Troubleshooting DirectAccess Clients Step by Step

Troubleshooting DirectAccess Clients Step by Step
Basic troubleshooting steps are shown in order on the next slides to assist from
basic misconfigurations to more advanced problems. These steps are to be used
when you have one or more DirectAccess clients that cannot connect.
Written by :
Tom Daniels
tomdan@outlook.com
www.DirectAccessGuide.com
Version 1.2
Make sure the client has DirectAccess GPOs (Step 1)
Check with rsop.msc or gpresult /r
Make sure the client has DirectAccess GPOs (Step 1)
This can occur when DA computer is not added to the security group or in the
wrong OU not being targeted by the DirectAccess Client GPO
If you’ve recently added the computer to a security group, it does require a
reboot to pick up the new group membership. When in doubt, reboot the
computer to ensure it has proper group membership
DA Client must think it’s on the Internet (Step 2)
Check status of NCSI to make sure computer thinks it’s on the Internet
DA Client must think it’s on the Internet (Step 2)
Windows OS uses Network Connectivity Status Indicator (NCSI) to determine
Internet connectivity.
Check icon to make sure it doesn’t have any warnings or errors
Ensure NCSI in OS can reach www.msftncsi.com/ncsi.txt
Some Internet connections require a proxy server
Most public Internet connections have a splash page you need to logon to
reach Internet resources
Check to see if DA client is disconnected (Step 3)
See if DA Client has been manually disconnected
Check to see if DA client is disconnected (Step 3)
It’s possible to manually disconnect a DirectAccess client by selecting “use local
DNS resolution” with the DirectAccess Connectivity Assistant (DCA) on
Windows 7
On Windows 8, the disconnect option can be selected on a DirectAccess
connection to manually disconnect the DirectAccess client connection.
Check network profile (Step 4)
This needs to be public or home for most DA installs to work properly
Check network profile (Step 4)
This controls what firewall profile will apply
Some environments disable the work firewall profile which can break
DirectAccess if a user selects work when presented with a new network
connection.
Check key services on DirectAccess Client (Step 5)
Make sure key services are running on DirectAccess client
Check key services on DirectAccess Client (Step 5)
IP Helper must be running in order for the IPv6 transition adapters to load
(Terero, 6to4, IP-HTTPS)
The Windows Firewall service must also be running for the DirectAccess clients
to negotiate IPsec correctly
The IKE and AuthIP IPsec Keying Modules service must be running in order for
machines to properly communicate using IPsec which is required for
DirectAccess
The Network Connectivity Assistant is used on Windows 8+ systems to show
DirectAccess Status
Check Windows firewall profile (Step 6)
Check Windows firewall profile is enabled for Public and Private profiles using
wf.msc or netsh adv sh pub and netsh adv sh priv
Check Windows firewall profile (Step 6)
Not only does the Windows firewall service need to be running, the profile in
the Windows Firewall for public and private needs to be enabled. If disabled,
this will prevent IPsec from working correctly on the DA client.
Check DNS Suffix Search Order (Step 7)
The DA client needs to have the correct DNS suffix search orders listed. Check
at top of ipconfig /all
Check DNS Suffix Search Order (Step 7)
Most users expect to get to resources by short name. If the DNS Suffix search
order is blank or not complete this can cause issues
If you suspect a problem with the DNS Suffix search order, try to reach the same
resources by FQDN instead and see if it works
Check NRPT Settings (Step 8)
Check to make sure the Name Resolution Policy Table (NRPT) has the correct
domain/hostnames listed by running netsh na sh po
Check NRPT Settings (Step 8)
The NRPT controls what DNS names the DA client is able to resolve across
DirectAccess. It’s critical to ensure the domain(s)/hostname(s) the client is
trying to resolve appear in the NRPT
For domain/hostnames that should be resolved across DA, make sure the
correct IPv6 address of the DA server appears (usually contains a “3333” IPv6
address)
If the NRPT is blank and you’ve confirmed the DirectAccess Clients GPO has
applied, then you are running Windows 7/8/8.1 Professional or Home Edition.
DirectAccess requires you are running Enterprise or Ultimate Edition of
Windows : http://support.microsoft.com/kb/2756536
Check DA Client certificate (Step 9)
Check for a computer certificate using either certutil –store my or looking in the
local computer certificate store in mmc
Check DA Client certificate (Step 9)
During most installs, a computer certificate is required especially if Windows 7
DA clients exist. Only exception is a Windows 8 only DA deployment which can
use Kerberos.
Check to make sure subject name of certificate matches the name of the
computer
Look at validity period, needs to be within this period
Review Extended Key Usage (EKU) on certificate to ensure it lists at least Client
Authentication
Ensure the client certificate is not listed in the Certificate Revocation List (CRL)
Check computer account in AD (Step 10)
Check domain controller for computer account to make sure on exists and it’s
not disabled
Check the status of the IP-HTTPS connection (Step 11)
You can run the following command on your DirectAccess client to check the
state of the IP-HTTPS adapter : netsh int https show int
You will get an output that will show the current state of the connection. A
good connection should show error code 0×0 like below :
Check the status of the IP-HTTPS connection (Step 11)
If you get any other error code besides 0x0, then you have an issue with the IP-HTTPS
negotiation between the DirectAccess client and DirectAccess server. I’ve posted some of my
previous troubleshooting articles for more common specific IP-HTTPS error codes :
0x2af9 = http://directaccessguide.com/2013/08/05/getting-ip-https-error-code-0x2af9/
0x2afc = http://directaccessguide.com/2013/08/21/getting-ip-https-error-code-0x2afc/
0x4be = http://directaccessguide.com/2013/09/04/getting-ip-https-error-code-0x4be/
0x32 = http://directaccessguide.com/2014/04/11/getting-ip-https-error-code-0x32/
0x34 = http://directaccessguide.com/2014/05/02/getting-ip-https-error-code-0x34/
0x80090326 = http://directaccessguide.com/2014/06/01/getting-ip-https-error-code0x80090326
0x643 = http://directaccessguide.com/2014/06/11/getting-ip-https-error-code-0x643/