UAG Direct Access problems

  • Question

  • I ran all the wizards and everything looks good, but I encounter some problems.
    I followed the troubleshooting steps at http://www.windowsnetworking.com/articles_tutorials/7-Steps-Troubleshooting-DirectAccess-Clients.html

    I can see the Connection Rules in the Advanced Firewall 

    Running netsh dns show state


    Name Resolution Policy Table Options
    --------------------------------------------------------------------

    Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                            if the name does not exist in DNS or
                                            if the DNS servers are unreachable
                                            when on a private network

    Query Resolution Behavior             : Resolve only IPv6 addresses for names

    Network Location Behavior             : Never use Direct Access settings

    Machine Location                      : Outside corporate network

    Direct Access Settings                : Not Configured

    DNSSEC Settings                       : Not Configured


    Then I run netsh namespace show effectivepolicy

    DNS Effective Name Resolution Policy Table Settings
    Note: DirectAccess settings would be turned off when computer is inside corporate network

    Tuesday, August 21, 2012 5:21 PM

All replies

  • Make sure that the DirectAccess Clients GPO was successfully applied to your test machine. If that looks good, check this out: http://www.ivonetworks.com/news/2011/08/network-location-behavior-never-use-direct-access-settings/

    I noticed the "Never use Direct Access settings" verbiage in your output - this happens if the registry key I mention in that article gets set to 2.

    Tuesday, August 21, 2012 6:23 PM
  • Hi Jordan,

    I am also having the same issue and I have tried your steps, but I don't see a reg key in my registry as shown in your link. I'm using UAG/DA, and under HKLM\Software\Policies\Microsoft\Windows NT\DNSClient I see only this key: DnsSecureNameQueryFallback=0.

    Is anything wrong here? I have checked with a working DA client also, and I didn't find the key you mentioned in your post. I have compared the DA client registry values and couldn't find a different value applied in the non-working registry.

    This is my non-working DA client:

    C:\Windows\system32>netsh dnsclient sh sta
    Name Resolution Policy Table Options
    --------------------------------------------------------------------
    Query Failure Behavior                : Only use LLMNR and NetBIOS if the
                                            name does not exist in DNS
    Query Resolution Behavior             : Resolve only IPv6 addresses for names
    Network Location Behavior             : Never use Direct Access settings
    Machine Location                      : Inside corporate network
    Direct Access Settings                : Not Configured
    DNSSEC Settings                       : Not Configured

    Below are the registry values for the DNSClient registry key:

    Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient
    Class Name:        <NO CLASS>
    Last Write Time:   11/26/2012 - 10:25 AM
    Value 0
      Name:            DnsSecureNameQueryFallback
      Type:            REG_DWORD
      Data:            4


    Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig
    Class Name:        <NO CLASS>
    Last Write Time:   11/26/2012 - 9:43 AM

    Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig\UAGDA Rule 1
    Class Name:        <NO CLASS>
    Last Write Time:   11/26/2012 - 9:43 AM
    Value 0
      Name:            Version
      Type:            REG_DWORD
      Data:            0x1

    Value 1
      Name:            ConfigOptions
      Type:            REG_DWORD
      Data:            0x4

    Value 2
      Name:            Name
      Type:            REG_MULTI_SZ
      Data:            .corp.contoso.com

    Value 3
      Name:            DirectAccessDNSServers
      Type:            REG_SZ
      Data:            #####################

    Value 4
      Name:            DirectAccessQueryIPSECRequired
      Type:            REG_DWORD
      Data:            0

    Value 5
      Name:            DirectAccessQueryIPSECEncryption
      Type:            REG_DWORD
      Data:            0

    Value 6
      Name:            IPSECCARestriction
      Type:            REG_SZ
      Data:            DC=com, DC=contoso, DC=corp, CN=corp-DC1-CA

    Value 7
      Name:            DirectAccessProxyName
      Type:            REG_SZ
      Data:            

    Value 8
      Name:            DirectAccessProxyType
      Type:            REG_DWORD
      Data:            0


    Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig\UAGDA Rule 2
    Class Name:        <NO CLASS>
    Last Write Time:   11/26/2012 - 9:43 AM
    Value 0
      Name:            Version
      Type:            REG_DWORD
      Data:            0x1

    Value 1
      Name:            ConfigOptions
      Type:            REG_DWORD
      Data:            0x4

    Value 2
      Name:            Name
      Type:            REG_MULTI_SZ
      Data:            nls.corp.contoso.com

    Value 3
      Name:            DirectAccessDNSServers
      Type:            REG_SZ
      Data:            

    Value 4
      Name:            DirectAccessQueryIPSECRequired
      Type:            REG_DWORD
      Data:            0

    Value 5
      Name:            DirectAccessQueryIPSECEncryption
      Type:            REG_DWORD
      Data:            0

    Value 6
      Name:            IPSECCARestriction
      Type:            REG_SZ
      Data:            DC=com, DC=contoso, DC=corp, CN=corp-DC1-CA

    Value 7
      Name:            DirectAccessProxyName
      Type:            REG_SZ
      Data:            

    Value 8
      Name:            DirectAccessProxyType
      Type:            REG_DWORD
      Data:            0x1

    Please help me to understand where the issue is.

    Thanks beforehand

    Monday, November 26, 2012 3:53 PM
  • I would go ahead and create the registry key, set it to zero, and reboot the computer. See if that clears up the issue.
    Monday, November 26, 2012 5:17 PM
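
A parser for the `netsh dnsclient show state` output quoted in this thread, added here as an example and not posted by any participant: it joins wrapped value lines and flags the `Network Location Behavior` value the first reply points to. The function names and finding codes are made up for the example, and the sample text is reconstructed from the second reply.

```python
import re

# Constructed sample: the non-working client's output from the second reply,
# kept with the forum's 4-space indent and the wrapped value line.
SAMPLE = """\
    Name Resolution Policy Table Options
    --------------------------------------------------------------------
    Query Failure Behavior                : Only use LLMNR and NetBIOS if the
                                            name does not exist in DNS
    Query Resolution Behavior             : Resolve only IPv6 addresses for names
    Network Location Behavior             : Never use Direct Access settings
    Machine Location                      : Inside corporate network
    Direct Access Settings                : Not Configured
    DNSSEC Settings                       : Not Configured
"""

FIELD = re.compile(r"^(.+?)\s+:\s+(.*)$")  # "Key   : value"

def parse_state(text):
    """Map each field to its value, joining wrapped continuation lines."""
    fields, last, key_indent = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue  # blank line or the dashed separator
        indent = len(raw) - len(raw.lstrip())
        m = FIELD.match(line)
        if m:
            last, key_indent = m.group(1), indent
            fields[last] = m.group(2)
        elif last is not None and indent > key_indent:
            fields[last] += " " + line  # wrapped value, indented deeper than its key
        else:
            last = None  # header or note line, not part of any field
    return fields

def triage(fields):
    """Return finding codes (hypothetical names) for the states discussed above."""
    findings = []
    if fields.get("Network Location Behavior") == "Never use Direct Access settings":
        findings.append("nrpt-da-never-used")
    if fields.get("Direct Access Settings") == "Not Configured":
        findings.append("da-settings-not-configured")
    if fields.get("Machine Location") == "Inside corporate network":
        findings.append("machine-location-inside")
    return findings

if __name__ == "__main__":
    state = parse_state(SAMPLE)
    print(state["Query Failure Behavior"])
    print(triage(state))
```
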