DirectAccess corrupts the Active Directory computer membership


  • I´ve seen this couple of times around Windows Server 2012 R2 and Windows 7 clients, where when DA is implemented, _randomly_ at some point the membership of AD fails and computers start to receive an error that they cannot login to domain. This happends at LAN connection, so DA is not interfered here, but I assume it has broke the AD membership before.

    This was 100% proven, that these AD login problems happends ONLY with DA client computers. A computer without DA client GPO does not have this problem.

    Is there a known fix or hotifix for this?

    Please remember to mark my post as an answer, if I really helped you out, or vote if usefull. Thank you!

    • Edited by yannara Wednesday, March 21, 2018 9:27 AM
    Wednesday, March 21, 2018 9:23 AM

All replies

  • I have never seen this happen, but what could actually be happening is if the NLS server is suddenly unavailable for those Win7 clients, that could cause them to have all kinds of problems with authenticating to AD. If/when a DA client cannot see NLS, it will "think" it is outside the network and will try to connect via DA. More importantly, it will try sending all of your DNS lookups inside the DA tunnels, which aren't actually connected because you are inside the network. In this case, where a DA client is inside the network but NLS is offline (or the cert on NLS has expired), those DA clients will fail to resolve any server names, including your domain controllers. This could cause the behavior you have seen.

    This is part of the reason why you should always have NLS on its own server - if NLS stops working it is way harder to troubleshoot it when it's co-hosted on the DA server itself. On the other hand, if your NLS is running its own website on its own webserver, it's a very simple thing to keep up and running.

    My only other idea on this one, if you think it is not a problem with NLS, is to check and see if the customer is still running FRS in their environment. DirectAccess is not supported in an FRS domain, because FRS does all kinds of crazy stuff. It actually deletes GPOs randomly. You must be cut over to DFSR in order to support DirectAccess (or really to fully support having any Server 2012 domain controller in your network - the problems with FRS are not limited only to DA)

    Thursday, March 22, 2018 1:16 PM
  • This is very good guess, thanks Jordan. If NLS is not available, all DNS stops and it _looks_like_it_would_be_a_corruption. Previously I solved those situations to disjoin and re-join computer to domain to get rid of DA policies, it was only way. That´s why I had the understanding/feeling, it would be a AD corruption.

    Please remember to mark my post as an answer, if I really helped you out, or vote if usefull. Thank you!

    Sunday, March 25, 2018 6:14 PM