DirectAccess has stopped working after infrastructure upgrade - replaced domain CA server

  • Question

  • Hi,

    I somehow seem to have broken my Direct Access setup, and I'm not sure what I did that is causing the problem.

    My current setup is Direct Access running on a Windows 2012 R2 server published through a TMG 2010 SP3 server. All good. Been working with no issues for the last 3 or so years.

    So the day before things stopped working I moved our internal enterprise CA from an old Windows 2008 Server box to a new Windows 2012 R2 CA. The old Windows 2008 box was also a DC so, per the Microsoft process, I backed up the CA, removed the CA from the old server, demoted the old server so it was no longer a DC and then deleted the server from the domain. I then had a new 2012 R2 box waiting, which I renamed to the name of the old CA server, added to my domain and then restored the CA onto. Everything seems to be working from what I can tell.

    But it's at this point that I think Direct Access stopped working and I'm not sure why.

    My Direct Access clients can successfully ping any internal server, and in the Direct Access console I can see the remote computers.

    But the Direct Access clients can't access any of the internal network servers. What is very strange is that there are two servers that I can access. I'm able to do a net view \\SERVERNAME for these two servers and it works. If I try to do the same thing for other servers it fails even though I can ping those servers.

    If I run the Direct Access support tool from one of the clients I get this message at the top

    Error: Corporate connectivity is not working. Windows is unable to contact some remote resources due to network authentication failures. 9/3/2017 22:36:27 (UTC)

    Any idea what's happening? I did have Direct Access set up to use certificates since I used to support Windows 7 Direct Access clients, but we now only have Windows 8.1 and Windows 10 Direct Access clients, so maybe I don't need that anymore?

    Thanks in advance.

    Nick

    Sunday, March 12, 2017 6:35 PM

Answers

  • Hi,

    I finally got this resolved. It looks like there were two issues. Both were related to the Direct Access GPOs. First a bit of background. Since setting up Direct Access several years ago I have retired some old domain controllers from our domain, but set up new domain controllers. The new domain controllers have different IP addresses than the older retired ones. The last of the old domain controllers I just retired was also the certificate server. This machine was added back to our domain with the same name and IP address so that I could do a CA restore.

    What happened was that the configuration information for Direct Access stored in the GPO pointed to all the old domain controller IP addresses. When I removed the last domain controller that was also the certificate server I broke the authentication for the Direct Access clients. At least that's what I think happened. After Gérald pointed me at the GPO I looked at the one he specified and found all the old domain controllers listed. I edited the GPO file using the registry tool he used and Direct Access still wasn't working. So I went looking for the IP addresses of my old domain controllers in the registry of the Direct Access server and found that the domain controller addresses were also listed in the Direct Access rules for the Windows firewall. So I edited the GPO for those as well and replaced the addresses of the old domain controllers with my new domain controllers. After saving those changes and applying the updated GPOs to my Direct Access server and a test client I was able to connect.

    So hopefully this answer helps someone else. And thanks Gérald for pointing me in the right direction.

    Nick

    • Marked as answer by Nick Palmer Wednesday, March 22, 2017 11:28 PM
    Wednesday, March 22, 2017 11:28 PM

All replies

  • Looks like an IPsec failure... Are your tunnels still working in your Windows Firewall?

    Also, you removed a DC from your domain, but DirectAccess may still try to use it because it's hardcoded in the server's GPO when the first server is implemented.
    I think you can check in the server's registry at HKLM\Software\Policies\Microsoft\Windows\RemoteAccess\Config\DomainControllers to see if you find the old DC's IP address.
    The last time I had this problem, I had to edit the registry.pol of the server's GPO using a third-party tool because the only other way I found was to remove and then reinstall DirectAccess.

    Gérald

    Tuesday, March 14, 2017 11:33 AM
  • Hi Gérald,

    From what I can tell, the tunnels are working correctly. If I bring up the Windows Firewall on a client I can see the connections used by Direct Access.

    I think you may be onto something with the GPO on the server. I looked at the DomainControllers key you mentioned and it has wrong information in it. I also looked at the ManagementServerInfo key and it has some wrong servers in it as well.

    But it sounds like modifying this isn't easy. And I certainly don't want to have to re-install DirectAccess. This must be a pretty common issue with people adding/removing domain controllers and other servers.

    What was the tool you ended up using to modify the registry.pol file? And not to sound clueless (even though I am), where would I find the registry.pol file to even look at or modify?

    Thanks

    Nick

    Tuesday, March 14, 2017 4:09 PM
  • Registry Workshop... It's shareware...
    Tuesday, March 14, 2017 5:20 PM
  • Ok great, I found that program. Looks good.

    But now where do I edit the registry.pol file? It seems like this comes from the GPO, so if I edit the registry on the Direct Access server that will just get overwritten when the GPO refreshes, right?

    Thanks

    Tuesday, March 14, 2017 6:02 PM
  • The registry.pol is in the SYSVOL folder of your domain.

    You need to identify the "DirectAccess Server Settings" GPO first using GPMC (Details tab).
    Note the Unique ID of the GPO, then locate it in the SYSVOL.

    Ex: If your Unique ID is {0D8529C3-4D1B-42E5-952E-99AE64C5837B}

    You'll find the correct registry.pol in \\yourdomain.com\sysvol\yourdomain.com\Policies\{0D8529C3-4D1B-42E5-952E-99AE64C5837B}\Machine

    Don't forget to keep a backup in case you need to roll back ;-)

    Tuesday, March 14, 2017 9:42 PM
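The check Gérald describes above (stale DC addresses under the RemoteAccess\Config\DomainControllers key, and the registry.pol that owns them), written up as a read-only PowerShell script. This is an added example, not something posted in the thread; it assumes the ActiveDirectory and GroupPolicy RSAT modules are installed on the DirectAccess server, that the GPO is still named "DirectAccess Server Settings", and that the key's values contain IPv4 addresses as plain text (their exact layout is not stated in the thread).

```powershell
# Added example (not from the thread): compare the DomainControllers entries that the
# DirectAccess server GPO writes under HKLM\SOFTWARE\Policies\...\RemoteAccess\Config
# with the domain controllers currently registered in AD, then print the SYSVOL path of
# the registry.pol to back up before editing. Run on the DirectAccess server. Edits nothing.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$dcKeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemoteAccess\Config\DomainControllers'
$ipv4Pattern = '\b(?:\d{1,3}\.){3}\d{1,3}\b'

# 1. IPv4 addresses of the domain controllers that exist in the domain today.
$currentDcIps = (Get-ADDomainController -Filter *).IPv4Address | Sort-Object -Unique

# 2. Every IPv4 address found in any value under the DomainControllers key (including
#    subkeys). Assumption: the addresses appear as plain text inside the value data.
$policyIps = @()
$keys = @(Get-Item -Path $dcKeyPath) + @(Get-ChildItem -Path $dcKeyPath -Recurse)
foreach ($key in $keys) {
    foreach ($valueName in $key.GetValueNames()) {
        $data = [string]$key.GetValue($valueName)
        $policyIps += [regex]::Matches($data, $ipv4Pattern) | ForEach-Object { $_.Value }
    }
}
$policyIps = $policyIps | Sort-Object -Unique

# 3. Stale = still in the policy but no longer a DC; missing = a DC the policy never got.
$stale   = @($policyIps    | Where-Object { $_ -notin $currentDcIps })
$missing = @($currentDcIps | Where-Object { $_ -notin $policyIps })

"DC addresses in RemoteAccess policy : $($policyIps -join ', ')"
"DC addresses currently in AD        : $($currentDcIps -join ', ')"
"Stale (retired DC still listed)     : $($stale -join ', ')"
"Missing (new DC not listed)         : $($missing -join ', ')"

# 4. Resolve the GPO's Unique ID to the registry.pol path given in the reply above.
$domain = (Get-ADDomain).DNSRoot
$gpo = Get-GPO -All | Where-Object { $_.DisplayName -like 'DirectAccess Server Settings*' }
if ($gpo) {
    $guid = '{' + $gpo.Id.ToString().ToUpper() + '}'
    "registry.pol to back up and edit    : \\$domain\SYSVOL\$domain\Policies\$guid\Machine\registry.pol"
} else {
    'No GPO named "DirectAccess Server Settings" found; check the name in GPMC.'
}
```

The same comparison can be repeated against the ManagementServerInfo key mentioned later in the thread by changing `$dcKeyPath`, since the answer reports stale addresses there as well.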
  • Did you try hitting the 'Refresh Management Servers' option from the configuration page? That removes old DCs and populates your GPO with any new ones it finds.

    Monday, November 6, 2017 3:20 AM
  • Hi,

    I didn't because I didn't know it was there. I guess next time I'll give that a try.

    Thanks

    Nick

    Tuesday, November 7, 2017 7:03 PM