Direct Access client DNS Registration q.
Hi All,
We have Direct Access installed, configured and mostly working on Windows 2012 R2 server supporting WIN 8.1 clients (only).
All internal resources are accessible and have good name resolution, etc.
However, I now have to enable "manage out" functionality. SCCM based Remote Assistance etc.
There are various guides and I think manage out is working correctly. There is a major sticking point in that the clients are attempted to register DNS names on the local DHCP server (home/office) router and registration never reaches corporate DNS servers.
I have enable "secure only" DNS registration by Group Policy.
We use split tunneling for clients.
The Direct Access server is behind a NAT firewall. (CISCO) So the only effective transition tech is IP-HTTPS.
Many thanks for any assistance in pointing me in the right direction.
Hi,
>>There is a major sticking point in that the clients are attempted to register DNS names on the local DHCP server (home/office) router and registration never reaches corporate DNS servers.
Did you deploy the IPv6 in your corpnet? If no, it's normal.
If we use the IPv4 in the corpnet, the NAT64 and DNS64 will be enabled on the DirectAccess server. When the DirectAccess client sends the DNS update packet, according to the NRPT, the packet will be sent to the DirectAccess server. DirectAccess
server will on behalf of the client to register the AAAA record.
Best Regards.
Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]
Similar Messages
-
Ok So I have windows 8.1 with Direct Access Client and it works fine when I am able to check and uncheck proxy settings - which is a bit of a pain and seems unnecessary (I hope). If I take the laptop to a Starbucks I get the error that the proxy server is
not responding so it never redirects for me to "accept" the rules.
If I uncheck my proxy settings it then redirects and connects to their internet wifi and off I go - DA connects and all is well.
I am using a GPO to configure the proxy settings as shown (all options are greyed out for the users)Hi,
Your problem is a classic one when using that kind of proxy settings, unfortunately.
To solve this without the need of user interaction, there are two solutions that will sort this out for you. In your case, if you want to use your corporate connection for internet traffic even over da, I'd opt for alternative 1 or 2 depending on what you are
trying to achieve.
1. WPAD (Web Proxy Auto Discovery protocol http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol) - it actually uses the Automatic browser configuration checkbox on your client and looks for the file wpad.dat on a specific web server that you Pointout
with either dns-record called wpad or DHCP option 252.
2. Auto configuration script (pac script http://en.wikipedia.org/wiki/Proxy_auto-config) - uses the same kind of file as above. The difference is that you get the possiblity, like you want in your scenario to target what users that should get the script.
See this below article for more details on the options you have.
http://technet.microsoft.com/en-us/library/dd361918.aspx
http://techlib.barracuda.com/display/WSFLEXv41/How+to+Configure+Proxy+Settings+Using+Group+Policy+Management
Let us know if you need further assistance!
/Johan
MCT | MCSE: Private Cloud/Server, Desktop Infrastructure -
Routing back to Direct Access Clients - is this possible?
Hi,
We have been using direct access for the past few months successfully, however the one problem we are still having is we can't use programs that require a route back to the Direct Access client (such as managing a Hyper-V machine on the local lan), using SourceOffsite
or even using Remote Desktop to remote onto a direct access client or ping the direct access client.
Our local LAN uses Ipv4 and we can route fine to the Direct Access clients from the Direct Access Server where the tunnel terminates but not from any other machine on the network. Do I need to change the direct access configuration to allow this or do I need
to somehow create a route on my LAN for the direct access clients?
Thanks in advance
DavidI found out how to do this in this useful article and tested it and it is working fine - thanks.
http://www.packtpub.com/article/configuring-manage-out-to-directaccess-clients -
Windows Server 2012 - Direct Access clients and the Windows 8 firewall
Hi,
We're running a simple proof-of-concept for Server 2012 Direct Access, we have a single DA server behind a firewall using NAT. We have a number of client devices setup for DA and running Windows 8.
Our issue is that we can only get the Windows 8 direct access clients to connect (when outside the corporate network) and work with the windows firewall disabled (public network profile).
With the windows firewall disabled everything works exactly as expected. When outside the corporate network the client detects the network state (public network profile), connects via DA and all internal resources can be accessed successfully...fantastic.
Is there some specific guidance on manually configuring the windows 8 firewall for Direct Access ? We've tried the obvious TCP:443 with edge traversal enabled but without success.
Much of the information we have found relates to UAG rather than Windows 2012 DA.
Any assistance is appreciated.Hi,
There isn’t any specific configuration on the firewall.
Just confirm that port 443 can be forwarded to DirectAccess server.
Of course, make sure you are using IPsec first.
Check the links:
STEP 6: Test DirectAccess Client Connectivity from Behind a NAT Device
http://technet.microsoft.com/en-us/library/hh831524.aspx#TeredoCLIENT1
DirectAccess for Windows Server 2012 Installation & Configuration Guide
http://syscomlab.blog.com/2012/09/directaccess-for-windows-server-2012-guide/
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place. -
Direct Access client getting NameResolutionFailure error
Hi,
I'm trying to setup Direct Access on a Windows 2012 R2 server and I'm running into what is hopefully a pretty easy problem to resolve.
I've followed the instructions to setup a simple setup for DA on a Windows 2012 R2 server with everything all on one server and I'm running behind a TMG 2010 server. On the TMG server I've published the my DA server using a server publishing rule
based on these instructions
http://danstoncloud.com/blogs/simplebydesign/archive/2013/04/04/tmg-can-be-a-good-friend-of-directaccess.aspx
The setup seems pretty straight forward, but now when I'm testing my clients I'm getting the NameResolutionFailure error when I try and connect when I'm not on our internal network.
The problem I'm pretty sure is DNS related because when my test Windows 8.1 client is on our internal network everything works fine.
When I plug the machine into an external network, I get the NameResolutionFailure error for the DA client. If I try and ping anything address on our domain name I get an error that the address is unresolvable. I can ping any other domain name address fine.
On my DA server, on the DNS tab of the Infrastructure Server setup I have the following entries:
mydomain.com fdf3:137e:5133:ce07:1000::127
directaccess.mydomain.com
DirectAccess-NLS.mydomain.com
directaccess.mydomain.com is the publicly resolvable name of my DA 2012 R2 server that is bound the external IP address published on my TMG 2010 server. This name is not resolvable when on any internal machines.
If I execute the get-DNSClientNRPTPolicy command I get this:
Namespace : DirectAccess-NLS.mydomain.com
QueryPolicy :
SecureNameQueryFallback :
DirectAccessIPsecCARestriction :
DirectAccessProxyName :
DirectAccessDnsServers :
DirectAccessEnabled :
DirectAccessProxyType : UseDefault
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired : False
NameServers :
DnsSecIPsecCARestriction :
DnsSecQueryIPsecEncryption :
DnsSecQueryIPsecRequired : False
DnsSecValidationRequired : False
NameEncoding : Utf8WithoutMapping
Namespace : directaccess.mydomain.com
QueryPolicy :
SecureNameQueryFallback :
DirectAccessIPsecCARestriction :
DirectAccessProxyName :
DirectAccessDnsServers :
DirectAccessEnabled :
DirectAccessProxyType : UseDefault
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired : False
NameServers :
DnsSecIPsecCARestriction :
DnsSecQueryIPsecEncryption :
DnsSecQueryIPsecRequired : False
DnsSecValidationRequired : False
NameEncoding : Utf8WithoutMapping
Namespace : .mydomain.com
QueryPolicy :
SecureNameQueryFallback :
DirectAccessIPsecCARestriction :
DirectAccessProxyName :
DirectAccessDnsServers : fdf3:137e:5133:ce07:1000::127
DirectAccessEnabled :
DirectAccessProxyType : NoProxy
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired : False
NameServers :
DnsSecIPsecCARestriction :
DnsSecQueryIPsecEncryption :
DnsSecQueryIPsecRequired : False
DnsSecValidationRequired : False
NameEncoding : Utf8WithoutMapping
So I'm thinking that the issue is related to the fact that the NRPT table says that directaccess.mydomain.com address there is no DNS specified. In fact it seems like that entry shouldn't even be there. When I was configuring DA for the first
time, I got a warning that said:
Warning: The NRPT entry for the DNS suffix .serverdomain.local contains the public name used by client computers to connect to the Remote Access server. Add the name Servername.serverdomain.local as an exemption in the NRPT.
I wasn't sure what this meant at the time but I'm guessing it's relevant to this problem.
Can some one give some help with this?
Thanks in advance
NickHi,
So here is what I did. First the IP information from my DA server IPHTTPS address from ipconfig /all
Tunnel adapter IPHTTPSInterface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : IPHTTPSInterface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : fdfd:1374:5130:1000::1(Preferred)
IPv6 Address. . . . . . . . . . . : fdfd:1374:5130:1000::2(Preferred)
IPv6 Address. . . . . . . . . . . : fdfd:1374:5130:1000:2400:8f5a:a931:1ff8(Preferred)
Link-local IPv6 Address . . . . . : fe80::2400:8f5a:a931:1ff8%17(Preferred)
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 436207616
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-4F-8E-38-00-15-5D-00-96-05
NetBIOS over Tcpip. . . . . . . . : Disabled
So the address of my IPHTTPS address appears to be -S using this address as the source and going to an internal machine with an IPV6 address and got this:
tracert -S fdfd:1374:5130:1000:2400:8f5a:a931:1ff8 testserver
Tracing route to testserver.mydomain.com [fdfd:1374:5130:ce07:1000::220]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms daserver.mydomain.com [fdfd:1374:5130:1000:2400:8f5a:a931:1ff8]
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14
So it looks like from the IPHTTPS address I can't get to any internal IPV6 addresses on my internal IPV6 network I think right? I did a route print on the DA server and got this:
===========================================================================
Interface List
12...00 15 5d 00 96 05 ......Microsoft Hyper-V Network Adapter
1...........................Software Loopback Interface 1
14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
16...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
17...00 00 00 00 00 00 00 e0 IPHTTPSInterface
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.16.0.21 172.16.0.127 261
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
172.16.0.0 255.255.240.0 On-link 172.16.0.127 261
172.16.0.127 255.255.255.255 On-link 172.16.0.127 261
172.16.15.255 255.255.255.255 On-link 172.16.0.127 261
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 172.16.0.127 261
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 172.16.0.127 261
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 172.16.0.21 Default
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
12 261 ::/0 fdfd:1374:5130:ce07:1000::21
1 306 ::1/128 On-link
12 4205 fdfd:1374:5130::/48 fdfd:1374:5130:ce07:1000::21
17 306 fdfd:1374:5130:1000::/64 On-link
17 306 fdfd:1374:5130:1000::/128 On-link
17 306 fdfd:1374:5130:1000::1/128 On-link
17 306 fdfd:1374:5130:1000::2/128 On-link
17 306 fdfd:1374:5130:1000:2400:8f5a:a931:1ff8/128 On-link
12 261 fdfd:1374:5130:7777::/96 On-link
12 261 fdfd:1374:5130:ce07::/64 On-link
12 261 fdfd:1374:5130:ce07:1000::127/128 On-link
12 261 fdfd:1374:5130:ce07:6b8c:21b9:52b4:e7c5/128 On-link
12 261 fe80::/64 On-link
17 306 fe80::/64 On-link
17 306 fe80::2400:8f5a:a931:1ff8/128 On-link
12 261 fe80::e00f:6c15:fde4:6491/128 On-link
1 306 ff00::/8 On-link
12 261 ff00::/8 On-link
17 306 ff00::/8 On-link
===========================================================================
Persistent Routes:
If Metric Network Destination Gateway
0 4294967295 fdfd:1374:5130:1000::/64 On-link
0 4200 fdfd:1374:5130::/48 fdfd:1374:5130:ce07:1000::21
0 256 fdfd:1374:5130:ce07::/64 On-link
0 4294967295 fdfd:1374:5130:7777::/96 On-link
0 4294967295 ::/0 fdfd:1374:5130:ce07:1000::21
===========================================================================
Am I missing a route here?
Thanks -
Win8.1 Direct Access Client Stuck at "Connecting"
I'm experimenting with Direct Access in a lab setting with 1 client and 3 2012 R2 servers. The client is running Windows 8.1 Enterprise.
The client is always able to connect to the Direct Access server but is unable to ping or connect to the 2 servers that don't have RAS installed. Moreover, this behavior migrates to whichever server is running Remote Access Server: So, if I remove the role
and install on another server, the client is able to communicate with the new server, but not the old.
The connection from the client to the server is via IP-HTTPS (only option available to me in this environment). The client is able to reliably determine when it's on the Internet versus the intranet. However, when on the Internet, it stays in a "Connecting"
state and never connects, but I'm still able to access the DA server.
Does anyone have any ideas on how to resolve this?I managed to resolve the issue. I'm posting here in the hope that this may help another newbie to DA.
Here's what caused my issue: As I mentioned, this was a lab environment where the limited number of machines were fulfilling multiple roles. In particular, the DA Server was also a backup domain controller running DNS. In my research, I came across a comment
on http://directaccessguide.com that mentioned that the DA Server runs DNS64 to support clients; that made me suspicious that the regular DNS server was in some way conflicting. And, in fact, before this server was
made a backup DC, DA was functioning just fine. Removing the backup DC role resolved the issue.
So the takeaway is this: Don't run the regular DNS service on the DA Server; if you do, you will get DA client connectivity only to the DA Server. -
Cannot apply Direct Access Client GPO on Windows 8.1 Enterprise client
Hi, I have made a Direct Access environment on Windows Server 2012 R2 Essential.
All setting seems to be ok, but i'm completely stuck when i have to export the DA client GPO to the client computer.
The client computer is a Win8.1 Enterprise, already joined to the domain.
When execute the command gpupdate /force, it complete successfully but when i do a gpresult /R i have nothing in the "Applied Group Policy Object" field (N/A) while i should have the Default domain GPO and the DA client GPO.
What is wrong at this state ?
ThanksMy user1 is in the "DirectAccess" group.
In all the tutorial i saw, i have never seen you have to add the computer object to this group but only the user.
Anyway, i have just add it to the group.
From my first post, here is what i did.
ran a Group Policy Result, from the DC to the client.
It give me the error RPC unavailable.
So i open the local policies on the client > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall >
Domain Profile > double click on "Windows Firewall: Allow inbound remote administration exception" > tick enable
I reran the Group Policy Results, and it work this time.
Now i have the result for the User1 on TECH2 client pc.
On details pane > Denied GPOs
The DA client setting is deny with the reason "access denied" ...
Now on the client computer after a GPRESULT /R
Computer settings
Applied Group Policy Object
Default Domain Policy
Local Group Policy
The following GPOs were not applied because they were filtered out
DirectAccess Client Setting
Filtering: Denied (Security)
DirectAccess Server Settings
Filtering: Denied (Security) -> normal -
Cannot connect to direct access clients from management servers
I have direct access setup on a Server 2012 machine and I have successfully added clients to it. Clients can reach internal resources and everything seems to be working great inbound. However, I am having some trouble with outbound management.
From the Direct Access server I can ping, RDP, browse files, etc... From the management server I have defined in the DA setup I can only ping the machines and nothing else.
I had worked with some MS tech support to get to this point, and they had me configure my DA server and the few management server with status IPv6 addresses. I'm not sure if this is necessary or if outbound managment should work using ISATAP?
My DA server is Server 2012, and the clients are Windows 8 and Windows 8.1.You should be able to make outbound management work using either ISATAP or native IPv6. If you have configured native IPv6 and it's not working, there may be some kind of routing issue with the way that IPv6 is setup in your environment, or even a piece
of networking equipment that is not IPv6 capable.
If you're interested in trying the ISATAP route to see if you can get it working that way, Chapter 3 in this is dedicated to the setting up of ISATAP: http://www.packtpub.com/microsoft-directaccess-best-practices-and-troubleshooting/book
(sorry, not trying to be self-serving, but these kinds of questions are exactly the reason why I put the book together) -
Good morning/afternoon/evening TechNet,
I've finally gotten a DA client connected to the corporate network utilizing an external network. I'm having a couple issues, one, not being able to ping the server from a computer that's on the same domain(I'm able to ping the DA client from the DA server).
I'm not sure if there is a firewall setting that needs to be open on the client for incoming echo requests? Second, we use a client management system called BMC and I would like the direct access server to be able to utilize the BMC server so that I can manage
the DA client whenever its on the network. I noticed on the DA server that "Step 3" offers an area where it allows you to add servers that will be used for direct access client management. Would I just need to populate the server in here and then
open appropriate firewall rules so that the DA server has access to them? Lastly, Trying to "mstsc" into the DA client what would I need to open up on both sides so that I'm able to do this?
Sorry about the horrible grammar but I've been up 24+ hours getting this awesome but pain in the butt Direct Access feature working.
Thank you as always!
-Liqsh0tI'm afraid it's a bit more complicated than adding a server into the list in Step 3 :)
When a DirectAccess client is connecting into a corporate network that is IPv4 (I assume yours is, most are), it can reach into your IPv4 servers because the DA server is doing NAT64/DNS64 translations, turning all of your DirectAccess IPv6 packets into
IPv4 packets before they head inside the network. But even though this happens in the background without you really knowing about it, the key thing there is that all DirectAccess traffic is IPv6. This means the clients can only be contacted via IPv6. If you
have IPv6 inside your network, then you can route outbound fairly easily to your DA client computers. If you are all IPv4 inside as most companies are, then you have to either roll IPv6 out inside your network, at least partially, or you have to utilize ISATAP
inside your network in order to create a sort of "virtual IPv6 cloud" that runs on top of your IPv4 internal network. This enables your internal management systems (like the BMC servers and helpdesk computers for RDP access outbound) to have a connection
into the IPv6 world, which then enables them some routing capability to get out to the IPv6-connected DA clients. In addition to this IPv6 or ISATAP setup, you also need to configure WFAS rules on the DA clients so that they will allow this traffic.
There is some info on setting up ISATAP here: http://blogs.technet.com/b/jasonjones/archive/2013/04/19/limiting-isatap-services-to-directaccess-manage-out-clients.aspx
Otherwise one of the chapters in this book is also dedicated to the setup of a selective ISATAP environment, to be used for the purposes of DirectAccess outward management: https://www.packtpub.com/virtualization-and-cloud/microsoft-directaccess-best-practices-and-troubleshooting -
Server 2012 Direct Access Single NIC cant get it to work
Hi,
I am having some real issues with setting up Direct Access with Server 2012 and a Windows 8 client, it simply won’t work at all.
First of all I should describe my setup:
I have an internet connection with a static IPv4 address on the external network adapter of the router
The internal network address (the address of the router which has the internet connection) is 192.168.1.1
Server1 (windows 2008 R2 Standard) has a static IPv4 address 192.168.1.2 and has some ports forwarded from the router (443, 25, 80) this server is a domain controller, email server, and has the DNS, DHCP and
certificate services
Server 2 (Windows 2008 R2 standard) has static IPv4 address 192.168.1.3 it has no ports forwarded from the router as it has no services accessed externally, it is used as a file server and print server, backup
domain controller and backup DNS.
Server 3 (Windows 2012) has static IPv4 address 192.168.1.4 and has the Remote Access server role installed along with all the other default features and roles it requires in the setup process.
These servers have all got an IPv6 address which I assume the server has configured automatically, there has been no deliberate configurations made to disable IPv6
I have no UAG or proxy server or anything else to route packets to internal servers. Just this router which has the option for port forwarding (I assume that’s NAT isn’t it?) sorry don’t know much about that
area.
I go through the setup wizard in remote access to configure direct access, in the external URL I have entered da.mydomain.com and created a host A record in my external domain name providers DNS which points
the da record to my external IP address. The wizard creates all the GPO’s, scoped correctly, and applied to a Windows 8 client. The operational status shows its all working and I got green ticks. However, when I connect the client to the internal network it
doesn’t seem to have correctly got the DA settings. I run the following in powershell
Get-DnsClientNrptPolicy
Nothing displays – at all
Get-NCSIPolicyConfiguration
Description
: NCSI Configuration
CorporateDNSProbeHostAddress
: fdd8:dd4a:ea42:7777::7f00:1
CorporateDNSProbeHostName
: directaccess-corpConnectivityHost.mydomain.local
CorporateSitePrefixList
: {fdd8:dd4a:ea42:1::/64, fdd8:dd4a:ea42:7777::/96, fdd8:dd4a:ea42:1000::1/128,
fdd8:dd4a:ea42:1000::2/128}
CorporateWebsiteProbeURL
: http://directaccess-WebProbeHost.mydomain.local
DomainLocationDeterminationURL : https://DirectAccess-NLS.mydomain.local:62000/insideoutside
Get-DAConnectionStatus
Get-DAConnectionStatus : Network Connectivity Assistant service is stopped or not responding.
At line:1 char:1
+ Get-DAConnectionStatus
+ ~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo
: NotSpecified: (MSFT_DAConnectionStatus:root/StandardCi...onnectionStatus) [Get-DAConnect
ionStatus], CimException
+ FullyQualifiedErrorId : Windows System Error 1753,Get-DAConnectionStatus
I go into services.msc and find that the network connectivity assistant is not started, it wont start either something must trigger it but I have no idea how to get it triggered to start… this might be my only
source of problem perhaps but on a more network level question:
If I have such ports as 80, and 443 (which I assume DA uses in some form with a public IPv4 internet address) directed at server 1, how does the DA connection get to server 3 which has the DA role installed?
I could create another record on the server which also opens port 443 to server as well as for server 1, but then how would the router know which server to pass the DA connection to if the same port is open for two different servers?
Either way, this first issue is that the client doesn’t seem to have the ability to connect internally correctly yet, so maybe this connectivity service is a good place to start? My understanding is that the
networks icon in the system tray should show that there is a corporate connection, but it doesn’t. also, the client seems to have the NLS certificate in the computer certificate store, so the cert side of things is working and the GPO side is working.
Many thanks
Steveahh i see, so just to enlighten me even further...
If a company has two web servers that would mean they would need two different public facing IP addresses so they can route to each internal web server. If, like the big companies have, they
may have many web servers (possibly more than 100) I’m assuming that simply buying more public IP addresses would have a limit, especially since the IPv4 address space is pretty much exhausted. So is this where proxy systems come into play like ISA and Forefront,
is this what they do?
I assume if such a product was implemented you could go down to just one or two public IP addresses, point all traffic to the ISA server and that in turn would do all the routing of packets
to each server behind the NAT/router (probably based on some sort of domain name or sub domain namespace as it’s parameter for forwarding?)
Secondly, what I have done is installed windows server 2012 and used that as a direct access client (I read on another forum that the windows 8 RP doesn’t have the enterprise bits to make this
work). I have got much further with the 2012 server acting as a client (installed on laptop, installed desktop experience and wireless LAN),
but when I run the following command on my DA client I get the following status
Get-DAConnectionStatus
Status:
connectedlocally
Substatus:
none
This appears to work fine, when im connected to the local network. But then I disconnect and run the command again and I get the following:
Status:
Error
Substatus:
NameResolutionFailure
On my router what I did is temporarily disable port 443 going to my original server and instead opened it up pointing to my other server, so 443 traffic should be going to my DA server now, but I don’t understand why its giving the name resolution failure
status. I have a host A record called “da” with my domain hoster, and entered the full domain namespace in the DA wizard as da.mydomain.com (the Host A record has been up there for more than a week so it’s propagated through the net)
So, a bit further but stuck again. -
Configuration of Direct Access 2012
Good morning.
I have tried to set up Direct Access from what I see is pretty much a 30-40 minute job, but has turned out to be something of a pain. Having followed the video on youtube for Windows Server 2012 with Basic PKI configuration and Windows 7 clients. I
have set up a working DA server with no issues and all green ticks.
Here's a run down.
I have a DC (2012) with the CA already installed.
I have a virtual DA (2012) set up with the advanced settings.
I have a a TMG 2010 server as the firewall with a Non-Web Publishing rule designed to forward HTTPS requests to the DA on the internal network.
The set up went as planned and I followed the instruction to set up the PKI and all computers have picked up a computer Certificate for the CA so that the internal root is validated.
The Certificates that I chose for the DA server were as follows;
DirectAccess-NLS.mydomain.local
remote.my-external-domain-name.co.uk
both published from my internal CA so that the root of the certificates were valid.
I have a Third party wildcard cert ( *.my-external-domain-name.co.uk ) for TMG to allow other connection such as VPN and web access.
DA Config:
Step 1: Remote Clients
I set up the DA server as per the video, set the DirectAccessClient group, and in the
Network Connectivity Assistant The resource was filled in with the
http://diectaccess-WebProbeHost URL.
Step 2: Remote Access Server
The Network Topology was set to Behind an edge device (with single network adapter), and then is says to type in the 'PUBLIC NAME' used by clients to connect to the Remove Access Server. Here I typed in the external DNS
name remote.my-external-domain-name.co.uk.
Network Adapters had the one ethernet and an IPv6 address. The
Select Certificate sued to authenticate IP-HTTPS connections has the CN=remote.my-external-domain-name.co.uk.
Authentication is set to AD and I used the root certificate of the CA for
use computer certificates. I also Enabled windows 7 client computers to connect via DirectAccess.
Step 3: Infrastructure Servers
Network Location Sevrer had the NLS is deployed on this server with the
DirectAccess-NLS cert.
DNS had the internal domain and the DirectAccess-NLS. the Internal domain was pointing to the IPv4 address of the DA. I read that I need to put the external name suffix of remote.my-external-domain-name.co.uk entry in and pointed that
to the internal DA IPv4 address also.
DNS Suffix List was set automatically and I also added my external domain name just in case.
Managerment was straight forward and I pointed to our System Centre 2012 R2 server.
Upon clicking finish and applying the GPO policies everything went according to plan. All green ticks. I did a GPupdate on the client I was testing and the GPO policies came through.
Now the issue I have is that on the internal network I get the Last Error 0x80190190 unable to connect to server. Now I am sure that this should say active as it is inside the network. I get the same error out side. When I check the DA server for
netsh int https sh int it returns the value that client authentication = NONE. I set it up to use computer certificates and even is I uncheck that it does not change.
It there a straight forward thing I missed or is it to do with publishing in TMG. Internally the direct access client will not connect as it will find the NLS in the internal DNS as I have the host record for both the server FQDN and the DirectAccess-NLS
potining to the IPv4 address. I also have the external remote.my-external-domain-name.co.uk entry in the internal DNS to point to the internal IPv4.
I have opened the ports for 443, 62000 on the DA for the IIS inbound and outbound.
I have a windows 8 client but need to test it as Windows 8 is supposed to work just like that.
What am I doing wrong here?? Any ideas would be much appreciated.Thank you for this Jordan.
I have now got it working. The next step is to make sure my applications are all using Names rather than IP addresses.
I have basically setup the system as per my original thread that follows, NOT in BOLD.
I have tried to set up Direct Access from what I see is pretty much a 30-40 minute job, but has turned out to be something of a pain. Having followed the video on youtube for Windows Server 2012 with Basic PKI configuration and Windows 7 clients. I have
set up a working DA server with no issues and all green ticks.
Here's a run down.
I have a DC (2012) with the CA already installed.
I have a virtual DA (2012) set up with the advanced settings.
I have a a TMG 2010 server as the firewall with a Non-Web Publishing rule designed to forward HTTPS requests to the DA on the internal network.
The set up went as planned and I followed the instruction to set up the PKI and all computers have picked up a computer Certificate for the CA so that the internal root is validated.
The Certificates that I chose for the DA server were as follows;
DirectAccess-NLS.mydomain.local
remote.my-external-domain-name.co.uk
both published from my internal CA so that the root of the certificates were valid.
I have a Third party wildcard cert ( *.my-external-domain-name.co.uk ) for TMG to allow other connection such as VPN and web access.
DA Config:
Step
1: Remote Clients
I set up the DA server as per the video, set the DirectAccessClient group, and in the Network Connectivity Assistant The resource was
filled in with the http://diectaccess-WebProbeHost URL.
Step
2: Remote Access Server
The Network Topology was set to Behind
an edge device (with single network adapter), and then is says to type in the 'PUBLIC NAME' used by clients to connect to the Remove Access Server. Here I typed in the external DNS name remote.my-external-domain-name.co.uk.
Network Adapters had the one ethernet and an IPv6 address. The Select
Certificate sued to authenticate IP-HTTPS connections has the CN=remote.my-external-domain-name.co.uk.
Authentication is set to AD and I used the root certificate of the CA for use
computer certificates. I also Enabled windows 7 client computers to connect via DirectAccess.
Step
3: Infrastructure Servers
Network Location Sevrer had the NLS
is deployed on this server with the DirectAccess-NLS cert.
DNS had the internal domain and the DirectAccess-NLS. the Internal domain was pointing to the IPv4 address of the DA. I read that I need
to put the external name suffix of remote.my-external-domain-name.co.uk entry in and pointed that to the internal DA IPv4 address also.
DNS Suffix List was set automatically and I also added my external domain name just in case.
Managerment was straight forward and I pointed to our System Centre 2012 R2 server.
Upon clicking finish and applying the GPO policies everything went according to plan. All green ticks. I did a GPupdate on the client I was testing and the GPO policies came through.
I have set up TMG as per the isa.org forum
http://www.isaserver.org/articles-tutorials/general/implementing-windows-server-2012-directaccess-behind-forefront-tmg-part2.html .
@ Jordan - I ensured that I had a separate external IP address for the requests from the clients to TMG as I publish websites internally.
I used a third party wildcard cert for the IP-HTTPS connect part in DA Config Step 2.
All the rest of the DA set up was pretty much out of the box as stated above. -
ConfigMgr Clients connection over direct access.
My test client machine is running Windows 8.1 and connecting to network through Direct Access. I am running SCCM 2012 R2 on Windows Server 2012.
Test Machine: NYWIN8
SCCM Server: SCCM01
Domain: demo.local
I would like to understand how configmgr handles clients connecting through direct access. What all functionality is available for such clients?
On my client machine is see following errors:
FSPSTATEMESSAGE.LOG
Failed in WinHttpSendRequest API, ErrorCode = 0x2ee7
[CCMHTTP] ERROR: URL=HTTP://SCCM01.demo.local/SMS_FSP/.sms_fsp, Port=80, Options=480, Code=12007, Text=ERROR_WINHTTP_NAME_NOT_RESOLVED
POLICYAGENT.LOG
Policy
http://SCCM01.demo.local/SMS_MP/.sms_pol?WRC10000.SHA256:BE60C5A54E508758261E6EDAE80AB21576A214309B9E1E19EE1D5A96C4508EC4 is not available.
DATATRANSFERSERVICE.LOG
DTS job {E6FAADEE-F22E-4E89-92EE-C2D9C10C3056} BITS job {9C444FAB-FD3C-4A6B-B8A4-81DA159E4E45} failed to download source file
http://SCCM01.demo.local:80/SMS_MP/.sms_pol?WRC10000.SHA256:BE60C5A54E508758261E6EDAE80AB21576A214309B9E1E19EE1D5A96C4508EC4 to destination C:\Windows\CCM\Temp\{C9AA0DDC-BD37-442D-A00E-EE7404D47C12}.tmp with error 0x80190194
DTS job {E6FAADEE-F22E-4E89-92EE-C2D9C10C3056} BITS job {9C444FAB-FD3C-4A6B-B8A4-81DA159E4E45} partially completed 0/1 with error 0x80190194 context 5
Software Catalog Update Endpoint
Failed to open portal registry key 'Software\Policies\Microsoft\CCM'. maybe haven't been created yet. Error 0x80070002
WEDMTRACE.LOG
No CCM Identification blob
CAS.LOG
The number of discovered DPs(including Branch DP and Multicast) is 0
SMSCLIUI.LOG
Failed to set DNSSuffix value to the registry.
Are there any issues due to connecting using direct access?When I try to deploy any software (7-ZIP or Notepad++) to this client I get following error:
The software change returned error code 0x87D00607(-2016410105).
I can deploy same software fine to other machines connecting on LAN.
Server Logs:
Portlctl
PORTALWEB's previous status was 0 (0 = Online, 1 = Failed, 4 = Undefined)
PORTALWEBs http check returned hr=0, bFailed=0
awbsctl
AWEBSVCs http check returned hr=0, bFailed=0
AWEBSVC's previous status was 0 (0 = Online, 1 = Failed, 4 = Undefined)
Client Logs:
CAS
The number of discovered DPs(including Branch DP and Multicast) is 0
CCMEVAL
Client's current MP is http://SCCM01.DEMO.local and is accessible
ClientLocation
Current AD forest name is Demo.local, domain name is Demo.local
Domain joined client is in Intranet
Rotating assigned management point, new management point [1] is: SCCM01.demo.local (7958) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>
Assigned MP changed from <SCCM01.demo.local> to <SCCM01.demo.local>.
ContentTransferManager
No data since 11/13/2013
CTM job {F6085C09-4C39-489E-A6F6-2C268398B7F2} successfully processed download completion.
DataTransfer
DTS job {B227AB6E-6D0F-4709-B8C6-AA8B66CBBE2D} BITS job {AE61D01C-E251-45FA-8B2C-2E22DDD91016} failed to download source file
http://SCCM01.demo.local:80/SMS_MP/.sms_pol?WRC10000.SHA256:BE60C5A54E508758261E6EDAE80AB21576A214309B9E1E19EE1D5A96C4508EC4 to destination C:\Windows\CCM\Temp\{22619283-47B1-445A-9262-C1FA54AD0F64}.tmp with error 0x80190194
DTS job {B227AB6E-6D0F-4709-B8C6-AA8B66CBBE2D} BITS job {AE61D01C-E251-45FA-8B2C-2E22DDD91016} partially completed 0/1 with error 0x80190194 context 5
Filebits
BranchCache Is Not Enabled
Failed to check PeerDistribution status. NOT able to do branch cache.
FSPSTATEMESSAGE
Failed in WinHttpSendRequest API, ErrorCode = 0x2ee7
[CCMHTTP] ERROR: URL=HTTP://SCCM01.demo.local/SMS_FSP/.sms_fsp, Port=80, Options=480, Code=12007, Text=ERROR_WINHTTP_NAME_NOT_RESOLVED
Successfully sent location services HTTP failure message.
InternetProxy
Failed to get proxy for url 'HTTP://SCCM01.demo.local/SMS_FSP/.sms_fsp'. Error 0x87d00215
InventoryAgent
Inventory: 9 Collection Task(s) failed.
SCCLIENT
Event maps to notification type = Application Enforcement Failed (Microsoft.SoftwareCenter.Client.Data.WmiConnectionManager at EventWatcher_EventArrived)
SMSCLIUI
Failed to set DNSSuffix value to the registry.
IPCONFIG /ALL from CLIENT:
Windows IP Configuration
Host Name . . . . . . . . . . . . : NYWIN8
Primary Dns Suffix . . . . . . . : demo.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : demo.local
System Quarantine State . . . . . : Not Restricted
Ethernet adapter vEthernet (Internal):
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #3
Physical Address. . . . . . . . . : 00-15-5D-01-0B-07
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::d3f:4e51:c648:7b26%26(Preferred)
Autoconfiguration IPv4 Address. . : 169.254.123.38(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 872420701
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-EA-A9-CE-E0-DB-55-D2-5E-59
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter vEthernet (External):
Connection-specific DNS Suffix . : home
Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #2
Physical Address. . . . . . . . . : 84-A6-C8-AF-03-DE
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::9cb5:5132:1f47:e7c6%24(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Thursday, January 2, 2014 1:27:53 PM
Lease Expires . . . . . . . . . . : Saturday, January 4, 2014 12:27:55 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 730113736
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-EA-A9-CE-E0-DB-55-D2-5E-59
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Wireless LAN adapter Local Area Connection* 3:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
Physical Address. . . . . . . . . : 84-A6-C8-AF-03-DF
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Ethernet adapter Bluetooth Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
Physical Address. . . . . . . . . : 84-A6-C8-AF-03-E2
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Ethernet adapter Ethernet:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : home
Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
Physical Address. . . . . . . . . : E0-DB-55-D2-5E-59
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.home:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : home
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter iphttpsinterface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : iphttpsinterface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : fd64:fc00:d17b:1000:e1a7:9cc8:c3c7:d819(Preferred)
Temporary IPv6 Address. . . . . . : fd64:fc00:d17b:1000:c598:7f17:e286:369d(Preferred)
Link-local IPv6 Address . . . . . : fe80::e1a7:9cc8:c3c7:d819%10(Preferred)
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 369098752
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-EA-A9-CE-E0-DB-55-D2-5E-59
NetBIOS over Tcpip. . . . . . . . : Disabled
Tunnel adapter isatap.{DC7D2C63-1506-49EC-A40F-AA4E56DE4001}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes -
Direct Access DNS resolution local domain network
Hey guys,
some information to my test environment...
My direct access server and my DC are based on Windows Server 2012 R2. The direct access server has one nic. Port 443 requests are forwarded through an firewall to the direct access server. The configuration for direct access is based on the built in assistens
to configure it.
On client side i am using Windows 8.1 x64.
Now the to my problem...
If I do an ping or a gpupdate when i am not connected to my local company network, the server responds and gpupdate/ping works fine. As soon as i am connected to my local company network i am not able to do a gpupdate or a ping (error in resolving dns).
But i am able to use nslookup to query names.
Anyone a suggestion where the problem could be?Hi,
It seems that this problem is caused by the issue of Network Location Server.
Does the client know that it is connected to the local network?
When the client connects to the local network, it should show "Connected to network locally or through VPN".
Here is the screenshot of my lab server,
Aslo, we can use the command below to verify this,
netsh dns show state
The Machine location should be "Inside corporate network" when the client is connected to the local network.
If the client doesn't know that it is inside the corporate network, please check if client can access the Network Location Server.
Best Regards.
Steven Lee
TechNet Community Support -
Enterprise DNS servers are not responding when using Windows NLB with Direct Access 2012
Hi
We have installed Direct Access 2012 as one server installation:
- Two network cards. First one in DMZ and second one in internal network
- Two consecutive IP addresses configured in DMZ because of Teredo
- PKI because of Win7 Clients IPSec
- Our corporate network is native IPv4 so we use DNS64/NAT64 and DA-server is configured as DNS
- DA-servers are VMWare virtual machines
One server installation works fine and now we want to use Windows NLB as load balancing. NLB installation goes fine too,
but problem is DNS. If we still try to use DA-server as DNS there comes error message below
None of the enterprise DNS servers 2002:xxxx:xxxx:3333::1 used by DirectAccess clients for name resolution are responding. This might affect DirectAccess client connectivity to corporate resources.
When trying to configure DNS using Infrastructure access setup, DNS cannot be validated when using DA-servers DIP or cluster VIP. Only domain local DNS looks to be ok but those have no IPv6 addressess. So how DNS should be configured when using multicast
NLB?
Tried to remove name suffix then adding again => Detect DNS server => DA-server IPv6 address found => validate => The specified DNS server is not responding...
Then tried to ping detected address => General failure
NLB clusters are configured as multicast and static ARPs are configured too. Both clusters can be connected from those subnets as they should be.
Any clues how to fix this?
~ Jukka ~Hi,
Your question falls into the paid support category which requires a more in-depth level of support. Please visit the below link to see the various
paid support options that are available to better meet your needs.
http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone
Regards,
Mike
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. -
Hi everybody I am trying to Login with my lync Client out of my organization. So I am using lync as a remote user. I am in another organization, and I am using their coporate lan wired and wireless, but I cannot Login to lync in my organization.
I see that I cannot Access my edge Server on port 443 to authenticate directly, I know that Client in this organization use Internet Proxy to browse the Internet. they have a .pac in their ie Settings.
my question is; can lync Client use Internet Proxy Settings to reach the Destination? I mean the Access edge on port 443?
or it can use only Client direct Access to reach the edge Servers?
I Think that the answer is that I use tcp protocol and not http, and maybe that is the reason why I cannot use the Internet Explorer Proxy Settings to reach the Access edge Servers, different maybe is the case I Need to reach the reverse Proxy for live Meetings.
Hope my question is clear.
ThanksProxy settings are used to tell Internet Explorer the network address of an intermediary server (known as a proxy server) that is used between the browser and the Internet on some networks.
Lync client doesn’t use Internet Proxy Setting. You need to access the Edge service directly.
Lisa Zheng
TechNet Community Support
Maybe you are looking for
-
Hi, i hope someone can help me. When i make flv file in Video Encoder (3 min) i see the process i the window. But when i open Flash and Browse the flv file it stop after 1 min. I have make this before but now it´s problems. Whats wrong? Bets Regards
-
How can I get my mac to pop up an alert when my iPhone is ringing?
Back when I had an old Sony brick cell phone, I used Salling Clicker to interface with my Mac. One of the coolest features of this software was that anytime someone called me, and my phone was within bluetooth range of my mac, the volume on my mac wo
-
Difference between workbench request and customizing request in transport
Hi Experts, I am new to SAP BI7 work. i am having basic doubt in Transort request creations ususally we create the requests to transport the objects from Development system to further systems. can anyone please clarify me, what is the main deffere
-
Changing Pricing Conditions in SRM
Hi, Has anyone ever used either BADI PRC_DATA_SOURCES to change pricing conditions linked to a SC in SRM 5.0? Kind Regards,
-
File Tunnelling - Is it possible?
Hi. I have an unusual requirement which requires that I tunnel a file from an application folder onto a JMS queue without any transformation - i.e. pick up a file and drop into JMS queue without any mapping. I am wondering if it is possible to "tunne