Direct Access Wizard Failure

Similar Messages

• Direct access server reporting NAT64 Translation failure

  We are seeing strange issue , Direct Access server 2012 is reporting NAT64 warning.
  I am trying to isolate causing could not find any useful information.
  DA server is behind firewall having Ipv4 internal address.
  Error I see on dash board is
  NAT64 translation failures might be preventing remote clients from accessing IPv4-only servers in the corporate network.
  Any help appreciated.

  NAT64 is an internal component of DirectAccess and there really isn't anything that you configure manually for it. Seeing a message about NAT64 having trouble is more than likely being caused by some kind of external influence on that server. For example,
  many of the quirky error messages or problems that we see during DirectAccess implementations are caused by security policies being present in the domain. For example, if you plug in a new server to use as your DA server, if you do not block inheritance in
  Group Policy, as soon as you join that new server to your domain it may receive settings from existing GPOs in your network. Sometimes those GPOs conflict with the things that DirectAccess needs, and they have therefore broken DA before you even set it up.
  If you are setting this up as a new DA server, I recommend removing the Remote Access role, blocking inheritance in Group Policy so that none of your preexisting GPOs get applied to it, and starting the configuration again.

• Server 2012 Direct Access Single NIC cant get it to work

  Hi,
  I am having some real issues with setting up Direct Access with Server 2012 and a Windows 8 client, it simply won’t work at all.
  First of all I should describe my setup:
  I have an internet connection with a static IPv4 address on the external network adapter of the router
  The internal network address (the address of the router which has the internet connection) is 192.168.1.1
  Server1 (windows 2008 R2 Standard) has a static IPv4 address 192.168.1.2 and has some ports forwarded from the router (443, 25, 80) this server is a domain controller, email server, and has the DNS, DHCP and
  certificate services
  Server 2 (Windows 2008 R2 standard) has static IPv4 address 192.168.1.3 it has no ports forwarded from the router as it has no services accessed externally, it is used as a file server and print server, backup
  domain controller and backup DNS.
  Server 3 (Windows 2012) has static IPv4 address 192.168.1.4 and has the Remote Access server role installed along with all the other default features and roles it requires in the setup process.
  These servers have all got an IPv6 address which I assume the server has configured automatically, there has been no deliberate configurations made to disable IPv6
  I have no UAG or proxy server or anything else to route packets to internal servers. Just this router which has the option for port forwarding (I assume that’s NAT isn’t it?) sorry don’t know much about that
  area.
  I go through the setup wizard in remote access to configure direct access, in the external URL I have entered da.mydomain.com and created a host A record in my external domain name providers DNS which points
  the da record to my external IP address. The wizard creates all the GPO’s, scoped correctly, and applied to a Windows 8 client. The operational status shows its all working and I got green ticks. However, when I connect the client to the internal network it
  doesn’t seem to have correctly got the DA settings. I run the following in powershell
  Get-DnsClientNrptPolicy
  Nothing displays – at all
  Get-NCSIPolicyConfiguration
  Description                   
  : NCSI Configuration
  CorporateDNSProbeHostAddress  
  : fdd8:dd4a:ea42:7777::7f00:1
  CorporateDNSProbeHostName     
  : directaccess-corpConnectivityHost.mydomain.local
  CorporateSitePrefixList       
  : {fdd8:dd4a:ea42:1::/64, fdd8:dd4a:ea42:7777::/96, fdd8:dd4a:ea42:1000::1/128,
  fdd8:dd4a:ea42:1000::2/128}
  CorporateWebsiteProbeURL      
  : http://directaccess-WebProbeHost.mydomain.local
  DomainLocationDeterminationURL : https://DirectAccess-NLS.mydomain.local:62000/insideoutside
  Get-DAConnectionStatus
  Get-DAConnectionStatus : Network Connectivity Assistant service is stopped or not responding.
  At line:1 char:1
  + Get-DAConnectionStatus
  + ~~~~~~~~~~~~~~~~~~~~~~
  + CategoryInfo         
  : NotSpecified: (MSFT_DAConnectionStatus:root/StandardCi...onnectionStatus) [Get-DAConnect
     ionStatus], CimException
  + FullyQualifiedErrorId : Windows System Error 1753,Get-DAConnectionStatus
  I go into services.msc and find that the network connectivity assistant is not started, it wont start either something must trigger it but I have no idea how to get it triggered to start… this might be my only
  source of problem perhaps but on a more network level question:
  If I have such ports as 80, and 443 (which I assume DA uses in some form with a public IPv4 internet address) directed at server 1, how does the DA connection get to server 3 which has the DA role installed?
  I could create another record on the server which also opens port 443 to server as well as for server 1, but then how would the router know which server to pass the DA connection to if the same port is open for two different servers?
  Either way, this first issue is that the client doesn’t seem to have the ability to connect internally correctly yet, so maybe this connectivity service is a good place to start? My understanding is that the
  networks icon in the system tray should show that there is a corporate connection, but it doesn’t. also, the client seems to have the NLS certificate in the computer certificate store, so the cert side of things is working and the GPO side is working.
  Many thanks
  Steve

  ahh i see, so just to enlighten me even further...
  If a company has two web servers that would mean they would need two different public facing IP addresses so they can route to each internal web server. If, like the big companies have, they
  may have many web servers (possibly more than 100) I’m assuming that simply buying more public IP addresses would have a limit, especially since the IPv4 address space is pretty much exhausted. So is this where proxy systems come into play like ISA and Forefront,
  is this what they do?
  I assume if such a product was implemented you could go down to just one or two public IP addresses, point all traffic to the ISA server and that in turn would do all the routing of packets
  to each server behind the NAT/router (probably based on some sort of domain name or sub domain namespace as it’s parameter for forwarding?)
  Secondly, what I have done is installed windows server 2012 and used that as a direct access client (I read on another forum that the windows 8 RP doesn’t have the enterprise bits to make this
  work). I have got much further with the 2012 server acting as a client (installed on laptop, installed desktop experience and wireless LAN), 
  but when I run the following command on my DA client I get the following status
  Get-DAConnectionStatus
  Status:                 
  connectedlocally
  Substatus:          
  none
  This appears to work fine, when im connected to the local network. But then I disconnect and run the command again and I get the following:
  Status:                 
  Error
  Substatus:          
  NameResolutionFailure
  On my router what I did is temporarily disable port 443 going to my original server and instead opened it up pointing to my other server, so 443 traffic should be going to my DA server now, but I don’t understand why its giving the name resolution failure
  status. I have a host A record called “da” with my domain hoster, and entered the full domain namespace in the DA wizard as da.mydomain.com (the Host A record has been up there for more than a week so it’s propagated through the net)
  So, a bit further but stuck again.

• ConfigMgr Clients connection over direct access.

  My test client machine is running Windows 8.1 and connecting to network through Direct Access. I am running SCCM 2012 R2 on Windows Server 2012.
  Test Machine: NYWIN8
  SCCM Server: SCCM01
  Domain: demo.local
  I would like to understand how configmgr handles clients connecting through direct access. What all functionality is available for such clients?
  On my client machine is see following errors:
  FSPSTATEMESSAGE.LOG
  Failed in WinHttpSendRequest API, ErrorCode = 0x2ee7
  [CCMHTTP] ERROR: URL=HTTP://SCCM01.demo.local/SMS_FSP/.sms_fsp, Port=80, Options=480, Code=12007, Text=ERROR_WINHTTP_NAME_NOT_RESOLVED
  POLICYAGENT.LOG
  Policy
  http://SCCM01.demo.local/SMS_MP/.sms_pol?WRC10000.SHA256:BE60C5A54E508758261E6EDAE80AB21576A214309B9E1E19EE1D5A96C4508EC4 is not available.
  DATATRANSFERSERVICE.LOG
  DTS job {E6FAADEE-F22E-4E89-92EE-C2D9C10C3056} BITS job {9C444FAB-FD3C-4A6B-B8A4-81DA159E4E45} failed to download source file
  http://SCCM01.demo.local:80/SMS_MP/.sms_pol?WRC10000.SHA256:BE60C5A54E508758261E6EDAE80AB21576A214309B9E1E19EE1D5A96C4508EC4 to destination C:\Windows\CCM\Temp\{C9AA0DDC-BD37-442D-A00E-EE7404D47C12}.tmp with error 0x80190194
  DTS job {E6FAADEE-F22E-4E89-92EE-C2D9C10C3056} BITS job {9C444FAB-FD3C-4A6B-B8A4-81DA159E4E45} partially completed 0/1 with error 0x80190194 context 5
  Software Catalog Update Endpoint
  Failed to open portal registry key 'Software\Policies\Microsoft\CCM'. maybe haven't been created yet. Error 0x80070002
  WEDMTRACE.LOG
  No CCM Identification blob
  CAS.LOG
  The number of discovered DPs(including Branch DP and Multicast) is 0
  SMSCLIUI.LOG
  Failed to set DNSSuffix value to the registry.
  Are there any issues due to connecting using direct access?

  When I try to deploy any software (7-ZIP or Notepad++) to this client I get following error:
  The software change returned error code 0x87D00607(-2016410105).
  I can deploy same software fine to other machines connecting on LAN.
  Server Logs:
  Portlctl
  PORTALWEB's previous status was 0 (0 = Online, 1 = Failed, 4 = Undefined)
  PORTALWEBs http check returned hr=0, bFailed=0
  awbsctl
  AWEBSVCs http check returned hr=0, bFailed=0
  AWEBSVC's previous status was 0 (0 = Online, 1 = Failed, 4 = Undefined)
  Client Logs:
  CAS
  The number of discovered DPs(including Branch DP and Multicast) is 0
  CCMEVAL
  Client's current MP is http://SCCM01.DEMO.local and is accessible
  ClientLocation
  Current AD forest name is Demo.local, domain name is Demo.local
  Domain joined client is in Intranet
  Rotating assigned management point, new management point [1] is: SCCM01.demo.local (7958) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>
  Assigned MP changed from <SCCM01.demo.local> to <SCCM01.demo.local>.
  ContentTransferManager
  No data since 11/13/2013
  CTM job {F6085C09-4C39-489E-A6F6-2C268398B7F2} successfully processed download completion.
  DataTransfer
  DTS job {B227AB6E-6D0F-4709-B8C6-AA8B66CBBE2D} BITS job {AE61D01C-E251-45FA-8B2C-2E22DDD91016} failed to download source file
  http://SCCM01.demo.local:80/SMS_MP/.sms_pol?WRC10000.SHA256:BE60C5A54E508758261E6EDAE80AB21576A214309B9E1E19EE1D5A96C4508EC4 to destination C:\Windows\CCM\Temp\{22619283-47B1-445A-9262-C1FA54AD0F64}.tmp with error 0x80190194
  DTS job {B227AB6E-6D0F-4709-B8C6-AA8B66CBBE2D} BITS job {AE61D01C-E251-45FA-8B2C-2E22DDD91016} partially completed 0/1 with error 0x80190194 context 5
  Filebits
  BranchCache Is Not Enabled
  Failed to check PeerDistribution status. NOT able to do branch cache.
  FSPSTATEMESSAGE
  Failed in WinHttpSendRequest API, ErrorCode = 0x2ee7
  [CCMHTTP] ERROR: URL=HTTP://SCCM01.demo.local/SMS_FSP/.sms_fsp, Port=80, Options=480, Code=12007, Text=ERROR_WINHTTP_NAME_NOT_RESOLVED
  Successfully sent location services HTTP failure message.
  InternetProxy
  Failed to get proxy for url 'HTTP://SCCM01.demo.local/SMS_FSP/.sms_fsp'. Error 0x87d00215
  InventoryAgent
  Inventory: 9 Collection Task(s) failed.
  SCCLIENT
  Event maps to notification type = Application Enforcement Failed   (Microsoft.SoftwareCenter.Client.Data.WmiConnectionManager at EventWatcher_EventArrived)
  SMSCLIUI
  Failed to set DNSSuffix value to the registry.
  IPCONFIG /ALL from CLIENT:
  Windows IP Configuration
     Host Name . . . . . . . . . . . . : NYWIN8
     Primary Dns Suffix  . . . . . . . : demo.local
     Node Type . . . . . . . . . . . . : Hybrid
     IP Routing Enabled. . . . . . . . : No
     WINS Proxy Enabled. . . . . . . . : No
     DNS Suffix Search List. . . . . . : demo.local
     System Quarantine State . . . . . : Not Restricted
  Ethernet adapter vEthernet (Internal):
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #3
     Physical Address. . . . . . . . . : 00-15-5D-01-0B-07
     DHCP Enabled. . . . . . . . . . . : Yes
     Autoconfiguration Enabled . . . . : Yes
     Link-local IPv6 Address . . . . . : fe80::d3f:4e51:c648:7b26%26(Preferred)
     Autoconfiguration IPv4 Address. . : 169.254.123.38(Preferred)
     Subnet Mask . . . . . . . . . . . : 255.255.0.0
     Default Gateway . . . . . . . . . :
     DHCPv6 IAID . . . . . . . . . . . : 872420701
     DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-EA-A9-CE-E0-DB-55-D2-5E-59
     DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                         fec0:0:0:ffff::2%1
                                         fec0:0:0:ffff::3%1
     NetBIOS over Tcpip. . . . . . . . : Enabled
  Ethernet adapter vEthernet (External):
     Connection-specific DNS Suffix  . : home
     Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #2
     Physical Address. . . . . . . . . : 84-A6-C8-AF-03-DE
     DHCP Enabled. . . . . . . . . . . : Yes
     Autoconfiguration Enabled . . . . : Yes
     Link-local IPv6 Address . . . . . : fe80::9cb5:5132:1f47:e7c6%24(Preferred)
     IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred)
     Subnet Mask . . . . . . . . . . . : 255.255.255.0
     Lease Obtained. . . . . . . . . . : Thursday, January 2, 2014 1:27:53 PM
     Lease Expires . . . . . . . . . . : Saturday, January 4, 2014 12:27:55 PM
     Default Gateway . . . . . . . . . : 192.168.1.1
     DHCP Server . . . . . . . . . . . : 192.168.1.1
     DHCPv6 IAID . . . . . . . . . . . : 730113736
     DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-EA-A9-CE-E0-DB-55-D2-5E-59
     DNS Servers . . . . . . . . . . . : 192.168.1.1
     NetBIOS over Tcpip. . . . . . . . : Enabled
  Wireless LAN adapter Local Area Connection* 3:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
     Physical Address. . . . . . . . . : 84-A6-C8-AF-03-DF
     DHCP Enabled. . . . . . . . . . . : Yes
     Autoconfiguration Enabled . . . . : Yes
  Ethernet adapter Bluetooth Network Connection:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
     Physical Address. . . . . . . . . : 84-A6-C8-AF-03-E2
     DHCP Enabled. . . . . . . . . . . : Yes
     Autoconfiguration Enabled . . . . : Yes
  Ethernet adapter Ethernet:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . : home
     Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
     Physical Address. . . . . . . . . : E0-DB-55-D2-5E-59
     DHCP Enabled. . . . . . . . . . . : Yes
     Autoconfiguration Enabled . . . . : Yes
  Tunnel adapter isatap.home:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . : home
     Description . . . . . . . . . . . : Microsoft ISATAP Adapter
     Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
  Tunnel adapter iphttpsinterface:
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : iphttpsinterface
     Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
     IPv6 Address. . . . . . . . . . . : fd64:fc00:d17b:1000:e1a7:9cc8:c3c7:d819(Preferred)
     Temporary IPv6 Address. . . . . . : fd64:fc00:d17b:1000:c598:7f17:e286:369d(Preferred)
     Link-local IPv6 Address . . . . . : fe80::e1a7:9cc8:c3c7:d819%10(Preferred)
     Default Gateway . . . . . . . . . :
     DHCPv6 IAID . . . . . . . . . . . : 369098752
     DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-EA-A9-CE-E0-DB-55-D2-5E-59
     NetBIOS over Tcpip. . . . . . . . : Disabled
  Tunnel adapter isatap.{DC7D2C63-1506-49EC-A40F-AA4E56DE4001}:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
     Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes

• Direct Access Migration of Root CA

  We have a Domain Controller "DC01" which has the Enterprise Certificate Services role installed and the CA on this Domain Controller is named "DC01"
  The CDP location on the CA "DC01" is <servername> so effectively it's LDAP://DC01 (only LDAP is published on the certificates, no http etc.)
  The CA "DC01" issues the version1 "Computer" certificates with AutoEnrollment to all clients and all our internal clients and external clients have a "Computer" certificate from CA "DC01"
  Now we have an UAG SP3 server with Direct Access and all our clients connect successfull with Direct Access as it's setup now
  In the UAG configuration (wizard) on the IPsec Certificate Authentication screen on the option "Use a certificate from a trusted root CA" the "DC01" Root CA certificate is selected
  As Microsoft best-practises we want to move the Enterprise Certificate Services to a new member server "CS01" and effectively create a new Root CA "CS01"
  As we use the version1 "Computer" certificate template we cannot select "reenroll all certificate holders"
  so idea is to duplicate the "Computer" certificate template as a v2 template that supersedes the version1 computer template, this effectively replaces all current Computer certificates based on the old v1 computer template on clients.
  Then all clients get a new "Computer" certificate from the new Root CA but in the UAG Direct Access configuration the "IPsec Certificate Authentication" "Use a certificate from a trusted root CA" the old "DC01" Root CA
  certificate is still selected
  Question1; will this lock out clients that have a new Computer certificate from the new Root CA but the UAG Direct Access configuration still use the Root CA certificate from the old DC01 CA?
  Another idea is NOT to supersede the the version1 Computer certificate but AutoEnroll the new v2 duplicated Computer template.
  This means that clients will have a Computer certificate from the old CA "DC01" but also a Computer certificate from the new CA "CS1"
  Question2; can a client have 2 computer certificates (1 from old DC01 ca and 1 from new CS01 ca) and connect Direct Access and will this still work?

  Yes, the clients will still connect with two different certificates. I haven't had your exact situation before, but I have had to deal with a CA server that died, and we had to replace it with a new one. We stood up a new CA, issued "Computer"
  certificates again from the new CA (the old certs still existed on all the client computers) - and then switched the UAG settings over to the new root CA. This worked.
  I do recommend deleting the old certificates from the client computers if possible, so that there is no potential for conflict down the road, but the above scenario worked fine for us and I have also worked with numerous companies that have multiple machine-type
  certificates on their client computers and as long as they have one which meets the DA criteria and chains up to the CA that is active in the UAG config, it'll build tunnels.

• Office 365 Direct Access SCCM

  Hi,
  Recently we deployed a bunch of laptops using SCCM (windows 8.1) but having a partial issue with Office 365 via Software Center.
  When laptops are within domain:
  - Office 365 installs during OSD
  - Office 365 installs via Software Center
  When laptops are within domain via Direct Access:
  - Office 365 downloads but fails at installing.
  "exitcode: 17002"
  "The software change returned error code 0x426A(17002)"
  <![LOG[++++++ App enforcement completed (2 seconds) for App DT "VisioProRetail" [ScopeId_538AD476-A160-422A-81FA-BE714BFAD0B1/DeploymentType_3d6a46b6-ffca-477c-b200-cc3392085b38], Revision: 2, User SID: S-1-5-21-2507967118-3678214798-1188983363-2612] ++++++]LOG]!><time="11:33:58.291-600" date="07-10-2014" component="AppEnforce" context="" type="1" thread="6188" file="appprovider.cpp:2448">
  <![LOG[+++ Starting Install enforcement for App DT "VisioProRetail" ApplicationDeliveryType - ScopeId_538AD476-A160-422A-81FA-BE714BFAD0B1/DeploymentType_3d6a46b6-ffca-477c-b200-cc3392085b38, Revision - 2, ContentPath - C:\WINDOWS\ccmcache\d, Execution Context - System]LOG]!><time="11:34:17.546-600" date="07-10-2014" component="AppEnforce" context="" type="1" thread="6188" file="appprovider.cpp:1702">
  <![LOG[ A user is logged on to the system.]LOG]!><time="11:34:17.546-600" date="07-10-2014" component="AppEnforce" context="" type="1" thread="6188" file="appprovider.cpp:2083">
  <![LOG[ Performing detection of app deployment type VisioProRetail(ScopeId_538AD476-A160-422A-81FA-BE714BFAD0B1/DeploymentType_3d6a46b6-ffca-477c-b200-cc3392085b38, revision 2) for user.]LOG]!><time="11:34:17.550-600" date="07-10-2014" component="AppEnforce" context="" type="1" thread="6188" file="appprovider.cpp:2148">
  <![LOG[+++ Application not discovered. [AppDT Id: ScopeId_538AD476-A160-422A-81FA-BE714BFAD0B1/DeploymentType_3d6a46b6-ffca-477c-b200-cc3392085b38, Revision: 2]]LOG]!><time="11:34:17.580-600" date="07-10-2014" component="AppEnforce" context="" type="1" thread="6188" file="localapphandler.cpp:291">
  <![LOG[ App enforcement environment:
  Context: Machine
  Command line: setup.exe /configure configuration.xml
  Allow user interaction: No
  UI mode: 1
  User token: not null
  Session Id: 3
  Content path: C:\WINDOWS\ccmcache\d
  Working directory: ]LOG]!><time="11:34:17.580-600" date="07-10-2014" component="AppEnforce" context="" type="1" thread="6188" file="appcontext.cpp:85">
  <![LOG[ Prepared working directory: C:\WINDOWS\ccmcache\d]LOG]!><time="11:34:17.582-600" date="07-10-2014" component="AppEnforce" context="" type="1" thread="6188" file="appcontext.cpp:189">
  <![LOG[ Prepared command line: "C:\WINDOWS\ccmcache\d\setup.exe" /configure configuration.xml]LOG]!><time="11:34:17.584-600" date="07-10-2014" component="AppEnforce" context="" type="1" thread="6188" file="appcontext.cpp:338">
  <![LOG[ Executing Command line: "C:\WINDOWS\ccmcache\d\setup.exe" /configure configuration.xml with user context]LOG]!><time="11:34:17.585-600" date="07-10-2014" component="AppEnforce" context="" type="1" thread="6188" file="appexcnlib.cpp:201">
  <![LOG[ Working directory C:\WINDOWS\ccmcache\d]LOG]!><time="11:34:17.586-600" date="07-10-2014" component="AppEnforce" context="" type="1" thread="6188" file="appexcnlib.cpp:215">
  <![LOG[ Post install behavior is BasedOnExitCode]LOG]!><time="11:34:17.615-600" date="07-10-2014" component="AppEnforce" context="" type="1" thread="6188" file="appcommon.cpp:1094">
  <![LOG[ Waiting for process 440 to finish. Timeout = 120 minutes.]LOG]!><time="11:34:17.617-600" date="07-10-2014" component="AppEnforce" context="" type="1" thread="6188" file="appexcnlib.cpp:1958">
  <![LOG[ Process 440 terminated with exitcode: 17002]LOG]!><time="11:34:19.687-600" date="07-10-2014" component="AppEnforce" context="" type="1" thread="6188" file="appexcnlib.cpp:1967">
  <![LOG[ Looking for exit code 17002 in exit codes table...]LOG]!><time="11:34:19.689-600" date="07-10-2014" component="AppEnforce" context="" type="1" thread="6188" file="appexcnlib.cpp:505">
  <![LOG[ Unmatched exit code (17002) is considered an execution failure.]LOG]!><time="11:34:19.690-600" date="07-10-2014" component="AppEnforce" context="" type="2" thread="6188" file="appexcnlib.cpp:591">
  <![LOG[++++++ App enforcement completed (2 seconds) for App DT "VisioProRetail" [ScopeId_538AD476-A160-422A-81FA-BE714BFAD0B1/DeploymentType_3d6a46b6-ffca-477c-b200-cc3392085b38], Revision: 2, User SID: S-1-5-21-2507967118-3678214798-1188983363-2612] ++++++]LOG]!><time="11:34:19.692-600" date="07-10-2014" component="AppEnforce" context="" type="1" thread="6188" file="appprovider.cpp:2448">
  I have seen some other post where they suggest it is a permission issue but in my case there are no pop up windows and the content was cached to user directory.
  Also confirming that source folder (files and file sizes) are all matching compare to local cached folder.
  Administrator full access to file (myself logged in as administrator)
  Thank you,
  Jono
  Jonathan

  Hi,
  Found out what the issue was... not really a issue to be honest.
  As I am managing SCCM at the same thing, I have office 365, Visio and Project installation as a separated package.
  When I try to run Visio and Project while Office (Lync and Outlook) are running, it will instantly fails.
  Once I turned those software off, it works like magic.
  Regards,
  Jono
  Jonathan

• Direct Access to Database in JDeveloper 11g TP4@FusionWebApplication?

  Hi,
  i have added a Database (Application Resources --> Connection --> Database --> "myDB") to my Application. I can creat Business Components et cetera with the wizard... all works...
  Now I have a simple Java-Class and i want a access to one table in my Database... must i creat a new Connection like
  Connection c = DriverManager.getConnection("jdbc:oracle:thin:@" + host + ":" + port + ":" + sid, user, pw); (simple java-code)
  or is there a chance for direct access to "myDB"?

  If you just want the connection information raw, you could try something like:
  package test.model;
  import oracle.adf.share.ADFContext;
  import oracle.jdeveloper.db.adapter.DatabaseProvider;
  public class Class1 {
      public static void main(String[] args) throws Throwable  {
            DatabaseProvider cd = (DatabaseProvider)ADFContext.getCurrent().getADFConfig().getConnectionsContext().lookup("scott_local");           
            System.out.println("ConnURL= "+cd.getConnectionURL());
            System.out.println("Host = "+cd.getProperty(DatabaseProvider.HOSTNAME_CLASS_REFTYPE));
            System.out.println("Port = "+cd.getProperty(DatabaseProvider.PORT_CLASS_REFTYPE));
            System.out.println("SID = "+cd.getProperty(DatabaseProvider.SID_CLASS_REFTYPE));
            System.out.println("Username = "+cd.getProperty(DatabaseProvider.USERNAME_CLASS_REFTYPE));
            System.out.println("Password = "+cd.getProperty(DatabaseProvider.PASSWORD_CLASS_REFTYPE));
  }

• Direct Access Management Servers, what are the entry good for?

  In the advanced Direct Access setup wizard you have the ability to enter your management servers. I haven't been able to find an explanation of why, what is it good for? If I understand everything correct DA gives full access to the subnet so why is it of
  interest to list some servers as "management servers"?

  Hi,
  Management servers are servers that you are able to access from the da client Before logged on as a user.
  Your domain controllers are by default infrastructure servers, but in many cases you want to add for example SCCM, NAP and other servers to be accessable prior logon.
  If you are using the manage-out functionality in DirectAccess, and want to access a client prior anyone is logged on, the management server is also needed there.
  http://technet.microsoft.com/en-us/library/jj574200.aspx
  Microsoft Certified Trainer
  MCSE: Desktop, Server, Private Cloud, Messaging
  Blog: http://365lab.net

• Enterprise DNS servers are not responding when using Windows NLB with Direct Access 2012

  Hi
  We have installed Direct Access 2012 as one server installation:
  - Two network cards. First one in DMZ and second one in internal network
  - Two consecutive IP addresses configured in DMZ because of Teredo
  - PKI because of Win7 Clients IPSec
  - Our corporate network is native IPv4 so we use DNS64/NAT64 and DA-server is configured as DNS
  - DA-servers are VMWare virtual machines 
  One server installation works fine and now we want to use Windows NLB as load balancing. NLB installation goes fine too,
  but problem is DNS. If we still try to use DA-server as DNS there comes error message below
  None of the enterprise DNS servers 2002:xxxx:xxxx:3333::1 used by DirectAccess clients for name resolution are responding. This might affect DirectAccess client connectivity to corporate resources.
  When trying to configure DNS using Infrastructure access setup, DNS cannot be validated when using DA-servers DIP or cluster VIP. Only domain local DNS looks to be ok but those have no IPv6 addressess. So how DNS should be configured when using multicast
  NLB? 
  Tried to remove name suffix then adding again => Detect DNS server => DA-server IPv6 address found => validate => The specified DNS server is not responding...
  Then tried to ping detected address => General failure
  NLB clusters are configured as multicast and static ARPs are configured too. Both clusters can be connected from those subnets as they should be. 
  Any clues how to fix this?
  ~ Jukka ~

  Hi,
  Your question falls into the paid support category which requires a more in-depth level of support.  Please visit the below link to see the various
  paid support options that are available to better meet your needs.
  http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone
  Regards,
  Mike
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• Access 2010 Linked to Sharepoint online - avoid direct access to sharepoint stored data

  Hello,
  I have an access 2010 application (front end)  connected to SharePoint online team site (as back end).
  I wish to allow my users to work with the front end but to avoid direct access to the data on SharePoint Online.
  The user will open the access application and it will auto connect & work with SharePoint online.
  How can I implement this?
  Thank you for your help

  Hi,
  According to your description, my understanding is that you want to use Access 2010 to connect the SharePoint Online data.
  In Access 2010, you can connect the SharePoint list as a external datasource like the capture below. It will need to input url and user credentials to access SharePoint site in the wizard. If you want to connect automatically, you will need write some custom
  Micro code to achieve it.
  If you have some question about Micro code to connect SharePoint list automatically, I suggest you can create a new thread in Access Development, you will get more detailed information from there.
  https://social.msdn.microsoft.com/Forums/office/en-US/home?forum=accessdev
  Thanks
  Best Regards
  Jerry Guo
  TechNet Community Support

• Direct Access: DNS error on Operations Status (DNS server not responding)

  Hi!
  I am testing Direct Access on Windows 2012 R2 Standard. So far I have deployed the Remote Access role to our server "ABC-DA1". I have completed the configuration wizard for a Single NIC deployment and defined a FQDN as the "public name"
  (da.domain.com).
  After completing the wizard I go to the the Operations Status page and find the an error telling me one of the DNS servers is unavailable. The mentioned server is no longer operational as it was running on an old Win2k8R2 DC server that was demoted. 
  Is there a way to remove the reference to the old server? I have 3 new DNS servers running on the new Domain Controllers but it seems like the old DC did not completely remove itself.
  Below is a screenshot of the operations status.
  Thank you for your help :)

  Hi,
  Please go to the Name Resolution Policy and check if you can change the DNS server there.
  Computer Configuration -> Policies -> Windows Settings -> Name Resolution Policy
  Hope this helps.
  Jeremy Wu
  TechNet Community Support

• EA4500, setting 'HTTPs' admin access only, failure CCC upgrading

  Got a new EA4500 yesterday, it came with traditional browser-based firmware.
  Then I changed its Admin access to HTTPs only, disabled HTTP.
  I downloaded CCC upgrading wizard, registered CCC account.
  When I tried to upgrade to CCC firmware, it kept trying to detect and finally told 'can not detect a device to upgrade'.
  When I enabled HTTP admin access and tried to upgrade CCC again, it worked.
  Does somebody encounter similar issue?
  If HTTP enabling is a necessary condition for CCC upgrading, shall such message be prompt at least, when the tool failed to detect applicable device?

  Which group are you talking about?
  I have a group for all direct access machines, You have to specify this group during the wizard.
  The permission issue seems to be related to the script trying to modify group policy
  I have tired with the default polices the wizard creates and also specifying 2 blank policies.

• Deploy direct access

  HI,
  I'm trying to deploy a simple direct access while i'm working with wizard of DA I receive the following error message:
  please note that my domain's name: Notovich.com
  and my public DNS name is: notovich.asuscomm.com or
  notovich.dynalias.org
  Please advise if I need to purchase new domain that is similar to my local domain name. Maybe this is the reason?

  Hi,
  I think I might be able to help, because the error is actually quit simple. The NLS (Network Location Server) url cannot be the same as your DirectAccess Service url. You need two different hostnames, for example:
  directaccess.yourdomain.com
  inside.yourdomain.local (or inside.yourdomain.com)
  The hostname "directaccess.yourdomain.com" should point to your external IP Address of your DirectAccess Server, be resolvable from the internet, this is where your DirectAccess Client will connect to.
  The hostname "inside.yourdomain.local" should point to an internal Web Server. It doesn't matter to which server, it is just a simple URL, could be anything you have. But... this hostname should 'NOT' and I repeat 'NOT' be resolvable from the internet.
  Client use the NLS url to detect whether they are connected locally to your local intranet or to the internet.
  I hope this information makes more sense to you.
  Boudewijn Plomp, BPMi Infrastructure & Security | Please remember, if you see a post that helped you please click "Vote as Helpful" and if it answered your question, please click "Mark as Answer".

• Direct Access URLs in Release 2

  What is the format for direct access URLs in release 2? I recall seeing somewhere that it had changed.
  Thanks.

  I found the documentation. It is in the help file /help/sblpath.htm.

• Direct Access on Windows Server 2012 R2 and IPV6

  I have a question about IPV6 and Direct Access in Server 2012 R2. Without using UAG is it still mandatory to have IPV6 enabled in the intranet?
  Kristopher Turner | Not the brightest bulb but by far not the dimmest bulb.

  Hi,
  DirectAccess uses IPv6 with IPsec to create a secure connection between DirectAccess client computers and the internal corporate network.
  However, DirectAccess does not necessarily require connectivity to the IPv6 Internet or native IPv6 support on internal networks. Instead, it automatically configures and uses IPv6 transition technologies to tunnel IPv6 traffic across the IPv4 Internet (6to4,
  Teredo, IP-HTTPS) and across your IPv4-only intranet (NAT64 or ISATAP).
  For detailed information, please view the link below,
  Plan the DirectAccess Infrastructure
  http://technet.microsoft.com/en-us/library/jj574101.aspx
  Hope this helps.
  Steven Lee
  TechNet Community Support