Issue with adding new clients to DirectAccess 2012

    Question

  • Hi,

    We have recently implemented a DirectAccess solution based on Windows 2012. This is all working perfectly for the one client we originally used to test the solution with.

    I am trying to add another Windows 7 Enterprise laptop and have done all the pre-reqs; issued a certificate to it and added it to the DirectAccess Clients group.

    It is not working and DCA is reporting - Your computer is not configured correctly for DirectAccess. IPv6 is not enabled correctly.

    The thing is, I am not sure why this is. I have put the laptop in the same user & computer OUs as the one that works so it will have the same GPOs applied.

    I have checked what I can, but I cannot see why this is happening. I have tried another fresh laptop but with the same results.

    I have had someone else who knows DA run their eyes over the GPRESULTS output and DCA 2.0 logs that have been generated, but nothing jumps out.

    Anyone have any ideas where I should start? I can upload the gpresults output and DCA log if that would help - actually I am not sure whether I can upload in the forum.

    Embarrassing thing is, I pushed for DA over a VPN solution and I now need to get these other laptops on DA a.s.a.p. :(

    Any help or pointers would be appreciated.

    Cheers,

    Kenny



    • Edited by KPGrue Monday, July 15, 2013 11:47
    Monday, July 15, 2013 11:33

All replies

  • Hello,

    On your client, is the IPv6 protocol enabled on the NIC and in the registry?

    Try to follow this KB to fully enable IPv6 again on your client, as described in my article: http://security.sakuranohana.fr/2012/08/directaccess-my-transition-technologies.html

    Regards.


    Follow me on Twitter http://www.twitter.com/liontux | My Blog (French/English) : http://security.sakuranohana.fr/

    Monday, July 15, 2013 14:33
  • +1 on what Lionel said - make sure the DisabledComponents key doesn't exist or is set to zero. You might have this set in your standard image.

    I can also take a look over the DCA logs if you feel like sending them over, but if that key is set blocking IPv6, it doesn't matter what is in the logs :) - Jordan.Krause@ivonetworks.com

    Monday, July 15, 2013 15:22
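
The DisabledComponents check suggested in the two replies above, as an added PowerShell example that is not from any of the thread's participants. The bit meanings are taken from Microsoft's documentation of the DisabledComponents value; the function name `Get-DisabledComponentsReport` and the sample values at the end are constructed for illustration.

```powershell
# Added example: read and decode the IPv6 DisabledComponents bitmask on a client.
$path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

# Bit meanings per Microsoft's documentation of DisabledComponents.
$bits = @(
    @{ Mask = 0x01; Meaning = 'IPv6 disabled on all tunnel interfaces' },
    @{ Mask = 0x02; Meaning = '6to4 disabled' },
    @{ Mask = 0x04; Meaning = 'ISATAP disabled' },
    @{ Mask = 0x08; Meaning = 'Teredo disabled' },
    @{ Mask = 0x10; Meaning = 'IPv6 disabled on all non-tunnel interfaces' },
    @{ Mask = 0x20; Meaning = 'IPv4 preferred over IPv6 in prefix policies' }
)

# Hypothetical helper: turns a raw value ($null = value absent) into a report.
function Get-DisabledComponentsReport {
    param($Value)
    if ($null -eq $Value) {
        return 'DisabledComponents is absent: IPv6 components are at their defaults.'
    }
    if ($Value -eq 0) {
        return 'DisabledComponents = 0: nothing is disabled.'
    }
    $lines = @('DisabledComponents = 0x{0:X8} (non-zero):' -f $Value)
    foreach ($b in $bits) {
        if ($Value -band $b.Mask) { $lines += '  - ' + $b.Meaning }
    }
    return $lines
}

# Read the live value; a missing key or value is reported as absent, not as an error.
$current = $null
$props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
if ($props) {
    $entry = $props.PSObject.Properties['DisabledComponents']
    if ($entry) { $current = $entry.Value }
}
'This machine:'
Get-DisabledComponentsReport -Value $current

# Constructed sample values, to show how a value baked into an image decodes.
foreach ($sample in 0xFF, 0x0A) {
    ''
    Get-DisabledComponentsReport -Value $sample
}
```

Changes to DisabledComponents take effect only after a restart, so re-run the check after rebooting the client.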
  • Hi Guys,

    First of all, thanks very much for your help. It's much appreciated.

    The DisabledComponents key did exist and was set to a non-zero value. I deleted the key and rebooted. I am no longer getting the error I was before. I am still struggling to get it connected as it is now saying - Your computer cannot connect to the DirectAccess server.

    I will keep working on it. One of the things is that we disabled 6to4 and Teredo on the laptop that is working, but not on the one that isn't. I will try doing the same. I believe doing this will make the initial connection faster as it doesn't try connections that we don't want to use; just leaving IPHTTPS that we do.

    I'll report back on how it goes.

    Thanks.

    Kenny

    Tuesday, July 16, 2013 12:59
  • Cool, let us know! Also keep in mind that Teredo is attempted before IP-HTTPS for a reason. If your environment is configured in a way that it supports Teredo, I generally use it. Teredo connections are faster than IP-HTTPS connections (for Windows 7 clients at least), and put less of a load on the DirectAccess server. It is a more efficient protocol.
    Tuesday, July 16, 2013 13:13