Hi All,
Please help me find the root cause of our DA issue. I've got a virtual machine (Win7 Ent SP1) which was installed, joined to the domain and configured for DA in the corporate network. Then it was moved to a remote location and we are unable to get DA working on it. Other machines worldwide work OK. On the server side UAG 2008 SP3 + rollups is being used. The DNS64 service is running and ISATAP is in place.
If I try to log in to the domain (I have never logged in on that machine before), it says "There are no logon servers available". Then my colleague logs in with his domain account (cached credentials) and we can see DCA reporting that DA is not working.
This is strange because it looks like the tunnel is up and running: I can ping all internal resources and I can also resolve their names to IPv6 addresses with nslookup. I'm, however, unable to access them via HTTP, RDP or file share.
RED: Corporate connectivity is not working.
Corporate network names cannot be resolved. If the problem persists, contact your administrator.
Probes List
PASS - PING: 2002:a123:1234::a123:1234
FAIL - HTTP: http://appsrv.domain.local
DTE List
PASS - PING: 2002:a123:1234::a123:1234
PASS - PING: 2002:a123:1235::a123:1235
IPconfig
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:XXXX:(Preferred)
Link-local IPv6 Address . . . . . : fe80::XXXX(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
netsh int teredo show state
Teredo Parameters
---------------------------------------------
Type : enterpriseclient
Server Name : <UAG server external IP> (Group Policy)
Client Refresh Interval : 30 seconds
Client Port : unspecified
State : qualified
Client Type : teredo client
Network : unmanaged
NAT : restricted
NAT Special Behaviour : UPNP: No, PortPreserving: Yes
Local Mapping : 192.168.1.127:64810
External NAT Mapping : <my home router external IP>:64810
netsh dns show state
Name Resolution Policy Table Options
--------------------------------------------------------------------
Query Failure Behavior : Always fall back to LLMNR and NetBIOS
if the name does not exist in DNS or
if the DNS servers are unreachable
when on a private network
Query Resolution Behavior : Resolve only IPv6 addresses for names
Network Location Behavior : Let Network ID determine when Direct
Access settings are to be used
Machine Location : Outside corporate network
Direct Access Settings : Configured and Enabled
DNSSEC Settings : Not Configured
netsh name show effective
Settings for NLS.domain.local
----------------------------------------------------------------------
Certification authority : CN=DOMAIN.LOCAL Root CA
DNSSEC (Validation) : disabled
IPsec settings : disabled
DirectAccess (DNS Servers) :
DirectAccess (Proxy Settings) : Use default browser settings
Settings for .domain.local
----------------------------------------------------------------------
Certification authority : CN=DOMAIN.LOCAL Root CA
DNSSEC (Validation) : disabled
IPsec settings : disabled
DirectAccess (DNS Servers) : 2002:a123:1234::a123:1234
DirectAccess (Proxy Settings) : Bypass proxy
netsh adv mon show mmsa
No SAs match the specified criteria.
netsh nap client show state
The "Network Access Protection Agent" service is not running.
wevtutil query-events Microsoft-Windows-NetworkAccessProtection/Operational /count:20 /format:text /rd:true
n/a
netsh int ipv6 show int level=verbose
Interface Local Area Connection 3 Parameters
----------------------------------------------
IfLuid : ethernet_10
IfIndex : 20
State : connected
Metric : 5
Link MTU : 1500 bytes
Reachable Time : 39000 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 1
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : enabled
Router Discovery : enabled
Managed Address Configuration : enabled
Other Stateful Configuration : enabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
Interface Teredo Tunneling Pseudo-Interface Parameters
----------------------------------------------
IfLuid : tunnel_6
IfIndex : 29
State : connected
Metric : 50
Link MTU : 1280 bytes
Reachable Time : 16000 ms
Base Reachable Time : 15000 ms
Retransmission Interval : 2000 ms
DAD Transmits : 0
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : enabled
Router Discovery : enabled
Managed Address Configuration : disabled
Other Stateful Configuration : disabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
netsh advf show currentprofile
Public Profile Settings:
----------------------------------------------------------------------
State ON
Firewall Policy BlockInbound,AllowOutbound
LocalFirewallRules N/A (GPO-store only)
LocalConSecRules N/A (GPO-store only)
InboundUserNotification Enable
RemoteManagement Enable
UnicastResponseToMulticast Enable
Logging:
LogAllowedConnections Disable
LogDroppedConnections Disable
FileName %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize 4096
Ok.
netsh advfirewall monitor show consec
Global Settings:
----------------------------------------------------------------------
IPsec:
StrongCRLCheck 0:Disabled
SAIdleTimeMin 5min
DefaultExemptions ICMP
IPsecThroughNAT Never
AuthzUserGrp None
AuthzComputerGrp None
StatefulFTP Enable
StatefulPPTP Enable
Main Mode:
KeyLifetime 60min,0sess
SecMethods DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
ForceDH No
Categories:
BootTimeRuleCategory Windows Firewall
FirewallRuleCategory Windows Firewall
StealthRuleCategory Windows Firewall
ConSecRuleRuleCategory Windows Firewall
Quick Mode:
QuickModeSecMethods ESP:SHA1-None+60min+100000kb,ESP:SHA1-AES128+60min+100000kb,ESP:SHA1-3DES+60min+100000kb,AH:SHA1+60min+100000kb
QuickModePFS None
Security Associations:
No SAs match the specified criteria.
Certutil -store my
================ Certificate 0 ================
Serial Number: 30c01609000000000940
Issuer: CN=DOMAIN.LOCAL Issuing CA, DC=domain, DC=local
NotBefore: 5.6.2013 11:50
NotAfter: 5.6.2014 11:50
Subject: EMPTY (DNS Name=WIN7-PC.domain.local)
Non-root Certificate
Template: 1.3.6.1.4.1.311.21.8.13768635.85687789.4213417.11012286.3735705.185.14004952.4727139
Cert Hash(sha1): cb ec b5 81 56 af 55 78 c1 ef 4d 11 22 cb 5b a4 a6 18 35 48
Key Container = le-Copy of DirectAccess Clients-3bd19f52-cf0f-4c9d-94af-532d10f9e08c
Unique container name: a49f6d57807ac70e6572cf123246546_ee41bebe-ec69-4f8e-abaa-0ecc28d561bf
Provider = Microsoft RSA SChannel Cryptographic Provider
Private key is NOT exportable
Encryption test passed
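The post shows passing PING probes, a failing HTTP probe and "No SAs match the specified criteria." at the same time; the added example below (not from the poster, UAG or Microsoft; its inputs are constructed from the quoted captures) is a small offline triage that encodes the relevant DirectAccess fact: ICMP is exempt from IPsec (DefaultExemptions ICMP), so reaching the DTE with ping proves only the Teredo tunnel, not the IPsec tunnels.

```python
"""Offline triage of captured DirectAccess client diagnostics (added example).
Inputs are constructed from the netsh/DCA outputs quoted in the post above."""
import re

DCA_OUTPUT = """Probes List
PASS - PING: 2002:a123:1234::a123:1234
FAIL - HTTP: http://appsrv.domain.local
DTE List
PASS - PING: 2002:a123:1235::a123:1235
"""
CONSEC_OUTPUT = """IPsec:
DefaultExemptions    ICMP
Security Associations:
No SAs match the specified criteria.
"""
TEREDO_OUTPUT = """State                 : qualified
NAT                   : restricted
NAT Special Behaviour : UPNP: No, PortPreserving: Yes
"""

def parse_probes(text):
    """Map probe type (PING, HTTP) to [(target, passed)] from DCA PASS/FAIL lines."""
    probes = {}
    for m in re.finditer(r"^(PASS|FAIL) - (\w+): (\S+)$", text, re.M):
        probes.setdefault(m.group(2), []).append((m.group(3), m.group(1) == "PASS"))
    return probes

def setting(text, key):
    """Value of a netsh 'Key : Value' or 'Key   Value' line, or None if absent."""
    for line in text.splitlines():
        k, _, v = line.partition(":") if ":" in line else line.partition(" ")
        if k.strip() == key:
            return v.strip()
    return None

def triage(dca, consec, teredo):
    """Cross-check the three captures and return human-readable findings."""
    probes = parse_probes(dca)
    pings_ok = bool(probes.get("PING")) and all(ok for _, ok in probes["PING"])
    http_failed = any(not ok for _, ok in probes.get("HTTP", []))
    icmp_exempt = "ICMP" in (setting(consec, "DefaultExemptions") or "")
    findings = []
    if pings_ok and http_failed and "No SAs match" in consec and icmp_exempt:
        findings.append("IPsec: ICMP is exempt and no SAs exist, so passing PING probes "
                        "prove only the transition tunnel; the failing HTTP probe points at "
                        "IPsec negotiation (client cert, CA trust, CRL reachability)")
    if setting(teredo, "State") != "qualified":
        findings.append("Teredo: client is not qualified, the transition tunnel is down")
    return findings
```

Run it against your own captures by replacing the three constants with the pasted command output; the Teredo check only fires when the client is not in the qualified state.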