Good afternoon,
I've recently been attempting to configure DirectAccess for my domain. I have gotten to the point where I thought I had everything configured properly but I am receiving errors on the DA server as well as on my test clients. I am attempting to resolve issues on the DA server first before worrying about the clients.
Right now I have three issues in my Ops Status page in the Remote Access Mgmt Console: IP-HTTPS listener is inactive; IPsec says no valid cert which chains to the root/intermediate certificate configured; and DNS says enterprise DNS servers are not responding.
My DA server has 2 NICs: one in my domain LAN, one in my DMZ. There is a Cisco ASA (firewall) between the DMZ NIC and the public internet.
On the DNS issue - I am seeing evidence (in ASA logs) that the DA server is trying to resolve local domain DNS queries through the DMZ NIC and it's failing to do so. Also, the DNS item in Ops Status jumps between OK, Warning and Critical periodically, which supports my theory that sometimes it's trying to communicate over the DMZ NIC.
For the IP-HTTPS listener inactive part - I'm confused here because "netsh interface httpstunnel show interface" shows IPHTTPS interface is active:
PS C:\Windows\system32> netsh interface httpstunnel show interface

Interface IPHTTPSInterface Parameters
------------------------------------------------------------
Role                       : server
URL                        : https://access.mydomain.com:443/IPHTTPS
Client authentication mode : none
Last Error Code            : 0x0
Interface Status           : IPHTTPS interface active
From searching the web, it seems that the IPsec error is all about certificates, which makes sense... Firstly, I issued a cert from my domain CA for access.mydomain.com and selected it on the "Network Adapters" page of 'Step 2' in the DA setup/config page. On the 'Authentication' page of the same 'Step 2' wizard, I selected the root CA cert for my domain, as we have no intermediate CA present. We already had an existing machine cert autoenrollment policy for the entire domain present and working.
Here's the output of certutil -store my:
PS C:\Windows\system32> certutil -store my
my "Personal"
================ Certificate 0 ================
Serial Number: (removed)
Issuer: CN=dc1, DC=mydomain, DC=com
 NotBefore: 4/14/2015 9:01 AM
 NotAfter: 4/13/2017 9:01 AM
Subject: CN=access.mydomain.com, O=---, S=VA, C=US
Non-root Certificate
Template: WebServer2008, Web Server 2008
Cert Hash(sha1): (hash removed)
  Key Container = (removed)
  Unique container name: (removed)
  Provider = Microsoft Software Key Storage Provider
Encryption test passed
================ Certificate 1 ================
Serial Number: (removed)
Issuer: CN=DirectAccess-RADIUS-Encrypt-DAHost.mydomain.com
 NotBefore: 4/14/2015 10:52 AM
 NotAfter: 4/14/2020 7:02 AM
Subject: CN=DirectAccess-RADIUS-Encrypt-DAHost.mydomain.com
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): (removed)
  Key Container = (removed)
  Simple container name: (removed)
  Provider = Microsoft Strong Cryptographic Provider
Private key is NOT exportable
Encryption test passed
================ Certificate 2 ================
Serial Number: (removed)
Issuer: CN=dc1, DC=mydomain, DC=com
 NotBefore: 4/9/2015 2:42 PM
 NotAfter: 4/8/2016 2:42 PM
Subject: CN=DAHost.mydomain.com
Certificate Template Name (Certificate Type): Machine
Non-root Certificate
Template: Machine, Computer
Cert Hash(sha1): (removed)
  Key Container = (removed)
  Simple container name: (removed)
  Provider = Microsoft RSA SChannel Cryptographic Provider
Private key is NOT exportable
Encryption test passed
CertUtil: -store command completed successfully.
PS C:\Windows\system32>
Output of get-daserver:
PS C:\Windows\system32> get-daserver

DAInstallType               : FullInstall
InternetInterface           : DMZ
InternalInterface           : LAN
ConnectToAddress            : access.mydomain.com
SslCertificate              : [Subject]
                                CN=access.mydomain.com, O=OCC, S=VA, C=US
                              [Issuer]
                                CN=dc1, DC=mydomain, DC=com
                              [Serial Number]
                                (removed)
                              [Not Before]
                                4/14/2015 9:01:37 AM
                              [Not After]
                                4/13/2017 9:01:37 AM
                              [Thumbprint]
                                (removed)
GpoName                     : mydomain.com\DirectAccess Server Settings
InternalIPv6Prefix          : {fdeb:f1d5:df35:1::/64}
ClientIPv6Prefix            : fdeb:f1d5:df35:1000::/64
UserAuthentication          : UserPasswd
ComputerCertAuthentication  : Enabled
IPsecRootCertificate        : [Subject]
                                CN=dc1, DC=mydomain, DC=com
                              [Issuer]
                                CN=dc1, DC=mydomain, DC=com
                              [Serial Number]
                                (removed)
                              [Not Before]
                                9/20/2013 3:39:12 PM
                              [Not After]
                                9/21/2018 3:48:55 PM
                              [Thumbprint]
                                (removed)
IntermediateRootCertificate : False
TeredoState                 : Disabled
IsSingleNic                 : False
IsNatDeployed               : True
HealthCheck                 : Disabled
For what it's worth, I have no idea if any of these issues are actually preventing my test client from connecting, but it makes the most sense to me to try to start fixing the issues on the DA server before the client.
If there is any additional information I can provide from somewhere, to help figure out what I need to do to fix this, I will gladly do so. I have yet to find any relevant event log entries on the host, nor have I located any actual log files yet.
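The three Ops Status items above can be checked from an elevated PowerShell session on the DA server. This is an added diagnostic script, not code from the original post; it assumes the interface aliases LAN and DMZ that Get-DAServer reports and that IP-HTTPS is bound to 0.0.0.0:443 (adjust the ipport value if netsh shows a different binding).

```powershell
# Added diagnostic for the three Ops Status items; run elevated on the DA server.
Import-Module RemoteAccess
$da = Get-DAServer   # assumption: InternalInterface=LAN, InternetInterface=DMZ as in the post

# 1. DNS: only the internal NIC should carry domain DNS servers. A DNS server
#    configured on the DMZ NIC explains internal lookups leaving via the firewall.
foreach ($alias in @($da.InternalInterface, $da.InternetInterface)) {
    $dns    = (Get-DnsClientServerAddress -InterfaceAlias $alias -AddressFamily IPv4).ServerAddresses
    $metric = (Get-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4).InterfaceMetric
    "{0,-6} metric={1,-4} dns={2}" -f $alias, $metric, ($dns -join ',')
    if ($alias -eq $da.InternetInterface -and $dns) {
        Write-Warning "DNS servers are set on the external NIC '$alias'; only the internal NIC should list domain DNS servers"
    }
}
# Remediation once confirmed (left commented on purpose): clear DNS on the DMZ NIC
# and give the LAN NIC the lower (preferred) interface metric.
# Set-DnsClientServerAddress -InterfaceAlias $da.InternetInterface -ResetServerAddresses
# Set-NetIPInterface -InterfaceAlias $da.InternalInterface -AddressFamily IPv4 -InterfaceMetric 10

# 2. IPsec: a machine cert with a private key must chain to the root chosen in Step 2.
$root = $da.IPsecRootCertificate
$found = $false
foreach ($c in (Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey })) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $valid = $chain.Build($c)                      # full chain + revocation check
    $chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $toRoot = ($chainRoot.Thumbprint -eq $root.Thumbprint)
    "{0,-55} valid={1,-5} chainsToConfiguredRoot={2}" -f $c.Subject, $valid, $toRoot
    if ($valid -and $toRoot) { $found = $true }
}
if (-not $found) {
    Write-Warning "No machine certificate in LocalMachine\My chains to the configured IPsec root ($($root.Subject))"
}

# 3. IP-HTTPS: the certificate bound to 443 must be the SslCertificate Get-DAServer reports.
$binding = netsh http show sslcert ipport=0.0.0.0:443
if (-not ($binding -match $da.SslCertificate.Thumbprint)) {
    Write-Warning "The 0.0.0.0:443 SSL binding does not use the DirectAccess SslCertificate thumbprint"
}
```

If section 2 reports valid=False, run certutil -verify on that certificate to see which chain element (expired, revoked, or missing root in LocalMachine\Root) is failing.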