DirectAccess partially working.
Rebuilt DirectAccess due to NIC failure and have some frustrating points that I can't seem to get past.
Basic scenario is three servers running Server 2008 Enterprise and Windows 7 Ultimate clients.
Server 1 is Domain Controller (DC1) with associated services on it.
Server 2 is File Server (APP1) with TS sessions for clients to connect to.
Server 3 is DirectAccess Server (DA1) with two NICs, one internal (static inside IP) and one external with two consecutive public static IPs assigned.
Setup system sometime ago using the TLG Base configuration and TLG Demonstrate DirectAccess guides.
System has been working fine since setup.
Due to a possible NIC failure on the intranet side of the DA1 server, the DA configuration went haywire.
Repairing the adapter started showing the network as being in a "Work" profile environment.
In order to get it back to the "Domain" profile, I had to disjoin the domain, reboot, join the domain again using the same name, reboot and the NIC showed the correct "Domain" profile.
Sometimes the repair of the adapter shows the iphttpstunnel in lowercase in the Device Manager with the yellow exclamation icon.
Generally I have to disable and uninstall the iphttpstunnel adapters, uninstall the problematic NIC as well, and rescan the hardware in order to get the adapter to rebuild properly.
Funny thing is that both NICs are on the same motherboard and both are from the same manufacturer (Marvell), yet only one has ever gone south on me.
The "Internet" facing NIC has never failed or needed rebuilding.
I've regenerated the certificates for the DA IP-HTTPS portion, but not the CA Root since the domain didn't crash.
After re-running the DA setup and verifying that DA monitoring has all the interfaces up (at least the arrow icon is pointing up), off to the client.
Using the DA Connectivity Assistant for verification of the service, I have collected this information for anyone who can help.
Part 1:
In-house on the LAN, clients all connect fine and the Assistant agrees - of course.
Part 2:
Client outside the LAN, on the Internet using a Verizon USB modem, DA Assistant shows connectivity to the DA server and internal resources as expected.
Seems to be using the 6TO4 adapter with the 2002: addresses and ISATAP fe80: address. Has a Teredo 2001: address as well but I'm not sure it's using it. IPHTTPS shows disconnected.
Part 3:
Same client outside the LAN, on the Internet using either a Droid phone hotspot or connected to remote office LAN (no domain servers in outlying offices), DA Assistant shows failures on connection.
Has no 6TO4 address, no ISATAP address, has Teredo 2001: address (still not sure if it's used). IPHTTPS shows disconnected.
Part 4:
DA Connectivity working probes on in-house LAN connection
DirectAccess Connectivity Assistant Logs
GREEN: Corporate connectivity is working correctly.
Probes List
PASS - PING: 2002:42ef:7032:1:0:5efe:c0a8:6503
PASS - PING: SCFD4-DC1-2K8.DO.SCFD4.ORG
PASS - PING: 2002:42ef:7032:1:0:5efe:c0a8:6505
PASS - PING: SCFD4-FS1-2K8.DO.SCFD4.ORG
PASS - FILE: \\2002:42ef:7032:1:0:5efe:c0a8:6505\files\DA_Connection_Text.txt
PASS - FILE: \\SCFD4-FS1-2K8.DO.SCFD4.ORG\files\DA_Connection_Text.txt
PASS - PING: 2002:42ef:7032:1:0:5efe:c0a8:6507
PASS - PING: SCFD4-DA1-2K8.DO.SCFD4.ORG
DTE List
PASS - PING: 2002:42ef:7032:1:0:5efe:c0a8:6507
Part 5:
DA Connectivity working probes using Verizon USB Modem
DirectAccess Connectivity Assistant Logs
GREEN: Corporate connectivity is working correctly.
Probes List
PASS - PING: 2002:42ef:7032:1:0:5efe:c0a8:6503
PASS - PING: SCFD4-DC1-2K8.DO.SCFD4.ORG
PASS - PING: 2002:42ef:7032:1:0:5efe:c0a8:6505
PASS - PING: SCFD4-FS1-2K8.DO.SCFD4.ORG
PASS - FILE: \\2002:42ef:7032:1:0:5efe:c0a8:6505\files\DA_Connection_Text.txt
PASS - FILE: \\SCFD4-FS1-2K8.DO.SCFD4.ORG\files\DA_Connection_Text.txt
PASS - PING: 2002:42ef:7032:1:0:5efe:c0a8:6507
PASS - PING: SCFD4-DA1-2K8.DO.SCFD4.ORG
DTE List
PASS - PING: 2002:42ef:7032:1:0:5efe:c0a8:6507
Part 6:
DA Connectivity working probes using either Droid hotspot or external LAN (or other connections)
DirectAccess Connectivity Assistant Logs
RED: Corporate connectivity is not working.
Your computer cannot connect to the DirectAccess server. If the problem persists, contact your administrator.
Probes List
PASS - PING: 2002:42ef:7032:1:0:5efe:c0a8:6503
FAIL - PING: SCFD4-DC1-2K8.DO.SCFD4.ORG
PASS - PING: 2002:42ef:7032:1:0:5efe:c0a8:6505
FAIL - PING: SCFD4-FS1-2K8.DO.SCFD4.ORG
FAIL - FILE: \\2002:42ef:7032:1:0:5efe:c0a8:6505\files\DA_Connection_Text.txt
FAIL - FILE: \\SCFD4-FS1-2K8.DO.SCFD4.ORG\files\DA_Connection_Text.txt
FAIL - The server name resolved successfully, but failed to access PING: 2002:42ef:7032:1:0:5efe:c0a8:6507
FAIL - PING: SCFD4-DA1-2K8.DO.SCFD4.ORG
DTE List
FAIL - PING: 2002:42ef:7032:1:0:5efe:c0a8:6507
Part 7:
All Machine Location tests determine correct placement of clients either inside or outside the network.
Windows Advanced Firewall tests show SA's populated when Verizon USB is used. SA's are missing anytime the connection shows failed.
All Teredo Show State show client on the clients and server on the DA server.
Interesting note that I can't figure out is httpstunnel show state:
netsh int httpstunnel show interfaces
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32\LogSpace\{9D9DBD90-FC71-456C-B222-E8E330F7C51C}>netsh int httpstunnel show interfaces
Interface IPHTTPSInterface (Group Policy) Parameters
------------------------------------------------------------
Role : client
URL : https://scfd4-da1-2k8.scfd4.org:443/IPHTTPS
Last Error Code : 0x2afc
Interface Status : failed to connect to the IPHTTPS server. Waiting to reconnect
This shows up on the clients when they don't connect. In-house the error code is 0x0, interface status is IPHTTPS interface deactivated.
I believe this is my clients' connection problem and why some can connect and some can't. It seems to be related to the client's connection to the Internet and whether certain types of IPv6 traffic are allowed or not.
How do I troubleshoot this IPHTTPS problem?
November 16th, 2011 8:29pm
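
Added example, not part of the original post: a small Python parser for the `netsh int httpstunnel show interfaces` output quoted above, which tolerates a value wrapped onto the following line and turns the hex `Last Error Code` into a named error plus the next check to run. The function names are hypothetical, the sample is constructed from the output in the post, and reading the code as a Winsock error number is an assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the client output quoted in the post;
# the URL value is wrapped onto its own line, as pasted output often is.
SAMPLE = """\
Interface IPHTTPSInterface (Group Policy) Parameters
------------------------------------------------------------
Role : client
URL :
https://scfd4-da1-2k8.scfd4.org:443/IPHTTPS
Last Error Code : 0x2afc
Interface Status : failed to connect to the IPHTTPS server. Waiting to reconnect
"""

# Winsock error numbers. Assumption: Last Error Code is one of these.
WINSOCK = {
    0: ("success", "none"),
    10060: ("WSAETIMEDOUT", "tcp"),
    10061: ("WSAECONNREFUSED", "tcp"),
    11001: ("WSAHOST_NOT_FOUND", "dns"),
    11004: ("WSANO_DATA", "dns"),
}
NEXT_CHECK = {
    "none": "no error recorded",
    "dns": "resolve {host} from the failing network",
    "tcp": "test TCP {port} to {host} from the failing network",
    "unknown": "look the code up; it is not in this table",
}
FIELD = re.compile(r"^(Role|URL|Last Error Code|Interface Status)\s*:\s*(.*)$")

def parse_iphttps_state(text):
    """Return the four fields of interest, joining wrapped values."""
    fields, pending = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or set(line) <= set("-*"):
            continue  # skip blank lines and separator rules
        match = FIELD.match(line)
        if match:
            key, value = match.group(1), match.group(2).strip()
            fields[key] = value
            pending = None if value else key  # empty value: expect it on the next line
        elif pending:
            fields[pending], pending = line, None
    return fields

def triage(fields):
    """Decode the hex error code and suggest what to verify next."""
    code = int(fields["Last Error Code"], 16)
    url = urlsplit(fields["URL"])
    name, kind = WINSOCK.get(code, ("unknown", "unknown"))
    check = NEXT_CHECK[kind].format(host=url.hostname, port=url.port or 443)
    return {"host": url.hostname, "code": code, "error": name, "next_check": check}
```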