DA Multisite Server 2019 Bugs

  • Question

  • hey guys,

    TechNet here says that IPv6 must be configured on the corporate network when using multi-site. Is this the case? I've set up a lab with two sites and four DA servers with GSLB etc. I can get the infrastructure tunnel to come up and can RDP to domain controllers, but the user tunnel doesn't come up; I can only ping stuff. The connectivity status remains "connecting..".

    We can't go down the road of IPv6, so we need to know; we will move to Always On if this is the case, as we need multi-site.

    • Edited by Amayacitta Tuesday, January 1, 2019 8:57 AM Changed title to reflect issue more accurately
    Thursday, December 20, 2018 11:08 AM

All replies

  • No, you definitely do NOT need IPv6 inside your network in order to use Multi-Site DirectAccess. I have lots of customers running Multi-Site setups in entirely IPv4 internal networks.

    If you want to be able to do manage-out functionality, that is when IPv6 becomes required in a Multi-Site environment.

    Thursday, December 20, 2018 1:33 PM
  • Ok thanks, I'll continue to diagnose. It's weird: I get infrastructure connectivity, but the user tunnels don't come up fully.

    Here is an extract of the log. The DirectAccess-WebProbeHost is reachable from the corporate network and all DA servers. Not sure why it can't be reached; I can ping it when connected and get an IPv6 response no problem. I've masked some of the information below with X's.

    [20/12/2018 13:39:24]: Running IPsec infrastructure tunnel tests.
    [20/12/2018 13:39:24]: Successfully connected to domain sysvol share, found 33 policies.
    [20/12/2018 13:39:24]: Running IPsec intranet tunnel tests.
    [20/12/2018 13:39:24]: Successfully reached fdXX:XX5e:d40c:2222::1, RTT is 2 msec.
    [20/12/2018 13:39:36]: Failed to connect to fdXX:XX5e:d40c:2222::2 with status TimedOut.
    [20/12/2018 13:39:48]: Failed to connect to fdXX:XX5e:d40c:2223::1 with status TimedOut.
    [20/12/2018 13:40:00]: Failed to connect to fdXX:XX5e:d40c:2223::2 with status TimedOut.
    [20/12/2018 13:40:30]: Failed to connect to HTTP probe at http://directaccess-WebProbeHost.XX.XXXXX.XX.XX

    This only happened when enabling multi-site, with a single site it all functioned OK.

    • Edited by Amayacitta Thursday, December 20, 2018 1:43 PM
    Thursday, December 20, 2018 1:42 PM
  • One thing I noticed was under step 2 when I hit configure: I see an internal IPv6 prefix. If I compare this to the client IPv6 prefixes for each entry point, the client prefix for entry point one has the same global ID as the internal IPv6 prefix. It has a unique subnet though, so I'm guessing that's OK as it doesn't overlap. The client prefix for entry point 2 has a completely different global ID and subnet.

    Before joining the multi-site I had IPv4 on external and internal adaptors; I never configured the internal IPv6 prefix.

    This is on server 2019 by the way, I'm hoping they haven't changed something.

    Thursday, December 20, 2018 2:02 PM
  • Update. I reverted the config back to a single site and it works fine again.

    I've got a case open with Microsoft to find out what is up.

    Thursday, December 20, 2018 5:47 PM
  • Unfortunately, I'm not getting anywhere with Microsoft Support at the moment, their help desk is understaffed and overloaded. Christmas is always a fun time.

    Does anyone else have a multi-site DA setup to compare some things? Here is the troubleshooter log, which shows the infrastructure dynamic tunnel endpoint is UP and working (the first one in the list below), which explains why I can RDP to my domain controllers and ping internal resources successfully. The second one below is the user/intranet tunnel; this doesn't come up. I assume the last two will never come up as they are on the site I'm not connecting to. If I was to flick my GSLB priorities I think the second two will work... I'll test that later.

    [24/12/2018 11:04:54]: Successfully reached fd78:89a7:XXXX:2222::1, RTT is 13 msec.
    [24/12/2018 11:05:05]: Failed to connect to fd78:89a7:XXXX:2222::2 with status TimedOut.
    [24/12/2018 11:05:17]: Failed to connect to fd78:89a7:XXXX:2223::1 with status TimedOut.
    [24/12/2018 11:05:29]: Failed to connect to fd78:89a7:XXXX:2223::2 with status TimedOut.

    When I do an ipconfig from a DA server in my second entry point I see both infrastructure and intranet DTE addresses on the IP-HTTPS adapter.

    Tunnel adapter Microsoft IP-HTTPS Platform Interface:

       Connection-specific DNS Suffix  . :
       IPv6 Address. . . . . . . . . . . : fd78:89a7:XXXX:2223::1
       IPv6 Address. . . . . . . . . . . : fd78:89a7:XXXX:2223::2
       IPv6 Address. . . . . . . . . . . : fd9f:eb5e:XXXX:2223::1
       Link-local IPv6 Address . . . . . : fe80::346c:f0b5:47b4:9ac6%3
       Default Gateway . . . . . . . . . :

    When I do the same from a DA server in my first entry point I only see an IPv6 address for the infrastructure tunnel, not the intranet tunnel. I think this is the cause of the issue but can't explain why or work out how to fix it.

    Does anyone else have a setup they can look at to compare?

    • Edited by Amayacitta Saturday, December 29, 2018 11:36 AM removed ipv6 addresses
    Monday, December 24, 2018 11:50 AM
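A small added helper (not from the thread) that reads the troubleshooter's DTE test lines in the format quoted above, groups them per entry point /64 and flags the pattern described here: infrastructure DTE reachable, intranet DTE timing out. The sample log is constructed; it assumes the ::1/::2 role convention visible in the thread's addresses.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the troubleshooter output quoted above (addresses made up).
SAMPLE_LOG = """\
[24/12/2018 11:04:54]: Running IPsec infrastructure tunnel tests.
[24/12/2018 11:04:54]: Successfully connected to domain sysvol share, found 33 policies.
[24/12/2018 11:04:54]: Running IPsec intranet tunnel tests.
[24/12/2018 11:04:54]: Successfully reached fd78:89a7:1234:2222::1, RTT is 13 msec.
[24/12/2018 11:05:05]: Failed to connect to fd78:89a7:1234:2222::2 with status TimedOut.
[24/12/2018 11:05:17]: Failed to connect to fd78:89a7:1234:2223::1 with status TimedOut.
[24/12/2018 11:05:29]: Failed to connect to fd78:89a7:1234:2223::2 with status TimedOut.
"""

OK_RE = re.compile(r"Successfully reached ([0-9a-fA-F:]+), RTT is (\d+) msec")
FAIL_RE = re.compile(r"Failed to connect to ([0-9a-fA-F:]+) with status (\w+)")

# Assumption (from the thread's addresses): interface ID ::1 = infrastructure DTE, ::2 = intranet DTE.
ROLE_BY_HOST_ID = {1: "infrastructure", 2: "intranet"}


def parse_dte_results(log_text):
    """Map each tested DTE address to ('ok', rtt_ms) or ('fail', status)."""
    results = {}
    for line in log_text.splitlines():
        m = OK_RE.search(line)
        if m:
            results[ipaddress.IPv6Address(m.group(1))] = ("ok", int(m.group(2)))
            continue
        m = FAIL_RE.search(line)
        if m:
            results[ipaddress.IPv6Address(m.group(1))] = ("fail", m.group(2))
    return results


def entry_point_status(results):
    """Group DTEs by their /64 (one prefix per entry point) and record each role's outcome."""
    by_prefix = defaultdict(dict)
    for addr, outcome in results.items():
        prefix = str(ipaddress.IPv6Network((int(addr), 64), strict=False))
        host_id = int(addr) & ((1 << 64) - 1)
        by_prefix[prefix][ROLE_BY_HOST_ID.get(host_id, "other")] = outcome[0]
    return dict(by_prefix)


def diagnose(status):
    """Entry points where the infrastructure DTE answers but the intranet DTE does not:
    the symptom in this thread (client stuck at 'Connecting', RDP to DCs works)."""
    return sorted(p for p, roles in status.items()
                  if roles.get("infrastructure") == "ok" and roles.get("intranet") == "fail")
```

Entry points whose both DTEs time out (the site the client is not currently homed to) are left out of the diagnosis on purpose, since that matches the expected multi-site behaviour described above.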
  • Seems the issue of the intranet DTE not being present on the first entry point applies to 2019 server only. I've just flattened it all and rolled back to 2016 with the same configuration, and have no issues at all. I also tried rebuilding 2019 from scratch just in case I made a mistake, but the same issue repeats itself.

    I'll follow this up with Microsoft and hopefully a hotfix can be made.

    • Edited by Amayacitta Saturday, December 29, 2018 11:39 AM
    Saturday, December 29, 2018 11:38 AM
  • Microsoft have acknowledged this is a bug for 2019, along with another bug where the client IPv6 prefix route is not published properly. Waiting for a hotfix still; apparently there is a beta hotfix but I can't get access to it.
    Friday, January 18, 2019 8:40 PM