Server 2012 Direct Access Single NIC can't get it to work

Hi,

I am having some real issues with setting up Direct Access with Server 2012 and a Windows 8 client; it simply won't work at all.

First of all I should describe my setup:

I have an internet connection with a static IPv4 address on the external network adapter of the router

The internal network address (the address of the router which has the internet connection) is 192.168.1.1

Server 1 (Windows 2008 R2 Standard) has a static IPv4 address 192.168.1.2 and has some ports forwarded from the router (443, 25, 80). This server is a domain controller and email server, and has the DNS, DHCP and certificate services.

Server 2 (Windows 2008 R2 Standard) has static IPv4 address 192.168.1.3. It has no ports forwarded from the router as it has no services accessed externally; it is used as a file server and print server, backup domain controller and backup DNS.

Server 3 (Windows 2012) has static IPv4 address 192.168.1.4 and has the Remote Access server role installed along with all the other default features and roles it requires in the setup process.

These servers have all got an IPv6 address which I assume the server has configured automatically; there has been no deliberate configuration made to disable IPv6.

I have no UAG or proxy server or anything else to route packets to internal servers. Just this router which has the option for port forwarding (I assume that's NAT, isn't it? Sorry, I don't know much about that area).

I go through the setup wizard in Remote Access to configure Direct Access. In the external URL I have entered da.mydomain.com and created a host A record in my external domain name provider's DNS which points the da record to my external IP address. The wizard creates all the GPOs, scoped correctly, and applied to a Windows 8 client. The operational status shows it's all working and I get green ticks. However, when I connect the client to the internal network it doesn't seem to have correctly got the DA settings. I run the following in PowerShell:

Get-DnsClientNrptPolicy

Nothing displays at all.

Get-NCSIPolicyConfiguration

Description                    : NCSI Configuration
CorporateDNSProbeHostAddress   : fdd8:dd4a:ea42:7777::7f00:1
CorporateDNSProbeHostName      : directaccess-corpConnectivityHost.mydomain.local
CorporateSitePrefixList        : {fdd8:dd4a:ea42:1::/64, fdd8:dd4a:ea42:7777::/96, fdd8:dd4a:ea42:1000::1/128,
                                 fdd8:dd4a:ea42:1000::2/128}
CorporateWebsiteProbeURL       : http://directaccess-WebProbeHost.mydomain.local
DomainLocationDeterminationURL : https://DirectAccess-NLS.mydomain.local:62000/insideoutside

Get-DAConnectionStatus

Get-DAConnectionStatus : Network Connectivity Assistant service is stopped or not responding.
At line:1 char:1
+ Get-DAConnectionStatus
+ ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (MSFT_DAConnectionStatus:root/StandardCi...onnectionStatus) [Get-DAConnect
   ionStatus], CimException
    + FullyQualifiedErrorId : Windows System Error 1753,Get-DAConnectionStatus

I go into services.msc and find that the Network Connectivity Assistant is not started, and it won't start either. Something must trigger it, but I have no idea how to get it triggered to start. This might be my only source of problem perhaps, but on a more network-level question:

If I have such ports as 80 and 443 (which I assume DA uses in some form with a public IPv4 internet address) directed at server 1, how does the DA connection get to server 3 which has the DA role installed? I could create another record on the router which also opens port 443 to server 3 as well as for server 1, but then how would the router know which server to pass the DA connection to if the same port is open for two different servers?

Either way, the first issue is that the client doesn't seem to have the ability to connect internally correctly yet, so maybe this connectivity service is a good place to start? My understanding is that the network icon in the system tray should show that there is a corporate connection, but it doesn't. Also, the client seems to have the NLS certificate in the computer certificate store, so the cert side of things is working and the GPO side is working.

Many thanks

Steve

August 2nd, 2012 4:58pm

Hi,

First of all, if you only have one public IP address then you will need to NAT 443 to the 2012 DA server. If not, then it is not going to work.

Sorry I cannot help on the client front.

August 2nd, 2012 5:53pm

OK, one step to my understanding....

On my router I can create several records under an option called "open ports"; this is separate to "port forwarding". A record is a server IP address, and within this record I can configure about 12 ports. In my server 1 record I have an entry for 443.

If I create a second record for my server 3 and also place the entry for 443 in there, do you think this would be sufficient enough to get the packet to server 3, or am I going to need some other routing solution to make this work?

Secondly, I really don't want to spend more money on software or equipment just to forward or NAT a port (sorry if my terminology is not accurate; I don't fully understand the difference between forwarding and NAT, if there is one). Would there be a way to forward or NAT port 443 onto my DA server if it goes to server 1 first, or is this where I have to have products like Forefront?

One of Server 2012's objectives with DA was to open it up to the masses of small and medium businesses. There must be many others who have a setup like mine: 1 router and only a couple of servers behind it.

Steve

August 2nd, 2012 6:53pm

Hi,

You do not need any more equipment, but you do need more public IPs if you are going to use a router in front.

Routers work on an IP level, and so when one sees traffic on port 443 you can only NAT the traffic to one internal IP address. As you already have NATing to server 1, then you cannot NAT server 3 on port 443.

DA on 2012 stops the requirements that were a blocker for some companies, e.g. 2 public IPs and a PKI. MS have done that. But it does not get away from how the internet works at an IPv4 level.

August 3rd, 2012 11:32am

Ah, I see. So just to enlighten me even further...

If a company has two web servers, that would mean they would need two different public-facing IP addresses so they can route to each internal web server. If, like the big companies have, they may have many web servers (possibly more than 100), I'm assuming that simply buying more public IP addresses would have a limit, especially since the IPv4 address space is pretty much exhausted. So is this where proxy systems come into play like ISA and Forefront? Is this what they do?

I assume if such a product was implemented you could go down to just one or two public IP addresses, point all traffic to the ISA server, and that in turn would do all the routing of packets to each server behind the NAT/router (probably based on some sort of domain name or sub-domain namespace as its parameter for forwarding?).

Secondly, what I have done is installed Windows Server 2012 and used that as a Direct Access client (I read on another forum that the Windows 8 RP doesn't have the enterprise bits to make this work). I have got much further with the 2012 server acting as a client (installed on a laptop, installed Desktop Experience and Wireless LAN), but when I run the following command on my DA client I get the following status:

Get-DAConnectionStatus

Status:                  connectedlocally
Substatus:           none

This appears to work fine when I'm connected to the local network. But then I disconnect and run the command again and I get the following:

Status:                  Error
Substatus:           NameResolutionFailure

On my router what I did is temporarily disable port 443 going to my original server and instead opened it up pointing to my other server, so 443 traffic should be going to my DA server now, but I don't understand why it's giving the name resolution failure status. I have a host A record called da with my domain hoster, and entered the full domain namespace in the DA wizard as da.mydomain.com (the host A record has been up there for more than a week, so it's propagated through the net).

So, a bit further but stuck again.

August 3rd, 2012 1:02pm

Are you using the Windows 8 Release Preview for your client? If so, that won't work. It doesn't have all the necessary bits, as Windows 8 Professional won't have DirectAccess; only Windows 8 Enterprise will. I believe there is a Windows 8 Enterprise preview, but it's not available to the general public. The recommendation I've read is to use Windows 2012 RC for a client.

Rich

August 13th, 2012 10:53pm

Yeah, I tried using the Windows 2012 RC as a client, and although I got a bit further I couldn't get it to work properly. I will just wait until Windows 8 Enterprise is made available to me and try again later. Thanks.
August 14th, 2012 12:08pm

I'm having the same problem, except I am using Win8 Ent.

I created this setup a few days ago and got the correct responses from the Get commands but could not get the client to talk to the server once it was online out of the 2012 network. Because of some other issues I rebuilt the entire setup, 2012 Essentials and Win 8 Ent client. Now I get the following:

PS C:\Windows\system32> Get-NCSIPolicyConfiguration

Description                    : NCSI Configuration
CorporateDNSProbeHostAddress   :
CorporateDNSProbeHostName      :
CorporateSitePrefixList        :
CorporateWebsiteProbeURL       :
DomainLocationDeterminationURL :


PS C:\Windows\system32> Get-DnsClientNrptPolicy
PS C:\Windows\system32>
PS C:\Windows\system32> Get-DAConnectionStatus
Get-DAConnectionStatus : Network Connectivity Assistant service is stopped or not responding.
At line:1 char:1
+ Get-DAConnectionStatus
+ ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (MSFT_DAConnectionStatus:root/StandardCi...onnectionStatus) [Get-DAConnect
   ionStatus], CimException
    + FullyQualifiedErrorId : Windows System Error 1753,Get-DAConnectionStatus

PS C:\Windows\system32>

I have searched the internet for this issue and all roads lead to the preview version of Windows and recommend using Win 8 Enterprise, which I am using.

October 22nd, 2012 2:57pm

Just to update the above message:

I ran "gpresult /r /scope:computer" to see what policies were applied and found that the DirectAccess policies were excluded due to WMI. Changing DirectAccess to apply the policy to all computers resolved this. I now get information on both tests but still fail on connection status.

October 22nd, 2012 5:17pm

This is just preliminary. I've tried it both ways, with a single public IP address and with two consecutive ones. I've had limited success with the two public addresses (e.g. Topology = Edge), but have had no success with either a single NIC address behind a NAT, or two NICs.
November 1st, 2012 4:11am

Same problem here:

PS C:\> Get-DAConnectionStatus

Status    : Error
Substatus : NameResolutionFailure

The client is connected and can access resources in the internal network. The status from the client is connecting...
January 18th, 2013 1:13pm

I have the same NameResolutionFailure only when the DirectAccess server acts as a domain controller.
January 21st, 2013 6:33pm

Did you ever find out why you were getting this message? I have the same issue but everything works fine.

Thanks

February 12th, 2013 1:39pm

Did you ever find out why you were getting this message? I have the same issue but everything works fine.

Thanks

Hi, I solved this by changing the resource on the Network Connectivity Assistant page.
February 12th, 2013 3:25pm

Thanks for getting back, yes I found the same issue.

Do you know of any step-by-step to add additional resources, i.e. a remote web server?

February 12th, 2013 3:27pm

No, but more information about NCA can be found here:

http://technet.microsoft.com/en-us/library/jj134232.aspx

February 12th, 2013 3:39pm

If you're getting the error, "forwarding is disabled on the internal network adapter," then run the following PowerShell command:

Set-NetIPInterface -InterfaceAlias 'Ethernet' -Forwarding Enabled

January 29th, 2014 7:11pm
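The checks the posts in this thread run by hand (gpresult for the WMI-filtered GPO, Get-DnsClientNrptPolicy, Get-NCSIPolicyConfiguration, the NCA service, Get-DAConnectionStatus) and the internal-adapter forwarding fix above, collected into one read-only script. This is an added example, not code from the thread or from Microsoft; it assumes the DA client GPO name contains "DirectAccess" (the wizard's default naming), that the NCA service is NcaSvc, and that the DA server's internal adapter alias is 'Ethernet' as in the post above.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the DA client
# (Test-DaClientState) and on the DA server (Test-DaServerForwarding).

function Test-DaClientState {
    # Each check maps to one symptom reported in the thread.
    $result = [ordered]@{}

    # 1. GPO: a WMI filter on the DA client GPO silently excludes non-matching machines.
    #    Assumption: the wizard-created GPO name contains "DirectAccess".
    $gp = gpresult /r /scope:computer 2>&1 | Out-String
    $result.DaGpoApplied = [bool]($gp -match 'DirectAccess')

    # 2. NRPT: empty output from Get-DnsClientNrptPolicy means the DA GPO never landed.
    $nrpt = @(Get-DnsClientNrptPolicy -ErrorAction SilentlyContinue)
    $result.NrptRules = $nrpt.Count

    # 3. NCSI: the NLS URL is what the client uses to decide inside vs. outside.
    $ncsi = Get-NCSIPolicyConfiguration -ErrorAction SilentlyContinue
    $result.NlsUrl = if ($ncsi) { $ncsi.DomainLocationDeterminationURL } else { '' }

    # 4. NCA service: Get-DAConnectionStatus fails with "service is stopped" when it is not running.
    $svc = Get-Service -Name NcaSvc -ErrorAction SilentlyContinue
    $result.NcaService = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }

    # 5. Connection status, without letting the CIM error abort the script.
    try {
        $da = Get-DAConnectionStatus -ErrorAction Stop
        $result.Status = [string]$da.Status
        $result.Substatus = [string]$da.Substatus
    } catch {
        $result.Status = 'Error'
        $result.Substatus = $_.Exception.Message
    }
    [pscustomobject]$result
}

function Test-DaServerForwarding {
    # With one NIC behind NAT, IP forwarding on the internal adapter must be enabled,
    # otherwise operational status reports "forwarding is disabled on the internal network adapter".
    param([string]$InterfaceAlias = 'Ethernet', [switch]$Fix)   # alias is an assumption
    foreach ($iface in Get-NetIPInterface -InterfaceAlias $InterfaceAlias) {
        if ($iface.Forwarding -ne 'Enabled') {
            Write-Warning "$($iface.AddressFamily) forwarding is $($iface.Forwarding) on $InterfaceAlias"
            if ($Fix) {
                Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily $iface.AddressFamily -Forwarding Enabled
            }
        }
    }
    Get-NetIPInterface -InterfaceAlias $InterfaceAlias | Select-Object AddressFamily, Forwarding
}
```

Run Test-DaServerForwarding without -Fix first to see the current state; only -Fix applies the Set-NetIPInterface change.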

If you're getting the error, "forwarding is disabled on the internal network adapter," then run the following PowerShell command:

Set-NetIPInterface -InterfaceAlias 'Ethernet' -Forwarding Enabled

This is the single most important comment on the interwebs at the moment for getting DA to work with a single network adapter and IPv4 config. Thanks Chris, I bow to your insights!
February 24th, 2014 7:41am
