
Direct Access Not Working

Posted on 2014-07-14
Last Modified: 2015-03-19
I recently installed Windows Server 2012 with the Direct Access feature and (thought I had) followed the instructions carefully for enabling a Windows 7 client PC to remote in; however, it's not working. Following a gpupdate /force (on both the server and PC), I examined the registry on the PC and see the DA settings, yet when I get onto the non-corporate network, although I see Teredo and iphttps interfaces enabled with IPv6 addresses, a netsh dns show state reveals:
•      Outside corporate network
•      Network location behavior – Never use DA settings
•      DA Settings – not configured
•      DNSSEC Settings – not configured

So I don’t understand why it says “Never use DA settings” or why the others show not configured.  And I suppose it’s proper to have both interfaces active?!  

My setup is a fully patched DA server with one interface sitting behind a firewall.  So I have my firewall redirecting all requests to the DA server.  The log of my Cisco router/firewall is showing nothing in the log of any traffic blocked.  I do have ESP traffic going through my firewall due to site-to-site VPN traffic. (Hopefully that’s not interfering with anything.)

I also found this website listing the steps needed for allowing Windows 7 clients into DA, which I performed: http://blogs.msdn.com/b/canberrapfe/archive/2012/07/12/simple-direct-access-setup-with-windows-server-2012-rp.aspx

No messages in the event log; the Remote Access Mgmt Console shows everything green and doing a trace shows absolutely nothing.  What can I do to fix this or reveal the source of my problem?
Question by:ejefferson213
LVL 18

Expert Comment

by:irweazelwallis
ID: 40196372
From the above it looks like you are using Windows 7 as your client.

Have you set up all the requirements for that: a computer certificate for any clients, and published the CRL of the issuing certificate authority for those certificates, i.e. made it accessible externally?
Do the group policy settings apply correctly to the Win7 client? GP results will show if it has picked up the settings.
What does the DA troubleshooting say from the client? That will show more than the netsh commands.
Can you resolve the external FQDN of your DA server?
Can you telnet to port 443 from externally to the DA server?
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 40196395
Check that it is not set to 2. Set it to 0 or 1.

HKLM\Software\Policies\Microsoft\Windows NT\DNSClient or HKLM\System\CurrentControlSet\services\Dnscache\Parameters<1>
"EnableDAForAllNetworks" DWORD (32-bit) to 0

http://msdn.microsoft.com/en-us/library/ff957870.aspx
 

Author Comment

by:ejefferson213
ID: 40199167
Thank you both very much for your suggestions!

David,  I made the change as you suggested but unfortunately it didn't make any difference.  Again, thanks for the suggestion!

irweazelwallis, I too was wondering about the certificate so, using the purchased GoDaddy cert, I imported that cert into the public store on the RAS/DA server but I don't know how to publish the CRL, I'll look more into that.  On my Windows 7 PC, I can see DA settings brought about by Group policy so that should be ok (although I'm still concerned that the netsh dns show state results look bad).  The external FQDN is resolvable and I can telnet to port 443 (it comes back with a blank screen to which I haven't a clue what to enter).  

I also don't know yet what troubleshooting tools are available on the RAS/DA server so I'll look into that some more.

Thanks again with your help!!
LVL 18

Expert Comment

by:irweazelwallis
ID: 40199199
Didn't mention last time: Win7 and Win8 will need to be Enterprise edition to work.

Do you have a windows 8 client you can test with as that should work out of the box

Do you have an internal PKI?
here is a quick guide on the steps

http://syscomlab.blog.com/2012/09/how-to-get-windows-7-to-work-with-directaccess-server-2012/

This matches pretty much what I have done.
We also present our CRLs externally so that the Win7 client can do a revocation check, i.e. change the AIA to have an externally resolvable URL, i.e. crl.company.com.
I couldn't find any nice screenshot guides for this on the first look, but if you need help I will have another look or screenshot something up myself.
 

Author Comment

by:ejefferson213
ID: 40199556
Thanks for that link, Somewhere/somehow I had come across that and followed each step.  However my one issue is this, when trying to edit the Remote Access Server setup, under the Network Adapter, you can choose to use a self-signed certificate.  I chose to use the certificate we purchased from Godaddy.  However, when I click on Browse... it doesn't list it even though when I bring up the Certificates MMC, I see it under Personal/Certificates.   Any clue on that????

And btw, I'm using Windows 7 Professional (wonder if that's my problem). And no, we don't have an internal PKI in place.  And next week, my boss is bringing in her Windows 8 machine to test with.

Thank you!
 

Author Comment

by:ejefferson213
ID: 40199657
Also, I forgot to mention that my Certificate server is on Windows Server 2008 R2 if that makes a difference.... I've forgotten why the role was installed but we never use it so I guess I must correct myself by saying that we "do" have a PKI infrastructure.
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 40200700
2008 R2 is fine - haven't upgraded my internal one past that.
It's the certificate templates that need to be specific.
The AIA publishing points need to have HTTP locations in there - this means reissuing the root CA cert and any other certs that will need to be used in the DA deployment, i.e. NLS.

You would need to set up the specific enrollment policies for the Win7 computers.

How did you do the config of Direct Access - quick setup or the more involved wizard?
Have you tested with Win8 to make sure it's functional as is?
 

Author Comment

by:ejefferson213
ID: 40204874
I must admit that I am a novice when it comes to certificates but being that what I've read makes me believe that a PKI infrastructure isn't needed and that DA generated certs are possible, I'm puzzled why this is a certificate issue.  And I've followed several articles for setting up my Windows 7 PCs and used the wizard of DA for setup.  It won't be until Tuesday (7/22) that I'll be able to test Windows 8.  (Stay tuned...)  However, I'm more interested in why the command: Netsh show dns state               reveals: Network Location Behavior:   Never use Direct Access Settings.
An article I found online spoke of a registry setting (EnableDAonAllNetworks) (or some such key) and my registry didn't have that at all, but I placed it in there along with the suggested value and rebooted and it still doesn't work.  I can't believe that Windows 7 Professional is the culprit, but I may need to open a case with MS to get this resolved.
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 40208401
If you use the Getting Started wizard, PKI is not required - BUT - it's not very clear, but it won't work with Windows 7.

http://technet.microsoft.com/en-us/library/dn464273.aspx 
if you look down to the advanced setup it shows it will support windows 7


Can you confirm that it's Windows 7 Professional? This will be a problem: only Enterprise (and Ultimate) versions of the desktop OSes are supported.
 
LVL 84

Accepted Solution

by:
David Johnson, CD, MVP earned 1000 total points
ID: 40208425
Direct access is supported on: Windows 7 Ultimate and Windows 7 Enterprise only, Windows 8 Enterprise and not PRO
 

Author Comment

by:ejefferson213
ID: 40211410
I guess that's been my problem because indeed, we only use Windows 7 Professional.  I'll test Windows 8 out and let you know the results.  Thank you!
 
LVL 18

Assisted Solution

by:irweazelwallis
irweazelwallis earned 1000 total points
ID: 40211658
No problem, if you want windows 7 you will need it to be enterprise and have some certificate infrastructure setup but test out with Win8 first
 

Author Closing Comment

by:ejefferson213
ID: 40227374
Thank you both for your help.  While I await a Windows 8 machine to test with, I don't want to see this question abandoned so I'll close it out.  I'm confident that the solutions you suggested will solve the issue I'm having.  Thanks once again!!!
 

Expert Comment

by:jss130
ID: 40675564
Wow, thanks for all your solutions. I'm practicing for my Windows Server 2012 and I have Windows 8.1 Pro and I was wondering why the group policy pushed from Server 2012 R2 wasn't going to the client.
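
The client-side checks raised across this thread (OS edition, the EnableDAForAllNetworks value, `netsh dns show state`, external name resolution and port 443), gathered into one PowerShell function as an added example that is not part of the original thread. The function name and the FQDN `da.example.com` are placeholders, and the netsh match assumes English-language output.

```powershell
# Added example: DirectAccess client pre-flight checks taken from this thread.
# 'da.example.com' is a placeholder for your external DirectAccess FQDN.
function Test-DAClientPrereqs {
    param([string]$DAServerFqdn = 'da.example.com')
    $r = @()
    function Add-Result($check, $pass, $detail) {
        New-Object PSObject -Property @{ Check = $check; Pass = [bool]$pass; Detail = "$detail" }
    }

    # 1. Edition (per the accepted answer): Windows 7 needs Enterprise or
    #    Ultimate, Windows 8 needs Enterprise; Professional/Pro is unsupported.
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $ver = [version]$os.Version
    $pattern = if ($ver.Major -eq 6 -and $ver.Minor -eq 1) { 'Enterprise|Ultimate' } else { 'Enterprise' }
    $r += Add-Result 'Edition' ($os.Caption -match $pattern) ($os.Caption.Trim())

    # 2. EnableDAForAllNetworks in the two locations quoted in the thread:
    #    absent, 0 or 1 passes; 2 is the value the thread says to avoid.
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient',
            'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
    foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name EnableDAForAllNetworks -ErrorAction SilentlyContinue).EnableDAForAllNetworks
        $shown = if ($null -eq $v) { 'not set' } else { $v }
        $r += Add-Result "EnableDAForAllNetworks ($k)" ($v -ne 2) $shown
    }

    # 3. What the DNS client reports; the poster saw "Never use" on this line.
    $state = netsh dns show state | Where-Object { $_ -match 'Network Location Behavior|Direct Access Settings' }
    $summary = ($state | ForEach-Object { $_.Trim() }) -join '; '
    $r += Add-Result 'netsh dns show state' (-not ($state -match 'Never use')) $summary

    # 4. External name resolution and TCP 443 reachability of the DA server.
    try   { $ip = [System.Net.Dns]::GetHostAddresses($DAServerFqdn) | Select-Object -First 1 }
    catch { $ip = $null }
    $r += Add-Result 'Resolve FQDN' ($null -ne $ip) $ip
    $tcp = New-Object System.Net.Sockets.TcpClient
    try   { $tcp.Connect($DAServerFqdn, 443); $open = $tcp.Connected }
    catch { $open = $false }
    finally { $tcp.Close() }
    $r += Add-Result 'TCP 443' $open "${DAServerFqdn}:443"

    $r | Select-Object Check, Pass, Detail
}

Test-DAClientPrereqs -DAServerFqdn 'da.example.com' | Format-Table -AutoSize -Wrap
```

Run it on the client while it is connected to a non-corporate network, since that is where the thread's symptoms appear.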