Forinsight asked:
Direct Access Configuration Error

Have you run into this error in installing and configuring:
Direct Access
Windows Server 2012 Standard
hyper-v
two network cards behind the edge
ip-https
isatap
6to4
nat64
icmp

Please advise how to troubleshoot this network IPv6 error.

Please find the error in a snapshot as attached.
direct-access-error-configuratio.pdf
Forinsight (asker):
Request for attention please. Paging the moderator.
Keith Alabaster:
Need more info.
What config have you used? DA only? Remote Access as well?
What amendments have you made to the config, post wizard completion?
Also - any reason why you have two nics on the DA server? You need two ip addresses if you are running the maximum service provision but not two nics. Obviously the one nic can have both consecutive ip addresses. What is the edge server? Has this been configured to allow the required UDP port traffic through?
The structure of my Direct Access 2012 is:
dc = corporate (internal) with one NIC, 10.0.0.0/24 subnet
da = external (internet) with two NICs: 1) 10.0.0.0/24 (corporate connect) and 2) 192.198.10.0/24 subnet

Configured the da to connect to corporate and to the internet.

Edge server: da behind the edge (two network adapters)

Please accept my sincere thanks and appreciation for responding. This appears to be a complex configuration and you're the first to throw yourself into the fray, so to speak, after days of gasping for help.

Installation and configuration of da is actually just a very easy task because it is automatic. It's the troubleshooting of errors that is very hard to crack.
The way it is 'generally' done would see the DA having just the one NIC as I mention above. Yes, the config is easy if you JUST use the wizard and effectively select the default settings. The moment you start messing with it manually, DA becomes much more problematic. As above, did you select JUST DA through the wizard or did you select DA + Remote Access? The troubleshooting approach is significantly different. Most pick DA first on its own to get that bit working before adding the Remote Access service.

I'll assume you have the basics covered i.e. all devices have the IPv6 protocol enabled on the nics - I expect you use the IPv4 stack only on the internal network but the IPv6 stack really should be enabled as it allows the devices to talk amongst themselves (you can read the 2012 best-practices guide later to check that out if you wish).

Can you explain why you placed two nics in the DA server - really struggling why you have done this?
Are you setting up just the IP-HTTPS tunnel (all that most people want)?
Have you used the DA server to host the NLS service also or placed this on another internal box?
Can you provide the output of a Route Print on the DA box?
How have you configured the two nics in the DA? Which one has the gateway? DNS on both nics have their DNS service pointing to the internal DNS server - and that has a DNS Forwarder configured?
The add role module is all by default configuration. I don't have to select the da server because it's pre-selected, as it's the only one available. What I only selected by checking is the box for Remote Access. I don't know why you considered this to be an issue.

I don't know your expertise, but your statement that I need just 'use the ipv4' is indeed very confusing to me based on my little knowledge. But perhaps you may be right. I would follow your advice to review again the best practices.

By the way, a two-NIC configuration is one option in installing Remote Access behind the edge (two network adapters). Since the internal network should be separate and da is the same server as the edge server, that NIC is the network connection to the dc on the corporate network, 10.0.0.0/24 subnet, plugged into a local router/switch without an internet connection. The other NIC connects to the internet, 192.168.10.0/24 subnet, where clients connect via a compatible protocol, and is plugged into a router/switch directly plugged into the Comcast modem.

Definitely, as in any other configuration on Direct Access, the default gateway is the external NIC, 192.168.10.0/24 subnet.

The DNS is pointed to the corporate or internal NIC. nslookup shows that both dc and da communicate and name resolution is flawless.

But I think your last question is something I missed or do not know how to do. The internal DNS is not pointed to the external NIC on the da because it could not communicate to it, as it belongs to a different subnet. If, as you said, I need to set up a forwarder, how do I do that since the DNS is on the dc, 10.0.0.0/24 subnet? Could I set up a forwarder there where it could not even communicate to the external NIC? Guide me please.
That was the question I asked you - did you select Direct Access only or Direct Access + Remote Access? You have answered that question now, which means the approach to troubleshooting changes - again, as I mentioned above.

The internal DNS does not need to point to the external nic. What is required is for both the internal and external nics on the DA server to be set to use the internal DNS Server's ip address. This is basic Windows configuration for a dual-nic server and not just a Direct Access/Remote Access configuration requirement.

Did you manage to get the Route Print outputs from the DA server? If so, can you attach them for viewing?
PS In answer to your point regarding experience, it is reasonably extensive. Besides implementing my own environment I am also an administrator on TechNet covering 2012 direct access topics.

http://mvp.microsoft.com/en-us/mvp/Keith%20Alabaster-4000709

Doesn't mean I always get it right or that I always know the answer to everything, but I have as good a chance as many to try and assist you towards a resolution.
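As an added example that is not part of this thread, the PowerShell below audits the three points raised in the reply above on a dual-NIC DirectAccess server: both NICs listing the internal DNS server, IPv6 still bound on every adapter, and the default gateway sitting on the external NIC only, then dumps the routing table as a substitute for `route print`. The internal DNS address `10.0.0.10` and the adapter name `Corp` are assumed placeholders matching this thread's 10.0.0.0/24 layout, not values from the page.

```powershell
# Added example (not from the thread). Run elevated on the DA server.
$InternalDns = '10.0.0.10'   # assumption: the DC's address on 10.0.0.0/24
$InternalNic = 'Corp'        # assumption: name of the corporate-facing adapter

$findings = @()

foreach ($nic in Get-NetAdapter -Physical | Where-Object Status -eq 'Up') {
    # Both NICs must use the internal DNS server (basic dual-NIC Windows config).
    $dns = (Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex `
                -AddressFamily IPv4).ServerAddresses
    if ($dns -notcontains $InternalDns) {
        $findings += "$($nic.Name): IPv4 DNS is [$($dns -join ', ')], expected $InternalDns"
    }

    # IPv6 should stay bound on every adapter; DA transition technologies
    # (IP-HTTPS, ISATAP, 6to4, NAT64) depend on the IPv6 stack.
    $v6 = Get-NetAdapterBinding -Name $nic.Name -ComponentID ms_tcpip6
    if (-not $v6.Enabled) {
        $findings += "$($nic.Name): IPv6 (ms_tcpip6) binding is disabled"
    }
}

# Only the Internet-facing NIC should carry the IPv4 default route.
$defaultRoutes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
foreach ($r in $defaultRoutes) {
    $name = (Get-NetAdapter -InterfaceIndex $r.ifIndex).Name
    if ($name -eq $InternalNic) {
        $findings += "Default gateway $($r.NextHop) is on the internal NIC '$name'"
    }
}
if (-not $defaultRoutes) { $findings += 'No IPv4 default route present' }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'DNS, IPv6 binding and default route match the advice above.' }

# Routing table in both address families, the equivalent of "route print".
Get-NetRoute -AddressFamily IPv4, IPv6 |
    Sort-Object ifIndex, DestinationPrefix |
    Format-Table ifIndex, DestinationPrefix, NextHop, RouteMetric -AutoSize
```

On the DC itself, `Get-DnsServerForwarder` (DnsServer module) lists the forwarders the reply asks about; none of this changes configuration, it only reports it.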
You're indeed an accomplished master of your craft. Thank you.

I'll follow your advice first and then attach the route print outputs from both servers.
Both internal and external NICs use the internal DNS server, but just the same the issue was NOT resolved.
Based on your advice I removed IPv6 on both servers, dc and da, on the internal or corporate NIC. Please see the error snapshots as attached. Instead of network adapters as the only error before, now a DNS error appears as the second error.
error-with-making-both-nics-ipv4.jpg
dns-error-suggested-resolution-1.jpg
dns-suggesgted-resolution-2.jpg
"your statement that i need just 'use the ipv4' on the internal network/nic is indeed very confusing to me based on my little knowledge."

Actually I roughly followed the Microsoft "Test Lab Guide: Demonstrate DirectAccess Single Server Setup with Mixed IPV4 and IPV6 in Windows Server 2012" dated August 2012. In this TLG, Microsoft has used both IPv4 and IPv6 stacks to show their compatibility and flawless workability, especially when configured for Direct Access 2012.
Recent posts do not mean you're wrong. There must be something I did or missed that generated the error. Maybe it could be the overall setup. But perhaps you could help with how the DNS becomes an error here. I know DNS is at your fingertips; I mean you are a master of DNS. Please tell me why just removing IPv6 but leaving IPv4 would mess up the DNS. Thanks.
no solution!!!!
I am sure someone who is such a master of sarcasm will always triumph in the end
I'm sorry. I did not mean to sound that way. Perhaps it's the way I write my thoughts. English is a second language to me, and perhaps when I could not get a logical process I get a bit carried away to speak that way without any intention of hurting anyone's feelings. But I assure you I DO NOT MEAN IT. Please forgive me.
Asker certified solution by Keith Alabaster