Channel: Forefront Edge Security – DirectAccess, UAG and IAG Forum
Viewing all 1485 articles

DirectAccess 2016 problem with MSRA.EXE for DirectAccess Client

Hello

I installed DirectAccess 2016 in the DMZ, with just one network card.

Almost everything is functional except the MSRA.exe command.

Let me explain:

When I try to offer remote assistance on a laptop that is in our infrastructure (AD), everything works fine. When the customer connects from home and I have to offer remote assistance to troubleshoot, it does not work; there is a timeout.

To work around this problem, for the moment I have to go into the DNS server and remove the DNS entry corresponding to the IPv4 address of the client's laptop. Then I ask the client to restart his laptop. Once restarted, I go back to the DNS and make sure the entry is in IPv6. From then on it works: the MSRA.exe command works and I can do my thing on the laptop.

On the other hand, when the client comes back with his laptop in our infrastructure, and if I have to offer him assistance remotely, I must first remove the IPv6 entry in the DNS server, then ask the client to restart his laptop. Once done, I make sure the entry in the DNS server is IPv4 and the offer of remote assistance works.

How can I fix this problem? Is it a DNS problem or a bad configuration of DirectAccess?


Thank you in advance


SQL Server Windows NT 64-bit high memory usage on DirectAccess servers.


Dear Experts,

We have DirectAccess W2012R2 on WNLB. Recently we started getting alerts related to High memory usage on both the nodes.

Could you please guide us on what action should be taken to normalize everything?

Regards


DevT-MCT

Two Direct Access on the same domain



Hi

I have DA 2012 R2 that is installed on Windows Server 2012 R2. I need to implement a new installation of DA with Windows Server 2016 and move the clients to the new DA. I read several KBs and everything points to it being supported to have two DAs on the same domain; Group Policy can be assigned manually, CA, NLS etc. can be shared. My concern is that the DNS records for directaccess-webprobehost and directaccess-corpConnectivityHost can only point to one server. Is that something that can be solved? Am I missing something else regarding having two DAs?

NAT64 translation failure


NAT64 recently started to give errors.

ERROR
NAT64 translation failures might be preventing remote clients from accessing IPv4-only servers in the corporate network.

CAUSES
1. NAT64 is not enabled on the server.
2. The NAT64 server cannot be reached.
3. NAT64 translation has failed.

RESOLUTION
1. Ensure that the NAT64 server can be reached on the corporate network.
2. Ensure that NAT64 is enabled on the server.
3. If you have native IPv6 connectivity, ensure that the NAT64/DNS64 prefix is configured in the DirectAccess settings.
4. In the Remote Access Server Setup Wizard, ensure that the default NRPT entry points to the internal address of the NAT64/DNS64 server.

I'm not sure what the cause is or how to troubleshoot it. Any ideas?


Mike Pietrorazio
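A server-side check for the three CAUSES listed in the post above, added here as an example (it is not from the post and not part of the DirectAccess console). It uses the NetworkTransition and RemoteAccess cmdlets that ship with the Remote Access role on Windows Server 2012 R2 and 2016; the IPv4-only host name is an assumed placeholder.

```powershell
# Added example (not from the post or from the DirectAccess console): check the three
# CAUSES above from the DirectAccess server. Run in an elevated Windows PowerShell
# session on a Server 2012 R2 / 2016 DA server (NetworkTransition + RemoteAccess modules).
# Assumption: $Ipv4OnlyHost is a placeholder for an IPv4-only internal server name.
$Ipv4OnlyHost = 'fileserver.corp.example'
$problems = @()

# Cause 1 / resolution 2: is NAT64 enabled on the server?
$nat64 = Get-NetNatTransitionConfiguration
'--- NAT64 (Get-NetNatTransitionConfiguration) ---'
$nat64 | Format-List InstanceName, State, PrefixMapping, IPv4AddressPortPool
if (-not $nat64 -or "$($nat64.State)" -notmatch 'Enabled') { $problems += 'NAT64 is not enabled.' }

# Resolution 3: is DNS64 enabled, and does its prefix match the NAT64 prefix above?
$dns64 = Get-NetDnsTransitionConfiguration
'--- DNS64 (Get-NetDnsTransitionConfiguration) ---'
$dns64 | Format-List State, PrefixMapping, AcceptInterface, SendInterface
if (-not $dns64 -or "$($dns64.State)" -notmatch 'Enabled') { $problems += 'DNS64 is not enabled.' }

# Resolution 4: the NRPT rule pushed to clients must name the DNS64 address as its DNS server.
$nrpt = Get-DAClientDnsConfiguration
'--- NRPT as pushed to clients (Get-DAClientDnsConfiguration) ---'
$nrpt | Format-Table DnsSuffix, DnsIPAddress, ProxyName -AutoSize
$dns64Addr = ($nrpt | Where-Object { $_.DnsIPAddress } | Select-Object -First 1).DnsIPAddress |
             Select-Object -First 1

# Causes 2 and 3: ask DNS64 for an AAAA record of an IPv4-only host. A synthesized answer
# shows DNS64 is reachable and translating names; the returned address must lie inside
# the NAT64 prefix printed above or NAT64 will not translate the traffic afterwards.
if ($dns64Addr) {
    $aaaa = Resolve-DnsName -Name $Ipv4OnlyHost -Type AAAA -Server $dns64Addr -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'AAAA' }
    if ($aaaa) {
        'DNS64 {0} synthesized {1} -> {2}' -f $dns64Addr, $Ipv4OnlyHost, ($aaaa.IPAddress -join ', ')
    } else {
        $problems += "DNS64 at $dns64Addr returned no AAAA for $Ipv4OnlyHost (DNS64 unreachable or not synthesizing)."
    }
} else {
    $problems += 'No DNS server address in the NRPT rules; clients have nothing to query through the tunnel.'
}

# What the console's own monitor reports for the same components.
'--- Get-RemoteAccessHealth (NAT64/DNS64 rows) ---'
Get-RemoteAccessHealth | Where-Object { "$($_.Component)" -match 'Nat64|Dns64' } | Format-List

if ($problems) { "PROBLEMS:`n - " + ($problems -join "`n - ") } else { 'NAT64/DNS64 look healthy from the server side.' }
```

The DNS query against the DNS64 address is the useful part: it exercises the same path the clients use, whereas a ping only proves the address is up.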

Direct Access unable to reach the internet


Hi,

I'm configuring DA 2016 using force tunneling and a proxy. The proxy is already applied through Group Policy, and I enabled force tunneling and assigned "." to use the proxy on the DA server.

The client is connecting successfully and I can reach the internal resources, but I'm unable to surf the internet.

The DA troubleshooting tool finds no problems.

Do I have to enable some extra ports on the DA server so that it will be able to surf?

Having issues with Windows 10 Enterprise clients connecting to DirectAccess


Hi All,

I'm trying to re-set up DirectAccess for our internal users as the old environment just stopped working one day. The DA server is Windows 2012 R2 with a single NIC behind an edge router. Our internal domain name is not reachable from the outside, but we do have a public domain name that points to the internal server. On the DA server, all dashboard diagnostics show green, so I'm fairly confident that the issue is with the client machine.

On the client, I've confirmed that it has the proper security group and GPO. It passes the WMI filtering as well. When I connect to a network that's not on the domain, the DirectAccess service tries to connect but never fully establishes a connection. I'm posting the output of the DirectAccess Client Troubleshooting Tool and have changed the internal and external domain names for security. Any help would be greatly appreciated.

[4/13/2016 2:47:07 PM]: User canceled the tests.
[4/13/2016 2:47:08 PM]: In worker thread, going to start the tests.
[4/13/2016 2:47:08 PM]: Running Network Interfaces tests.
[4/13/2016 2:47:08 PM]: VMware Network Adapter VMnet1 (VMware Virtual Ethernet Adapter for VMnet1): fe80::3426:769:fbee:6e74%27;: 192.168.52.1/255.255.255.0;
[4/13/2016 2:47:08 PM]: No default gateway found for VMware Network Adapter VMnet1.
[4/13/2016 2:47:08 PM]: VMware Network Adapter VMnet8 (VMware Virtual Ethernet Adapter for VMnet8): fe80::cd01:47d0:a9f8:834a%6;: 192.168.135.1/255.255.255.0;
[4/13/2016 2:47:08 PM]: No default gateway found for VMware Network Adapter VMnet8.
[4/13/2016 2:47:08 PM]: Wi-Fi (Marvell AVASTAR Wireless-AC Network Controller): 2602:304:b319:d780:1d81:5c4e:f26f:5077;: 2602:304:b319:d780:edec:6b68:55eb:5192;: fe80::1d81:5c4e:f26f:5077%21;: 192.168.1.240/255.255.255.0;
[4/13/2016 2:47:08 PM]: Multiple default gateways found for Wi-Fi!
[4/13/2016 2:47:08 PM]: Teredo Tunneling Pseudo-Interface (Teredo Tunneling Pseudo-Interface): 2001:0:9d38:90d7:1036:f29:b4ce:6287;: fe80::1036:f29:b4ce:6287%17;
[4/13/2016 2:47:08 PM]: No default gateway found for Teredo Tunneling Pseudo-Interface.
[4/13/2016 2:47:08 PM]: Warning - this client computer has multiple default gateways defined!
[4/13/2016 2:47:08 PM]: Wi-Fi has configured the default gateway fe80::3e36:e4ff:fe66:7ca0%21.
[4/13/2016 2:47:08 PM]: Default gateway fe80::3e36:e4ff:fe66:7ca0%21 for Wi-Fi replies on ICMP Echo requests, RTT is 3 msec.
[4/13/2016 2:47:08 PM]: Wi-Fi has configured the default gateway 192.168.1.254.
[4/13/2016 2:47:08 PM]: Default gateway 192.168.1.254 for Wi-Fi replies on ICMP Echo requests, RTT is 1 msec.
[4/13/2016 2:47:08 PM]: Received a response from the public DNS server (8.8.8.8), RTT is 67 msec.
[4/13/2016 2:47:08 PM]: Received a reply from the public DNS server (2001:4860:4860::8888), RTT is 66 msec.
[4/13/2016 2:47:08 PM]: Running Inside/Outside location tests.
[4/13/2016 2:47:08 PM]: NLS is https://DirectAccess-NLS.<internal name>.com:62000/insideoutside.
[4/13/2016 2:47:08 PM]: NLS is not reachable via HTTPS, the client computer is not connected to the corporate network (external) or the NLS is offline.
[4/13/2016 2:47:08 PM]: NRPT contains 2 rules.
[4/13/2016 2:47:08 PM]:      Found (unique) DNS server: fded:4b9:e759:3333::1
[4/13/2016 2:47:08 PM]:      Send an ICMP message to check if the server is reachable.
[4/13/2016 2:47:14 PM]: DNS Server fded:4b9:e759:3333::1 does not reply on ICMP Echo requests.
[4/13/2016 2:47:20 PM]: DNS Server fded:4b9:e759:3333::1 does not reply on ICMP Echo requests.
[4/13/2016 2:47:20 PM]: Running IP connectivity tests.
[4/13/2016 2:47:20 PM]: The 6to4 interface service state is default.
[4/13/2016 2:47:20 PM]: Teredo inferface status is online.
[4/13/2016 2:47:20 PM]:     The configured DirectAccess Teredo server is win10.ipv6.microsoft.com..
[4/13/2016 2:47:20 PM]: The IPHTTPS interface is operational.
[4/13/2016 2:47:20 PM]:     The IPHTTPS interface status is IPHTTPS interface active.
[4/13/2016 2:47:20 PM]: IPHTTPS is used as IPv6 transition technology.
[4/13/2016 2:47:20 PM]:     The configured IPHTTPS URL is https://directaccess.<external name>.com:443.
[4/13/2016 2:47:20 PM]: IPHTTPS has a single site configuration.
[4/13/2016 2:47:20 PM]: IPHTTPS URL endpoint is: https://directaccess.<external name>.com:443.
[4/13/2016 2:47:20 PM]:     Successfully connected to endpoint https://directaccess.<external name>.com:443.
[4/13/2016 2:47:20 PM]: No response received from <internal name>.com.
[4/13/2016 2:47:20 PM]: Running Windows Firewall tests.
[4/13/2016 2:47:20 PM]: The current profile of the Windows Firewall is Public.
[4/13/2016 2:47:20 PM]: The Windows Firewall is enabled in the current profile Public.
[4/13/2016 2:47:20 PM]: The outbound Windows Firewall rule Core Networking - Teredo (UDP-Out) is enabled.
[4/13/2016 2:47:20 PM]: The outbound Windows Firewall rule Core Networking - IPHTTPS (TCP-Out) is enabled.
[4/13/2016 2:47:20 PM]: Running certificate tests.
[4/13/2016 2:47:20 PM]: No usable machine certificate found.
[4/13/2016 2:47:20 PM]: Found 0 machine certificates on this client computer.
[4/13/2016 2:47:20 PM]: Running IPsec infrastructure tunnel tests.
[4/13/2016 2:47:20 PM]: Failed to connect to domain sysvol share \\<internal name>.com\sysvol\<internal name>.com\Policies.
[4/13/2016 2:47:20 PM]: Running IPsec intranet tunnel tests.
[4/13/2016 2:47:20 PM]: Successfully reached fded:4b9:e759:1000::1, RTT is 11 msec.
[4/13/2016 2:47:20 PM]: Successfully reached fded:4b9:e759:1000::2, RTT is 10 msec.
[4/13/2016 2:47:20 PM]: Failed to connect to HTTP probe at http://directaccess-WebProbeHost.<internal name>.com.
[4/13/2016 2:47:20 PM]: Successfully reached HTTP probe at http://directaccess.<external name>.com/.
[4/13/2016 2:47:20 PM]: Running selected post-checks script.
[4/13/2016 2:47:20 PM]: No post-checks script specified or the file does not exist.
[4/13/2016 2:47:20 PM]: Finished running post-checks script.
[4/13/2016 2:47:20 PM]: Finished running all tests.
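The lines "No usable machine certificate found" / "Found 0 machine certificates" and the failed infrastructure tunnel test in the log above are the ones a practitioner would chase first. The following PowerShell is an added example, not from the post: it reproduces the tool's certificate check on the Windows 10 client (private key, Client Authentication EKU, valid chain) and shows the DA client status and the IPsec main-mode SAs. No site-specific names are assumed.

```powershell
# Added example (not from the post): client-side checks for the "No usable machine
# certificate found" and "Failed to connect to domain sysvol share" lines above.
# Run in an elevated Windows PowerShell session on the Windows 10 DirectAccess client.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU, the one the tool checks for

function Get-DaMachineCertificate {
    # Machine certificates that have a private key, carry the Client Authentication EKU
    # and build a valid chain. Verify() also checks revocation: if the CRL distribution
    # point is only reachable inside the corporate network, validation fails when the
    # client is outside, which is exactly where DirectAccess has to work.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid }) -and
        $_.Verify()
    }
}

function Show-DaClientState {
    $certs = @(Get-DaMachineCertificate)
    if ($certs.Count -eq 0) {
        'No usable machine certificate in Cert:\LocalMachine\My: enroll one (autoenrollment or certreq) and re-run.'
        # Listing what is in the store with the reason each certificate fails separates
        # "never enrolled" from "enrolled but not valid from here".
        Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
            [pscustomobject]@{
                Subject       = $_.Subject
                HasPrivateKey = $_.HasPrivateKey
                ClientAuthEku = [bool]($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
                ChainValid    = $_.Verify()
                NotAfter      = $_.NotAfter
            }
        } | Format-Table -AutoSize
    } else {
        $certs | Format-Table Subject, NotAfter, Thumbprint -AutoSize
    }

    # DirectAccess client status as Windows itself sees it (DirectAccessClientComponents module).
    Get-DAConnectionStatus | Format-List Status, Substatus

    # IPsec main-mode SAs: none at all means neither the infrastructure nor the intranet
    # tunnel negotiated; the Id columns show which identity (certificate, Kerberos) was used.
    Get-NetIPsecMainModeSA | Format-Table LocalEndpoint, RemoteEndpoint, LocalFirstId, RemoteFirstId -AutoSize
}
Show-DaClientState
```

Run it once on the corporate network and once outside: a certificate that passes inside but fails outside points at CRL reachability rather than at enrollment.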

DirectAccess and Outlook Anywhere with Outlook 2016


Hi all,

Having a devil of a time with DirectAccess and Outlook 2016.  First, we are using Split Tunneling in DirectAccess.  Which works fine, but Outlook 2016 performance is awful - hangs and not responding messages when composing New or Replying to emails.  So we enabled Outlook Anywhere and got that working fine with DirectAccess off.  If we turn DirectAccess on in Windows 10 (by starting the IPHelper Service), Outlook 2016 still uses Outlook Anywhere to connect, but the Hangs and Not Responding messages are back when composing new mail or replying to mail.

We excluded all the Exchange related FQDN in NRPT on the URA server, but no success, the hangs are still there.  If we stop the IP Helper service (Specifically the Network Connection Assistant, which manages the NRPT) then Outlook performs perfectly.  What am I missing?

Thanks,

Chris

Direct Access 2012 and SCCM Remote Tools


I have created Direct Access 2012 NLB cluster in single NIC scenario behind NAT. All DA clients are Windows 7 and only IP-HTTPS.
Everything is fine, clients can connect to internal resources, but I want also manage-out these clients.
So I created additional FW rules according http://blogs.technet.com/b/edgeaccessblog/archive/2010/09/14/how-to-enable-remote-desktop-sharing-rds-rdp-from-corporate-machines-to-directaccess-connected-machines.aspx
I deployed ISATAP only on my test computer according http://blog.msedge.org.uk/2011/11/limiting-isatap-services-to-uag.html
Now I can access shares on the DA client and RDP, but SCCM 2007 SP Remote Control doesn't work. It displays "starting remote session" and then connection failed (0x80004005). Application distribution and Windows updates are working.
Of course when on the local intranet Remote Control is working.
We have a UAG DA test environment; when I remove the DA 2012 GPOs and add the UAG DA GPOs (also only IP-HTTPS, Teredo and 6to4 are disabled) on the same client, Remote Control is working.
So any suggestions? Is this some kind of single NIC scenario limitation?
P.S. Another strange thing - when the client is connected through UAG DA, in the SCCM Management Console on the computer object I can see the IPv6 address of the IPHTTPS adapter; when through DA 2012 there are no IPv6 addresses.


Deploying Remote Access Always On VPN server 2016 in Microsoft Azure


Dear experts,

We are planning to deploy Remote Access Always On VPN on Server 2016 in Microsoft Azure. Is this configuration supported?

(Always-on VPN with Windows Server 2016 and Windows 10 clients) over Microsoft Azure. 

It will be a great help if anyone shares a Microsoft public article

Regards


DevT-MCT

Windows 10 1803 removing IPv4/6 Transition Technologies like ISATAP? What will this do to DirectAccess clients?


Hello,

We have a single DirectAccess site deployed using IP-HTTPS only.

Internally we do not have native IPv6 support, so we have leveraged the RRAS/DA server to also be our ISATAP router. Using Group Policy we can make sure our technician computers get the ISATAP settings so that they can manage-out the DirectAccess clients that are on the road.

This essentially allows us to access/ping remote clients even if we don't have IPv6 internally.

Essentially we followed Richard Hicks guides on this.

If the technician computers are upgraded to Windows 10 1803 - will that mean that ISATAP is no more? Meaning if we don't have native IPv6 internally - we won't be able to manage-out those clients that are remote on DA?

Connecting to DA clients from internal network


Hi,

We are running Direct Access and for the end users it runs fine, but I'm facing an issue in managing the DA clients.

When using DA, the clients can connect to all servers and services over IPv6; pinging a server FQDN will return an IPv6 address.

But when internal servers (SCCM / AV), other than the DA servers, want to connect to these clients they can't make a connection.

I don't have any IPv6 DHCP scopes, but all servers have a link-local address.
When doing a NSLOOKUP for a client name, it returns 3 IPv6 addresses (FD00 / 2001 / 2A02).
Doing a ping from the DA-servers it is successful, when doing a ping from the AV or SCCM server it just can't resolve the clients IP address.

Since I don't want to break the DA-environment I need some help in fixing this issue.

Anyone knows where to start?

Thanks, Dennis 
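The MSRA post at the top of this page, the SCCM Remote Control post and Dennis's post above are all the same manage-out question: can an internal host resolve a remote DA client to its tunnel IPv6 address and reach it? The following PowerShell is an added example (not from any of the posts) to run on the management host (SCCM/AV server or technician PC). The client name and the port are assumed placeholders; it expects ISATAP or native IPv6 on the management host, as the posts describe.

```powershell
# Added example (not from the posts): manage-out readiness check, run from an internal
# management host toward a DirectAccess client.
# Assumptions: $ClientName is a placeholder; internal DNS serves the AD zone; the
# management host reaches DA clients over ISATAP or native IPv6.
param(
    [string]$ClientName = 'laptop01.corp.example',   # assumed client FQDN
    [int]$Port = 3389                                # 3389 = RDP; Offer Remote Assistance also uses DCOM/RPC
)

function Test-DaManageOut {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Port = 3389)

    # 1. The management host needs a routable (non link-local) IPv6 address of its own;
    #    an fe80:: address alone cannot reach a DA client's IP-HTTPS or Teredo address.
    $v6 = Get-NetIPAddress -AddressFamily IPv6 |
          Where-Object { $_.IPAddress -notlike 'fe80*' -and $_.IPAddress -ne '::1' }
    $isatap = Get-NetIsatapConfiguration -ErrorAction SilentlyContinue

    # 2. DNS: a connected DA client registers its tunnel address as an AAAA record. A stale
    #    A record from the LAN resolves to an address nothing can reach while the client is remote,
    #    which is the symptom the MSRA post works around by deleting records by hand.
    $a    = Resolve-DnsName $ComputerName -Type A    -ErrorAction SilentlyContinue | Where-Object Type -eq 'A'
    $aaaa = Resolve-DnsName $ComputerName -Type AAAA -ErrorAction SilentlyContinue | Where-Object Type -eq 'AAAA'

    # 3. Reachability of each AAAA address on the management port, from this host.
    $reach = foreach ($rec in $aaaa) {
        $t = Test-NetConnection -ComputerName $rec.IPAddress -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{ Address = $rec.IPAddress; PingOk = $t.PingSucceeded; TcpOk = $t.TcpTestSucceeded }
    }

    [pscustomobject]@{
        Client            = $ComputerName
        LocalRoutableIPv6 = ($v6.IPAddress -join ', ')
        Isatap            = if ($isatap) { "$($isatap.State) router=$($isatap.Router)" } else { 'n/a' }
        ARecords          = ($a.IPAddress -join ', ')
        AAAARecords       = ($aaaa.IPAddress -join ', ')
        Reachability      = $reach
    }
}

Test-DaManageOut -ComputerName $ClientName -Port $Port | Format-List
```

If AAAARecords is empty the client never registered its tunnel address (or the zone is not dynamic); if it is populated but TcpOk is false, the gap is routing on the management host (no ISATAP/native IPv6 path to the DA server) or the client-side firewall rule for the management tool.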

Windows 10 Direct Access Workplace Connection keeps Connecting


Hi,

I'm using two Win 10 computers with Win 10 1803. As far as I can tell both computers have the same configuration and I'm using the same user. Though, since one of the last Windows Updates, only one computer has a reliable Direct Access connection to our Windows Server 2016 Direct Access Server. I ran the built-in Direct Access troubleshooter, but it couldn't identify the issue. The log tells what I pasted below.

What can I do for further analysis? Is anyone else experiencing this issue with the latest Windows 10 Updates?

Any advice in advance

John

------------------------------------------------------------------------------

Connection to a Workplace Using DirectAccess

No issues detected
Detection details

Informational: Diagnostics Information (IPHTTPS)
Details about IPHTTPS diagnosis: 


Interface iphttpsinterface Parameters
------------------------------------------------------------
Total bytes received       : 907726
Total bytes sent           : 523344

Interface IPHTTPSInterface (Group Policy)  Parameters
------------------------------------------------------------
Role                       : client
URL                        : https://ras.mydomain.com:443/IPHTTPS
Last Error Code            : 0x0
Interface Status           : IPHTTPS interface active 

 
 
Informational: Diagnostics Information (Teredo)
Details about Teredo diagnosis: 

Teredo Parameters
---------------------------------------------
Type                    : disabled
Server Name             : win1711.ipv6.microsoft.com.
Client Refresh Interval : 30 seconds
Client Port             : unspecified
State                   : offline
Error                   : none

 
 
Informational: Diagnostics Information (IPHTTPS)
Details about IPHTTPS diagnosis: 


Interface iphttpsinterface Parameters
------------------------------------------------------------
Total bytes received       : 908774
Total bytes sent           : 524104

Interface IPHTTPSInterface (Group Policy)  Parameters
------------------------------------------------------------
Role                       : client
URL                        : https://ras.mydomain.com:443/IPHTTPS
Last Error Code            : 0x0
Interface Status           : IPHTTPS interface active 

 
 
Informational: Diagnostics Information (Teredo)
Details about Teredo diagnosis: 

Teredo Parameters
---------------------------------------------
Type                    : disabled
Server Name             : win1711.ipv6.microsoft.com.
Client Refresh Interval : 30 seconds
Client Port             : unspecified
State                   : offline
Error                   : none

 
 
Informational: Network Diagnostics Log
File Name:  B00AFB88-6483-4AD3-85F7-942279952698.Diagnose.0.etl 
 
Informational: Other Networking Configuration and Logs
File Name:  NetworkConfiguration.cab 
 
Collection information 
Computer Name:  MyPC
Windows Version: 10.0 
Architecture: x64 
Time: Thursday, May 31, 2018 1:10:13 AM 

Publisher details

Windows Network Diagnostics 
Detects problems with network connectivity. 
Package Version: 4.0 
Publisher: Microsoft Windows 
Connection to a Workplace Using DirectAccess 
Find and fix problems with connecting to your workplace network using DirectAccess. 
Package Version: 3.0 
Publisher: Microsoft Corporation 


John

What will happen if I change authentication method on Remote server setup page?


Now I've got rid of all my old clients I'd like to change the authentication method for DirectAccess to just Active Directory and not use Certificates anymore.

This will change the GPO, so will it stop existing clients from connecting in if they're expecting to use a certificate for authentication?


Richard P

DirectAccess Reconnect

We have been running Direct Access for a few years now; it works great...most of the time. It is running on Server 2012, and we also use OTP. When clients lose connectivity to their network, is there any way to reconnect to DA without having to reboot the PC? Our users do not have access to services (I've read somewhere about restarting the IP Helper service); the PCs are locked down. Thanks.

Windows 10 Clients not connecting


I am trying to implement a Direct Access server for testing purposes and with the use of several instructional blogs, I have the server configured and showing all green, but my client can detect when it is on or off the network but fails to completely connect when it is off network.

My DA server is a 2012 R2 VM with 2 NICs, one in the DMZ and the other on my server vLAN.  Both NICs are configured with static IP, netmask, gateway and DNS, IPv6 is enabled, and the firewalls are "on."  Installation was very much "out of the box" follow the wizard, where the main issue I had to troubleshoot was that the DNS server was the local DA server and not my internal DNS servers.

With my client I am getting a number of the same DNS related messages both on and off network.  Here are the troubleshooting logs:

On Network-

[6/18/2018 11:21:29 AM]: In worker thread, going to start the tests.
[6/18/2018 11:21:29 AM]: Running Network Interfaces tests.
[6/18/2018 11:21:29 AM]: Ethernet (Intel(R) 82579LM Gigabit Network Connection): fe80::29cd:5605:43dc:787f%7;: [PC_IP]/255.255.255.0;
[6/18/2018 11:21:29 AM]: Default gateway found for Ethernet.
[6/18/2018 11:21:29 AM]: Ethernet has configured the default gateway 192.168.20.1.
[6/18/2018 11:21:29 AM]: Default gateway 192.168.20.1 for Ethernet replies on ICMP Echo requests, RTT is 25 msec.
[6/18/2018 11:21:29 AM]: Received a response from the public DNS server (8.8.8.8), RTT is 18 msec.
[6/18/2018 11:21:40 AM]: The public DNS Server (2001:4860:4860::8888) does not reply on ICMP Echo requests, the request or response is maybe filtered?
[6/18/2018 11:21:40 AM]: Running Inside/Outside location tests.
[6/18/2018 11:21:40 AM]: NLS is https://[NLS DNS Name]/.
[6/18/2018 11:21:41 AM]: NLS is reachable via HTTPS, the client computer is connected to the corporate network (internal).
[6/18/2018 11:21:41 AM]: NRPT contains 3 rules.
[6/18/2018 11:21:41 AM]: Found (unique) DNS server: fd74:b930:60d8:3333::1
[6/18/2018 11:21:41 AM]: Send an ICMP message to check if the server is reachable.
[6/18/2018 11:21:53 AM]: DNS Server fd74:b930:60d8:3333::1 does not reply on ICMP Echo requests.
[6/18/2018 11:21:53 AM]: Running IP connectivity tests.
[6/18/2018 11:21:54 AM]: The 6to4 interface service state is default.
[6/18/2018 11:21:55 AM]: Teredo inferface status is offline.
[6/18/2018 11:21:55 AM]: The configured DirectAccess Teredo server is win1710.ipv6.microsoft.com..
[6/18/2018 11:21:56 AM]: The IPHTTPS interface is operational.
[6/18/2018 11:21:56 AM]: The IPHTTPS interface status is IPHTTPS interface not installed..
[6/18/2018 11:21:56 AM]: Teredo is used as IPv6 transition technology.
[6/18/2018 11:21:56 AM]: The configured IPHTTPS URL is https://da.[Domain]:443.
[6/18/2018 11:21:56 AM]: IPHTTPS has a single site configuration.
[6/18/2018 11:21:56 AM]: IPHTTPS URL endpoint is: https://da.[Domain]:443.
[6/18/2018 11:21:56 AM]: Failed to connect to endpoint https://da.[Domain]:443.
[6/18/2018 11:22:07 AM]: No response received from ad.[Domain].
[6/18/2018 11:22:07 AM]: Running Windows Firewall tests.
[6/18/2018 11:22:07 AM]: Warning - the current profile of the Windows Firewall is Domain.
[6/18/2018 11:22:07 AM]: The Windows Firewall is enabled in the current profile Domain.
[6/18/2018 11:22:08 AM]: The outbound Windows Firewall rule Core Networking - Teredo (UDP-Out) is enabled.
[6/18/2018 11:22:08 AM]: The outbound Windows Firewall rule Core Networking - IPHTTPS (TCP-Out) is enabled.
[6/18/2018 11:22:08 AM]: Running certificate tests.
[6/18/2018 11:22:08 AM]: Found 2 machine certificates on this client computer.
[6/18/2018 11:22:08 AM]: Checking certificate [no subject] with the serial number [190000004E031D1E276A02FFAA00010000004E].
[6/18/2018 11:22:08 AM]: The certificate [190000004E031D1E276A02FFAA00010000004E] contains the EKU Client Authentication.
[6/18/2018 11:22:08 AM]: The trust chain for the certificate [190000004E031D1E276A02FFAA00010000004E] was sucessfully verified.
[6/18/2018 11:22:08 AM]: Checking certificate CN=[PCName].ad.[Domain] with the serial number [190000004D1E070D2E777F401C00010000004D].
[6/18/2018 11:22:08 AM]: The certificate [190000004D1E070D2E777F401C00010000004D] contains the EKU Client Authentication.
[6/18/2018 11:22:08 AM]: The trust chain for the certificate [190000004D1E070D2E777F401C00010000004D] was sucessfully verified.
[6/18/2018 11:22:08 AM]: Running IPsec infrastructure tunnel tests.
[6/18/2018 11:22:08 AM]: Successfully connected to domain sysvol share, found 31 policies.
[6/18/2018 11:22:08 AM]: Running IPsec intranet tunnel tests.
[6/18/2018 11:22:19 AM]: Failed to connect to fd74:b930:60d8:1000::1 with status TimedOut.
[6/18/2018 11:22:31 AM]: Failed to connect to fd74:b930:60d8:1000::2 with status TimedOut.
[6/18/2018 11:22:31 AM]: Successfully reached HTTP probe at http://directaccess-WebProbeHost.ad.[Domain].
[6/18/2018 11:22:31 AM]: Running selected post-checks script.
[6/18/2018 11:22:31 AM]: No post-checks script specified or the file does not exist.
[6/18/2018 11:22:31 AM]: Finished running post-checks script.
[6/18/2018 11:22:31 AM]: Finished running all tests.

Off Network

[6/18/2018 11:19:41 AM]: In worker thread, going to start the tests.
[6/18/2018 11:19:41 AM]: Running Network Interfaces tests.
[6/18/2018 11:19:41 AM]: Wi-Fi (Intel(R) Centrino(R) Advanced-N 6205): fe80::88be:56fb:5811:e833%2;: [PC_IP]/255.255.255.0;
[6/18/2018 11:19:41 AM]: Default gateway found for Wi-Fi.
[6/18/2018 11:19:41 AM]: Teredo Tunneling Pseudo-Interface (Teredo Tunneling Pseudo-Interface): 2001:0:9d38:953c:189e:9518:94a3:8539;: fe80::189e:9518:94a3:8539%5;
[6/18/2018 11:19:41 AM]: Default gateway found for Teredo Tunneling Pseudo-Interface.
[6/18/2018 11:19:41 AM]: Wi-Fi has configured the default gateway 192.168.1.1.
[6/18/2018 11:19:41 AM]: Default gateway 192.168.1.1 for Wi-Fi replies on ICMP Echo requests, RTT is 14 msec.
[6/18/2018 11:19:41 AM]: Teredo Tunneling Pseudo-Interface has configured the default gateway ::.
[6/18/2018 11:19:41 AM]: Warning - default gateway :: for Teredo Tunneling Pseudo-Interface does not reply on ICMP Echo requests, the request or response is maybe filtered?
[6/18/2018 11:19:41 AM]: Received a response from the public DNS server (8.8.8.8), RTT is 201 msec.
[6/18/2018 11:19:53 AM]: The public DNS Server (2001:4860:4860::8888) does not reply on ICMP Echo requests, the request or response is maybe filtered?
[6/18/2018 11:19:53 AM]: Running Inside/Outside location tests.
[6/18/2018 11:19:53 AM]: NLS is https://[NLS DNS Name]/.
[6/18/2018 11:20:14 AM]: NLS is not reachable via HTTPS, the client computer is not connected to the corporate network (external) or the NLS is offline.
[6/18/2018 11:20:14 AM]: NRPT contains 3 rules.
[6/18/2018 11:20:14 AM]: Found (unique) DNS server: fd74:b930:60d8:3333::1
[6/18/2018 11:20:14 AM]: Send an ICMP message to check if the server is reachable.
[6/18/2018 11:20:26 AM]: DNS Server fd74:b930:60d8:3333::1 does not reply on ICMP Echo requests.
[6/18/2018 11:20:26 AM]: Running IP connectivity tests.
[6/18/2018 11:20:27 AM]: The 6to4 interface service state is default.
[6/18/2018 11:20:27 AM]: Teredo inferface status is online.
[6/18/2018 11:20:27 AM]: The configured DirectAccess Teredo server is win1710.ipv6.microsoft.com..
[6/18/2018 11:20:28 AM]: The IPHTTPS interface is not operational, last error code is 0x2af9.
[6/18/2018 11:20:28 AM]: The IPHTTPS interface status is failed to connect to the IPHTTPS server. Waiting to reconnect.
[6/18/2018 11:20:28 AM]: Teredo is used as IPv6 transition technology.
[6/18/2018 11:20:28 AM]: The configured IPHTTPS URL is https://da.[Domain]:443.
[6/18/2018 11:20:28 AM]: IPHTTPS has a single site configuration.
[6/18/2018 11:20:28 AM]: IPHTTPS URL endpoint is: https://da.[Domain]:443.
[6/18/2018 11:20:28 AM]: Failed to connect to endpoint https://da.[Domain]:443.
[6/18/2018 11:20:28 AM]: No response received from ad.[Domain].
[6/18/2018 11:20:28 AM]: Running Windows Firewall tests.
[6/18/2018 11:20:28 AM]: The current profile of the Windows Firewall is Public.
[6/18/2018 11:20:28 AM]: The Windows Firewall is enabled in the current profile Public.
[6/18/2018 11:20:28 AM]: The outbound Windows Firewall rule Core Networking - Teredo (UDP-Out) is enabled.
[6/18/2018 11:20:28 AM]: The outbound Windows Firewall rule Core Networking - IPHTTPS (TCP-Out) is enabled.
[6/18/2018 11:20:28 AM]: Running certificate tests.
[6/18/2018 11:20:28 AM]: Found 2 machine certificates on this client computer.
[6/18/2018 11:20:28 AM]: Checking certificate [no subject] with the serial number [190000004E031D1E276A02FFAA00010000004E].
[6/18/2018 11:20:28 AM]: The certificate [190000004E031D1E276A02FFAA00010000004E] contains the EKU Client Authentication.
[6/18/2018 11:20:28 AM]: The trust chain for the certificate [190000004E031D1E276A02FFAA00010000004E] was sucessfully verified.
[6/18/2018 11:20:28 AM]: Checking certificate CN=[PCName].ad.[Domain] with the serial number [190000004D1E070D2E777F401C00010000004D].
[6/18/2018 11:20:28 AM]: The certificate [190000004D1E070D2E777F401C00010000004D] contains the EKU Client Authentication.
[6/18/2018 11:20:28 AM]: The trust chain for the certificate [190000004D1E070D2E777F401C00010000004D] was sucessfully verified.
[6/18/2018 11:20:28 AM]: Running IPsec infrastructure tunnel tests.
[6/18/2018 11:20:28 AM]: Failed to connect to domain sysvol share \\ad.[Domain]\sysvol\ad.[Domain]\Policies.
[6/18/2018 11:20:28 AM]: Running IPsec intranet tunnel tests.
[6/18/2018 11:20:39 AM]: Failed to connect to fd74:b930:60d8:1000::1 with status TimedOut.
[6/18/2018 11:20:51 AM]: Failed to connect to fd74:b930:60d8:1000::2 with status TimedOut.
[6/18/2018 11:20:51 AM]: Failed to connect to HTTP probe at http://directaccess-WebProbeHost.ad.[Domain].
[6/18/2018 11:20:51 AM]: Running selected post-checks script.
[6/18/2018 11:20:51 AM]: No post-checks script specified or the file does not exist.
[6/18/2018 11:20:51 AM]: Finished running post-checks script.
[6/18/2018 11:20:51 AM]: Finished running all tests.

It appears that my main issue(s) are that I'm having DNS connection issues, which doesn't surprise me.  This is the first thing in my environment that requires IPv6 to operate, so I don't really have a configured infrastructure for it.  Another thing that I'm not quite clear on is whether I need to install DNS services on the DA server itself, which currently, I don't.  In my current iteration of troubleshooting these are where I'm focusing my research but I'm not finding much.  Does anyone have some advice or see something that I don't, I am new to reading these logs after all and am probably missing something. Thanks
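In the off-network log above the decisive lines are "The IPHTTPS interface is not operational, last error code is 0x2af9" and "Failed to connect to endpoint https://da.[Domain]:443". 0x2af9 is Winsock error 11001, WSAHOST_NOT_FOUND: the IP-HTTPS host name did not resolve from outside. The following PowerShell is an added example, not from the post: on the Windows 10 client it reads the IP-HTTPS URL from the applied policy, tests resolution and TCP reachability, reports the interface state, and then tests the NRPT DNS servers with a DNS query rather than the ICMP echo the tool uses. Nothing site-specific is assumed; it reads everything from the client's own configuration.

```powershell
# Added example (not from the post): off-network checks for
#   "The IPHTTPS interface is not operational, last error code is 0x2af9"
#   "Failed to connect to endpoint https://da.[Domain]:443"
# 0x2af9 = Winsock 11001, WSAHOST_NOT_FOUND. Run on the Windows 10 client while it is
# off the corporate network (Windows PowerShell 5.1, DnsClient + NetworkTransition modules).

function Test-DaIpHttpsEndpoint {
    # Take the IP-HTTPS URL from the Group Policy configuration the client actually uses.
    $cfg = Get-NetIPHttpsConfiguration | Where-Object { $_.ServerURL } | Select-Object -First 1
    if (-not $cfg) { throw 'No IP-HTTPS configuration found; the DirectAccess client GPO has not applied.' }
    $uri = [uri]$cfg.ServerURL

    # 1. Name resolution. The IP-HTTPS name is exempted in the NRPT, so it must resolve
    #    through the local network's ordinary DNS (a public zone), never through DNS64.
    #    A name that only exists in internal DNS fails here with exactly 0x2af9.
    $rr = Resolve-DnsName -Name $uri.Host -DnsOnly -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -in 'A', 'AAAA' }

    # 2. TCP reachability of the listener through whatever edge/NAT sits in front of it.
    $tcp = if ($rr) { Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue }

    # 3. What the IP-HTTPS client itself reports.
    $state = Get-NetIPHttpsState
    [pscustomobject]@{
        Url             = $cfg.ServerURL
        ResolvedTo      = if ($rr) { $rr.IPAddress -join ', ' } else { 'NOT RESOLVED (matches 0x2af9 / WSAHOST_NOT_FOUND)' }
        TcpOpen         = [bool]($tcp -and $tcp.TcpTestSucceeded)
        LastErrorCode   = '0x{0:x}' -f $state.LastErrorCode
        InterfaceStatus = $state.InterfaceStatus
    }
}

function Test-DaNrptDnsServers {
    # The tool pings the DNS64 address; ICMP may be filtered, a DNS query is the real test.
    # It can only succeed once the IP-HTTPS tunnel is up, so run it after the check above passes.
    foreach ($rule in Get-DnsClientNrptPolicy | Where-Object { $_.DirectAccessDnsServers }) {
        foreach ($ns in $rule.DirectAccessDnsServers) {
            $probe = 'directaccess-webprobehost' + $rule.Namespace   # Namespace is ".ad.domain"
            $ans   = Resolve-DnsName -Name $probe -Server $ns -ErrorAction SilentlyContinue
            [pscustomobject]@{ Namespace = $rule.Namespace; DnsServer = $ns; Answers = [bool]$ans }
        }
    }
}

Test-DaIpHttpsEndpoint | Format-List
Test-DaNrptDnsServers  | Format-Table -AutoSize
```

On the question in the post about DNS services on the DA server: the client never talks to the DA server's DNS role. It resolves the IP-HTTPS name through whatever DNS the local network hands out, and everything under the corporate suffix through the DNS64 address in the NRPT, which the DA server provides without a separate DNS Server role.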


Collect Logs and Email - not working on Windows 10


I am in the process of setting up a DA server (which is working), and am documenting troubleshooting steps for IT.  One issue I am seeing is on the Client side - specific to when you want to collect the logs and email.

I have the Group Policy setup with the DA connection name, and the email address the logs should go to.  However when I click the button - "Collect" - nothing happens.

My understanding is that the default email program (In this case Outlook 2013) should open up, and attach the log files to an email message.  But nothing appears.

I can advise that the log file is generated in the normal location (which I can advise IT to look for) but why is the email portion not working?

I have tried setting the default "Mail" application that comes with Windows 10 as default, but it won't work either.

Public CRL vs Internal CRL DirectAccess Clients


Do we need public CRL for Windows 10 clients only?

We do not plan to ever support Windows 7 clients; therefore we would like to use only a private (internal) PKI infrastructure and not have any external dependency on a 3rd party CA.

DirectAccess Network Adapter Warning - Corporate network route publish


Hi - I'm hoping someone can help shed some light on an error I am getting on a DirectAccess Server.

This is a fresh installation and from what I can see, clients are having no issues connecting.

The configuration of our server is on a solely IPv4 network running DA on a single network adapter. We are using IPHTTPS only.

The error I am receiving is: DirectAccess clients cannot connect to all resources on the corporate network.

What I am unclear on is what routes I will need to set and why DA hasn't created it automatically? The only thing I can think is that the network adapter already had a static IPv6 address assigned when I started configuring DA so it didn't have full control over as much as usual.

Any help would be most greatly appreciated.

Many thanks,

Chris
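A way to see what the warning above is about, added as an example (not from the post): on the DA server, list the IPv6 routes with their Publish flag, which decides whether a route is advertised to DirectAccess clients over the IP-HTTPS interface, together with the forwarding/advertising state of the interfaces. The corrective `Set-NetRoute` line at the end uses an assumed prefix and is left commented out.

```powershell
# Added example (not from the post): on the DA server, show which IPv6 routes are
# published (advertised to DA clients) and which interfaces forward/advertise.
# Run in an elevated Windows PowerShell session. The Set-NetRoute line uses an assumed
# prefix; replace it with the corporate prefix the console refers to before running it.

function Get-DaPublishedRoute {
    Get-NetRoute -AddressFamily IPv6 |
        Where-Object { $_.DestinationPrefix -notlike 'fe80*' -and $_.DestinationPrefix -notlike 'ff00*' } |
        Sort-Object DestinationPrefix |
        Select-Object DestinationPrefix, InterfaceAlias, NextHop, Publish, RouteMetric
}

'--- IPv6 interfaces: the IP-HTTPS interface should show Forwarding and Advertising enabled ---'
Get-NetIPInterface -AddressFamily IPv6 |
    Format-Table InterfaceAlias, Forwarding, Advertising, ConnectionState -AutoSize

'--- IPv6 routes and their Publish flag ---'
Get-DaPublishedRoute | Format-Table -AutoSize

# A corporate prefix whose route shows Publish = No is one thing to check on a server that,
# as in the post, already carried a static IPv6 address before DirectAccess was configured.
# Assumed prefix below; review the listing first, then publish the route and re-check:
# Set-NetRoute -DestinationPrefix 'fd00:1234:5678::/64' -Publish Yes
# Get-DaPublishedRoute | Where-Object Publish -eq 'Yes'
```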



Direct Access DNS warning


Hi,

I have configured two direct access servers using Multisites.

The NRPT table which was configured automatically by DA contains 4 records:

da1.company.com (cannot be edited)

any suffix (Cannot be edited)

da2.company.com (cannot be edited, but now it can)

nls.company.com (cannot be edited)

I guess along the way of adding a new entry point a change has been made to the NRPT (specifically on da2.company.com) and now whenever I try to change anything in DA I'm receiving the following error:

"Exemption entry da1.company.com cannot be modified or deleted in the NRPT"

"Exemption entry da2.company.com cannot be modified or deleted in the NRPT"

I am even receiving a warning in the operation status for "DA1.company.com":

Enterprise DNS server (::1) used by DirectAccess clients for name resolution are not responding.

The strange thing is that there is no full IPv6 address but only (::1). Is it possible to reset the settings of the NRPT table for this record through PowerShell? I tried to delete it and manually add it, but whatever I do I receive the above error.

Any help will be appreciated.
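The NRPT that DirectAccess pushes to clients can be read and re-set from the server with the RemoteAccess module; the following is an added example (not from the post). The suffix, entry point name and DNS64 address are assumed values: the DNS64 listener is normally the DA server's own IPv6 prefix with `:3333::1`, so `::1` (loopback) in the warning is what to replace.

```powershell
# Added example (not from the post): inspect and re-set the NRPT entries DirectAccess
# pushes to clients, from the DA server's RemoteAccess module (elevated session).
# Assumed values, replace before running:
$Suffix     = '.company.com'
$Dns64Addr  = 'fd12:3456:789a:3333::1'   # DNS64 address of entry point DA1 (never ::1)
$EntryPoint = 'DA1.company.com'

# 1. Current state. Exemption entries (da1/da2/nls) carry no DnsIPAddress and are owned by
#    the wizard, which is why the console refuses to edit or delete them; the suffix entry
#    carries the "enterprise DNS server" address that the operations status complains about.
Get-DAClientDnsConfiguration | Format-Table DnsSuffix, DnsIPAddress, ProxyName, ProxyPort -AutoSize

# 2. Re-point the suffix entry at the DNS64 address for this entry point. This rewrites
#    the DA client GPO; clients pick it up at their next policy refresh.
Set-DAClientDnsConfiguration -DnsSuffix $Suffix -DnsIPAddress $Dns64Addr -EntryPointName $EntryPoint -PassThru

# 3. Confirm the server-side monitor now sees a responding enterprise DNS server.
Get-RemoteAccessHealth | Where-Object { "$($_.Component)" -match 'Dns' } | Format-List
```

Only entries you added yourself can be removed with `Remove-DAClientDnsConfiguration -DnsSuffix`; the wizard-owned exemption entries are expected to reject modification, so the fix targets the suffix entry rather than the exemptions named in the error.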

DirectAccess + Offline Files + DFS + Slow-link mode


Hi,

We use DirectAccess in our environment for remote workers. We also have Offline Files configured.

We are finding that remote workers never go offline on slow-link connections. As standard, I set this in GPO:

Configure slow-link mode: Enabled

Name: \\corp.domain.com\dfsroot
Value: Latency=32000

Name: \\corp.domain.com\folder1
Value: Latency=20

Name: \\corp.domain.com\folder2
Value: Latency=120

Folder1 is our user home directories which are redirected. On a connection slower than 20ms it stays online, causing terrible performance out of the office. If I even set Folder1 to Latency=1 it still stays online.

If I manually set the home folder drive map to Work Offline, performance is brilliant. All drive maps point to the DFS namespace shares.

What am I missing? All of our remote workers are running Windows 10 Enterprise.

Thanks
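To see why a path stays online, compare the thresholds the policy sets with the latency the client actually measures. The following PowerShell is an added example, not from the post. It assumes the "Configure slow-link mode" setting is stored under the registry key named in the code (name = UNC path, data = `Latency=<ms>[,Throughput=<bps>]`) and Windows PowerShell 5.1 on the Windows 10 client; with a domain-based DFS namespace the UNC host is the domain name, so the example expands to the real folder targets when the DFS management tools are installed.

```powershell
# Added example (not from the post): compare the slow-link thresholds from the
# "Configure slow-link mode" policy with the latency this client measures.
# Assumption: the policy is read from the key below (GPO stores name = UNC path,
# data = "Latency=<ms>[,Throughput=<bps>]"); Windows PowerShell 5.1 (Test-Connection
# returns ResponseTime; PowerShell 7 renames it to Latency).
$SlowLinkKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetCache\SlowLinkParams'

function Get-SlowLinkThreshold {
    param([string]$Path = $SlowLinkKey)
    if (-not (Test-Path $Path)) { return }
    $item = Get-Item $Path
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        $m = [regex]::Match($data, 'Latency=(\d+)')
        [pscustomobject]@{
            Path      = $name
            HostName  = ($name.TrimStart('\') -split '\\')[0]   # \\corp.domain.com\folder1 -> corp.domain.com
            LatencyMs = if ($m.Success) { [int]$m.Groups[1].Value } else { $null }
        }
    }
}

function Resolve-ShareHost {
    # With a domain-based DFS namespace the UNC host is the domain name, so a ping to it
    # lands on a domain controller rather than on the file server that holds the data.
    # When the DFS tools are present, expand to the folder targets instead.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$HostName)
    if (Get-Command Get-DfsnFolderTarget -ErrorAction SilentlyContinue) {
        $targets = Get-DfsnFolderTarget -Path $Path -ErrorAction SilentlyContinue
        if ($targets) { return $targets | ForEach-Object { ($_.TargetPath.TrimStart('\') -split '\\')[0] } }
    }
    $HostName
}

function Measure-SlowLink {
    param([int]$Count = 4)
    foreach ($t in Get-SlowLinkThreshold) {
        foreach ($server in Resolve-ShareHost -Path $t.Path -HostName $t.HostName) {
            $rtt = Test-Connection -ComputerName $server -Count $Count -ErrorAction SilentlyContinue |
                   Measure-Object -Property ResponseTime -Average | Select-Object -ExpandProperty Average
            [pscustomobject]@{
                Path        = $t.Path
                Server      = $server
                ThresholdMs = $t.LatencyMs
                MeasuredMs  = if ($null -ne $rtt) { [math]::Round($rtt) } else { $null }
                # Offline Files moves a path to slow-link (offline) mode only when the measured
                # latency to the server it evaluates is above the configured value.
                SlowLink    = ($null -ne $rtt -and $null -ne $t.LatencyMs -and $rtt -gt $t.LatencyMs)
            }
        }
    }
}
Measure-SlowLink | Format-Table -AutoSize
```

A row whose Server column is the domain name rather than a file server, with MeasuredMs below the threshold, is the case to look at: the latency Windows sees for that path may not be the one to the server that actually holds the data.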
