DirectAccess on Server 2012
Asked by goraek
Hi Guys
We've configured DirectAccess on Server 2012.
Everything seems to be OK. Internally it's connected, but externally it's not.
We've checked everything but there's nothing we can see. I'm sure there's something, but not sure what it is.
When we ran the netsh dns show state command, it shows "Inside corporate network", but it's not even connected to the corp network.
Any ideas?
Cheers
how did you do the setup - simple deployment or the full wizard?
which client are you using, win8 or win7?
use netsh name show - this will show the NRPT table - make sure your internal domain names are showing up
what does the diagnostic report from the client say?
ASKER
Thanks for the response.
This is just DA itself.
Sorry, how do I check if the client is on the LAN or externally?
I've set this up using both, and the configuration appears to be working.
I believe I'm having issues with NLS, but not too sure if it's working or not, because it can't detect whether it's inside or outside the corporate network.
We're running both Win 7 and 8, but at the moment testing on Win 8.
ok, win8 is the easiest to troubleshoot with
on the client start with
Get-daconnectionstatus
if it's local you'll get this
Status : ConnectedLocally
Substatus : None
or it should be
Status : ConnectedRemotely
then, if you are running Windows 8, if you right-click on the DA connection you should be able to run the diagnostics and tell whether it's failed to connect to something, i.e. NLS or the other internal endpoints
if you use
netsh int httpstunnel show int
you should get this if you are on the network
Interface IPHTTPSInterface (Group Policy) Parameters
-------------------------- ---------- ---------- ---------- ----
Role : client
URL : https://yourDAURL:443/IPHTTPS
Last Error Code : 0x0
Interface Status : IPHTTPS interface not installed.
Other corporate connectivity available.
If external and connected
Interface Status : IPHTTPS interface active
or it will show an error code
ASKER
Yeah, hence I'm doing this on Win 8 to troubleshoot.
I don't get "IPHTTPS interface active" when externally connected.
Any reason for this? That's probably why it isn't working?
ASKER
I just double-checked and it's giving me "IPHTTPS interface deactivated".
does the DA connection from the charm bar still show as connecting at this point?
what does the get-daconnectionstatus show at this point?
can you run the advanced diagnostics and show the output?
ASKER
This is what I get when I ran the health test.
Component RemoteAccessServer HealthState TimeStamp Id OperationStatus
--------- ------------------ ----------- --------- -- ---------------
Server localhost OK 6/11/2013 5:44:59 AM
6to4 localhost Disabled 6/11/2013 4:33:04 AM
Vpn Addressing localhost Disabled 6/11/2013 4:33:04 AM
Network Security localhost OK 6/11/2013 4:38:04 AM
Dns localhost OK 6/11/2013 4:38:49 AM
IP-Https localhost OK 6/11/2013 5:44:59 AM
Nat64 localhost OK 6/11/2013 4:38:04 AM
Dns64 localhost OK 6/11/2013 4:38:04 AM
IPsec localhost OK 6/11/2013 4:38:04 AM
Kerberos localhost OK 6/11/2013 5:44:58 AM
Domain Controller localhost OK 6/11/2013 4:38:10 AM
Management Servers localhost Disabled 6/11/2013 4:33:04 AM
Network Location ... localhost OK 6/11/2013 5:44:15 AM
Otp localhost Disabled 6/11/2013 4:33:04 AM
High Availability localhost Disabled 6/11/2013 4:33:04 AM
Isatap localhost Disabled 6/11/2013 4:33:04 AM
Vpn Connectivity localhost Disabled 6/11/2013 4:33:04 AM
Teredo localhost Disabled 6/11/2013 4:33:04 AM
Network Adapters localhost OK 6/11/2013 4:38:04 AM
Services localhost OK 6/11/2013 4:38:04 AM
ASKER
After I ran Get-DaConnectionStatus I get:
PS C:\Users\administrator> Get-DAConnectionStatus
Status : Error
Substatus : CouldNotContactDirectAccessServer
This also shows Connecting
ASKER
Here is the diagnostic
PS C:\Users\administrator> nltest /dsgetdc:directaccess.domain.local
Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
PS C:\Users\administrator> Get-DAConnectionStatus
Status : Error
Substatus : CouldNotContactDirectAccessServer
PS C:\Users\administrator> netsh int httpstunnel sh int
Interface IPHTTPSInterface (Group Policy) Parameters
-------------------------- ---------- ---------- ---------- ----
Role : client
URL : https://directaccess.domain.local:443/IPHTTPS
Last Error Code : 0x0
Interface Status : IPHTTPS interface deactivated
PS C:\Users\administrator> netsh dns sh state
Name Resolution Policy Table Options
-------------------------- ---------- ---------- ---------- ---------- --
Query Failure Behavior : Always fall back to LLMNR and NetBIOS
if the name does not exist in DNS or
if the DNS servers are unreachable
when on a private network
Query Resolution Behavior : Resolve only IPv6 addresses for names
Network Location Behavior : Let Network ID determine when Direct
Access settings are to be used
Machine Location : Outside corporate network
Direct Access Settings : Configured and Enabled
DNSSEC Settings : Not Configured
ASKER
I ran the httpstunnel command again, and now I'm getting "not installed":
PS C:\Users\administrator> netsh int httpstunnel sh int
Interface IPHTTPSInterface (Group Policy) Parameters
-------------------------- ---------- ---------- ---------- ----
Role : client
URL : https://directaccess.domain.local:443/IPHTTPS
Last Error Code : 0x0
Interface Status : IPHTTPS interface not installed.
Other corporate connectivity available.
Any ideas?
ASKER
By the way, how do we reset the 443 IIS cert binding? We've set this manually, but want to revert this back.
ASKER
I believe there's an issue with the certificate.
I can't browse to it externally. Is there something we need to do with the certificate?
So the basic tests would be: from the client, ping the DA server address and make sure it resolves
then you can browse to it using the URL that you got above
this shouldn't display much, but you can check the cert, i.e. make sure it's trusted etc.
are you using a 3rd party cert?
when you say you reset the binding, do you mean you went into IIS on the DA server?
did you change to a different port?
if you run through the DA setup wizard again for the step where you set the URL and cert, then that should do it... maybe make a change and apply, and then change it back
ASKER
I can ping the URL but unfortunately I'm not able to browse to it.
Is there a guide to create a self-signed cert? I believe I did it correctly.
Yes, that's correct, I made the change on the DA server and manually bound port 433.
How do I remove the manual bind and use the default bind from the DA setup?
the self-signed cert I am talking about is created via the DA wizard. Are you talking about one you created and signed with an internal CA?
I would almost think about redoing the config
ASKER
I've redone the config many times, still no go.
I'm just not able to connect externally, and everything seems all fine.
the reason for redoing the config is to reset the binding on IIS
have you checked the config for the NRPT table to ensure it includes all the domain names of your internal domain?
on the client side, does it have the group policies applied correctly?
does it have the certificate trusted?
does it have the firewall on?
ASKER
Interestingly enough, I found a guide:
Prerequisites for Using DirectAccess
Before you can use DirectAccess for Windows 8:
• Your computer must be running the Windows 8 Release Preview (or later) image or Windows 8 Release Preview Enterprise Edition or later.
• Your computer must be joined to a deployed domain.
• You must have a physical smart card and smart card reader. If you have a physical smart card but haven’t used it to connect to the corporate network using IT VPN, you must reset or unblock your smart card PIN. You can also reset your PIN if you have forgotten it. For more information, see << Insert more information URL or technical support contact>>.
• Your computer must have a Trusted Platform Module (TPM) and it must be initialized. For more information, see “Checking Your Computer for a TPM” in this guide.
It seems like I need a smart card reader and TPM.
Not sure if this is true, but it does say it is a prerequisite.
Can someone confirm this?
ASKER CERTIFIED SOLUTION
SOLUTION
ASKER
Using Enterprise fixed the issue.
What server is being used to detect whether the client is on the LAN or operating externally - the DA server itself?
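Added example (my own script, not from the thread or from Microsoft): a client-side triage pass that runs the checks raised in the replies above in one go, plus the edition prerequisite that turned out to be the fix, and probes the NLS URL so you can see whether the "Inside corporate network" decision is consistent with where the client really is. It assumes a Windows 8 or later domain-joined DirectAccess client, an elevated prompt, and that Get-NCSIPolicyConfiguration exposes the NLS URL as DomainLocationDeterminationURL; the helper names Test-Https and Out-Check are mine.

```powershell
# Added triage script, not from the thread. Assumes a Windows 8+ domain-joined DA client
# and an elevated PowerShell prompt. The NLS URL property (DomainLocationDeterminationURL
# on Get-NCSIPolicyConfiguration) is assumed from the Windows 8 client modules.
function Test-Https([string]$Url) {
    # Answered = the TLS handshake succeeded and the server sent any HTTP status.
    # A 404 still counts as answered; an untrusted cert or a closed port does not.
    try { $null = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 5
          [pscustomobject]@{ Answered = $true; Detail = 'HTTPS ok' } }
    catch { [pscustomobject]@{ Answered = ($null -ne $_.Exception.Response); Detail = $_.Exception.Message } }
}
function Out-Check($Name, $Ok, $Detail) {
    [pscustomobject]@{ Check = $Name; Result = [bool]$Ok; Detail = "$Detail" }
}

$os = Get-CimInstance Win32_OperatingSystem
$cs = Get-CimInstance Win32_ComputerSystem
# Edition: the thread's fix was moving the client to Windows 8 Enterprise.
Out-Check 'Edition is Enterprise' ($os.Caption -match 'Enterprise') $os.Caption
Out-Check 'Domain joined' $cs.PartOfDomain $cs.Domain

# Overall client state: ConnectedLocally / ConnectedRemotely is healthy; Error is not.
$da = Get-DAConnectionStatus
Out-Check 'DA status' ($da.Status -ne 'Error') "$($da.Status) / $($da.Substatus)"

# IP-HTTPS: 'active' when remote and connected; 'not installed' means the client has
# decided it is inside the corporate network and will not build the tunnel at all.
$tunnel   = netsh interface httpstunnel show interfaces | Out-String
$ifStatus = if ($tunnel -match 'Interface Status\s*:\s*(.+)') { $Matches[1].Trim() } else { 'unknown' }
$ifUrl    = if ($tunnel -match 'URL\s*:\s*(\S+)') { $Matches[1] } else { $null }
Out-Check 'IP-HTTPS interface active' ($ifStatus -like '*active*') $ifStatus

# NRPT: the internal DNS suffix must be listed with DirectAccess enabled.
$nrpt = Get-DnsClientNrptPolicy | Where-Object DirectAccessEnabled
Out-Check 'NRPT has DA namespaces' $nrpt ($nrpt.Namespace -join ', ')

# Location: the NLS URL must answer over HTTPS with a trusted cert only on the LAN.
# If it answers from the internet the client reports 'Inside corporate network' and
# never connects; if it does not answer on the LAN the client tunnels unnecessarily.
$state    = netsh dns show state | Out-String
$location = if ($state -match 'Machine Location\s*:\s*(.+)') { $Matches[1].Trim() } else { 'unknown' }
$nlsUrl   = (Get-NCSIPolicyConfiguration).DomainLocationDeterminationURL
$nls      = Test-Https $nlsUrl
Out-Check 'NLS result matches location' ($nls.Answered -eq ($location -like 'Inside*')) "$location; NLS $nlsUrl answered=$($nls.Answered) $($nls.Detail)"

# IP-HTTPS endpoint: the 'browse to the URL and check the cert is trusted' step.
if ($ifUrl) { $ep = Test-Https $ifUrl; Out-Check 'IP-HTTPS URL trusted' $ep.Answered $ep.Detail }
```

Run it once on the LAN and once from outside; the NLS row should flip between the two runs, and a client that reports "Inside" from the internet points at the NLS (or its DNS name) being reachable where it should not be.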