Direct Access - Windows is unable to resolve corporate network names

    Question

  • Hello everyone,

    I have read step-by-step guides, forum posts and troubleshooting guides for days now, but I am still unable to solve my problem. I also posted this to the German TechNet forum (http://social.technet.microsoft.com/Forums/de-DE/windows_Serverde/thread/d3636678-6e83-468a-a0a3-4fd264c729de), so far without any results. Maybe somebody here can help me?!?

    Ok, the actual state is:

    - Teredo and IP-HTTPS are up

    - I can ping the IPv6 addresses of the configured DCs

    - but: no DNS

    Following are some parts of the DCA log:

    RED: Corporate connectivity is not working.
    Windows is unable to resolve corporate network names.  Please contact your administrator if this problem persists.
    7/6/2012 13:23:42 (UTC)

    Probes List
    FAIL  PING: dc3.int.domain.de
    FAIL  HTTP: http://dc2.int.domain.de
    FAIL  FILE: \\dc2.int.domain.de\DirectAccess\Testfile.txt

    DTE List
    PASS  PING: 2002:c20f:b30b::c20f:b30b
    PASS  PING: 2002:c20f:b240::c20f:b240

    ...

    Tunneladapter Teredo Tunneling Pseudo-Interface:

       Verbindungsspezifisches DNS-Suffix:
       Beschreibung. . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physikalische Adresse . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP aktiviert. . . . . . . . . . : Nein
       Autokonfiguration aktiviert . . . : Ja
       IPv6-Adresse. . . . . . . . . . . : 2001:0:c20f:b30b:3829:3af3:b2e9:2581(Bevorzugt)
       Verbindungslokale IPv6-Adresse  . : fe80::3829:3af3:b2e9:2581%14(Bevorzugt)
       Standardgateway . . . . . . . . . :
       NetBIOS ber TCP/IP . . . . . . . : Deaktiviert

    Tunneladapter iphttpsinterface:

       Verbindungsspezifisches DNS-Suffix:
       Beschreibung. . . . . . . . . . . : iphttpsinterface
       Physikalische Adresse . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP aktiviert. . . . . . . . . . : Nein
       Autokonfiguration aktiviert . . . : Ja
       IPv6-Adresse. . . . . . . . . . . : 2002:c20f:b30b:2:bd3e:8b81:d3d4:16a2(Bevorzugt)
       Temporäre IPv6-Adresse. . . . . . : 2002:c20f:b30b:2:184:2c7c:69e8:cdd(Bevorzugt)
       Verbindungslokale IPv6-Adresse  . : fe80::bd3e:8b81:d3d4:16a2%29(Bevorzugt)
       Standardgateway . . . . . . . . . : fe80::68e3:2fcc:2db:8209%29
       NetBIOS ber TCP/IP . . . . . . . : Deaktiviert

    C:\Windows\system32\LogSpace\{E0E6DCDE-7E31-465D-84D0-233B7726DC69}>netsh int teredo show state
    Teredo-Parameter
    ---------------------------------------------
    Typ                     : client
    Servername              : 194.x.x.x (Group Policy)
    Clientaktual.-intervall : 30 Sekunden
    Clientport              : unspecified
    Status                  : qualified
    Clienttyp             : Teredo host-specific relay
    Netzwerk                 : unmanaged
    NAT                     : restricted
    NAT-spezifisches Verhalten   : UPNP: Nein, Portbeibehaltung: Ja
    Lokale Zuordnung           : 192.168.178.29:50444
    Externe NAT-Zuordnung    : 77.22.218.126:50444


    C:\Windows\system32\LogSpace\{E0E6DCDE-7E31-465D-84D0-233B7726DC69}>netsh int httpstunnel show interfaces

    Parameter fr die Schnittstelle IPHTTPSInterface (Group Policy)
    ------------------------------------------------------------
    Rolle                       : client
    URL                        : https://directaccess.domain.de:443/IPHTTPS
    Letzter Fehlercode            : 0x0
    Schnittstellenstatus           : Die IP-HTTPS-Schnittstelle ist aktiv.

    C:\Windows\system32\LogSpace\{E0E6DCDE-7E31-465D-84D0-233B7726DC69}>netsh advfirewall monitor show consec

    Global-Einstellungen:
    ----------------------------------------------------------------------
    IPsec:
    Sichere CRL-šberprfung               0:Deaktiviert
    SAIdleTimeMin                         5min
    Standardausnahmen                     ICMP
    IPsec-über-NAT                        Niemals
    Auth-Benutzergruppe                   Keine
    Auth-Computergruppe                   Keine

    Stateful-FTP                          Aktivieren
    Stateful-PPTP                         Aktivieren

    Hauptmodus:
    Schlsselgltigkeitsdauer                60Min.,0Sitz.
    Sicherheitsmethoden                      DH-Gruppe 2-AES128-SHA256,DH-Gruppe 2-AES128-SHA1,DH-Gruppe 2-3DES-SHA1
    DH erzwingen                             No

    Kategorien:
    Regelkategorie fr Startzeit                 Windows-Firewall
    Regelkategorie fr Firewall                  Windows-Firewall
    Regelkategorie fr geschtzten Modus         Windows-Firewall
    Regelkategorie fr Verbindungssicherheitsr.  Windows-Firewall


    Schnellmodus:
    Schnellmodus-Sicherheitsmethoden         ESP:SHA1-Keine+60min+100000kb,ESP:SHA1-AES128+60min+100000kb,ESP:SHA1-3DES+60min+100000kb,AH:SHA1+60min+100000kb
    Schnellmodus-PFS                         None

    Sicherheitszuordnungen:

    Keine Sicherheitszuordnungen stimmen mit den angegebenen Kriterien überein.

    In English:

    Security Associations:
     
    No SAs match the specified criteria.

    If you need further information, please let me know ...


    Hans Moggert Technical Account Manager Geschäftsbereich Technologie & Service Allgeier IT Solutions GmbH

    Saturday, 09 June 2012 15:06

Answers

  • Hi Rick,

    I have some more news for you: I tried another Windows 7 notebook and ... it works!

    The only thing I had to do was put the notebook in the DA client group, run gpupdate, and everything works as it should!

    Although I still don't know why my notebook will not establish the IPsec tunnel, I am now sure that my implementation works!

    Thank you very much for your help ...

    Best regards


    Hans Moggert Technical Account Manager Geschäftsbereich Technologie & Service Allgeier IT Solutions GmbH

    • Marked as answer by Rick Tan (Moderator) Thursday, 14 June 2012 01:36
    Wednesday, 13 June 2012 13:05

All replies

  • Hi Hans,

    Thank you for the post.

    First, I want to know whether the name resolution issue occurs only in the IP-HTTPS scenario or in all scenarios (ISATAP/6to4/Teredo/IP-HTTPS). Please verify that DA works in all scenarios according to the DA troubleshooting guide.
    The first page of the DA Demonstration (Step-by-Step) guide mentions that the guide extends the base configuration test lab guide. Have you read that guide for any steps you may have missed?
    The name resolution issue may be caused by the NRPT policy. Please read the article "DirectAccess Client Cannot Resolve Names with Intranet DNS Servers" and post the results of the commands "netsh namespace show policy" and "netsh namespace show effective". It should show your DC server's IPv6 address in the DirectAccess (DNS Servers) entry, like:
    ......
    DirectAccess (DNS Servers)              : 2002:42ef:7032:1:0:5efe:192.168.101.3
    DirectAccess (Proxy Settings)           : Bypass proxy

    If there are more inquiries on this issue, please feel free to let us know.
     
    Regards,
    Rick Tan
    TechNet Subscriber Support
    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Rick Tan

    TechNet Community Support

    Monday, 11 June 2012 03:49
  • Hi Rick,

    Thank you for your answer.

    I think I can give you some more information because I have done further troubleshooting while waiting for a response.

    From my point of view, a DirectAccess connection is a two-step process. The first step is to establish a connection over the IPv6-to-IPv4 tunneling protocols (ISATAP, 6to4, Teredo, IP-HTTPS), and after this to establish an IPsec tunnel based on the computer certificates. The ICMP protocol isn't using the IPsec tunnel, so the fact that I can ping the internal DNS server is a sign that the transition tunnel is up, but the IPsec tunnel isn't. Am I right?

    In the different troubleshooting guides I always come to the point where I have to verify the IPsec connection, and I always find it isn't there. But I can't find the reason why I can't get the IPsec connection.

    Here is my actual PKI Implementation:

    I have an "empty" root domain "domain.de" with two DCs at two sites and only the DNS service for "domain.de" and the Enterprise Root CA in this domain. Additionally I have a subdomain "int.domain.de" with DCs, RDS, Exchange, ... and the DirectAccess server.

    The DirectAccess server is (with its external interface) in the subnet where one of the DCs for "domain.de" is placed, so I have implemented the filter for domain controllers on the external interface. But I think this should be configured correctly, because the DirectAccess setup goes through steps 1 - 4 without any problems and the status page also says everything is OK.

    The client has an autoenrolled certificate based on the computer template from the Enterprise Root CA with its internal name "client.int.domain.de" as common name and DNS name.

    The DirectAccess server has two certificates from the Root CA:
    - one autoenrolled certificate based on the computer template with its internal name "da.int.domain.de"
    - one certificate based on a customized web server template with "Serverauthentifizierung (1.3.6.1.5.5.7.3.1)" and "IP-Sicherheits-IKE, dazwischenliegend (1.3.6.1.5.5.8.2.2)" with its external name "da.domain.de", also from the Enterprise Root CA.

    The revocation lists are published and reachable from the intranet and the Internet.

    So I think this is how it should be, and I can't find where my mistake is and why I don't get an IPsec tunnel. Do you have any idea?

    Here are the results of the commands you asked for:

    C:\Windows\system32>netsh namespace show policy

    Richtlinientabelleneinstellungen für die DNS-Namensauflösung

    Einstellungen für nls.domain.de
    ----------------------------------------------------------------------
    Zertifizierungsstelle                 : DC=de, DC=domain, CN=Domain (Root CA)
    DNSSEC (Prüfung)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS-Server)              :
    Direktzugriff (IPsec)                    : disabled
    Direktzugriff (Proxyeinstellungen)           : Proxy umgehen

     

    Einstellungen für .ad.allgeier-it.de
    ----------------------------------------------------------------------
    Zertifizierungsstelle                 : DC=de, DC=domain, CN=Domain (Root CA)
    DNSSEC (Prüfung)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS-Server)              : 2002:c20f:b30b:1:200:5efe:194.x.x.x
                                              2002:c20f:b30b:1:200:5efe:194.x.x.x
    Direktzugriff (IPsec)                    : disabled
    Direktzugriff (Proxyeinstellungen)           : Proxy umgehen

    C:\Windows\system32>netsh namespace show effective

    Effektive Richtlinientabelleneinstellungen für die DNS-Namensauflösung


    Einstellungen für nls.domain.de
    ----------------------------------------------------------------------
    Zertifizierungsstelle                 : DC=de, DC=domain, CN=Domain (Root CA)
    DNSSEC (Prüfung)                     : disabled
    IPsec-Einstellungen                          : disabled
    DirectAccess (DNS-Server)              :
    Direktzugriff (Proxyeinstellungen)           : Proxy umgehen

     

    Einstellungen für .ad.allgeier-it.de
    ----------------------------------------------------------------------
    Zertifizierungsstelle                 : DC=de, DC=domain, CN=Domain (Root CA)
    DNSSEC (Prüfung)                     : disabled
    IPsec-Einstellungen                          : disabled
    DirectAccess (DNS-Server)              : 2002:c20f:b30b:1:200:5efe:194.x.x.x
                                              2002:c20f:b30b:1:200:5efe:194.x.x.x
    Direktzugriff (Proxyeinstellungen)           : Proxy umgehen

    I would be very happy if you are able to find my mistake ...

    Thanks and best regards


    Hans Moggert Technical Account Manager Geschäftsbereich Technologie & Service Allgeier IT Solutions GmbH

    Monday, 11 June 2012 08:29
  • Hi Hans,

    Additionally I have an Subdomain "int.domain.de" with DCs, RDS, Exchange, ... and the Direct Access Server.
    Since your DA server and DA clients are in the "int.domain.de" subdomain, your NLS server (APP1) should also be in this subdomain. But your NRPT output displays nls.domain.de/.ad.allgeier-it.de, which should be set to nls.int.domain.de/.int.domain.de. The domain.de namespace is only set on the DA server for the IP-HTTPS connection. In this case, please verify that you set up two CRLs, one for the Internet (crl.domain.de on the DA server) and one for the intranet (crl.int.domain.de on the APP1 server).

    Regards,
    Rick Tan
    TechNet Subscriber Support
    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Rick Tan

    TechNet Community Support

    Tuesday, 12 June 2012 03:30
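    One way to automate the NRPT check described in the two replies above (the intranet suffix rule must list the DCs' IPv6 addresses, the NLS host must be an exemption with no DNS servers, and both must sit in the subdomain the DA server and clients belong to). This is an added example, not code from the thread or from Microsoft; it parses pasted `netsh namespace show effective` output offline, and the sample text and its addresses are constructed.

```python
import ipaddress

# Constructed sample shaped like the client's `netsh namespace show effective`
# output quoted above (German labels); the DNS server addresses are made up.
SAMPLE = """\
Einstellungen für nls.int.domain.de
----------------------------------------------------------------------
DirectAccess (DNS-Server)              :
Direktzugriff (Proxyeinstellungen)           : Proxy umgehen
Einstellungen für .int.domain.de
----------------------------------------------------------------------
DirectAccess (DNS-Server)              : 2002:c20f:b30b:1:0:5efe:192.0.2.11
                                          2002:c20f:b30b:1:0:5efe:192.0.2.12
Direktzugriff (Proxyeinstellungen)           : Proxy umgehen
"""


def parse_nrpt(text):
    """Map each NRPT rule name to its DirectAccess DNS servers (DE/EN labels)."""
    rules, current, in_dns = {}, None, False
    for line in text.splitlines():
        words = line.split()
        if words[:2] in (["Einstellungen", "für"], ["Settings", "for"]):
            current, in_dns = words[-1], False  # new rule, e.g. ".int.domain.de"
            rules[current] = []
        elif current is None or not words:
            in_dns = False
        elif line[0] != " " and ":" in line:  # a "key : value" line
            key, value = (p.strip() for p in line.split(":", 1))
            in_dns = key.startswith("DirectAccess (DNS")
            if in_dns and value:
                rules[current].append(value)
        elif in_dns:  # indented continuation line: one more DNS server
            rules[current].append(line.strip())
    return rules


def check_nrpt(rules, intranet_suffix, nls_host):
    """Findings: the suffix rule needs IPv6 servers; the NLS host is an exemption."""
    findings = []
    servers = rules.get(intranet_suffix)
    if not servers:
        findings.append(f"{intranet_suffix}: no suffix rule or no DNS servers")
    for s in servers or []:
        try:
            ipaddress.IPv6Address(s)  # ISATAP/6to4 DC addresses are IPv6
        except ValueError:
            findings.append(f"{s} is not a valid IPv6 address")
    if nls_host not in rules or rules[nls_host]:
        findings.append(f"{nls_host}: NLS must be an exemption with no servers")
    if not nls_host.endswith(intranet_suffix):
        findings.append(f"{nls_host} lies outside {intranet_suffix}")
    findings += [f"unexpected suffix rule {n}" for n in rules
                 if n.startswith(".") and n != intranet_suffix]
    return findings
```

Run `check_nrpt(parse_nrpt(SAMPLE), ".int.domain.de", "nls.int.domain.de")`; an empty list means the table matches what the reply expects, while the first (mistyped) output in this thread would produce three findings.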
  • Hi Rick,

    Sorry, my mistake! While copying & pasting and trying to anonymize our "real names" I made a mistake! Here are the correct (anonymized) outputs:

    C:\Windows\system32>netsh namespace show policy

    Richtlinientabelleneinstellungen für die DNS-Namensauflösung

    Einstellungen für nls.int.domain.de
    ----------------------------------------------------------------------
    Zertifizierungsstelle                 : DC=de, DC=domain, CN=Domain (Root CA)
    DNSSEC (Prüfung)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS-Server)              :
    Direktzugriff (IPsec)                    : disabled
    Direktzugriff (Proxyeinstellungen)           : Proxy umgehen

    Einstellungen für .int.domain.de
    ----------------------------------------------------------------------
    Zertifizierungsstelle                 : DC=de, DC=domain, CN=Domain (Root CA)
    DNSSEC (Prüfung)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS-Server)              : 2002:c20f:b30b:1:200:5efe:194.15.178.42
                                              2002:c20f:b30b:1:200:5efe:194.15.178.41
    Direktzugriff (IPsec)                    : disabled
    Direktzugriff (Proxyeinstellungen)           : Proxy umgehen

    C:\Windows\system32>netsh namespace show effective

    Effektive Richtlinientabelleneinstellungen für die DNS-Namensauflösung


    Einstellungen für nls.int.domain.de
    ----------------------------------------------------------------------
    Zertifizierungsstelle                 : DC=de, DC=domain, CN=Domain (Root CA)
    DNSSEC (Prüfung)                     : disabled
    IPsec-Einstellungen                          : disabled
    DirectAccess (DNS-Server)              :
    Direktzugriff (Proxyeinstellungen)           : Proxy umgehen

    Einstellungen für .int.domain.de
    ----------------------------------------------------------------------
    Zertifizierungsstelle                 : DC=de, DC=domain, CN=Domain (Root CA)
    DNSSEC (Prüfung)                     : disabled
    IPsec-Einstellungen                          : disabled
    DirectAccess (DNS-Server)              : 2002:c20f:b30b:1:200:5efe:194.15.178.42
                                              2002:c20f:b30b:1:200:5efe:194.15.178.41
    Direktzugriff (Proxyeinstellungen)           : Proxy umgehen

    Is it necessary for internal clients to reach the CRL via HTTP? I thought internal clients can reach it via LDAP and that should be enough. Am I right? Additionally, the "external URLs" http://crl.domain.de/crl are also reachable for internal clients.

    Although I followed the step-by-step guides, I'm not sure if I have configured the network interfaces at the DA server correctly. Can you take a look at this?

    External Interface:

    Client for Microsoft Networks - deactivated
    File and Printer Sharing - deactivated
    IPv6 - deactivated
    IPv4 - with two public IP addresses, for example 194.1.1.11 + 194.1.1.12, with subnet mask and gateway, without DNS server, with specific DNS suffix "domain.de"

    Internal Interface:

    Everything activated
    IPv4 - with 1 internal but also public IP address*, e.g. 194.1.2.10, subnet mask, no gateway, the internal DNS servers and specific DNS suffix int.domain.de
    Static routes for all internal IP subnets through the gateway for the internal subnet

    * We have public IP addresses for every server, client, etc. Might this cause my problem?

    Is this correct? Is it possible to configure a domain search list for the internal domains?

    Is it correct that the external LAN connection shows "not authenticated"?

    Which IP addresses is it necessary to exclude by firewall rule for the external interface (http://technet.microsoft.com/en-US/library/ee649272(v=ws.10).aspx)? Only the DCs in the subnet of the external interface, or every DC?

    Do you agree that the IPsec connection is the problem? I still can't find any hints for troubleshooting the IPsec connection; can you tell me how to troubleshoot it?

    Sorry for my English, I hope you understand what I wanted to say :-)

    Regards


    Hans Moggert Technical Account Manager Geschäftsbereich Technologie & Service Allgeier IT Solutions GmbH

    Tuesday, 12 June 2012 11:16