DirectAccess DNS Not Working Properly

Name resolution and proper DNS server configuration are vital to the functionality of DirectAccess. When performing the initial configuration of DirectAccess, or when changing the DNS server configuration afterwards, you may notice that the operations status for DNS indicates Critical and that the operations state shows Server responsiveness.

DirectAccess DNS Not Working Correctly

Highlighting the DNS server on the Operations Status page and viewing the details shows that DNS is not working properly with the following error message:

None of the enterprise DNS servers <IPv6_address> used by DirectAccess
clients for name resolution are responding. This might affect DirectAccess
client connectivity to corporate resources.


There are a number of things that can contribute to this problem, but a common cause is an error made when assigning a DNS server to a specific DNS suffix. An inexperienced DirectAccess administrator might specify the IPv4 address of an internal corporate DNS server, which is incorrect. If an IPv4 address is used at all, it should be the address assigned to the DirectAccess server’s internal network interface, not that of a domain DNS server.

The best way to ensure that the DNS server is configured correctly for DirectAccess is to delete the existing entry and then click Detect.


An IPv6 address will be added automatically. This is the IPv6 address of the DNS64 service running on the DirectAccess server, which is how the DNS server should be configured for proper DirectAccess operation.


Once the changes have been saved and applied, the DNS server should once again respond and the status should return to Working.
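As an added example (not code from the original post or from the DirectAccess product), the following PowerShell audits the DNS server configured for each DirectAccess DNS suffix against the rule described above: it must be the DNS64 IPv6 address ending in 3333::1, and that address must be present on the DirectAccess server itself. It assumes the RemoteAccess module on the DirectAccess server; the NrptEntry property names Namespace and DnsServer are assumptions about the output of Get-DAClientDnsConfiguration, and the suffix in the final commented line is a placeholder.

```powershell
# Added example, not part of the original post. Assumes the RemoteAccess module.
# The NrptEntry property names (Namespace, DnsServer) are assumed from
# Get-DAClientDnsConfiguration output; adjust if they differ on your build.

function Test-DaDns64Address {
    param([string]$Address, [string[]]$ServerIPv6Addresses)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return 'Unparseable address' }
    if ($ip.AddressFamily -ne 'InterNetworkV6') {
        # The common mistake from the post: an IPv4 internal DNS server (or a public
        # resolver such as 8.8.8.8) instead of the DNS64 service address.
        return 'IPv4 address: clients need the DNS64 IPv6 address, not an internal or public resolver'
    }
    # The DNS64 address is the organization's IPv6 prefix followed by :3333::1.
    if ($ip.ToString() -notmatch ':3333::1$') { return 'IPv6, but not the DNS64 (...3333::1) address' }
    # The DNS64 address lives on the DirectAccess server; a second node that does not
    # hold it will report the enterprise DNS servers as unreachable.
    if ($ServerIPv6Addresses -notcontains $ip.ToString()) { return 'DNS64 address not assigned to this server' }
    return 'OK'
}

# IPv6 addresses held by this DirectAccess server, and the DNS64 address among them.
$localV6 = (Get-NetIPAddress -AddressFamily IPv6).IPAddress
$dns64   = $localV6 | Where-Object { $_ -match ':3333::1$' }

# One line per suffix/server pair with the verdict.
foreach ($entry in (Get-DAClientDnsConfiguration).NrptEntry) {
    foreach ($server in $entry.DnsServer) {
        $verdict = Test-DaDns64Address -Address $server -ServerIPv6Addresses $localV6
        '{0,-40} {1,-30} {2}' -f $entry.Namespace, $server, $verdict
    }
}

# Correcting a flagged suffix from PowerShell is equivalent to deleting the entry and
# clicking Detect in the wizard. Placeholder suffix; uncomment to apply.
# Set-DAClientDnsConfiguration -DnsSuffix '.corp.example.com' -DnsIPAddress $dns64
```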



24 Comments

  1. Kaspars

     /  September 22, 2015

    My DA server shows an error where it complains about the IPv4 internal DNS server, but in the domain suffix DNS configuration I have the IPv6 DA server address. This DNS error has been there from the beginning and DA works somehow. I have one NIC behind NAT. I can ping the internal DNS servers from the DA server. Before deletion I see the IPv4 address of the DA server; detection inserts IPv6, and after hitting Apply and opening Properties again I can see the same IPv4 address of the DA server, and in the suffix list I see the IPv6 address. So deletion does nothing in my case; the error remains.

    Reply
    • That’s very unusual. This blog post was to bring attention to a specific and common configuration error, that being the specification of internal DNS servers instead of using the DNS64 service on the DirectAccess server. Unfortunately it sounds like there’s something else causing this error on your server.

      Reply
    • Hello Kaspars I am having exactly the same issue I believe? Did you ever get this resolved? Thanks

      Reply
  2. Phil

     /  September 23, 2015

    I’ve had an odd DA DNS issue occur a couple of times, apparently at random (at least – no *known* changes made..!), still haven’t worked out the cause – same error as above but the DNS64 IP is set correctly, nothing informative in the event log.
    Of all things, running the DA Best Practice Analyzer in Server Manager was how I found the issue – “The IP Address on the interface where DirectAccess is listening is not correct”

    Running:
    Set-NetDNSTransitionConfiguration -State Disabled
    on each node and then restarting RAMgmtSvc seems to fix it, but I’d love to know what triggered it…

    2 node farm using Windows NLB, edge deployment, no NAT – has otherwise worked fine for 2-3 years

    Reply
  3. Matthew B

     /  March 8, 2016

    Thank you for the quick and easy clarification!

    Reply
  4. Alan

     /  June 18, 2016

    Hi Richard

    I wonder if you can help me please with my problem. My setup is behind edge with 2 NICs, no public IPs configured, both are private. On step 3 of the Remote Access configuration, for some reason it is picking the IPv6 address of the DA servers and not the Enterprise DNS Server. The Enterprise DNS is a domain controller with IPv6 enabled but no static address assigned in TCP/IP, and it has no AAAA record in DNS. This is causing the client to look at the wrong DNS server. How can I resolve the issue? My IPv6 skills are lame, else I would have added a record in DNS and tested that way. My problem is a similar issue to “Kaspars”; I have reinstalled everything a few times and can’t understand the issue. Any help will be really appreciated – Thanks

    Reply
    • I’d suggest manually entering the DNS64 IPv6 address for the DNS server and see if that works. The DNS64 address is the IPv6 address that ends in 3333::1 on your DirectAccess server.

      Reply
  5. Linton Harris

     /  June 29, 2016

    Hello,

    I’m getting a DNS error complaining about “Enterprise DNS servers (8.8.8.8) used by DirectAccess clients for name resolution are not responding. This might affect DirectAccess client connectivity to corporate resources.” Please advise.

    Reply
    • Sounds like your DNS configuration is incorrect. I’m confident that 8.8.8.8 is not the IP address of one of your internal domain DNS servers. 🙂 Follow the guidance in this post and you should be able to resolve this issue.

      Reply
  6. Thorsten Frohberg

     /  August 2, 2016

    Hello Richard,

    I have 2 DirectAccess servers (W2K12R2) behind edge with one NIC. After I configured the first server for DirectAccess all worked fine; then I built a cluster for external load balancing. After that, on the first DA server I have a DNS error “Server unavailable, server responsiveness.” On the second server in the cluster all works fine. How can I find the logs for DNS? What can I check?

    Reply
    • That’s odd, for sure. When you configured the DNS servers for the internal namespace, did you follow the guidance here to automatically detect?

      Reply
  7. Ian Randall

     /  October 6, 2016

    Richard,

    I have a 2012 DA environment set up using an ELB and just added the second node into the cluster. Everything has started okay, green ticks across the board except for DNS, which is complaining that none of the enterprise DNS servers can be reached. The odd thing is that the one it has noted is the 3333::1 address, which I believe is a loopback to the DNS6to4 service on the DA box.

    The first node which was created is fine; I can nslookup and it works fine, I get results back for any site I throw at it, but do that on node 2 and I get request timed out.

    I’ve checked firewall logs and I see allow for ICMP and DNS (53) inbound and outbound.

    I checked the DNS settings within step 3 of the setup wizard, and although during the initial setup these did resolve to IPv4 addresses, they do now all read as the correct 3333::1 record, which is the same as on node 1.

    I’m a little stumped now, any ideas where to look next?

    Reply
    • The 3333::1 address is expected, as it is the address of the DNS64 service running on the DirectAccess server. Make sure the second node can resolve internal names via its configured DNS servers, which should be your corporate DNS servers. If it fails, ensure that you have connectivity to/from those servers. Things to check are routes, subnet masks, and internal firewalls.

      Reply
  8. Suresh Gowda

     /  February 17, 2017

    We have a DA server and it has been working fine for some time;
    all clients are able to connect.
    Now we are finding a DNS status warning error in the DA status. When I turn off Windows Firewall all DA statuses are green; if the firewall is on, the DA DNS status will be an error. I have allowed the ports, still the same error persists.

    Reply
    • That’s certainly unusual, but I have no idea what the root cause might be. You might want to try disabling the Remote Access Management console connectivity check to see if that helps. You can do this by selecting Operations Status and then clicking Disable Connectivity Check (PING) in the Monitoring section of the Tasks pane.

      Reply
  9. Michael M

     /  March 27, 2017

    Richard, your tech bulletins have come in handy in setting up the DA server. I however am running into a small issue. My DA server internally cannot resolve DNames. Have you come across this? Not sure if that is a DA design or I am truly missing something. All other records are resolvable. Any ideas?

    Reply
    • If the DirectAccess server can’t resolve internal hostnames, obviously you’d have to look at the DNS settings on the DirectAccess server itself to ensure that it is using the right DNS servers (should be internal Active Directory domain servers) and that it can reach those servers on the network. After that, make sure the internal DNS servers are configured correctly.

      Reply
  10. Hi Richard:
    The domain I use to detect the DNS server comes back with an address that does not validate. But my operation statuses are all green. The DA client troubleshooter I ran on the client has 2 errors:
    1. cannot connect to domain sysvol share.
    2. cannot connect to http://directaccess-webprobehost.bcclsp.org
    How is that related to the DNS64 service? How can I fix this?

    Reply
    • If you specify the wrong DNS servers, DirectAccess clients won’t be able to connect but the Remote Access Management console can still show healthy. If you’ve followed the steps outlined in this post and it isn’t working, something is wrong with your configuration. The DNS64 service IPv6 address (typically ending in 3333::1) should always validate.

      Reply
      • Raymond Tsang

         /  March 31, 2017

        My DA server is a VM. I moved the VM from one host to another and it lost the domain trust relationship, so I took it out of the domain and rejoined, and the DA server breaks. I go through the wizard many times and the same DNS domain name it used to validate does not validate anymore.
        The DA client troubleshooting also said it could not find the gateway for the IPHTTPS interface.
        Can you point me in the right direction?

      • Moving the DirectAccess server is generally not advisable, as there are known issues with this especially if you change IP addresses. I would recommend removing the DirectAccess configuration completely and starting from scratch, but only after you’ve resolved any and all domain authentication and name resolution issues for the server first.

      • Raymond Tsang-Bellwoods

         /  April 3, 2017

        I am not able to find instructions on cleanly removing the DirectAccess configuration. Do you have any link I can go to?

      • You’ll find detailed guidance for uninstalling and removing DirectAccess here: https://directaccess.richardhicks.com/2017/04/13/uninstalling-and-removing-directaccess/
