DirectAccess 2012 not able to connect


  • Hi Richard - the DCA logs show the client inside the corporate network - have you run through all the relevant checks to ensure the client is enabled for DA and that there is no config missing?

    Is the client DA enabled (in the GPO Group Required by DA)

    Have the GPOs been applied (check the advanced settings of Windows Firewall for connection security rules)

    Double check the computer certificates of both client and server

    Enable CAPI2 logging in the Event Viewer to check certificate errors

    Ensure Windows Firewall is enabled for Public / Private

    Use the DA troubleshooting client - http://www.microsoft.com/en-gb/download/details.aspx?id=41938



    john davies

    Saturday, July 26, 2014 5:51 AM
  • Thanks for your reply, John.  I was outside of the corporate network when I ran the Connectivity Assistant.  I wonder if that's the problem.

    I ran the DA Client Troubleshooting Tool and saw some issues. Again, I did this from outside of the corporate network.

    Issues I saw were:

    - No response from richardenterprises.net
    - Failed to connect to domain sysvol share
    - User tunnel tests failed

    How do I make the client know it's outside of the network?

    Tracelog from the DA Client Troubleshooting Tool:  https://onedrive.live.com/redir?resid=270A675D98E09864!111&authkey=!ANAcs7IPj2hbny0&ithint=file%2clog

    Thanks!

    Monday, July 28, 2014 3:06 AM
  • What is the status of your NLS server? Is it on-box with the DirectAccess server?

    Also what connection protocol are you trying to use 6to4, Teredo or IP-HTTPs?



    Ryan Betts MCSE, MCITP, MCSA, MCTS

    blog.ryanbetts.co.uk

    Monday, July 28, 2014 4:52 PM
  • The NLS server is on the DirectAccess server.  The client uses a hostname to find it, but the hostname isn't resolvable via public DNS.  Proper configuration on this part, correct?

    I'm honestly not sure which connection protocol I'm trying to use.  This was an inherited setup from a previous admin.  I believe we're using Teredo, but how would I even verify that?  I don't see it in the configuration.

    Review Remote Access configuration settings

    GPO Settings

    RICHARDENTERPRISES

    DirectAccess server GPO name: DirectAccess Server Settings
    Client GPO name: DirectAccess Client Settings

    Remote Clients

      • DirectAccess client access and remote management is enabled
      • DirectAccess security groups: DOMAIN\DA Computers
      • Force tunneling is disabled
      • Resource used to verify internal network connectivity: PING:SDSIDC03.richardenterprises.net
      • DirectAccess connection name: Richard Enterprises HQ DirectAccess
      • Helpdesk email address: Richard.long@richardenterprises.net
      • DirectAccess clients can select to use local DNS servers for name resolution

    Remote Access Server

    DirectAccess Configuration

      • Public name or address to which clients connect: 209.12.175.195
      • Network adapter connected to the external network: WAN Team.
      • Network adapter connected to the internal network: LAN Team.
      • Internal network subnets: 2002:46a8:346c:1::/64
      • The root certificate to which remote clients chain is: CN=smartdrive-richardDC03-CA, DC=richardenterprises, DC=net
      • IP-HTTPS certificate: 209.12.175.195
      • Two-factor authentication is not enabled
      • Windows 7 client computers can connect via DirectAccess

    VPN is enabled

      • Clients not supported for DirectAccess can connect over VPN
      • VPN client address assignment: static address pools: 10.0.1.101 - 10.0.1.201
      • Authenticate VPN clients using Windows authentication

    Infrastructure Servers

      • Network location server certificate: CN=richardDA01.smartdrive.net
      • DNS suffixes used by clients to determine DNS queries to be directed to internal DNS servers:

        Name Suffix                      DNS Server Address
        dev.richardsystems.com           2002:46a8:346c:3333::1
        staging.richardsystems.com       2002:46a8:346c:3333::1
        qa.richardsystems.com            2002:46a8:346c:3333::1
        richardsystems.net               2002:46a8:346c:3333::1
        richardsystems.com               2002:46a8:346c:3333::1
        monitor.richardsystems.com       2002:46a8:346c:3333::1
        richardDA01.richard.net

      • Local name resolution option: Use local name resolution if DNS servers are unavailable, or the name does not exist in DNS
      • Management server subnets used for remote client management (IP Address/IPv6 Prefix/Name):
        SCCMDP01.richard.net
        SCCM-SS01.Monitor.richardsystems.com

    Application Servers

      • DirectAccess client access and remote management is enabled. End-to-end authentication to specific application servers is disabled

    Monday, July 28, 2014 6:57 PM
  • NLS is correct yes.

    Teredo is basically the only connection protocol that will work efficiently in my opinion. 6to4 requires the clients to have their own public IPs, which hardly any will. IP-HTTPS is TCP and therefore handshakes, not to mention the double encryption. The double encryption from SSL and IP-HTTPS was apparently nulled, but if you read this post it clarifies that it's not technically true: http://directaccess.richardhicks.com/2014/06/24/directaccess-ip-https-null-encryption-and-sstp-vpn/ I unfortunately learned this the hard way by deploying in production. IP-HTTPS and NAT give TERRIBLE performance.

    For Teredo to work the external interface must be configured with consecutive public IPs, and if you are using NLB there must also be secondary public IPs on each interface.

    Monday, July 28, 2014 7:14 PM
    Hi Richard - Apologies for the delay in replying - judging from the above all appears correct, and looking at the logs nothing really unusual strikes me. However, although you are using hosts files, a public DNS entry would be better in the long run, with a public certificate for the IP-HTTPS. The former does not fix the issue though. Looking at the logs and the configuration you only have one IP (as Ryan pointed out) and therefore connectivity will only be via HTTPS. Therefore please open the Event Viewer on both the client and the DA server, and navigate to Applications and Services Logs, Microsoft, Windows, CAPI2, Operational. Enable logging on both. Place the client on the Internet and try to connect to DA. Capture any errors in these logs, as certificates will usually be the issue.

    Although old, this link still works well for troubleshooting:

    http://www.windowsnetworking.com/articles-tutorials/trouble/7-Steps-Troubleshooting-DirectAccess-Clients.html


    john davies

    Tuesday, July 29, 2014 7:04 AM
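    Walking the checklist from the two replies above on the client side (DA GPO applied, NLS and NRPT state, IP-HTTPS/Teredo transition state, computer certificate, firewall profiles, and enabling the CAPI2 Operational log) as one read-only script is an added example, not code from any poster in this thread. It assumes a Windows 8.1 client with an elevated PowerShell prompt, and takes the client GPO name from Richard's posted configuration report.

```powershell
# Added example: read-only DirectAccess client health check (not from the thread).
# Assumes Windows 8.1, elevated prompt; GPO name is taken from the posted report.
$daClientGpo = 'DirectAccess Client Settings'

Write-Host "== Client DA experience settings (DirectAccessClientComponents module) =="
Get-DAClientExperienceConfiguration |
    Select-Object FriendlyName, ForceTunneling, PassiveMode, SupportEmail

Write-Host "`n== Is the DA client GPO applied to this computer? =="
$applied = gpresult /r /scope:computer | Select-String -SimpleMatch $daClientGpo
if ($applied) { Write-Host "GPO '$daClientGpo' is applied" }
else          { Write-Warning "GPO '$daClientGpo' not found in gpresult output" }

Write-Host "`n== Network location (NLS probe URL and current inside/outside verdict) =="
# The NLS URL must resolve and answer only from the corporate network; the
# 'Machine Location' line shows how the client classified itself right now.
Get-NCSIPolicyConfiguration | Select-Object DomainLocationDeterminationUrl
netsh dns show state | Select-String 'Machine Location'

Write-Host "`n== Effective NRPT rules (which suffixes go to the internal DNS server) =="
Get-DnsClientNrptPolicy -Effective |
    Select-Object Namespace, DirectAccessDnsServers, DirectAccessEnabled

Write-Host "`n== Transition technologies: which one the client is actually using =="
Get-NetIPHttpsConfiguration | Select-Object ServerURL, State
Get-NetIPHttpsState
Get-NetTeredoState

Write-Host "`n== IPsec main-mode SAs (empty means no DA tunnel was established) =="
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint

Write-Host "`n== Computer certificate(s) with the Client Authentication EKU =="
# The DA client authenticates the IPsec tunnels with a machine certificate
# chaining to the CA named in the server configuration.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Client Authentication' } |
    Select-Object Subject, Issuer, NotAfter

Write-Host "`n== Firewall profiles (DA requires Public and Private to be enabled) =="
Get-NetFirewallProfile -Name Public, Private | Select-Object Name, Enabled

Write-Host "`n== CAPI2 Operational log: enable it, then list recent error events =="
wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CAPI2/Operational'; Level = 2 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

    Run the same CAPI2 section on the DA server as well, then repeat the connection attempt from the Internet so chain-building and revocation errors are captured on both ends.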
  • John,

    Thanks for your reply.  Where do you see one IP configured?  I have two configured on the external facing NIC.

    I followed the link you suggested and got this output:

    Microsoft Windows [Version 6.3.9600]
    (c) 2013 Microsoft Corporation. All rights reserved.

    C:\Users\richard>netsh dns show state

    Name Resolution Policy Table Options
    --------------------------------------------------------------------

    Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                            if the name does not exist in DNS or
                                            if the DNS servers are unreachable
                                            when on a private network

    Query Resolution Behavior             : Resolve only IPv6 addresses for names

    Network Location Behavior             : Let Network ID determine when Direct
                                            Access settings are to be used

    Machine Location                      : Outside corporate network

    Direct Access Settings                : Configured and Enabled

    DNSSEC Settings                       : Not Configured


    C:\Users\richard>netsh namespace show effectivepolicy

    DNS Effective Name Resolution Policy Table Settings


    Settings for SDSIDA01.richardenterprises.net
    ----------------------------------------------------------------------
    DirectAccess (Certification Authority)  :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (Proxy Settings)           : Use default browser settings


    Settings for .monitor.richardenterprisessystems.com
    ----------------------------------------------------------------------
    DirectAccess (Certification Authority)  :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (DNS Servers)              : 2002:46a8:346c:3333::1
    DirectAccess (Proxy Settings)           : Bypass proxy


    Settings for .richardenterprisessystems.com
    ----------------------------------------------------------------------
    DirectAccess (Certification Authority)  :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (DNS Servers)              : 2002:46a8:346c:3333::1
    DirectAccess (Proxy Settings)           : Bypass proxy


    Settings for .richardenterprises.net
    ----------------------------------------------------------------------
    DirectAccess (Certification Authority)  :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (DNS Servers)              : 2002:46a8:346c:3333::1
    DirectAccess (Proxy Settings)           : Bypass proxy


    Settings for .qa.richardenterprisessystems.com
    ----------------------------------------------------------------------
    DirectAccess (Certification Authority)  :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (DNS Servers)              : 2002:46a8:346c:3333::1
    DirectAccess (Proxy Settings)           : Bypass proxy


    Settings for .staging.richardenterprisessystems.com
    ----------------------------------------------------------------------
    DirectAccess (Certification Authority)  :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (DNS Servers)              : 2002:46a8:346c:3333::1
    DirectAccess (Proxy Settings)           : Bypass proxy


    Settings for .dev.richardenterprisessystems.com
    ----------------------------------------------------------------------
    DirectAccess (Certification Authority)  :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (DNS Servers)              : 2002:46a8:346c:3333::1
    DirectAccess (Proxy Settings)           : Bypass proxy

    C:\Users\richard>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : richard-x240
       Primary Dns Suffix  . . . . . . . : richardenterprises.net
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : richardenterprises.net
                                           richardenterprisessystems.com
                                           monitor.richardenterprisessystems.com
                                           qa.richardenterprisessystems.com
                                           staging.richardenterprisessystems.com
                                           dev.richardenterprisessystems.com

    Wireless LAN adapter Local Area Connection* 13:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Hosted Network Virtual Adapter
       Physical Address. . . . . . . . . : EA-2A-EA-0C-E2-8E
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes

    Wireless LAN adapter Local Area Connection* 12:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
       Physical Address. . . . . . . . . : E8-2A-EA-0C-E2-8F
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes

    Ethernet adapter Bluetooth Network Connection:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
       Physical Address. . . . . . . . . : E8-2A-EA-0C-E2-92
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes

    Wireless LAN adapter Wi-Fi:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 7260
       Physical Address. . . . . . . . . : E8-2A-EA-0C-E2-8E
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2600:1012:b127:be8e:fd9d:3679:f76d:187c(Preferred)
       Temporary IPv6 Address. . . . . . : 2600:1012:b127:be8e:7c0d:e512:7d90:c46d(Preferred)
       Link-local IPv6 Address . . . . . : fe80::fd9d:3679:f76d:187c%4(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.2(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Wednesday, July 30, 2014 9:19:11 AM
       Lease Expires . . . . . . . . . . : Thursday, July 31, 2014 9:19:11 AM
       Default Gateway . . . . . . . . . : fe80::215:ffff:fe8f:9ec2%4
                                           192.168.1.1
       DHCP Server . . . . . . . . . . . : 192.168.1.1
       DHCPv6 IAID . . . . . . . . . . . : 384314090
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-3B-27-B3-28-D2-44-8C-13-06

       DNS Servers . . . . . . . . . . . : 192.168.1.1
       Primary WINS Server . . . . . . . : 192.168.1.1
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter Ethernet:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : richardenterprises.net
       Description . . . . . . . . . . . : Intel(R) Ethernet Connection I218-LM
       Physical Address. . . . . . . . . : 28-D2-44-8C-13-06
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter isatap.{0A3ACF23-D6FD-47F6-91B8-E5E43DF81BAA}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2001:0:d10c:afc3:3401:ede1:b92e:2f98(Preferred)
       Link-local IPv6 Address . . . . . : fe80::3401:ede1:b92e:2f98%21(Preferred)
       Default Gateway . . . . . . . . . :
       DHCPv6 IAID . . . . . . . . . . . : 553648128
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-3B-27-B3-28-D2-44-8C-13-06

       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter iphttpsinterface:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : iphttpsinterface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2002:46a8:346c:1000:bc7f:1f46:b190:e852(Preferred)
       Temporary IPv6 Address. . . . . . : 2002:46a8:346c:1000:4e3:9a37:3998:f4ac(Preferred)
       Link-local IPv6 Address . . . . . : fe80::bc7f:1f46:b190:e852%22(Preferred)
       Default Gateway . . . . . . . . . :
       DHCPv6 IAID . . . . . . . . . . . : 369098752
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-3B-27-B3-28-D2-44-8C-13-06

       NetBIOS over Tcpip. . . . . . . . : Disabled

    C:\Users\richard>nltest /dsgetdc:
    Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

    C:\Users\richard>

    Thanks


    Wednesday, July 30, 2014 4:16 PM
  • Hi Richard - I may be mistaken, but I was sure I saw just one in the logs - however, no dramas, let's continue. Certainly looks as if everything is in place so far (with the exception of no public DNS name and using the IP). The certs seem correct, and the troubleshooting shows that you are outside and trying to use IP-HTTPS as the connection. I have had a similar instance (rare though) where a firewall / router was blocking connections. There is no packet inspection on your home / work router, is there? Are there any events on the server in the logs (try CAPI2 again), and were there any events on the local machine under CAPI2? Worst case, email me here www.iconicit.co.uk - I could probably fix it quicker than via the forums. Depends on how business critical this is.

    John Davies

    Wednesday, July 30, 2014 5:01 PM