DirectAccess DNS Not Working Properly

Name resolution and proper DNS server configuration are vital to the functionality of DirectAccess. When performing the initial configuration of DirectAccess, or when changing the DNS server configuration afterwards, you may notice that the operations status for DNS indicates Critical and that the operations state shows Server responsiveness.

DirectAccess DNS Not Working Correctly

Highlighting the DNS server on the Operations Status page and viewing the details shows that DNS is not working properly with the following error message:

None of the enterprise DNS servers <IPv6_address> used by DirectAccess
clients for name resolution are responding. This might affect DirectAccess
client connectivity to corporate resources.

There are a number of things that can contribute to this problem, but a common cause is an error made when assigning a DNS server to a specific DNS suffix. An inexperienced DirectAccess administrator might specify the IPv4 address of an internal corporate DNS server, which is incorrect. The DNS server IPv4 address should be the address assigned to the DirectAccess server’s internal network interface.

The best way to ensure that the DNS server is configured correctly for DirectAccess is to delete the existing entry and then click Detect.

An IPv6 address will be added automatically. This is the IPv6 address of the DNS64 service running on the DirectAccess server, which is how the DNS server should be configured for proper DirectAccess operation.

Once the changes have been saved and applied, the DNS server should once again respond and the status should return to Working.
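The following PowerShell script is an added example, not part of the original post: it audits every DNS suffix entry in the DirectAccess client DNS configuration and flags any entry that points at something other than the DNS64 address of the server, the misconfiguration described above. It assumes it runs on a single DirectAccess server (not a load-balanced cluster) in an IPv4-only intranet, where the DNS64 address is the server's IPv6 address ending in 3333::1.

```powershell
# Added example: audit DirectAccess NRPT DNS entries against the local DNS64 address.
# Assumes a single DirectAccess server with the RemoteAccess module installed.
Import-Module RemoteAccess

# The DNS64 service address is the IPv6 address on this server that ends in 3333::1
$dns64 = Get-NetIPAddress -AddressFamily IPv6 |
    Where-Object { $_.IPAddress -like '*:3333::1' } |
    Select-Object -First 1 -ExpandProperty IPAddress

if (-not $dns64) {
    Write-Warning 'No DNS64 address (ending in 3333::1) was found on this server.'
}

$problems = @()
foreach ($entry in Get-DAClientDnsConfiguration) {
    # Entries with no DNS server are NRPT exemptions (for example the NLS name); skip them
    if (-not $entry.DnsIPAddress) { continue }

    foreach ($server in $entry.DnsIPAddress) {
        # Anything other than the DNS64 address (typically an internal IPv4 DNS server
        # entered by hand) is the misconfiguration that produces the Critical status
        if ($server -ne $dns64) {
            $problems += [pscustomobject]@{
                Suffix    = $entry.DnsSuffix
                DnsServer = $server
                Expected  = $dns64
            }
        }
    }
}

if ($problems) {
    $problems | Format-Table -AutoSize
    # To repair, point each affected suffix at the DNS64 address (uncomment to apply):
    # foreach ($p in $problems) {
    #     Set-DAClientDnsConfiguration -DnsSuffix $p.Suffix -DnsIPAddress $dns64
    # }
} else {
    'All DirectAccess DNS suffix entries point at the DNS64 address.'
}
```

Run it from an elevated PowerShell session on the DirectAccess server; the repair lines are left commented so the audit is read-only by default.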


14 Comments

  1. Kaspars, September 22, 2015

    My DA server shows an error where it complains about the IPv4 internal DNS server, but in the domain suffix DNS configuration I have the IPv6 DA server address. This DNS error is from the beginning and DA works somehow. I have one NIC behind NAT. I can ping the internal DNS servers from the DA server. Before deletion I see the IPv4 of the DA server, detection inserts IPv6, and after hitting apply and properties again I can see the same IPv4 of the DA server, and in the suffix list I see the IPv6 address. So deletion does nothing in my case; the error remains.

    • That’s very unusual. This blog post was to bring attention to a specific and common configuration error, that being the specification of internal DNS servers instead of using the DNS64 service on the DirectAccess server. Unfortunately it sounds like there’s something else causing this error on your server.

    • Hello Kaspars I am having exactly the same issue I believe? Did you ever get this resolved? Thanks

  2. Phil, September 23, 2015

    I’ve had an odd DA DNS issue occur a couple of times, apparently at random (at least – no *known* changes made..!), still haven’t worked out the cause – same error as above but the DNS64 IP is set correctly, nothing informative in the event log.
    Of all things, running the DA Best Practice Analyzer in Server Manager was how I found the issue – “The IP Address on the interface where DirectAccess is listening is not correct”

    Running:
    Set-NetDNSTransitionConfiguration -State Disabled
    on each node and then restarting RAMgmtSvc seems to fix it, but I’d love to know what triggered it…

    2 node farm using Windows NLB, edge deployment, no NAT – has otherwise worked fine for 2-3 years

  3. Matthew B, March 8, 2016

    Thank you for the quick and easy clarification!

  4. Alan, June 18, 2016

    Hi Richard

    I wonder if you can help me please with my problem. My setup is behind edge with 2 NICs, no public IPs configured, both are private. On step 3 of the Remote Access configuration, for some reason it is picking the IPv6 address of the DA servers and not the Enterprise DNS server. The Enterprise DNS is a domain controller with IPv6 enabled but no static address assigned in TCP/IP and has no AAAA record in the DNS. This is causing the client to look at the wrong DNS server. How can I resolve the issue? My IPv6 skills are lame, else I would have added a record in the DNS and tested that way. My problem is a similar issue to “Kaspars”. I have reinstalled everything a few times and can't understand the issue. Any help will be really appreciated – Thanks

    • I’d suggest manually entering the DNS64 IPv6 address for the DNS server and see if that works. The DNS64 address is the IPv6 address that ends in 3333::1 on your DirectAccess server.

  5. Linton Harris, June 29, 2016

    Hello,

    I’m getting a DNS error complaining about “Enterprise DNS servers (8.8.8.8) used by DirectAccess clients for name resolution are not responding. This might affect DirectAccess client connectivity to corporate resources.” Please advise

    • Sounds like your DNS configuration is incorrect. I’m confident that 8.8.8.8 is not the IP address of one of your internal domain DNS servers. 🙂 Follow the guidance in this post and you should be able to resolve this issue.

  6. Thorsten Frohberg, August 2, 2016

    Hello Richard,

    I have 2 DirectAccess servers (W2K12R2) behind edge with one NIC. After I configured the first server for DirectAccess all worked fine; then I built a cluster for external load balancing. After that, on the first DA server I have a DNS error “Server unavailable, server responsiveness.” On the second server in the cluster all works fine. How can I find the logs for DNS, what can I check?

    • That’s odd, for sure. When you configured the DNS servers for the internal namespace, did you follow the guidance here to automatically detect?

  7. Ian Randall, October 6, 2016

    Richard,

    Have a 2012 DA environment set up using an ELB and just added the second node into the cluster. Everything has started okay, green ticks across the board except for DNS, which is complaining that none of the enterprise DNS servers can be reached. The odd thing is that the one it's noted is the 3333::1 address, which I believe is a loopback to the DNS6to4 service on the DA box.

    The first node which was created is fine, I can nslookup – and it works fine, I get results back for any site I throw at it, but do that on node 2 and I get request timed out.

    I've checked firewall logs and I see allow for ICMP and DNS (53) inbound and outbound.

    I checked the DNS settings within step 3 of the setup wizard, and although during the initial setup these did resolve to IPv4 addresses, they do now all read as the correct 3333::1 record, which is the same as on node 1.

    I'm a little stumped now, any ideas where to look next?

    • The 3333::1 address is expected, as it is the address of the DNS64 service running on the DirectAccess server. Make sure the second node can resolve internal names via its configured DNS servers, which should be your corporate DNS servers. If it fails, ensure that you have connectivity to/from those servers. Things to check are routes, subnet masks, and internal firewalls.

