DirectAccess Manage Out with ISATAP Fails on Windows 10 and Windows Server 2016

Note: The issue described in this article has been resolved in Windows 10 version 1703 (Creators Update). Making these changes is no longer required after installing the Creators Update release of Windows 10.

Introduction

For organizations that have implemented DirectAccess manage out using the Intrasite Automatic Tunnel Addressing Protocol (ISATAP), you may find connecting to remote DirectAccess clients by hostname using Windows 10 or Windows Server 2016 fails. Connections to remote DirectAccess clients using Windows 7, Windows 8.x, Windows Server 2008/2008R2, and Windows Server 2012/2012R2 work without issue.

Troubleshooting

On a Windows 10 or Windows Server 2016 host configured to use ISATAP for DirectAccess manage out, the remote DirectAccess client resolves to an IPv6 address correctly.

DirectAccess Manage Out with ISATAP Fails on Windows 10 and Windows Server 2016

In addition, a route to the DirectAccess client’s IPv6 prefix is also present in the routing table.

DirectAccess Manage Out with ISATAP Fails on Windows 10 and Windows Server 2016

Nevertheless, attempts to connect to the remote DirectAccess client by name fail.

DirectAccess Manage Out with ISATAP Fails on Windows 10 and Windows Server 2016

The DirectAccess client is reachable by its IPv6 address, however.

DirectAccess Manage Out with ISATAP Fails on Windows 10 and Windows Server 2016

Known Issue

There is a known issue with Windows 10 and Windows Server 2016 DNS client that prevents manage out using ISATAP on these operating systems from working correctly. A while back I wrote about implementing some registry entries as a workaround for this issue on Windows 10. Recently, Karsten Hentrup brought another effective workaround to my attention that also involves adding a registry entry on the ISATAP client machine. This method is preferred as it requires only one registry entry and does not adversely affect existing DNS operation. To make this change, on each machine that requires DirectAccess manage out functionality open an elevated PowerShell command window and run the following command.

New-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\” -Name AddrConfigControl -PropertyType DWORD -Value 0 -Force

Summary

When using ISATAP, ensure that this workaround is implemented on any Windows 10 or Windows Server 2016 machine that will require manage out functionality to remote DirectAccess clients.

Additional Resources

ISATAP Recommendations for DirectAccess Deployments

DirectAccess Client Firewall Rule Configuration for ISATAP Manage Out

Implementing DirectAccess with Windows Server 2012 R2 Book

DirectAccess Consulting Services

Leave a comment

6 Comments

  1. Ryan Arnold

     /  March 31, 2017

    Thank you! Was wondering why my server 2016 was having issues connecting to remote clients.

    Reply
  2. John2

     /  April 21, 2017

    Seems like a kludgy workaround.
    Is this a bug Microsoft knows about that will be fixed in an update for Server 2016 and Windows 10?

    Reply
    • Agreed. Microsoft is aware of the issue. Not sure when/if a fix is forthcoming. ISATAP is not commonly used and Microsoft may decide not to fix it.

      Reply
  3. I am experiencing this exact issue with my Help Desk clients trying to connect to Deployed Staff thats is connected via Direct Access. We are a majority Windows 10 shop. Sometimes the Help Desk is able to connect to Direct Access clients via SCCM and sometimes they’re not able to connect. The only common denominator that I have been able to find is the way the manage out client is resolving the DNS name of the DA client. If the manage out client is able to resolve the workstations via IPv6 address, then SCCM and PING works with no issues. If the workstation is unable to resolve via IPv6 then the manage out client is obviously not able to connect to the Direct Access client. Not sure why, but DNS resolving flip flops IPv4 and IPv6. I will try your registry entries and see if that corrects the issue.

    Reply
    • IPv6 must be used to communicate outbound to remote connected DirectAccess clients, no doubt about that. If the management server can’t resolve the client’s hostname to an IPv6 address, it won’t work. Keep in mind also that if the client restarts, it will often get a new IPv6 address and there may be a period of time in which internal DNS records may be stale. However, if you are trying to manage out from a Windows 10 or Windows Server 2016 box you’ll definitely need to implement the workaround outlined in this article for sure. 🙂

      Reply
  1. DirectAccess Manage Out and System Center Configuration Manager (SCCM) | Richard M. Hicks Consulting, Inc.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: