So, following various troubleshooting documents has led me to this point.
I worked through the article "DirectAccess Client Cannot Access Intranet Resources", which led me to the section "To troubleshoot why an intranet ISATAP host does not configure an ISATAP address", because the intranet resources I've allowed both show a fe80 IPv6 address (meaning they are not getting configured via the ISATAP router).
I was able to walk through all of its steps without errors. I did have to alter it slightly as I'm not using ISATAP fully, but limited mode with a custom ISATAP DNS name that is pointing to the DA server internal IP address.
The next section in the article, "To troubleshoot an ISATAP router", is where I run into issues. I go through the process, using my customized ISATAP name, which pings, etc. I get to step 8 and this is where it goes off the rails.
I do a netsh interface ipv6 show interfaces. I have TWO interfaces with the name isatap.longstringoflettersandnumbers, which each represent one of the two NICs in the server (one public, one internal). The document states it should be the intranetDNSSuffix. So, I added the DNS suffix to both NICs and rebooted the DA server.
Question: should these be listed as isatap.something or should they be my custom isatapname.something?
My understanding is ISATAP.DOMAINsuffix is blocked globally by default unless I unblock it (which I haven't). I'm using a custom ISATAP name, let's say customISATAP.DOMAINSuffix. I have a GPO set up to enable ISATAP and point them to my custom ISATAP entry for restricted systems. I can verify they get those settings because their ISATAP state is enabled and they have the custom ISATAP as their router.
But... they are not getting routable IPv6 addresses.
My configuration is as follows:
NLS - 2012 R2 Server
DA - 2012 R2 Server with Win 7 access turned on. Dual NIC, one internal and one external. External points to an F5 then out to the wild. Dashboard shows all green for status in my DA.
PKI - Set up and configured. Certs assigned (I believe, but I don't think certs will stop ISATAP from assigning the correct IPv6 address)
Win 7 Enterprise Test DA client - Can connect, shows as connected, but the only resource I can get to is the domain controller; I can access the sysvol and netlogon folders. I cannot access other intranet resources.
Thanks for any assistance.