Windows Server 2012 DirectAccess Network Location Server Not Working Properly

After configuring a Windows Server 2012 DirectAccess server to use an intranet-based Network Location Server (NLS), you may notice that the operations status in the remote access management console indicates a critical problem with NLS, when in fact you can browse the NLS server from the DirectAccess server.

DirectAccess Network Location Server Issue

The issue here is that the DirectAccess server, in addition to being able to successfully retrieve the NLS URL with an HTTPS GET, must also be able to ping the NLS server. Inbound ICMP is often blocked on web servers, so the DirectAccess server marks the NLS as failed even though the HTTPS check succeeds. The issue can be quickly resolved by modifying the host firewall policy on the NLS to allow inbound ICMPv4 echo requests. For example, in my test lab I’m using a Microsoft Windows Server 2012 server with Internet Information Services (IIS) installed. A new access rule can be added to the Windows Firewall with Advanced Security (WFAS) by executing the following PowerShell command:

New-NetFirewallRule -Name "Allow Inbound ICMPv4 Echo Request" -DisplayName "Allow Inbound ICMPv4 Echo Request" -Protocol ICMPv4 -IcmpType 8 -RemoteAddress 172.16.1.241, 172.16.1.242 -Profile Domain -Action Allow -Enabled True

Note that my lab server is domain joined, so I’ve specified the WFAS profile to be the Domain profile. In addition I’ve restricted the rule to the IPv4 addresses assigned to the internal network interfaces of my two DirectAccess servers, so the NLS does not answer pings from the rest of the network. You’ll need to change the command as required to work in your environment.
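The following script is an added example and is not code from the original post. It wraps the firewall rule above so it is only created once, and then reproduces from the DirectAccess server the three conditions the operations status needs the NLS to meet: an ICMPv4 echo reply, a certificate the DirectAccess server trusts, and an HTTPS response of 200 OK. The NLS URL and the DirectAccess server addresses are assumptions for the lab; substitute your own.

```powershell
# Added example (not from the original post). Step 1 runs on the NLS, step 2 on
# each DirectAccess server. The URL and addresses below are hypothetical.
$NlsUrl    = 'https://nls.corp.example.com/'
$DaServers = @('172.16.1.241', '172.16.1.242')
$RuleName  = 'Allow Inbound ICMPv4 Echo Request'

# 1. On the NLS: add the WFAS rule only if it is not already present, scoped to
#    the DirectAccess servers' internal addresses and the Domain profile.
#    New-NetFirewallRule defaults to Inbound; -Direction is given for clarity.
function Add-NlsIcmpRule {
    param([string[]]$RemoteAddress, [string]$Name)
    if (Get-NetFirewallRule -Name $Name -ErrorAction SilentlyContinue) {
        Write-Host "Rule '$Name' already exists; leaving it unchanged."
        return
    }
    New-NetFirewallRule -Name $Name -DisplayName $Name `
        -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
        -RemoteAddress $RemoteAddress -Profile Domain `
        -Action Allow -Enabled True | Out-Null
    Write-Host "Created rule '$Name' for $($RemoteAddress -join ', ')."
}

# 2. From the DirectAccess server: the same three checks the console depends on.
function Test-NlsHealth {
    param([string]$Url)
    $hostName = ([uri]$Url).Host
    $result = [ordered]@{ Ping = $false; CertTrusted = $false; Https200 = $false; Detail = '' }

    # ICMPv4 echo request: this is the check that fails when the NLS host
    # firewall drops ping even though HTTPS works.
    $result.Ping = Test-Connection -ComputerName $hostName -Count 2 -Quiet

    # HTTPS GET. Invoke-WebRequest validates the certificate chain and the
    # subject name by default, so an untrusted or mismatched certificate
    # throws and lands in the catch block instead of returning a response.
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        $result.CertTrusted = $true
        $result.Https200    = ($resp.StatusCode -eq 200)
        if (-not $result.Https200) { $result.Detail = "HTTP status $($resp.StatusCode)" }
    } catch {
        $msgs = @($_.Exception.Message, $_.Exception.InnerException.Message) -join ' '
        if ($msgs -match 'certificate|trust relationship') {
            $result.Detail = "TLS certificate not trusted or name mismatch: $msgs"
        } elseif ($_.Exception.Response) {
            # A response came back, so the TLS session (and certificate) was accepted.
            $result.CertTrusted = $true
            $result.Detail = "HTTP status $([int]$_.Exception.Response.StatusCode)"
        } else {
            $result.Detail = $msgs
        }
    }
    [pscustomobject]$result
}

# Run step 1 on the NLS:
#   Add-NlsIcmpRule -RemoteAddress $DaServers -Name $RuleName
# Run step 2 from each DirectAccess server; all three booleans must be True.
Test-NlsHealth -Url $NlsUrl | Format-List
```

If Ping is False but CertTrusted and Https200 are True, the host firewall on the NLS is the cause and the rule from step 1 fixes it. If CertTrusted is False, the DirectAccess server does not trust the NLS certificate chain or the name on the certificate does not match the NLS URL, which no firewall change will resolve.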

10 Comments

  1. Dear,

    I have the same issue … I have tried applying the rule in the firewall and still it is the same.

  2. kashif / June 3, 2015

    Still same error coming any other solution?

    • That’s the only solution. 🙂 As long as your NLS responds to ICMP echo requests, has a valid and trusted SSL certificate installed, and responds to HTTPS requests with a 200 OK, everything should work!

  3. We have a Network Location Server error on the status page but can both ping the NLS server and access the https URL from the DirectAccess 2012 server manually, but it fails to validate via the mgmt console. The event log has EvtID 10038
    “Network Location Server monitor has gone from HEALTHY state to UNHEALTHY state on 21/03/2016 at 14:10 on DAServer-01. The failure heuristic IDs for state change of Network Location Server are 800d0002.”
    Have already tried a reboot. DA Clients are generally still working. Any ideas how to troubleshoot this further please?

  4. Chris / April 13, 2016

    What about if you have 2 NLS servers behind a load-balancer? I’m trying to run DA in Azure and have tried a couple of load-balancers (Azure’s own and loadbalancer.org) but neither allow icmp responses from the virtual IP. The real servers respond to pings so it’s not an issue with the firewall on the IIS servers. Thanks

    • This check is performed by the management console, so the VIP must respond to ICMP. However, you can disable the ICMP health check in the management console by highlighting Operations Status in the navigation tree and then clicking on Disable Connectivity Check (PING) below Monitoring in the Tasks pane.

  5. Chris / April 14, 2016

    Thanks Richard, I had not even noticed that option as the window had been collapsed!

  6. Hello Mr. Richard, I had the same error and I am just wondering if this could affect the connectivity between the clients and the server via the WSE connector, because I can’t get any of my clients to successfully connect to the server. The client did find the server name yet never gets a connection, and it gives me this message: “can’t get information from ‘my server name’. Please contact your server administrator.”
    Thank you for your time 🙂

    • I apologize, I don’t have any experience with configuring DirectAccess on WSE. There could very well be a conflict that I’m not aware of.

