Direct Access 2012 DNS problems on 2 NICs

  • Question

  • Hi Everyone,

    Bear with me, first-time Direct Access user...

    We're having trouble getting Direct Access 2012 to work. After running setup, the Operation Status for DNS is showing "Not working properly", with none of the DNS servers responding. Our test DA client can connect to DirectAccess, and the status monitor on the server shows it as connected, but that's as far as it gets. The client gets no network resources at all. (Probably no surprise since DNS isn't working.)

    Our setup

    Edge, 2 NICs, both IPv4. (We don't use IPv6 on our network.) One NIC outside the firewall to the internet, one on the internal network. Each has a couple of IPv4 DNS addresses set. (Internal using a couple of internal DNS servers on a 172.16 network, and the external using a couple of internet-facing DNS servers.)

    We've run through the basic wizard to set everything up, and it chose our DNS as a 2002:xxxx:xxxx:3333::1 address, which looks to be a 6to4 address for our external NIC. Despite it being the address it came up with, Direct Access does not like it. Note our DirectAccess server does not have the DNS role installed.

    I've tried to use that same 2002: address to do nslookups right on the server, and it won't work either. Any lookup (internal or external sites) immediately responds with "no response from server". And trying to send pings to it results in a "general failure". (And I get the same results trying this on the DA client.)

    I've tried tweaking the DirectAccess DNS settings to use our two internal 172.16 DNS servers, but it results in the same problem: "Not working properly". Also, the addresses DirectAccess is trying to use are IPv6 versions of our 172.16 DNS addresses. I can't ping or nslookup those either.

    From reading other Technet posts, it seems most people get this to work just using the default 6to4 address already provided, so I'm not sure why it's not working for us. (Firewall issue, perhaps? Or are we missing something in our NIC setup?)

    Does anyone have any advice?

    Wednesday, May 15, 2013 8:40 PM

Answers

  • We found the problem. Direct Access won't even work without IPv6 enabled on both network adapters, so we had it enabled on both, but blank/default. No static IPv6 or DNS specified.

    All we needed to do was give our internal-facing network adapter a static IPv6 address and preferred DNS server the same 2002:xxxx:xxxx:3333::1 tunnel address that DirectAccess was using. That did it; the DNS status went green, and clients could use Direct Access perfectly.

    Hope this helps.

    Wednesday, May 29, 2013 2:43 PM

All replies

  • You can set DNS64 to listen for incoming connections on the Loopback adapter by:

    1. netsh int ipv6 add address <loopback interface index> <ipv6 address>/128

        Run the following command to obtain the necessary interface index information:
                netsh int ipv6 show int

    2. Set-NetDnsTransitionConfiguration -AcceptInterface "Loopback Pseudo-Interface"

    3. Check the DNS64 config

        Get-NetDnsTransitionConfiguration

    Tuesday, January 27, 2015 4:43 PM
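An added PowerShell example (not code from either reply) that scripts the checks behind the symptoms in the question and, with -Repair, applies the two fixes described in this thread: pointing the internal NIC's DNS client at the DNS64 address, and letting DNS64 accept queries on the loopback interface. The adapter alias 'Internal', the probe FQDN and the masked 2002: address are placeholders to replace with site values.

```powershell
# Added example, not from the thread. Replace the placeholders below with the
# real values: the DNS64 address is the 2002:... address the DirectAccess wizard
# shows (the thread masks it), and 'Internal' is the assumed LAN-facing adapter.
param(
    [string]$Dns64Address = '2002:xxxx:xxxx:3333::1',  # PLACEHOLDER: wizard's address
    [string]$InternalNic  = 'Internal',                 # assumed adapter alias
    [string]$ProbeName    = 'dc01.corp.example',        # assumed internal FQDN
    [switch]$Repair
)

# 1. DirectAccess needs IPv6 bound on every adapter; warn about any that lack it.
Get-NetAdapterBinding -ComponentID ms_tcpip6 |
    Where-Object { -not $_.Enabled } |
    ForEach-Object { Write-Warning "IPv6 is disabled on adapter '$($_.Name)'" }

# 2. DNS64 only answers on the interfaces listed in AcceptInterface.
$cfg = Get-NetDnsTransitionConfiguration
Write-Host "DNS64 state: $($cfg.State); accept interfaces: $($cfg.AcceptInterface -join ', ')"

# 3. The wizard's DNS address must be assigned to a local interface, otherwise
#    nothing listens on it (the "no response from server" seen in the question).
$bound = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
    Where-Object { $_.IPAddress -eq $Dns64Address }
if (-not $bound) { Write-Warning "$Dns64Address is not assigned to any local interface" }

# 4. Probe the listener directly, the same check the question did with nslookup.
try {
    $answer = Resolve-DnsName -Name $ProbeName -Server $Dns64Address -ErrorAction Stop
    Write-Host "DNS64 answered for $ProbeName ($($answer.Count) record(s))"
} catch {
    Write-Warning "No answer from $Dns64Address for ${ProbeName}: $($_.Exception.Message)"
}

if ($Repair) {
    # Accepted answer: the internal NIC's preferred DNS server is the DNS64 address.
    # (The answer also gave that NIC a static IPv6 address, which is site-specific.)
    Set-DnsClientServerAddress -InterfaceAlias $InternalNic -ServerAddresses $Dns64Address

    # Second reply: bind the address to loopback (/128) and accept DNS64 queries there.
    $lo = Get-NetIPInterface -AddressFamily IPv6 |
        Where-Object { $_.InterfaceAlias -like 'Loopback*' } | Select-Object -First 1
    if (-not ($bound | Where-Object { $_.InterfaceIndex -eq $lo.ifIndex })) {
        New-NetIPAddress -InterfaceIndex $lo.ifIndex -IPAddress $Dns64Address -PrefixLength 128 | Out-Null
    }
    $accept = @($cfg.AcceptInterface) + $lo.InterfaceAlias | Select-Object -Unique
    Set-NetDnsTransitionConfiguration -AcceptInterface $accept
    Get-NetDnsTransitionConfiguration | Select-Object State, AcceptInterface
}
```

Run it once without -Repair to see which of the three conditions (IPv6 binding, address assignment, DNS64 accept interface) is failing before changing anything.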