Connectivity Assistant says "corporate network names cannot be resolved"

  • Question

  • I've stood up a UAG server, and on the client the Connectivity Assistant is telling me that "Corporate network names cannot be resolved". I've worked through multiple troubleshooting articles, and have found on the client one or more Extended Mode 4984 errors. I found this article:

    http://technet.microsoft.com/en-us/library/ee844114%28v=ws.10%29.aspx

    and worked through it. In particular, I see the required quick and main mode SAs mentioned in that article (via "netsh advfirewall monitor show mmsa" and "netsh advfirewall monitor show qmsa"), even though I see a 4653 Main Mode audit failure immediately after the 4894 Extended Mode audit failure - the details of both are below.

    I get these errors when I switch my network connection on my laptop from the corporate network to a public IP address, with the latter connection being on the same switch to which our firewall is connected - the BIOS of the laptop turns off the wireless when it detects that the wired interface comes up live.

    If anyone has thoughts on how I can go about troubleshooting this, I'd really appreciate it.

    Thanks,

    Kurt

     
    ----------Begin 4984 Event Detail----------
    An IPsec extended mode negotiation failed. The corresponding main mode security association has been deleted.

    Local Endpoint:
        Principal Name:        NT AUTHORITY\ANONYMOUS LOGON
        Network Address:    2002:xxxx:yyyy::xxxx:yyyy
        Keying Module Port:    500

    Remote Endpoint:
        Principal Name:        host/G1.example.com
        Network Address:    2002:aaaa:bbbb::aaaa:bbbb
        Keying Module Port:    500

    Additional Information:
        Keying Module Name:    AuthIP
        Authentication Method:    NTLM V2
        Role:            Initiator
        Impersonation State:    Enabled
        Quick Mode Filter ID:    252766

    Failure Information:
        Failure Point:        Local computer
        Failure Reason:        IKE authentication credentials are unacceptable

        State:            Sent second (SSPI) payload
    ----------End 4984 Event Detail----------

    ----------Begin 4653 Event Detail----------
    An IPsec main mode negotiation failed.

    Local Endpoint:
        Local Principal Name:    -
        Network Address:    2001:0:xxxx:yyyy:24ad:1eee:bccd:89cd
        Keying Module Port:    500

    Remote Endpoint:
        Principal Name:        -
        Network Address:    2002:aaaa:bbbb::aaaa:bbbb
        Keying Module Port:    500

    Additional Information:
        Keying Module Name:    IKEv1
        Authentication Method:    Unknown authentication
        Role:            Initiator
        Impersonation State:    Not enabled
        Main Mode Filter ID:    0

    Failure Information:
        Failure Point:        Local computer
        Failure Reason:        No policy configured

        State:            No state
        Initiator Cookie:        36a5be545c0922e8
        Responder Cookie:    0000000000000000
    ----------End 4653 Event Detail----------
    Tuesday, July 3, 2012 10:16 PM

Answers

  • Hi Kurt,

    As Anders said, you are using inside.example.com both as a connectivity verifier and as your network location server. This configuration is invalid.

    The network location server is designed to be resolved only from inside your corporate network, and cannot be reached by DirectAccess clients due to an exemption entry in NRPT. The connectivity verifier, however, should be resolved and reachable via DirectAccess in order to indicate corporate connectivity correctly.

    Please change the connectivity verifier for DirectAccess connectivity assistant to a different URL.

    • Marked as answer by Kurt Buff Wednesday, July 11, 2012 8:17 PM
    Wednesday, July 11, 2012 4:02 PM
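
The check this answer describes, as an added example that is not part of the original thread: it parses `netsh name show policy` output and the DCA probe list, then flags any name-based probe that lands on an NRPT exemption (a rule with no DirectAccess DNS servers). The sample text is constructed from the shape of the output posted in this thread, the DNS server address is a placeholder, and the precedence logic (exact name first, then longest suffix) is a simplifying assumption.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the `netsh name show policy` output and the
# DCA "Probes List" quoted in this thread. 2001:db8::53 is a placeholder.
NRPT_TEXT = """\
Settings for inside.example.com
----------------------------------------------------------------------
DirectAccess (DNS Servers)         :
DirectAccess (IPsec)               : disabled

Settings for outside.example.com
----------------------------------------------------------------------
DirectAccess (DNS Servers)         :
DirectAccess (IPsec)               : disabled

Settings for .example.com
----------------------------------------------------------------------
DirectAccess (DNS Servers)         : 2001:db8::53
DirectAccess (IPsec)               : disabled
"""

PROBES_TEXT = """\
PASS - PING: 2001:db8::53
FAIL - HTTP: https://inside.example.com
"""


def parse_nrpt(text):
    """Map each NRPT namespace to its DirectAccess DNS servers ([] = exemption)."""
    rules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"Settings for (\S+)$", line)
        if header:
            current = header.group(1).lower()
            rules[current] = []
            continue
        servers = re.match(r"DirectAccess \(DNS Servers\)\s*:\s*(.*)$", line)
        if servers and current is not None:
            rules[current] = [s for s in re.split(r"[,\s]+", servers.group(1)) if s]
    return rules


def effective_rule(host, rules):
    """Return (namespace, servers) for the rule that applies to host, or None.

    Assumption: an exact FQDN entry wins, otherwise the longest matching
    suffix entry (namespace starting with a dot) is used.
    """
    host = host.lower().rstrip(".")
    if host in rules:
        return host, rules[host]
    suffixes = [ns for ns in rules if ns.startswith(".") and host.endswith(ns)]
    if not suffixes:
        return None
    best = max(suffixes, key=len)
    return best, rules[best]


def parse_probes(text):
    """Return (status, kind, target) tuples from a DCA probe list."""
    probes = []
    for raw in text.splitlines():
        m = re.match(r"(PASS|FAIL)\s*-\s*(\w+):\s*(\S+)$", raw.strip())
        if m:
            probes.append(m.groups())
    return probes


def _is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def audit_probes(probes, rules):
    """Flag name-based probes that cannot be resolved through DirectAccess."""
    findings = []
    for _status, kind, target in probes:
        host = (urlsplit(target).hostname or target) if kind == "HTTP" else target
        if _is_ip_literal(host):
            continue  # address probes do not depend on the NRPT
        rule = effective_rule(host, rules)
        if rule is None:
            findings.append((target, host, "no-rule"))   # resolved by local DNS only
        elif not rule[1]:
            findings.append((target, host, "exempt"))    # NLS-style exemption entry
    return findings


if __name__ == "__main__":
    for target, host, reason in audit_probes(parse_probes(PROBES_TEXT), parse_nrpt(NRPT_TEXT)):
        print(f"{target}: {host} is {reason}; pick a verifier covered by a DirectAccess DNS rule")
```
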

All replies

  • Before investigating further, check that the DNS64 service is started and set to Automatic...some of the UAG updates reconfigure the service to Manual after applying them (very annoying that!) which can cause that error to appear.

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Tuesday, July 3, 2012 10:49 PM
    Moderator
  • JJ,

    Thanks - I just checked, and the service is running and set to Automatic, running in the Network Service context - I assume you meant the "Microsoft Forefront UAG DNS64 Service", correct?

    Kurt

    Tuesday, July 3, 2012 11:22 PM
  • Can you post the entire DCA log when outside the corporate network?

    Hth, Anders Janson Enfo Zipper

    Wednesday, July 4, 2012 8:33 AM
  • Sure - I'm on vacation, but have my work laptop at home. I hope it fits in this reply.

    DirectAccess Connectivity Assistant Logs


    RED: Corporate connectivity is not working.
    Corporate network names cannot be resolved. If the problem persists, contact your administrator.
    5/7/2012 22:17:23 (UTC)


    Probes List
    PASS - PING: 2002:4332:xxxx::4332:xxxx
    FAIL - HTTP: https://inside.example.com

    DTE List
    PASS - PING: 2002:4332:xxxx::4332:xxxx
    PASS - PING: 2002:4332:yyyy::4332:yyyy

    ipconfig /all
    netsh int teredo show state
    netsh int httpstunnel show interfaces
    netsh dns show state
    netsh name show policy
    netsh name show effective
    netsh adv mon show mmsa
    netsh nap client show state
    wevtutil query-events Microsoft-Windows-NetworkAccessProtection/Operational /count:20 /format:text /rd:true
    netsh int ipv6 show int level=verbose
    netsh advf show currentprofile
    netsh advfirewall monitor show consec
    Certutil -store my
    Systeminfo
    whoami /groups


    netsh int teredo show state

        Microsoft Windows [Version 6.1.7601]
        Copyright (c) 2009 Microsoft Corporation. All rights reserved.

        [IT-KBUFF7] Thu 07/05/2012 15:17:23.59 C:\Windows\system32\LogSpace\{D092AEA2-D55E-45F3-9CC3-42761EBF0355} #netsh int teredo show state

        Teredo Parameters
        ---------------------------------------------
        Type                    : client
        Server Name             : 67.50.118.38 (Group Policy)
        Client Refresh Interval : 30 seconds
        Client Port             : unspecified
        State                   : qualified
        Client Type             : teredo client
        Network                 : unmanaged
        NAT                     : restricted
        NAT Special Behaviour   : UPNP: No, PortPreserving: Yes
        Local Mapping           : 192.168.151.108:62262
        External NAT Mapping    : 67.160.11.127:62262

        [IT-KBUFF7] Thu 07/05/2012 15:17:25.90 C:\Windows\system32\LogSpace\{D092AEA2-D55E-45F3-9CC3-42761EBF0355} #

    netsh int httpstunnel show interfaces

        [IT-KBUFF7] Thu 07/05/2012 15:17:23.59 C:\Windows\system32\LogSpace\{D092AEA2-D55E-45F3-9CC3-42761EBF0355} #netsh int httpstunnel show interfaces

        Interface IPHTTPSInterface (Group Policy) Parameters
        ------------------------------------------------------------
        Role                       : client
        URL                        : https://outside.example.com:443/IPHTTPS
        Last Error Code            : 0x0
        Interface Status           : IPHTTPS interface deactivated

        [IT-KBUFF7] Thu 07/05/2012 15:17:25.87 C:\Windows\system32\LogSpace\{D092AEA2-D55E-45F3-9CC3-42761EBF0355} #

    netsh dns show state

        [IT-KBUFF7] Thu 07/05/2012 15:17:23.58 C:\Windows\system32\LogSpace\{D092AEA2-D55E-45F3-9CC3-42761EBF0355} #netsh dns show state

        Name Resolution Policy Table Options
        --------------------------------------------------------------------
        Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                                if the name does not exist in DNS or
                                                if the DNS servers are unreachable
                                                when on a private network
        Query Resolution Behavior             : Resolve only IPv6 addresses for names
        Network Location Behavior             : Let Network ID determine when Direct
                                                Access settings are to be used
        Machine Location                      : Outside corporate network
        Direct Access Settings                : Configured and Enabled
        DNSSEC Settings                       : Not Configured

        [IT-KBUFF7] Thu 07/05/2012 15:17:25.91 C:\Windows\system32\LogSpace\{D092AEA2-D55E-45F3-9CC3-42761EBF0355} #

    netsh name show policy

        [IT-KBUFF7] Thu 07/05/2012 15:17:23.61 C:\Windows\system32\LogSpace\{D092AEA2-D55E-45F3-9CC3-42761EBF0355} #netsh name show policy

        DNS Name Resolution Policy Table Settings

        Settings for inside.example.com
        ----------------------------------------------------------------------
        Certification authority            : DC=com, DC=example, CN=example-Issuing-CA-1
        DNSSEC (Validation)                : disabled
        DNSSEC (IPsec)                     : disabled
        DirectAccess (DNS Servers)         :
        DirectAccess (IPsec)               : disabled
        DirectAccess (Proxy Settings)      : Use default browser settings

        Settings for outside.example.com
        ----------------------------------------------------------------------
        Certification authority            : DC=com, DC=example, CN=example-Issuing-CA-1
        DNSSEC (Validation)                : disabled
        DNSSEC (IPsec)                     : disabled
        DirectAccess (DNS Servers)         :
        DirectAccess (IPsec)               : disabled
        DirectAccess (Proxy Settings)      : Use default browser settings

        Settings for .example.com
        ----------------------------------------------------------------------
        Certification authority            : DC=com, DC=example, CN=example-Issuing-CA-1
        DNSSEC (Validation)                : disabled
        DNSSEC (IPsec)                     : disabled
        DirectAccess (DNS Servers)         : 2002:4332:xxxx::4332:xxxx
        DirectAccess (IPsec)               : disabled
        DirectAccess (Proxy Settings)      : Bypass proxy

        [IT-KBUFF7] Thu 07/05/2012 15:17:25.90 C:\Windows\system32\LogSpace\{D092AEA2-D55E-45F3-9CC3-42761EBF0355} #

    netsh name show effective

        [IT-KBUFF7] Thu 07/05/2012 15:17:23.75 C:\Windows\system32\LogSpace\{D092AEA2-D55E-45F3-9CC3-42761EBF0355} #netsh name show effective

        DNS Effective Name Resolution Policy Table Settings

        Settings for inside.example.com
        ----------------------------------------------------------------------
        Certification authority            : DC=com, DC=example, CN=example-Issuing-CA-1
        DNSSEC (Validation)                : disabled
        IPsec settings                     : disabled
        DirectAccess (DNS Servers)         :
        DirectAccess (Proxy Settings)      : Use default browser settings

        Settings for outside.example.com
        ----------------------------------------------------------------------
        Certification authority            : DC=com, DC=example, CN=example-Issuing-CA-1
        DNSSEC (Validation)                : disabled
        IPsec settings                     : disabled
        DirectAccess (DNS Servers)         :
        DirectAccess (Proxy Settings)      : Use default browser settings

        Settings for .example.com
        ----------------------------------------------------------------------
        Certification authority            : DC=com, DC=example, CN=example-Issuing-CA-1
        DNSSEC (Validation)                : disabled
        IPsec settings                     : disabled
        DirectAccess (DNS Servers)         : 2002:4332:xxxx::4332:xxxx
        DirectAccess (Proxy Settings)      : Bypass proxy

        [IT-KBUFF7] Thu 07/05/2012 15:17:25.91 C:\Windows\system32\LogSpace\{D092AEA2-D55E-45F3-9CC3-42761EBF0355} #

    netsh adv mon show mmsa

        [IT-KBUFF7] Thu 07/05/2012 15:17:23.70 C:\Windows\system32\LogSpace\{D092AEA2-D55E-45F3-9CC3-42761EBF0355} #netsh adv mon show mmsa

        Main Mode SA at 07/05/2012 15:17:25
        ----------------------------------------------------------------------
        Local IP Address:   2001:0:4332:yyyy:246c:cc9:bc5f:f480
        Remote IP Address:  2002:4332:yyyy::4332:yyyy
        Auth2 Local ID:     NT AUTHORITY\SYSTEM
        Auth2 Remote ID:    host/G1.example.com
        Auth1:              ComputerCert
        Auth2:              UserKerb
        MM Offer:           None-AES128-SHA256
        Cookie Pair:        da4dcd03b49be0bb:43d9b7e44e0b771a
        Health Cert:        No

        Main Mode SA at 07/05/2012 15:17:25
        ----------------------------------------------------------------------
        Local IP Address:   2001:0:4332:yyyy:246c:cc9:bc5f:f480
        Remote IP Address:  2002:4332:yyyy::4332:yyyy
        Auth2 Local ID:     example\kbuff
        Auth2 Remote ID:    host/G1.example.com
        Auth1:              ComputerCert
        Auth2:              UserKerb
        MM Offer:           None-AES128-SHA256
        Cookie Pair:        8e2e5fcf1fd14e9e:528c5b2c9f2dfc71
        Health Cert:        No

        Main Mode SA at 07/05/2012 15:17:25
        ----------------------------------------------------------------------
        Local IP Address:   2002:4332:yyyy:8100:60e1:5c94:a5b:376f
        Remote IP Address:  2002:4332:xxxx::4332:xxxx
        Auth1:              ComputerCert
        Auth2:              UserNTLM
        MM Offer:           None-AES128-SHA256
        Cookie Pair:        d11403dd976f7926:0cfcbc436eb1cdf4
        Health Cert:        No

        Main Mode SA at 07/05/2012 15:17:25
        ----------------------------------------------------------------------
        Local IP Address:   2001:0:4332:yyyy:246c:cc9:bc5f:f480
        Remote IP Address:  2002:4332:xxxx::4332:xxxx
        Auth1:              ComputerCert
        Auth2:              UserNTLM
        MM Offer:           None-AES128-SHA256
        Cookie Pair:        fd4a9ae4df119e8e:bec6a4bbf97347b1
        Health Cert:        No

        Main Mode SA at 07/05/2012 15:17:25
        ----------------------------------------------------------------------
        Local IP Address:   2001:0:4332:yyyy:246c:cc9:bc5f:f480
        Remote IP Address:  2002:4332:xxxx::4332:xxxx
        Auth1:              ComputerCert
        Auth2:              UserNTLM
        MM Offer:           None-AES128-SHA256
        Cookie Pair:        fc178356ce702fd2:a356f6078c25dc72
        Health Cert:        No

        Main Mode SA at 07/05/2012 15:17:25
        ----------------------------------------------------------------------
        Local IP Address:   2001:0:4332:yyyy:246c:cc9:bc5f:f480
        Remote IP Address:  2002:4332:xxxx::4332:xxxx
        Auth1:              ComputerCert
        Auth2:              UserNTLM
        MM Offer:           None-AES128-SHA256
        Cookie Pair:        9e128121765aafe3:0f94e2f74f13f1ce
        Health Cert:        No

        Main Mode SA at 07/05/2012 15:17:25
        ----------------------------------------------------------------------
        Local IP Address:   2002:4332:yyyy:8100:60e1:5c94:a5b:376f
        Remote IP Address:  2002:4332:yyyy::4332:yyyy
        Auth2 Local ID:     NT AUTHORITY\SYSTEM
        Auth2 Remote ID:    host/G1.example.com
        Auth1:              ComputerCert
        Auth2:              UserKerb
        MM Offer:           None-AES128-SHA256
        Cookie Pair:        3793bbaa246388ec:fdf7c9bd6c156eec
        Health Cert:        No

        Ok.

        [IT-KBUFF7] Thu 07/05/2012 15:17:25.91 C:\Windows\system32\LogSpace\{D092AEA2-D55E-45F3-9CC3-42761EBF0355} #

    netsh nap client show state

        [IT-KBUFF7] Thu 07/05/2012 15:17:23.59 C:\Windows\system32\LogSpace\{D092AEA2-D55E-45F3-9CC3-42761EBF0355} #netsh nap client show state

        The "Network Access Protection Agent" service is not running.

        [IT-KBUFF7] Thu 07/05/2012 15:17:25.90 C:\Windows\system32\LogSpace\{D092AEA2-D55E-45F3-9CC3-42761EBF0355} #

    wevtutil query-events Microsoft-Windows-NetworkAccessProtection/Operational /count:20 /format:text /rd:true

        [IT-KBUFF7] Thu 07/05/2012 15:17:23.62 C:\Windows\system32\LogSpace\{D092AEA2-D55E-45F3-9CC3-42761EBF0355} #wevtutil query-events Microsoft-Windows-NetworkAccessProtection/Operational /count:20 /format:text /rd:true

        [IT-KBUFF7] Thu 07/05/2012 15:17:23.89 C:\Windows\system32\LogSpace\{D092AEA2-D55E-45F3-9CC3-42761EBF0355} #

    netsh advf show currentprofile

        [IT-KBUFF7] Thu 07/05/2012 15:17:23.58 C:\Windows\system32\LogSpace\{D092AEA2-D55E-45F3-9CC3-42761EBF0355} #netsh advf show currentprofile

        Private Profile Settings:
        ----------------------------------------------------------------------
        State                                 ON
        Firewall Policy                       BlockInbound,AllowOutbound
        LocalFirewallRules                    N/A (GPO-store only)
        LocalConSecRules                      N/A (GPO-store only)
        InboundUserNotification               Enable
        RemoteManagement                      Disable
        UnicastResponseToMulticast            Enable

        Logging:
        LogAllowedConnections                 Disable
        LogDroppedConnections                 Disable
        FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
        MaxFileSize                           4096

        Ok.

        [IT-KBUFF7] Thu 07/05/2012 15:17:25.88 C:\Windows\system32\LogSpace\{D092AEA2-D55E-45F3-9CC3-42761EBF0355} #

Ok. [IT-KBUFF7] Thu 07/05/2012 15:17:26.91 C:\Windows\system32\LogSpace\{D092AEA2-D55E-45F3-9CC3-42761EBF0355} #</textarea>
    <big>
    Certutil -store my</big><textarea cols="100" rows="35">***************************************************************************
Certutil -store my
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

[IT-KBUFF7] Thu 07/05/2012 15:17:23.81 C:\Windows\system32\LogSpace\{D092AEA2-D55E-45F3-9CC3-42761EBF0355} #Certutil -store my
my
================ Certificate 0 ================
Serial Number: 236d43c000000000046c
Issuer: CN=example-Issuing-CA-1, DC=example, DC=com
 NotBefore: 5/22/2012 1:34 PM
 NotAfter: 5/22/2013 1:34 PM
Subject: CN=IT-KBUFF7.example.com
Certificate Template Name (Certificate Type): Machine
Non-root Certificate
Template: Machine, Computer
Cert Hash(sha1): 5d 98 ae b2 af 26 b1 30 fa f2 cf 4d 34 ba 47 54 53 5e 1e c2
  Key Container = b6e892159f431edc4233745b9cc10f4c_f330131e-0b2e-4b73-8b3d-1126da8ecac3
  Simple container name: le-Machine-e20091f3-f740-45ab-8148-9efbe8a072a3
  Provider = Microsoft RSA SChannel Cryptographic Provider
Private key is NOT exportable
Encryption test passed
CertUtil: -store command completed successfully.

[IT-KBUFF7] Thu 07/05/2012 15:17:25.67 C:\Windows\system32\LogSpace\{D092AEA2-D55E-45F3-9CC3-42761EBF0355} #</textarea>
    <big>
    Systeminfo</big><textarea cols="100" rows="35">***************************************************************************
Systeminfo
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

[IT-KBUFF7] Thu 07/05/2012 15:17:23.73 C:\Windows\system32\LogSpace\{D092AEA2-D55E-45F3-9CC3-42761EBF0355} #Systeminfo

Host Name:                 IT-KBUFF7
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          example-it
Registered Organization:
Product ID:                55041-011-2696075-86440
Original Install Date:     4/12/2012, 3:41:12 PM
System Boot Time:          7/5/2012, 3:06:12 PM
System Manufacturer:       Dell Inc.
System Model:              Latitude E6520
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 42 Stepping 7 GenuineIntel ~2601 Mhz
BIOS Version:              Dell Inc. A12, 2/28/2012
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory:     8,073 MB
Available Physical Memory: 4,744 MB
Virtual Memory: Max Size:  16,263 MB
Virtual Memory: Available: 12,325 MB
Virtual Memory: In Use:    3,938 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    example.com
Logon Server:              N/A
Hotfix(s):                 87 Hotfix(s) Installed.
    [01]: 982861    [02]: KB958830  [03]: KB2425227 [04]: KB2479943 [05]: KB2484033 [06]: KB2488113
    [07]: KB2491683 [08]: KB2492386 [09]: KB2505438 [10]: KB2506014 [11]: KB2506212 [12]: KB2506928
    [13]: KB2507618 [14]: KB2509553 [15]: KB2511250 [16]: KB2511455 [17]: KB2512715 [18]: KB2515325
    [19]: KB2518869 [20]: KB2522422 [21]: KB2529073 [22]: KB2532531 [23]: KB2533552 [24]: KB2534111
    [25]: KB2536275 [26]: KB2536276 [27]: KB2541014 [28]: KB2544893 [29]: KB2545698 [30]: KB2547666
    [31]: KB2552343 [32]: KB2556532 [33]: KB2560656 [34]: KB2563227 [35]: KB2564958 [36]: KB2567680
    [37]: KB2570947 [38]: KB2572077 [39]: KB2579686 [40]: KB2584146 [41]: KB2585542 [42]: KB2588516
    [43]: KB2603229 [44]: KB2604115 [45]: KB2607047 [46]: KB2619339 [47]: KB2620704 [48]: KB2620712
    [49]: KB2621440 [50]: KB2631813 [51]: KB2633873 [52]: KB2633952 [53]: KB2640148 [54]: KB2641653
    [55]: KB2641690 [56]: KB2644615 [57]: KB2645640 [58]: KB2647518 [59]: KB2653956 [60]: KB2654428
    [61]: KB2656356 [62]: KB2656373 [63]: KB2656411 [64]: KB2658846 [65]: KB2659262 [66]: KB2660075
    [67]: KB2660649 [68]: KB2665364 [69]: KB2667402 [70]: KB2675157 [71]: KB2676562 [72]: KB2677070
    [73]: KB2679255 [74]: KB2685939 [75]: KB2686831 [76]: KB2688338 [77]: KB2690533 [78]: KB2695962
    [79]: KB2699779 [80]: KB2699988 [81]: KB2709162 [82]: KB2709630 [83]: KB2709715 [84]: KB2709981
    [85]: KB2718704 [86]: KB976902  [87]: KB982018
Network Card(s):           4 NIC(s) Installed.
    [01]: Bluetooth Device (Personal Area Network)
          Connection Name: Bluetooth Network Connection
          Status:          Media disconnected
    [02]: Intel(R) Centrino(R) Advanced-N 6205
          Connection Name: Wireless Network Connection
          DHCP Enabled:    Yes
          DHCP Server:     192.168.151.1
          IP address(es)
          [01]: 192.168.151.108
          [02]: fe80::483f:894:5771:3fa2
    [03]: Intel(R) 82579LM Gigabit Network Connection
          Connection Name: Local Area Connection
          Status:          Media disconnected
    [04]: Aventail VPN Adapter
          Connection Name: Local Area Connection 2
          DHCP Enabled:    No
          IP address(es)

[IT-KBUFF7] Thu 07/05/2012 15:17:36.30 C:\Windows\system32\LogSpace\{D092AEA2-D55E-45F3-9CC3-42761EBF0355} #</textarea>
    <big>
    whoami /groups</big><textarea cols="100" rows="35">***************************************************************************
whoami /groups
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

[IT-KBUFF7] Thu 07/05/2012 15:17:23.72 C:\Windows\system32\LogSpace\{D092AEA2-D55E-45F3-9CC3-42761EBF0355} #whoami /groups

GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
BUILTIN\Administrators                 Alias            S-1-5-32-544 Enabled by default, Enabled group, Group owner
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
Mandatory Label\System Mandatory Level Label            S-1-16-16384

[IT-KBUFF7] Thu 07/05/2012 15:17:23.89 C:\Windows\system32\LogSpace\{D092AEA2-D55E-45F3-9CC3-42761EBF0355} #</textarea>

    Thursday, July 5, 2012 10:21 PM
  • I'd say that your DA tunnel is just fine but that your internal name resolution is not, which would be causing the problems.

    You stated above that the DNS64 service is up and running; are all your DCs added as infrastructure servers? Furthermore, I see that the NAP service is not running - are you using NAP? If you are, and the service is not running, this would prevent the client from sending an SOH to the NAP server and thus not being able to obtain a health cert.

    Another note, another wild guess is that your inside.example.com site is your NLS site - you are using that as a connectivity probe which will (should not, cannot) work. It should be totally unreachable from the outside. As you fail to reach it, I am assuming that it is excluded on the DNS suffix list. Change the probe to something more suitable (for instance, create a share on an infrastructure server and place a text file there) for the testing.

    DCA does not update itself as quickly as would be desirable and causes a lot of "false positives" in the sense that the DCA reports failure but it actually does work... Moral of the story, test instead of trusting the DCA...


    Hth, Anders Janson Enfo Zipper

    Friday, July 6, 2012 10:22 AM
  • At this point, no, not all of my DCs are infrastructure servers. I have two DCs in the US office running Win2k8R2, and two foreign offices each with a DC running Win2k3R2. I originally tried a configuration with all of the DCs as infrastructure servers, then pared it down to include only the DCs in the US office.

    We are not using NAP at this point.

    The site inside.example.com does not resolve from my laptop when at home, and does resolve when I have it at the office, so that should be fine.

    DCA will show this error very soon (within just a minute or so) and keep showing it for as long as I have a session running while not on the production network. All tests that I've been able to perform do work, however.

    I think I'll add the two DCs in the foreign offices back into the pool of infrastructure servers, and see what that gets me.

    Kurt

    Friday, July 6, 2012 6:52 PM
  • As long as you have a probe that fails to resolve, you will have this error message. Change the verifier to something that actually can be connected to from the outside.

    Hth, Anders Janson Enfo Zipper

    Monday, July 9, 2012 9:46 AM
  • As long as you have a probe that fails to resolve, you will have this error message. Change the verifier to something that actually can be connected to from the outside.

    Hth, Anders Janson Enfo Zipper

    Perhaps I'm not understanding - I thought that https://inside.example.com *should not* be resolvable from the outside - that is what I thought https://outside.example.com was for.

    Was I misapprehending something?

    I'm in the process of updating the GPOs with the rest of the DCs, and will test once they've propagated and report back.

    Kurt

    Monday, July 9, 2012 4:20 PM
  • To follow up: I updated the GPOs to include all of the DCs, and have rebooted the UAG server twice and my laptop twice as well.

    Still no joy.

    Kurt

    Monday, July 9, 2012 11:59 PM
  • Hi Kurt,

    As Anders said, you are using inside.example.com both as a connectivity verifier and as your network location server. This configuration is invalid.

    The network location server is designed to be resolved only from inside your corporate network, and cannot be reached by DirectAccess clients due to an exemption entry in NRPT. The connectivity verifier, however, should be resolved and reachable via DirectAccess in order to indicate corporate connectivity correctly.

    Please change the connectivity verifier for DirectAccess connectivity assistant to a different URL.

    • Marked as answer by Kurt Buff Wednesday, July 11, 2012 8:17 PM
    Wednesday, July 11, 2012 4:02 PM
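An added illustration of the rule in the answer above (not part of the thread and not Microsoft's code): a simplified Python model of NRPT lookup that classifies candidate connectivity verifiers. The NRPT entries, the DNS server address and the file-share name are constructed assumptions; only inside.example.com comes from the thread.

```python
from urllib.parse import urlparse

# Constructed sample data (assumptions, not taken from the thread's GPOs).
# NRPT model: namespace -> DNS servers used through DirectAccess.
# An empty server list is an exemption: the name is resolved with the
# client's ordinary DNS, outside the tunnel.
NRPT = {
    ".example.com": ["2001:db8::53"],
    "inside.example.com": [],          # exemption for the network location server
}
NLS_URL = "https://inside.example.com"


def probe_host(probe):
    """Host name of an http(s) URL or of a UNC path."""
    if probe.startswith("\\\\"):
        return probe[2:].split("\\", 1)[0].lower()
    return (urlparse(probe).hostname or "").lower()


def nrpt_rule(host, nrpt):
    """Simplified NRPT lookup: exact FQDN rule first, else longest suffix rule."""
    if host in nrpt:
        return host
    suffixes = [ns for ns in nrpt if ns.startswith(".") and host.endswith(ns)]
    return max(suffixes, key=len, default=None)


def check_verifier(probe, nrpt=NRPT, nls_url=NLS_URL):
    """Classify one connectivity verifier: 'ok', 'is-nls', 'exempt' or 'no-rule'."""
    host = probe_host(probe)
    if host == probe_host(nls_url):
        return "is-nls"    # the NLS must stay unreachable for DirectAccess clients
    rule = nrpt_rule(host, nrpt)
    if rule is None:
        return "no-rule"   # not a corporate namespace; says nothing about the tunnel
    if not nrpt[rule]:
        return "exempt"    # resolved outside DirectAccess, so the probe fails remotely
    return "ok"            # resolved through DirectAccess: a usable verifier


if __name__ == "__main__":
    # files.example.com is a hypothetical share of the kind suggested earlier.
    for p in (NLS_URL, r"\\files.example.com\dca\probe.txt", "https://www.example.org"):
        print(f"{p:40} {check_verifier(p)}")
```

Any verifier reported as `is-nls` or `exempt` will keep the DCA in the "corporate network names cannot be resolved" state even when the tunnels themselves are up.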
  • Hi Kurt,

    As Anders said, you are using inside.example.com both as a connectivity verifier and as your network location server. This configuration is invalid.

    The network location server is designed to be resolved only from inside your corporate network, and cannot be reached by DirectAccess clients due to an exemption entry in NRPT. The connectivity verifier, however, should be resolved and reachable via DirectAccess in order to indicate corporate connectivity correctly.

    Please change the connectivity verifier for DirectAccess connectivity assistant to a different URL.

    Ah - that's something I didn't understand. I'll go back to review the configuration and figure that out. Thanks for clarifying.

    Kurt

    Wednesday, July 11, 2012 4:32 PM
  • Yaniv and Anders,

    Thanks so much for your help. It now appears to be working correctly - the DCA systray icon is pleasingly plain.

    Kurt

    Wednesday, July 11, 2012 8:18 PM