Asker
DA Clients running Windows 10 v2004 are not registering in AD DNS

Question
Hello,
I have a new, small single-site DirectAccess 2-NIC Server 2016 VM serving a handful of Server 2016 and Windows 10 clients. The LAN is IPv4 only, and I'm using only IP-HTTPS for DA. All other IPv6 transition technologies are disabled on the clients via GPO. I also have the DA VM set up as an ISATAP router for manage-out, with ISATAP limited by AD group and GPO to just the machines that need to manage out and initiate RDP sessions to DA clients.
Here's where things get strange: Server 2016 DA clients register (and update) their IP-HTTPS IPv6 address in our internal AD DNS with no issue. Windows 10 DA clients do not. For the Win10 clients, manage-out (via RDP for example) works fine when using the IPv6 address instead of the host name. I have spent more hours than I care to admit with troubleshooting: going through countless Google searches, reading forum and blog posts, modifying AD, OU, and GPO settings, changing and uninstalling 3rd party AV products (that don't have a software firewall component), comparing DA troubleshooter logs, scouring event viewer entries, etc. At some point I realized all the Win10 clients are running the current 2004 build, so I decided to add a couple of laptops that are still running 1903. To my amazement, these clients registered IPv6 address, and I'm able to RDP by hostname from a manage-out machine. These Win10 clients are all in the same OU with the same AD group memberships.
Did something change in build 2004 that prevents the clients from registering their IPv6 address in DNS? The only differences I can find are in the event viewer system logs. The 2004 clients are littered with DNS Client Event warnings (IDs 8015 and 8018) stating that the system failed to register the A or AAAA resource records for the adapter name {long character string here} on the DNS servers, where the server IPs are the IPv4 IPs handed out by the IPv4 DHCP server of the network to which the machines are connected. I am not seeing any of these errors on the 1903 clients. I initially did not think much about this error because I'm also receiving the same error on the Server 2016 DA clients, but of course those are able to register just fine internally, as noted above.
Has anyone else run into this issue? Any ideas on how to fix it? Thanks.
July 31, 2020 18:37
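A diagnostic script for the symptoms described in the question, added here as an example; it was not posted by anyone in the thread. It assumes an elevated PowerShell session on a Windows 10 DA client with the built-in DnsClient, NetworkTransition and DirectAccessClientComponents modules, that the IP-HTTPS tunnel adapter carries the usual "IPHTTPSInterface" alias, and that the event IDs 8015/8018 are the DNS Client Events named above. $InternalDnsServer is a placeholder you supply; when left empty it falls back to the DirectAccess DNS server taken from the NRPT rule the DA GPO pushed.

```powershell
# Added diagnostic script (not from the thread). Run elevated on a Windows 10 DA client.
# $InternalDnsServer: placeholder for a DNS server reachable over the tunnel; empty = take
# the DirectAccessDnsServers entry from the first NRPT rule that has one.
param(
    [string]$InternalDnsServer = ''
)

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Write-Host "Client FQDN: $fqdn"

# 1. DirectAccess connection state and IP-HTTPS tunnel health.
Get-DAConnectionStatus -ErrorAction SilentlyContinue | Format-List Status, Substatus
Get-NetIPHttpsState -ErrorAction SilentlyContinue | Format-List InterfaceStatus, LastErrorCode

# 2. Which interfaces are allowed to register their addresses, and which IPv6 DNS
#    servers each interface currently has (the workaround later in the thread pins this).
Get-DnsClient |
    Select-Object InterfaceAlias, RegisterThisConnectionsAddress, ConnectionSpecificSuffix |
    Format-Table -AutoSize
Get-DnsClientServerAddress -AddressFamily IPv6 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 3. NRPT rules from the DA GPO: internal namespace -> DA DNS server. The 8015/8018
#    warnings in the question show registration going to the DHCP-assigned IPv4 servers
#    instead of these.
$nrpt = Get-DnsClientNrptPolicy
$nrpt | Format-Table Namespace, NameServers, DirectAccessDnsServers -AutoSize
if (-not $InternalDnsServer) {
    $InternalDnsServer = ($nrpt | Where-Object { $_.DirectAccessDnsServers } |
        Select-Object -First 1).DirectAccessDnsServers | Select-Object -First 1
}

# 4. The IPv6 address on the IP-HTTPS tunnel adapter: this is what the AAAA record should hold.
$tunnelAddr = Get-NetIPAddress -AddressFamily IPv6 |
    Where-Object { $_.InterfaceAlias -like '*IPHTTPS*' -and $_.PrefixOrigin -ne 'WellKnown' } |
    Select-Object -ExpandProperty IPAddress
Write-Host "IP-HTTPS tunnel address(es): $($tunnelAddr -join ', ')"

# 5. Registration failures (DNS Client Events 8015/8018) since the last boot.
$boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 8015, 8018; StartTime = $boot } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 6. What internal DNS currently answers for this host's AAAA record.
if ($InternalDnsServer) {
    Write-Host "AAAA records for $fqdn on $InternalDnsServer:"
    Resolve-DnsName -Name $fqdn -Type AAAA -Server $InternalDnsServer -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'AAAA' } | Format-Table Name, IPAddress, TTL -AutoSize
} else {
    Write-Warning 'No DirectAccess DNS server found in the NRPT; pass -InternalDnsServer explicitly.'
}
```

Compare steps 4 and 6 on a 1903 client and a 2004 client: on the working client the tunnel address appears in the AAAA answer, and step 5 is empty; on the broken client step 5 shows the 8015/8018 warnings naming the DHCP-assigned IPv4 servers, which is the behaviour the replies below attribute to 2004 ignoring the NRPT for adapter registration.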
All replies
Hello,
We have the same issue.
As I can see, this is really a build (v2004) problem - the client ignores NRPT settings and tries to update the DNS record via the global server. Today I found a workaround, which worked for us.
Try to do that:
1. Get the DA server internal interface IPv6 address. You can take it from step 2 of the DA configuration wizard (Remote Access Server).
2. Set that IP as the static preferred IPv6 DNS server address on the client PC network interface which is used for the connection (wireless or LAN).
- Edited by Fedor_Levin August 21, 2020 11:28
August 21, 2020 10:20
This workaround worked great for me. I had also noticed that as of build 2004, remote DA connected clients no longer forwarded DDNS information when connected offsite. Internally they would register their IPv4 intranet IP, but once offsite, no DDNS updates. All older builds of Windows 10 worked perfectly.
As a test I put Wireshark on the DNS server and watched for DDNS packets coming in. All remote DA connected clients running builds older than 2004 submitted DDNS packets. Build 2004 didn't. As soon as I put the static IPv6 address from the Ethernet card of the DA server into the IPv6 DNS settings on the DA connected clients, they started submitting DDNS requests to the DNS servers. I have been pulling my hair out with this issue ever since 2004 came out. Thank you for pointing out your workaround. I hope Microsoft fixes this DDNS issue for remotely connected DA clients in a future Windows update... But the conspiracy side of me kind of wonders if they are slowly wanting to break DA and push everyone towards their "Always On VPN" solution? :-)
August 23, 2020 20:38
I ran into this issue today and found a fix. It appears Microsoft changed the default behavior of how DNS registration happens when connected remotely, and it appears that they did this as part of the evolution from DirectAccess to Always On VPN.
In order for Win 10 2004 to properly register in DNS, the following registry entry must be defined on each DA client machine.
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DisableNRPTForAdapterRegistration DWORD = 0
To enable this setting, open an elevated PowerShell window and run the following command.
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters' -Name DisableNRPTForAdapterRegistration -PropertyType DWORD -Value 0 -Force
Once complete, restart the client device for the changes to take effect. After validation testing is complete, the registry entry can be deployed to DA clients using Active Directory Group Policy Preferences.
- Proposed as answer by jtcrx September 20, 2020 18:06
August 31, 2020 20:22
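The two remediations offered in the thread, Fedor_Levin's static IPv6 DNS server on the physical adapter and jtcrx's DisableNRPTForAdapterRegistration registry value, wrapped as PowerShell functions together with a post-change check. This is an added example, not code posted by either reply. It assumes an elevated session on the DA client, that the tunnel adapter carries the "IPHTTPSInterface" alias, and that you supply the DA server's internal IPv6 address (wizard step 2) and the interface alias yourself; the function names and the placeholders in the usage comments are mine.

```powershell
# Added example (not from the thread). Run elevated on a Windows 10 2004 DA client.
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'   # from the thread
$RegName = 'DisableNRPTForAdapterRegistration'                               # from the thread

function Get-NrptAdapterRegistrationState {
    # Audit first: returns the current DWORD value, or $null when the value is not defined.
    (Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue).$RegName
}

function Enable-NrptAdapterRegistration {
    # jtcrx's fix: value 0 makes the DNS client honour the NRPT when registering adapter
    # addresses, so the AAAA update is sent to the DirectAccess DNS server rather than the
    # DHCP-assigned IPv4 servers named in the 8015/8018 warnings. Takes effect after reboot.
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    New-ItemProperty -Path $RegPath -Name $RegName -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Host "$RegName = 0 written; restart the client for it to take effect."
}

function Set-DaIPv6DnsWorkaround {
    # Fedor_Levin's workaround: pin the physical adapter's IPv6 DNS server to the DA
    # server's internal IPv6 address. The cmdlet infers the address family, so the
    # adapter's IPv4 DNS servers are left as they are.
    param(
        [Parameter(Mandatory)][string]$DaInternalIPv6,   # DA server internal-interface IPv6
        [Parameter(Mandatory)][string]$InterfaceAlias    # e.g. 'Wi-Fi' or 'Ethernet'
    )
    $parsed = [System.Net.IPAddress]::Parse($DaInternalIPv6)   # fail early on a bad address
    if ($parsed.AddressFamily -ne 'InterNetworkV6') { throw "$DaInternalIPv6 is not an IPv6 address" }
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DaInternalIPv6
}

function Test-DaDnsRegistration {
    # Forces a dynamic update now, then checks whether the internal DNS server's AAAA
    # answer for this host contains the IP-HTTPS tunnel address.
    param([Parameter(Mandatory)][string]$DnsServer)   # DA DNS64 / internal DNS reachable via tunnel
    Register-DnsClient
    Start-Sleep -Seconds 5
    $fqdn   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $tunnel = Get-NetIPAddress -AddressFamily IPv6 |
        Where-Object { $_.InterfaceAlias -like '*IPHTTPS*' -and $_.PrefixOrigin -ne 'WellKnown' } |
        Select-Object -ExpandProperty IPAddress
    $aaaa   = Resolve-DnsName -Name $fqdn -Type AAAA -Server $DnsServer -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'AAAA' } | Select-Object -ExpandProperty IPAddress
    [pscustomobject]@{
        Fqdn           = $fqdn
        TunnelIPv6     = @($tunnel)
        RegisteredAAAA = @($aaaa)
        Registered     = [bool]($tunnel | Where-Object { $aaaa -contains $_ })
    }
}

# Usage (placeholders in angle brackets are yours to fill in):
# Get-NrptAdapterRegistrationState                       # $null = not defined, 1 = NRPT ignored
# Enable-NrptAdapterRegistration; Restart-Computer       # jtcrx's fix
# Set-DaIPv6DnsWorkaround -DaInternalIPv6 '<DA-internal-IPv6>' -InterfaceAlias 'Wi-Fi'   # Fedor's workaround
# Test-DaDnsRegistration -DnsServer '<DA-DNS-server-IPv6>'
```

Apply one path at a time and re-run Test-DaDnsRegistration after each so you know which change actually produced the AAAA record; once the registry fix is validated, the same value can be pushed with a Group Policy Preferences registry item, as the reply above suggests, rather than by running the script per client.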