Server 2012 DirectAccess NRPT / DNS Resolution Problems

  • Question

  • Bleh. I'm stumped.

    I just completed the stand-up of a DirectAccess environment configured with force tunneling (the client demanded it, so please don't try and convince me to revert to split tunneling; my hands are tied). The entire environment has been working beautifully. Then, as one last step, there was another external URL they needed added to the NRPT exemptions list that requires external IPv4 resolution from their DA clients.

    It's a procedure I've done a thousand times, but for some reason, after adding the entry the DA clients can no longer resolve any of the NRPT exemptions when connected remotely.

    If I disable DirectAccess on the client by turning off the IP Helper service, I can resolve the external A records just fine, so I know it's not a DNS issue locally. As soon as the DA client resolves the entry point and connects, I can no longer resolve any DNS record that is listed in the NRPT as an exemption.

    I've tried deleting the DnsPolicyConfig key in regedit and forcing a gpupdate, just in case the NRPT had been corrupted. I've lowered the DNS resolution policy to fallbackunsecured and, of course, restarted several times to ensure that everything picks up the policy changes properly.

    Nothing has had an impact: as soon as DirectAccess connects, I can no longer resolve any DNS entry added as an exemption, though I can still look up the IP using nslookup.

    Tuesday, February 18, 2014 8:11 PM

All replies

  • By chance, did you ever figure this out? Facing this exact same issue... and yes, I'm also stumped. The only workaround I've found is to enable both IPv4 and IPv6 lookups on the client using 'set-dnsclientnrptglobal -querytype queryboth'. This can also be modified in the GPO, but I don't want to break something else by messing with the defaults.
    Wednesday, October 29, 2014 3:26 AM
  • You know, I honestly can't remember exactly what I did to resolve the issue. If memory serves, it had something to do with the default routing when operating in a forced tunnel configuration. I ran the following on all my DA boxes:

    netsh interface ipv6 set interface iphttps advertisedefaultroute=enabled store=persistent

    The only caveat is that while store=persistent would make you think that it will stick, it actually doesn't. DA tends to overwrite it any time the GPOs are updated, so I ended up having to script it to re-apply periodically on a schedule.

    This might, in fact, not solve your problem; it was one of those problems I had, then resolved, and then brain-dumped when it never resurfaced again.

    Wednesday, October 29, 2014 4:27 PM
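    The "script it to re-apply on a schedule" part of the reply above, written out as an added example (not code from any poster in this thread). It checks whether the IP-HTTPS interface has lost its default-route advertisement, re-runs the reply's netsh command only when it has, and can register a scheduled task so the check repeats after each Group Policy refresh. The interface alias is an assumption: the reply used "iphttps", and on Server 2012 the alias is commonly "IPHTTPSInterface".

```powershell
# Added example, not code from any poster in this thread. Run elevated on the
# DirectAccess server. Re-applies AdvertiseDefaultRoute on the IP-HTTPS
# interface, which a DA GPO refresh resets even when netsh wrote it with
# store=persistent, and can register a task that repeats the check.
param(
    [string]$InterfaceAlias = 'IPHTTPSInterface',   # assumption; reply used "iphttps"
    [switch]$Register                                # register the repeating task
)
$ScriptPath = $PSCommandPath

function Get-IpHttpsDefaultRouteState {
    # Current AdvertiseDefaultRoute flag (Enabled/Disabled) from the NetTCPIP module.
    (Get-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv6 -ErrorAction Stop).AdvertiseDefaultRoute
}

function Repair-IpHttpsDefaultRoute {
    # Re-applies the reply's netsh command only when the flag has drifted back.
    # Returns $true if a change was made, so the caller can record the drift.
    if ((Get-IpHttpsDefaultRouteState) -eq 'Enabled') { return $false }
    netsh interface ipv6 set interface "$InterfaceAlias" advertisedefaultroute=enabled store=persistent | Out-Null
    if ((Get-IpHttpsDefaultRouteState) -ne 'Enabled') {
        throw "netsh did not enable AdvertiseDefaultRoute on $InterfaceAlias"
    }
    return $true
}

function Register-IpHttpsDefaultRouteTask {
    # Runs this script as SYSTEM every 30 minutes, well inside the default
    # 90-minute Group Policy refresh interval that undoes the setting.
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -NonInteractive -File `"$ScriptPath`" -InterfaceAlias $InterfaceAlias"
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
        -RepetitionInterval (New-TimeSpan -Minutes 30) -RepetitionDuration ([TimeSpan]::MaxValue)
    Register-ScheduledTask -TaskName 'DA-ReapplyIpHttpsDefaultRoute' -Action $action -Trigger $trigger `
        -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
}

if ($Register) {
    Register-IpHttpsDefaultRouteTask
    "Registered task DA-ReapplyIpHttpsDefaultRoute for $InterfaceAlias"
} elseif (Repair-IpHttpsDefaultRoute) {
    "$(Get-Date -Format s) AdvertiseDefaultRoute on $InterfaceAlias had drifted; re-enabled"
} else {
    "$(Get-Date -Format s) AdvertiseDefaultRoute on $InterfaceAlias already enabled"
}
```

    Run it once with -Register to create the task; the task output ("had drifted") is the signal that a GPO refresh is still resetting the interface, which is worth tracking rather than silently masking.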
  • When you enable force tunneling, when the DirectAccess client establishes an internet connection, the default IPv6 route will be removed. You can only connect to IPv4 resources through your DirectAccess environment. You cannot use the NRPT to exclude that hostname from being forced.

    Boudewijn Plomp | BPMi Infrastructure & Security

    Wednesday, November 5, 2014 2:32 PM