Client cannot connect to corp. network UAG2010 SP1

  • Question

  • Hi!

    I have a lab environment to try out Direct Access.

    I got a server with Server 2008R2 and UAG 2010SP1

    DC & CA: Server 2008

    NLS: Server 2008 IIS

    The problem is when the client is outside of the network. I can ping the UAG server via IPv6, so the IPsec tunnel is up. But I cannot access the NLS/Corp. Network.

    Here's the DCA log. The thing I can see is that IPHTTPS is disabled, but from what I know I shouldn't need it. Can anyone point me in the right direction?

    Thanks in advance

    RED: Corporate connectivity is not working.
    Windows is unable to resolve corporate network names.  Please contact your administrator if this problem persists.
    4/7/2012 7:26:15 (UTC)
    
    
    Probes List
    PASS		PING: 2002:3e14:caf::3e14:caf
    FAIL		HTTP: https://nls.demo.xxx.se
    
    DTE List
    PASS		PING: 2002:3e14:caf::3e14:caf
    PASS		PING: 2002:3e14:cae::3e14:cae
    
    C:\Windows\system32\LogSpace\{EA3290A7-2514-4170-9C5C-27B8EB9E3690}>ipconfig /all 
    
    Windows IP Configuration
    
       Host Name . . . . . . . . . . . . : LANE7W7
       Primary Dns Suffix  . . . . . . . : demo.xxx.se
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : demo.xxx.se
    
    PPP adapter Telia mobilt bredband:
    
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Telia mobilt bredband
       Physical Address. . . . . . . . . : 
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 90.233.175.123(Preferred) 
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . : 0.0.0.0
       DNS Servers . . . . . . . . . . . : 195.67.199.18
                                           195.67.199.19
       Primary WINS Server . . . . . . . : 10.11.12.13
       Secondary WINS Server . . . . . . : 10.11.12.14
       NetBIOS over Tcpip. . . . . . . . : Disabled
    
    Ethernet adapter Bluetooth Network Connection:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
       Physical Address. . . . . . . . . : 00-27-13-4A-ED-AF
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    
    Wireless LAN adapter Wireless Network Connection:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Intel(R) WiFi Link 5100 AGN
       Physical Address. . . . . . . . . : 00-1E-65-F4-6D-AE
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    
    Ethernet adapter Local Area Connection:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
       Physical Address. . . . . . . . . : 18-A9-05-98-FA-FB
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    
    Tunnel adapter isatap.{A0871521-46C1-4DA9-9068-5C118B177940}:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    
    Tunnel adapter isatap.{F972BBF2-617E-4912-A6A1-881EE9C5E6A6}:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    
    Tunnel adapter Local Area Connection* 11:
    
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2001:0:3e14:cae:c42:24e8:a516:5084(Preferred) 
       Link-local IPv6 Address . . . . . : fe80::c42:24e8:a516:5084%11(Preferred) 
       Default Gateway . . . . . . . . . : 
       NetBIOS over Tcpip. . . . . . . . : Disabled
    
    Tunnel adapter isatap.{B2461B67-E391-44C9-BFE7-A25D10B77EFF}:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    
    Tunnel adapter isatap.{EB1F5BA0-02D0-45B6-93A7-B60FF8507F2F}:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    
    Tunnel adapter 6TO4 Adapter:
    
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Microsoft 6to4 Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2002:5ae9:af7b::5ae9:af7b(Preferred) 
       Default Gateway . . . . . . . . . : 2002:3e14:cae::3e14:cae
       DNS Servers . . . . . . . . . . . : 195.67.199.18
                                           195.67.199.19
       NetBIOS over Tcpip. . . . . . . . : Disabled
    
    Tunnel adapter iphttpsinterface:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : iphttpsinterface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    
    C:\Windows\system32\LogSpace\{EA3290A7-2514-4170-9C5C-27B8EB9E3690}>netsh int teredo show state 
    Teredo Parameters
    ---------------------------------------------
    Type                    : client
    Server Name             : 62.20.12.174 (Group Policy) 
    Client Refresh Interval : 30 seconds
    Client Port             : unspecified
    State                   : qualified
    Client Type             : teredo host-specific relay
    Network                 : unmanaged
    NAT                     : none (global connectivity)
    NAT Special Behaviour   : UPNP: No, PortPreserving: No
    Local Mapping           : 90.233.175.123:56087
    External NAT Mapping    : 90.233.175.123:56087
    
    
    C:\Windows\system32\LogSpace\{EA3290A7-2514-4170-9C5C-27B8EB9E3690}>netsh int httpstunnel show interfaces 
    
    Interface IPHTTPSInterface (Group Policy)  Parameters
    ------------------------------------------------------------
    Role                       : client
    URL                        : https://directaccess.demo.xxx.se:443/IPHTTPS
    Last Error Code            : 0x0
    Interface Status           : IPHTTPS interface deactivated 
    
    
    C:\Windows\system32\LogSpace\{EA3290A7-2514-4170-9C5C-27B8EB9E3690}>netsh dns show state 
    
    Name Resolution Policy Table Options 
    -------------------------------------------------------------------- 
    
    Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                            if the name does not exist in DNS or
                                            if the DNS servers are unreachable
                                            when on a private network
    
    Query Resolution Behavior             : Resolve only IPv6 addresses for names
    
    Network Location Behavior             : Let Network ID determine when Direct
                                            Access settings are to be used
    
    Machine Location                      : Outside corporate network
    
    Direct Access Settings                : Configured and Enabled
    
    DNSSEC Settings                       : Not Configured
    
    
    C:\Windows\system32\LogSpace\{EA3290A7-2514-4170-9C5C-27B8EB9E3690}>netsh name show policy 
    
    DNS Name Resolution Policy Table Settings
    
    Settings for nls.demo.xxx.se
    ----------------------------------------------------------------------
    Certification authority                 : DC=se, DC=xxx, DC=demo, CN=demo-DEMODC01-CA
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              : 
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Use default browser settings
    
    
    
    Settings for directaccess.demo.xxx.se
    ----------------------------------------------------------------------
    Certification authority                 : DC=se, DC=xxx, DC=demo, CN=demo-DEMODC01-CA
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              : 
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Use default browser settings
    
    
    
    Settings for .demo.xxx.se
    ----------------------------------------------------------------------
    Certification authority                 : DC=se, DC=xxx, DC=demo, CN=demo-DEMODC01-CA
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              : 2002:3e14:caf::3e14:caf
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Bypass proxy
    
    
    
    
    C:\Windows\system32\LogSpace\{EA3290A7-2514-4170-9C5C-27B8EB9E3690}>netsh name show effective 
    
    DNS Effective Name Resolution Policy Table Settings
    
    
    Settings for nls.demo.xxx.se
    ----------------------------------------------------------------------
    Certification authority                 : DC=se, DC=xxx, DC=demo, CN=demo-DEMODC01-CA
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              : 
    DirectAccess (Proxy Settings)           : Use default browser settings
    
    
    
    Settings for directaccess.demo.xxx.se
    ----------------------------------------------------------------------
    Certification authority                 : DC=se, DC=xxx, DC=demo, CN=demo-DEMODC01-CA
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              : 
    DirectAccess (Proxy Settings)           : Use default browser settings
    
    
    
    Settings for .demo.xxx.se
    ----------------------------------------------------------------------
    Certification authority                 : DC=se, DC=xxx, DC=demo, CN=demo-DEMODC01-CA
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              : 2002:3e14:caf::3e14:caf
    DirectAccess (Proxy Settings)           : Bypass proxy
    
    
    
    
    C:\Windows\system32\LogSpace\{EA3290A7-2514-4170-9C5C-27B8EB9E3690}>netsh int ipv6 show int level=verbose  
    
    Interface Loopback Pseudo-Interface 1 Parameters
    ----------------------------------------------
    IfLuid                             : loopback_0
    IfIndex                            : 1
    State                              : connected
    Metric                             : 50
    Link MTU                           : 4294967295 bytes
    Reachable Time                     : 39000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : disabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : enabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    
    Interface Wireless Network Connection Parameters
    ----------------------------------------------
    IfLuid                             : wireless_0
    IfIndex                            : 13
    State                              : disconnected
    Metric                             : 20
    Link MTU                           : 1500 bytes
    Reachable Time                     : 23000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : enabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    
    Interface isatap.{A0871521-46C1-4DA9-9068-5C118B177940} Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_4
    IfIndex                            : 24
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 22000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : enabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    
    Interface isatap.{F972BBF2-617E-4912-A6A1-881EE9C5E6A6} Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_5
    IfIndex                            : 26
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 24500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : enabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    
    Interface Local Area Connection Parameters
    ----------------------------------------------
    IfLuid                             : ethernet_6
    IfIndex                            : 12
    State                              : disconnected
    Metric                             : 10
    Link MTU                           : 1500 bytes
    Reachable Time                     : 43500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : enabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    
    Interface Local Area Connection* 11 Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_6
    IfIndex                            : 11
    State                              : connected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 10000 ms
    Base Reachable Time                : 15000 ms
    Retransmission Interval            : 2000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : enabled
    Weak Host Receives                 : enabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    
    Interface isatap.{B2461B67-E391-44C9-BFE7-A25D10B77EFF} Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_7
    IfIndex                            : 27
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 30500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : enabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    
    Interface isatap.{EB1F5BA0-02D0-45B6-93A7-B60FF8507F2F} Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_8
    IfIndex                            : 22
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 17500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : enabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    
    Interface Bluetooth Network Connection Parameters
    ----------------------------------------------
    IfLuid                             : ethernet_9
    IfIndex                            : 15
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1500 bytes
    Reachable Time                     : 35500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : enabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    
    Interface 6TO4 Adapter Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_9
    IfIndex                            : 23
    State                              : connected
    Metric                             : 40
    Link MTU                           : 1280 bytes
    Reachable Time                     : 15000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : disabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : enabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    
    Interface iphttpsinterface Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_11
    IfIndex                            : 25
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 20000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : enabled
    Other Stateful Configuration       : enabled
    Weak Host Sends                    : enabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    
    
    C:\Windows\system32\LogSpace\{EA3290A7-2514-4170-9C5C-27B8EB9E3690}>netsh advf show currentprofile 
    
    Public Profile Settings: 
    ----------------------------------------------------------------------
    State                                 ON
    Firewall Policy                       BlockInbound,AllowOutbound
    LocalFirewallRules                    N/A (GPO-store only)
    LocalConSecRules                      N/A (GPO-store only)
    InboundUserNotification               Enable
    RemoteManagement                      Disable
    UnicastResponseToMulticast            Enable
    
    Logging:
    LogAllowedConnections                 Disable
    LogDroppedConnections                 Disable
    FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
    MaxFileSize                           4096
    
    Ok.
    
    
    C:\Windows\system32\LogSpace\{EA3290A7-2514-4170-9C5C-27B8EB9E3690}>netsh advfirewall monitor show consec 
    
    Global Settings: 
    ----------------------------------------------------------------------
    IPsec:
    StrongCRLCheck                        0:Disabled
    SAIdleTimeMin                         5min
    DefaultExemptions                     ICMP
    IPsecThroughNAT                       Never
    AuthzUserGrp                          None
    AuthzComputerGrp                      None
    
    StatefulFTP                           Enable
    StatefulPPTP                          Enable
    
    Main Mode:
    KeyLifetime                           60min,0sess
    SecMethods                            DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
    ForceDH                               No
    
    Categories:
    BootTimeRuleCategory                  Windows Firewall
    FirewallRuleCategory                  Windows Firewall
    StealthRuleCategory                   Windows Firewall
    ConSecRuleRuleCategory                Windows Firewall
    
    
    Quick Mode:
    QuickModeSecMethods                   ESP:SHA1-None+60min+100000kb,ESP:SHA1-AES128+60min+100000kb,ESP:SHA1-3DES+60min+100000kb,AH:SHA1+60min+100000kb
    QuickModePFS                          None
    
    Security Associations:
    
    Main Mode SA at 07/04/2012 09:26:15                      
    ----------------------------------------------------------------------
    Local IP Address:                     2002:5ae9:af7b::5ae9:af7b
    Remote IP Address:                    2002:3e14:caf::3e14:caf
    Auth1:                                ComputerCert
    Auth2:                                UserNTLM
    MM Offer:                             None-AES128-SHA256
    Cookie Pair:                          f9dab82528961f98:3e7090b8c2f7cbaf
    Health Cert:                          No
    
    Main Mode SA at 07/04/2012 09:26:15                      
    ----------------------------------------------------------------------
    Local IP Address:                     2001:0:3e14:cae:c42:24e8:a516:5084
    Remote IP Address:                    2002:3e14:caf::3e14:caf
    Auth1:                                ComputerCert
    Auth2:                                UserNTLM
    MM Offer:                             None-AES128-SHA256
    Cookie Pair:                          cdb18e28f971160b:35295487f9a91139
    Health Cert:                          No
    
    Quick Mode SA at 07/04/2012 09:26:15                     
    ----------------------------------------------------------------------
    Local IP Address:                     2002:5ae9:af7b::5ae9:af7b
    Remote IP Address:                    2002:3e14:caf::3e14:caf
    Local Port:                           Any
    Remote Port:                          Any
    Protocol:                             Any
    Direction:                            Both
    QM Offer:                             ESP:SHA1-AES192+60min+100000kb
    PFS:                                  None
    
    
    IPsec Statistics
    ----------------
    
    Active Assoc                : 2
    Offload SAs                 : 0
    Pending Key                 : 0
    Key Adds                    : 17
    Key Deletes                 : 16
    ReKeys                      : 0
    Active Tunnels              : 1
    Bad SPI Pkts                : 0
    Pkts not Decrypted          : 0
    Pkts not Authenticated      : 0
    Pkts with Replay Detection  : 0
    Confidential Bytes Sent     : 124,688
    Confidential Bytes Received : 304,984
    Authenticated Bytes Sent    : 138,464
    Authenticated Bytes Received: 304,984
    Transport Bytes Sent        : 0
    Transport Bytes Received    : 0
    Bytes Sent In Tunnels       : 138,464
    Bytes Received In Tunnels   : 304,984
    Offloaded Bytes Sent        : 0
    Offloaded Bytes Received    : 0
    
    Ok.
    
    
    C:\Windows\system32\LogSpace\{EA3290A7-2514-4170-9C5C-27B8EB9E3690}>Certutil -store my  
    my
    ================ Certificate 0 ================
    Serial Number: 14e7b52b00000000000c
    Issuer: CN=demo-DEMODC01-CA, DC=demo, DC=xxx, DC=se
     NotBefore: 2012-07-02 12:44
     NotAfter: 2013-07-02 12:44
    Subject: CN=LANE7W7.demo.xxx.se
    Certificate Template Name (Certificate Type): Machine
    Non-root Certificate
    Template: Machine, Computer
    Cert Hash(sha1): 2f 71 b2 87 ea 41 7f 5d b7 53 ca e3 b7 74 f7 ea de 2f 86 7a
      Key Container = d33dd9dabcb1ffb2d6d92199ab89624f_5aaf1ec2-7269-4235-bb21-72f1dda6df59
      Simple container name: le-Machine-b629c70a-2c7f-4a40-a761-adcfb6bb4b9c
      Provider = Microsoft RSA SChannel Cryptographic Provider
    Private key is NOT exportable
    Encryption test passed
    CertUtil: -store command completed successfully.
    
    C:\Windows\system32\LogSpace\{EA3290A7-2514-4170-9C5C-27B8EB9E3690}>Systeminfo
    
    Host Name:                 LANE7W7
    OS Name:                   Microsoft Windows 7 Enterprise 
    OS Version:                6.1.7601 Service Pack 1 Build 7601
    OS Manufacturer:           Microsoft Corporation
    OS Configuration:          Member Workstation
    OS Build Type:             Multiprocessor Free
    Registered Owner:          Windows User
    Registered Organization:   xxxxxxxxxxxxxxxx
    Product ID:                55041-006-2418292-86878
    Original Install Date:     2012-05-30, 10:37:11
    System Boot Time:          2012-07-04, 07:10:45
    System Manufacturer:       Hewlett-Packard
    System Model:              HP Compaq 6730b (KU216ET#AK8)
    System Type:               x64-based PC
    Processor(s):              1 Processor(s) Installed.
                               [01]: Intel64 Family 6 Model 23 Stepping 10 GenuineIntel ~2401 Mhz
    BIOS Version:              Hewlett-Packard 68PDD Ver. F.13, 2009-12-08
    Windows Directory:         C:\Windows
    System Directory:          C:\Windows\system32
    Boot Device:               \Device\HarddiskVolume2
    System Locale:             sv;Swedish
    Input Locale:              sv;Swedish
    Time Zone:                 (UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
    Total Physical Memory:     3 996 MB
    Available Physical Memory: 2 943 MB
    Virtual Memory: Max Size:  7 991 MB
    Virtual Memory: Available: 6 602 MB
    Virtual Memory: In Use:    1 389 MB
    Page File Location(s):     C:\pagefile.sys
    Domain:                    demo.xxx.se
    Logon Server:              N/A
    Hotfix(s):                 86 Hotfix(s) Installed.
    Network Card(s):           4 NIC(s) Installed.
                               [01]: Broadcom NetLink (TM) Gigabit Ethernet
                                     Connection Name: Local Area Connection
                                     Status:          Media disconnected
                               [02]: Intel(R) WiFi Link 5100 AGN
                                     Connection Name: Wireless Network Connection
                                     Status:          Media disconnected
                               [03]: Bluetooth Device (Personal Area Network)
                                     Connection Name: Bluetooth Network Connection
                                     Status:          Media disconnected
                               [04]: Cisco Systems VPN Adapter for 64-bit Windows
                                     Connection Name: Local Area Connection 2
                                     Status:          Hardware not present
    
    C:\Windows\system32\LogSpace\{EA3290A7-2514-4170-9C5C-27B8EB9E3690}>whoami /groups  
    
    GROUP INFORMATION
    -----------------
    
    Group Name                             Type             SID          Attributes                                        
    ====================================== ================ ============ ==================================================
    BUILTIN\Administrators                 Alias            S-1-5-32-544 Enabled by default, Enabled group, Group owner    
    Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
    Mandatory Label\System Mandatory Level Label            S-1-16-16384                                                   
    
    /Per

    Wednesday, July 4, 2012 12:39 PM

Answers

  • So the NLS should be OK then.

    If I read and understand the above correctly, then the probe should fail and also you cannot use the NLS as a way of determining if things are working. If the NLS is a machine that is not an infrastructure machine (DC, SCCM, WSUS etc.) then you can create another A record in DNS and see if you can reach it by using that name.

    You have a Teredo tunnel active and your MMSA and QMSA seem to be OK. Can you, for instance, browse your DC? E.g. \\NameOfDC\Netlogon?

    Don't pay too much attention to what the DCA reports; try instead, and remember that the NLS is off limits, so it is no good for testing or for use as a probe.

    • Edited by Anders Janson Thursday, July 5, 2012 6:25 PM
    • Marked as answer by Zewker Friday, July 6, 2012 7:43 AM
    Thursday, July 5, 2012 6:24 PM
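
The point made in the answer above, as an added example that is not part of the thread: a probe whose name falls under an NRPT exemption rule (as the NLS does) is resolved outside the tunnel and is expected to fail from the Internet, so it says nothing about corporate connectivity. The probe lines are the ones from the DCA log in the question; the NRPT contents, the DNS server address 2001:db8::53 and all function names are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlparse

# Probe lines as they appear in the DCA log in the question.
DCA_PROBES = """\
PASS    PING: 2002:3e14:caf::3e14:caf
FAIL    HTTP: https://nls.demo.xxx.se
"""

# Constructed NRPT (assumption): rule name -> DirectAccess DNS servers.
# A leading dot marks a suffix rule; an empty list marks an exemption rule.
NRPT = {
    ".demo.xxx.se": ["2001:db8::53"],
    "nls.demo.xxx.se": [],
}

def parse_probes(text):
    """Yield (status, target, host) for each PASS/FAIL probe line."""
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] in ("PASS", "FAIL"):
            target = parts[2].strip()
            host = urlparse(target).hostname if "://" in target else target
            yield parts[0], target, (host or "").lower().rstrip(".")

def nrpt_match(host, nrpt):
    """Most specific rule: exact FQDN first, then the longest matching suffix."""
    if host in nrpt:
        return host
    suffixes = [n for n in nrpt if n.startswith(".") and host.endswith(n)]
    return max(suffixes, key=len, default=None)

def classify(host, nrpt):
    """Return 'address', 'unmatched', 'tunnel' or 'exempt' for a probe host."""
    try:
        ipaddress.ip_address(host)
        return "address"              # literal address, no name resolution
    except ValueError:
        pass
    rule = nrpt_match(host, nrpt)
    if rule is None:
        return "unmatched"            # resolved by the interface's DNS servers
    return "tunnel" if nrpt[rule] else "exempt"

def review(probe_text, nrpt):
    return [(target, status, classify(host, nrpt))
            for status, target, host in parse_probes(probe_text)]

if __name__ == "__main__":
    for target, status, kind in review(DCA_PROBES, NRPT):
        note = "  <- exempt name: cannot serve as a probe" if kind == "exempt" else ""
        print(f"{status:4} {kind:9} {target}{note}")
```

Only a probe classified as "tunnel" tests name resolution and reachability through DirectAccess; the failing NLS probe in the log is classified as "exempt".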

All replies

  • Seems like you are using your NLS server as a probe.

    Furthermore it seems like the NLS is reachable through the tunnel - something it cannot be.

    It has to be set to [Excluded] in the DNS Suffixes configuration.


    Hth, Anders Janson Enfo Zipper

    Wednesday, July 4, 2012 2:53 PM
  • Seems like you are using your NLS server as a probe.

    Furthermore it seems like the NLS is reachable through the tunnel - something it cannot be.

    It has to be set to [Excluded] in the DNS Suffixes configuration.


    Hth, Anders Janson Enfo Zipper

    Hi!

    The NLS is already excluded in the DNS Suffixes configuration.
    Thursday, July 5, 2012 7:20 AM
  • Hi!

    I could not reach the DC; however, I can reach another server I have in the domain by name and administrative shares (\\servername\c$). So it would seem that I have access.

    The cause of the DC being unreachable I don't know yet, I have to troubleshoot the DNS in my lab environment I think.

    Thank you for your help! Much appreciated.

    Friday, July 6, 2012 7:43 AM
  • Apart from looking at your DNS, also verify that your infrastructure server list is OK and that the DC(s) are listed there with the correct name and IP address.

    Hth, Anders Janson Enfo Zipper

    Friday, July 6, 2012 10:26 AM