DirectAccess on Server 2012 R2 with Single NIC behind NAT on IPv4 only Corporate Network Results in "DNS Not Working Properly"

  • Question

  • I hit this problem at a customer site and can reproduce it in a simple lab.  Lab environment servers:

    • 1x Server 2012 R2 DC and DNS server - DC1 - 10.0.0.1
    • 1x Server 2012 R2 DirectAccess (DA) server - DA1 - 10.0.0.100

    Servers are running "Update" (KB2919355) and following DA hotfixes:

    • KB2929930
    • KB2966087

    I configured DA (via advanced wizard) as follows:

    • DA and remote access
    • AD group
    • directaccess-webprobehost DNS (A) record pointing to 10.0.0.100
    • behind an edge device (with a single network adapter)
    • SSL certificate from enterprise root CA issued to directaccess.contoso.com
    • NLS on remote server using https://nls.corp.contoso.com
    • DNS: corp.contoso.com = 10.0.0.1; nls.corp.contoso.com = ""
    • DNS suffix search list = corp.contoso.com

    The DNS server validates successfully in the configuration UI.

    With this configuration, I get a static IPv6 address of fd79:7a37:cbd9:3333::1/128 assigned to the NIC

    The operations status is all green apart from DNS which displays the following error:

    "DNS: Not Working Properly"

    Error:

    None of the enterprise DNS servers fd79:7a37:cbd9:7777::a00:1 used by DirectAccess clients for name resolution are responding. This might affect DirectAccess client connectivity to corporate resources.

    Causes:

    Enterprise DNS servers fd79:7a37:cbd9:7777::a00:1 are not responding.

    I can, however, ping fd79:7a37:cbd9:7777::a00:1 (which is the DNS64 translation of 10.0.0.1).

    I would like to know what checks are failing as there are no failures in Event Viewer.

    I have come across forums where people have the same issue and fix it by specifying the local IP (in this case 10.0.0.100) as the DNS server, however Richard Hicks has confirmed with me that the DNS server should be set to the DNS server, not the DA server's IP.

    Thursday, August 14, 2014 6:43 AM

All replies

  • Hi Andrew - I have come across this once or twice but good to know it can be reproduced. Had one recently where the DirectAccess Server would not update DNS correctly on the Domain Controller - perhaps worth a check. The webprobe host and connectivity host records were there but not the IPv6 address of the DA Server. The config you have posted all seems "normal" and fine - except I couldn't see an NRPT exclusion for directaccess.contoso.com (with no DNS servers specified) - was this mentioned in the application of the GPOs? Just a question as the first time I ever did this I missed that nugget of information where the internal and external names are the same.

    John Davies

    Saturday, August 16, 2014 11:46 AM
  • Hi John,

    I have added an NRPT exclusion for directaccess.contoso.com which has made no difference (yes I came across that nugget before too and the GPO application did create a warning, but in this lab it did not).  The DNS entries appear ok, but to make sure, here are the registered entries for the DA server:

    • DA1 (AAAA) - fd79:7a37:cbd9:1:0:5efe:10.0.0.100
    • DA1 (A) - 10.0.0.100
    • directaccess-corpConnectivityHost (A) - 127.0.0.1
    • directaccess-corpConnectivityHost (AAAA) - fd79:7a37:cbd9:7777::7f00:1
    • directaccess-WebProbeHost (A) - 10.0.0.100

    Cheers

    Sunday, August 17, 2014 8:01 AM
  • Hi Andrew - so the only things that spring to mind right now are as follows (unless we have found a new feature!)

    Is the IPv6 address on the internal NIC of the DA Server after configuration? I only ask as I have seen instances where this "seems" to disappear. Secondly my thoughts are Windows Firewall. Is the Domain Profile for both DA Server and DC potentially blocking the traffic? Are there any firewalls in between, or is something like AV intercepting the call? Symantec is one I can think of immediately.


    John Davies

    Sunday, August 17, 2014 8:11 AM
  • Hi John,

    The IPv6 address is still present on the DA server's internal NIC.  In this lab, there is no AV software installed (all servers are running on a single Hyper-V host using a private network).

    The Windows Firewall is enabled on both the DA server and DC in default configuration.  I created and applied a GPO that opens all the built-in "Core Networking" rules for both servers but it made no difference.

    I might have to give Wireshark a spin...

    Cheers,

    Andrew

    Sunday, August 17, 2014 11:41 PM
  • Hi,

    Same here, I could not find any solution. Did you find any solution?

    Thursday, August 21, 2014 10:08 AM
  • Hi both - having a conversation (although not being a Hyper-V guru) I believe the network requires to be set to either External or Internal to work. Private bridges the physical NIC on the host and the virtual NIC on the VM and will not allow traffic between the virtual machines on the same host. Please try External for me and see what happens.

    John Davies

    Thursday, August 21, 2014 10:12 AM
  • Hi John,

    A private network in Hyper-V allows communications between VMs on a single host, internal is between them and the host. Network connectivity is working perfectly between the DA server and the DC using private.

    Changing it to external made no difference. My client with the same problem is running on VMWare with an external connection.

    Cheers, Andrew

    Thursday, August 21, 2014 10:41 AM
  • Hi Andrew - good to hear from you - ok, wasn't sure, but now that is clarified that's fine. The client has VMware? Have operated on both and haven't seen this issue at all. Have you tried a config with two (simulated) public IPs to see if any issues occur there? Like you, trying to work out if this is NAT / DA single NIC related or comms between DA Server and DC. Did you manage to run a Wireshark trace with any luck?

    John Davies

    Thursday, August 21, 2014 11:45 AM
  • I ran a Wireshark capture on the DA server and restarted the RaMgmtSvc service and everything seemed normal.

    DNS Filter:

    ICMP filter:

    10.0.0.90 is the NLS server.  Only the ISATAP DNS query is returning "no such name" but that is expected as I'm running an IPv4 internal network and do not have (nor want) ISATAP.

    I'll try nuking the DA server config and setting it up with two NICs and see if that makes any difference, though I don't want to do this at the client site as they have a large network and it would require an insane amount of static routes to be configured on the internal NICs.

    Thursday, August 21, 2014 1:28 PM
  • I had the same issue - it's because I had ISATAP misconfigured.

    Do a route print and validate the route to the fd4f:e9b1:fa17:7777 subnet.

    I had multiple entries and traffic was going through my ISATAP interface instead of the local NIC.

    Thursday, August 28, 2014 4:58 AM
  • Thanks for the post Matt,

    ISATAP has been disabled on my DA server, so the results of a "ROUTE PRINT -6" command yields:

    ===========================================================================
    Interface List
     12...00 15 5d 01 03 64 ......Microsoft Hyper-V Network Adapter
      1...........................Software Loopback Interface 1
     14...00 00 00 00 00 00 00 e0 IPHTTPSInterface
    ===========================================================================

    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination                        Gateway
      1    306 ::1/128                                    On-link
     12    261 fd79:7a37:cbd9::/48                        On-link
     14    306 fd79:7a37:cbd9:1000::/64                   On-link
     14    306 fd79:7a37:cbd9:1000::/128                  On-link
     14    306 fd79:7a37:cbd9:1000::1/128                 On-link
     14    306 fd79:7a37:cbd9:1000::2/128                 On-link
     14    306 fd79:7a37:cbd9:1000:814c:28be:46b5:52c1/128 On-link
     12    261 fd79:7a37:cbd9:3333::1/128                 On-link
     12    261 fd79:7a37:cbd9:7777::/96                   On-link
     12    261 fe80::/64                                   On-link
     14    306 fe80::/64                                   On-link
     12    261 fe80::20c0:e848:d304:9f01/128               On-link
     14    306 fe80::814c:28be:46b5:52c1/128               On-link
      1    306 ff00::/8                                    On-link
     12    261 ff00::/8                                    On-link
     14    306 ff00::/8                                    On-link
    ===========================================================================
    Persistent Routes:
     If Metric Network Destination                        Gateway
      0 4294967295 fd79:7a37:cbd9:1000::/64               On-link
      0 4294967295 fd79:7a37:cbd9::/48                    On-link
      0 4294967295 fd79:7a37:cbd9:7777::/96               On-link
    ===========================================================================

    Thursday, August 28, 2014 5:08 AM
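The DNS64 address in the error ("fd79:7a37:cbd9:7777::a00:1") and the ISATAP AAAA record for DA1 both follow deterministically from the prefixes visible in the route table above, so they can be checked rather than eyeballed. The Python below is an added example, not code from the thread or from DirectAccess itself; it assumes the NAT64 prefix fd79:7a37:cbd9:7777::/96 and the ISATAP prefix fd79:7a37:cbd9:1::/64 shown in this thread.

```python
import ipaddress

# Prefixes taken from the route table and DNS records posted in this thread
# (the DA server's ULA space fd79:7a37:cbd9::/48).
NAT64_PREFIX = ipaddress.IPv6Network("fd79:7a37:cbd9:7777::/96")
ISATAP_PREFIX = ipaddress.IPv6Network("fd79:7a37:cbd9:1::/64")


def nat64_synthesize(prefix: ipaddress.IPv6Network, ipv4: str) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix (RFC 6052 form).

    This is the mapping DNS64 on the DA server applies to every A record it
    hands to clients, e.g. 10.0.0.1 -> fd79:7a37:cbd9:7777::a00:1.
    """
    if prefix.prefixlen != 96:
        raise ValueError("only the /96 embedding form is handled here")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def nat64_extract(prefix: ipaddress.IPv6Network, ipv6: str):
    """Reverse mapping: recover the embedded IPv4 address, or None when the
    address is not inside the NAT64 prefix (e.g. the DA server's own ...3333::1)."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF)


def isatap_address(prefix: ipaddress.IPv6Network, ipv4: str) -> ipaddress.IPv6Address:
    """ISATAP address (RFC 5214): /64 prefix + interface ID 0:5efe:<IPv4>.
    The u/g bit (0200:5efe) is set only for a globally unique IPv4 address, so
    for the RFC 1918 addresses in this lab the identifier starts with 0:5efe."""
    if prefix.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    v4 = ipaddress.IPv4Address(ipv4)
    iid = ((0x0200 if v4.is_global else 0) << 48) | (0x5EFE << 32) | int(v4)
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)


if __name__ == "__main__":
    # Enterprise DNS server named in the "DNS: Not Working Properly" error, mapped back to IPv4.
    print(nat64_extract(NAT64_PREFIX, "fd79:7a37:cbd9:7777::a00:1"))  # 10.0.0.1
    print(nat64_synthesize(NAT64_PREFIX, "127.0.0.1"))                # corpConnectivityHost AAAA
    print(isatap_address(ISATAP_PREFIX, "10.0.0.100"))                # DA1 AAAA record
```

If the address in the error does not map back to the DNS server you configured, the NAT64 prefix the DA server is using differs from the one in its routes, which is worth checking before touching firewall or DNS settings.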
  • Does DNS actually work? 


    Set the DNS to the name or IP of your DirectAccess server (10.0.0.100).


    Friday, August 29, 2014 6:14 AM
  • Make sure your external NIC interface is not trying to reach the DNS server.

    The DNS server should be reached by the inside NIC.

    It should work then.

    Friday, August 29, 2014 6:49 AM
  • Hi Andrew, we ran into the same issue and resolved it by specifying the DA's IPv4 address as the DNS server.  Where did you find Richard confirming that the local DNS server should be required?

    Tuesday, January 20, 2015 4:38 PM
  • Hi Benjamin,

    I got this from Richard during an email conversation, and when discussing this particular aspect I asked him: "In an IPv4 only environment, if I specify the DNS server to be the IPv4 address of the DNS server, it validates fine, but DNS shows as “not working”.  If I change the DNS server to the IPv4 address of the DA server, it validates fine and DNS then changes to “Working properly”.  Others on the interwebs have the same behaviour e.g. http://social.technet.microsoft.com/Forums/windowsserver/en-US/df08fa06-d3fc-4ca9-b4a2-85824a10819a/direct-access-server-dns-error?forum=winserver8setup, but based on what you said, we should NOT use the DA server's IP.  When I set the DNS server to the actual DNS server (10.0.0.1, no IPv6 address) the error is: None of the enterprise DNS servers fd79:7a37:cbd9:7777::a00:1 used by DirectAccess clients for name resolution are responding. However, when I ping fd79:7a37:cbd9:7777::a00:1 from the DA server, it responds.  DNS64 is working perfectly so what darn check is failing I wonder?"

    To which he replied "It’s possible that there is a UI validation bug. Although I’ve not seen this one in particular, there are others and I’ve actually worked with MS to produce a hotfix for one in the past, so they do exist. But ya…definitely don’t configure the DA server’s IP address for DNS. :)"

    Saturday, January 24, 2015 1:45 AM
  • Hi Andrew,

    The DA's IPv4 address should be specified as the DNS server and this is also the default value when you are using the wizard while configuring.

    It's not a validation bug but a very confusing explanation text in the DNS configuration window.

    Friday, August 21, 2015 8:25 PM