DirectAccess Manage Out from Windows 10 Does Not Work

For DirectAccess manage out deployments using ISATAP, you may encounter a scenario in which you are unable to initiate outbound connections to connected DirectAccess clients from a Windows 10 computer. Outbound connections using ISATAP from Windows 7, Windows 8, Windows Server 2008/R2, or Windows Server 2012/R2 systems work without issue.


As it turns out, there is a bug in the Windows 10 DNS client code that prevents manage out using ISATAP from a Windows 10 client from working correctly. Thanks to the diligent effort of DirectAccess administrators Mike Piron and Jason Kuhns, a workaround has been identified. To deploy the workaround, it will be necessary to implement registry changes to alter the default behavior of the DNS resolver in Windows 10. You can implement these changes on a Windows 10 DirectAccess manage out machine by using the following PowerShell commands:

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\" -Name DisableParallelAandAAAA -PropertyType dword -Value 1 -Force

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\" -Name DisableServerUnreachability -PropertyType dword -Value 1 -Force

Once these registry changes have been made, you should now be able to use ISATAP for DirectAccess manage out connections from a Windows 10 machine.
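
Because these values change DNS resolver behavior for the whole machine, it helps to record what was there before and to be able to put it back once the bug is fixed. The following is an added example, not part of the original post: it audits, applies and reverts the two values above. The function names and the backup file location are assumptions, and it needs an elevated PowerShell session.

```powershell
# Added example, not from the original post. Run in an elevated session.
$DnsParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
$Workaround = [ordered]@{ DisableParallelAandAAAA = 1; DisableServerUnreachability = 1 }
$BackupPath = Join-Path $env:ProgramData 'ManageOutDns-backup.xml'   # assumed location

function Get-ManageOutDnsState {
    # Compare each value's current data ($null when absent) with the workaround.
    foreach ($name in $Workaround.Keys) {
        $item    = Get-ItemProperty -Path $DnsParams -Name $name -ErrorAction SilentlyContinue
        $current = if ($item) { $item.$name } else { $null }
        [pscustomobject]@{
            Name      = $name
            Current   = $current
            Desired   = $Workaround[$name]
            Compliant = ($current -eq $Workaround[$name])
        }
    }
}

function Set-ManageOutDnsWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $state = @(Get-ManageOutDnsState)
    # Record the pre-change values once, so a later revert restores the true baseline.
    if (-not (Test-Path $BackupPath)) {
        $state | Select-Object Name, Current | Export-Clixml -Path $BackupPath
    }
    foreach ($s in $state | Where-Object { -not $_.Compliant }) {
        if ($PSCmdlet.ShouldProcess("$DnsParams\$($s.Name)", "Set DWORD $($s.Desired)")) {
            New-ItemProperty -Path $DnsParams -Name $s.Name -PropertyType DWord `
                -Value $s.Desired -Force | Out-Null
        }
    }
}

function Undo-ManageOutDnsWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($b in Import-Clixml -Path $BackupPath) {
        if (-not $PSCmdlet.ShouldProcess("$DnsParams\$($b.Name)", 'Restore')) { continue }
        if ($null -eq $b.Current) {
            # The value did not exist before the workaround: remove it again.
            Remove-ItemProperty -Path $DnsParams -Name $b.Name -ErrorAction SilentlyContinue
        } else {
            New-ItemProperty -Path $DnsParams -Name $b.Name -PropertyType DWord `
                -Value $b.Current -Force | Out-Null
        }
    }
}
```

Run Get-ManageOutDnsState first to see what is currently set, then Set-ManageOutDnsWorkaround -WhatIf to preview the change before applying it.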


8 Comments

  1. Anthony

     /  November 12, 2015

    Thank you! This was driving me nuts for like three days!

    • Don’t thank me, thank Mike and Jason! They are the ones who brought it to my attention. I hadn’t yet tested that scenario and wasn’t aware of the issue before they approached me. Thankfully there’s an easy and effective workaround!

  2. Riccardo

     /  November 10, 2016

    +1
    Thank you very much, Mike and Jason … and Richard too for posting 🙂

    Riccardo (from Italy)

  3. Hello Richard,

    Thanks to Mike, Jason and you for sharing this information. Last month we had this problem in 4 different customer DA installations. We opened a ticket @M$ and got the information that a single reg hack will also work:

    HKLM\System\CCS\Services\DNSCACHE\Parameters
    REG_DWORD "AddrConfigControl"
    Value: 0

    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\" -Name AddrConfigControl -PropertyType dword -Value 0 -Force

    The supporter classified this case as a bug, let's see if anything changes in future versions of Win10/patch level. Meanwhile the registry hack is a workaround.

    I wrote a little blog entry (in German) with a pingback to this article:
    http://blog.forefront-tmg.de/?p=1454

    Greets from Germany,
    Karsten…

    • Thanks for the tip, Karsten! I’ll be sure to test that out soon. I’ll also update the blog post to reflect this new information. Thanks again!

  4. Glad to see this information is still helping people out periodically! Thanks again Rich for all of your assistance with diagnosing the issue and testing through workarounds.

  1. DirectAccess Manage Out funktioniert nicht von internen Windows 10 Clients… – Let's Talk
  2. DirectAccess Manage Out with ISATAP Fails on Windows 10 and Windows Server 2016 | Richard Hicks' DirectAccess Blog
