GPUpdate breaks DA connection

  • Question

  • Hi,

    I now have one newly installed UAG SP1 server that has both the portal and DA configured. DA is utilizing ISATAP and there is no firewall between the UAG internal network and the DCs. All works fine, but there is one strange thing in the system.

    Every time, when connected with DA to the organization, I run gpupdate /force /target:computer, it breaks the current DA connection. The connection is not restored until the computer is rebooted or connected to the corporate network and then again to the Internet.

    Also, during the gpupdate /force /target:computer it will not update computer policies. If I run just gpupdate /force, the user policy is updated correctly, but not the computer policy.

    Any tips or tricks to look at?

    BR, TommiK

    Tuesday, January 18, 2011 5:25 PM

Answers

All replies

  • Are you able to update the computer policy when connected to the corpnet?  If not, then start troubleshooting there because it'll need the DirectAccess Client policy before it can even use DA anyway.

    Aside from that, you can use gpresult before AND after the attempted gpupdate and compare the results.  If something's changing then you should be able to see what it is.  Do something like this from an elevated command prompt:

    • gpresult /h res1.htm && gpupdate /force && gpresult /h res2.htm

    Then compare res1.htm to res2.htm and see if there's something different.


    MrShannon | TechNuggets Blog | Concurrency Blogs
    Tuesday, January 18, 2011 9:00 PM
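    The before/after comparison MrShannon describes, written out as a script. This is an added example and not code from the thread: it captures the computer-scope RSoP as XML (easier to compare than the /h HTML report), runs the forced computer-policy refresh from the original question, and then reports which GPOs appeared or disappeared and what each client-side extension logged. It assumes gpresult /x is available (Vista/7 and later) and that the report uses the Rsop/ComputerResults/GPO and ExtensionStatus elements; run it from an elevated PowerShell prompt on the DirectAccess client while connected over DA.

```powershell
# Added example, not from the thread. Before/after RSoP comparison around a
# forced computer-policy refresh on a DirectAccess client. Run elevated.
# Assumption: gpresult /x report layout is Rsop/ComputerResults/{GPO,ExtensionStatus}.

$before = Join-Path $env:TEMP 'rsop-before.xml'
$after  = Join-Path $env:TEMP 'rsop-after.xml'

# /x writes the report as XML; /f overwrites an existing file.
gpresult /scope computer /x $before /f | Out-Null
gpupdate /force /target:computer
gpresult /scope computer /x $after /f | Out-Null

function Get-RsopSummary([string]$Path) {
    [xml]$rsop = Get-Content -Path $Path
    $cr = $rsop.Rsop.ComputerResults
    New-Object PSObject -Property @{
        # Names of the GPOs that were applied to the computer.
        Gpos       = @($cr.GPO | ForEach-Object { $_.Name })
        # Per-extension (CSE) status; a non-zero Error is what to chase first.
        Extensions = @($cr.ExtensionStatus | ForEach-Object {
                         '{0} (error {1})' -f $_.Name, $_.Error })
    }
}

$b = Get-RsopSummary $before
$a = Get-RsopSummary $after

"GPOs applied before: $($b.Gpos.Count)  after: $($a.Gpos.Count)"
$gpoDiff = Compare-Object -ReferenceObject $b.Gpos -DifferenceObject $a.Gpos
if ($gpoDiff) {
    'GPO changes (<= only before, => only after):'
    $gpoDiff | ForEach-Object { '  {0} {1}' -f $_.SideIndicator, $_.InputObject }
} else {
    'No GPO was added or removed by the refresh.'
}

'Client-side extension status after the refresh:'
$a.Extensions | ForEach-Object { "  $_" }

# The DirectAccess client settings arrive through the NRPT; showing the
# effective table after the refresh makes a changed or vanished rule obvious.
netsh namespace show effectivepolicy
```

    If the tunnel drops during gpupdate, the "after" report is still useful: gpresult reads the locally cached RSoP data, so it does not need a DC, and the ExtensionStatus errors tell you which extension failed to contact one.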
  • FWIW - I quite often run gpupdate's on DA clients (for example when amending Windows Firewall settings for remote management) and have never experienced this...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, January 18, 2011 9:17 PM
    Moderator
  • Hi,

    In corporate LAN all policies are updated correctly.

    I have verified that it does nothing when the gpupdate is done. It says almost immediately that the policy was not updated since there was no connection to a domain controller.

    As mentioned, this only happens for computer policy, not for user policy. I am able to do the user policy update, but not the computer policy.

    I do have experience of many other DA implementations and in all of those gpupdate works fine over the DA connection, so this is something new for me in this particular environment.

    Thanks.

    BR, TommiK

    Wednesday, January 19, 2011 5:38 AM
  • Hi Tommi,

    Does this happen for all DA clients or just one?

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Wednesday, January 19, 2011 1:48 PM
    Moderator
  • Hi,

    All clients so far - we are just running in the testing phase and all test clients are having the same issue.

    BR, TommiK

    Wednesday, January 19, 2011 2:26 PM
  • OK - then use MrShannon's advice and see what has changed that might have led to this.

    I agree with Jason - I've run gpupdate probably over 1000 times on DA clients with no problem, so there's something "off-label" about your configuration that we need to figure out.

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Friday, January 21, 2011 11:26 AM
    Moderator
  • Hi,

    I did run the test and the only things that change are the changes that I have made to the UAG client policy - additions to name resolution, excluding certain addresses from routing through the DA tunnel.

    I also noticed today that DA seems to be breaking connections every now and then. It takes a while to get a new connection after the connection was interrupted. So there must also be something else wrong with the config. I haven't seen similar behaviour in any environment earlier.

    BR, TommiK

    Sunday, January 23, 2011 7:27 PM
  • You should enable IPsec logging on the UAG DirectAccess server and see if that gives you any useful information.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Tuesday, January 25, 2011 2:31 PM
    Moderator
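    What "enable IPsec logging" comes down to on a Windows Server 2008 R2 UAG box, as an added example rather than anything posted in the thread: IPsec negotiation events are audit events, so they are switched on with auditpol and then read back from the Security log. The subcategory names are the en-US ones and the event IDs listed (4652 and 4653 for a failed Main Mode, 4654 for a failed Quick Mode) are the ones I would start with; both are assumptions to adjust against your own server. Run elevated on the UAG DirectAccess server, then reproduce the gpupdate on a client and compare timestamps.

```powershell
# Added example, not from the thread. Enables IPsec auditing on the UAG server
# and lists recent IPsec negotiation failures. Run elevated on the server.
# Assumptions: en-US auditpol subcategory names; event IDs below are the
# Main Mode / Quick Mode failure events of interest.

$subcategories = 'IPsec Main Mode', 'IPsec Quick Mode', 'IPsec Extended Mode', 'IPsec Driver'
foreach ($s in $subcategories) {
    # Log both successes and failures; successes show the SAs that did come up,
    # which is what you compare a sudden failure against.
    auditpol /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
    auditpol /get /subcategory:"$s"
}

# Pull the failures from the last two hours; widen the window as needed.
$since      = (Get-Date).AddHours(-2)
$failureIds = 4652, 4653, 4654

$events = Get-WinEvent -FilterHashtable @{
              LogName   = 'Security'
              Id        = $failureIds
              StartTime = $since
          } -ErrorAction SilentlyContinue

if (-not $events) {
    "No IPsec negotiation failures logged since $since."
} else {
    # The first line of the message is the summary; the full message carries
    # the remote address and the failure point/reason, so print both.
    $events |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize

    $events | ForEach-Object {
        '---- {0} event {1} ----' -f $_.TimeCreated, $_.Id
        $_.Message
    }
}
```

    The auditing stays on until you set the subcategories back to /success:disable /failure:disable; on a busy DA server the Security log fills quickly with Main Mode events, so size the log or narrow the window accordingly.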
  • Hi Tommi,

    I had a similar problem a few months ago where users lost connectivity when GPOs were refreshed.

    I managed to pin it down to the firewall policy for ICMPv6 traffic.
    The rule did not allow edge traversal, so the ICMPv6 packets that were sent to internal systems to verify connectivity were dropped.

    Otherwise, network monitor or wireshark is always a good way to start :)
    (Wireshark and the abrupt end of ICMPv6 packets was what helped me find that firewall rule)


    Best wishes,
    Jonas Blom
    Monday, January 31, 2011 8:50 AM
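    A quick way to see the setting Jonas is talking about on a client, added here as an example and not taken from the thread: the netsh rule listing shows an "Edge traversal:" field per rule, so filtering the output to ICMPv6 rules gives the direction, state and edge-traversal value of each one without clicking through wf.msc. It assumes the en-US field labels used by Windows 7 / Server 2008 R2 netsh ("Rule Name:", "Protocol:", "Edge traversal:"); run it elevated on the DirectAccess client.

```powershell
# Added example, not from the thread. Lists every Windows Firewall rule for
# ICMPv6 with its edge-traversal setting. Run elevated on the DA client.
# Assumption: en-US netsh field labels; rule blocks are separated by blank lines.

$raw    = netsh advfirewall firewall show rule name=all
$blocks = ($raw -join "`n") -split "`n\s*`n"

function Get-Field([string]$Block, [string]$Label) {
    # Each field sits on its own line as "Label:   value".
    if ($Block -match "(?m)^$Label\s*(.+)$") { $matches[1].Trim() } else { '' }
}

$rules = foreach ($b in $blocks) {
    if ($b -notmatch 'Protocol:\s+ICMPv6') { continue }
    New-Object PSObject -Property @{
        Name          = Get-Field $b 'Rule Name:'
        Enabled       = Get-Field $b 'Enabled:'
        Direction     = Get-Field $b 'Direction:'
        Profiles      = Get-Field $b 'Profiles:'
        EdgeTraversal = Get-Field $b 'Edge traversal:'
    }
}

if (-not $rules) {
    'No ICMPv6 rules found.'
} else {
    $rules |
        Sort-Object Direction, Name |
        Format-Table Direction, Enabled, Profiles, EdgeTraversal, Name -AutoSize
}
```

    Edge traversal only applies to inbound rules, so on the listing expect the value to matter for the "In" entries only; the outbound Echo Request rule is what governs the client pinging intranet hosts.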
  • Hi Jonas,

    I'm not sure how Edge Traversal would affect DirectAccess clients from pinging intranet hosts.

    When Edge Traversal is disabled, but ICMPv6 Echo Request outbound is enabled, then the DirectAccess client will be able to ping intranet hosts. What you won't be able to do if Edge Traversal is disabled is ping the DirectAccess client from a host on the intranet.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    • Marked as answer by Erez Benari Wednesday, May 18, 2011 9:49 PM
    • Unmarked as answer by Tommi K Wednesday, June 29, 2011 8:06 PM
    Tuesday, February 1, 2011 11:42 AM
    Moderator
  • Hi Thomas,

    Sadly it was a while ago that I did the troubleshooting, so I don't remember exactly what happened and which ICMPv6 packets made the connection to corporate resources stop.

    I just recognised the symptoms and thought I should give some additional hints on possible things to look at.  :)

    Best wishes,
    Jonas Blom

    Wednesday, February 2, 2011 2:23 PM
  • Hi Jonas,

    No problems!

    Thanks for the help and participating in the conversation!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Friday, February 4, 2011 2:18 PM
    Moderator
  • Hi,

    I just wanted to follow this up, since the actual solution was found for this. A bit later, but still: the issue was with the iphlpsvc.dll version - see KB article http://support.microsoft.com/kb979373

    BR, TommiK

    • Marked as answer by Tommi K Wednesday, June 29, 2011 8:06 PM
    Wednesday, June 29, 2011 8:06 PM