I have setup DirectAccess on a Windows Server 2012. The DC is on a Hyper-V running Windows Server 2008.
DirectAccess is working for both Windows 7 and Windows 8. This issue I am having is that I have about 8 different servers, but I cannot RDP into 2 of them. One is our Hyper-V Server that is not on the domain, the other is the DirectAccess Server. If I were to use the VPN connection we previously were using, then I can connect to both of these servers.
- Edited by Bill Fry Monday, March 31, 2014 11:25 PM
What happens when you ping those server names from your DirectAccess client? A DA client needs to be able to resolve your internal resources to IPv6 addresses, by routing that DNS request through the DirectAccess server. For your non-domain-joined server, you may just have to add an entry into your internal DNS so that it knows how to resolve the name properly. DA is only aware of the namespaces that are in the NRPT, which is the "DNS" screen inside Step 3 of the DirectAccess Config wizards. So if your internal DNS suffix is ".company.local", and your NRPT only has an inclusion entry for "*.company.local" - then if that server does not have a DNS record that ends in .company.local, the DA client cannot see it.
From the client, if I ping the external IP address, I get a response. If I ping the internal address, it fails. Pinging the computer name fails but the server.domain.com resolves. I tried using both the internal and external IP addresses in RDP but no connection.
Over a DirectAccess connection, you cannot connect to internal resources via IPv4 addresses. DirectAccess is all IPv6 traffic from the client, so contacting "10.10.10.100" or anything similar is never going to work. Always use DNS names when contacting resources from a DA client (or type out the IPv6 addresses, but who's going to do that?) :)
Try creating an A record in your DNS for the non-domain-joined server. Choose a name, add it to DNS and point it at the internal IP of that server. Then give that change a little bit to replicate around, and then try contacting that server via DNS name, not the IP.
Most of the servers, I can RDP into when connected to DirectAccess. It is just the DirectAccess server itself that I cannot access. The other problem in the testing is that we use Office365 for email, etc. Once the laptop is connected via DirectAccess, we cannot setup Outlook to connect to the Office365 service. When entering a user email address in the setup of Outlook, it times out after a period of time.
That sounds like your Autodiscover DNS records need some consideration. For example, if you are running split brain DNS (the same DNS namespace internally as publically), and in your DirectAccess configuration you have *.mydomain.com included inside the NRPT (the DNS screen of Step 3) - then when Outlook makes a call to autodiscover.mydomain.com, it is trying to push that traffic inside the DirectAccess tunnels and through your internal network, rather than out to O365.
You might just need to identify what names Outlook is trying to talk to and add them into the NRPT as exclusions, so that those name requests do not attempt to traverse the DA tunnels, but rather flow over the regular internet connection the user is on.