DirectAccess IPHTTPS Clients not registering in DNS

  • Question

  • This is driving me nuts!

    I have a DirectAccess server set up on Server 2012. This is behind a NAT so is configured with a single NIC and using IPHTTPS / NAT64 / DNS64.

    Inbound connections are working fine, but the clients (Win7) are not registering their IPHTTPS addresses in DNS - a problem for managing out.

    Corporate DNS resolution is working on the clients - they can ping the DNS servers on their NAT64 addresses. I can ping the clients from the DA server on their IPHTTPS addresses.

    I'm not really clear how the DNS registration is supposed to work in this scenario. Normally a client will register directly with its configured DNS server. If I understand correctly, with DirectAccess and DNS64 the client sends DNS requests to the DA server, which relays them to the actual DNS servers, translating the replies to a NAT64 address. But what about DNS registration - does this go direct to the DNS servers or is it relayed via the DA server?

    To complicate matters I'm running ISATAP internally due to a legacy 2008 R2 DirectAccess setup. I intend to decommission this so am not looking to get ISATAP working on the 2012 DA setup. I have therefore set OnlySendAQuery to True on the DA 2012 server to ensure its DNS lookups return IPv4 addresses which get translated by DNS64, rather than ISATAP addresses which would get passed through. (I know the manage-out machines will need IPv6 connectivity - but I'll worry about this later - trying to focus on the DNS registration problem for now.)

    Things I have checked:

     - Dynamic Updates on the DNS zone are enabled (Nonsecure & Secure).

     - "Register this connection's addresses in DNS" is ticked in the IPv6 properties on the client.

     - ipconfig /registerdns doesn't help.

    Can anyone shed any light on how the process is supposed to work and what the problem might be?

    Thanks,

    Tim
    Wednesday, December 11, 2013 1:10 PM

All replies

  • Thanks Ophir, I've tried setting "Only Secure" in the client GPO for DNS update security level but this hasn't helped.

    Thursday, December 12, 2013 3:56 PM
  • I am having this same exact issue. Did you ever find a solution? If I manually add a record for the client, I can ping, and RDP, but Remote Assistance or browsing to the machine doesn't work.
    Tuesday, January 21, 2014 1:45 PM
  • Check the security on the client's IPv4 DNS entry. If the DHCP server/service account has rights but the client does not, chances are that the client cannot update its "own" record to IPv6.

    http://setspn.blogspot.com

    Wednesday, January 22, 2014 9:53 AM
  • Hi Tim.

    Sorry for necroposting. Did you solve your problem?

    I have the same issue, my DA clients are not registering their IPHTTPS addresses in DNS.

    Can't find anything about this problem =\

    Thanks in advance.

    Tuesday, December 22, 2015 1:03 PM
  • Hi,

    same here. The setup is pretty much the same as Tim's and we also have the problem that clients do not register their IPv6 addresses in DNS. We are thinking about fiddling with ACLs of the AD-integrated DNS, but I'm still not sure if this is an acceptable solution...

    Thanks

    Tuesday, March 8, 2016 11:23 AM
  • Hi,

    I know this is an old thread, but did any of you resolve this?

    Sam

    Wednesday, February 8, 2017 1:25 PM
  • The original problem could well have had to do with the fact that they were running global ISATAP, as this could certainly make routing inside the network more difficult and could have had a bearing on DNS registration. So unless you are in that same boat, I'm not sure this post would apply to anyone else. If you are/were running a 2008 R2 DA instance with global ISATAP configured, that should really be decommissioned before trying to set up any new DirectAccess server or entry point, or there could be routing conflicts between the two.

    As far as DA clients registering in DNS - that is supposed to happen automatically by the clients. The only times I've ever seen DA clients not register automatically inside DNS is in cases where the DNS servers had been configured not to allow AAAA records to register. (the clients will register their IPv6 addresses as AAAA records, and it's possible your DNS could be configured not to accept those...?)

    Thursday, February 16, 2017 2:21 PM
  • Check the security on the client's IPv4 DNS entry. If the DHCP server/service account has rights but the client does not, chances are that the client cannot update its "own" record to IPv6.

    http://setspn.blogspot.com

    I know this is a very old topic, but is there a solution to this? We have the problem where our service account "owns" the record, so the computer is unable to change the record to the IPv6 address. I am unable to find out how this should be configured.
    Tuesday, September 15, 2020 9:31 AM
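The two replies above (the setspn post and the 2020 follow-up that quotes it) both point at the same thing: with secure-only dynamic updates, a client can only rewrite a record whose dnsNode object it has write access to, and a record created by the DHCP server is owned by the DHCP server's account, not by the computer. The script below is an added example written for this thread, not code from Microsoft or from any poster. It runs on a domain controller or DNS server with the ActiveDirectory and DnsServer RSAT modules, lists what the server currently holds for one client, shows who owns the backing dnsNode object and who can write to it, and with -Fix adds a GenericWrite ACE for the computer account. The host and zone names are placeholders, and the script assumes the zone is stored in the DomainDnsZones partition (change $zoneContainer for ForestDnsZones or the legacy CN=System location).

```powershell
<#
  Added example for the thread above (not from the original posts).
  Reports, and optionally repairs, the ACL on a client's dnsNode object in an
  AD-integrated zone so the client can register its own AAAA record.
  Assumptions: zone lives in DomainDnsZones; run where the ActiveDirectory
  and DnsServer modules are available; names below are constructed.
#>
param(
    [Parameter(Mandatory)] [string] $HostName,   # e.g. 'DACLIENT01' (placeholder)
    [Parameter(Mandatory)] [string] $ZoneName,   # e.g. 'corp.example.com' (placeholder)
    [switch] $Fix                                # omit to report only
)

Import-Module ActiveDirectory
Import-Module DnsServer

$domain        = Get-ADDomain
$zoneContainer = "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$($domain.DistinguishedName)"

# 1. What does DNS currently hold for this host? A DA client that has
#    registered correctly shows an AAAA record carrying its IP-HTTPS address.
$records = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $HostName -ErrorAction SilentlyContinue
if (-not $records) { Write-Warning "No records for $HostName in $ZoneName" }
foreach ($r in $records) {
    $data = switch ($r.RecordType) {
        'A'     { "$($r.RecordData.IPv4Address)" }
        'AAAA'  { "$($r.RecordData.IPv6Address)" }
        default { ($r.RecordData | Out-String).Trim() }
    }
    "{0,-5} {1}" -f $r.RecordType, $data
}

# 2. Locate the dnsNode object behind those records and read its ACL.
$node = Get-ADObject -SearchBase $zoneContainer -SearchScope OneLevel `
        -Filter "objectClass -eq 'dnsNode' -and name -eq '$HostName'"
if (-not $node) { throw "No dnsNode object for $HostName under $zoneContainer" }

$nodePath = "AD:\$($node.DistinguishedName)"
$acl      = Get-Acl -Path $nodePath
"Owner of dnsNode : $($acl.Owner)"

# Any of these rights lets the holder replace the record data.
$writeMask = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
             [int][System.DirectoryServices.ActiveDirectoryRights]::GenericWrite  -bor
             [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll

"Principals with write access:"
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and (([int]$_.ActiveDirectoryRights -band $writeMask) -ne 0) } |
    ForEach-Object { "  {0,-35} {1}" -f $_.IdentityReference, $_.ActiveDirectoryRights }

# 3. Does the computer account itself have write access?
$computer = Get-ADComputer -Identity $HostName
$account  = "$($domain.NetBIOSName)\$($computer.SamAccountName)"
$canWrite = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $account -and
    (([int]$_.ActiveDirectoryRights -band $writeMask) -ne 0)
}

if ($canWrite) {
    "$account can update its own record; look elsewhere (AAAA allowed on the zone, client-side registration)."
}
elseif ($Fix) {
    # Grant the computer account write on its dnsNode so its secure update succeeds.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $computer.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $nodePath -AclObject $acl
    "Granted GenericWrite on $($node.DistinguishedName) to $account"
}
else {
    Write-Warning "$account has no write access to its dnsNode; secure dynamic update of the AAAA record will be refused. Re-run with -Fix to add an ACE."
}
```

Run it as `.\Check-DnsNodeAcl.ps1 -HostName DACLIENT01 -ZoneName corp.example.com` first without -Fix: if the owner and the only writer turn out to be the DHCP server or its service account, the thread's hypothesis is confirmed for that host. The -Fix path only touches the single dnsNode and does not alter the zone's update mode; because DHCP will keep creating records under its own account, a lasting fix belongs on the DHCP side (for instance registering through the DnsUpdateProxy group or having clients register their own records) rather than patching ACLs host by host.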