Direct Access - Windows is unable to resolve corporate network names
-
Saturday 09 June 2012 15:06
Hello together,
I have read step-by-step guides, forum posts and troubleshooting guides for days now, but I am still unable to solve my problem. I also posted this to the German TechNet forum (http://social.technet.microsoft.com/Forums/de-DE/windows_Serverde/thread/d3636678-6e83-468a-a0a3-4fd264c729de), so far without any results. Maybe somebody here can help me?!?
Ok, the actual state is:
- Teredo and IP-HTTPS are up
- I can ping the IPv6 addresses of the configured DCs
- but: no DNS
Following are some parts of the DCA log:
RED: Corporate connectivity is not working.
Windows is unable to resolve corporate network names. Please contact your administrator if this problem persists.
7/6/2012 13:23:42 (UTC)
Probes List
FAIL PING: dc3.int.domain.de
FAIL HTTP: http://dc2.int.domain.de
FAIL FILE: \\dc2.int.domain.de\DirectAccess\Testfile.txt
DTE List
PASS PING: 2002:c20f:b30b::c20f:b30b
PASS PING: 2002:c20f:b240::c20f:b240...
Tunneladapter Teredo Tunneling Pseudo-Interface:
Verbindungsspezifisches DNS-Suffix:
Beschreibung. . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physikalische Adresse . . . . . . : 00-00-00-00-00-00-00-E0
DHCP aktiviert. . . . . . . . . . : Nein
Autokonfiguration aktiviert . . . : Ja
IPv6-Adresse. . . . . . . . . . . : 2001:0:c20f:b30b:3829:3af3:b2e9:2581(Bevorzugt)
Verbindungslokale IPv6-Adresse . : fe80::3829:3af3:b2e9:2581%14(Bevorzugt)
Standardgateway . . . . . . . . . :
NetBIOS über TCP/IP . . . . . . . : Deaktiviert
Tunneladapter iphttpsinterface:
Verbindungsspezifisches DNS-Suffix:
Beschreibung. . . . . . . . . . . : iphttpsinterface
Physikalische Adresse . . . . . . : 00-00-00-00-00-00-00-E0
DHCP aktiviert. . . . . . . . . . : Nein
Autokonfiguration aktiviert . . . : Ja
IPv6-Adresse. . . . . . . . . . . : 2002:c20f:b30b:2:bd3e:8b81:d3d4:16a2(Bevorzugt)
Temporäre IPv6-Adresse. . . . . . : 2002:c20f:b30b:2:184:2c7c:69e8:cdd(Bevorzugt)
Verbindungslokale IPv6-Adresse . : fe80::bd3e:8b81:d3d4:16a2%29(Bevorzugt)
Standardgateway . . . . . . . . . : fe80::68e3:2fcc:2db:8209%29
NetBIOS über TCP/IP . . . . . . . : Deaktiviert
C:\Windows\system32\LogSpace\{E0E6DCDE-7E31-465D-84D0-233B7726DC69}>netsh int teredo show state
Teredo-Parameter
---------------------------------------------
Typ : client
Servername : 194.x.x.x (Group Policy)
Clientaktual.-intervall : 30 Sekunden
Clientport : unspecified
Status : qualified
Clienttyp : Teredo host-specific relay
Netzwerk : unmanaged
NAT : restricted
NAT-spezifisches Verhalten : UPNP: Nein, Portbeibehaltung: Ja
Lokale Zuordnung : 192.168.178.29:50444
Externe NAT-Zuordnung : 77.22.218.126:50444
C:\Windows\system32\LogSpace\{E0E6DCDE-7E31-465D-84D0-233B7726DC69}>netsh int httpstunnel show interfaces
Parameter für die Schnittstelle IPHTTPSInterface (Group Policy)
------------------------------------------------------------
Rolle : client
URL : https://directaccess.domain.de:443/IPHTTPS
Letzter Fehlercode : 0x0
Schnittstellenstatus : Die IP-HTTPS-Schnittstelle ist aktiv.
C:\Windows\system32\LogSpace\{E0E6DCDE-7E31-465D-84D0-233B7726DC69}>netsh advfirewall monitor show consec
Global-Einstellungen:
----------------------------------------------------------------------
IPsec:
Sichere CRL-Überprüfung 0:Deaktiviert
SAIdleTimeMin 5min
Standardausnahmen ICMP
IPsec-über-NAT Niemals
Auth-Benutzergruppe Keine
Auth-Computergruppe Keine
Stateful-FTP Aktivieren
Stateful-PPTP Aktivieren
Hauptmodus:
Schlüsselgültigkeitsdauer 60Min.,0Sitz.
Sicherheitsmethoden DH-Gruppe 2-AES128-SHA256,DH-Gruppe 2-AES128-SHA1,DH-Gruppe 2-3DES-SHA1
DH erzwingen No
Kategorien:
Regelkategorie für Startzeit Windows-Firewall
Regelkategorie für Firewall Windows-Firewall
Regelkategorie für geschützten Modus Windows-Firewall
Regelkategorie für Verbindungssicherheitsr. Windows-Firewall
Schnellmodus:
Schnellmodus-Sicherheitsmethoden ESP:SHA1-Keine+60min+100000kb,ESP:SHA1-AES128+60min+100000kb,ESP:SHA1-3DES+60min+100000kb,AH:SHA1+60min+100000kb
Schnellmodus-PFS None
Sicherheitszuordnungen:
Keine Sicherheitszuordnungen stimmen mit den angegebenen Kriterien überein.
In English:
Security Associations:
No SAs match the specified criteria.
If you need further information, please let me know ...
Hans Moggert Technical Account Manager Geschäftsbereich Technologie & Service Allgeier IT Solutions GmbH
All replies
-
Monday 11 June 2012 03:49 (Discussion moderator)
Hi Hans,
Thank you for the post.
First, I want to know whether the name resolution issue occurs only in the IP-HTTPS-enabled scenario or in all scenarios (ISATAP/6to4/Teredo/IP-HTTPS). Please verify that DA works in all scenarios according to the DA troubleshooting guide.
The first page of the DA Demonstrate (Step-By-Step) guide mentions that the guide extends the base configuration test lab guide. Have you read that guide for any missed steps?
The name resolution issue may be caused by the NRPT policy. Please read the DirectAccess Client Cannot Resolve Names with Intranet DNS Servers article and post the results of the commands "netsh namespace show policy" and "netsh namespace show effective". It should show your DC server's IPv6 address in the DirectAccess (DNS Servers) entry like:
......
DirectAccess (DNS Servers) : 2002:42ef:7032:1:0:5efe:192.168.101.3
DirectAccess (Proxy Settings) : Bypass proxy
If there are more inquiries on this issue, please feel free to let us know.
Regards,
Rick Tan
TechNet Subscriber Support
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Rick Tan
TechNet Community Support
-
Monday 11 June 2012 08:29
Hi Rick,
Thank you for your answer.
I think I can give you some more information because I have done further troubleshooting while waiting for a response.
From my point of view, a DirectAccess connection is a 2-step process. The first step is to establish a connection over the IPv6-to-IPv4 tunneling protocols (ISATAP, 6to4, Teredo, IP-HTTPS), and after this to establish an IPsec tunnel based on the computer certificates. The ICMP protocol isn't using the IPsec tunnel, so the fact that I can ping the internal DNS server is a sign that the transition tunnel is up, but the IPsec isn't. Am I right?
In the different troubleshooting guides I always come to the point where I have to verify the IPsec connection, and I always verify it isn't there. But I don't find the reason why I can't get the IPsec connection.
Here is my actual PKI Implementation:
I have an "empty" root domain "domain.de" with two DCs at two sites and only the DNS service for "domain.de" and the Enterprise Root CA in this domain. Additionally I have a subdomain "int.domain.de" with DCs, RDS, Exchange, ... and the DirectAccess server.
The DirectAccess server is (with the external interface) in the subnet where one of the DCs for "domain.de" is placed, so I have implemented the filter for domain controllers on the external interface. But I think this should be configured right, because the DirectAccess setup is going through steps 1 - 4 without any problems and also the status page says everything is OK.
The client has an autoenrolled certificate based on the computer template from the Enterprise Root CA with its internal name "client.int.domain.de" as common name and DNS name.
The DirectAccess server has two certificates from the Root CA:
- one autoenrolled certificate based on the computer template with its internal name "da.int.domain.de"
- one certificate based on a customized web server template with "Serverauthentifizierung (1.3.6.1.5.5.7.3.1)" and "IP-Sicherheits-IKE, dazwischenliegend (1.3.6.1.5.5.8.2.2)" with its external name "da.domain.de", also from the Enterprise Root CA.
The revocation lists are published and reachable from the intranet and the Internet.
So I think this is how it should be, and I don't find where my mistake is and why I don't get an IPsec tunnel. Do you have any idea?
Here are the results of the commands you asked for:
C:\Windows\system32>netsh namespace show policy
Richtlinientabelleneinstellungen für die DNS-Namensauflösung
Einstellungen für nls.domain.de
----------------------------------------------------------------------
Zertifizierungsstelle : DC=de, DC=domain, CN=Domain (Root CA)
DNSSEC (Prüfung) : disabled
DNSSEC (IPsec) : disabled
DirectAccess (DNS-Server) :
Direktzugriff (IPsec) : disabled
Direktzugriff (Proxyeinstellungen) : Proxy umgehen
Einstellungen für .ad.allgeier-it.de
----------------------------------------------------------------------
Zertifizierungsstelle : DC=de, DC=domain, CN=Domain (Root CA)
DNSSEC (Prüfung) : disabled
DNSSEC (IPsec) : disabled
DirectAccess (DNS-Server) : 2002:c20f:b30b:1:200:5efe:194.x.x.x
2002:c20f:b30b:1:200:5efe:194.x.x.x
Direktzugriff (IPsec) : disabled
Direktzugriff (Proxyeinstellungen) : Proxy umgehen
C:\Windows\system32>netsh namespace show effective
Effektive Richtlinientabelleneinstellungen für die DNS-Namensauflösung
Einstellungen für nls.domain.de
----------------------------------------------------------------------
Zertifizierungsstelle : DC=de, DC=domain, CN=Domain (Root CA)
DNSSEC (Prüfung) : disabled
IPsec-Einstellungen : disabled
DirectAccess (DNS-Server) :
Direktzugriff (Proxyeinstellungen) : Proxy umgehen
Einstellungen für .ad.allgeier-it.de
----------------------------------------------------------------------
Zertifizierungsstelle : DC=de, DC=domain, CN=Domain (Root CA)
DNSSEC (Prüfung) : disabled
IPsec-Einstellungen : disabled
DirectAccess (DNS-Server) : 2002:c20f:b30b:1:200:5efe:194.x.x.x
2002:c20f:b30b:1:200:5efe:194.x.x.x
Direktzugriff (Proxyeinstellungen) : Proxy umgehen
I would be very happy if you are able to find my mistake ...
Thanks and best regards
Hans Moggert Technical Account Manager Geschäftsbereich Technologie & Service Allgeier IT Solutions GmbH
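An added example, not code from the thread or from Microsoft: the check sequence the two posts above describe (NRPT entries for the intranet suffix, transition tunnel up, IPsec SAs present, then a DNS query sent to the DA DNS server) as a PowerShell script for a Windows 8 or later DirectAccess client, where the netsh commands shown have cmdlet equivalents. The suffix .int.domain.de and the probe host dc2.int.domain.de are taken from the thread; the step order and the warning texts are my assumptions.

```powershell
# Added example (not from the thread). Walks the DA client checks in the order the
# thread uses: NRPT -> transition tunnel -> IPsec SAs -> DNS via the DA DNS server.
$IntranetSuffix = '.int.domain.de'     # assumed: the NRPT namespace from the thread
$TestHost       = 'dc2.int.domain.de'  # assumed: a probe host from the DCA log above

# 1. NRPT: the suffix rule must carry DirectAccess DNS server (IPv6) addresses; without
#    them intranet names go to the normal (Internet) resolver and fail to resolve.
$nrpt  = Get-DnsClientNrptPolicy -Effective | Where-Object { $_.Namespace -eq $IntranetSuffix }
$daDns = @($nrpt.DirectAccessDnsServers)
if (-not $nrpt) {
    Write-Warning "No effective NRPT rule for $IntranetSuffix"
} elseif ($daDns.Count -eq 0) {
    Write-Warning "NRPT rule for $IntranetSuffix has no DirectAccess DNS servers"
} else {
    "NRPT DNS servers for ${IntranetSuffix}: $($daDns -join ', ')"
}

# 2. Transition tunnel (Teredo / IP-HTTPS). This is the layer where the poster's pings
#    succeed: ICMPv6 is exempt from IPsec, so a working ping proves only this layer.
$teredo  = Get-NetTeredoState
$iphttps = Get-NetIPHttpsState
"Teredo: $($teredo.State)  IP-HTTPS: $($iphttps.State) (last error $($iphttps.LastErrorCode))"

# 3. IPsec: the infrastructure tunnel to the DA server needs a main-mode and a
#    quick-mode SA. "No SAs match the specified criteria" in the thread is this check failing.
$mm = @(Get-NetIPsecMainModeSA  -ErrorAction SilentlyContinue)
$qm = @(Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue)
"IPsec main-mode SAs: $($mm.Count), quick-mode SAs: $($qm.Count)"
if ($mm.Count -eq 0) {
    Write-Warning 'No main-mode SA: check the client computer certificate, CRL reachability and the DA server IKE certificate'
}

# 4. Name resolution through the tunnel: query each DA DNS server directly so a failure
#    here points at the IPsec tunnel (DNS traffic needs it), not at the NRPT rule.
foreach ($server in $daDns) {
    try {
        $rr = Resolve-DnsName -Name $TestHost -Server $server -Type AAAA -DnsOnly -ErrorAction Stop
        $addr = ($rr | Where-Object Type -eq 'AAAA' | Select-Object -ExpandProperty IPAddress) -join ', '
        "Resolved $TestHost via ${server}: $addr"
    } catch {
        Write-Warning "Query for $TestHost via $server failed: $($_.Exception.Message)"
    }
}
```

Run it in an elevated PowerShell on the client while it is outside the corporate network; the step whose warning appears first is the layer to troubleshoot.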
-
Tuesday 12 June 2012 03:30 (Discussion moderator)
Hi Hans,
Additionally I have an Subdomain "int.domain.de" with DCs, RDS, Exchange, ... and the Direct Access Server.
Since your DA server and DA clients are in the "int.domain.de" subdomain, your NLS server (APP1) should also be in this subdomain. But your NRPT output displays nls.domain.de/.ad.allgeier-it.de, which should be set to nls.int.domain.de/.int.domain.de. The domain.de namespace is just set on the DA server for the IP-HTTPS connection. In this case, please verify that you set up two CRLs for the Internet (crl.domain.de on the DA server) and the intranet (crl.int.domain.de on the APP1 server).
Regards,
Rick Tan
TechNet Subscriber Support
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Rick Tan
TechNet Community Support
-
Tuesday 12 June 2012 11:16
Hi Rick,
sorry, my mistake! While copying and pasting and trying to anonymize our "real names" I made a mistake! Here are the correct (anonymized) outputs:
C:\Windows\system32>netsh namespace show policy
Richtlinientabelleneinstellungen für die DNS-Namensauflösung
Einstellungen für nls.int.domain.de
----------------------------------------------------------------------
Zertifizierungsstelle : DC=de, DC=domain, CN=Domain (Root CA)
DNSSEC (Prüfung) : disabled
DNSSEC (IPsec) : disabled
DirectAccess (DNS-Server) :
Direktzugriff (IPsec) : disabled
Direktzugriff (Proxyeinstellungen) : Proxy umgehen
Einstellungen für .int.domain.de
----------------------------------------------------------------------
Zertifizierungsstelle : DC=de, DC=domain, CN=Domain (Root CA)
DNSSEC (Prüfung) : disabled
DNSSEC (IPsec) : disabled
DirectAccess (DNS-Server) : 2002:c20f:b30b:1:200:5efe:194.15.178.42
2002:c20f:b30b:1:200:5efe:194.15.178.41
Direktzugriff (IPsec) : disabled
Direktzugriff (Proxyeinstellungen) : Proxy umgehen
C:\Windows\system32>netsh namespace show effective
Effektive Richtlinientabelleneinstellungen für die DNS-Namensauflösung
Einstellungen für nls.int.domain.de
----------------------------------------------------------------------
Zertifizierungsstelle : DC=de, DC=domain, CN=Domain (Root CA)
DNSSEC (Prüfung) : disabled
IPsec-Einstellungen : disabled
DirectAccess (DNS-Server) :
Direktzugriff (Proxyeinstellungen) : Proxy umgehen
Einstellungen für .int.domain.de
----------------------------------------------------------------------
Zertifizierungsstelle : DC=de, DC=domain, CN=Domain (Root CA)
DNSSEC (Prüfung) : disabled
IPsec-Einstellungen : disabled
DirectAccess (DNS-Server) : 2002:c20f:b30b:1:200:5efe:194.15.178.42
2002:c20f:b30b:1:200:5efe:194.15.178.41
Direktzugriff (Proxyeinstellungen) : Proxy umgehen
Is it necessary for internal clients to reach the CRL by HTTP? I thought internal clients can reach it via LDAP and that should be enough. Am I right? Additionally, the "external URLs" http://crl.domain.de/crl are also reachable for internal clients.
Although I followed the step-by-step guides, I'm not sure if I have configured the network interfaces at the DA server correctly. Can you take a look at this?
External Interface:
Client for Microsoft Networks - deactivated
File and Printer Sharing - deactivated
IPv6 - deactivated
IPv4 - with two public IP addresses, for example 194.1.1.11 + 194.1.1.12, with subnet mask and gateway, without DNS server, with the specific DNS suffix "domain.de"
Internal Interface:
Everything activated
IPv4 - with 1 internal but also public IP address*, e.g. 194.1.2.10, subnet mask, no gateway, the internal DNS servers and the specific DNS suffix int.domain.de
Static routes for all internal IP subnets through the gateway of the internal subnet
* We have public IP addresses for every server, client etc.; may this cause my problem?
Is this correct? Is it possible to configure a domain search list for the internal domains?
Is it correct that the external LAN connection shows "not authenticated"?
Which IP addresses are necessary to exclude by firewall rule for the external interface (http://technet.microsoft.com/en-US/library/ee649272(v=ws.10).aspx)? Only the DCs in the subnet of the external interface or every DC?
Do you agree that the IPsec connection is the problem? I still can't find any hints for troubleshooting the IPsec connection; can you tell me how to troubleshoot it?
Sorry for my English, I hope you understand what I wanted to say :-)
Regards
Hans Moggert Technical Account Manager Geschäftsbereich Technologie & Service Allgeier IT Solutions GmbH
-
Wednesday 13 June 2012 13:05
Hi Rick,
I have some news for you again: I tried to use another Windows 7 notebook and ... it works!
The only thing I had to do was put the notebook in the DA client group, run gpupdate, and everything works how it should!
Although I still don't know why my notebook will not establish the IPsec tunnel, I am now sure that my implementation works!
Thank you very much for your help ...
Best regards
Hans Moggert Technical Account Manager Geschäftsbereich Technologie & Service Allgeier IT Solutions GmbH
- Marked as answer by Rick Tan (Moderator), Thursday 14 June 2012 01:36