DirectAccess clients DNS resolving issue

  • Question

  • Hello,

    I have configured DA. Then I go to the DA server components monitor and I see

    green icons near: Teredo Relay, Teredo server, ISATAP, DNS server.

    Then I checked my client configuration with:

    netsh namespace show effectivepolicy

    I see this result:


    DNS Effective Name Resolution Policy Table Settings
    
    Settings for .mydomain.lt
    ----------------------------------------------------------------------
    Certification authority                : DC=lt, DC=mydomain, CN=mydomain-ROOTCA
    DNSSEC (Validation)                  : disabled
    IPsec settings                           : disabled
    DirectAccess (DNS Servers)       : 2002:xxxx:xxxx:1:0:5efe:172.30.16.xxx
                                                              2002:xxxx:xxxx:1:0:5efe:172.30.16.xxx
    DirectAccess (Proxy Settings)           : Bypass proxy
    Settings for crl.mydomain.lt
    ----------------------------------------------------------------------
    .....


    Then I try to ping the DNS servers at 2002:xxxx:xxxx:1:0:5efe:172.30.16.xxx and 2002:xxxx:xxxx:1:0:5efe:172.30.16.xxx. Ping OK.

    After this I ping the two external IPv4 addresses of my DirectAccess server, and the ping is OK too.

    Then I try to ping the FQDNs of my DA server and DNS server and I get "Ping request could not find host DA".

    I tried to check Teredo connectivity (link: http://technet.microsoft.com/en-us/library/ee844188(WS.10).aspx) and I see a problem when I run the command from that article: from the netsh advfirewall prompt, run the set store gpo="DomainName\DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}" command. I see the result "Unable to contacts the specified domain. Make sure that the domain is valid and accesible, and then try your request again".

    Please help me resolve these problems.


    • Edited by DimiKo Tuesday, December 27, 2011 1:37 PM
    Tuesday, December 27, 2011 12:41 PM

Answers

  • I see a couple of things:

    1. You are not getting an IPv6 address. You need to have an IPv6 address on your client from either the 6to4, Teredo or IP-HTTPS adapters for DA to work. I see you are connecting with a mobile broadband card - there are known problems with 6to4 sometimes causing trouble when using these kinds of cards. Please disable 6to4 (so that Teredo will attempt to connect instead) by typing the command netsh interface 6to4 set state disabled on the laptop.

    2. Is the Windows Firewall turned off on the laptop? If so, please turn it on and then do another Group Policy refresh while you are connected to the corporate network so that the Firewall can get all of its settings. The Windows Firewall needs to be active on both the server and on the clients for DA to work.

    • Marked as answer by DimiKo Thursday, January 5, 2012 2:31 PM
    • Unmarked as answer by DimiKo Thursday, January 5, 2012 2:32 PM
    • Marked as answer by DimiKo Thursday, January 5, 2012 2:32 PM
    • Unmarked as answer by DimiKo Thursday, January 5, 2012 2:35 PM
    • Marked as answer by DimiKo Monday, January 16, 2012 12:32 PM
    Tuesday, January 3, 2012 2:18 PM
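The first point above (no IPv6 address on any of the 6to4, Teredo or IP-HTTPS adapters), as an added example that is not code from the thread or from Microsoft: a Python check that parses ipconfig /all text and reports, per DirectAccess transition adapter, whether it has media and holds a non-link-local IPv6 address. The sample output is trimmed from the ipconfig the poster attached later in the thread; the "Teredo up" variant and its 2001:0:... address are constructed.

```python
import re
from typing import Dict, List, Optional

# "   Field Name . . . . : value" lines inside an adapter section.
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 \-]*?)[ .]*: ?(.*)$")

# Constructed sample, trimmed from the "ipconfig /all" output in the thread.
SAMPLE_HEAD = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : HP
   Primary Dns Suffix  . . . . . . . : mydomain.lt

Ethernet adapter Local Area Connection 3:

   Description . . . . . . . . . . . : Vodafone Mobile Broadband Network Adapter (Huawei) #2
   Link-local IPv6 Address . . . . . : fe80::4da4:21ce:e6f4:5e06%21(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.1.xx.xxx(Preferred)

Tunnel adapter Local Area Connection* 11:

"""
TEREDO_DOWN = ("   Media State . . . . . . . . . . . : Media disconnected\n"
               "   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface\n")
# Constructed "healthy" variant: Teredo came up and obtained a 2001:0::/32 address.
TEREDO_UP = ("   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface\n"
             "   IPv6 Address. . . . . . . . . . . : 2001:0:c3c9:5206:1c31:2d24:f5fe:fcfc(Preferred)\n"
             "   Link-local IPv6 Address . . . . . : fe80::1c31:2d24:f5fe:fcfc%12(Preferred)\n")
SAMPLE_TAIL = """
Tunnel adapter iphttpsinterface:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : iphttpsinterface

Tunnel adapter 6TO4 Adapter:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : Microsoft 6to4 Adapter
"""
SAMPLE_IPCONFIG = SAMPLE_HEAD + TEREDO_DOWN + SAMPLE_TAIL            # as in the thread
SAMPLE_IPCONFIG_TEREDO_UP = SAMPLE_HEAD + TEREDO_UP + SAMPLE_TAIL    # constructed


def parse_ipconfig(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Map each adapter section to {field: [values]}; repeated fields
    (several IPv6 addresses or DNS servers) accumulate in the list."""
    adapters: Dict[str, Dict[str, List[str]]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # section header, e.g. "Tunnel adapter 6TO4 Adapter:"
            current = line.strip().rstrip(":")
            adapters[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            adapters[current].setdefault(m.group(1).strip(), []).append(m.group(2).strip())
    return adapters


# Substring of the adapter description that identifies each transition technology.
TRANSITION = {"6to4": "6to4", "Teredo": "teredo", "IP-HTTPS": "iphttps"}


def transition_status(text: str) -> Dict[str, Dict[str, object]]:
    """For each DirectAccess transition technology, report whether its tunnel
    adapter has media and the first non-link-local IPv6 address it holds."""
    status: Dict[str, Dict[str, object]] = {}
    for header, fields in parse_ipconfig(text).items():
        desc = " ".join(fields.get("Description", [])).lower()
        for tech, needle in TRANSITION.items():
            if needle in desc:
                # "IPv6 Address" is the global address field; link-local has its own field.
                addrs = [a.split("(")[0] for a in fields.get("IPv6 Address", [])]
                status[tech] = {
                    "adapter": header,
                    "connected": "Media disconnected" not in fields.get("Media State", []),
                    "address": addrs[0] if addrs else None,
                }
    return status


def has_da_ipv6(text: str) -> bool:
    """True when some transition adapter is up with a global IPv6 address,
    the precondition the answer names before DirectAccess tunnels can form."""
    return any(s["connected"] and s["address"] for s in transition_status(text).values())


if __name__ == "__main__":
    for label, sample in (("thread", SAMPLE_IPCONFIG), ("teredo up", SAMPLE_IPCONFIG_TEREDO_UP)):
        print(label, "-> DA-capable IPv6 address:", has_da_ipv6(sample))
        for tech, s in transition_status(sample).items():
            print(f"  {tech:8} connected={s['connected']} address={s['address']}")
```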
  • You should only need one public DNS host record created. This record is for IP-HTTPS: the public DNS name is one that you need to choose for IP-HTTPS to listen on, and its host record needs to point at the primary IPv4 address of your server. The location of your CRL record depends on what SSL certificate you are using on the server for IP-HTTPS. If you are using an SSL cert that was issued by your internal CA server, I recommend you give that up and go purchase a certificate from a public CA. When you do this, then you do not have to worry about the CRL because they take care of it for you.

    In your responses you keep mentioning "da.mydomain.it" - I assumed you were doing this so that your real public URL stayed hidden. This is the IP-HTTPS listener name and this is the place where you have to create a real DNS host record, point it at the primary public IP of the server, and acquire an SSL certificate for this name to place onto the server.

    • Marked as answer by DimiKo Monday, January 16, 2012 12:32 PM
    Tuesday, January 10, 2012 11:55 AM
  • Your IP-HTTPS doesn't work because the IP-HTTPS URL da.mydomain.lt is in the corp DNS suffix of .mydomain.lt.

    This is a split-brain DNS scenario, where you should add "da.mydomain.lt" as an exemption entry in NRPT.

    In UAG DA this exemption gets added automatically, but you are using Windows 2008 R2 DA, so you'll have to add this entry manually.

    You can read about it here:

    http://technet.microsoft.com/en-us/library/ee382323(WS.10).aspx

    • Marked as answer by DimiKo Monday, January 16, 2012 12:32 PM
    Tuesday, January 10, 2012 4:52 PM
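The split-brain condition this answer describes, as an added example that is not code from the thread or from Microsoft: a Python parser for the netsh namespace show effectivepolicy output the poster pasted, which reports whether the IP-HTTPS listener name is caught by the internal suffix rule without an exemption entry. The NRPT text is constructed to match the thread, the da.mydomain.lt exemption shows the fix, and rule selection assumes NRPT's most-specific (longest) match.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample modelled on the "netsh namespace show effectivepolicy"
# output in the thread (addresses masked the way the poster masked them).
SAMPLE_NRPT = """\
DNS Effective Name Resolution Policy Table Settings

Settings for .mydomain.lt
----------------------------------------------------------------------
Certification authority                 : DC=lt, DC=mydomain, CN=mydomain-ROOTCA
DNSSEC (Validation)                     : disabled
IPsec settings                          : disabled
DirectAccess (DNS Servers)              : 2002:xxxx:xxxx:1:0:5efe:172.30.16.xxx
                                          2002:xxxx:xxxx:1:0:5efe:172.30.16.xxx
DirectAccess (Proxy Settings)           : Bypass proxy

Settings for crl.mydomain.lt
----------------------------------------------------------------------
DirectAccess (DNS Servers)              :
DirectAccess (Proxy Settings)           : Bypass proxy

Settings for nls.mydomain.lt
----------------------------------------------------------------------
DirectAccess (DNS Servers)              :
DirectAccess (Proxy Settings)           : Bypass proxy
"""

# The same table after the fix the answer describes: an exemption entry
# (a rule with no DirectAccess DNS servers) for the IP-HTTPS listener name.
SAMPLE_NRPT_FIXED = SAMPLE_NRPT + """
Settings for da.mydomain.lt
----------------------------------------------------------------------
DirectAccess (DNS Servers)              :
DirectAccess (Proxy Settings)           : Bypass proxy
"""


def parse_nrpt(text: str) -> Dict[str, List[str]]:
    """Map each NRPT rule name to its DirectAccess DNS server list.
    An empty list means the rule is an exemption: names it matches go to the
    interface (public) DNS servers instead of the DirectAccess ones."""
    rules: Dict[str, List[str]] = {}
    current: Optional[str] = None
    key: Optional[str] = None
    for line in text.splitlines():
        m = re.match(r"Settings for (\S+)", line)
        if m:
            current = m.group(1).lower()
            rules[current] = []
            key = None
            continue
        if current is None or not line.strip() or line.startswith("---"):
            continue
        if line[0].isspace():
            value = line.strip()                 # continuation line: second DNS server
        else:
            key, _, value = line.partition(":")  # IPv6 values also contain ':', so split once
            key, value = key.strip(), value.strip()
        if key == "DirectAccess (DNS Servers)" and value:
            rules[current].append(value)
    return rules


def match_rule(rules: Dict[str, List[str]], fqdn: str) -> Optional[str]:
    """Pick the NRPT rule that applies to fqdn: a leading dot marks a suffix
    rule; the longest match wins, so an exact-name rule beats its suffix."""
    fqdn = fqdn.lower().rstrip(".")
    best: Optional[str] = None
    for name in rules:
        hit = fqdn.endswith(name) if name.startswith(".") else fqdn == name
        if hit and (best is None or len(name) > len(best)):
            best = name
    return best


def check_iphttps_name(nrpt_text: str, iphttps_url: str) -> Tuple[str, str]:
    """Classify how the client will resolve the IP-HTTPS listener name.
    'split-brain' is the failure in the thread: the public name falls under the
    internal suffix rule, so the query is sent to DirectAccess DNS servers that
    are only reachable once the tunnel (which itself needs this name) is up."""
    host = urlparse(iphttps_url).hostname or ""
    rules = parse_nrpt(nrpt_text)
    rule = match_rule(rules, host)
    if rule is None:
        return "ok", f"{host}: no NRPT rule, resolved by the interface DNS servers"
    if rules[rule]:
        return "split-brain", (f"{host} matches suffix rule {rule} -> DA DNS "
                               f"{', '.join(rules[rule])}; add an NRPT exemption for {host}")
    return "ok", f"{host}: exemption rule {rule} applies"


if __name__ == "__main__":
    for label, table in (("before", SAMPLE_NRPT), ("after", SAMPLE_NRPT_FIXED)):
        status, detail = check_iphttps_name(table, "https://da.mydomain.lt:443/IPHTTPS")
        print(f"{label}: {status} - {detail}")
```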
  • This log looks good! Usually the final verifier that DirectAccess is functional is the existence of IPsec tunnels, and your log shows successful tunnels.

    To include another DNS namespace in your DA connection you must add the new suffix into your NRPT. Add *.mydomain2.It into the NRPT and point it at the same DNS servers that your primary DNS suffix is pointing to.

    The Connectivity Assistant is showing that status because it hasn't been configured with a connectivity verifier yet. A connectivity verifier is basically an intranet website or file sitting somewhere inside your corporate network that the DCA queries. If it can see the specified website or file, the DCA (DirectAccess Connectivity Assistant) reports a status of "good", and if it cannot see the item you specified then it reports "bad" (even if DirectAccess is actually connected successfully). Here is a link that will get you started on configuring and deploying the DCA:

    http://technet.microsoft.com/en-us/library/ff453413(WS.10).aspx

    Just a quick tip: don't use your NLS website as a connectivity verifier; DA clients cannot see the NLS website while they are connected over DA, by design :) This is a very common mistake.

    • Marked as answer by DimiKo Monday, January 16, 2012 12:31 PM
    Monday, January 16, 2012 11:51 AM

All replies

  • Hello,

    Here I can see that your command "netsh namespace show effectivepolicy" only shows you the settings for mydomain.it, not the exemption for the fully qualified domain name (FQDN) of the network location server.

    Check your NLS configuration.

    Regards



    • Edited by Dharm Singh Tuesday, December 27, 2011 5:22 PM
    Tuesday, December 27, 2011 5:22 PM
  • It shows NLS too, because I pasted only the first records.

    All records for the command "netsh namespace show effectivepolicy":

    Settings for .mydomain.lt
    ----------------------------------------------------------------------
    Certification authority                 : DC=lt, DC=mydomain, CN=mydomain-ROOTCA
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              : 2002:xxxx:xxxx:1:0:5efe:172.30.16.xxx
                                              2002:xxxx:xxxx:1:0:5efe:172.30.16.xxx
    DirectAccess (Proxy Settings)           : Bypass proxy
    
    
    
    Settings for crl.mydomain.lt
    ----------------------------------------------------------------------
    Certification authority                 : DC=lt, DC=mydomain, CN=mydomain-ROOTCA
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              : 
    DirectAccess (Proxy Settings)           : Bypass proxy
    
    
    
    Settings for nls.mydomain.lt
    ----------------------------------------------------------------------
    Certification authority                 : DC=lt, DC=mydomain, CN=mydomain-ROOTCA
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              : 
    DirectAccess (Proxy Settings)           : Bypass proxy


    I tried the command nltest /dsgetdc: and got the error: Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

    The firewall on the DA server is turned off for testing.

    Any suggestions?

    • Edited by DimiKo Wednesday, December 28, 2011 11:58 AM
    Tuesday, December 27, 2011 8:11 PM
  • Well, right now your DA is definitely not going to work if you have disabled the Windows Firewall on the DA server. Windows Firewall is an integral part of the way DirectAccess functions. By disabling it you have completely broken DirectAccess...

    Once you re-enable the firewall, go through the activation steps again to make sure the settings get put back into the Firewall and then try your connection again. If it's still not working, install the DirectAccess Connectivity Assistant onto your test client machine - the logs that it outputs will provide a lot of good information that we can use to help you troubleshoot.

    Thanks!

    Tuesday, January 3, 2012 1:47 AM
  • I enabled the firewall on the DA server and I got the same errors.

    Can you look at this information that I got from the DA Connectivity Assistant?

    RED: Corporate connectivity is not working.
    Microsoft DirectAccess Connectivity Assistant is not properly configured. Please contact your administrator if this problem persists.
    3/1/2012 6:27:57 (UTC)
    
    
    C:\Windows\system32\LogSpace\{E7085A1A-2B5B-497E-B376-D9AEAE9C0892}>ipconfig /all 
    
    Windows IP Configuration
    
       Host Name . . . . . . . . . . . . : HP
       Primary Dns Suffix  . . . . . . . : mydomain.lt
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : mydomain.lt
    
    Ethernet adapter Local Area Connection 3:
    
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Vodafone Mobile Broadband Network Adapter (Huawei) #2
       Physical Address. . . . . . . . . : 00-1E-10-1F-XX-XX
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::4da4:21ce:e6f4:5e06%21(Preferred) 
       IPv4 Address. . . . . . . . . . . : 10.1.xx.xxx(Preferred) 
       Subnet Mask . . . . . . . . . . . : 255.255.255.252
       Lease Obtained. . . . . . . . . . : 2012 m. sausio 3 d. 08:26:58
       Lease Expires . . . . . . . . . . : 2012 m. sausio 3 d. 10:27:54
       Default Gateway . . . . . . . . . : 10.1.xx.xxx
       DHCP Server . . . . . . . . . . . : 10.1.xx.xxx
       DHCPv6 IAID . . . . . . . . . . . : 402660880
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-4C-AB-5A-D8-xx-xx-xx-xx-xx
       DNS Servers . . . . . . . . . . . : 213.226.xxx.xxx
                                           193.219.xx.xx
       NetBIOS over Tcpip. . . . . . . . : Enabled
    
    Wireless LAN adapter Wireless Network Connection:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Broadcom 43224AG 802.11a/b/g/draft-n Wi-Fi Adapter
       Physical Address. . . . . . . . . : 00-26-82-64-XX-XX
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    
    Ethernet adapter Bluetooth Network Connection:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
       Physical Address. . . . . . . . . : 00-27-13-C2-XX-XX
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    
    Ethernet adapter Local Area Connection:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : mydomain.lt
       Description . . . . . . . . . . . : Marvell Yukon 88E8072 PCI-E Gigabit Ethernet Controller
       Physical Address. . . . . . . . . : D8-D3-85-22-XX-XX
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    
    Tunnel adapter isatap.{4FB7BD38-DE1F-4413-8765-5DA961445EAC}:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    
    Tunnel adapter Local Area Connection* 11:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    
    Tunnel adapter isatap.{E5319B00-34A8-4D84-AC71-08E554A8C8C6}:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    
    Tunnel adapter isatap.mydomain.lt:
    
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Default Gateway . . . . . . . . . : 
       NetBIOS over Tcpip. . . . . . . . : Disabled
    
    Tunnel adapter isatap.{C9E042A0-04D0-4767-8B8E-A5792348373F}:
    
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Default Gateway . . . . . . . . . : 
       NetBIOS over Tcpip. . . . . . . . : Disabled
    
    Tunnel adapter iphttpsinterface:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : iphttpsinterface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    
    Tunnel adapter 6TO4 Adapter:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Microsoft 6to4 Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    
    C:\Windows\system32\LogSpace\{E7085A1A-2B5B-497E-B376-D9AEAE9C0892}>netsh int teredo show state 
    Teredo Parameters
    ---------------------------------------------
    Type                    : client
    Server Name             : 195.xxx.xx.x (Group Policy) 
    Client Refresh Interval : 30 seconds
    Client Port             : unspecified
    State                   : probe (primary server)
    Client Type             : teredo client
    Network                 : unmanaged
    
    
    C:\Windows\system32\LogSpace\{E7085A1A-2B5B-497E-B376-D9AEAE9C0892}>netsh int httpstunnel show interfaces 
    
    Interface IPHTTPSInterface (Group Policy)  Parameters
    ------------------------------------------------------------
    Role                       : client
    URL                        : https://da.mydomain.lt:443/IPHTTPS
    Last Error Code            : 0x0
    Interface Status           : IPHTTPS interface deactivated 
    
    
    C:\Windows\system32\LogSpace\{E7085A1A-2B5B-497E-B376-D9AEAE9C0892}>netsh dns show state 
    
    Name Resolution Policy Table Options 
    -------------------------------------------------------------------- 
    
    Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                            if the name does not exist in DNS or
                                            if the DNS servers are unreachable
                                            when on a private network
    
    Query Resolution Behavior             : Resolve only IPv6 addresses for names
    
    Network Location Behavior             : Let Network ID determine when Direct
                                            Access settings are to be used
    
    Machine Location                      : Outside corporate network
    
    Direct Access Settings                : Configured and Enabled
    
    DNSSEC Settings                       : Not Configured
    
    
    C:\Windows\system32\LogSpace\{E7085A1A-2B5B-497E-B376-D9AEAE9C0892}>netsh name show policy 
    
    DNS Name Resolution Policy Table Settings
    
    Settings for nls.mydomain.lt
    ----------------------------------------------------------------------
    Certification authority                 : DC=lt, DC=mydomain, CN=mydomain-ROOTCA
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              : 
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Bypass proxy
    
    
    
    Settings for .mydomain.lt
    ----------------------------------------------------------------------
    Certification authority                 : DC=lt, DC=mydomain, CN=mydomain-ROOTCA
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              : 2002:xxxx:5206:1:0:5efe:172.xx.xx.x30
                                              2002:xxxx:5206:1:0:5efe:172.xx.xx.x00
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Bypass proxy
    
    
    
    
    C:\Windows\system32\LogSpace\{E7085A1A-2B5B-497E-B376-D9AEAE9C0892}>netsh name show effective 
    
    DNS Effective Name Resolution Policy Table Settings
    
    
    Settings for nls.mydomain.lt
    ----------------------------------------------------------------------
    Certification authority                 : DC=lt, DC=mydomain, CN=mydomain-ROOTCA
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              : 
    DirectAccess (Proxy Settings)           : Bypass proxy
    
    
    
    Settings for .mydomain.lt
    ----------------------------------------------------------------------
    Certification authority                 : DC=lt, DC=mydomain, CN=mydomain-ROOTCA
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              : 2002:xxxx:5206:1:0:5efe:172.xx.xx.x30
                                              2002:xxxx:5206:1:0:5efe:172.xx.xx.x00
    DirectAccess (Proxy Settings)           : Bypass proxy
    
    
    
    
    C:\Windows\system32\LogSpace\{E7085A1A-2B5B-497E-B376-D9AEAE9C0892}>netsh int ipv6 show int level=verbose  
    
    Interface Loopback Pseudo-Interface 1 Parameters
    ----------------------------------------------
    IfLuid                             : loopback_0
    IfIndex                            : 1
    State                              : connected
    Metric                             : 50
    Link MTU                           : 4294967295 bytes
    Reachable Time                     : 32000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : disabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    
    Interface Wireless Network Connection Parameters
    ----------------------------------------------
    IfLuid                             : wireless_0
    IfIndex                            : 16
    State                              : disconnected
    Metric                             : 5
    Link MTU                           : 1500 bytes
    Reachable Time                     : 41500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    
    Interface isatap.{4FB7BD38-DE1F-4413-8765-5DA961445EAC} Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_4
    IfIndex                            : 11
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 29000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    
    Interface Local Area Connection* 11 Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_5
    IfIndex                            : 12
    State                              : connected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 11000 ms
    Base Reachable Time                : 15000 ms
    Retransmission Interval            : 2000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    
    Interface Local Area Connection Parameters
    ----------------------------------------------
    IfLuid                             : ethernet_6
    IfIndex                            : 10
    State                              : disconnected
    Metric                             : 10
    Link MTU                           : 1500 bytes
    Reachable Time                     : 41000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : enabled
    Other Stateful Configuration       : enabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    
    Interface isatap.{E5319B00-34A8-4D84-AC71-08E554A8C8C6} Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_6
    IfIndex                            : 15
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 34500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    
    Interface isatap.mydomain.lt Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_7
    IfIndex                            : 17
    State                              : connected
    Metric                             : 10
    Link MTU                           : 1280 bytes
    Reachable Time                     : 31500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    
    Interface isatap.{C9E042A0-04D0-4767-8B8E-A5792348373F} Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_8
    IfIndex                            : 19
    State                              : connected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 39000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    
    Interface Bluetooth Network Connection Parameters
    ----------------------------------------------
    IfLuid                             : ethernet_9
    IfIndex                            : 14
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1477 bytes
    Reachable Time                     : 17000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    
    Interface iphttpsinterface Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_9
    IfIndex                            : 22
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 38000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : enabled
    Other Stateful Configuration       : enabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    
    Interface 6TO4 Adapter Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_10
    IfIndex                            : 23
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 25500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : disabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    
    Interface Local Area Connection 3 Parameters
    ----------------------------------------------
    IfLuid                             : ethernet_11
    IfIndex                            : 21
    State                              : connected
    Metric                             : 30
    Link MTU                           : 1500 bytes
    Reachable Time                     : 19500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : enabled
    Other Stateful Configuration       : enabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    
    
    C:\Windows\system32\LogSpace\{E7085A1A-2B5B-497E-B376-D9AEAE9C0892}>netsh advf show currentprofile 
    
    Public Profile Settings: 
    ----------------------------------------------------------------------
    State                                 OFF
    Firewall Policy                       BlockInbound,AllowOutbound
    LocalFirewallRules                    N/A (GPO-store only)
    LocalConSecRules                      N/A (GPO-store only)
    InboundUserNotification               Enable
    RemoteManagement                      Disable
    UnicastResponseToMulticast            Enable
    
    Logging:
    LogAllowedConnections                 Disable
    LogDroppedConnections                 Disable
    FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
    MaxFileSize                           4096
    
    Ok.
    
    
    C:\Windows\system32\LogSpace\{E7085A1A-2B5B-497E-B376-D9AEAE9C0892}>netsh advfirewall monitor show consec 
    
    Global Settings: 
    ----------------------------------------------------------------------
    IPsec:
    StrongCRLCheck                        0:Disabled
    SAIdleTimeMin                         5min
    DefaultExemptions                     ICMP
    IPsecThroughNAT                       Never
    AuthzUserGrp                          None
    AuthzComputerGrp                      None
    
    StatefulFTP                           Enable
    StatefulPPTP                          Enable
    
    Main Mode:
    KeyLifetime                           60min,0sess
    SecMethods                            DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
    ForceDH                               No
    
    Categories:
    BootTimeRuleCategory                  Windows Firewall
    FirewallRuleCategory                  Windows Firewall
    StealthRuleCategory                   Windows Firewall
    ConSecRuleRuleCategory                Windows Firewall
    
    
    Quick Mode:
    QuickModeSecMethods                   ESP:SHA1-None+60min+100000kb,ESP:SHA1-AES128+60min+100000kb,ESP:SHA1-3DES+60min+100000kb,AH:SHA1+60min+100000kb
    QuickModePFS                          None
    
    Security Associations:
    
    No SAs match the specified criteria.
    
    
    C:\Windows\system32\LogSpace\{E7085A1A-2B5B-497E-B376-D9AEAE9C0892}>Certutil -store my  
    my
    ================ Certificate 0 ================
    Serial Number: xxxxxxxxxxxxxxxxxxxxxxxx
    Issuer: CN=mydomain-ROOTCA, DC=mydomain, DC=lt
     NotBefore: 2011.12.08 16:33
     NotAfter: 2012.12.07 16:33
    Subject: EMPTY (DNS Name=HP.mydomain.lt)
    Non-root Certificate
    Template: 1.3.6.1.4.1.311.21.8.12336345.6597069.1788089.8498174.7138791.248.13583503.1881168
    Cert Hash(sha1):xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      Key Container = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      Simple container name: le-mydomain-DomainMachineAuthentication!0028DirectAccess!xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      Provider = Microsoft RSA SChannel Cryptographic Provider
    Private key is NOT exportable
    Encryption test passed
    CertUtil: -store command completed successfully.
    
    C:\Windows\system32\LogSpace\{E7085A1A-2B5B-497E-B376-D9AEAE9C0892}>Systeminfo
    
    Host Name:                 HP
    OS Name:                   Microsoft Windows 7 Enterprise 
    OS Version:                6.1.7601 Service Pack 1 Build 7601
    OS Manufacturer:           Microsoft Corporation
    OS Configuration:          Member Workstation
    OS Build Type:             Multiprocessor Free
    Registered Owner:          Laikinas
    Registered Organization:   
    Product ID:                00392-918-5000002-85588
    Original Install Date:     2011.04.29, 10:23:15
    System Boot Time:          2012.01.03, 07:43:55
    System Manufacturer:       Hewlett-Packard
    System Model:              HP ProBook
    System Type:               X86-based PC
    Processor(s):              1 Processor(s) Installed.
                               [01]: x64 Family 16 Model 6 Stepping 2 AuthenticAMD ~1491 Mhz
    BIOS Version:              Hewlett-Packard 68CPP Ver. F.06, 2010.01.25
    Windows Directory:         C:\Windows
    System Directory:          C:\Windows\system32
    Boot Device:               \Device\HarddiskVolume1
    System Locale:             lt;Lithuanian
    Input Locale:              en-us;English (United States)
    Time Zone:                 (UTC+02:00) Helsinki, Kyiv, Riga, Sofia, Tallinn, Vilnius
    Total Physical Memory:     1.789 MB
    Available Physical Memory: 1.187 MB
    Virtual Memory: Max Size:  3.578 MB
    Virtual Memory: Available: 2.818 MB
    Virtual Memory: In Use:    760 MB
    Page File Location(s):     C:\pagefile.sys
    Domain:                    mydomain.lt
    Logon Server:              N/A
    Hotfix(s):                 65 Hotfix(s) Installed.
                               [01]: KB982861
                               [02]: KB982861
                               [03]: 982861
                               [04]: KB958830
                               [05]: KB971033
                               [06]: KB2305420
                               [07]: KB2393802
                               [08]: KB2425227
                               [09]: KB2446710
                               [10]: KB2479943
                               [11]: KB2484033
                               [12]: KB2488113
                               [13]: KB2491683
                               [14]: KB2492386
                               [15]: KB2497640
                               [16]: KB2502285
                               [17]: KB2503658
                               [18]: KB2503665
                               [19]: KB2505438
                               [20]: KB2506212
                               [21]: KB2506223
                               [22]: KB2506928
                               [23]: KB2507618
                               [24]: KB2508272
                               [25]: KB2508429
                               [26]: KB2509553
                               [27]: KB2510531
                               [28]: KB2511250
                               [29]: KB2511455
                               [30]: KB2515325
                               [31]: KB2518869
                               [32]: KB2522422
                               [33]: KB2524375
                               [34]: KB2533552
                               [35]: KB2536275
                               [36]: KB2536276
                               [37]: KB2539635
                               [38]: KB2541014
                               [39]: KB2544893
                               [40]: KB2545698
                               [41]: KB2547666
                               [42]: KB2552343
                               [43]: KB2560656
                               [44]: KB2563227
                               [45]: KB2564958
                               [46]: KB2567680
                               [47]: KB2570947
                               [48]: KB2572077
                               [49]: KB2579686
                               [50]: KB2588516
                               [51]: KB2607576
                               [52]: KB2618444
                               [53]: KB2618451
                               [54]: KB2619339
                               [55]: KB2620704
                               [56]: KB2620712
                               [57]: KB2633171
                               [58]: KB2633952
                               [59]: KB2639417
                               [60]: KB2641690
                               [61]: KB958488
                               [62]: KB976002
                               [63]: KB976902
                               [64]: KB976932
                               [65]: KB982018
    Network Card(s):           4 NIC(s) Installed.
                               [01]: Marvell Yukon 88E8072 PCI-E Gigabit Ethernet Controller
                                     Connection Name: Local Area Connection
                                     Status:          Media disconnected
                               [02]: Bluetooth Device (Personal Area Network)
                                     Connection Name: Bluetooth Network Connection
                                     Status:          Media disconnected
                               [03]: Broadcom 43224AG 802.11a/b/g/draft-n Wi-Fi Adapter
                                     Connection Name: Wireless Network Connection
                                     Status:          Media disconnected
                               [04]: Vodafone Mobile Broadband Network Adapter (Huawei)
                                     Connection Name: Local Area Connection 3
                                     DHCP Enabled:    Yes
                                     DHCP Server:     10.1.xx.xxx
                                     IP address(es)
                                     [01]: 10.1.xx.xxx
                                     [02]: fe80::4da4:21ce:e6f4:5e06
    
    C:\Windows\system32\LogSpace\{E7085A1A-2B5B-497E-B376-D9AEAE9C0892}>whoami /groups  
    
    GROUP INFORMATION
    -----------------
    
    Group Name                             Type             SID          Attributes                                        
    ====================================== ================ ============ ==================================================
    BUILTIN\Administrators                 Alias            S-1-5-32-544 Enabled by default, Enabled group, Group owner    
    Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
    Mandatory Label\System Mandatory Level Label            S-1-16-16384                                                   
    


     


    • Edited by DimiKo Tuesday, January 3, 2012 6:48 AM
    Tuesday, January 3, 2012 6:46 AM
  • I see a couple of things:

    1. You are not getting an IPv6 address. You need to have an IPv6 address on your client from either the 6to4, Teredo or IP-HTTPS adapters for DA to work. I see you are connecting with a mobile broadband card - there are known problems with 6to4 sometimes causing trouble when using these kinds of cards. Please disable 6to4 (so that Teredo will attempt to connect instead) by typing the command netsh interface 6to4 set state disabled on the laptop.

    2. Is the Windows Firewall turned off on the laptop? If so, please turn it on and then do another Group Policy refresh while you are connected to the corporate network so that the Firewall can get all of its settings. The Windows Firewall needs to be active on both the server and on the clients for DA to work.

    • Marked as answer by DimiKo Monday, January 16, 2012 12:32 PM
    Tuesday, January 3, 2012 2:18 PM
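    The two client-side prerequisites in the answer above (a global IPv6 address on one of the transition adapters, and Windows Firewall switched on) can be checked in one go. The script below is an added example, not code from the thread or from Microsoft; it only reads state with netsh and WMI, both of which exist on Windows 7, and assumes it is run in an elevated PowerShell prompt on the DirectAccess client. The function names are my own.

```powershell
# Added example: read-only check of the DA client prerequisites named above.
# Assumed: elevated PowerShell on the DA client (Windows 7 or later).

function Get-DaClientIPv6Addresses {
    # One object per adapter that holds a non-link-local IPv6 address.
    # Link-local (fe80::/10, including ISATAP fe80::5efe:x.x.x.x) never carries
    # DA traffic, so it is filtered out.
    Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPAddress } |
        ForEach-Object {
            $globalAddrs = @($_.IPAddress | Where-Object { $_ -match ':' -and $_ -notmatch '^fe80:' })
            if ($globalAddrs.Count -gt 0) {
                # The prefix tells you which transition technology produced it:
                # 2001:0::/32 is Teredo, 2002::/16 is 6to4; anything else is
                # usually the IP-HTTPS prefix handed out by the DA server.
                $tech = 'IP-HTTPS or native'
                if ($globalAddrs[0] -match '^2001:0:') { $tech = 'Teredo' }
                elseif ($globalAddrs[0] -match '^2002:') { $tech = '6to4' }
                New-Object PSObject -Property @{
                    Adapter    = $_.Description
                    Addresses  = $globalAddrs
                    Technology = $tech
                }
            }
        }
}

function Get-DaFirewallState {
    # Parses "netsh advfirewall show currentprofile"; its "State" line reads
    # ON or OFF (the poster's output above shows OFF on the public profile).
    param([string[]]$Text = (netsh advfirewall show currentprofile))
    $line = $Text | Where-Object { $_ -match '^\s*State\s+(ON|OFF)\s*$' } | Select-Object -First 1
    if ($line -match '(ON|OFF)') { return $matches[1] }
    return 'UNKNOWN'
}

function Get-Da6to4State {
    # Parses "netsh interface 6to4 show state" ("6to4 Service State : enabled").
    param([string[]]$Text = (netsh interface 6to4 show state))
    $line = $Text | Where-Object { $_ -match '6to4 Service State' } | Select-Object -First 1
    if ($line -match ':\s*(\w+)') { return $matches[1] }
    return 'UNKNOWN'
}

function Test-DaClientPrerequisites {
    $addrs = @(Get-DaClientIPv6Addresses)
    $fw    = Get-DaFirewallState
    $s6to4 = Get-Da6to4State
    if ($addrs.Count -eq 0) {
        Write-Warning 'No global IPv6 address on any adapter; 6to4, Teredo or IP-HTTPS must come up before DA can work.'
    } else {
        $addrs | ForEach-Object {
            Write-Host ('{0}: {1} ({2})' -f $_.Adapter, ($_.Addresses -join ', '), $_.Technology)
        }
    }
    if ($fw -ne 'ON') {
        Write-Warning "Windows Firewall current profile is $fw; DirectAccess needs it ON on both client and server."
    }
    if ($s6to4 -eq 'enabled') {
        Write-Host "6to4 is enabled; on a mobile broadband link consider 'netsh interface 6to4 set state disabled' so Teredo is tried instead."
    }
}

Test-DaClientPrerequisites
```

    Run it before and after the Group Policy refresh the answer recommends; the firewall line should flip to ON and one adapter should show a Teredo or IP-HTTPS address once the client can reach the server.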
  • Jordan is right.

    In addition to his suggestions, also note that you currently configured your NRPT with no DNS64.

    Is this intentional? This means that you will not be able to access any server that has only IPv4 addresses. For example, if your DC is Windows Server 2003, you will not have DA connectivity. If your DC is Windows Server 2008, note that the DNS server doesn't listen on ISATAP addresses unless you install a KB to fix that - so without it you will not have DA connectivity.

    Anyway, it is recommended that you change the NRPT entry to use the UAG DNS64 address.

     

     

    Tuesday, January 3, 2012 9:48 PM
  • I see a couple of things:

    2. Is the Windows Firewall turned off on the laptop? If so, please turn it on and then do another Group Policy refresh while you are connected to the corporate network so that the Firewall can get all of its settings. The Windows Firewall needs to be active on both the server and on the clients for DA to work.

    Thank you Jordan, it is very helpful.

    Now I can connect with Teredo, but I have two other issues. I cannot connect with the 6to4 tunnel or IP-HTTPS.

    About 6to4, is it a problem only with the mobile broadband card?

    I tried to troubleshoot the 6to4 tunnel adapter settings on the client and see this:

    >>>reg query HKLM\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters /v DisabledComponents
    
    ERROR: The system was unable to find the specified registry key or value.
    
    >>>reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition /v 6to4_RouterName
    
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition
        6to4_RouterName    REG_SZ    195.xxx.xx.x
    
    
    >>>netsh interface 6to4 show relay
    Relay Name             : 195.xxx.xx.x (Group Policy)
    Use Relay              : default
    Resolution Interval    : default
    
    
    >>>netsh interface 6to4 show state
    6to4 Service State     : enabled
    Undo on Service Stop   : default
    
    >>>netsh -c advfirewall
    
    netsh advfirewall>set store gpo="mydomain.lt\DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}"
    Ok.
    
    netsh advfirewall>consec show rule name="DirectAccess Policy-ClientToDnsDc"
    
    Rule Name:                            DirectAccess Policy-ClientToDnsDc
    ----------------------------------------------------------------------
    Enabled:                              Yes
    Profiles:                             Private,Public
    Type:                                 Static
    Mode:                                 Tunnel
    LocalTunnelEndpoint:                  Any
    RemoteTunnelEndpoint:                 2002:****:5206::****:5206
    Endpoint1:                            Any
    Endpoint2:                            2002:****:5206:1:0:5efe:xxx.xx.xx.xxx-2002
    :****:5206:1:0:5efe:xxx.xx.xx.xxx,2002:****:5206:1:0:5efe:xxx.xx.xx.yyy-2002:c3b
    6:5206:1:0:5efe:xxx.xx.xx.yyy
    Protocol:                             Any
    Action:                               RequireInRequireOut
    Auth1:                                ComputerCert
    Auth1CAName:                          DC=lt, DC=mydomain, CN=mydomain-ROOTCA
    Auth1CertMapping:                     No
    Auth1ExcludeCAName:                   No
    Auth1CertType:                        Root
    Auth1HealthCert:                      No
    Auth2:                                UserNTLM
    MainModeSecMethods:                   DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA
    1,DHGroup2-3DES-SHA1
    QuickModeSecMethods:                  ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AE
    S128+60min+100000kb
    ExemptIPsecProtectedConnections:      No
    ApplyAuthorization:                   No
    Ok.
    
    netsh advfirewall>exit
    
    >>>route print
    ===========================================================================
    Interface List
     33...00 1e xx ......Vodafone Mobile Broadband Network Adapter (Huawei)
     #4
     16...00 26 xx ......Broadcom 43224AG 802.11a/b/g/draft-n Wi-Fi Adapter
    
     14...00 27 xx ......Bluetooth Device (Personal Area Network)
     10...d8 d3 xx ......Marvell Yukon 88E8072 PCI-E Gigabit Ethernet Contr
    oller
      1...........................Software Loopback Interface 1
     11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
     12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
     15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
     17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
     19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
     22...00 00 00 00 00 00 00 e0 iphttpsinterface
     36...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
    ===========================================================================
    
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      10.1.27.129      10.1.yyy.yyy     30
          10.1.zz.zzz  255.255.255.224         On-link       10.1.yyy.yyy    286
          10.1.yyy.yyy  255.255.255.255         On-link       10.1.yyy.yyy    286
          10.1.27.159  255.255.255.255         On-link       10.1.yyy.yyy    286
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link       10.1.yyy.yyy    286
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link       10.1.yyy.yyy    286
    ===========================================================================
    Persistent Routes:
      None
    
    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
     12     58 ::/0                     On-link
      1    306 ::1/128                  On-link
     12     58 2001::/32                On-link
     12    306 2001:0:****:5206:c1:****:****:40ab/128
                                        On-link
     33    286 fe80::/64                On-link
     12    306 fe80::/64                On-link
     19    296 fe80::5efe:10.1.yyy.yyy/128
                                        On-link
     12    306 fe80::c1:****:****:40ab/128
                                        On-link
     33    286 fe80::3139:a1e3:b7a:1576/128
                                        On-link
      1    306 ff00::/8                 On-link
     12    306 ff00::/8                 On-link
     33    286 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
      None
    
    >>>ping 2002:****:5206::****:5206
    
    Pinging 2002:****:5206::****:5206 with 32 bytes of data:
    Reply from 2002:****:5206::****:5206: time=507ms
    Reply from 2002:****:5206::****:5206: time=447ms
    Reply from 2002:****:5206::****:5206: time=637ms
    Reply from 2002:****:5206::****:5206: time=58ms
    
    Ping statistics for 2002:****:5206::****:5206:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 58ms, Maximum = 637ms, Average = 412ms
    
    >>>tracert -d 2002:****:5206::****:5206
    
    Tracing route to 2002:****:5206::****:5206 over a maximum of 30 hops
    
      1     *        *        *     Request timed out.
      2   505 ms   540 ms   680 ms  2002:****:5206::****:5206
    
    Trace complete.
    

    The IPv6 route table should have a ::/0 route with the Gateway address set to the IPv6 address in RemoteTunnelEndpoint. The IPv6 route table should also have a 2002::/16 route with the Gateway address set to On-link.

    Can you explain to me why I can't see these records?

    Thursday, January 5, 2012 3:02 PM
  • Jordan is right.

    In addition to his suggestions, also note that you currently configured your NRPT with no DNS64.

    Is this intentional? This means that you will not be able to access any server that has only IPv4 addresses. For example, if your DC is Windows Server 2003, you will not have DA connectivity. If your DC is Windows Server 2008, note that the DNS server doesn't listen on ISATAP addresses unless you install a KB to fix that - so without it you will not have DA connectivity.

    Anyway, it is recommended that you change the NRPT entry to use the UAG DNS64 address.

     

     

    No, it is not intentional. I have DA Server 2008 R2 and all other servers are R2 too.

    Please explain to me how I can correctly change my NRPT table.

    Is it not correct???

    DNS Effective Name Resolution Policy Table Settings

    
    Settings for nls.mydomain.lt
    ----------------------------------------------------------------------
    Certification authority                 : DC=lt, DC=mydomain, CN=mydomain-ROOTCA
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              : 
    DirectAccess (Proxy Settings)           : Bypass proxy
    
    
    
    Settings for .mydomain.lt
    ----------------------------------------------------------------------
    Certification authority                 : DC=lt, DC=mydomain, CN=mydomain-ROOTCA
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              : 2002:xxxx:5206:1:0:5efe:172.xx.xx.x30
                                              2002:xxxx:5206:1:0:5efe:172.xx.xx.x00
    DirectAccess (Proxy Settings)           : Bypass proxy
    

    Thursday, January 5, 2012 3:10 PM
  • I wouldn't worry about 6to4. There are enough common problems with it that I tend to disable it on all my installs anyway. You can simply create a GPO that disables the 6to4 adapter and assign this GPO to all of your DA client computers, then you don't have to worry about it.

    Teredo will pick up most of the time, when it cannot (if UDP is blocked by a firewall for instance) then IP-HTTPS will take over. How are you testing to know that IP-HTTPS doesn't work? Are you manually disabling the 6to4 and Teredo adapters?

    To double-check that your NRPT settings are correct, open "Step 3" of the UAG DirectAccess wizards and go to the "DNS Suffixes" screen. Your entry for *.mydomain.lt should say DNS64 next to it. Is that true or do you have a specific DNS server address populated in there?

    Thursday, January 5, 2012 3:19 PM
  • 1. In the "DNS Suffixes" screen, under "IPv6 Address of the DNS server", I have two addresses for *.mydomain.lt:

    2002:xxxx:xxxx:1:0:5efe:172.xx.xx.x30

    2002:xxxx:xxxx:1:0:5efe:172.xx.xx.x00

    2. I manually disabled 6to4 for testing now. I will create a GPO for this in the future. Should I disable ISATAP or Teredo too?

    3. Trying to troubleshoot IP-HTTPS:

    >>>netsh interface httpstunnel show interfaces

    Interface IPHTTPSInterface (Group Policy)  Parameters

    ------------------------------------------------------------

    Role                       : client

    URL                        : https://da.mydomain.lt:443/IPHTTPS

    Last Error Code            : 0x2afc

    Interface Status           : failed to connect to the IPHTTPS server. Waiting to reconnect

    >>>Ipconfig

    Tunnel adapter iphttpsinterface:

     

       Media State . . . . . . . . . . . : Media disconnected

       Connection-specific DNS Suffix  . :

       Description . . . . . . . . . . . : iphttpsinterface

       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

       DHCP Enabled. . . . . . . . . . . : No

       Autoconfiguration Enabled . . . . : Yes

     

    When I ping da.mydomain.lt it succeeds, but it is reached via the IPv6 address of DA, 2002:xxxx:xxxx:1:0:5efe:172.xx.xx.xx5,

    and I cannot reach https://da.mydomain.lt:443/IPHTTPS via Internet Explorer.

    • Edited by DimiKo Friday, January 6, 2012 7:48 AM
    Friday, January 6, 2012 7:45 AM
  • In the DNS Suffixes part of the wizard do you have the option to set *.mydomain.lt to "DNS64"? That is how it should be set.

    However...I just looked back over the post and realized you don't mention UAG anywhere. You are running the UAG version of DirectAccess, right? Or are you running native DA? (This forum is for the Forefront products.)

    Either way, if it's working with Teredo then we should probably focus on IP-HTTPS. IP-HTTPS problems usually have something to do with DNS or certificates. The fact that you cannot browse to https://da.mydomain.lt:443/IPHTTPS is a problem (it should show you a 403 page with no certificate warning messages). Can you confirm that you have a public DNS host record created for this name and that it resolves correctly to the primary public IP address of your server?

    Friday, January 6, 2012 2:55 PM
  • I didn't register any public addresses.

    I have two public addresses on my DA interface: firstIP v4 and secondIP v4.

    Should I create two records in my public DNS, for CRL and DA, both linked to the firstIP v4 address?

    Tuesday, January 10, 2012 8:50 AM
  • You should only need one public DNS host record created. This record is for IP-HTTPS; the public DNS name is one that you need to choose for IP-HTTPS to listen on, and its host record needs to point at the primary IPv4 address of your server. Location of your CRL record depends on what SSL certificate you are using on the server for IP-HTTPS. If you are using an SSL cert that was issued by your internal CA server, I recommend you give that up and go purchase a certificate from a public CA. When you do this, then you do not have to worry about the CRL because they take care of it for you.

    In your responses you keep mentioning "da.mydomain.lt" - I assumed you were doing this so that your real public URL stayed hidden. This is the IP-HTTPS listener name and this is the place where you have to create a real DNS host record, point it at the primary public IP of the server, and acquire an SSL certificate for this name to place onto the server.

    • Marked as answer by DimiKo Monday, January 16, 2012 12:32 PM
    Tuesday, January 10, 2012 11:55 AM
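    The two conditions in the answer above (a public host record for the IP-HTTPS name that points at the server's primary public IPv4 address, and a listener that answers /IPHTTPS with a 403 under a certificate the client trusts) can be verified from outside the network. This is an added example, not code from the thread or from Microsoft. The host name and address are placeholders to replace with your own, and the function names are mine; run it from a machine off the corporate network, because on a DA client the NRPT would steer the lookup to the DA DNS servers instead of public DNS.

```powershell
# Added example: verify the public DNS record and the IP-HTTPS listener.
# Placeholders: replace $name and $ip with your listener name and public IPv4.

function Test-IpHttpsPublicRecord {
    # Resolves the listener name and compares the IPv4 answers with the address
    # the record is supposed to carry (the server's primary public IPv4).
    param([string]$HostName, [string]$ExpectedIPv4)
    $addrs = @()
    try {
        $addrs = @([System.Net.Dns]::GetHostAddresses($HostName) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString })
    } catch {
        # NXDOMAIN or resolver failure: no public record exists yet
    }
    New-Object PSObject -Property @{
        HostName = $HostName
        Resolved = $addrs
        Matches  = ($addrs -contains $ExpectedIPv4)
    }
}

function Test-IpHttpsListener {
    # A working IP-HTTPS listener answers an anonymous GET on /IPHTTPS with 403.
    # A TrustFailure means this client does not trust the server certificate
    # (or cannot fetch its CRL), which breaks IP-HTTPS as surely as a bad record.
    param([string]$HostName)
    $url = "https://$HostName/IPHTTPS"
    $req = [System.Net.WebRequest]::Create($url)
    $req.Method  = 'GET'
    $req.Timeout = 10000
    try {
        $resp = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $resp.Close()
        return @{ Url = $url; Status = $status; Ok = $false; Detail = "unexpected HTTP $status (expected 403)" }
    } catch [System.Net.WebException] {
        $ex = $_.Exception
        if ($ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }   # unwrap PowerShell's wrapper
        if ($ex.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
            return @{ Url = $url; Status = $null; Ok = $false; Detail = 'server certificate is not trusted by this client' }
        }
        if ($ex.Response) {
            $status = [int]$ex.Response.StatusCode
            $ex.Response.Close()
            return @{ Url = $url; Status = $status; Ok = ($status -eq 403); Detail = "HTTP $status" }
        }
        return @{ Url = $url; Status = $null; Ok = $false; Detail = $ex.Status.ToString() }
    }
}

$name = 'da.example.com'    # placeholder: your IP-HTTPS listener name
$ip   = '203.0.113.10'      # placeholder: primary public IPv4 of the DA server

$dns = Test-IpHttpsPublicRecord -HostName $name -ExpectedIPv4 $ip
if ($dns.Matches) { Write-Host "$name resolves to $ip as expected" }
else { Write-Warning ('{0} resolves to [{1}], not {2}' -f $name, ($dns.Resolved -join ', '), $ip) }

$probe = Test-IpHttpsListener -HostName $name
if ($probe.Ok) { Write-Host 'IP-HTTPS listener answered 403 with a trusted certificate' }
else { Write-Warning ('{0}: {1}' -f $probe.Url, $probe.Detail) }
```

    A 403 is the expected good result here; anything else, and in particular a trust failure, points at the certificate or CRL side of the problem rather than at DNS.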
  • Your IP-HTTPS doesn't work because the IP-HTTPS URL da.mydomain.lt is in the corp DNS suffix of .mydomain.lt.

    This is a split-brain DNS scenario, where you should add "da.mydomain.lt" as an exemption entry in NRPT.

    In UAG DA this exemption gets added automatically, but you are using Windows 2008 R2 DA, so you'll have to add this entry manually.

    You can read about it here:

    http://technet.microsoft.com/en-us/library/ee382323(WS.10).aspx

    • Marked as answer by DimiKo Monday, January 16, 2012 12:32 PM
    Tuesday, January 10, 2012 4:52 PM
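    The split-brain condition described above, and the earlier remark about what the NRPT entry currently sends to the DA DNS servers, can both be read straight out of the output of `netsh namespace show effectivepolicy`, the command the original poster used. In that output an exemption shows up as an entry whose "DirectAccess (DNS Servers)" line is empty (the nls.mydomain.lt entry posted earlier is one). The script below is an added example, not code from the thread or from Microsoft: it parses that output, finds the most specific rule for the IP-HTTPS host name, and flags the name when it would be resolved through the DA DNS servers instead of public DNS. The sample text is constructed from the poster's redacted output with documentation addresses, and the function names are mine.

```powershell
# Added example: detect an IP-HTTPS name that needs an NRPT exemption.
# Input: the text of "netsh namespace show effectivepolicy" (live or sample).

function ConvertFrom-NrptEffectivePolicy {
    param([string[]]$Text = (netsh namespace show effectivepolicy))
    $rules = @()
    $current = $null
    $inDns = $false
    foreach ($line in $Text) {
        if ($line -match '^\s*Settings for\s+(\S+)\s*$') {
            if ($current) { $rules += $current }
            $current = New-Object PSObject -Property @{ Name = $matches[1]; DnsServers = @() }
            $inDns = $false
            continue
        }
        if (-not $current) { continue }
        if ($line -match '^\s*DirectAccess \(DNS Servers\)\s*:\s*(\S*)\s*$') {
            if ($matches[1]) { $current.DnsServers += $matches[1] }   # empty value = exemption
            $inDns = $true
            continue
        }
        # Further server addresses follow on indented, unlabelled lines.
        if ($inDns -and $line -match '^\s+([0-9a-fA-F:.]+)\s*$') {
            $current.DnsServers += $matches[1]
            continue
        }
        $inDns = $false
    }
    if ($current) { $rules += $current }
    return $rules
}

function Find-NrptRuleForHost {
    # Most specific rule wins: an exact name beats a suffix, a longer suffix
    # beats a shorter one, which is how the NRPT is evaluated.
    param([object[]]$Rules, [string]$HostName)
    $h = $HostName.ToLowerInvariant()
    $exact = @($Rules | Where-Object { $_.Name.ToLowerInvariant() -eq $h })
    if ($exact.Count -gt 0) { return $exact[0] }
    $Rules |
        Where-Object { $_.Name.StartsWith('.') -and $h.EndsWith($_.Name.ToLowerInvariant()) } |
        Sort-Object { $_.Name.Length } -Descending |
        Select-Object -First 1
}

function Test-IpHttpsSplitBrain {
    # $true when the IP-HTTPS host name would be sent to the DA DNS servers,
    # i.e. it is covered by a suffix rule and has no exemption of its own.
    param([object[]]$Rules, [string]$IpHttpsUrl)
    $hostName = ([Uri]$IpHttpsUrl).Host
    $rule = Find-NrptRuleForHost -Rules $Rules -HostName $hostName
    if (-not $rule) { return $false }             # outside the NRPT: public DNS
    return ($rule.DnsServers.Count -gt 0)
}

# Constructed sample modelled on the poster's output (addresses are placeholders).
$sample = @'
DNS Effective Name Resolution Policy Table Settings

Settings for nls.mydomain.lt
----------------------------------------------------------------------
Certification authority                 : DC=lt, DC=mydomain, CN=mydomain-ROOTCA
DNSSEC (Validation)                     : disabled
IPsec settings                          : disabled
DirectAccess (DNS Servers)              : 
DirectAccess (Proxy Settings)           : Bypass proxy

Settings for .mydomain.lt
----------------------------------------------------------------------
Certification authority                 : DC=lt, DC=mydomain, CN=mydomain-ROOTCA
DNSSEC (Validation)                     : disabled
IPsec settings                          : disabled
DirectAccess (DNS Servers)              : 2002:c000:201:1:0:5efe:192.0.2.30
                                          2002:c000:201:1:0:5efe:192.0.2.100
DirectAccess (Proxy Settings)           : Bypass proxy
'@ -split "`r?`n"

$rules = ConvertFrom-NrptEffectivePolicy -Text $sample
$rules | ForEach-Object {
    if ($_.DnsServers.Count -gt 0) { $servers = $_.DnsServers -join ', ' } else { $servers = '<none: exemption>' }
    '{0,-16} -> {1}' -f $_.Name, $servers
}

foreach ($url in 'https://da.mydomain.lt:443/IPHTTPS', 'https://nls.mydomain.lt/') {
    if (Test-IpHttpsSplitBrain -Rules $rules -IpHttpsUrl $url) {
        Write-Warning "$url is covered by a DA suffix rule with no exemption: add its host name as an NRPT exemption."
    } else {
        Write-Host "$url is exempt or outside the NRPT and resolves via public DNS."
    }
}
```

    With the sample, da.mydomain.lt is flagged and nls.mydomain.lt is not. Omit `-Text` to run it against the live policy on a client.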
  • Nice catch Yaniv! Guess I'm used to being pampered by UAG :)
    Tuesday, January 10, 2012 4:56 PM
  • Thanks awfully!!!

    I added two DNS entries, "crl.mydomain.lt" and "da.mydomain.lt", to my public ISP DNS, pointing to my first external IP interface.

    I disabled Teredo and 6to4 and IP-HTTPS is working now. I can use my shared drives on the file server and connect to the DC.

    But why does "Microsoft DA Connectivity Assistant" on the client show me the message "Corporate connectivity is not working correctly"?

    I have a second DNS zone mydomain2.lt on the same DC; how can I configure it for DirectAccess?

    Can you check my configuration one last time? Is it all good in my config?

    Thank you in advance

    RED: Corporate connectivity is not working.
    Microsoft DirectAccess Connectivity Assistant is not properly configured. Please contact your administrator if this problem persists.
    16/1/2012 8:57:29 (UTC)
    
    
    C:\Windows\system32\LogSpace\{FAF59ECD-434F-4989-891C-7A4CB44DD010}>ipconfig /all 
    
    Windows IP Configuration
    
       Host Name . . . . . . . . . . . . : HP
       Primary Dns Suffix  . . . . . . . : mydomain.lt
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : mydomain.lt
    
    Ethernet adapter Local Area Connection 3:
    
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Vodafone Mobile Broadband Network Adapter (Huawei) #2
       Physical Address. . . . . . . . . : 00-1E-10-1F-7F-B6
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::4da4:21ce:e6f4:5e06%16(Preferred) 
       IPv4 Address. . . . . . . . . . . : 10.1.xx.xxx(Preferred) 
       Subnet Mask . . . . . . . . . . . : 255.255.255.252
       Lease Obtained. . . . . . . . . . : 2012 m. sausio 16 d. 10:32:45
       Lease Expires . . . . . . . . . . : 2012 m. sausio 16 d. 12:32:43
       Default Gateway . . . . . . . . . : 10.1.xx.xxx
       DHCP Server . . . . . . . . . . . : 10.1.xx.xxx
       DHCPv6 IAID . . . . . . . . . . . : 402660880
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-4C-AB-5A-D8-D3-85-22-22-9F
       DNS Servers . . . . . . . . . . . : 213.226.xxx.xxx
                                           193.219.xx.xx
       NetBIOS over Tcpip. . . . . . . . : Enabled
    
    Wireless LAN adapter Wireless Network Connection:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : Home
       Description . . . . . . . . . . . : Broadcom 43224AG 802.11a/b/g/draft-n Wi-Fi Adapter
       Physical Address. . . . . . . . . : 00-26-82-64-XX-XX
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    
    Ethernet adapter Bluetooth Network Connection:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
       Physical Address. . . . . . . . . : 00-27-13-C2-XX-XX
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    
    Ethernet adapter Local Area Connection:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : mydomain.lt
       Description . . . . . . . . . . . : Marvell Yukon 88E8072 PCI-E Gigabit Ethernet Controller
       Physical Address. . . . . . . . . : D8-D3-85-22-XX-XX
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    
    Tunnel adapter isatap.mydomain.lt:
    
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Default Gateway . . . . . . . . . : 
       NetBIOS over Tcpip. . . . . . . . : Disabled
    
    Tunnel adapter iphttpsinterface:
    
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : iphttpsinterface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2002:c3b6:5206:2:c77:cdcb:777:1111(Preferred) 
       Temporary IPv6 Address. . . . . . : 2002:c3b6:5206:2:3333:7af6:ca77:5ff9(Preferred) 
       Link-local IPv6 Address . . . . . : fe80::c51:cdcb:681:1efc%17(Preferred) 
       Default Gateway . . . . . . . . . : fe80::cc43:e414:40a4:c44%17
       NetBIOS over Tcpip. . . . . . . . : Disabled
    
    Tunnel adapter isatap.Home:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    
    Tunnel adapter isatap.{E5319B00-34A8-4D84-AC71-08E554A8C8C6}:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    
    Tunnel adapter isatap.{C9E042A0-04D0-4767-8B8E-A5792348373F}:
    
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::5efe:10.1.xx.xxx%25(Preferred) 
       Default Gateway . . . . . . . . . : 
       DNS Servers . . . . . . . . . . . : 213.226.xxx.xxx
                                           193.219.xx.xx
       NetBIOS over Tcpip. . . . . . . . : Disabled
    
    C:\Windows\system32\LogSpace\{FAF59ECD-434F-4989-891C-7A4CB44DD010}>netsh int teredo show state 
    Teredo Parameters
    ---------------------------------------------
    Type                    : disabled
    Server Name             : 195.xxx.xx.o (Group Policy) 
    Client Refresh Interval : 30 seconds
    Client Port             : unspecified
    State                   : offline
    Error                   : none
    
    
    C:\Windows\system32\LogSpace\{FAF59ECD-434F-4989-891C-7A4CB44DD010}>netsh int httpstunnel show interfaces 
    
    Interface IPHTTPSInterface (Group Policy)  Parameters
    ------------------------------------------------------------
    Role                       : client
    URL                        : https://da.mydomain.lt:443/IPHTTPS
    Last Error Code            : 0x0
    Interface Status           : IPHTTPS interface active 
    
    
    C:\Windows\system32\LogSpace\{FAF59ECD-434F-4989-891C-7A4CB44DD010}>netsh dns show state 
    
    Name Resolution Policy Table Options 
    -------------------------------------------------------------------- 
    
    Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                            if the name does not exist in DNS or
                                            if the DNS servers are unreachable
                                            when on a private network
    
    Query Resolution Behavior             : Resolve only IPv6 addresses for names
    
    Network Location Behavior             : Let Network ID determine when Direct
                                            Access settings are to be used
    
    Machine Location                      : Outside corporate network
    
    Direct Access Settings                : Configured and Enabled
    
    DNSSEC Settings                       : Not Configured
    
    
    C:\Windows\system32\LogSpace\{FAF59ECD-434F-4989-891C-7A4CB44DD010}>netsh name show policy 
    
    DNS Name Resolution Policy Table Settings
    
    Settings for da.mydomain.lt
    ----------------------------------------------------------------------
    Certification authority                 : DC=lt, DC=mydomain, CN=mydomain-ROOTCA
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              : 
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Bypass proxy
    
    
    
    Settings for .mydomain.lt
    ----------------------------------------------------------------------
    Certification authority                 : DC=lt, DC=mydomain, CN=mydomain-ROOTCA
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              : 2002:xxxx:5206:1:0:5efe:172.xx.xx.x30
                                              2002:xxxx:5206:1:0:5efe:172.xx.xx.x00
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Bypass proxy
    
    
    
    Settings for nls.mydomain.lt
    ----------------------------------------------------------------------
    Certification authority                 : DC=lt, DC=mydomain, CN=mydomain-ROOTCA
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              : 
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Bypass proxy
    
    
    
    
    C:\Windows\system32\LogSpace\{FAF59ECD-434F-4989-891C-7A4CB44DD010}>netsh name show effective 
    
    DNS Effective Name Resolution Policy Table Settings
    
    
    Settings for da.mydomain.lt
    ----------------------------------------------------------------------
    Certification authority                 : DC=lt, DC=mydomain, CN=mydomain-ROOTCA
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              : 
    DirectAccess (Proxy Settings)           : Bypass proxy
    
    
    
    Settings for .mydomain.lt
    ----------------------------------------------------------------------
    Certification authority                 : DC=lt, DC=mydomain, CN=mydomain-ROOTCA
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              : 2002:xxxx:5206:1:0:5efe:172.xx.xx.x30
                                              2002:xxxx:5206:1:0:5efe:172.xx.xx.x00
    DirectAccess (Proxy Settings)           : Bypass proxy
    
    
    
    Settings for nls.mydomain.lt
    ----------------------------------------------------------------------
    Certification authority                 : DC=lt, DC=mydomain, CN=mydomain-ROOTCA
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              : 
    DirectAccess (Proxy Settings)           : Bypass proxy
    
    
    
    
    C:\Windows\system32\LogSpace\{FAF59ECD-434F-4989-891C-7A4CB44DD010}>netsh int ipv6 show int level=verbose  
    
    Interface Loopback Pseudo-Interface 1 Parameters
    ----------------------------------------------
    IfLuid                             : loopback_0
    IfIndex                            : 1
    State                              : connected
    Metric                             : 50
    Link MTU                           : 4294967295 bytes
    Reachable Time                     : 42500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : disabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    
    Interface Wireless Network Connection Parameters
    ----------------------------------------------
    IfLuid                             : wireless_0
    IfIndex                            : 13
    State                              : disconnected
    Metric                             : 5
    Link MTU                           : 1500 bytes
    Reachable Time                     : 21000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    
    Interface Local Area Connection Parameters
    ----------------------------------------------
    IfLuid                             : ethernet_6
    IfIndex                            : 10
    State                              : disconnected
    Metric                             : 20
    Link MTU                           : 1500 bytes
    Reachable Time                     : 37000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : enabled
    Other Stateful Configuration       : enabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    
    Interface isatap.mydomain.lt Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_6
    IfIndex                            : 21
    State                              : connected
    Metric                             : 25
    Link MTU                           : 1280 bytes
    Reachable Time                     : 38000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    
    Interface Bluetooth Network Connection Parameters
    ----------------------------------------------
    IfLuid                             : ethernet_9
    IfIndex                            : 12
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1477 bytes
    Reachable Time                     : 33000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    
    Interface iphttpsinterface Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_9
    IfIndex                            : 17
    State                              : connected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 20000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    
    Interface isatap.Home Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_10
    IfIndex                            : 22
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 15000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    
    Interface Local Area Connection 3 Parameters
    ----------------------------------------------
    IfLuid                             : ethernet_11
    IfIndex                            : 16
    State                              : connected
    Metric                             : 50
    Link MTU                           : 1500 bytes
    Reachable Time                     : 25000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : enabled
    Other Stateful Configuration       : enabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    
    Interface isatap.{E5319B00-34A8-4D84-AC71-08E554A8C8C6} Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_12
    IfIndex                            : 23
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 21500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    
    Interface isatap.{C9E042A0-04D0-4767-8B8E-A5792348373F} Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_14
    IfIndex                            : 25
    State                              : connected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 20500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    
    
    C:\Windows\system32\LogSpace\{FAF59ECD-434F-4989-891C-7A4CB44DD010}>netsh advf show currentprofile 
    
    Public Profile Settings: 
    ----------------------------------------------------------------------
    State                                 ON
    Firewall Policy                       BlockInbound,AllowOutbound
    LocalFirewallRules                    N/A (GPO-store only)
    LocalConSecRules                      N/A (GPO-store only)
    InboundUserNotification               Enable
    RemoteManagement                      Disable
    UnicastResponseToMulticast            Enable
    
    Logging:
    LogAllowedConnections                 Disable
    LogDroppedConnections                 Disable
    FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
    MaxFileSize                           4096
    
    Ok.
    
    
    C:\Windows\system32\LogSpace\{FAF59ECD-434F-4989-891C-7A4CB44DD010}>netsh advfirewall monitor show consec 
    
    Global Settings: 
    ----------------------------------------------------------------------
    IPsec:
    StrongCRLCheck                        0:Disabled
    SAIdleTimeMin                         5min
    DefaultExemptions                     ICMP
    IPsecThroughNAT                       Never
    AuthzUserGrp                          None
    AuthzComputerGrp                      None
    
    StatefulFTP                           Enable
    StatefulPPTP                          Enable
    
    Main Mode:
    KeyLifetime                           60min,0sess
    SecMethods                            DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
    ForceDH                               No
    
    Categories:
    BootTimeRuleCategory                  Windows Firewall
    FirewallRuleCategory                  Windows Firewall
    StealthRuleCategory                   Windows Firewall
    ConSecRuleRuleCategory                Windows Firewall
    
    
    Quick Mode:
    QuickModeSecMethods                   ESP:SHA1-None+60min+100000kb,ESP:SHA1-AES128+60min+100000kb,ESP:SHA1-3DES+60min+100000kb,AH:SHA1+60min+100000kb
    QuickModePFS                          None
    
    Security Associations:
    
    Main Mode SA at 01/16/2012 10:57:29                      
    ----------------------------------------------------------------------
    Local IP Address:                     2002:c3b6:5206:2:3333:7af6:ca77:5ff9
    Remote IP Address:                    2002:c3b6:5207::c3b6:5207
    Auth2 Local ID:                       mydomain\dimitrian-te
    Auth2 Remote ID:                      host/DA.mydomain.lt
    Auth1:                                ComputerCert
    Auth2:                                UserKerb
    MM Offer:                             None-AES128-SHA256
    Cookie Pair:                          6236c322e81cbd22:bccca8f3da62b50c
    Health Cert:                          No
    
    Main Mode SA at 01/16/2012 10:57:29                      
    ----------------------------------------------------------------------
    Local IP Address:                     2002:c3b6:5206:2:3333:7af6:ca77:5ff9
    Remote IP Address:                    2002:c3b6:5206::c3b6:5206
    Auth1:                                ComputerCert
    Auth2:                                UserNTLM
    MM Offer:                             None-AES128-SHA256
    Cookie Pair:                          945485c710c30c20:28e35b4ee5454077
    Health Cert:                          No
    
    Quick Mode SA at 01/16/2012 10:57:29                     
    ----------------------------------------------------------------------
    Local IP Address:                     2002:c3b6:5206:2:3333:7af6:ca77:5ff9
    Remote IP Address:                    2002:c3b6:5207::c3b6:5207
    Local Port:                           Any
    Remote Port:                          Any
    Protocol:                             Any
    Direction:                            Both
    QM Offer:                             ESP:SHA1-AES192+60min+100000kb
    PFS:                                  None
    
    Quick Mode SA at 01/16/2012 10:57:29                     
    ----------------------------------------------------------------------
    Local IP Address:                     2002:c3b6:5206:2:3333:7af6:ca77:5ff9
    Remote IP Address:                    2002:c3b6:5206::c3b6:5206
    Local Port:                           Any
    Remote Port:                          Any
    Protocol:                             Any
    Direction:                            Both
    QM Offer:                             ESP:SHA1-AES192+60min+100000kb
    PFS:                                  None
    
    
    IPsec Statistics
    ----------------
    
    Active Assoc                : 3
    Offload SAs                 : 0
    Pending Key                 : 0
    Key Adds                    : 24
    Key Deletes                 : 27
    ReKeys                      : 0
    Active Tunnels              : 2
    Bad SPI Pkts                : 15
    Pkts not Decrypted          : 0
    Pkts not Authenticated      : 0
    Pkts with Replay Detection  : 0
    Confidential Bytes Sent     : 508,608
    Confidential Bytes Received : 1,163,384
    Authenticated Bytes Sent    : 566,040
    Authenticated Bytes Received: 1,163,384
    Transport Bytes Sent        : 0
    Transport Bytes Received    : 0
    Bytes Sent In Tunnels       : 566,040
    Bytes Received In Tunnels   : 1,163,384
    Offloaded Bytes Sent        : 0
    Offloaded Bytes Received    : 0
    
    Ok.
    
    
    C:\Windows\system32\LogSpace\{FAF59ECD-434F-4989-891C-7A4CB44DD010}>Certutil -store my  
    my
    ================ Certificate 0 ================
    Serial Number: 34e3074d000100000157
    Issuer: CN=mydomain-ROOTCA, DC=mydomain, DC=lt
     NotBefore: 2011.12.08 16:33
     NotAfter: 2012.12.07 16:33
    Subject: EMPTY (DNS Name=HP.mydomain.lt)
    Non-root Certificate
    Template: mydomain-DomainMachineAuthentication(DirectAccess), mydomain - Domain Machine Authentication (DirectAccess)
    Cert Hash(sha1): *************************
      Key Container = **************************
      Simple container name: ************************
      Provider = Microsoft RSA SChannel Cryptographic Provider
    Private key is NOT exportable
    Encryption test passed
    CertUtil: -store command completed successfully.
    
    C:\Windows\system32\LogSpace\{FAF59ECD-434F-4989-891C-7A4CB44DD010}>Systeminfo
    
    Host Name:                 HP
    OS Name:                   Microsoft Windows 7 Enterprise 
    OS Version:                6.1.7601 Service Pack 1 Build 7601
    OS Manufacturer:           Microsoft Corporation
    OS Configuration:          Member Workstation
    OS Build Type:             Multiprocessor Free
    Registered Owner:          Laikinas
    Registered Organization:   
    Product ID:                00392-918-5000002-85588
    Original Install Date:     2011.04.29, 10:23:15
    System Boot Time:          2012.01.16, 10:17:41
    System Manufacturer:       Hewlett-Packard
    System Model:              HP ProBook 4415s
    System Type:               X86-based PC
    Processor(s):              1 Processor(s) Installed.
                               [01]: x64 Family 16 Model 6 Stepping 2 AuthenticAMD ~2100 Mhz
    BIOS Version:              Hewlett-Packard 68CPP Ver. F.06, 2010.01.25
    Windows Directory:         C:\Windows
    System Directory:          C:\Windows\system32
    Boot Device:               \Device\HarddiskVolume1
    System Locale:             lt;Lithuanian
    Input Locale:              en-us;English (United States)
    Time Zone:                 (UTC+02:00) Helsinki, Kyiv, Riga, Sofia, Tallinn, Vilnius
    Total Physical Memory:     1.789 MB
    Available Physical Memory: 1.030 MB
    Virtual Memory: Max Size:  3.578 MB
    Virtual Memory: Available: 2.701 MB
    Virtual Memory: In Use:    877 MB
    Page File Location(s):     C:\pagefile.sys
    Domain:                    mydomain.lt
    Logon Server:              N/A
    Hotfix(s):                 65 Hotfix(s) Installed.
                               [01]: KB982861
                               [02]: KB982861
                               [03]: 982861
                               [04]: KB958830
                               [05]: KB971033
                               [06]: KB2305420
                               [07]: KB2393802
                               [08]: KB2425227
                               [09]: KB2446710
                               [10]: KB2479943
                               [11]: KB2484033
                               [12]: KB2488113
                               [13]: KB2491683
                               [14]: KB2492386
                               [15]: KB2497640
                               [16]: KB2502285
                               [17]: KB2503658
                               [18]: KB2503665
                               [19]: KB2505438
                               [20]: KB2506212
                               [21]: KB2506223
                               [22]: KB2506928
                               [23]: KB2507618
                               [24]: KB2508272
                               [25]: KB2508429
                               [26]: KB2509553
                               [27]: KB2510531
                               [28]: KB2511250
                               [29]: KB2511455
                               [30]: KB2515325
                               [31]: KB2518869
                               [32]: KB2522422
                               [33]: KB2524375
                               [34]: KB2533552
                               [35]: KB2536275
                               [36]: KB2536276
                               [37]: KB2539635
                               [38]: KB2541014
                               [39]: KB2544893
                               [40]: KB2545698
                               [41]: KB2547666
                               [42]: KB2552343
                               [43]: KB2560656
                               [44]: KB2563227
                               [45]: KB2564958
                               [46]: KB2567680
                               [47]: KB2570947
                               [48]: KB2572077
                               [49]: KB2579686
                               [50]: KB2588516
                               [51]: KB2607576
                               [52]: KB2618444
                               [53]: KB2618451
                               [54]: KB2619339
                               [55]: KB2620704
                               [56]: KB2620712
                               [57]: KB2633171
                               [58]: KB2633952
                               [59]: KB2639417
                               [60]: KB2641690
                               [61]: KB958488
                               [62]: KB976002
                               [63]: KB976902
                               [64]: KB976932
                               [65]: KB982018
    Network Card(s):           4 NIC(s) Installed.
                               [01]: Marvell Yukon 88E8072 PCI-E Gigabit Ethernet Controller
                                     Connection Name: Local Area Connection
                                     Status:          Media disconnected
                               [02]: Bluetooth Device (Personal Area Network)
                                     Connection Name: Bluetooth Network Connection
                                     Status:          Media disconnected
                               [03]: Broadcom 43224AG 802.11a/b/g/draft-n Wi-Fi Adapter
                                     Connection Name: Wireless Network Connection
                                     Status:          Media disconnected
                               [04]: Vodafone Mobile Broadband Network Adapter (Huawei)
                                     Connection Name: Local Area Connection 3
                                     DHCP Enabled:    Yes
                                     DHCP Server:     10.1.xx.xxx
                                     IP address(es)
                                     [01]: 10.1.xx.xxx
                                     [02]: fe80::4da4:21ce:e6f4:5e06
    
    C:\Windows\system32\LogSpace\{FAF59ECD-434F-4989-891C-7A4CB44DD010}>whoami /groups  
    
    GROUP INFORMATION
    -----------------
    
    Group Name                             Type             SID          Attributes                                        
    ====================================== ================ ============ ==================================================
    BUILTIN\Administrators                 Alias            S-1-5-32-544 Enabled by default, Enabled group, Group owner    
    Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
    Mandatory Label\System Mandatory Level Label            S-1-16-16384                                                   
    


    • Edited by DimiKo Monday, January 16, 2012 11:11 AM
    Monday, January 16, 2012 9:23 AM
  • This log looks good! Usually the final verifier that DirectAccess is functional is the existence of IPsec tunnels, and your log shows successful tunnels.

    To include another DNS namespace in your DA connection you must add the new suffix into your NRPT. Add *.mydomain2.lt into the NRPT and point it at the same DNS servers that your primary DNS suffix is pointing to.

    The Connectivity Assistant is showing that status because it hasn't been configured with a connectivity verifier yet. A connectivity verifier is basically an intranet website or file sitting somewhere inside your corporate network that the DCA queries. If it can see the specified website or file, the DCA (DirectAccess Connectivity Assistant) reports a status of "good", and if it cannot see the item you specified then it reports "bad" (even if DirectAccess is actually connected successfully). Here is a link that will get you started on configuring and deploying the DCA:

    http://technet.microsoft.com/en-us/library/ff453413(WS.10).aspx

    Just a quick tip: don't use your NLS website as a connectivity verifier. DA clients cannot see the NLS website while they are connected over DA, by design :) This is a very common mistake.

    • Marked as answer by DimiKo Monday, January 16, 2012 12:31 PM
    Monday, January 16, 2012 11:51 AM
  • Another issue that I see is that the NRPT exemption is configured to bypass proxy:

    Settings for da.mydomain.lt
    ----------------------------------------------------------------------
    Certification authority                 : DC=lt, DC=mydomain, CN=mydomain-ROOTCA
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Bypass proxy

    This was a bug in earlier versions of UAG, and was fixed in UAG SP1 (so I recommend you upgrade).

    This bypass means that when your DirectAccess client is behind a web proxy and requires it to connect to the IP-HTTPS URL, the NRPT entry will force the connection to bypass the proxy configuration and connect directly instead. The recommended proxy setting for NRPT exemptions is "Use default".

    Without fixing this, you'll only experience issues when your client uses a web proxy to reach the internet.

    Monday, January 16, 2012 4:37 PM
  • Is it a bug when I use native DA?

    When I check the Monitoring node on the DA server, it sometimes shows me that the second DNS server is unavailable, but I can ping it.

    • Edited by DimiKo Tuesday, January 17, 2012 8:06 AM
    Tuesday, January 17, 2012 7:04 AM
  • Oh, right.

    I forgot you're not using UAG.

    Well, if you care about the client behind proxy scenario, then you can manually fix NRPT in the GPO by using Group Policy Management Console.

    About the unreachable DNS server, what operating system is this DNS server running?

    Windows Server 2008 R2 should be OK, but if it's running Windows Server 2008 then it might not be listening on the ISATAP address (check here for the fix: http://support.microsoft.com/kb/958194)

    Tuesday, January 17, 2012 9:03 AM
  • It's running on 2008 R2, but I didn't update it.

    Now I am trying to configure my intranet web sites to work on the client. Should I add them to the NRPT table? Example: sharepoint.mydomain.lt 

    Tuesday, January 17, 2012 10:58 AM
  • Then make sure the DNS server is configured to listen on the ISATAP address.

    About the NRPT, you already configured the whole .mydomain.lt DNS suffix to be routed over DA, so you don't need to add anything for your SharePoint server to work. You only need to add NRPT exemptions for external servers that have the .mydomain.lt suffix and that you want to be reachable over the internet (just like da.mydomain.lt).

    Tuesday, January 17, 2012 11:56 AM
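    The three NRPT points made in the replies above (exemptions must not bypass the proxy, the suffix rule already covers every intranet host such as sharepoint.mydomain.lt, and an exempted name such as the NLS is useless as a DCA connectivity verifier) can be checked on a client with a small script. The following is an added example; it is not code from this thread or from Microsoft. It parses the table exactly as "netsh namespace show effectivepolicy" prints it (English output assumed), flags exemption entries set to "Bypass proxy", and reports which entry a given name would hit, assuming the NRPT's most-specific (longest) namespace match wins. Without -Live it runs against a constructed sample table whose hostnames and addresses are placeholders.

```powershell
# Added example (not from the thread). Parses the NRPT as printed by
# "netsh namespace show effectivepolicy" (English output assumed), then:
#   1. flags exemption entries (no DirectAccess DNS servers) set to "Bypass proxy";
#   2. shows which rule a given name hits, assuming the most specific (longest)
#      namespace match wins, so you can see why sharepoint.mydomain.lt needs no
#      entry, why da.mydomain.lt is exempted, and why an NLS name makes a bad
#      DCA connectivity verifier.
# Run with -Live on a DA client to read the real table; otherwise the
# constructed sample below is used. Hostnames and addresses are placeholders.
param(
    [switch]$Live,
    [string[]]$Names = @('sharepoint.mydomain.lt', 'da.mydomain.lt', 'nls.mydomain.lt', 'www.example.com')
)

$sample = @'
DNS Effective Name Resolution Policy Table Settings

Settings for .mydomain.lt
----------------------------------------------------------------------
Certification authority                 : DC=lt, DC=mydomain, CN=mydomain-ROOTCA
DNSSEC (Validation)                     : disabled
IPsec settings                          : disabled
DirectAccess (DNS Servers)              : 2002:c633:6401:1:0:5efe:172.30.16.11
                                          2002:c633:6401:1:0:5efe:172.30.16.12
DirectAccess (Proxy Settings)           : Bypass proxy

Settings for da.mydomain.lt
----------------------------------------------------------------------
DirectAccess (DNS Servers)              :
DirectAccess (Proxy Settings)           : Bypass proxy

Settings for nls.mydomain.lt
----------------------------------------------------------------------
DirectAccess (DNS Servers)              :
DirectAccess (Proxy Settings)           : Use default
'@

function ConvertFrom-NetshNrpt([string]$Text) {
    # One object per "Settings for <namespace>" block. Keys are padded with
    # spaces before the colon, so a key line must start with a letter and have
    # whitespace before ':'; that keeps IPv6 continuation lines (which start
    # with a digit and contain colons) from being mistaken for key/value pairs.
    $rules = @(); $cur = $null; $lastKey = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*Settings for (\S+)\s*$') {
            $cur = New-Object PSObject -Property @{ Namespace = $Matches[1]; DnsServers = @(); Proxy = '' }
            $rules += $cur; $lastKey = $null; continue
        }
        if ($null -eq $cur) { continue }
        if ($line -match '^\s*([A-Za-z][^:]*?)\s+:\s*(.*)$') {
            $lastKey = $Matches[1]; $val = $Matches[2].Trim()
            if ($lastKey -eq 'DirectAccess (DNS Servers)') { if ($val) { $cur.DnsServers += $val } }
            elseif ($lastKey -eq 'DirectAccess (Proxy Settings)') { $cur.Proxy = $val }
        }
        elseif ($lastKey -eq 'DirectAccess (DNS Servers)' -and $line.Trim()) {
            $cur.DnsServers += $line.Trim()   # second (or later) DA DNS server
        }
    }
    return ,$rules
}

function Find-NrptRule($Rules, [string]$Name) {
    # Longest match wins: an exact FQDN entry beats the suffix entry that
    # contains it, and a longer suffix beats a shorter one.
    $best = $null; $n = $Name.ToLower()
    foreach ($r in $Rules) {
        $ns = $r.Namespace.ToLower()
        $hit = if ($ns.StartsWith('.')) { $n.EndsWith($ns) } else { $n -eq $ns }
        if ($hit -and ($null -eq $best -or $ns.Length -gt $best.Namespace.Length)) { $best = $r }
    }
    return $best
}

function Test-NrptRule($Rule) {
    # The exemption problem from the thread: no DA DNS servers, but proxy bypass forced.
    if ($Rule.DnsServers.Count -eq 0 -and $Rule.Proxy -eq 'Bypass proxy') {
        return "exemption '$($Rule.Namespace)' is set to 'Bypass proxy'; set it to 'Use default' or clients behind a web proxy cannot reach the IP-HTTPS URL"
    }
}

$text = if ($Live) { (netsh namespace show effectivepolicy) -join "`n" } else { $sample }
$rules = ConvertFrom-NetshNrpt $text
foreach ($r in $rules) { $w = Test-NrptRule $r; if ($w) { Write-Warning $w } }
foreach ($name in $Names) {
    $r = Find-NrptRule $rules $name
    if ($null -eq $r) { "$name -> no NRPT match; interface DNS, resolved over the internet" }
    elseif ($r.DnsServers.Count -eq 0) { "$name -> exemption '$($r.Namespace)'; interface DNS, not reachable over the DA tunnel (unusable as a DCA verifier)" }
    else { "$name -> rule '$($r.Namespace)'; queried over DA at $($r.DnsServers -join ', ')" }
}
```

    Against the sample it warns about da.mydomain.lt and shows sharepoint.mydomain.lt going over the DA tunnel to both ISATAP DNS addresses while nls.mydomain.lt stays on the interface DNS servers. The script only reports; the fix itself is still made in the DirectAccess GPO's Name Resolution Policy, as the reply above says.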
  • Windows Firewall needs to be enabled on both server and client for DA to work? Is this correct?
    Monday, June 10, 2013 3:43 PM
  • Yes, that is correct.
    Monday, June 10, 2013 4:38 PM