DirectAccess 2012 force tunneling

Hi,
I have a Windows Server 2012 DirectAccess implementation where I want to enable force tunneling so clients using DirectAccess from the Internet will force all traffic to the DA server.
When I select “use force tunneling” in the DA Wizard and save the configuration, my DA enabled clients lose network connectivity when they are placed on my internal network.
In the DA wizard I see the help text “DirectAccess clients connected to the internal network and to the Internet via remote Access server” below the “use force tunneling” option.
Can it be true that force tunneling applies to all DA clients, regardless of whether they are placed internally or on the Internet?
If that is true it will give a lot of traffic on the DA server if force tunneling is enabled.
Thomas Forsmark Soerensen

I'm having the exact same issue:
When in the internal network there is still an entry in the NRPT: the one for "."
DNS Effective Name Resolution Policy Table Settings
Settings for .
Certification authority :
DNSSEC (Validation) : disabled
IPsec settings : disabled
DirectAccess (DNS Servers) : fd17:dc02:d12b:3333::1
DirectAccess (Proxy Settings) : Bypass proxy
My setup is the following:
One NIC behind a FW/Reverse Proxy (squid), force tunneling activated, Windows 7 clients (PKI deployed), NAP (NPS/HRA deployed and working).
I tried some tips on DNS resolution:
- enable "Allow DA clients to use local name resolution"
- use the least restrictive local name resolution option, "use local name resolution for any kind of DNS resolution error" (but I tried others)
In the configuration there is:
- "." and the DA DNS Server prefix:3333::1
- public url of my DA and no DNS server
- DirectAccess-NLS.internaldomain no DNS Server
In the output of netsh dnsclient show state this is also strange:
C:\Users\administrator>netsh dnsclient show state
Name Resolution Policy Table Options
Query Failure Behavior : Always fall back to LLMNR and NetBIOS for any kinds of errors
Query Resolution Behavior : Resolve only IPv6 addresses for names
Network Location Behavior : Let Network ID determine when Direct Access settings are to be used
Machine Location : Inside corporate network
Direct Access Settings : Configured and Enabled
DNSSEC Settings : Not Configured
It says it is inside the corporate network but Direct Access settings are "Configured and Enabled".
Do you have some ideas?
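An added diagnostic (not from this thread) that checks on a Windows 8/8.1 DirectAccess client for the symptom both posters describe: the machine reports itself inside the corporate network while the catch-all "." NRPT rule that force tunneling adds is still in effect. It assumes the DnsClient and DirectAccessClientComponents modules shipped with those clients; the Test-DaNrptForceTunnel function name is mine.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell on a
# Windows 8/8.1 DirectAccess client. Assumes the built-in DnsClient and
# DirectAccessClientComponents modules are available.

function Test-DaNrptForceTunnel {
    # Effective NRPT after Group Policy and local rules are merged.
    $rules = Get-DnsClientNrptPolicy -Effective

    # Force tunneling is expressed as a rule for the "." namespace: every name
    # not matched by a more specific rule is sent to the DA DNS64 address
    # (the ...:3333::1 address seen in the thread) through the IPsec tunnel.
    $catchAll = $rules | Where-Object { $_.Namespace -eq '.' }

    # What the client itself believes about its location. ConnectedLocally
    # means the Network Location Server was reached, so the NRPT should be off.
    try {
        $da = Get-DAConnectionStatus
    } catch {
        $da = [pscustomobject]@{ Status = 'Unknown'; Substatus = $_.Exception.Message }
    }

    $report = [pscustomobject]@{
        DaStatus          = $da.Status
        DaSubstatus       = $da.Substatus
        RuleCount         = @($rules).Count
        CatchAllPresent   = [bool]$catchAll
        CatchAllDns       = ($catchAll.DirectAccessDnsServers -join ', ')
        CatchAllProxyType = $catchAll.DirectAccessProxyType   # NoProxy, UseDefault or UseProxyName
        CatchAllProxy     = $catchAll.DirectAccessProxyName
        Warning           = $null
    }

    if ($da.Status -eq 'ConnectedLocally' -and $catchAll) {
        # The symptom from the thread: inside the corporate network, but the "."
        # rule is still active, so every DNS query is sent to a DA DNS server
        # that is only reachable through the tunnel, and connectivity breaks.
        $report.Warning = 'Inside corporate network but the NRPT catch-all "." rule is still active'
    }
    elseif ($da.Status -eq 'ConnectedRemotely' -and $catchAll -and
            $catchAll.DirectAccessProxyType -ne 'UseProxyName') {
        # Force tunneling without a proxy for "." leaves remote clients with no
        # path to the Internet, the complaint in the follow-up threads below.
        $report.Warning = 'Force tunneling active but no proxy is set for "." (clients will lose Internet access)'
    }
    return $report
}

Test-DaNrptForceTunnel | Format-List
```

If the warning fires on a client that is physically inside the corporate network, confirm the client can reach the Network Location Server over HTTPS, since that probe is what should switch the NRPT off.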

Similar Messages

  • DirectAccess force tunneling - Web proxy (TMG) needs authentication

    Hello,
I have deployed a DirectAccess 2012 server using computer certificate authentication. The clients are connecting to corporate resources over the WAN using DirectAccess. Forced tunneling is a requirement. The DirectAccess is only configured for IPHTTPS using a single NIC behind a firewall.
But there is a TMG web proxy in the corporate network that authenticates users. When these users connect over the Internet using devices that have DirectAccess enabled, they are not able to visit any sites as TMG blocks the connection. In the TMG logs, I see that the reason it is dropping these web connections is because the traffic is coming from an 'anonymous' user as per the logs.
    The proxy requires user authentication.
    Can someone please advise?
    Thanks in advance,
    SinghP80

    Yes I was able to resolve this by using the command below on the DA server:
    Set-DAClientDNSConfiguration -DNSSuffix '.' -ProxyServer ProxyFQDN:PortNumber
Hope this helps you as well. Please let me know if it does.
    Regards,
    SinghP80

  • DirectAccess (2012 R2) Force Tunnel & Non-IE Browsers

I'm setting up a DirectAccess solution with Force Tunneling enabled (don't ask why, the client demanded it). The solution is working flawlessly except for internet access for non-IE browsers. I have a proxy server entry in the NRPT for the '.' DNS suffix and IE is honoring that entry and routing all traffic over the DA tunnel to the proxy server correctly.
However, non-IE browsers like Firefox and Chrome, while they are browsing the internet off of the DA infrastructure tunnel, are ignoring the proxy entry and browsing directly. (In the environment, the DA server itself has access to the internet that is not proxy-filtered.)
It appears that the proxy server entry in the NRPT is only for IE, and not a global "client" setting. Firefox can still browse the web, but it appears that it's simply throwing the traffic at the DA server directly, which is in turn using its internet access as defined by my client's firewall rules for infrastructure servers.
Or am I missing something? It seems that the proxy server specified in the NRPT for the '.' DNS suffix should apply to all client traffic and not just IE...

For anyone that happens to run across a similar issue, here's how I solved it:
The main problem was that the '.' DNS suffix in the NRPT policy that was set to route that suffix to a specified intranet proxy server didn't seem to apply to all traffic. Non-IE browsers (such as Firefox) would send traffic over the DA tunnel according to the force tunnel configuration, but wouldn't have their internet-based traffic routed to the proxy server. Instead, they would send internet traffic to the DA server, which would access the internet directly, effectively bypassing the corporate proxy and its filtering rules.
The infrastructure design problem at the client was that the server subnet is granted direct internet access that is not proxied, so the DA server had the ability to forward 6to4 internet traffic directly.
We ended up changing the Windows Firewall on the DA server so that the default outgoing policy was set to block, and created explicit allow rules for only the internal subnets and the proxy servers, effectively killing the DA server's internet access but allowing traffic to the internal infrastructure.
This in turn killed DA clients' ability to browse the internet unfiltered. For non-IE clients or FTP applications a proxy server will now have to be set manually (or potentially through Group Policy), but it closed the loophole in the forced tunnel configuration for DA clients' web browsing.
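An added example (not the poster's script) of the fix described above, expressed with the Windows Firewall cmdlets on the DA server: default-deny outbound, then explicit allows for the internal subnets and the proxy. The subnet and proxy values are constructed placeholders; the point is that client IPv4 Internet traffic leaves the DA server through NAT64 as the server's own traffic, so the server's outbound policy governs it.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell on
# the DirectAccess server. The addresses below are placeholders to replace.
$InternalSubnets = @('10.0.0.0/8', 'fd00::/8')    # placeholder: corporate IPv4/IPv6 ranges
$ProxyServers    = @('10.1.1.10', '10.1.1.11')     # placeholder: web proxy (TMG/Squid) addresses
$ProxyPort       = 8080                            # placeholder: proxy listening port

# 1. Default-deny outbound on all profiles. Inbound IP-HTTPS/IPsec rules created
#    by the DA wizard are untouched; replies to inbound connections are stateful.
#    Client traffic to IPv4 Internet hosts is translated by NAT64 on this server,
#    so it originates here and is subject to this outbound default.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. Allow the server (and translated client traffic) to reach internal
#    infrastructure: domain controllers, DNS, NLS, CRL and application servers.
New-NetFirewallRule -DisplayName 'DA-Out-Internal' -Direction Outbound -Action Allow `
    -RemoteAddress $InternalSubnets -Profile Any

# 3. Allow only the corporate web proxy, so clients that honor the "." NRPT
#    proxy entry still browse, while direct browsing from non-IE clients dies.
New-NetFirewallRule -DisplayName 'DA-Out-Proxy' -Direction Outbound -Action Allow `
    -Protocol TCP -RemoteAddress $ProxyServers -RemotePort $ProxyPort -Profile Any

# Verification: list what is still allowed outbound after the change.
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = ($addr.RemoteAddress -join ',') }
    } | Format-Table -AutoSize
```

Check that anything the server itself must reach outside the corporate network (for example the CRL distribution point of a public IP-HTTPS certificate) is either internal or given its own explicit allow rule, otherwise certificate validation on the server can fail silently after the default-deny.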

  • Direct Access 2012 R2 - Problems with Force Tunneling and other questions

I have just set up a Direct Access 2012 R2 server in my network, 2012 domain and all Windows 8 clients.
Internal CA environment (no external CRL) using a publicly issued cert for the IPHTTPS tunnel, 2 interfaces for the DA server, 1 internal and 1 in the DMZ behind a NAT firewall (1 public IPv4 address), and my test clients are connecting fine to internal resources.
1. When I enable Force Tunneling the clients are no longer able to access the external internet. Is there anything I need to add to make this work?
2. I am having trouble with our Remote Desktop Session Hosts. I can only assume it has something to do with the DNS, as we have our AD domain performing internal DNS for the int.contoso.com domain and public DNS for the external Contoso.com domain (RDWA etc). DA has only int.contoso.com set as a DNS Name Suffix in the Infrastructure Setup. Should I add the external contoso.com Name Suffix in there too?
3. I have a Kaspersky Security Center server for centralized AV admin. Can I still push out AV updates to the clients that connect with DA? Do I add my KSC server to the Management Servers list in the Infrastructure Server Setup page on the DA setup? Does that list allow those servers to access the DA clients?

    Hi,
Let's solve problems one by one. Force tunneling. When enabled, all network traffic from DirectAccess clients goes through IPSEC tunnels. Just configure a proxy on your DirectAccess clients (with a FQDN of course) and your clients should be able to surf the internet again.
RDS: It depends. Where are your RDS servers registered, in the internal DNS zone or the external DNS zone? If a DirectAccess client cannot resolve a name it does not know if it has to go through the tunnel. Lastly, can you ping your RDS Server?
Remote Management: Right. Adding servers to this list allows them to use the IPSEC infrastructure tunnel (computer established tunnel) without users being logged on.
    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

  • DirectAccess Force Tunneling via proxy server (TMG)

    Hello
I am looking to enable Force Tunneling for DirectAccess. All web traffic would then go via the TMG proxy. This is all fine, but in the past this was once configured and stopped IMAP from working.
The question is, would forced tunneling only send http/https traffic to the proxy by design and all other traffic directly out? Other traffic does traverse the proxy when internal to the LAN but I am sure DA treats this a little differently in terms of what protocols are forwarded. Is this correct?
If this is the case then I am assuming the firewall infrastructure is stopping IMAP?
    Thanks

Hi There - it is a strong recommendation even in Microsoft deployments not to use Force Tunnelling unless you really have to. Using Force Tunnelling will always revert to IP-HTTPS, which is still technically the slowest of the transition technologies. This means DirectAccess clients use only IP-HTTPS to obtain IPv6 connectivity to the DirectAccess servers over the IPv4 Internet. IP-HTTPS has much higher overheads than IPv6, 6to4 or Teredo. Also your proxy server will handle every request and consume plenty of bandwidth, and you cannot put NRPT exemptions in force tunnelling as all traffic has to come through the tunnel. There is also the small issue of captive portals. There are more things to list but the above should be enough to start an argument on why not to do it!!
You could implement a split tunnel with enforced web proxy (seeing as you have TMG) as per the guide / recommendations by Shannon Fritz below (which works well in reality).
http://www.concurrency.com/infrastructure/web-filtering-for-directaccess-users-55/
    Kr
    John Davies

  • DirectAccess 2012 - Best way to deploy between two firewalls (NAT'd)

    We are deploying DirectAccess 2012 and have a requirement that traffic from the internet (red) must be proxied through the DMZ (yellow) before touching anything on the internal network (green). I will initially only be configuring it to use IP-HTTPS (no
    teredo). We have two firewalls, one on the perimeter (FW1), and one between the DMZ and internal networks (FW2).
    I'm trying to determine the best way of deploying this in our environment. I've come up with two possibilities:
    1. Deploy with two network cards, each connected to separate DMZs. In this scenario, NIC 1 would contain the internet facing IP in DMZ 1 (say 10.10.10.2 and NAT'd by FW1), and NIC2 would contain an internal facing IP on DMZ2 (say 10.10.11.2). NIC2 would
    be routable to the internal subnets via the internal firewall.
    Crude diagram:    Internet -> FW1 -> 10.10.10.2---DA---10.10.11.2 -> FW2 -> Internal network
2. Deploy with one network card in the DMZ. This would be NAT'd by FW1, and then pass traffic through to FW2. Since I'd be allowing all TCP/UDP traffic (as per MS) through FW2 to the primary network, this method seems unsafe to me.
    Crude diagram:   Internet -> FW1 -> 10.10.10.2---DA -> FW2 -> Internal network
    What is the best and most secure way to deploy this in the DMZ? I do not want to put an internal network IP directly on the DirectAccess server, as it needs to go through FW2 before reaching internal. The DA server should be isolated in the DMZ.
    Advice is appreciated.

    Hi,
The first solution is better. The DA server is under the protection of FW1, and the DA server already offers certain security itself, such as the requirement of a Computer Certificate, domain membership (which means domain authentication) and so on.
Here is a related thread:
DirectAccess 2012 + Security concerns
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/2e394a72-d263-449f-9ec2-02701aa8cb96/directaccess-2012-security-concerns?forum=winserver8gen
    Hope this helps.
    Steven Lee
    TechNet Community Support

  • Modern UI apps do not connect to internet when using microsoft VPN (forced tunneling) (win 8.1)

Hi, I am running Windows 8.1 on a Surface Pro 3. When I connect to VPN (Microsoft) all apps on the desktop work as expected,
but when in modern UI, apps do not detect an internet connection.
I believe this is fixed in Windows 8 using this hotfix:
https://support.microsoft.com/kb/2797356?wa=wsignin1.0
& here:
http://support.microsoft.com/kb/2876419
These hotfixes are for Windows 8 & not 8.1...
Are there hotfixes for Windows 8.1 available? (Disabling forced tunneling is not an acceptable solution, unfortunately.)
    Thanks

    Hi,
Actually this is a known issue and there is no effective method until now. You can find related threads in TechNet but none of them got a useful solution. However, I'm still researching and testing, aiming to find a workaround for this problem.
    If there is any progress in the future, I'll post the solution here.
    Thanks for your understanding.
    Roger Lu
    TechNet Community Support

  • Add DirectAccess 2012 R2 to DirectAccess 2012 Cluster

    Does anyone know if it is supported or possible to add DirectAccess 2012 R2 to an existing DirectAccess 2012 cluster?
Hoping to use this approach to upgrade to DirectAccess 2012 R2 without creating a new cluster and configuration.
    Thanks

    I've never tried it, but I don't know of any reason why it wouldn't work. Server 2012 and above handle NLB/clustering quite a bit differently than UAG did, where the nodes are really more individualized and there's not a "master/member" mentality
    anymore. So when you add the new 2012 R2, if you experience problems with it or notice that no user sessions are flowing to it, you can simply remove it from the array again, and then you'll know for sure. :)
    If I had an environment online right now where I could test this for you I would, but I would give it a try if you have the server ready to go. Just make sure that you install the Remote Access Role, and also the NLB feature, to your new server before you
    try adding it to the array. You'll also need to have IP addressing and certificates in place on this new node before you will be able to join it successfully to the array.

  • Security/Firewall recommendations for DirectAccess 2012 (Dual-NIC Edge Configuration)

    Hello all,
We have installed and configured DirectAccess 2012 with the Edge Configuration with the thought that we would be able to install TMG directly on this server (as we did with the original 2008 DirectAccess/UAG). It appears that we cannot install TMG on Server 2012 R2, so now we have a server directly connected to the outside world with public IPs assigned to it and no firewall other than Windows Firewall. I know that most organizations choose to configure DirectAccess behind an Edge device (hindsight being perfect, we should have as well); however we did not, and it appears that we can't easily change this without completely reconfiguring DirectAccess (which took several days to get right).
    So my question: What are the security/firewall recommendations for a DirectAccess server in an Edge scenario? I've Googled this and have not found much. Thanks in advance,
    Brad
    -Brad

It's always good to have a firewall in front of a domain joined machine and of course a DA Server is not an exception.
Server 2012 can work behind a firewall with NAT functionality enabled or disabled.
If you have a fully functional DA with the EDGE profile enabled, you can still configure any firewall (without NATing functionality) without changing the configuration settings in DA.
Also you can have TMG protecting your existing DA setup. Below is the link for it.
    http://www.isaserver.org/articles-tutorials/general/implementing-windows-server-2012-directaccess-behind-forefront-tmg-part1.html
    Please let me know, how it goes.

  • DirectAccess 2012 - Writeable DC Required?

    Hi Everyone,
    I am looking to deploy DirectAccess 2012 Server into our DMZ environment and currently working through a Lab install.
    In our Lab we are seeing the prerequisite checks fail when we use a ReadOnly domain controller but when we switch it for a Writeable DC it proceeds without issue, is this expected behaviour?
    Thanks in advance.

    Yes, I believe that experience is by design.
    "The server GPO is managed by one of the domain controllers in the Active Directory site associated with the server, or if domain controllers in that site are read-only, by a write-enabled domain controller closest to the Remote Access server."
    Source:
    http://technet.microsoft.com/en-us/library/jj134148.aspx#bkmk_1_6_AD
    Jason Jones |
    Microsoft MVP | Silversands Ltd | My Blogs:
    http://blog.msedge.org.uk and
    http://blog.msfirewall.org.uk

  • DirectAccess 2012 behind two NATs

    Hi Guys
I am trying to set up a DirectAccess 2012 server with a single NIC on a VM as below.
Basically, if I get a public IP NAT'd with port 443 via the main firewall to a private IP (10.20.1.1 /16), and then if I get this private IP again NAT'd via another firewall with port 443 to the DirectAccess server IP (192.168.2.2/18), will this setup work? I will have to do this due to the current network topology at our business.
    thank you in advance.

    Hi,
It is supported. In Windows Server 2012, the DirectAccess server can be deployed behind a NAT device with support for only one single network interface, and the public IPv4 address prerequisite is removed.
    For detailed information, please refer to the link below,
    Windows Server 2012 Direct Access – Part 1 What’s New
    http://blogs.technet.com/b/meamcs/archive/2012/05/03/windows-server-2012-direct-access-part-1-what-s-new.aspx
    Best Regards.
    Steven Lee
    TechNet Community Support

  • Updates and Hotfixes for DirectAccess 2012 R2 and Windows 8.1

Some of you who use DirectAccess are probably familiar with the following link:
Recommended hotfixes and updates for Windows Server 2012 DirectAccess
As far as I know and according to TechNet, DirectAccess hasn't changed a bit from 2012 to 2012 R2 servers.
I use DirectAccess on Windows Server 2012 R2 and I'm surprised to see that not a single update from that list is applicable to Server 2012 R2.
If it's true, shouldn't there be documentation that talks about the differences of the DirectAccess Client\Server from 2012\8 to 2012 R2 \ 8.1?
I'm asking because I want to make sure those updates are already included or not needed for 2012 R2\8.1 and not "forgotten" or something.
    Tamir Levy

I was afraid you'd say that.
I hate to be the annoying guy but take a look at this KB article:
http://support.microsoft.com/kb/2787534
Applies to: Windows 8\2012,
Doesn't apply to: Windows 8.1\2012 R2
and, for a fact, it isn't included in Windows 8.1\2012 R2 as this bug still exists in those operating systems.
Another annoying fact: no other update was released for these versions yet.
This example proves that not every hotfix \ update that was released for 8\2012 before 8.1\2012 R2 is already included in 8.1\2012 R2.
And allow me to add another fact.
When you configure DirectAccess via the Remote Access wizard it creates a WMI query called
DirectAccess - Laptop Only WMI Filter.
After you create it in Windows Server 2012 R2, look at the WMI query and you'll see that by default it doesn't apply to version 6.3, the version for Windows 8.1.
If you want to add support for Windows 8.1 you have to modify the query manually, which is of course not supported by Microsoft.
That is just another symptom that makes me wonder if Microsoft did ANY change or update to DirectAccess 2012 R2.
    Tamir Levy

  • DirectAccess 2012 not able to connect

    I've got a Direct Access 2012 instance running and clients are unable to connect. I'm really not sure why. I've got all green check marks in the Operations Status page.
    I've uploaded the DCA results
    https://onedrive.live.com/redir?resid=270A675D98E09864!109&authkey=!ACNgL-_6rvNy5Co&ithint=file%2ccab
    https://onedrive.live.com/redir?resid=270A675D98E09864!110&authkey=!AFUtqtOirbg3UxI&ithint=file%2ctxt

    John,
    Thanks for your reply.  Where do you see one IP configured?  I have two configured on the external facing NIC.
    I followed the link you suggested and got this output:
    Microsoft Windows [Version 6.3.9600]
    (c) 2013 Microsoft Corporation. All rights reserved.
    C:\Users\richard>netsh dns show state
    Name Resolution Policy Table Options
    Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                            if the name does not exist in DNS or
                                            if the DNS servers are unreachable
                                            when on a private network
    Query Resolution Behavior             : Resolve only IPv6 addresses for names
    Network Location Behavior             : Let Network ID determine when Direct
                                            Access settings are to be used
    Machine Location                      : Outside corporate network
    Direct Access Settings                : Configured and Enabled
    DNSSEC Settings                       : Not Configured
    C:\Users\richard>netsh namespace show effectivepolicy
    DNS Effective Name Resolution Policy Table Settings
    Settings for SDSIDA01.richardenterprises.net
    DirectAccess (Certification Authority)  :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (Proxy Settings)           : Use default browser settings
    Settings for .monitor.richardenterprisessystems.com
    DirectAccess (Certification Authority)  :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (DNS Servers)              : 2002:46a8:346c:3333::1
    DirectAccess (Proxy Settings)           : Bypass proxy
    Settings for .richardenterprisessystems.com
    DirectAccess (Certification Authority)  :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (DNS Servers)              : 2002:46a8:346c:3333::1
    DirectAccess (Proxy Settings)           : Bypass proxy
    Settings for .richardenterprises.net
    DirectAccess (Certification Authority)  :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (DNS Servers)              : 2002:46a8:346c:3333::1
    DirectAccess (Proxy Settings)           : Bypass proxy
    Settings for .qa.richardenterprisessystems.com
    DirectAccess (Certification Authority)  :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (DNS Servers)              : 2002:46a8:346c:3333::1
    DirectAccess (Proxy Settings)           : Bypass proxy
    Settings for .staging.richardenterprisessystems.com
    DirectAccess (Certification Authority)  :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (DNS Servers)              : 2002:46a8:346c:3333::1
    DirectAccess (Proxy Settings)           : Bypass proxy
    Settings for .dev.richardenterprisessystems.com
    DirectAccess (Certification Authority)  :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (DNS Servers)              : 2002:46a8:346c:3333::1
    DirectAccess (Proxy Settings)           : Bypass proxy
    C:\Users\richard>ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : richard-x240
       Primary Dns Suffix  . . . . . . . : richardenterprises.net
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : richardenterprises.net
                                           richardenterprisessystems.com
                                           monitor.richardenterprisessystems.com
                                           qa.richardenterprisessystems.com
                                           staging.richardenterprisessystems.com
                                           dev.richardenterprisessystems.com
    Wireless LAN adapter Local Area Connection* 13:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Hosted Network Virtual Adapter
       Physical Address. . . . . . . . . : EA-2A-EA-0C-E2-8E
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Wireless LAN adapter Local Area Connection* 12:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
       Physical Address. . . . . . . . . : E8-2A-EA-0C-E2-8F
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Ethernet adapter Bluetooth Network Connection:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
       Physical Address. . . . . . . . . : E8-2A-EA-0C-E2-92
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Wireless LAN adapter Wi-Fi:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 7260
       Physical Address. . . . . . . . . : E8-2A-EA-0C-E2-8E
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2600:1012:b127:be8e:fd9d:3679:f76d:187c(Preferred)
       Temporary IPv6 Address. . . . . . : 2600:1012:b127:be8e:7c0d:e512:7d90:c46d(Preferred)
       Link-local IPv6 Address . . . . . : fe80::fd9d:3679:f76d:187c%4(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.2(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Wednesday, July 30, 2014 9:19:11 AM
       Lease Expires . . . . . . . . . . : Thursday, July 31, 2014 9:19:11 AM
       Default Gateway . . . . . . . . . : fe80::215:ffff:fe8f:9ec2%4
                                           192.168.1.1
       DHCP Server . . . . . . . . . . . : 192.168.1.1
       DHCPv6 IAID . . . . . . . . . . . : 384314090
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-3B-27-B3-28-D2-44-8C-13-06
       DNS Servers . . . . . . . . . . . : 192.168.1.1
       Primary WINS Server . . . . . . . : 192.168.1.1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Ethernet adapter Ethernet:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : richardenterprises.net
       Description . . . . . . . . . . . : Intel(R) Ethernet Connection I218-LM
       Physical Address. . . . . . . . . : 28-D2-44-8C-13-06
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter isatap.{0A3ACF23-D6FD-47F6-91B8-E5E43DF81BAA}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2001:0:d10c:afc3:3401:ede1:b92e:2f98(Preferred)
       Link-local IPv6 Address . . . . . : fe80::3401:ede1:b92e:2f98%21(Preferred)
       Default Gateway . . . . . . . . . :
       DHCPv6 IAID . . . . . . . . . . . : 553648128
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-3B-27-B3-28-D2-44-8C-13-06
       NetBIOS over Tcpip. . . . . . . . : Disabled
    Tunnel adapter iphttpsinterface:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : iphttpsinterface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2002:46a8:346c:1000:bc7f:1f46:b190:e852(Preferred)
       Temporary IPv6 Address. . . . . . : 2002:46a8:346c:1000:4e3:9a37:3998:f4ac(Preferred)
       Link-local IPv6 Address . . . . . : fe80::bc7f:1f46:b190:e852%22(Preferred)
       Default Gateway . . . . . . . . . :
       DHCPv6 IAID . . . . . . . . . . . : 369098752
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-3B-27-B3-28-D2-44-8C-13-06
       NetBIOS over Tcpip. . . . . . . . : Disabled
    C:\Users\richard>nltest /dsgetdc:
    Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
    C:\Users\richard>
    Thanks

  • NAP on 2008 R2 with DirectAccess 2012 RC

I'm running IPsec NAP on two identically configured Windows 2008 R2 servers that are also standalone CAs for NAP.
I'm in the testing phases of a Windows 2012 RC DirectAccess server that is behind a NAT. Certificates from our domain CA (not the standalone ones for NAP) are used so Win7 clients can also connect. When the computer establishes a DirectAccess connection it's unable to connect to any resources that are part of NAP (only non-NAP resources, exceptions are available). napstat reveals that the client is healthy (it also has the health certificate).
Here's how the Connection Security Rules look on a client:
The first four were automatically generated by the DirectAccess server, the other four are for NAP purposes (before a DA test server was introduced).
It appears these settings don't coexist all that well. If I go to my DA server and click "Enforce corporate compliance for DirectAccess with NAP" I have even less connectivity (unable to reach the DA server from clients in DA...).
What am I doing wrong? Are additional logs or information needed to better assist me?

    Hi,
    Thanks for your post.
    You may check the following article to troubleshoot this issue. Hope it helps.
    The Cable Guy: DirectAccess with Network Access Protection (NAP)
    http://technet.microsoft.com/en-us/magazine/ff758668.aspx
    DirectAccess with NAP Troubleshooting Guidance
    http://technet.microsoft.com/en-US/library/ff621421(v=ws.10).aspx
    DirectAccess with NAP Architecture Overview
    http://technet.microsoft.com/en-us/library/ff528481(v=ws.10).aspx
    Best Regards,
    Aiden
    Aiden Cao
    TechNet Community Support

  • DirectAccess 2012 has wrong DNS servers listed

    Hello,
I'm setting up DirectAccess on Server 2012 and having issues with the wrong DNS servers continually being added to the configuration. My setup is as follows: 2 Server 2008 R2 DCs running DNS, both have static IPv4 and IPv6 addresses. The DirectAccess server has a single NIC behind a NAT device and also has static IPv4 and IPv6 addresses. My problem is that I keep getting a "DNS: Not working properly" error on the dashboard. It says:
Error:
Enterprise DNS servers (fd7e:ed10:5cb6:7777::ac10:a22, fd7e:ed10:5cb6:7777::ac10:a21) used by DirectAccess clients for name resolution are not responding. This might affect DirectAccess client connectivity to corporate resources.
The thing is these are not, nor ever have been, the IP addresses of my DC/DNS servers. I've removed them by using the configuration editor but with each restart of the server they reappear. I examined the DirectAccess Server Settings GPO and they are listed in the Extra Registry Settings section, but I am unable to edit that portion. I've read other threads on this forum that state I need to add the IPv6 address of the DA server as the DNS server, but I still get DNS errors when I do that, and after a restart the same two DNS servers show up again.
Anyone have any ideas? Your assistance is greatly appreciated.

    Hi,
Thanks for your reply and sorry for replying so late.
    Did you point the DNS server address to the IP address of the internal NIC? Maybe you can refer to the similar thread below:
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/df08fa06-d3fc-4ca9-b4a2-85824a10819a/direct-access-server-dns-error?forum=winserver8setup
    Best regards,
    Susie
