Direct Access client getting NameResolutionFailure error

Hi,

I'm trying to set up Direct Access on a Windows 2012 R2 server and I'm running into what is hopefully a pretty easy problem to resolve.

I've followed the instructions to set up a simple setup for DA on a Windows 2012 R2 server with everything all on one server, and I'm running behind a TMG 2010 server. On the TMG server I've published my DA server using a server publishing rule based on these instructions: http://danstoncloud.com/blogs/simplebydesign/archive/2013/04/04/tmg-can-be-a-good-friend-of-directaccess.aspx

The setup seems pretty straightforward, but now when I'm testing my clients I'm getting the NameResolutionFailure error when I try to connect while I'm not on our internal network.

The problem, I'm pretty sure, is DNS related, because when my test Windows 8.1 client is on our internal network everything works fine.

When I plug the machine into an external network, I get the NameResolutionFailure error for the DA client. If I try to ping any address on our domain name I get an error that the address is unresolvable. I can ping any other domain name address fine.

On my DA server, on the DNS tab of the Infrastructure Server setup I have the following entries:

    mydomain.com                   fdf3:137e:5133:ce07:1000::127
    directaccess.mydomain.com
    DirectAccess-NLS.mydomain.com

directaccess.mydomain.com is the publicly resolvable name of my DA 2012 R2 server; it is bound to the external IP address published on my TMG 2010 server. This name is not resolvable from any internal machines.

If I execute the Get-DnsClientNrptPolicy command I get this:

Namespace                        : DirectAccess-NLS.mydomain.com
QueryPolicy                      :
SecureNameQueryFallback          :
DirectAccessIPsecCARestriction   :
DirectAccessProxyName            :
DirectAccessDnsServers           :
DirectAccessEnabled              :
DirectAccessProxyType            : UseDefault
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired   : False
NameServers                      :
DnsSecIPsecCARestriction         :
DnsSecQueryIPsecEncryption       :
DnsSecQueryIPsecRequired         : False
DnsSecValidationRequired         : False
NameEncoding                     : Utf8WithoutMapping

Namespace                        : directaccess.mydomain.com
QueryPolicy                      :
SecureNameQueryFallback          :
DirectAccessIPsecCARestriction   :
DirectAccessProxyName            :
DirectAccessDnsServers           :
DirectAccessEnabled              :
DirectAccessProxyType            : UseDefault
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired   : False
NameServers                      :
DnsSecIPsecCARestriction         :
DnsSecQueryIPsecEncryption       :
DnsSecQueryIPsecRequired         : False
DnsSecValidationRequired         : False
NameEncoding                     : Utf8WithoutMapping

Namespace                        : .mydomain.com
QueryPolicy                      :
SecureNameQueryFallback          :
DirectAccessIPsecCARestriction   :
DirectAccessProxyName            :
DirectAccessDnsServers           : fdf3:137e:5133:ce07:1000::127
DirectAccessEnabled              :
DirectAccessProxyType            : NoProxy
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired   : False
NameServers                      :
DnsSecIPsecCARestriction         :
DnsSecQueryIPsecEncryption       :
DnsSecQueryIPsecRequired         : False
DnsSecValidationRequired         : False
NameEncoding                     : Utf8WithoutMapping

So I'm thinking that the issue is related to the fact that the NRPT table says that for the directaccess.mydomain.com address there is no DNS specified. In fact it seems like that entry shouldn't even be there. When I was configuring DA for the first time, I got a warning that said:

Warning: The NRPT entry for the DNS suffix .serverdomain.local contains the public name used by client computers to connect to the Remote Access server. Add the name Servername.serverdomain.local as an exemption in the NRPT.

I wasn't sure what this meant at the time, but I'm guessing it's relevant to this problem.

Can someone give me some help with this?

Thanks in advance

Nick

Edited by Nick Palmer, Tuesday, January 14, 2014 10:15 PM
January 15th, 2014 1:06am
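As an added diagnostic example (this is not code from the original post or from Microsoft), the PowerShell below applies the NRPT matching rules to a name and reports which resolution path the DirectAccess client will take: NRPT picks the most specific matching rule (an exact FQDN rule beats a suffix rule such as .mydomain.com), and a matching rule that lists no DNS servers at all is an exemption, meaning the name is handed to the interface's normal DNS servers instead of the DirectAccess DNS servers. The warning quoted in the post asks for exactly such an exemption for the public name, because a name that falls under the .mydomain.com suffix rule would otherwise be sent to the internal DNS64 address, which is not reachable until the tunnel is up. The sample rules are constructed to mirror the Get-DnsClientNrptPolicy output above; the host names and the IPv6 address are placeholders taken from the post, and the function names are my own.

```powershell
# Added example: decide how a DirectAccess client will resolve a name under its NRPT.
# Assumption: rule objects have the Namespace, DirectAccessDnsServers and NameServers
# properties exactly as Get-DnsClientNrptPolicy returns them.

function Get-NrptRuleForName {
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [object[]] $Rules
    )
    $target = $Name.TrimEnd('.').ToLowerInvariant()
    $best = $null
    foreach ($rule in $Rules) {
        $ns = ([string]$rule.Namespace).ToLowerInvariant()
        if ($ns.StartsWith('.')) {
            $hit = $target.EndsWith($ns)      # suffix rule: any name under the suffix
        } else {
            $hit = ($target -eq $ns)          # exact FQDN rule
        }
        # the longest (most specific) matching namespace wins
        if ($hit -and ($null -eq $best -or $ns.Length -gt $best.Namespace.Length)) {
            $best = $rule
        }
    }
    return $best
}

function Test-NrptResolution {
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [object[]] $Rules
    )
    $rule = Get-NrptRuleForName -Name $Name -Rules $Rules
    if ($null -eq $rule) {
        return [pscustomobject]@{ Name = $Name; Rule = '(none)'; Path = 'Interface DNS (no NRPT match)' }
    }
    # a matching rule with no DNS servers listed is an NRPT exemption
    $servers = @(@($rule.DirectAccessDnsServers) + @($rule.NameServers) | Where-Object { $_ })
    if ($servers.Count -eq 0) {
        $path = 'Interface DNS (NRPT exemption)'
    } else {
        $path = "DirectAccess DNS via $($servers -join ', ')"
    }
    return [pscustomobject]@{ Name = $Name; Rule = $rule.Namespace; Path = $path }
}

# Constructed sample mirroring the NRPT output in the post (placeholder names and address)
$sampleRules = @(
    [pscustomobject]@{ Namespace = 'DirectAccess-NLS.mydomain.com'; DirectAccessDnsServers = @(); NameServers = @() },
    [pscustomobject]@{ Namespace = 'directaccess.mydomain.com';     DirectAccessDnsServers = @(); NameServers = @() },
    [pscustomobject]@{ Namespace = '.mydomain.com';                 DirectAccessDnsServers = @('fdf3:137e:5133:ce07:1000::127'); NameServers = @() }
)

'directaccess.mydomain.com', 'fileserver.mydomain.com', 'www.example.com' |
    ForEach-Object { Test-NrptResolution -Name $_ -Rules $sampleRules } |
    Format-Table -AutoSize

# On a real client, check the live policy instead of the constructed sample:
# Test-NrptResolution -Name 'directaccess.mydomain.com' -Rules (Get-DnsClientNrptPolicy)
```

Running the live variant on the client while it is on an external network shows whether the public name is reaching the interface DNS (where it can be resolved by public DNS) or being diverted to the DirectAccess DNS servers; a name that the check routes to the internal IPv6 DNS address while the client is outside is one that cannot resolve before the tunnel comes up.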

Hi Benoit,

Thanks for the information about the other protocols. I've tested from a second client machine with those protocols still turned on and I'm able to connect to DA with no issues as far as I can tell, but since I won't be using them I will look at turning them off later.

All of my newer servers (Windows 2008 and above) have both an IPv4 and an IPv6 address. The machines I can currently ping from my test DA client are the older Windows 2003 machines that I haven't assigned an IPv6 address to yet and which only have an IPv4 address assigned.

I looked at the link you provided and here is what I have for my config on my DA server.

Description               : ISATAP Configuration
State                     : Default
Router                    : isatap
ResolutionState           : Default
ResolutionIntervalSeconds : 60

and

State               : Enabled
AcceptInterface     : {Ethernet}
SendInterface       : {Ethernet}
OnlySendAQuery      : False
LatencyMilliseconds : 300
AlwaysSynthesize    : False
ExclusionList       : {0:0:0:0:0:ffff::/96}
PrefixMapping       : {fdfd:1374:5130:7777::/96,0.0.0.0/0}

So the OnlySendAQuery property is already set to false. I also checked the DNS record for my DA server and I have both an A record and an AAAA record for the server.

From my DA server I can ping any internal machine using either ping <machine>, which gives me the IPv4 address, or ping <machine> -6 for the IPv6 address, and both of those work. From the DA machine I can also use net view \\<machine> for any machine which has an IPv6 address and it works.

So I don't know if the problem is DNS or something else, but it seems like it's definitely related to IPv6 addresses.

Thanks

Nick

January 18th, 2014 2:58pm
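The DNS64 configuration shown in this reply is what lets a DirectAccess client, which speaks only IPv6 through the tunnel, reach IPv4-only hosts such as the Windows 2003 machines: for a name that has an A record but no AAAA record, DNS64 synthesizes an AAAA answer by placing the host's 32-bit IPv4 address in the low 32 bits of the /96 prefix from PrefixMapping. As an added example (not code from the original post or from Microsoft), the PowerShell below computes the AAAA address DNS64 should synthesize for a given IPv4 address and compares it with the AAAA answers the client actually observes, which separates "the client got a synthesized address" from "the client got the host's native AAAA record". The prefix is the one shown in the PrefixMapping line above; the host names, IPv4 addresses and observed answers are constructed placeholders, and the function names are my own.

```powershell
# Added example: compute the DNS64-synthesized AAAA for an IPv4-only host and
# check whether an observed AAAA answer is that synthesized address.
# Assumption: a /96 DNS64 prefix, as in the PrefixMapping value shown in the reply.

function ConvertTo-Dns64Address {
    param(
        [Parameter(Mandatory)] [string] $Prefix,   # e.g. 'fdfd:1374:5130:7777::/96'
        [Parameter(Mandatory)] [string] $IPv4
    )
    $prefixAddr, $prefixLen = $Prefix -split '/'
    if ([int]$prefixLen -ne 96) { throw "Only /96 DNS64 prefixes are handled here" }
    $p  = [System.Net.IPAddress]::Parse($prefixAddr).GetAddressBytes()   # 16 bytes
    $v4 = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()         # 4 bytes
    $bytes = New-Object byte[] 16
    [Array]::Copy($p,  0, $bytes, 0, 12)    # first 96 bits come from the prefix
    [Array]::Copy($v4, 0, $bytes, 12, 4)    # last 32 bits carry the IPv4 address
    $addr = New-Object System.Net.IPAddress -ArgumentList (,$bytes)
    return $addr.ToString()
}

function Test-Dns64Synthesis {
    param(
        [Parameter(Mandatory)] [string]   $HostName,
        [Parameter(Mandatory)] [string]   $Prefix,
        [Parameter(Mandatory)] [string]   $ExpectedIPv4,
        [string[]] $ObservedAAAA = @()
    )
    $expected = ConvertTo-Dns64Address -Prefix $Prefix -IPv4 $ExpectedIPv4
    # compare as addresses, not strings, so compressed/expanded forms still match
    $match = $ObservedAAAA | Where-Object {
        ([System.Net.IPAddress]::Parse($_)).Equals([System.Net.IPAddress]::Parse($expected))
    }
    [pscustomobject]@{
        HostName     = $HostName
        ExpectedAAAA = $expected
        Synthesized  = [bool]$match
        Observed     = ($ObservedAAAA -join ', ')
    }
}

$prefix = 'fdfd:1374:5130:7777::/96'   # DNS64 prefix from the PrefixMapping line in the reply

# Constructed answers standing in for what Resolve-DnsName would return on a remote client:
# the first host has only an A record (DNS64 synthesizes), the second has a native AAAA.
$sample = @(
    @{ Host = 'oldserver.mydomain.com'; IPv4 = '10.0.0.25'; AAAA = @('fdfd:1374:5130:7777::a00:19') },
    @{ Host = 'newserver.mydomain.com'; IPv4 = '10.0.0.30'; AAAA = @('fd00:1234::30') }
)

$sample |
    ForEach-Object { Test-Dns64Synthesis -HostName $_.Host -Prefix $prefix -ExpectedIPv4 $_.IPv4 -ObservedAAAA $_.AAAA } |
    Format-Table -AutoSize

# On a remote DA client, replace the constructed answers with live lookups, for example:
# $aaaa = (Resolve-DnsName -Name 'oldserver.mydomain.com' -Type AAAA -ErrorAction SilentlyContinue).IPAddress
# Test-Dns64Synthesis -HostName 'oldserver.mydomain.com' -Prefix $prefix -ExpectedIPv4 '10.0.0.25' -ObservedAAAA $aaaa
```

A host that reports Synthesized = True is being reached through DNS64/NAT64; a host whose observed answer is a native address outside the prefix is being reached directly over IPv6, so the two groups of machines in the reply (IPv4-only 2003 servers versus dual-stacked newer servers) take different paths and can fail independently.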

This topic is archived. No further replies will be accepted.
