Troubleshooting DirectAccess Clients Step by Step


The following slides list troubleshooting steps in order, from basic misconfigurations to more advanced problems. Use these steps when you have one or more DirectAccess clients that cannot connect.

Written by: Tom Daniels
tomdan@outlook.com
www.DirectAccessGuide.com
Version 1.3

Make sure the client has DirectAccess GPOs (Step 1)

Check with rsop.msc or gpresult /r.

- The GPO can be missing when the DA computer has not been added to the security group, or is in the wrong OU and so is not targeted by the DirectAccess Client GPO.
- If you've recently added the computer to a security group, it requires a reboot to pick up the new group membership.
- When in doubt, reboot the computer to ensure it has the proper group membership.

DA Client must think it's on the Internet (Step 2)

Check the status of NCSI to make sure the computer thinks it's on the Internet.

- Windows uses the Network Connectivity Status Indicator (NCSI) to determine Internet connectivity.
- Check the network icon to make sure it doesn't show any warnings or errors.
- Ensure NCSI in the OS can reach www.msftncsi.com/ncsi.txt
- Some Internet connections require a proxy server.
- Most public Internet connections have a splash page you need to log on to before you can reach Internet resources.

Check to see if DA client is disconnected (Step 3)

See if the DA client has been manually disconnected.

- On Windows 7, it's possible to manually disconnect a DirectAccess client by selecting "use local DNS resolution" in the DirectAccess Connectivity Assistant (DCA).
- On Windows 8, the disconnect option can be selected on a DirectAccess connection to manually disconnect the DirectAccess client connection.

Check network profile (Step 4)

This needs to be public or home for most DA installs to work properly.

- The network profile controls which firewall profile will apply.
- Some environments disable the work firewall profile, which can break DirectAccess if a user selects work when presented with a new network connection.

Check key services on DirectAccess Client (Step 5)

Make sure key services are running on the DirectAccess client.

- IP Helper must be running in order for the IPv6 transition adapters to load (Teredo, 6to4, IP-HTTPS).
- The Windows Firewall service must also be running for the DirectAccess clients to negotiate IPsec correctly.
- The IKE and AuthIP IPsec Keying Modules service must be running in order for machines to communicate properly using IPsec, which is required for DirectAccess.
- The Network Connectivity Assistant is used on Windows 8+ systems to show DirectAccess status.

Check Windows firewall profile (Step 6)

Check that the Windows firewall is enabled for the Public and Private profiles, using wf.msc or netsh adv sh pub and netsh adv sh priv.

- Not only does the Windows Firewall service need to be running, the public and private profiles in the Windows Firewall also need to be enabled.
- If they are disabled, IPsec will not work correctly on the DA client.

Check DNS Suffix Search Order (Step 7)

The DA client needs to have the correct DNS suffix search order listed. Check at the top of the ipconfig /all output.

- Most users expect to get to resources by short name. If the DNS suffix search order is blank or incomplete, this can cause issues.
- If you suspect a problem with the DNS suffix search order, try to reach the same resources by FQDN instead and see if it works.

Check NRPT Settings (Step 8)

Check to make sure the Name Resolution Policy Table (NRPT) has the correct domain/hostnames listed by running netsh na sh po.

- The NRPT controls which DNS names the DA client is able to resolve across DirectAccess. It's critical to ensure the domain(s)/hostname(s) the client is trying to resolve appear in the NRPT.
- For domain/hostnames that should be resolved across DA, make sure the correct IPv6 address of the DA server appears (usually contains a "3333" IPv6 address).
- If the NRPT is blank and you've confirmed the DirectAccess Clients GPO has applied, then you are running Windows 7/8/8.1 Professional or Home Edition. DirectAccess requires the Enterprise or Ultimate Edition of Windows: http://support.microsoft.com/kb/2756536

Check DA Client certificate (Step 9)

Check for a computer certificate using either certutil -store my or by looking in the local computer certificate store in mmc.

- During most installs, a computer certificate is required, especially if Windows 7 DA clients exist. The only exception is a Windows 8 only DA deployment, which can use Kerberos.
- Check to make sure the subject name of the certificate matches the name of the computer.
- Look at the validity period; the current date needs to be within this period.
- Review the Extended Key Usage (EKU) on the certificate to ensure it lists at least Client Authentication.
- Ensure the client certificate is not listed in the Certificate Revocation List (CRL).

Check computer account in AD (Step 10)

Check the domain controller for the computer account to make sure one exists and it's not disabled.

Check the status of the IP-HTTPS connection (Step 11)

You can run the following command on your DirectAccess client to check the state of the IP-HTTPS adapter:

netsh int https show int

The output shows the current state of the connection. A good connection should show error code 0x0.

If you get any other error code besides 0x0, then you have an issue with the IP-HTTPS negotiation between the DirectAccess client and DirectAccess server. I've posted some of my previous troubleshooting articles for the more common specific IP-HTTPS error codes:

0x2af9 = http://directaccessguide.com/2013/08/05/getting-ip-https-error-code-0x2af9/
0x2afc = http://directaccessguide.com/2013/08/21/getting-ip-https-error-code-0x2afc/
0x4be = http://directaccessguide.com/2013/09/04/getting-ip-https-error-code-0x4be/
0x32 = http://directaccessguide.com/2014/04/11/getting-ip-https-error-code-0x32/
0x34 = http://directaccessguide.com/2014/05/02/getting-ip-https-error-code-0x34/
0x80090326 = http://directaccessguide.com/2014/06/01/getting-ip-https-error-code-0x80090326
0x643 = http://directaccessguide.com/2014/06/11/getting-ip-https-error-code-0x643/
0x274c = http://directaccessguide.com/2015/03/10/getting-ip-https-error-code-0x274c/
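
The scriptable checks from steps 5, 6, 8, 9 and 11, collected into one read-only PowerShell script. This is an added example, not part of the original presentation. It assumes a Windows 8 or later client, English netsh output, and a computer certificate whose subject begins with CN=<computer name>; the service short names and the Client Authentication OID are supplied here rather than taken from the slides.

```powershell
# Added example: read-only DirectAccess client checks (steps 5, 6, 8, 9, 11).
# Run from an elevated PowerShell prompt on the client. Nothing is changed.
$results = @()
function Add-Result($Step, $Check, $Ok, $Detail) {
    $script:results += [pscustomobject]@{
        Step = $Step; Check = $Check; OK = [bool]$Ok; Detail = "$Detail" }
}

# Step 5: IP Helper, Windows Firewall, IKE/AuthIP keying modules, NCA
foreach ($name in 'iphlpsvc', 'MpsSvc', 'IKEEXT', 'NcaSvc') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    Add-Result 5 "Service $name" ($svc -and $svc.Status -eq 'Running') $svc.Status
}

# Step 6: the Public and Private firewall profiles must both be enabled
foreach ($p in Get-NetFirewallProfile -Name Public, Private) {
    Add-Result 6 "Firewall profile $($p.Name)" ($p.Enabled -eq 'True') $p.Enabled
}

# Step 8: a blank NRPT means no names will be resolved across DirectAccess
$nrpt = @(Get-DnsClientNrptPolicy -Effective)
Add-Result 8 'NRPT has entries' ($nrpt.Count -gt 0) ($nrpt.Namespace -join ', ')

# Step 9: subject, validity period and Client Authentication EKU.
# Revocation (CRL) is not checked here; verify that separately.
$now = Get-Date
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Subject -like "CN=$env:COMPUTERNAME*" -and
    $_.NotBefore -le $now -and $_.NotAfter -ge $now -and
    $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2'  # Client Authentication
})
Add-Result 9 'Usable computer certificate' ($certs.Count -gt 0) ($certs.NotAfter -join ', ')

# Step 11: IP-HTTPS adapter state; 0x0 is the healthy value
$out = netsh interface httpstunnel show interfaces | Out-String
if ($out -match 'Last Error Code\s*:\s*(0x[0-9a-fA-F]+)') {
    Add-Result 11 'IP-HTTPS last error code' ($Matches[1] -eq '0x0') $Matches[1]
} else {
    Add-Result 11 'IP-HTTPS last error code' $false 'no IP-HTTPS interface reported'
}

$results | Format-Table -AutoSize
```

Any row with OK = False points back to the numbered step to work through by hand; a non-zero IP-HTTPS code can be looked up in the list above.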