2012 DirectAccess Internal Clients Going Offline

  • Question

  • Hi All

    I've got a situation where for some reason Windows 7 DA Clients seem to be going "offline" - the symptom is the Network Location changes to Public even though the clients are connected to the Domain via LAN cable. When this happens, the client can't access any network resources.

    When the issue is being experienced, although the client has an IP assigned via DHCP, it is unable to resolve names via internal DNS lookup. I've checked and I can confirm that, using the IP address of the DA server directly, I can ping the DA server and I can access the https://da.internal.ip/insideoutside page.

    Prior to enabling the DA Server there were no apparent underlying network/infrastructure problems of this nature and desktop clients which still continue to fall outside the DA Group Policy scope are not experiencing any issues (just a bunch of laptops which have been put into the DA Group).

    The only thing I can think of that might be causing issues is the subnetting (bit of a stab in the dark). The DA server is on a 172.x address in the datacenter and the DA clients are on a 192.x address.

    Any ideas?

    The issue raises how important it's going to be to get this thing more "available" (guess we'll be deploying a second DA server real soon).

    One really interesting thing I noticed - I get this feeling the DA Wizards have slightly changed since implementing my first DA Server (using RTM media) - and I have also noticed in the Default Web Site within IIS, the DirectAccess-NLS Certificate is not being applied to any of the bindings. Could that be the cause of any problems?

    Ben

    Friday, November 16, 2012 9:25 AM

Answers

  • Hi,

    By indiscriminately, do you mean that it only happens to certain clients, or that it only happens to random clients at random times?

    There was actually a KB that popped up in a blogpost the other day that referenced a Microsoft KB addressing Windows 7 clients randomly failing to determine that they are on the corporate networks, you can read about it here: http://danstoncloud.com/blogs/simplebydesign/archive/2012/11/11/directaccess-kb-to-keep-in-mind.aspx

    To answer your other question, NLS has actually nothing to do with load balancing or Multisite setups within DirectAccess.
    It is only a simplification in the DA setup that you can now have the Wizard automatically deploy the NLS on the DA server.

    To explain simply, the NLS is an HTTPS-based website that the client tries to reach and get a valid HTML response from.
    (And of course, the certificate must be valid, from a CA that the client trusts, and the name in the certificate must match the NLS URL.)

    What you need to get an HA NLS is simply an HA website.
    An example of how to do it is http://blogs.msdn.com/b/clustering/archive/2009/06/01/9674799.aspx
    Like I said in the previous post, it is your requirements that control how your HA solution should be deployed.
    Personally I would say a VM running on a cluster is often enough. (The NLS does not require any real changes once it is up and running, and a server running IIS is rather simple to keep patching. The most important thing is to have some kind of alarm or calendar event alerting you when the NLS certificate goes out, so you can change it before the certificate goes out)


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Saturday, November 17, 2012 7:02 AM
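    As an added example, not code from this thread, from Relevo or from Microsoft, the following PowerShell script checks from a client each condition Jonas lists for the NLS (the name resolves, HTTPS is reachable, the certificate is within its validity period, chains to a CA the client trusts and carries the name in the NLS URL, and the GET returns HTTP 200) and also flags a certificate that is within a configurable number of days of expiry, which is the alarm he recommends for an HA deployment. The NLS URL is a placeholder to be replaced with your own, and the final step assumes a Windows 7 or later DirectAccess client where `netsh dnsclient show state` reports the machine location; .NET classes are used instead of Resolve-DnsName and Test-NetConnection so the script runs on Windows 7's PowerShell 2.0.

```powershell
# Added example, not code from the thread or from Microsoft: probe an NLS the way a
# DirectAccess client does and report which of the conditions from the answer fails.
# Assumptions: the NLS URL is a placeholder; PowerShell 2.0+ on the client (Windows 7
# lacks Resolve-DnsName/Test-NetConnection, so .NET classes are used instead).
param(
    [string]$NlsUrl = "https://nls.example.corp/insideoutside",  # placeholder, not a real NLS
    [int]$ExpiryWarnDays = 30                                     # lead time for the renewal alarm
)

$uri     = [System.Uri]$NlsUrl
$nlsHost = $uri.Host
$report  = New-Object System.Collections.ArrayList

function Add-Step([string]$Name, [bool]$Ok, [string]$Detail) {
    $null = $report.Add((New-Object PSObject -Property @{ Step = $Name; Ok = $Ok; Detail = $Detail }))
}

# 1. Name resolution. The NRPT on a DA client must exempt the NLS name so that the
#    ordinary corporate DNS answers for it; no answer here means "outside" every time.
try {
    $addrs = @([System.Net.Dns]::GetHostAddresses($nlsHost) | ForEach-Object { $_.IPAddressToString })
    Add-Step "DNS" ($addrs.Count -gt 0) ("Resolved to " + ($addrs -join ", "))
} catch {
    Add-Step "DNS" $false $_.Exception.Message
}

# 2. TCP 443 and the TLS handshake, keeping the server certificate for the checks below.
#    The callback accepts any certificate so the handshake completes and the certificate
#    can be inspected explicitly; nothing sensitive is sent over this connection.
$cert = $null
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($nlsHost, 443)
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($nlsHost)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $proto = $ssl.SslProtocol
    $ssl.Close(); $tcp.Close()
    Add-Step "TLS handshake" $true ("Protocol $proto")
} catch {
    Add-Step "TLS handshake" $false $_.Exception.Message
}

if ($cert) {
    # 3. Validity window, plus the renewal alarm: fail the step when fewer than
    #    $ExpiryWarnDays remain so a scheduled run of this script can raise an alert.
    $now      = Get-Date
    $daysLeft = [int]($cert.NotAfter - $now).TotalDays
    Add-Step "Cert validity" ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter) `
             ("Valid $($cert.NotBefore) to $($cert.NotAfter), $daysLeft days left")
    Add-Step "Cert renewal alarm" ($daysLeft -gt $ExpiryWarnDays) `
             ("Renewal warning threshold: $ExpiryWarnDays days")

    # 4. Chain to a CA this client trusts, using the client's own store as DA does.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk    = $chain.Build($cert)
    $chainState = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "
    Add-Step "Cert chain" $chainOk ("Issuer $($cert.Issuer); status: $chainState")

    # 5. Name match: the subject CN or a DNS SAN must equal the host in the NLS URL.
    $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }   # subjectAltName
    if ($san) { $names += ($san.Format($false) -split ", " | ForEach-Object { ($_ -split "=")[-1] }) }
    Add-Step "Cert name" ($names -contains $nlsHost) ("Names in cert: " + ($names -join ", "))
}

# 6. The request the client actually makes: an HTTPS GET that must return 200 with HTML.
#    WebRequest applies the normal trust rules, so an untrusted or mismatched
#    certificate fails here exactly as it does for the DA client.
try {
    $req = [System.Net.WebRequest]::Create($NlsUrl)
    $req.Timeout = 5000
    $resp = $req.GetResponse()
    $code = [int]$resp.StatusCode
    Add-Step "HTTPS GET" ($code -eq 200) ("HTTP $code, Content-Type $($resp.ContentType)")
    $resp.Close()
} catch {
    Add-Step "HTTPS GET" $false $_.Exception.Message
}

# 7. What the client itself concluded (Windows 7 and later DA clients report this via netsh).
$state    = netsh dnsclient show state
$location = ($state | Select-String "Machine Location").Line
Add-Step "Client verdict" ([string]$location -match "Inside") ([string]$location).Trim()

$report | Format-Table Step, Ok, Detail -AutoSize
```

    Run it on one of the laptops while it shows the Public profile: the first failing step is the reason the client decided it was outside. Run the same script from a machine outside the DA policy scope to confirm the NLS itself is healthy before looking at NRPT or firewall differences on the affected clients. Scheduled on any machine, the "Cert renewal alarm" row gives the early warning the answer calls for.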

All replies

  • Hi,


    It sounds like your clients have problems reaching the NLS website and therefore consider themselves to be external.

    Have you tried connecting to the NLS website from a regular client?
    A good post to read about this is http://blogs.technet.com/b/tomshinder/archive/2010/04/06/when-good-network-location-servers-go-bad-preparing-against-nls-failure.aspx (it talks about UAG deployments though, so certain aspects like having the NLS on the DA server are not discussed in it)

    My suggestion would actually be to move the NLS to a separate webserver.
    Whether this is an HA web server solution or a virtual machine running on a failover cluster is really only up to you and your requirements.


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Friday, November 16, 2012 11:40 AM
  • Thanks Jonas. What is described in that article is exactly what's going on (but can't work out why it's indiscriminately happening).

    Are you aware of any starter guides for implementing NLS across two or more web servers? I'm guessing this is where Multisite or Load Balancing within DA kicks off?

    Saturday, November 17, 2012 1:46 AM