Client works on DA but not on office network.
In a strange reversal of my previous luck with DA I now have a situation where when the Windows 7 client is connected to the Internet and using DA it works but when I plug it back into the office network it doesn't.  We had IPv6 disabled before via the DisabledComponents registry key, I'm wondering if maybe when the DA client gets back onto the IPv4-only office network it's not able to get around because it's trying IPv6 and not getting anywhere.  I tried setting DisabledComponents to 0x20 so it would "prefer" IPv4 but that didn't seem to make much of a difference.  When I do a "netsh dns show state" it does say "Resolve only IPv6 addresses for names" for Query Resolution Behavior, not sure if that's what is messing things up or not.  Any ideas??
May 4th, 2015 4:01pm

Hi,

The result of your netsh query is correct.

What is not working when your client is connected inside your network?

Gerald

May 5th, 2015 3:57am

Maybe your Network Location server is unreachable from your DirectAccess client?
May 5th, 2015 6:03am

Basically it seems like DNS isn't working - like maybe it's still trying to talk to the public IP of the DA server to get its DNS.  If I ping google.com or one of our corporate machines that are on the inside of the firewall while I'm using the DA connection it returns an IPv6 address.  When I'm "on the inside" and I try to ping either google.com OR one of our local servers it sits there for a long time and eventually returns "ping request could not find host..."  However if I ping the internal server by IP it comes back just fine.
May 5th, 2015 2:55pm

When the internal TCP/IP configuration is incorrect, the laptop will not be able to contact the NLS server, will assume that it is outside the corporate network and will begin the DirectAccess connection. Also, your firewall will then use a private/public profile while inside your corporate network, and this is not good.

It seems that your network configuration while inside your local network is causing the problem because you don't have DNS resolution and the NLS server is configured using a FQDN in the DirectAccess Console.

Do you receive a correct IP configuration from your DHCP server?

I think you should look there first.

May 5th, 2015 5:03pm

It looks to me, too, that the clients might be facing some issues in reaching the NLS servers.

Please run the command below when you are inside the LAN and let us know how it goes.

"netsh name show eff"

Expected response:

DNS Effective Name Resolution Policy Table Settings

Note: DirectAccess settings would be turned off when the computer is inside the corporate network.

If you are facing these issues recently, make sure SSL Certificates at NLS are not expired.

May 6th, 2015 6:23am

I am getting the IPv4 settings from my DHCP server and they look correct.  The IPv6 address is the "link-local" fe80:: address.  I even tried adding the IPv4 address of one of the internal servers to the hosts file and it still won't ping by name.  It's like it's not even trying to use the DNS servers that are configured on the adapter.

netsh name show eff returns this:

DNS Effective Name Resolution Policy Table Settings

Settings for .
----------------------------------------------------------------------
Certification authority                 : 
DNSSEC (Validation)                     : disabled
IPsec settings                          : disabled
DirectAccess (DNS Servers)              : fd04:f33:4cf3:3333::1
DirectAccess (Proxy Settings)           : Bypass proxy


May 6th, 2015 9:04am

If your DirectAccess client cannot contact the NLS while located on the LAN, it will be using the NRPT information. According to your extract you enabled the force tunneling mode. This means that name resolution for any domain must be performed by DNS64/NAT64. Your client cannot reach the NLS, or the NLS response was different from HTTP 200.
May 6th, 2015 9:08am

I agree with BenoitS. I think you can't contact your NLS, which forces the DirectAccess client to connect with DirectAccess. But most often DirectAccess connectivity isn't accessible from the internal network.

Make sure you can probe your NLS from the internal network.

May 23rd, 2015 5:45pm
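An added example (not from any poster in this thread) of probing the NLS from a LAN-connected client the way the DirectAccess client does: resolve the NLS FQDN, connect to TCP 443, issue an HTTPS GET expecting HTTP 200 with certificate validation left on, and report the certificate expiry date. It uses only .NET classes available on Windows 7 / PowerShell 2.0; the NLS name is a placeholder to replace with the FQDN shown in the DirectAccess console.

```powershell
# Probe a DirectAccess Network Location Server from inside the LAN.
# $NlsFqdn is a placeholder (assumption); use the FQDN from the DA console.
param([string]$NlsFqdn = "nls.corp.example")
$url = "https://$NlsFqdn/"

# 1. Name resolution. If the NRPT is in effect, this query is sent to the
#    DA DNS64 address (the fd04:... entry above) instead of the DHCP DNS servers.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($NlsFqdn)
    Write-Host ("DNS   OK   {0} -> {1}" -f $NlsFqdn, ($addrs -join ", "))
} catch {
    Write-Host ("DNS   FAIL {0}: {1}" -f $NlsFqdn, $_.Exception.Message); return
}

# 2. TCP reachability on 443 (firewall or wrong VLAN shows up here).
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($NlsFqdn, 443)
    Write-Host ("TCP   OK   {0}:443" -f $NlsFqdn)
} catch {
    Write-Host ("TCP   FAIL {0}:443 {1}" -f $NlsFqdn, $_.Exception.Message); return
} finally { $tcp.Close() }

# 3. HTTPS GET. Anything other than 200 (including a rejected certificate)
#    makes the client assume it is off-LAN and apply the NRPT.
$req = [System.Net.HttpWebRequest]::Create($url)
$req.Method  = "GET"
$req.Timeout = 5000
try {
    $resp   = $req.GetResponse()
    $status = [int]$resp.StatusCode
    $resp.Close()
    if ($status -eq 200) { Write-Host ("HTTPS OK   {0} returned 200" -f $url) }
    else { Write-Host ("HTTPS WARN {0} returned {1}" -f $url, $status) }
} catch [System.Net.WebException] {
    # Status TrustFailure means the certificate was rejected (expired, wrong
    # name or untrusted CA); a Response object means the server answered.
    $why = $_.Exception.Status
    if ($_.Exception.Response) { $why = [int]$_.Exception.Response.StatusCode }
    Write-Host ("HTTPS FAIL {0}: {1} ({2})" -f $url, $_.Exception.Message, $why)
}

# 4. Certificate validity window, read back from the service point.
$cert = $req.ServicePoint.Certificate
if ($cert) {
    $c2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
    Write-Host ("CERT  {0} valid until {1}" -f $c2.Subject, $c2.NotAfter)
} else { Write-Host "CERT  none presented (TLS handshake did not complete)" }
```

A healthy LAN client should show all four lines as OK with a 200 and an unexpired certificate; any FAIL or WARN line names the layer that is making the client believe it is outside the corporate network.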
