Solved

DirectAccess on Server 2012

Posted on 2013-11-03
22
2,485 Views
Last Modified: 2014-03-30
Hi Guys

We've configured DirectAccess on Server 2012.
Everything seems to be ok. Internally it's connected, but externally it's not.

We've checked everything but there's nothing we can see. I'm sure there's something, but not sure what it is.

When we ran the netsh dns show state command, it shows Inside corporate network, but it's not even connected to the corp network.

Any ideas?

Cheers
Question by:goraek
22 Comments
LVL 51

Expert Comment

by:Keith Alabaster
ID: 39622142
Is this just a DA implementation or DA and RAS combined?
What server is being used to detect whether the client is on the LAN or operating externally - the DA server itself?
0
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 39622513
how did you do the setup - simple deployment or the full wizard?

which client are you using, win8 or win7?

use netsh name show - this will show the NRPT table - make sure your internal domain names are showing up

what does the diagnostic report from the client say?
0
 
LVL 2

Author Comment

by:goraek
ID: 39625137
thanks for the response.

this is just DA itself.

sorry, how do I check if the client is on the LAN or external?

I've set this up using both, and the configuration appears to be working.
I believe I'm having issues with NLS, but not too sure if it's working or not because it can't detect whether it's inside or outside the corporate network.

we're running both win 7 and 8, but at the moment testing on win 8.
0
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 39625685
ok win8 is the easiest to troubleshoot with

on the client start with
 Get-daconnectionstatus

if it's local you'll get this

Status    : ConnectedLocally
Substatus : None

or it should be
Status    : ConnectedRemotely


then if you are running windows 8, if you right click on the DA connection you should be able to run the diagnostics and tell whether it's failed to connect to something, i.e. NLS or the other internal end points


if you use
netsh int httpstunnel show int

you should get if you are on the network

Interface IPHTTPSInterface (Group Policy)  Parameters
------------------------------------------------------------
Role                       : client
URL                        : https://yourDAURL:443/IPHTTPS
Last Error Code            : 0x0
Interface Status           : IPHTTPS interface not installed.
                             Other corporate connectivity available.

If external and connected
Interface Status           : IPHTTPS interface active

or it will show an error code
0
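The reply above reads three separate outputs by hand (Get-DAConnectionStatus, netsh int httpstunnel show int, and the Machine Location line of netsh dns show state). The script below is an added example, not code from the thread or from Microsoft: it collects the same three sources on a Windows 8 / Server 2012 DirectAccess client and folds them into one object with a plain-language hint. It assumes the "Key : Value" layout of the netsh output shown in the thread and that the DirectAccessClientComponents module (Get-DAConnectionStatus) is present, which it is on any DA-capable Windows 8 client.

```powershell
# Added example (not from the thread): one-shot DirectAccess client triage.
# Assumes Windows 8+ / PowerShell 3.0 and the netsh output layout shown above.

function Get-DAClientTriage {
    # Get-DAConnectionStatus ships with the DirectAccessClientComponents module (Windows 8+).
    $da = Get-DAConnectionStatus

    # netsh prints plain text; fold its "Key : Value" lines into a hashtable.
    # The wrapped continuation line ("Other corporate connectivity available.")
    # has no colon and is skipped on purpose.
    $tunnel = @{}
    netsh interface httpstunnel show interfaces | ForEach-Object {
        if ($_ -match '^\s*([^:]+?)\s*:\s*(.+)$') { $tunnel[$matches[1]] = $matches[2].Trim() }
    }
    $ifStatus  = $tunnel['Interface Status']
    $lastError = $tunnel['Last Error Code']

    # "Machine Location" is the NRPT's verdict on whether the NLS was reachable.
    $locLine  = netsh dns show state | Where-Object { $_ -match 'Machine Location' }
    $location = ($locLine -replace '^.*:\s*', '').Trim()

    # Interpretation follows the reply above: order matters because
    # "deactivated" must be tested before "active".
    $hint = if ($ifStatus -match 'deactivated') {
        'Client decided it is outside, but IP-HTTPS did not come up: check the URL resolves publicly, TCP 443 reaches the DA server, and the certificate is trusted'
    } elseif ($ifStatus -match 'not installed') {
        'Client believes it is inside the corporate network (NLS reachable), so no tunnel is built'
    } elseif ($ifStatus -match 'interface active') {
        'IP-HTTPS tunnel is up'
    } else {
        "Unrecognised interface status: $ifStatus"
    }

    [pscustomobject]@{
        Status           = $da.Status
        Substatus        = $da.Substatus
        MachineLocation  = $location
        IPHttpsInterface = $ifStatus
        LastErrorCode    = $lastError
        Hint             = $hint
    }
}

# Usage: run on the client while it is on the external network.
Get-DAClientTriage | Format-List
```

Run it once from inside the corporate network and once from outside; the pair of results (ConnectedLocally with "not installed" inside, ConnectedRemotely with "interface active" outside) is the healthy baseline, and a mismatch between MachineLocation and IPHttpsInterface points at the NLS or the IP-HTTPS endpoint respectively.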
 
LVL 2

Author Comment

by:goraek
ID: 39625745
Yeah, hence I'm doing this on win 8 to troubleshoot.
I don't get the IPHTTPS interface active when externally connected.
Any reason for this? That's probably why it isn't working?
0
 
LVL 2

Author Comment

by:goraek
ID: 39625761
I just double checked and it's giving me IPHTTPS interface deactivated.
0
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 39625816
does the DA connection from the charm bar still show as connecting at this point?
what does the get-daconnectionstatus show at this point?

can you run the advanced diagnostics and show the output
0
 
LVL 2

Author Comment

by:goraek
ID: 39625833
This is what I get when I ran the health test.

Component            RemoteAccessServer   HealthState     TimeStamp            Id              OperationStatus
---------            ------------------   -----------     ---------            --              ---------------
Server               localhost            OK              6/11/2013 5:44:59 AM
6to4                 localhost            Disabled        6/11/2013 4:33:04 AM
Vpn Addressing       localhost            Disabled        6/11/2013 4:33:04 AM
Network Security     localhost            OK              6/11/2013 4:38:04 AM
Dns                  localhost            OK              6/11/2013 4:38:49 AM
IP-Https             localhost            OK              6/11/2013 5:44:59 AM
Nat64                localhost            OK              6/11/2013 4:38:04 AM
Dns64                localhost            OK              6/11/2013 4:38:04 AM
IPsec                localhost            OK              6/11/2013 4:38:04 AM
Kerberos             localhost            OK              6/11/2013 5:44:58 AM
Domain Controller    localhost            OK              6/11/2013 4:38:10 AM
Management Servers   localhost            Disabled        6/11/2013 4:33:04 AM
Network Location ... localhost            OK              6/11/2013 5:44:15 AM
Otp                  localhost            Disabled        6/11/2013 4:33:04 AM
High Availability    localhost            Disabled        6/11/2013 4:33:04 AM
Isatap               localhost            Disabled        6/11/2013 4:33:04 AM
Vpn Connectivity     localhost            Disabled        6/11/2013 4:33:04 AM
Teredo               localhost            Disabled        6/11/2013 4:33:04 AM
Network Adapters     localhost            OK              6/11/2013 4:38:04 AM
Services             localhost            OK              6/11/2013 4:38:04 AM
0
 
LVL 2

Author Comment

by:goraek
ID: 39625835
After I ran Get-DaConnectionStatus I get:

PS C:\Users\administrator> Get-DAConnectionStatus


Status    : Error
Substatus : CouldNotContactDirectAccessServer

This also shows Connecting
0
 
LVL 2

Author Comment

by:goraek
ID: 39625840
Here is the diagnostic

PS C:\Users\administrator> nltest /dsgetdc:directaccess.domain.local
Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
PS C:\Users\administrator> Get-DAConnectionStatus


Status    : Error
Substatus : CouldNotContactDirectAccessServer



PS C:\Users\administrator> netsh int httpstunnel sh int

Interface IPHTTPSInterface (Group Policy)  Parameters
------------------------------------------------------------
Role                       : client
URL                        : https://directaccess.domain.local:443/IPHTTPS
Last Error Code            : 0x0
Interface Status           : IPHTTPS interface deactivated

PS C:\Users\administrator> netsh dns sh state

Name Resolution Policy Table Options
--------------------------------------------------------------------

Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                        if the name does not exist in DNS or
                                        if the DNS servers are unreachable
                                        when on a private network

Query Resolution Behavior             : Resolve only IPv6 addresses for names

Network Location Behavior             : Let Network ID determine when Direct
                                        Access settings are to be used

Machine Location                      : Outside corporate network

Direct Access Settings                : Configured and Enabled

DNSSEC Settings                       : Not Configured
0
 
LVL 2

Author Comment

by:goraek
ID: 39625954
I ran the httpstunnel command again, now I'm getting not installed:

PS C:\Users\administrator> netsh int httpstunnel sh int

Interface IPHTTPSInterface (Group Policy)  Parameters
------------------------------------------------------------
Role                       : client
URL                        : https://directaccess.domain.local:443/IPHTTPS
Last Error Code            : 0x0
Interface Status           : IPHTTPS interface not installed.
                             Other corporate connectivity available.

Any ideas?
0
 
LVL 2

Author Comment

by:goraek
ID: 39626004
By the way, how do we reset the 443 IIS cert binding? We've set this manually, but want to revert this back.
0
 
LVL 2

Author Comment

by:goraek
ID: 39626233
I believe there's an issue with the certificate.
I can't browse to it externally. Is there something we need to do with the certificate?
0
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 39626567
So the basic tests would be: from the client, ping the DA server address and make sure it resolves,
then you can browse to it using the URL that you got above.
This shouldn't display much but you can check the cert, i.e. make sure it's trusted etc.
Are you using a 3rd party cert?

When you say you reset the binding, do you mean you went into IIS on the DA server?
Did you change to a different port?
If you run through the DA setup wizard again for the step where you set the URL and cert then that should do it....maybe make a change and apply and then change it back.
0
 
LVL 2

Author Comment

by:goraek
ID: 39626695
I can ping the URL but unfortunately I'm not able to browse to it.
Is there a guide to create a self-signed cert? I believe I did it correctly.

Yes that's correct, I made the change on the DA server, manually bound port 433.
How do I remove the manual bind and use the default bind from DA setup?
0
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 39626995
the self signed cert I am talking about is created via the DA wizard. Are you talking about one you created and signed with an internal CA?



i would almost think about redoing the config
0
 
LVL 2

Author Comment

by:goraek
ID: 39627222
I've re-done the config many times, still no go.
I'm just not able to connect externally, and everything seems all fine.
0
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 39627239
the reason for redoing the config is to reset the binding on IIS

have you checked the config for the NRPT table to ensure it includes all the domain names of your internal domain

on the client side, does it have the group policies applied correctly?
does it have the certificate trusted?
does it have the firewall on?
0
 
LVL 2

Author Comment

by:goraek
ID: 39636748
Interesting enough, I found a guide:

Prerequisites for Using DirectAccess
Before you can use DirectAccess for Windows 8:
•      Your computer must be running the Windows 8 Release Preview (or later) image or Windows 8 Release Preview Enterprise Edition or later.
•      Your computer must be joined to a deployed domain.
•      You must have a physical smart card and smart card reader. If you have a physical smart card but haven’t used it to connect to the corporate network using IT VPN, you must reset or unblock your smart card PIN. You can also reset your PIN if you have forgotten it. For more information, see << Insert more information URL or technical support contact>>.
•      Your computer must have a Trusted Platform Module (TPM) and it must be initialized. For more information, see “Checking Your Computer for a TPM in this guide.

It seems like I need a smart card reader and TPM.

Not sure if this is true, but it does say it is a prerequisite.

Can someone confirm this?
0
 
LVL 18

Accepted Solution

by:
irweazelwallis earned 500 total points
ID: 39637127
No, you don't need a smart card reader. Not 100% sure about TPM, but not sure what it needs to be used for. We have TPMs in all our laptops.
The only prerequisite that I adhered to was it being win8 enterprise.
0
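The replies above list the client-side things worth checking (group policy applied, NRPT populated, IP-HTTPS certificate trusted, firewall on), and the accepted answer adds the one that actually resolved the thread: the client has to be an Enterprise edition. The script below is an added example, not code from the thread or from Microsoft, that checks all of those on a Windows 8 / Server 2012 client in one pass. It assumes PowerShell 3.0 with the DnsClient and NetSecurity modules (both standard on Windows 8), that the IP-HTTPS URL can be read from the netsh output layout shown in the thread, and that the registry key HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig is where the DA group policy delivers NRPT rules. The edition test accepts Enterprise and Ultimate because Windows 7 Ultimate is also a supported DA client; Windows 8 needs Enterprise, as the thread found.

```powershell
# Added example (not from the thread): DirectAccess client prerequisite checks.
# Assumes Windows 8+ / PowerShell 3.0, run elevated on the client being tested.

function Get-IPHttpsUrl {
    # Read the IP-HTTPS URL group policy gave the client from the netsh output
    # shown in the thread (assumes the "Key : Value" layout).
    $line = netsh interface httpstunnel show interfaces | Where-Object { $_ -match '^\s*URL\s*:' }
    if ($line) { ($line -replace '^\s*URL\s*:\s*', '').Trim() }
}

function Test-IPHttpsCertificate {
    param([Parameter(Mandatory)][string]$Url)
    # Temporarily accept any certificate so the handshake completes and the
    # presented certificate can be captured; trust is evaluated explicitly below.
    $old = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    try {
        $req = [System.Net.HttpWebRequest]::Create($Url)
        $req.Timeout = 10000
        # An HTTP error (the DA endpoint returns nothing useful to a browser) is
        # fine; only the TLS handshake matters here.
        try { $req.GetResponse().Close() } catch [System.Net.WebException] { }
        $raw = $req.ServicePoint.Certificate
    } finally {
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $old
    }
    if (-not $raw) {
        return [pscustomobject]@{ Url = $Url; Reachable = $false; NameMatches = $false
                                  ChainTrusted = $false; Issues = 'no TLS handshake (DNS, TCP 443 or firewall?)' }
    }
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]$raw
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust first; revocation is a separate question
    $trusted  = $chain.Build($cert)                 # uses this machine's root/intermediate stores
    $hostName = ([uri]$Url).Host
    # Names the certificate is valid for: SAN DNS entries plus the subject CN.
    $names = @($cert.DnsNameList.Unicode) + $cert.GetNameInfo('DnsName', $false)
    [pscustomobject]@{
        Url = $Url; Reachable = $true
        Subject = $cert.Subject; Issuer = $cert.Issuer; NotAfter = $cert.NotAfter
        NameMatches  = ($names -contains $hostName)
        ChainTrusted = $trusted
        Issues = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
}

function Test-DAClientPrerequisites {
    $os = Get-CimInstance Win32_OperatingSystem
    $cs = Get-CimInstance Win32_ComputerSystem
    # DA clients: Windows 7 Enterprise/Ultimate, Windows 8 Enterprise.
    $editionOk = $os.Caption -match 'Enterprise|Ultimate'
    # Effective NRPT: rules carrying DirectAccess DNS servers are the DA namespaces.
    $daRules = @(Get-DnsClientNrptPolicy -Effective | Where-Object { $_.DirectAccessDnsServers })
    $gpoKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig'
    # DA's IPsec tunnel rules live in Windows Firewall, so a disabled profile breaks it.
    $fwOff = Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | Select-Object -ExpandProperty Name
    $url   = Get-IPHttpsUrl
    $cert  = if ($url) { Test-IPHttpsCertificate -Url $url }

    [pscustomobject]@{
        OSEdition                = $os.Caption
        EditionSupported         = $editionOk
        DomainJoined             = $cs.PartOfDomain
        DAPolicyApplied          = Test-Path $gpoKey
        NrptDANamespaces         = ($daRules | ForEach-Object { $_.Namespace }) -join ', '
        FirewallDisabledProfiles = $fwOff -join ', '
        IPHttpsUrl               = $url
        IPHttpsCertOk            = if ($cert) { $cert.ChainTrusted -and $cert.NameMatches } else { $null }
        IPHttpsCertIssues        = if ($cert) { $cert.Issues }
    }
}

Test-DAClientPrerequisites | Format-List
```

Read the output top to bottom: EditionSupported false explains the symptom in this thread outright (a non-Enterprise client never builds the tunnel, whatever the server health report says); DAPolicyApplied false or an empty NrptDANamespaces means the client group policy has not landed; IPHttpsCertOk false with a chain issue means the self-signed or internal-CA certificate on the DA server is not in the client's trusted roots, which matches the "can ping the URL but cannot browse to it" observation above.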
 
LVL 2

Assisted Solution

by:goraek
goraek earned 0 total points
ID: 39955077
Apparently it was an OS issue, it needs to be Enterprise. Changed this and all was good.
0
 
LVL 2

Author Closing Comment

by:goraek
ID: 39964656
Using Enterprise fixed issue.
0
