Cannot connect to DirectAccess with IP-HTTPS because of domain suffix issue

Question
Hi,
We have DirectAccess 2012 configured.
When we configured DirectAccess we chose da.contoso.com as the public address used to connect to DA.
The DNS suffixes also include contoso.com and, as I said, this is our internal domain name. When clients try to connect to DirectAccess from the outside they can't, and I can see an error on the IP-HTTPS tunnel creation.
What I did is change the DNS suffixes to corp.contoso.com and apply the configuration.
Now I can connect to DirectAccess successfully, though only to resources with the corp.contoso.com suffix and not to the contoso.com suffix. Is it a requirement to issue the IP-HTTPS certificate on a separate domain name? It sounds a bit strange, especially if I use a private certificate and not a public one...
What's the right way to configure DA in order to be able to connect to both contoso.com and corp.contoso.com resources?
Thanks
Sunday, December 29, 2013 6:53 AM
All replies
Hi,
DirectAccess uses something called the NRPT (Name Resolution Policy Table): http://technet.microsoft.com/sv-se/library/ee649207(v=ws.10).aspx.
With the NRPT you create rules on which namespaces you should use the DirectAccess connection for.
To see how your NRPT is configured on a client, you can type the following in a command prompt:
netsh namespace show policy
If you've stated that you'd like to send *.contoso.com over DirectAccess, and use the address da.contoso.com without having made an exception for that host, you have a chicken-and-egg problem :)
So what you need to do is create an exception for da.contoso.com (you already have an exception for your NLS). See my example below:
So as you can see in my example I have added both contoso.com and corp.contoso.com, but have made exceptions for two specific addresses (da.contoso.com and directaccess-nls.contoso.com). Since I've not added any DNS servers for them, local DNS resolution will always be used for those addresses, and that is exactly what you need to do for your 'da.contoso.com'. (Note that your DNS addresses of course will be different.)
Hope this helps you out!
MCT | MCSE: Private Cloud/Server, Desktop Infrastructure
- Edited by Johan Dahlbom Sunday, December 29, 2013 12:20 PM
- Proposed as answer by Tamirlevy Monday, December 30, 2013 2:53 PM
- Marked as answer by Daniel JiSunModerator Tuesday, January 7, 2014 1:03 AM
Sunday, December 29, 2013 12:17 PM
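As an added example (not part of Johan's reply), the following PowerShell script does on a client what `netsh namespace show policy` shows by hand: it reads the effective NRPT with Get-DnsClientNrptPolicy (DnsClient module, Windows 8/8.1 and later) and reports, for each name, which rule wins and whether resolution goes through the DirectAccess DNS servers or stays local. The host names are the ones used in this thread; in a real deployment your suffixes and the IP-HTTPS public name will differ. The check a practitioner wants is that the tunnel endpoint (da.contoso.com) and the NLS name come back as exemptions, because a client that has to use the tunnel to resolve the tunnel endpoint can never build the tunnel.

```powershell
# Added example, not from the thread. Run on a DirectAccess client.
# Assumes the names used in the thread: contoso.com, corp.contoso.com,
# da.contoso.com and directaccess-nls.contoso.com.

function Get-NrptMatch {
    param([Parameter(Mandatory)][string]$Name)

    # Effective (GPO-applied) NRPT on this client.
    $rules = Get-DnsClientNrptPolicy

    # NRPT uses longest-suffix matching: a rule for the exact FQDN
    # "da.contoso.com" (no leading dot) beats the suffix rule ".contoso.com".
    $best = $rules |
        Where-Object {
            $ns = $_.Namespace
            if ($ns.StartsWith('.')) { $Name.EndsWith($ns, 'OrdinalIgnoreCase') }
            else { $Name -ieq $ns }
        } |
        Sort-Object { $_.Namespace.Length } -Descending |
        Select-Object -First 1

    if (-not $best) {
        # No rule at all: the name is resolved by the interface's normal DNS servers.
        return [pscustomobject]@{ Name = $Name; Rule = '(none)'; Resolver = 'local/public DNS' }
    }

    # A matching rule with no DirectAccess DNS servers is an exemption rule:
    # it deliberately keeps the name on local/public DNS.
    $daServers = @($best.DirectAccessDnsServers | Where-Object { $_ })
    [pscustomobject]@{
        Name     = $Name
        Rule     = $best.Namespace
        Resolver = if ($daServers.Count -gt 0) {
                       "DirectAccess DNS: $($daServers -join ', ')"
                   } else {
                       'local/public DNS (exemption)'
                   }
    }
}

# The first two names must NOT resolve via DirectAccess DNS; the last two should.
'da.contoso.com',
'directaccess-nls.contoso.com',
'fileserver.contoso.com',
'app.corp.contoso.com' |
    ForEach-Object { Get-NrptMatch -Name $_ } |
    Format-Table -AutoSize
```

If da.contoso.com shows a DirectAccess DNS server in the Resolver column, the client has exactly the chicken-and-egg configuration described above; after the exemption is added on the server, run `gpupdate /force` on the client and repeat the check.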
Helps a lot for me!
Thanks
Tamir Levy
Monday, December 30, 2013 2:54 PM
Hi Johan,
I thought it helped me, though when I tried to add da.contoso.com it didn't allow me to add it without a DNS server. If I try to add it and leave the DNS server blank, the "Apply Configuration" fails. It forces me to add a DNS server, so that's what I did.
It looks more like a "by design" kind of issue.
The only way I managed to get around the problem, after I added it with a DNS server, was to edit the DirectAccess Client Settings GPO manually: there I went to the Name Resolution Policy and modified the da.contoso.com entry, changed it from a DNS suffix to an FQDN and cleared the DNS server.
After that it worked! Though I'm not really satisfied with the solution...
Modifying the GPO manually is not supported by design, and now every time I try to make a change in my DA it might remove my settings.
Any suggestions?
Tamir Levy
Thursday, January 2, 2014 5:29 PM
Hi Tamir,
That sounds strange. I have done the configuration I pointed you to as a solution a lot of times and have never experienced the issues you did. Are you getting the error in the "Infrastructure servers" part, or are you getting it when actually trying to deploy the GPO itself by clicking Finish?
Instead of using the GUI, you could use PowerShell to add the suffix without a DNS server with the cmdlet below:
Add-DAClientDnsConfiguration -DnsSuffix da.contoso.com
http://technet.microsoft.com/en-us/library/hh918437.aspx
In my environment, both methods work very well.
/Johan
MCT | MCSE: Private Cloud/Server, Desktop Infrastructure
- Edited by Johan Dahlbom Friday, January 3, 2014 11:51 PM
- Marked as answer by Daniel JiSunModerator Tuesday, January 7, 2014 1:03 AM
Friday, January 3, 2014 11:21 PM
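As an added example (not part of Johan's reply, and not Microsoft's own script), here is the server-side counterpart of the one-liner above, written so it can be re-run safely after wizard changes that Tamir worried would overwrite his manual GPO edit. It uses the RemoteAccess module cmdlets Get-DAClientDnsConfiguration, Add-DAClientDnsConfiguration and Remove-DAClientDnsConfiguration, and assumes the returned entries expose DnsSuffix and DnsIPAddress properties matching the cmdlet parameters of the same names. The name da.contoso.com is the thread's; substitute your own IP-HTTPS public name.

```powershell
# Added example, not from the thread. Run on the DirectAccess server with the
# RemoteAccess module available. Ensures the IP-HTTPS public name is present in
# the client NRPT configuration as an exemption (an entry with no DNS server).

function Ensure-DaPublicNameExemption {
    param([string]$PublicName = 'da.contoso.com')   # assumed: the DA public address

    $entries = Get-DAClientDnsConfiguration
    # Assumption: each entry has DnsSuffix and DnsIPAddress, like the cmdlet parameters.
    $entry = $entries | Where-Object { $_.DnsSuffix -ieq $PublicName }

    if ($null -eq $entry) {
        # Missing entirely: the parent suffix rule (.contoso.com) would send the
        # tunnel endpoint's lookup over the tunnel. Add the exemption.
        return Add-DAClientDnsConfiguration -DnsSuffix $PublicName -PassThru
    }

    if ($entry.DnsIPAddress) {
        # Present but pointing at internal DNS (what the GUI forced): clients
        # would again try to resolve the endpoint through the tunnel. Replace it
        # with an exemption by re-adding the suffix without -DnsIPAddress.
        Remove-DAClientDnsConfiguration -DnsSuffix $PublicName -Force
        return Add-DAClientDnsConfiguration -DnsSuffix $PublicName -PassThru
    }

    # Already an exemption; nothing to change.
    return $entry
}

# Apply, then list the whole table so the two exemptions (DA public name and
# NLS) are visible next to the suffix rules that do go over DirectAccess.
Ensure-DaPublicNameExemption -PublicName 'da.contoso.com' | Out-Null
Get-DAClientDnsConfiguration |
    Select-Object DnsSuffix, @{ n = 'DnsIPAddress'; e = { $_.DnsIPAddress -join ', ' } } |
    Format-Table -AutoSize
```

Because the change goes through the RemoteAccess cmdlets rather than a hand edit of the DirectAccess Client Settings GPO, it is written into the same configuration the wizard reads, so a later "Apply Configuration" keeps it instead of reverting it.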