DirectAccess IPHTTPS Clients not registering in DNS
This is driving me nuts!

I have a DirectAccess server set up on Server 2012. This is behind a NAT so is configured with a single NIC and using IPHTTPS / NAT64 / DNS64.

Inbound connections are working fine, but the clients (Win7) are not registering their IPHTTPS addresses in DNS - a problem for managing out.

Corporate DNS resolution is working on the clients - they can ping the DNS servers on their NAT64 addresses. I can ping the clients from the DA server on their IPHTTPS addresses.

I'm not really clear how the DNS registration is supposed to work in this scenario. Normally a client will register directly with its configured DNS server. If I understand correctly, with DirectAccess and DNS64 the client sends DNS requests to the DA server, which relays them to the actual DNS servers, translating the replies to a NAT64 address. But what about DNS registration: does this go direct to the DNS servers or is it relayed via the DA server?

To complicate matters I'm running ISATAP internally due to a legacy 2008 R2 DirectAccess setup. I intend to decommission this, so am not looking to get ISATAP working on the 2012 DA setup. I have therefore set OnlySendAQuery to True on the DA 2012 server to ensure its DNS lookups return IPv4 addresses, which get translated by DNS64, rather than ISATAP addresses, which would get passed through. (I know the manage-out machines will need IPv6 connectivity - but I'll worry about this later - trying to focus on the DNS registration problem for now.)

Things I have checked:

 - Dynamic Updates on the DNS zone are enabled (Nonsecure & Secure).

 - "Register this connection's addresses in DNS" is ticked in the IPv6 properties on the client.

 - ipconfig /registerdns doesn't help.

Can anyone shed any light on how the process is supposed to work and what the problem might be?

Thanks,

Tim
December 11th, 2013 4:10pm

Thanks Ophir, I've tried setting "Only Secure" in the client GPO for DNS update security level but this hasn't helped.

December 12th, 2013 11:00am

I am having this same exact issue. Did you ever find a solution? If I manually add a record for the client, I can ping, and RDP, but Remote Assistance or browsing to the machine doesn't work.
January 21st, 2014 8:46am

Check the security on the client's IPv4 DNS entry. If the DHCP server/service account has rights, but the client does not, chances are that the client cannot update its "own" record to IPv6.
January 22nd, 2014 4:55am
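An added diagnostic, not posted by anyone in this thread, that checks from the DNS server the three things discussed above: whether the zone accepts dynamic updates, which A/AAAA records the client currently has, and who holds write rights on the client's record (the point raised in the last reply). The zone name, client name and the DomainDnsZones container path are assumptions; adjust them for your domain.

```powershell
# Assumed names: replace with your own zone and DirectAccess client hostname.
$ZoneName = 'corp.example.com'
$Client   = 'client01'

Import-Module DnsServer         # Windows Server 2012 DNS cmdlets
Import-Module ActiveDirectory   # provides the AD: drive used for the ACL check

# 1. Does the zone accept dynamic updates at all? Expect 'Secure' or 'NonsecureAndSecure'.
$zone = Get-DnsServerZone -Name $ZoneName
"Zone {0}: DynamicUpdate = {1}" -f $zone.ZoneName, $zone.DynamicUpdate

# 2. Which address records exist for the client today? Compare any AAAA value against
#    the IPHTTPS prefix shown on the DA server; an ISATAP address contains ':0:5efe:'.
$recs = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $Client -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordType -in 'A', 'AAAA' }
if (-not $recs) { "No A/AAAA records found for $Client in $ZoneName" }
$recs | ForEach-Object {
    $addr = if ($_.RecordType -eq 'AAAA') { $_.RecordData.IPv6Address } else { $_.RecordData.IPv4Address }
    "{0,-4} {1}  (timestamp: {2})" -f $_.RecordType, $addr, $_.Timestamp
}

# 3. Who may write the record? A secure dynamic update of an existing dnsNode needs write
#    access on that object. Assumption: the zone is replicated to DomainDnsZones; change
#    the container if yours lives in ForestDnsZones or the domain partition.
$domainDn = (Get-ADDomain).DistinguishedName
$nodeDn   = 'DC={0},DC={1},CN=MicrosoftDNS,DC=DomainDnsZones,{2}' -f $Client, $ZoneName, $domainDn
$acl = Get-Acl -Path ("AD:\" + $nodeDn)
"Owner of {0}: {1}" -f $nodeDn, $acl.Owner
$acl.Access |
    Where-Object { $_.ActiveDirectoryRights -match 'Write|GenericAll' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
    Format-Table -AutoSize
# The computer account (CLIENT01$) should be listed with write rights. If only the DHCP
# service account or DnsUpdateProxy holds them, the client's own AAAA update is refused.
```

Run it in an elevated PowerShell session on a domain controller or DNS server with the RSAT DNS and AD modules installed.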
