Network Location Behavior and NRPT

  • Question

  • I'm troubleshooting my first DirectAccess client and was following this guide.  In step 8, it says to run a netsh command to check the Network Location value.  This value is correct when it is Inside the CorpNet AND it is correct when it is Outside the CorpNet.  However, I am concerned about the "Network Location Behavior" which is set to "Never use Direct Access settings".

    C:\Windows\system32>netsh dnsclient show state

    Name Resolution Policy Table Options
    --------------------------------------------------------------------

    Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                            if the name does not exist in DNS or
                                            if the DNS servers are unreachable
                                            when on a private network

    Query Resolution Behavior             : Resolve only IPv6 addresses for names

    Network Location Behavior             : Never use Direct Access settings

    Machine Location                      : Inside corporate network

    Direct Access Settings                : Not Configured

    DNSSEC Settings                       : Not Configured

     

    I haven't found anything about this setting, where it's configured or whether its value is OK.  I would assume it should be set to use DirectAccess when Outside, but I am only guessing.  Can someone tell me about it or point me to a resource that explains it?

    Furthermore, when I run "netsh namespace show policy" I get an empty list for "DNS Name Resolution Policy Table Settings".  Something seems wrong.

    Friday, May 7, 2010 9:10 PM

Answers

  • Turns out the workstation I was testing on was running Windows 7 Pro and you must use Enterprise or Ultimate for DirectAccess to work.

    http://www.microsoft.com/windows/enterprise/products/windows-7/features.aspx

    Now that I have Enterprise installed I do have settings for my NRPT.

    Name Resolution Policy Table Options
    --------------------------------------------------------------------

    Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                            if the name does not exist in DNS or
                                            if the DNS servers are unreachable
                                            when on a private network

    Query Resolution Behavior             : Resolve only IPv6 addresses for names

    Network Location Behavior             : Let Network ID determine when Direct
                                            Access settings are to be used

    Machine Location                      : Outside corporate network

    Direct Access Settings                : Configured and Enabled

    DNSSEC Settings                       : Not Configured

     So, now on to further troubleshooting...

    • Marked as answer by MrShannon Monday, May 10, 2010 4:29 PM
    Monday, May 10, 2010 4:28 PM

All replies

  • I think it should be:

    Let Network ID determine when DirectAccess settings are to be used.

    Are you sure the client is receiving the Group Policy settings?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, May 7, 2010 11:01 PM
  • The policy is being applied, but I am not sure if the settings in it are correct.

    I am trying to follow the troubleshooting at http://technet.microsoft.com/en-us/library/ee844172(WS.10).aspx and since I am using UAG DA (not just DA), I changed the command in step 6 to "set store gpo="DomainName\UAG DirectAccess: Client{3491980e-ef3c-4ed3-b176-a4420a810f12}"", which is the policy the UAG generated.  I get the message "Ok." but when I do step 7, "consec show rule name="DirectAccess Policy-ClientToDnsDc"", I get the error "No rules match the specified criteria."

    So instead I tried "consec show rule name=all" to see all the rules and I get this:

    Rule Name:                            UAG DirectAccess Client - Exempt NLA
    ----------------------------------------------------------------------
    Enabled:                              Yes
    Profiles:                             Private,Public
    Type:                                 Static
    Mode:                                 Tunnel
    LocalTunnelEndpoint:                  Any
    RemoteTunnelEndpoint:                 Any
    Endpoint1:                            2002:cffa:530a:8000::/49
    Endpoint2:                            2002:cffa:530a:8000:0:5efe:10.54.0.86-2002:cffa:530a:8000:0:5efe:10.54.0.86
    Port1:                                Any
    Port2:                                443
    Protocol:                             TCP
    Action:                               NoAuthentication
    ExemptIPsecProtectedConnections:      No
    ApplyAuthorization:                   No

    Rule Name:                            UAG DirectAccess Client - Clients Corp Tunnel
    ----------------------------------------------------------------------
    Enabled:                              Yes
    Profiles:                             Private,Public
    Type:                                 Static
    Mode:                                 Tunnel
    LocalTunnelEndpoint:                  Any
    RemoteTunnelEndpoint:                 2002:cffa:530a::cffa:530a
    Endpoint1:                            Any
    Endpoint2:                            2002:cffa:530a:8000::/49
    Protocol:                             Any
    Action:                               RequireInRequireOut
    Auth1:                                ComputerCert
    Auth1CAName:                          DC=com, DC=corp, CN=Corp  Enterprise Root CA 2010
    Auth1CertMapping:                     No
    Auth1ExcludeCAName:                   No
    Auth1CertType:                        Intermediate
    Auth1HealthCert:                      No
    Auth2:                                UserKerb
    MainModeSecMethods:                   DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
    QuickModeSecMethods:                  ESP:SHA1-AES192+60min+100000kb
    ExemptIPsecProtectedConnections:      No
    ApplyAuthorization:                   No

    Rule Name:                            UAG DirectAccess Client - Clients Access Enabling Tunnel - All
    ----------------------------------------------------------------------
    Enabled:                              Yes
    Profiles:                             Private,Public
    Type:                                 Static
    Mode:                                 Tunnel
    LocalTunnelEndpoint:                  Any
    RemoteTunnelEndpoint:                 2002:cffa:530b::cffa:530b
    Endpoint1:                            Any
    Endpoint2:                            2002:cffa:530a:8001::8003:1e01-2002:cffa:530a:8001::8003:1e01,
                                          2002:cffa:530a:8000:200:5efe:128.3.30.1-2002:cffa:530a:8000:200:5efe:128.3.30.1,
                                          2002:cffa:530a:8001::800e:1e01-2002:cffa:530a:8001::800e:1e01,
                                          2002:cffa:530a:8000:200:5efe:128.14.30.1-2002:cffa:530a:8000:200:5efe:128.14.30.1,
                                          2002:cffa:530a:8001::a0b:5-2002:cffa:530a:8001::a0b:5,
                                          2002:cffa:530a:8000:0:5efe:10.11.0.5-2002:cffa:530a:8000:0:5efe:10.11.0.5,
                                          2002:cffa:530a:8001::8008:1e01-2002:cffa:530a:8001::8008:1e01,
                                          2002:cffa:530a:8000:200:5efe:128.8.30.1-2002:cffa:530a:8000:200:5efe:128.8.30.1,
                                          2002:cffa:530a:8001::8001:1e02-2002:cffa:530a:8001::8001:1e02,
                                          2002:cffa:530a:8000:200:5efe:128.1.30.2-2002:cffa:530a:8000:200:5efe:128.1.30.2,
                                          2002:cffa:530a:8001::a36:65-2002:cffa:530a:8001::a36:65,
                                          2002:cffa:530a:8000:0:5efe:10.54.0.101-2002:cffa:530a:8000:0:5efe:10.54.0.101,
                                          2002:cffa:530a:8000:0:5efe:10.54.0.101-2002:cffa:530a:8000:0:5efe:10.54.0.101,
                                          2002:cffa:530a:8001::a36:66-2002:cffa:530a:8001::a36:66,
                                          2002:cffa:530a:8000:0:5efe:10.54.0.102-2002:cffa:530a:8000:0:5efe:10.54.0.102,
                                          2002:cffa:530a:8001::800c:1e01-2002:cffa:530a:8001::800c:1e01,
                                          2002:cffa:530a:8000:200:5efe:128.12.30.1-2002:cffa:530a:8000:200:5efe:128.12.30.1,
                                          2002:cffa:530a:8001::a06:5-2002:cffa:530a:8001::a06:5,
                                          2002:cffa:530a:8000:0:5efe:10.6.0.5-2002:cffa:530a:8000:0:5efe:10.6.0.5,
                                          2002:cffa:530a:8001::a36:52-2002:cffa:530a:8001::a36:52,
                                          2002:cffa:530a:8000:0:5efe:10.54.0.82-2002:cffa:530a:8000:0:5efe:10.54.0.82,
                                          2002:cffa:530a:8000:0:5efe:10.54.0.82-2002:cffa:530a:8000:0:5efe:10.54.0.82,
                                          2002:cffa:530b::cffa:530b-2002:cffa:530b::cffa:530b
    Protocol:                             Any
    Action:                               RequireInRequireOut
    Auth1:                                ComputerCert
    Auth1CAName:                          DC=com, DC=corp, CN=Corp Enterprise Root CA 2010
    Auth1CertMapping:                     No
    Auth1ExcludeCAName:                   No
    Auth1CertType:                        Intermediate
    Auth1HealthCert:                      No
    Auth2:                                UserNTLM
    MainModeSecMethods:                   DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
    QuickModeSecMethods:                  ESP:SHA1-AES192+60min+100000kb
    ExemptIPsecProtectedConnections:      No
    ApplyAuthorization:                   No
    Ok.

    I'm not sure if any of that is relevant to UAG DA, but I don't see anything in there about the NRPT which is empty.

    Saturday, May 8, 2010 1:22 PM
  • Interesting, never tried it on Win7 pro...makes sense though ;)
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Proposed as answer by Lindberg Friday, August 28, 2015 9:05 AM
    Monday, May 10, 2010 8:00 PM
  • Correct.

    DA isn't supported on Win7 Professional Edition.

    To see the entries and status of the NRPT, try

    netsh namespace show policy

    and

    netsh namespace show effectivepolicy

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Tuesday, May 11, 2010 2:09 PM
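An added client-side triage script, not part of the original thread, that strings together the checks raised across the posts above: the Windows edition (the Pro finding in the marked answer), whether the DirectAccess client GPO is actually applied (Jason's question), the fields from `netsh dnsclient show state` (the original question), the NRPT entries via `netsh namespace show policy` and `show effectivepolicy` (Tom's reply), and the DirectAccess connection-security rules (the May 8 post). Assumptions not on the page: the applied GPO name contains "DirectAccess" (the UAG-generated name in the thread does); each namespace entry in `netsh namespace show policy` output begins with a "Settings for" line; and the consec rules are read from the active store, which already merges Group Policy rules, rather than by switching netsh to the GPO store as the May 8 post did.

```powershell
# Added example (not from the original thread): DirectAccess / NRPT client triage.
# Run from an elevated PowerShell prompt on the Windows 7 client.
# Assumptions (not stated on the page): the DA client GPO name contains "DirectAccess",
# and each NRPT entry printed by "netsh namespace show policy" starts with "Settings for".

$ErrorActionPreference = 'Continue'
$findings = @()

# Pull "Label : value" out of netsh output; only the first line of a wrapped value is taken.
function Get-NetshValue([string[]]$lines, [string]$label) {
    foreach ($line in $lines) {
        if ($line -match ('^\s*' + [regex]::Escape($label) + '\s*:\s*(.+)$')) {
            return $matches[1].Trim()
        }
    }
    return '(not found)'
}

# 1. Edition: the DirectAccess client ships only in Enterprise and Ultimate.
$os = Get-WmiObject -Class Win32_OperatingSystem
if ($os.Caption -match 'Enterprise|Ultimate') {
    $findings += "OK    edition: $($os.Caption)"
} else {
    $findings += "FAIL  edition: $($os.Caption) - DirectAccess is not available; the NRPT will stay empty"
}

# 2. GPO delivery: is a DirectAccess client GPO among the computer's applied GPOs?
$gp = gpresult /scope computer /r 2>&1 | Out-String
if ($gp -match 'DirectAccess') {
    $findings += "OK    a GPO named *DirectAccess* is applied to the computer"
} else {
    $findings += "WARN  no applied computer GPO mentions DirectAccess; check security-group membership and run gpupdate /force"
}

# 3. NRPT options, the same fields shown by "netsh dnsclient show state" in the thread.
$state      = netsh dnsclient show state
$behavior   = Get-NetshValue $state 'Network Location Behavior'
$location   = Get-NetshValue $state 'Machine Location'
$daSettings = Get-NetshValue $state 'Direct Access Settings'

if ($behavior -like 'Never use*') {
    $findings += "FAIL  Network Location Behavior = '$behavior' (expected 'Let Network ID determine ...')"
} else {
    $findings += "OK    Network Location Behavior = '$behavior'"
}
$findings += "INFO  Machine Location = '$location'"
if ($daSettings -like 'Not Configured*') {
    $findings += "FAIL  Direct Access Settings = '$daSettings'"
} else {
    $findings += "OK    Direct Access Settings = '$daSettings'"
}

# 4. NRPT contents: entries configured by policy vs. the table in effect right now
#    (inside the corpnet the effective table is expected to be empty).
$configured = @(netsh namespace show policy          | Select-String -Pattern '^\s*Settings for ').Count
$effective  = @(netsh namespace show effectivepolicy | Select-String -Pattern '^\s*Settings for ').Count
if ($configured -eq 0) {
    $findings += "FAIL  NRPT has no entries (netsh namespace show policy is empty)"
} else {
    $findings += "OK    NRPT entries configured: $configured, currently effective: $effective"
}

# 5. Connection-security rules delivered for DirectAccess, read from the active store
#    (which includes rules merged in from Group Policy).
$rules = @(netsh advfirewall consec show rule name=all |
           Select-String -Pattern '^\s*Rule Name:\s*(.+DirectAccess.+)$')
$findings += "INFO  DirectAccess consec rules present: $($rules.Count)"
foreach ($r in $rules) { $findings += "      $($r.Matches[0].Groups[1].Value.Trim())" }

$findings
```

Read the output top down: a FAIL on the edition line explains every later FAIL, and a WARN on GPO delivery explains an empty NRPT even on Enterprise. Only once those two are OK do the Network Location Behavior and NRPT lines tell you anything about the DirectAccess configuration itself.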