Troubleshooting DirectAccess Clients Step by Step

Basic troubleshooting steps are shown in order on the following slides to help with everything from basic misconfigurations to more advanced problems. Use these steps when you have one or more DirectAccess clients that cannot connect.

Written by: Tom Daniels, [email protected], www.DirectAccessGuide.com
Version 1.3

Uploaded by shannon-gallagher; posted on 21-Dec-2015



Page 2: Make sure the client has DirectAccess GPOs (Step 1)

Check with rsop.msc or gpresult /r

Page 3: Make sure the client has DirectAccess GPOs (Step 1)

Missing GPOs usually mean the DA computer is not in the DirectAccess security group, or sits in an OU that the DirectAccess Client GPO does not target.
If you’ve recently added the computer to a security group, it needs a reboot to pick up the new group membership. When in doubt, reboot the computer to make sure it has the proper group membership.

Page 4: DA Client must think it’s on the Internet (Step 2)

Check the status of NCSI to make sure the computer thinks it’s on the Internet.

Page 5: DA Client must think it’s on the Internet (Step 2)

Windows uses the Network Connectivity Status Indicator (NCSI) to determine Internet connectivity.
Check the network icon to make sure it doesn’t show any warnings or errors.
Ensure NCSI can reach www.msftncsi.com/ncsi.txt.
Some Internet connections require a proxy server.
Most public Internet connections have a splash page you need to log on to before you can reach Internet resources.

Page 6: Check to see if the DA client is disconnected (Step 3)

See if the DA client has been manually disconnected.

Page 7: Check to see if the DA client is disconnected (Step 3)

On Windows 7, a DirectAccess client can be manually disconnected by selecting “Use local DNS resolution” in the DirectAccess Connectivity Assistant (DCA).
On Windows 8, the Disconnect option on the DirectAccess connection manually disconnects the DirectAccess client connection.

Page 8: Check network profile (Step 4)

The network profile needs to be Public or Home for most DA installs to work properly.

Page 9: Check network profile (Step 4)

The network profile controls which firewall profile applies.
Some environments disable the Work firewall profile, which breaks DirectAccess if a user selects Work when presented with a new network connection.
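The following PowerShell is an added example, not part of Tom Daniels’ deck, that automates Steps 1, 2 and 4 from a single elevated prompt. It assumes Windows 8 or later (for Get-NetConnectionProfile), an English-language gpresult (the section headers it parses are literal strings), and that your DirectAccess client GPO name contains the word “DirectAccess”; the NCSI probe URL is the one the deck names in Step 2.

```powershell
# Added example (not from the deck). Assumes Windows 8 or later, English gpresult output,
# and an elevated PowerShell prompt (gpresult /scope:computer needs admin rights).

function Get-GpresultSection {
    # Returns the indented lines that follow a gpresult section header, up to the
    # next blank line, skipping the dashed underline beneath the header.
    param([string[]]$Lines, [string]$Header)
    $out = @(); $inSection = $false
    foreach ($line in $Lines) {
        if ($inSection) {
            if ($line -match '^\s*$') { break }
            if ($line -match '^\s*-+\s*$') { continue }
            $out += $line.Trim()
        } elseif ($line -match [regex]::Escape($Header)) {
            $inSection = $true
        }
    }
    return $out
}

function Get-DaAppliedPolicy {
    # Step 1: did a DirectAccess GPO apply, and which security groups does the computer
    # token hold right now? (Group membership is stale until the machine reboots.)
    $lines  = gpresult /r /scope:computer | ForEach-Object { "$_" }
    $gpos   = Get-GpresultSection -Lines $lines -Header 'Applied Group Policy Objects'
    $groups = Get-GpresultSection -Lines $lines -Header 'The computer is a part of the following security groups'
    [pscustomobject]@{
        AppliedGpos = $gpos -join '; '
        DaGpoFound  = [bool]($gpos -match 'DirectAccess')   # assumption: GPO name contains "DirectAccess"
        Groups      = $groups -join '; '
    }
}

function Test-NcsiProbe {
    # Step 2: NCSI's active probe fetches this file and expects the body "Microsoft NCSI".
    # A captive-portal splash page or an authenticating proxy returns something else.
    $uri = 'http://www.msftncsi.com/ncsi.txt'
    try {
        $body = (Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 10).Content.Trim()
        $ok = ($body -eq 'Microsoft NCSI')
        [pscustomobject]@{ Check = 'NCSI probe'; OK = $ok; Detail = if ($ok) { $body } else { 'Unexpected body: captive portal or proxy?' } }
    } catch {
        [pscustomobject]@{ Check = 'NCSI probe'; OK = $false; Detail = $_.Exception.Message }
    }
}

function Get-DaNetworkProfileStatus {
    # Step 2: at least one adapter must report Internet connectivity.
    # Step 4: the category should be Public or Private; DomainAuthenticated means the
    # client believes it is inside the corporate network, so DirectAccess will not engage.
    foreach ($p in Get-NetConnectionProfile) {
        $internet = ($p.IPv4Connectivity -eq 'Internet') -or ($p.IPv6Connectivity -eq 'Internet')
        [pscustomobject]@{
            Interface = $p.InterfaceAlias
            Category  = $p.NetworkCategory
            Internet  = $internet
            Verdict   = if (-not $internet) { 'No Internet connectivity reported (Step 2)' }
                        elseif ($p.NetworkCategory -eq 'DomainAuthenticated') { 'Domain profile: client thinks it is on the intranet (Step 4)' }
                        else { 'OK' }
        }
    }
}

Get-DaAppliedPolicy        | Format-List
Test-NcsiProbe             | Format-Table -AutoSize
Get-DaNetworkProfileStatus | Format-Table -AutoSize
```

If DaGpoFound is false but the computer appears in the DirectAccess group, the reboot the slide recommends is the next step; if the NCSI probe fails while the browser works, look for a proxy or splash page before going any further down the list.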

Page 10: Check key services on the DirectAccess client (Step 5)

Make sure the key services are running on the DirectAccess client.

Page 11: Check key services on the DirectAccess client (Step 5)

IP Helper must be running for the IPv6 transition adapters (Teredo, 6to4, IP-HTTPS) to load.
The Windows Firewall service must also be running for DirectAccess clients to negotiate IPsec correctly.
The IKE and AuthIP IPsec Keying Modules service must be running for machines to communicate using IPsec, which DirectAccess requires.
The Network Connectivity Assistant service is used on Windows 8+ systems to show DirectAccess status.

Page 12: Check Windows firewall profile (Step 6)

Check that the Windows Firewall Public and Private profiles are enabled, using wf.msc or netsh adv sh pub and netsh adv sh priv.

Page 13: Check Windows firewall profile (Step 6)

Not only does the Windows Firewall service need to be running; the Public and Private profiles in Windows Firewall also need to be enabled. If either is disabled, IPsec will not work correctly on the DA client.
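The script below is an added example, not the deck’s own, covering Steps 5 and 6 together: it checks the four services named on the Step 5 slide by their short service names (iphlpsvc, MpsSvc, IKEEXT and NcaSvc) and the state of the Public and Private firewall profiles. It assumes Windows 8 or later for Get-NetFirewallProfile; on Windows 7 the netsh commands on the Step 6 slide give the same answer, and NcaSvc will report as not installed there, which is expected.

```powershell
# Added example (not from the deck). Assumes Windows 8 or later for Get-NetFirewallProfile.
# NcaSvc exists only on Windows 8+, so "NotInstalled" for it on Windows 7 is normal.

$RequiredServices = @(
    @{ Name = 'iphlpsvc'; Purpose = 'IP Helper: loads the Teredo, 6to4 and IP-HTTPS adapters' },
    @{ Name = 'MpsSvc';   Purpose = 'Windows Firewall: needed to negotiate IPsec' },
    @{ Name = 'IKEEXT';   Purpose = 'IKE and AuthIP IPsec Keying Modules' },
    @{ Name = 'NcaSvc';   Purpose = 'Network Connectivity Assistant (status on Windows 8+)' }
)

function Test-DaClientServices {
    # Step 5: one row per required service with its current state and start mode.
    foreach ($svc in $RequiredServices) {
        $s = Get-Service -Name $svc.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service   = $svc.Name
            Status    = if ($s) { $s.Status } else { 'NotInstalled' }
            StartMode = if ($s) { (Get-WmiObject -Class Win32_Service -Filter "Name='$($svc.Name)'").StartMode } else { '' }
            OK        = [bool]($s -and $s.Status -eq 'Running')
            Purpose   = $svc.Purpose
        }
    }
}

function Test-DaFirewallProfiles {
    # Step 6: Enabled is a GpoBoolean (True / False / NotConfigured); only 'True' counts,
    # because a disabled profile stops IPsec even when the MpsSvc service is running.
    foreach ($p in Get-NetFirewallProfile -Name Public, Private) {
        [pscustomobject]@{
            Profile = $p.Name
            Enabled = $p.Enabled
            OK      = ($p.Enabled -eq 'True')
        }
    }
}

function Start-DaRequiredServices {
    # Remediation for Step 5: start any installed service that is stopped (needs elevation).
    Test-DaClientServices | Where-Object { $_.Status -eq 'Stopped' } | ForEach-Object {
        Start-Service -Name $_.Service
        "Started $($_.Service)"
    }
}

Test-DaClientServices   | Format-Table Service, Status, StartMode, OK -AutoSize
Test-DaFirewallProfiles | Format-Table -AutoSize
```

A service that is stopped with StartMode “Disabled” points at a policy or hardening baseline rather than a one-off failure; fix the policy, or Start-DaRequiredServices will only help until the next reboot. The same applies to a firewall profile that shows Enabled as False: if it is set by GPO, Set-NetFirewallProfile is overwritten at the next policy refresh.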

Page 14: Check DNS suffix search order (Step 7)

The DA client needs the correct DNS suffix search order listed. Check the top of ipconfig /all.

Page 15: Check DNS suffix search order (Step 7)

Most users expect to reach resources by short name. If the DNS suffix search order is blank or incomplete, this causes problems.
If you suspect a problem with the DNS suffix search order, try to reach the same resources by FQDN instead and see whether that works.

Page 16: Check NRPT settings (Step 8)

Check that the Name Resolution Policy Table (NRPT) lists the correct domain/host names by running netsh na sh po.

Page 17: Check NRPT settings (Step 8)

The NRPT controls which DNS names the DA client resolves across DirectAccess. It’s critical that the domain(s)/hostname(s) the client is trying to resolve appear in the NRPT.
For domains/hostnames that should resolve across DA, make sure the correct IPv6 address of the DA server appears (it usually contains “3333”).
If the NRPT is blank and you’ve confirmed the DirectAccess Clients GPO has applied, then you are running Windows 7/8/8.1 Professional or Home Edition. DirectAccess requires the Enterprise or Ultimate Edition of Windows: http://support.microsoft.com/kb/2756536
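As an added example (not from the deck) for Steps 7 and 8, the PowerShell below reads the same data as the top of ipconfig /all and netsh namespace show policy through the DnsClient module (Windows 8 or later), flags an empty NRPT, and runs the deck’s short-name-versus-FQDN test. The host names fileserver and fileserver.corp.contoso.com at the bottom are placeholders for your own.

```powershell
# Added example (not from the deck). Assumes Windows 8 or later (DnsClient module).

function Get-DaDnsSuffixStatus {
    # Step 7: mirrors the "DNS Suffix Search List" lines at the top of ipconfig /all.
    $list = @((Get-DnsClientGlobalSetting).SuffixSearchList)
    [pscustomobject]@{
        SuffixSearchList = ($list -join ', ')
        OK               = ($list.Count -gt 0)
    }
}

function Get-DaNrptStatus {
    # Step 8: equivalent of netsh namespace show policy. Each namespace that should go over
    # DirectAccess needs the DA server's IPv6 address as its DNS server. Exemption rules
    # (for example the NLS host) intentionally carry no DNS server at all.
    $rules = @(Get-DnsClientNrptPolicy)
    if ($rules.Count -eq 0) {
        return [pscustomobject]@{ Namespace = '(empty table)'; DnsServers = ''; HasIPv6Server = $false;
                                  Note = 'NRPT empty: GPO not applied, or non-Enterprise SKU (see the slide)' }
    }
    foreach ($r in $rules) {
        $servers = @(@($r.DirectAccessDnsServers) + @($r.NameServers) | Where-Object { $_ })
        $ipv6    = @($servers | Where-Object { $_ -match ':' })
        [pscustomobject]@{
            Namespace     = $r.Namespace
            DnsServers    = ($servers -join ', ')
            HasIPv6Server = ($ipv6.Count -gt 0)
            Note          = if ($servers -match '3333') { 'DA server address present (deck heuristic)' }
                            elseif ($servers.Count -eq 0) { 'No DNS server: exemption rule, or misconfigured' }
                            else { '' }
        }
    }
}

function Test-DaNameResolution {
    # Deck advice: if the FQDN resolves but the short name does not, suspect Step 7;
    # if neither resolves, the problem is the NRPT or the tunnel itself (Step 8 onward).
    param([Parameter(Mandatory)][string]$ShortName,
          [Parameter(Mandatory)][string]$Fqdn)
    $short = Resolve-DnsName -Name $ShortName -ErrorAction SilentlyContinue
    $full  = Resolve-DnsName -Name $Fqdn      -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ShortName         = $ShortName
        ShortNameResolves = [bool]$short
        Fqdn              = $Fqdn
        FqdnResolves      = [bool]$full
        Diagnosis         = if ($full -and -not $short) { 'DNS suffix search order (Step 7)' }
                            elseif (-not $full)          { 'NRPT or DirectAccess tunnel (Step 8 onward)' }
                            else                         { 'Name resolution OK' }
    }
}

Get-DaDnsSuffixStatus | Format-List
Get-DaNrptStatus      | Format-Table -AutoSize -Wrap
# Placeholder names: substitute a host that should be reachable over DirectAccess.
Test-DaNameResolution -ShortName 'fileserver' -Fqdn 'fileserver.corp.contoso.com' | Format-List
```

Rules with HasIPv6Server false are not automatically wrong: the NLS exemption and any local-resolution exemptions look exactly like that. The rule to worry about is the corporate namespace (typically .corp.contoso.com style) when it carries no DA server address.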

Page 18: Check DA client certificate (Step 9)

Check for a computer certificate using certutil -store my or by looking in the local computer certificate store in mmc.

Page 19: Check DA client certificate (Step 9)

In most installs a computer certificate is required, especially if Windows 7 DA clients exist. The only exception is a Windows 8-only DA deployment, which can use Kerberos.
Check that the subject name of the certificate matches the name of the computer.
Look at the validity period; the current date needs to be within it.
Review the Extended Key Usage (EKU) on the certificate to ensure it lists at least Client Authentication.
Ensure the client certificate is not listed in the Certificate Revocation List (CRL).

Page 20: Check computer account in AD (Step 10)

Check the domain controller for the computer account to make sure one exists and it’s not disabled.
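The script below is an added example, not the deck’s, for Steps 9 and 10. It walks the same store certutil -store my reads and reports the four properties the Step 9 slide lists (subject matches the computer name, validity window, Client Authentication EKU, and a chain build with online CRL checking), then looks the computer account up in AD over ADSI and decodes the ACCOUNTDISABLE bit. It assumes an elevated prompt on the DA client, that the certificate subject contains the machine FQDN, that the CRL distribution point is reachable, and that a domain controller is reachable for the AD query (run that part from inside the network or over another VPN).

```powershell
# Added example (not from the deck). Run elevated on the DirectAccess client.
# Assumptions: subject contains the machine FQDN; CRL distribution point reachable;
# a domain controller reachable for the ADSI query.

function Test-DaClientCertificate {
    # Step 9: one row per certificate in the local computer's Personal store.
    $domain = (Get-WmiObject -Class Win32_ComputerSystem).Domain
    $fqdn   = "$env:COMPUTERNAME.$domain"
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
    $now = Get-Date

    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })

        # Build the chain with online revocation checking, so a revoked certificate or an
        # unreachable CRL shows up in ChainStatus instead of being silently accepted.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        $chainOk = $chain.Build($cert)
        $status  = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        [pscustomobject]@{
            Thumbprint     = $cert.Thumbprint
            Subject        = $cert.Subject
            SubjectMatches = ($cert.Subject -match [regex]::Escape($fqdn))
            InValidity     = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
            HasClientAuth  = ($ekus -contains $clientAuthOid)
            ChainAndCrlOk  = $chainOk
            ChainStatus    = if ($status) { $status } else { 'NoError' }
        }
    }
}

function Test-DaComputerAccount {
    # Step 10: find the computer account via ADSI (no RSAT needed) and decode the
    # ACCOUNTDISABLE bit (0x2) of userAccountControl. The DN also shows which OU
    # the DirectAccess client GPO has to target (Step 1).
    $sam = "$env:COMPUTERNAME`$"
    $searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$sam))"
    [void]$searcher.PropertiesToLoad.Add('userAccountControl')
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $result = $searcher.FindOne()
    if (-not $result) {
        return [pscustomobject]@{ Account = $sam; Exists = $false; Disabled = $null; DN = '' }
    }
    $uac = [int]$result.Properties['useraccountcontrol'][0]
    [pscustomobject]@{
        Account  = $sam
        Exists   = $true
        Disabled = [bool]($uac -band 0x2)
        DN       = [string]$result.Properties['distinguishedname'][0]
    }
}

Test-DaClientCertificate | Format-List
Test-DaComputerAccount   | Format-List
```

A ChainStatus of RevocationStatusUnknown or OfflineRevocation means the client could not fetch the CRL rather than that the certificate is revoked; that is still a DirectAccess problem, because the server performs the same check, but the fix is CRL publishing or reachability, not re-enrolment.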

Page 21: Check the status of the IP-HTTPS connection (Step 11)

Run the following command on your DirectAccess client to check the state of the IP-HTTPS adapter: netsh int https show int

The output shows the current state of the connection. A good connection should show error code 0x0, like below:

Page 22: Check the status of the IP-HTTPS connection (Step 11)

If you get any error code other than 0x0, there is an issue with the IP-HTTPS negotiation between the DirectAccess client and the DirectAccess server. I’ve posted some of my previous troubleshooting articles for the more common IP-HTTPS error codes:

0x2af9 = http://directaccessguide.com/2013/08/05/getting-ip-https-error-code-0x2af9/

0x2afc = http://directaccessguide.com/2013/08/21/getting-ip-https-error-code-0x2afc/

0x4be = http://directaccessguide.com/2013/09/04/getting-ip-https-error-code-0x4be/

0x32 = http://directaccessguide.com/2014/04/11/getting-ip-https-error-code-0x32/

0x34 = http://directaccessguide.com/2014/05/02/getting-ip-https-error-code-0x34/

0x80090326 = http://directaccessguide.com/2014/06/01/getting-ip-https-error-code-0x80090326

0x643 = http://directaccessguide.com/2014/06/11/getting-ip-https-error-code-0x643/

0x274c = http://directaccessguide.com/2015/03/10/getting-ip-https-error-code-0x274c/
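To close out Step 11, here is an added example (not from the deck) that reads the IP-HTTPS interface state with Get-NetIPHttpsState on Windows 8 or later, falls back to parsing the slide’s netsh command on Windows 7, normalises the error code to the lower-case 0x form, and looks it up in the code-to-article table copied from the slide above. The table maps codes to the author’s articles only; what each code means is in those articles, not in this script.

```powershell
# Added example (not from the deck). Get-NetIPHttpsState needs Windows 8 or later; on
# Windows 7 the same two fields are parsed from 'netsh interface httpstunnel show interfaces'.

# Code-to-article table, copied from the slide (the articles explain each code).
$IpHttpsErrorArticles = @{
    '0x2af9'     = 'http://directaccessguide.com/2013/08/05/getting-ip-https-error-code-0x2af9/'
    '0x2afc'     = 'http://directaccessguide.com/2013/08/21/getting-ip-https-error-code-0x2afc/'
    '0x4be'      = 'http://directaccessguide.com/2013/09/04/getting-ip-https-error-code-0x4be/'
    '0x32'       = 'http://directaccessguide.com/2014/04/11/getting-ip-https-error-code-0x32/'
    '0x34'       = 'http://directaccessguide.com/2014/05/02/getting-ip-https-error-code-0x34/'
    '0x80090326' = 'http://directaccessguide.com/2014/06/01/getting-ip-https-error-code-0x80090326'
    '0x643'      = 'http://directaccessguide.com/2014/06/11/getting-ip-https-error-code-0x643/'
    '0x274c'     = 'http://directaccessguide.com/2015/03/10/getting-ip-https-error-code-0x274c/'
}

function ConvertTo-HexCode {
    # Normalise whatever form the error code arrives in (UInt32, sign-wrapped Int32,
    # or "0x..." text) to the lower-case "0x..." form used as the table key.
    param($Code)
    if ($Code -is [string]) { return $Code.Trim().ToLowerInvariant() }
    $n = [int64]$Code
    if ($n -lt 0) { $n += 4294967296 }   # undo Int32 sign wrap for codes such as 0x80090326
    return '0x{0:x}' -f $n
}

function Get-DaIpHttpsStatus {
    if (Get-Command Get-NetIPHttpsState -ErrorAction SilentlyContinue) {
        $state  = Get-NetIPHttpsState
        $code   = ConvertTo-HexCode $state.LastErrorCode
        $status = $state.InterfaceStatus
    } else {
        # Windows 7: same information from the slide's netsh command.
        $text   = (netsh interface httpstunnel show interfaces) -join "`n"
        $code   = if ($text -match 'Last Error Code\s*:\s*(0x[0-9A-Fa-f]+)') { ConvertTo-HexCode $Matches[1] } else { 'unknown' }
        $status = if ($text -match 'Interface Status\s*:\s*(.+)') { $Matches[1].Trim() } else { 'unknown' }
    }
    [pscustomobject]@{
        InterfaceStatus = $status
        LastErrorCode   = $code
        Healthy         = ($code -eq '0x0')
        Article         = if ($code -eq '0x0') { '' }
                          elseif ($IpHttpsErrorArticles.ContainsKey($code)) { $IpHttpsErrorArticles[$code] }
                          else { 'Not in the list above; the issue is still IP-HTTPS negotiation between client and server' }
    }
}

Get-DaIpHttpsStatus | Format-List
```

Because the earlier steps (services, firewall profiles, certificate) all feed into IP-HTTPS negotiation, treat a non-zero code here as the symptom and the article for that code as the starting point, not as proof that the IP-HTTPS configuration itself is wrong.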