Direct Access - Losing connectivity to the Domain Controller

    Question

  • Hello,

    Please help me identify why my Direct Access server is losing access to the Domain Controller. 

    Background:

    - we already have a running DA setup, but a single-NIC one

    - dual-NIC setup is what I'm trying to do

    - IMPORTANT: The internal NIC is in the same VLAN as the running single-NIC server, which means this is not a firewall issue

    Configuration:

    - gateway specified only on the external adapter

    - DNS specified only on the internal adapter

    - Bindings: Internal network interface is listed first in the list of connections.

    - Static route is specified for the internal network

    What's happening:

    - everything looks ok when the Direct Access server boots up, dashboard green etc.

    - after about 20-25 minutes, connection to the Domain Controllers is lost

    - Domain Controllers remain pingable

    - Get-DAEntryPoint : A domain controller cannot be reached for [domain.name]

    Tried going through the event viewer but could not find anything that could point me in the right direction. Any help is appreciated.

    Kind regards,

    Wojciech

    EDIT:

    Forgot to mention. I have a second server prepared in a similar way when it comes to the NIC configuration, as I plan on setting up an NLB cluster. The difference is that I had not completed the Direct Access initial setup. This server does not experience any issues with domain connectivity, which means this is 100% not network related but probably a GPO/DA setup problem.

    • Edited by rozanw Wednesday, June 13, 2018 2:53 PM
    Wednesday, June 13, 2018 2:26 PM

All replies

  • Hi,

    Have a nice day! Thanks for your question.

    Please check whether the DA's network adapter is connected to the domain network, like below.

    Did you specify a DNS server for DA?

    Please check whether the DA_server GPO is applied to the DA server by running gpresult /r on the DA server to verify it.

    Is there now one NIC on DA?

    For testing purposes, please turn off the firewall on both DA and DC.

    Here is an article that talks about this topic in detail. Hope this helps. I look forward to hearing your good news.

    Troubleshooting Setting the Entry Point Domain Controller

    https://docs.microsoft.com/en-us/windows-server/remote/remote-access/ras/multisite/troubleshoot/troubleshooting-setting-the-entry-point-domain-controller

    Highly appreciate your effort and time. If you have any question or concern, please feel free to let me know.

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, June 14, 2018 5:42 AM
  • Hi,

    The internal adapter is connected to the domain network.

    The DNS servers are specified on that adapter. Even when I lose the connectivity, I can still resolve domain resources with nslookup. 

    The DA GPO is properly applied to the system. 

    There are 2 NICs, but even when I disable the external one, the problem still occurs. 

    Firewall is off by default on our servers, except the DA. But even turning it off does not make any difference. I enabled logging on the FW, but it does not show any dropped packets.

    I'm not using multisite, so the article you recommend does not help me.

    Kind regards,

    Wojciech

    Thursday, June 14, 2018 10:58 AM
  • Hello,

    Actually, I was able to find where the problem is. But I'm still having a hard time figuring out what exactly caused it.

    Since I saw the connectivity jumping from working to not working, I installed Wireshark on the DA server and did some testing. Each time I initiated a connection to the domain, when the source port I had assigned was below 6000, I had access. However, the moment I went above port 6000, the connection could not be established.

    We have this policy in place:
    Hive:       HKEY_LOCAL_MACHINE
    Key path:   SOFTWARE\Microsoft\Rpc\Internet
    Value name: Ports
    Value type: REG_MULTI_SZ
    Value:      5010-6000

    Which matches my findings and would explain this odd behavior. 

    Now there are still a few mysteries:
    1) Those problems only occur after the initial setup of Direct Access. So at first glance, I should look at the DA Servers policy. But I went through it and either I missed something, I don't know what to look for, or there is nothing that would control this.
    2) We have another DA setup that does not have this problem. I've compared the server policies but could not find any particular differences regarding port numbers. I also checked the Get-NetNatTransitionConfiguration cmdlet, but the output is the same. 

    I'll still be looking myself and I'll have my Team help me, but I'd appreciate it if you could let me know whether this sheds some light and if you might have some ideas on what to check.

    Kind regards,

    Wojciech

    Tuesday, June 19, 2018 8:58 AM
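
An added example, not part of the thread or of any Microsoft tooling: a PowerShell script that correlates the Rpc\Internet port policy quoted in the last post with the TCP stack's dynamic port range and with the source ports of live connections to the domain controllers, so that the "source port above 6000 fails" observation can be checked on the server without a packet capture. It assumes it is run in an elevated PowerShell session on the DirectAccess server, that the domain name can be taken from $env:USERDNSDOMAIN, and that Resolve-DnsName can reach a DNS server serving the _msdcs SRV records. The ConvertTo-PortRange and Test-PortInRanges helper names are the example's own.

```powershell
# Added example (not from the thread): check the RPC port restriction policy against
# the host's dynamic port range and the source ports used toward the domain controllers.
# Assumption: domain taken from $env:USERDNSDOMAIN; override with -Domain if needed.
param([string]$Domain = $env:USERDNSDOMAIN)

# --- 1. Read the RPC port restriction policy (the key quoted in the thread) ---
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$rpc    = Get-ItemProperty -Path $rpcKey -ErrorAction SilentlyContinue

function ConvertTo-PortRange {
    # Turn REG_MULTI_SZ entries such as '5010-6000' or '135' into Start/End objects.
    param([string[]]$Entries)
    foreach ($e in $Entries) {
        if ($e -match '^\s*(\d+)\s*-\s*(\d+)\s*$') {
            [pscustomobject]@{ Start = [int]$Matches[1]; End = [int]$Matches[2] }
        } elseif ($e -match '^\s*(\d+)\s*$') {
            [pscustomobject]@{ Start = [int]$Matches[1]; End = [int]$Matches[1] }
        }
    }
}

function Test-PortInRanges {
    # True when $Port falls inside any of the parsed ranges.
    param([int]$Port, [object[]]$Ranges)
    foreach ($r in $Ranges) {
        if ($Port -ge $r.Start -and $Port -le $r.End) { return $true }
    }
    return $false
}

if ($null -eq $rpc -or -not $rpc.Ports) {
    Write-Host "No RPC port restriction found under $rpcKey"
    $ranges = @()
} else {
    $ranges = @(ConvertTo-PortRange -Entries $rpc.Ports)
    Write-Host ("RPC\Internet policy: Ports={0} PortsInternetAvailable={1} UseInternetPorts={2}" -f `
        ($rpc.Ports -join ','), $rpc.PortsInternetAvailable, $rpc.UseInternetPorts)
}

# --- 2. Dynamic (ephemeral) port range the TCP stack actually hands out ---
Get-NetTCPSetting |
    Where-Object { $_.DynamicPortRangeStartPort } |
    ForEach-Object {
        $end = $_.DynamicPortRangeStartPort + $_.DynamicPortRangeNumberOfPorts - 1
        Write-Host ("TCP profile {0}: dynamic ports {1}-{2}" -f $_.SettingName, $_.DynamicPortRangeStartPort, $end)
    }

# --- 3. Locate the domain controllers through the _msdcs SRV records ---
$dcNames = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
    Where-Object { $_.NameTarget } |
    Select-Object -ExpandProperty NameTarget -Unique
$dcIps = foreach ($n in $dcNames) {
    Resolve-DnsName -Name $n -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress } |
        Select-Object -ExpandProperty IPAddress
}
Write-Host ("Domain controllers for {0}: {1}" -f $Domain, ($dcIps -join ', '))

# --- 4. List live connections to the DCs, flagging source ports outside the policy ---
Get-NetTCPConnection |
    Where-Object { $dcIps -contains $_.RemoteAddress } |
    ForEach-Object {
        $inPolicy = if ($ranges.Count -eq 0) { 'n/a' }
                    elseif (Test-PortInRanges -Port $_.LocalPort -Ranges $ranges) { 'yes' }
                    else { 'NO' }
        [pscustomobject]@{
            Remote      = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
            LocalPort   = $_.LocalPort
            State       = $_.State
            InRpcPolicy = $inPolicy
        }
    } |
    Sort-Object InRpcPolicy, LocalPort |
    Format-Table -AutoSize
```

Rows marked InRpcPolicy = NO are connections to a domain controller whose local source port lies outside the Ports value in the policy; comparing that column with the dynamic port range printed in step 2 shows whether the stack is allocating ports the policy never allowed, which is the condition the last post describes. Run it once while the dashboard is green and again after connectivity drops to see whether the port pattern changes.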