Remove From My Forums

DirectAccess DNS Entries

Question
0

Sign in to vote

I am trying to troubleshoot my once working DirectAccess setup and I am thinking it has to do with a possibly corrupt internal DNS.

It's possible that with the recent integration of a UTM50 firewall that my DNS settings got messed up, what are the standard DNS entries for DA with a fresh install?

Is it possible to repopulate the DNS server from DA?

Tuesday, November 6, 2012 6:05 AM

Answers

1

Sign in to vote
Hi,

Basically, your NRPT rules should contain entries for your internal domains (I assume you are not using Force Tunneling?)
Your DA server should have your internal DNS servers (where your AD domain is hosted) registered on the internal interface, often your domaincontrollers also have the DNS role with these zones hosted on them.

Some questions to better understand your environment (and the problems you have)

What kind of problems are you experiencing?
Can the clients establish the IPHTTPS connection?
The IPSec tunnels?
Can they reach internal servers using IP addresses (ie, if you try to connect to a known IPv6/NAT64 address)?
Does the DNS lookups internally work?

Some things to test:

* Can you reach the internal DNS servers from your DA server?
* Can you either upload the DCA log somewhere and post a link to it or post the output from 'netsh namespace show policy' ?

Jonas Blom | Relevo AB | http://blog.nrpt.se
- Marked as answer by Andy QiMicrosoft community contributor, Moderator Friday, January 4, 2013 6:05 AM
Wednesday, November 7, 2012 11:04 AM
0

Sign in to vote
Hey Pyr3x! I came across this one and wanted to update it for anyone reading it later. Based on another forum post that we worked on yesterday, I believe this issue was resolved by using a certificate from a public CA for the IP-HTTPS listener. We requested and acquired a cert from the CA, put it on the DirectAccess server, and re-ran through the wizards to tell it to use the new certificate.
- Marked as answer by Boo_MonstersIncMicrosoft community contributor, Moderator Friday, November 30, 2012 2:03 AM
Wednesday, November 14, 2012 1:59 PM

All replies

1

Sign in to vote
Hi,

Basically, your NRPT rules should contain entries for your internal domains (I assume you are not using Force Tunneling?)
Your DA server should have your internal DNS servers (where your AD domain is hosted) registered on the internal interface, often your domaincontrollers also have the DNS role with these zones hosted on them.

Some questions to better understand your environment (and the problems you have)

What kind of problems are you experiencing?
Can the clients establish the IPHTTPS connection?
The IPSec tunnels?
Can they reach internal servers using IP addresses (ie, if you try to connect to a known IPv6/NAT64 address)?
Does the DNS lookups internally work?

Some things to test:

* Can you reach the internal DNS servers from your DA server?
* Can you either upload the DCA log somewhere and post a link to it or post the output from 'netsh namespace show policy' ?

Jonas Blom | Relevo AB | http://blog.nrpt.se
- Marked as answer by Andy QiMicrosoft community contributor, Moderator Friday, January 4, 2013 6:05 AM
Wednesday, November 7, 2012 11:04 AM

Well until recently we only had one static IP address, I then purchased a block of 5 which I NAT through my firewall (NEGEAR UTM50) it was at this point that I my clients started to experience a whole variety of errors. At first I thought maybe I had setup the static IP addresses incorrectly and I called NETGEAR to double check my work which appears to be correct as other services such as exchange are working as intended. However, nothing I did or have tried thus far has resolved my issues with DirectAccess. I have made sure that the rule to forward port 443 is in place and I can verify on the outside that it is in fact open and going to the right internal system.

My clients are seeing the following errors:

DirectAccess connectivity status for user: <domain>\<user> is
Error: Corporate connectivity is not working. Windows is unable to contact the DirectAccess server. 7/11/2012 6:55:38 (UTC) 
Probes List 
HTTP: http://directaccess-WebProbeHost.<hostname>.net (Fail) 
DTE List 
PING: fd75:8204:2033:1000::1 (Fail) 
PING: fd75:8204:2033:1000::2 (Fail) 
PING: fd41:259d:2605:1000::1 (Fail) 
PING: fd41:259d:2605:1000::2 (Fail) 
PING: fd86:a2c9:3566:1000::1 (Fail) 
PING: fd86:a2c9:3566:1000::2 (Fail) 
PING: fd5d:b787:fe28:1000::1 (Pass) 
PING: fd5d:b787:fe28:1000::2 (Pass)

I then managed to get some to connect but they quickly disconnect and then eventually they revert back to the above.

When running "ipconfig /all" on both the Server and Client I see the following information.

Server:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : DA01
   Primary Dns Suffix  . . . . . . . : <DOMAIN>.COM
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : <DOMAIN>.COM

Ethernet adapter V105:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
   Physical Address. . . . . . . . . : 00-50-56-9C-7C-7C
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : fd5d:b787:fe28:3333::1(Preferred)
   Link-local IPv6 Address . . . . . : fe80::34d8:360c:624d:abc1%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.100.105.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.100.105.254
   DHCPv6 IAID . . . . . . . . . . . : 251678806
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-FE-D3-BB-00-50-56-9C-55-BE

   DNS Servers . . . . . . . . . . . : 10.100.105.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{4F6ADC57-4821-4E6C-8818-53C8504D6632}:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : fd5d:b787:fe28:1:0:5efe:10.100.105.10(Preferred)
   Link-local IPv6 Address . . . . . : fe80::5efe:10.100.105.10%13(Preferred)
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.100.105.1
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter 6TO4 Adapter:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft 6to4 Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter IPHTTPSInterface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : IPHTTPSInterface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : fd5d:b787:fe28:1000::1(Preferred)
   IPv6 Address. . . . . . . . . . . : fd5d:b787:fe28:1000::2(Preferred)
   IPv6 Address. . . . . . . . . . . : fd5d:b787:fe28:1000:e005:2643:2455:9ab0(Preferred)
   Link-local IPv6 Address . . . . . : fe80::e005:2643:2455:9ab0%16(Preferred)
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Disabled

Client:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : PD07
   Primary Dns Suffix  . . . . . . . : <DOMAIN>.COM
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : <DOMAIN>.COM

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : <DOMAIN>.COM
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
   Physical Address. . . . . . . . . : 00-50-56-9A-5E-84
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::3846:c461:adf3:d29f%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.140.100.185(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, November 6, 2012 11:53:32 PM
   Lease Expires . . . . . . . . . . : Thursday, December 6, 2012 11:53:32 PM
   Default Gateway . . . . . . . . . : 10.140.100.254
   DHCP Server . . . . . . . . . . . : 10.140.100.100
   DHCPv6 IAID . . . . . . . . . . . : 251678806
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-2B-51-40-00-50-56-9A-5E-84

   DNS Servers . . . . . . . . . . . : 10.140.100.100
                                       10.140.100.101
                                       10.108.100.100
                                       10.108.100.101
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.<DOMAIN>.COM:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : <DOMAIN>.COM
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter iphttpsinterface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : iphttpsinterface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : fd5d:b787:fe28:1000:ac36:5c62:5d97:87c6(Preferred)
   Temporary IPv6 Address. . . . . . : fd5d:b787:fe28:1000:9c96:477:6b63:c9c7(Preferred)
   Link-local IPv6 Address . . . . . : fe80::ac36:5c62:5d97:87c6%14(Preferred)
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Disabled

Edited by Pyr3x Wednesday, November 7, 2012 5:47 PM Providing Additional Information

Wednesday, November 7, 2012 4:48 PM

0

Sign in to vote

Hi again,

Your DTE list looks very strange, basically you have 4 different Ipv6 prefixes. And only the last one of these match the IPv6 range that is setup on your DA server. (and those are actually listed as OK)

You say that you have gotten 5 external IPs.
I assume that only one of these are used for IPHTTPS right?
Ie, your IPHTTPS DNS record points to one of these IPs and it is this IPv4 address that is forwarded to the internal server?

Have you tried to recreate the setup a number of times which could lead to the GPOs to be incorrectly configured?

If you run Get-DAServer and check the InternalIPv6Prefix value, does it start with fd5d:b787:fe28:
Jonas Blom | Relevo AB | http://blog.nrpt.se

Friday, November 9, 2012 2:44 PM
0

Sign in to vote
I actually discovered that the settings were corrupted through my attempts to repair DA and re-apply the GPO.

As I could find no clean way to remove the DA settings or the GPO for it I found myself going into the registry and deleting the following registry key to kill the policy:

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft]

Which in turn removed the duplicate DTE settings. However, even when the list was brought down to just two DTE entries it still failed to function.

Also, if you know of a clean way to reset DA settings I'd love to know!
Friday, November 9, 2012 3:06 PM
0

Sign in to vote
This is pretty interesting I found an event popping up while DA clients try and connect through the UTM50 Firewall to the DirectAccess service:

An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

Is something tampering with the SSL Connection?

Can I make it less strict?
Friday, November 9, 2012 5:52 PM
0

Sign in to vote

Hi again,

I looked at the specs for the Netgear Prosafe UTM50 firewall and it can apparently do HTTPS inspection.
This could most likely be a problem if it tries to decrypt the IPHTTPS tunnel and then reencrypt it again.

I would suggest that you look through your manual and see if there are any settings where you could enable/disable HTTPS inspection.

Just to verify that you setup still works after the IP change, can you try adding your old firewall back again instead of the UTM50 but now with the new IPv4 address that you have aquired and are using for the DirectAccess setup?

Jonas Blom | Relevo AB | http://blog.nrpt.se

Friday, November 9, 2012 7:23 PM
0

Sign in to vote
Well I spoke with NETGEAR on it and its not currently turned on nor is any active inspection enabled at this time. The old firewall appears to work perfectly. I am not sure what is happening to the traffic passing through but it must be getting changed somehow. However, here is an interesting fact the client appeared to connect for a short while and then drop again an after rebooting the client it never happened again.

Here is another cool fact:

If I reboot the DA Server the client will connect! If I reboot the client after the fact it will no longer connect, at least until DA is rebooted again!
- Edited by Pyr3x Friday, November 9, 2012 8:52 PM
Friday, November 9, 2012 7:36 PM
0

Sign in to vote
Ok, if the current setup works when you use the old firewall, atleast you know it's something related to the UTM50 ;)

When you reboot the client, does it establish the IPHTTPS connection at all? Do you get any error codes?
(Run the command "netsh interface httpstunnel show interfaces")

Jonas Blom | Relevo AB | http://blog.nrpt.se
- Proposed as answer by Jonas Blom Tuesday, November 13, 2012 6:41 AM
Saturday, November 10, 2012 7:42 PM
0

Sign in to vote
It does appear to establish a connection for a brief moment. A couple of my tests resulted in a stable connection but after rebooting the client it became inconsistent again. Over the period that it was connected I could ping internally and I even did a gpupdate.

However, after the reboot it simply does not connect or its on and off again. Any ideas on why this may be true?

P.S - I am being told to try getting a cert from a public CA so I purchased a 5 year cert. I just do not know how to setup the request from DA.
- Edited by Pyr3x Tuesday, November 13, 2012 5:30 PM
Tuesday, November 13, 2012 3:47 PM
0

Sign in to vote
Hey Pyr3x! I came across this one and wanted to update it for anyone reading it later. Based on another forum post that we worked on yesterday, I believe this issue was resolved by using a certificate from a public CA for the IP-HTTPS listener. We requested and acquired a cert from the CA, put it on the DirectAccess server, and re-ran through the wizards to tell it to use the new certificate.
- Marked as answer by Boo_MonstersIncMicrosoft community contributor, Moderator Friday, November 30, 2012 2:03 AM
Wednesday, November 14, 2012 1:59 PM
0

Sign in to vote

I have not updated this post until I finish running tests over the next few days.

However, thus far directaccess is still working. It all seems to stem from the fact that even though with my old firewall I could get away with using my internal CA for certs the new firewall however, inspects inbound traffic and does not appear to pass traffic signed with bad certificates. When I applied a externally signed certificate the UTM50 began to allow the traffic to pass through.

I will update this thread again when I have run more tests over a greater period of time.

Wednesday, November 14, 2012 3:33 PM
0

Sign in to vote

Hello,

I know this is an old thread but the SSL error you mentioned is probably due to the type of Certificate. If you are using an MD5 has for the Cert then Direct Access will throw that error. You need your cert to be SHA1.

~ Matt

Thursday, January 2, 2014 3:40 PM

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

Answered by:

DirectAccess DNS Entries

Question

Answers

All replies