DirectAccess on Server 2012 R2 with Single NIC behind NAT on IPv4 only Corporate Network Results in "DNS Not Working Properly"

I hit this problem at a customer site and can reproduce it in a simple lab. Lab environment servers:

  • 1x Server 2012 R2 DC and DNS server - DC1 - 10.0.0.1
  • 1x Server 2012 R2 DirectAccess (DA) server - DA1 - 10.0.0.100

Servers are running "Update" (KB2919355) and the following DA hotfixes:

  • KB2929930
  • KB2966087

I configured DA (via advanced wizard) as follows:

  • DA and remote access
  • AD group
  • directaccess-webprobehost DNS (A) record pointing to 10.0.0.100
  • behind an edge device (with a single network adapter)
  • SSL certificate from enterprise root CA issued to directaccess.contoso.com
  • NLS on remote server using https://nls.corp.contoso.com
  • DNS: corp.contoso.com = 10.0.0.1; nls.corp.contoso.com = ""
  • DNS suffix search list = corp.contoso.com

The DNS server validates successfully in the configuration UI.


With this configuration, I get a static IPv6 address of fd79:7a37:cbd9:3333::1/128 assigned to the NIC.

The operations status is all green apart from DNS which displays the following error:

"DNS: Not Working Properly"

Error:

None of the enterprise DNS servers fd79:7a37:cbd9:7777::a00:1 used by DirectAccess clients for name resolution are responding. This might affect DirectAccess client connectivity to corporate resources.

Causes:

Enterprise DNS servers fd79:7a37:cbd9:7777::a00:1 are not responding.

I can, however, ping fd79:7a37:cbd9:7777::a00:1 (which is the DNS64 translation of 10.0.0.1).


I would like to know what checks are failing as there are no failures in Event Viewer.

I have come across forums where people have the same issue and fix it by specifying the local IP (in this case 10.0.0.100) as the DNS server; however, Richard Hicks has confirmed with me that the DNS server should be set to the DNS server, not the DA server's IP.
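
A successful ping only shows that ICMP reaches DC1 through the translated address; it says nothing about port 53. The following is an added example, not part of the original post and not a reproduction of the checks the DirectAccess console runs: it derives the translated address from the /96 prefix and the IPv4 address quoted above, then sends the same DNS query natively and through the translation, over UDP and TCP. The function names `ConvertTo-Nat64Address` and `Test-DnsQuery` are hypothetical helpers defined here.

```powershell
# Added example. Addresses and names are the ones quoted in the post.
$Nat64Prefix = 'fd79:7a37:cbd9:7777::'   # /96 prefix from the error text
$DnsServerV4 = '10.0.0.1'                # DC1
$TestName    = 'corp.contoso.com'        # DNS suffix from the post

function ConvertTo-Nat64Address {
    # Embed an IPv4 address in the last 32 bits of a /96 prefix.
    param([string]$Prefix, [string]$IPv4)
    $v6 = [System.Net.IPAddress]::Parse($Prefix).GetAddressBytes()
    $v4 = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()
    if ($v6.Length -ne 16 -or $v4.Length -ne 4) {
        throw "Expected an IPv6 prefix and an IPv4 address."
    }
    [Array]::Copy($v4, 0, $v6, 12, 4)
    (New-Object System.Net.IPAddress -ArgumentList (,$v6)).ToString()
}

function Test-DnsQuery {
    # Send one A query to a specific server over UDP or TCP and report the result.
    param([string]$Server, [string]$Name, [bool]$Tcp)
    $result = 'OK'
    try {
        Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly `
            -TcpOnly:$Tcp -ErrorAction Stop | Out-Null
    } catch {
        $result = $_.Exception.Message   # timeout, refusal, name error, ...
    }
    [pscustomobject]@{
        Server    = $Server
        Transport = if ($Tcp) { 'TCP/53' } else { 'UDP/53' }
        Result    = $result
    }
}

$mapped = ConvertTo-Nat64Address -Prefix $Nat64Prefix -IPv4 $DnsServerV4

# Same query, native IPv4 first, then through the translated address.
foreach ($server in $DnsServerV4, $mapped) {
    foreach ($tcp in $false, $true) {
        Test-DnsQuery -Server $server -Name $TestName -Tcp $tcp
    }
}
```

Run on DA1, a row that reports OK for 10.0.0.1 but an error for the translated address points at the translation path on the DA server rather than at the DNS service on DC1.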