Updated April 9, 2015: The hotfix referred to in this article is now included in the November 2014 update rollup for Windows 8.1 and Windows Server 2012 R2. You will receive an error message when installing this update on Windows 8.x clients with the update rollup installed. More details here.
The Network Location Server (NLS) is a critical infrastructure component for DirectAccess deployments. The NLS is used by DirectAccess clients to determine if the client is located inside or outside of the corporate network. If the NLS becomes unavailable, DirectAccess clients that are already outside the corporate network are unaffected. However, DirectAccess clients that are inside the corporate network will mistakenly believe that they are outside and the Name Resolution Policy Table (NRPT) will be enabled, forcing name resolution requests for hosts in the internal namespace to be sent to the DNS64 service running on the DirectAccess server. If the DirectAccess server is unreachable from the internal network (a common scenario for a variety of reasons), DirectAccess clients inside the corporate network will be unable to connect to any local network resources by name until the NLS is once again reachable.
Enabling the Network Connectivity Assistant option Allow DirectAccess clients to use local name resolution does not resolve this issue. Although that sounds intuitive, it does not help in the specific case where the NLS is unreachable.
When the option to Allow DirectAccess clients to use local name resolution is enabled, the client can only choose to disconnect (use local name resolution) after it has successfully established a connection to the DirectAccess server. If the DirectAccess connection shows that it is still connecting, the option to disconnect is not available.
To address this issue, Microsoft has released update KB2953212 for Windows 8.x clients, which allows the NRPT to be disabled regardless of whether the client has successfully established a DirectAccess connection. With this update, if a DirectAccess client is located on the corporate network and is unable to reach the NLS, the user can disable the NRPT (effectively disconnecting DirectAccess) and once again connect to resources on the corporate network.
This update is certainly no excuse not to deploy your NLS in a highly available configuration using Windows Network Load Balancing (NLB) or a third-party external load balancer (hardware or software), but it can be a life-saver if your NLS becomes unavailable for any reason. I’d recommend deploying this update to all of your Windows 8.x DirectAccess clients soon.
For more information and to download the hotfix, click here.
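The failure mode described above can be confirmed from the client itself. The following PowerShell diagnostic is an added example, not code from the article or from Microsoft: it probes the NLS URL that DirectAccess policy pushes to the client, lists the NRPT rules currently steering internal names to the DirectAccess DNS64 servers, reports the DirectAccess connection state, and checks whether KB2953212 is installed. It uses the in-box Get-NCSIPolicyConfiguration, Get-DnsClientNrptPolicy, Get-DAConnectionStatus and Get-HotFix cmdlets; the property name DomainLocationDeterminationURL, the status value ConnectedLocally and the rollup KB placeholder are assumptions and should be checked against your own client's output.

```powershell
# Added diagnostic (not part of the original article). Run in an elevated
# PowerShell session on a Windows 8.x DirectAccess client. It answers three
# questions the article ties together:
#   1. Can this client reach the Network Location Server (NLS)?
#   2. Is the NRPT currently sending internal names to the DirectAccess server?
#   3. Is KB2953212 (or the rollup that later included it) installed?

$NlsProbeTimeoutSec = 5

# KB2953212 is the hotfix named in the article. The rollup's KB number is not
# given on the page, so the second entry is a placeholder to replace with the
# rollup ID you actually deployed.
$KnownUpdates = @('KB2953212', 'KB<ROLLUP-ID-PLACEHOLDER>')

function Get-DaNlsStatus {
    # Get-NCSIPolicyConfiguration exposes the NLS URL from DirectAccess policy.
    # Assumption: the property is named DomainLocationDeterminationURL.
    $ncsi = Get-NCSIPolicyConfiguration -ErrorAction Stop
    $url  = $ncsi.DomainLocationDeterminationURL
    if ([string]::IsNullOrEmpty($url)) {
        return [pscustomobject]@{ NlsUrl = $null; Reachable = $false
                                  Detail = 'No NLS URL in policy (not a DirectAccess client?)' }
    }
    try {
        # NCSI decides "inside" by fetching the NLS URL over HTTPS; mimic that with a
        # short timeout so a dead NLS fails fast instead of hanging the diagnostic.
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec $NlsProbeTimeoutSec -ErrorAction Stop
        return [pscustomobject]@{ NlsUrl = $url; Reachable = $true; Detail = "HTTP $($resp.StatusCode)" }
    } catch {
        return [pscustomobject]@{ NlsUrl = $url; Reachable = $false; Detail = $_.Exception.Message }
    }
}

function Get-DaNrptState {
    # Each NRPT rule names an internal namespace and the DirectAccess DNS servers
    # (DNS64) that queries for it are sent to. Rules present with
    # DirectAccessEnabled = True mean the client believes it is outside the corporate network.
    Get-DnsClientNrptPolicy -ErrorAction SilentlyContinue |
        Select-Object Namespace, DirectAccessEnabled, DirectAccessDnsServers
}

function Get-DaUpdateState {
    foreach ($kb in $KnownUpdates) {
        $hf = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
        $installedOn = $null
        if ($hf) { $installedOn = $hf.InstalledOn }
        [pscustomobject]@{ Update = $kb; Installed = [bool]$hf; InstalledOn = $installedOn }
    }
}

function Invoke-DaNlsDiagnostic {
    $nls  = Get-DaNlsStatus
    $nrpt = @(Get-DaNrptState)
    $da   = Get-DAConnectionStatus -ErrorAction SilentlyContinue

    Write-Host "NLS URL       : $($nls.NlsUrl)"
    Write-Host "NLS reachable : $($nls.Reachable) ($($nls.Detail))"
    Write-Host "DA status     : $($da.Status) / $($da.Substatus)"
    Write-Host "NRPT rules    : $($nrpt.Count)"
    $nrpt | Format-Table -AutoSize | Out-String | Write-Host
    Get-DaUpdateState | Format-Table -AutoSize | Out-String | Write-Host

    # The combination the article is about: NLS down, NRPT still active, and the
    # client not reporting a local connection. 'ConnectedLocally' is the assumed
    # status value for a client that has correctly detected the corporate network.
    if (-not $nls.Reachable -and $nrpt.Count -gt 0 -and $da.Status -ne 'ConnectedLocally') {
        Write-Warning 'NLS unreachable and NRPT active: internal name lookups are being sent to the DirectAccess server.'
        Write-Warning 'Restore or fail over the NLS. With KB2953212 installed, users can click Disconnect to disable the NRPT in the meantime.'
    }
}

Invoke-DaNlsDiagnostic
```

The warning branch is the case the article describes: if the NLS probe fails while NRPT rules are still in place, every lookup in the internal namespace is going to DNS64 on the DirectAccess server, and a client on the LAN loses name resolution until either the NLS returns or the NRPT is disabled. Running the script before and after stopping the NLS site in a lab is an easy way to see the transition and to confirm the update is actually present on the client.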
Marc Andrieux
/ July 23, 2014
I installed this hotfix on my Windows 8 machine and I still don’t have any disconnect button.
The hotfix shows when checking via “wmic qfe list” and I rebooted but that didn’t help either …
Richard Hicks
/ July 25, 2014
After installing this hotfix you will only see the disconnect button in a few scenarios – if you are on the corporate LAN, or if you are remote and haven’t established a DirectAccess connection, or if you are remote, have established a connection, and the option to allow users to use local name resolution is enabled in the DirectAccess configuration. In any of those scenarios you should see the disconnect button.
Jon Scriven (@JonScriv)
/ February 11, 2015
How would you handle these scenarios with Windows 7 clients? I can’t find a patch for them...
Richard Hicks
/ February 11, 2015
There is no similar update for Windows 7. Nothing you can do at this point, unfortunately. :/
Tim Heizer
/ March 4, 2015
I have DA working on 2012 R2 and a Win 8.1 client with this hotfix installed. When I connect to the corp LAN and then stop the NLS site in IIS, the 8.1 client changes to “connecting” but I have no Disconnect button. The details below “Connecting” state “IPv6 is disabled. Contact your admin for help.” Any ideas? DA connects perfectly when not on the corp LAN. It also works fine when on the corp LAN and the NLS site is available.
Richard Hicks
/ March 7, 2015
That’s unusual. When I tested this a while back it worked fine then, but I haven’t tried it recently. I’ll test again and see if I have the same issue that you do.
Sebastian Krueck
/ March 18, 2015
I downloaded the patch and tried to install it on my Win 8.1 x64 machine, but Windows says that this update is not applicable for my computer. Any ideas what I need to do?
Richard Hicks
/ March 22, 2015
Perhaps it is already installed? Run the Get-Hotfix PowerShell command to confirm.
Sebastian Krueck
/ March 23, 2015
No, I already checked that. Checked it again now, and it is not installed. Meanwhile I have a second system the patch won’t install on. I have no idea…
clowg
/ March 25, 2015
Same for me. Hotfix says it isn’t applicable to my computer. It isn’t in the list of hotfixes already installed.
Richard Hicks
/ March 26, 2015
Interesting. I’ll investigate and get back with you guys soon. Stand by…
Richard Hicks
/ April 9, 2015
Did some investigating on this issue. Turns out that this hotfix was recently included in an update rollup for Windows. I’ll update the article with that information. More details here: http://directaccess.richardhicks.com/2015/04/09/unable-to-install-directaccess-hotfix-kb2953212-to-disable-nrpt/
Sebastian Krueck
/ April 19, 2015
Thanks a lot for your investigation and the resulting information. But…
If the patch is included in the update rollup it should also bring the functionality to the client, shouldn’t it? My computer is on current patch level and I don’t have the “Disconnect” button. I checked update history and the update rollup you are talking about is installed. Any ideas on that?
Richard Hicks
/ April 20, 2015
I tested and confirmed that indeed it is there. 🙂 The disconnect button will only be visible while DirectAccess is in a “connecting” state. Also, it does require that you enable the “allow users to use local name resolution” option in the DirectAccess configuration.