I've been trying to get a simple DirectAccess configuration going with Windows Server 2012 R2 and am having problems with client connectivity while connected to the intranet.
The server is configured as a single-interface server behind an edge device. I followed the TechNet guidelines and did not use the simple configuration wizard, as I must maintain compatibility with IPv4 networks and Windows 7 clients. I was earlier able to remote in from an external network with my Windows 7 test client and everything worked fine, including connecting to devices on both the intranet and the internet.
The issue seems to arise when the device is connected directly to the intranet.
- It can see intranet resources, but attempting to connect to internet resources fails.
- Pinging google.com immediately (with no timeout delay) returns "no DNS record exists".
- Running nslookup on the client while connected to the intranet shows me the correct IPv4 address of the default local DNS server, which does have records for google.com.

DirectAccess configuration summary:
- DirectAccess client access and remote management is enabled
- DirectAccess security groups: EOSMITH\DirectAccess Computers - Resource Group
- Force tunneling is enabled
- Resources used to verify internal network connectivity:
  HTTP: http://directaccess-WebProbeHost.eosmith.net
  PING: eos-svr-v01.eosmith.net
  PING: eos-svr-v02.eosmith.net
- DirectAccess connection name: Workplace Connection
- DirectAccess clients can select to use local DNS servers for name resolution
- Public name or address to which clients connect: remote.eosmith.org
- Network adapter connected to the external network (via NAT device): Ethernet
- Internal network subnets: fde3:1688:f28f:1::/64
- The root certificate to which remote clients chain is: CN=eosmith-EOS-SVR-V14-CA, DC=eosmith, DC=net
- IP-HTTPS certificate: remote.eosmith.org
- Two-factor authentication is not enabled
- Windows 7 client computers can connect via DirectAccess
- Clients not supported for DirectAccess can connect over VPN
- VPN client address assignment: DHCP server
- Authenticate VPN clients using Windows authentication
- Network location server certificate: CN=eos-svr-v25.eosmith.net
- DNS suffixes used by clients to determine DNS queries to be directed to internal DNS servers:
  Name Suffix               DNS Server Address
  <Any Suffix>              fde3:1688:f28f:3333::1
  eos-svr-v25.eosmith.net
  remote.eosmith.org
- Local name resolution option: Use local name resolution if DNS servers are unavailable, or the name does not exist in DNS
- Management server subnets used for remote client management (IP Address/IPv6 Prefix/Name): eos-svr-v03.eosmith.net
The output of "netsh dnsclient show state" while connected to the intranet is as follows:
Name Resolution Policy Table Options
--------------------------------------------------------------------
Query Failure Behavior : Always fall back to LLMNR and NetBIOS
if the name does not exist in DNS or
if the DNS servers are unreachable
when on a private network
Query Resolution Behavior : Resolve both IPv4 and IPv6
addresses for names
Network Location Behavior : Never use Direct Access settings
Machine Location : Inside corporate network
Direct Access Settings : Not Configured
DNSSEC Settings : Not Configured
The output of "netsh namespace show policy" is as follows:
DNS Name Resolution Policy Table Settings
The DA server settings summary is as follows:
GPO Settings
  EOSMITH
  DirectAccess server GPO name: DirectAccess Server Settings
  Client GPO name: DirectAccess Client Settings
Remote Clients
  - DirectAccess client access and remote management is enabled
Remote Access Server
  DirectAccess Configuration
  VPN is enabled
Infrastructure Servers
Application Servers
  - End-to-end authentication to specific application servers is disabled
- Edited by Macelsters Friday, May 29, 2015 4:57 PM
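Added example, not part of the original post: a client-side PowerShell check that shows, for a given name, which effective NRPT rule the DirectAccess client applies (the <Any Suffix> force-tunnel rule, an exemption such as the NLS or public name, or none), where the query is therefore sent, and what the resolver answers. It assumes Windows 8 / Server 2012 or later, since the DnsClient and DirectAccessClientComponents cmdlets it uses do not exist on Windows 7; the two names passed at the end come from the configuration above.

```powershell
# Added diagnostic (not from the original post). For a given name it reports
# which effective NRPT rule the DirectAccess client applies, where the query
# is sent, and what the resolver returns. Assumes Windows 8 / Server 2012 or
# later: the DnsClient and DirectAccessClientComponents modules are not on
# Windows 7, so run it on a current client in the same DA security group.
function Test-DaNameResolutionPath {
    param([Parameter(Mandatory)][string]$Name)

    # Windows' own verdict from the NLS probe (ConnectedLocally = inside corpnet).
    $da = Get-DAConnectionStatus -ErrorAction SilentlyContinue
    # Effective rules are what the resolver applies right now. Inside the
    # corporate network this should be empty, because NRPT is switched off.
    $rules = @(Get-DnsClientNrptPolicy -Effective -ErrorAction SilentlyContinue)

    $fqdn = $Name.TrimEnd('.').ToLower()
    # NRPT matching: "." is <Any Suffix>, ".example.net" matches that suffix,
    # a bare FQDN matches only itself; the longest matching namespace wins.
    $match = $rules | Where-Object {
        $ns = $_.Namespace.ToLower()
        ($ns -eq '.') -or ($fqdn -eq $ns) -or
        ($ns.StartsWith('.') -and ($fqdn.EndsWith($ns) -or $fqdn -eq $ns.TrimStart('.')))
    } | Sort-Object { $_.Namespace.Length } -Descending | Select-Object -First 1

    # A matching rule with no DNS servers is an exemption: the name goes to the
    # interface DNS servers. That is how the NLS and public name bypass DA.
    $daServers = @($match.DirectAccessDnsServers | Where-Object { $_ })
    $path = if (-not $match)          { 'interface DNS (no NRPT rule)' }
            elseif ($daServers.Count) { "DA DNS server(s): $($daServers -join ', ')" }
            else                      { 'interface DNS (NRPT exemption)' }

    # Resolve and keep the resolver's error text, e.g. "DNS name does not exist".
    try {
        $answer = (Resolve-DnsName -Name $fqdn -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -in 'A', 'AAAA' }).IPAddress -join ', '
    } catch { $answer = "FAILED: $($_.Exception.Message)" }

    [pscustomobject]@{
        Name      = $fqdn
        DaStatus  = if ($da) { $da.Status } else { 'n/a' }
        NrptRule  = if ($match) { $match.Namespace } else { '<none>' }
        QueryPath = $path
        Resolved  = $answer
    }
}

# Compare an internet name with the NLS name from the configuration above.
'google.com', 'eos-svr-v25.eosmith.net' | ForEach-Object { Test-DaNameResolutionPath $_ }
```

Run it once on the intranet and once from outside: on the intranet DaStatus should be ConnectedLocally with no effective rule at all, while outside google.com should match "." and be sent to the DA DNS server listed above with only the NLS and public name exempted.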