Hotfix Available to Disable NRPT on Windows 8.x DirectAccess Clients

Updated April 9, 2015: The hotfix referred to in this article is now included in the November 2014 update rollup for Windows 8.1 and Windows Server 2012 R2. You will receive an error message when installing this update on Windows 8.x clients with the update rollup installed. More details here.

The Network Location Server (NLS) is a critical infrastructure component for DirectAccess deployments. The NLS is used by DirectAccess clients to determine if the client is located inside or outside of the corporate network. If the NLS becomes unavailable, DirectAccess clients that are already outside the corporate network are unaffected. However, DirectAccess clients that are inside the corporate network will mistakenly believe that they are outside and the Name Resolution Policy Table (NRPT) will be enabled, forcing name resolution requests for hosts in the internal namespace to be sent to the DNS64 service running on the DirectAccess server. If the DirectAccess server is unreachable from the internal network (a common scenario for a variety of reasons), DirectAccess clients inside the corporate network will be unable to connect to any local network resources by name until the NLS is once again reachable.

Configuring the Network Connectivity Assistant to Allow DirectAccess clients to use local name resolution does not resolve this issue. Although it sounds intuitive, it doesn’t resolve this specific issue where the NLS is unreachable.

Hotfix Available to Disable NRPT on Windows 8.x DirectAccess Clients

When the option to Allow DirectAccess clients to use local name resolution is enabled, the client can only choose to disconnect (use local name resolution) after it has successfully established a connection to the DirectAccess server. If the DirectAccess connection shows that it is still connecting, the option to disconnect is not available.

Hotfix Available to Disable NRPT on Windows 8.x DirectAccess Clients

To address this issue, Microsoft has released update KB2953212 for Windows 8.x clients that allows the disabling of the NRPT regardless if the client has successfully established a DirectAccess connection. With this update, if a DirectAccess client is located on the corporate network and is unable to reach the NLS, the user will be able to disable the NRPT (effectively disconnect DirectAccess) and once again connect to resources on the corporate network.
Hotfix Available to Disable NRPT on Windows 8.x DirectAccess Clients

This update is certainly no excuse not to deploy your NLS in a highly-available configuration using Windows Network Load Balancing (NLB) or a third-party external load balancer (hardware or software), but it can be a life-saver if your NLS becomes unavailable for any reason. I’d recommend deploying this update to all of your Windows 8.x DirectAccess clients soon.

For more information and to download the hotfix, click here.

Leave a comment

16 Comments

  1. I installed this hotfix on my Windows8 machine and I don’t still don’t have any disconnect button.
    The hotfix shos when checking via “wmic qfe list” and I rebooted but that didn’t help either …

    Reply
    • After installing this hotfix you will only see the disconnect button in a few scenarios – if you are on the corporate LAN, or if you are remote and haven’t established a DirectAccess connection, or if you are remote, have established a connection, and the option to allow users to use local name resolution is enabled in the DirectAccess configuration. In any of those scenarios you should see the disconnect button.

      Reply
  2. How would you handle these scenario’s with Windows 7 clients? I can’t find a patch for them…..

    Reply
  3. Tim Heizer

     /  March 4, 2015

    I have DA working on 2012r2 and a Win 8.1 client with this hotfix installed. When I connect to the corp lan and then stop the NLS site in IIS, the 8.1 client changes to “connecting” but I have no Disconnect button. The details below “Connecting” state “IPv6 is disabled. Contact your admin for help.” Any ideas? DA connects perfectly when not on the corp lan. It also works fine when on the corp lan and the NLS site is available.

    Reply
    • That’s unusual. When I tested this a while back it worked fine then, but I haven’t tried it recently. I’ll test again and see if I have the same issue that you do.

      Reply
  4. Sebastian Krueck

     /  March 18, 2015

    I downloaded the patch and tried to install it on my Win8.1 x64 machine, but Windows says that this update is not applicable for my computer. Any ideas what I need to do?

    Reply
  5. Sebastian Krueck

     /  April 19, 2015

    Thanks a lot for your investigation and the resulting information. But…
    If the patch is included in update rollup it should also bring the functionality to the Client, shouldn’t it? My computer is on current patch level and I don’t have the “Disconnect” button. I checked update history and the update rollup you are talking about is installed. Any ideas on that?

    Reply
    • I tested and confirmed that indeed it is there. :) The disconnect button will only be visible while DirectAccess is in a “connecting” state. Also, it does require that you enable the “allow users to use local name resolution” option in the DirectAccess configuration.

      Reply
  1. Disconnect DirectAccess in Windows 8.x while on LAN - Simple and secure by Design but Business compliant [Benoît SAUTIERE / MVP]
  2. Unable to Install DirectAccess Hotfix KB2953212 to Disable NRPT | Richard Hicks' DirectAccess Blog

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 67 other followers

%d bloggers like this: