4b11
However it still does not work from the client. If I sniff on the DA server I see chatter between the client and the server but see a query go for the record I was looking for.
I'm thinking of reinstalling but I really want to figure this out. I'm new to DA and want to build up a knowledge set before I put this into production so I can properly troubleshoot in the future should the need arise. Any other ideas? It seems to be a firewall issue? Should I post screen shots of my firewall rules? Or is there a better way?
-
Monday, December 17, 2012 8:12 PM
Did you modify both the TCP and UDP firewall rules?
Enable logging in Windows Firewall for both allowed and dropped packets and see if you see anything strange related to the DNS service.
The problem with screenshots is that it will most likely require a lot of separate screenshots since you have so many views.
It is probably better if you upload an NCA/DCA logfile from a client along with HTML output from the client and server GPOs (put it on skydrive for example so you can remove it later)
Jonas Blom | Relevo AB | http://blog.nrpt.se
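The logging step above (allowed and dropped packets, then look for DNS traffic) is the kind of thing worth scripting. The block below is an added example, not from this thread or from Microsoft: it enables logging on all three profiles with Set-NetFirewallProfile, then parses pfirewall.log for entries where either port is 53 and groups them by action and direction. The log path is the Windows default; the sample lines embedded at the end are constructed (the client and internal addresses are invented) so the parser can be exercised even where the log is empty.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the DA server.
# Step 1: turn on Windows Firewall logging of allowed and dropped packets for every profile.
# Step 2: pull the port-53 entries out of the log so DNS64 traffic can be traced end to end.

$LogFile = Join-Path $env:SystemRoot 'System32\LogFiles\Firewall\pfirewall.log'   # Windows default

Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogAllowed True -LogBlocked True -LogFileName $LogFile -LogMaxSizeKilobytes 16384

function Get-FirewallLogDnsEntries {
    param(
        [string[]] $Lines,        # raw pfirewall.log lines
        [int]      $Port = 53
    )
    # pfirewall.log field order (declared in the file's #Fields header):
    # date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
    foreach ($line in $Lines) {
        if ($line -match '^#' -or -not $line.Trim()) { continue }   # skip header and blank lines
        $f = -split $line
        if ($f.Count -lt 8) { continue }
        if ($f[6] -ne "$Port" -and $f[7] -ne "$Port") { continue }  # keep only DNS on either side
        [pscustomobject]@{
            Time      = "$($f[0]) $($f[1])"
            Action    = $f[2]
            Protocol  = $f[3]
            Source    = "$($f[4]) port $($f[6])"
            Dest      = "$($f[5]) port $($f[7])"
            Direction = $f[-1]    # RECEIVE = client query arriving; SEND = forwarded query leaving
        }
    }
}

# Constructed sample lines (not real log data) used only when the log has not been written yet.
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2012-12-17 20:12:01 DROP UDP 2002:8008:760a:1000::5 2002:8008:760a:3333::1 51234 53 72 - - - - - - - RECEIVE
2012-12-17 20:12:03 ALLOW UDP 2002:8008:760a:1000::5 2002:8008:760a:3333::1 51235 53 72 - - - - - - - RECEIVE
2012-12-17 20:12:03 ALLOW UDP 192.168.75.10 192.168.75.2 61001 53 64 - - - - - - - SEND
2012-12-17 20:12:04 ALLOW TCP 2002:8008:760a:1000::5 2002:8008:760a:3333::1 51236 443 52 S 0 0 8192 - - - RECEIVE
'@ -split "`r?`n"

$lines = if (Test-Path $LogFile) { Get-Content $LogFile } else { $SampleLog }

$entries = @(Get-FirewallLogDnsEntries -Lines $lines)
$entries | Format-Table Time, Action, Protocol, Source, Dest, Direction -AutoSize

# Summary: a DNS64 round trip should show a RECEIVE from the client and a SEND to the internal DNS.
$entries | Group-Object Action, Direction | Select-Object Name, Count | Format-Table -AutoSize

$entries | Where-Object { $_.Action -eq 'DROP' } | ForEach-Object {
    Write-Warning "dropped DNS packet: $($_.Source) -> $($_.Dest) ($($_.Protocol), $($_.Direction))"
}
```

Reading the two halves together is the point: a client query that is logged as RECEIVE with no matching SEND to the internal DNS server localizes the problem to the DA server itself (listener or inbound rule), while a SEND with no reply points at routing or the internal DNS. Logging allowed packets grows the file quickly on a busy server, so turn LogAllowed back to False once the capture is done.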