DirectAccess Shows Configured and Disabled while Outside of the Network

  • Question

  • I have a machine that shows some strange behavior with DirectAccess.  It can't resolve any names as far as I can tell, but the DCA shows it is connected properly.  Some of the unusual things I see in the DCA diagnostics are below.  Any ideas on what is going on here?

    Thanks,
    Ken


    Interface IPHTTPSInterface (Group Policy)  Parameters
    ------------------------------------------------------------
    Role                       : client
    URL                        : https://da.contoso.com:443/IPHTTPS
    Last Error Code            : 0x0
    Interface Status           : IPHTTPS interface active

    C:\Windows\system32\LogSpace\{87AF1F3E-599C-4BF9-BD45-B12ED47B38E6}>netsh dns show state

    Name Resolution Policy Table Options
    --------------------------------------------------------------------

    Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                            if the name does not exist in DNS or
                                            if the DNS servers are unreachable
                                            when on a private network

    Query Resolution Behavior             : Resolve only IPv6 addresses for names

    Network Location Behavior             : Never use Direct Access settings

    Machine Location                      : Outside corporate network

    Direct Access Settings                : Configured and Disabled

    DNSSEC Settings                       : Not Configured

    C:\Windows\system32\LogSpace\{87AF1F3E-599C-4BF9-BD45-B12ED47B38E6}>netsh name show effective

    DNS Effective Name Resolution Policy Table Settings

    Note: DirectAccess settings would be turned off when computer is inside corporate network

    Tuesday, January 11, 2011 11:11 PM

All replies

  • This client is running Windows Enterprise not Pro, yes?

    The "Network Location Behavior: Never use Direct Access settings" entry should be: "Network Location Behavior: Let Network ID determine when Direct Access settings are to be used"

    Check the following regkey: HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\EnableDAForAllNetworks and make sure it is set to 0 and not 2. You will probably need a reboot after the change. The values for the key are shown here: http://msdn.microsoft.com/en-us/library/ff957870(PROT.10).aspx

    Not sure why it got messed up, but that should fix it ;)

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, January 11, 2011 11:31 PM
    Moderator
  • Thanks Jason.  I'll give this a try and report back.

    Ken

    Tuesday, January 11, 2011 11:37 PM
  • Thank you JJ this worked a treat!

    No reboot even required!

    PS - Any ideas what would cause this to happen? Very new to UAG and DA

    Hubs

    Monday, May 9, 2011 9:21 PM
  • No, but not seen that issue occur much...
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by Erez Benari Monday, May 9, 2011 11:32 PM
    Monday, May 9, 2011 11:28 PM
    Moderator
  • This issue has happened to me occasionally as well.  Of course that Reg Key is also flipped when the DCA is selected as 'Use Local DNS' - so make sure you check that setting first.  But I also have situations where this registry key is flipped for some other reason.  I'd really like to know WHY.  It is prevalent enough to develop a script and a self-help document for DirectAccess users at my organization.
    Tuesday, May 10, 2011 2:25 PM
  • Interesting, not seen it that much...
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, May 10, 2011 3:14 PM
    Moderator
  • Why isn't DirectAccess supported on Pro?  It looks like the feature to do the dns resolution via "name resolution policy table" was disabled.  Otherwise the adapters all connect and I get a connection to the directaccess server, I just cannot resolve names.  Any advice?

    Saturday, September 22, 2012 3:56 PM
  • Did anybody get to the bottom of the cause of the reg key getting flipped?  I've seen it a few times here and whilst it is simple to fix, it can get trickier when you can't gain admin access to the remote system...

    Cheers

    Carl


    Carl Barrett | Twitter: @Mosquat

    Friday, December 14, 2012 11:52 AM
  • No, we ended up putting that registry entry in group policy so it always gets pushed down to the client. Thanks, Ken
    Friday, December 14, 2012 11:55 AM
  • Never really got to the bottom of it either, but I thought it must somehow be to do with DCA.

    In the end, I created a GPO that uses GP preferences to flip the registry key to the correct value on DA clients...however, this doesn't help people who can't do a gpupdate remotely because DA won't connect (catch 22!). However, it does at least fix it when they get back to the office and connect to the corp network...


    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Friday, December 14, 2012 11:58 AM
    Moderator
  • Thanks for the reply Jason - was considering the same myself but as you say can prove a problem for those off corp net.

    Had a guy recently that was in the middle of Germany and our nearest office was a 6 hour drive so no local admin support available.....we got him working eventually using VPN that we had to install for him...that part was the real fun bit.

    So still a bit of mystery then - I've recommended to our support team that they try advising the user to flip over to 'Prefer Local DNS' and then back again as a first step.  May be a quick fix in some situations but probably not ;)

    Cheers


    Carl Barrett | Twitter: @Mosquat

    Friday, December 14, 2012 12:05 PM
  • If you switch to "Local DNS resolution" in the DA Connectivity Assistant, it causes this reg key to flip over, and vice versa. Perhaps you have DAC installed and your users sometimes touch this setting.
    Thursday, July 30, 2015 3:48 PM
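
A check for the registry value discussed in this thread, as an added example that is not from any of the posters or from Microsoft: it reports `EnableDAForAllNetworks`, warns when the value is 2, and resets it to 0 only when run elevated with the hypothetical `-Fix` switch. The meaning shown for value 1, the parameter name and the function name are assumptions not stated in the thread.

```powershell
# Added example: audit (and optionally reset) the NRPT network-location
# override discussed in this thread. -Fix needs an elevated session.
[CmdletBinding()]
param([switch]$Fix)   # hypothetical switch name

$KeyPath   = 'HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient'
$ValueName = 'EnableDAForAllNetworks'

# 0 and 2 are the values named in the thread; the text for 1 is an assumption
# based on the remaining NRPT setting and is not stated in the thread.
$Meaning = @{
    0 = 'Let Network ID determine when Direct Access settings are to be used'
    1 = 'Always use Direct Access settings'
    2 = 'Never use Direct Access settings'
}

function Get-DAOverride {   # hypothetical helper name
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value is absent
    return [int]$item.$ValueName
}

$current = Get-DAOverride
if ($null -eq $current) {
    Write-Output "$ValueName is not set."
} elseif ($Meaning.ContainsKey($current)) {
    Write-Output "$ValueName = $current ($($Meaning[$current]))"
} else {
    Write-Output "$ValueName = $current (unexpected value)"
}

if ($current -eq 2) {
    Write-Warning 'The NRPT DirectAccess settings are disabled; names will not resolve over DirectAccess.'
    Write-Warning "Check whether 'Use Local DNS' is selected in the DCA before changing the key."
    if ($Fix) {
        $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
        $admin = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
            [Security.Principal.WindowsBuiltInRole]::Administrator)
        if (-not $admin) { throw 'Writing under HKLM requires an elevated session.' }
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 0 -Type DWord
        Write-Output "$ValueName reset to 0. A reboot may be needed."
    }
}

# Confirm what the DNS client actually applies.
netsh dns show state | Select-String 'Network Location Behavior', 'Direct Access Settings'
```

Run without `-Fix` first so the current value and the `netsh dns show state` lines are recorded before anything changes.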