DirectAccess Troubleshooting and the Windows 10 Network Connectivity Assistant

DirectAccess Troubleshooting and the Windows 10 Network Connectivity AssistantOne of the first places administrators look for information about the DirectAccess client connection is the Network Connectivity Assistant (NCA). The NCA is used to view current connection status and to gather detailed information that is helpful for troubleshooting failed DirectAccess connections. The NCA was first integrated with the client operating system beginning with Windows 8. Similar functionality can be extended to Windows 7 clients by installing and configuring the Windows 7 DirectAccess Connectivity Assistant (DCA).


The DirectAccess NCA can be accessed by pressing the Windows Key + I and then clicking on Network & Internet and DirectAccess. Here you’ll find a helpful visual indicator of current connectivity status, and for multisite deployments you’ll also find details about the current entry point.

DirectAccess Troubleshooting and the Windows 10 Network Connectivity Assistant

DirectAccess Missing?

If DirectAccess does not appear in the list, open an elevated PowerShell window and restart the Network Connectivity Assistant service (NcaSvc) using the following command.

Restart-Service NcaSvc

If you receive the error “Failed to start service ‘Network Connectivity Assistant (NcaSvc)‘”, ensure that the client operating system is Enterprise or Education edition. The NCA service will always fail to start on Professional edition as it is not a supported DirectAccess client.

Log Collection

The DirectAccess NCA also provides access to crucial troubleshooting information. Clicking on the Collect button creates a detailed diagnostic log file that is often helpful for troubleshooting DirectAccess connectivity issues.

DirectAccess Troubleshooting and the Windows 10 Network Connectivity Assistant

Troubleshooting Info Missing?

The option to collect a log, and email it to your IT admin will only be displayed if a support email address is defined in the DirectAccess configuration. To define a support email address, open the Remote Access Management console and perform the following steps.

1. Click Edit on Step 1.
2. Click Network Connectivity Assistant.
3. Enter an email address in the Helpdesk email address field.
4. Click Finish to complete Step 1.
5. Click Finish to apply the changes.

Email Program

Microsoft assumes that an end user will be generating the DirectAccess client troubleshooting log and will be emailing them to their administrator. If an email program is not installed on the client, the following information is displayed.

There is no email program associated to perform the requested action. Please install an email program or, if one is already installed, create an associate in the Default Programs control panel.

DirectAccess Troubleshooting and the Windows 10 Network Connectivity Assistant

If you wish to simply view the log file on the client and not email them, you can find the generated DirectAccess troubleshooting log file in HTML format in the following location.


DirectAccess Troubleshooting and the Windows 10 Network Connectivity Assistant

Unable to Generate Log Files

There are numerous reports that generating the DirectAccess troubleshooting log fails on Windows 10 v1709. DirectAccess administrators have been reporting that the process seems to fail during the creation of the log file, leaving it truncated and incomplete. To resolve this issue, open an elevated PowerShell window and enter the following command.

New-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\NcaSvc\” -Name SvcHostSplitDisable -PropertyType DWORD -Value 1 -Force

The computer must be restarted for this change to take effect. If initial testing of this workaround is successful, the registry setting can be pushed out to all DirectAccess clients using Active Directory Group Policy Preferences.

Additional Information

Installing and Configuring DirectAccess Connectivity Assistant 2.0 on Windows 7 Clients

Planning and Implementing DirectAccess with Windows Server 2016 Video Training Course on Pluralsight

Managing and Supporting DirectAccess with Windows Server 2016 Video Training Course on Pluralsight

Implementing DirectAccess with Windows Server 2016 Book

Leave a comment


  1. Nickett

     /  April 4, 2018

    Hi Richard, any referece on what the SvcHostSplitDisable string is? It fixed our issue with collecting logs but I have no clue why.

  2. Chris Moore

     /  July 25, 2018

    Thought I’d follow up on the SvcHostSplitDisable bit – there’s a good write-up here on why things changed in 1703, and what that value does:

    Essentially in this case, it’s ensuring the NCA service doesn’t get split away from it’s NetSvcs group.

  3. It is worth noting that the software Intel Online Connect, WILL make Direct Access hang in connecting state, and thus needs to be uninstalled (or the service disabled)

  4. Jason Hall

     /  October 30, 2020

    Hi Richard,

    We’ve been having an intermittent issue on our system for about the last 6-12months; obviously this has gained more exposure with Covid and the increase of staff working from home.

    What we are seeing is that the iphelper service on the client systems will stop responding/crash. We’re unable to restart it, requiring a reboot of the client to fix.

    We had a support case open with MS for a while, but it went nowhere. We were never able to capture a crash while running their requested traces as the issue is so random and intermittent… We’ve never found a way to trigger it at will.

    Is this something you have seen before? Or could give any pointers to tracking down the cause?

    All clients are on win10 v1809; though I’m currently validating our 1909 build and have experienced it on that system too.

    • I’ve not seen this specific issue myself. The only thing I can suggest is testing with a clean build. No third-party software installed (security or management) and a dedicated OU with inheritance blocked and only the DirectAccess client settings GPO applied. If you are still having issues then, it is most likely a bug in Windows.

      • Mark Ghobril

         /  May 28, 2022

        I have installed Direct Access on a full Server 2019 environment

        Here is the following
        On the network Direct Access recognizing this and displays the same message concerning being connected locally

        Once connected remotely there is no access to the domain but I do have internet access despite both the adapter and direct access stating there is not. The site is not cached

        I cannot ping the IP4 address of the Location Server

        I can ping the IPv6 Gateway

        I believe I am looking at a DNS issue but cannot quite understand this

        The NLA is configured with a single network adapter on the same internal network with a NAT configure from the public internet for HTTPS

        In addition the host would not work without adding a host record on the local host file pointing to the public IP despite being able to ping the record.

      • First, you will never be able to ping any resources using IPv4 over DirectAccess. DirectAccess is IPv6 exclusively. Also, the NLS is not reachable over the DirectAccess tunnel, so not being able to reach it when outside the network is expected and by design. You should not have to use hosts file entries to get DirectAccess to work, for sure. However, if you are using split DNS, you will need to add the DirectAccess public FQDN to your NRPT configuration as an exemption. Details here.

  5. BD

     /  March 9, 2021

    Hi Richard,

    Our organisation is having regular issues with the DA stuck in a connecting state. Normally a gpupdate via a secondary VPN or a reboot solves the issue. Problem is DA on one machine has been stuck in this state for around 5 days. Any rational explanation for this (The above has been attempted)?

    • When DirectAccess reports “Connecting” can you access any on-premises resources over the DirectAccess tunnel at all? Can you resolve on-premises names to IPv6 addresses? Can you access file shares via UNC path or RDP into an internal host?

  6. You have one explanation for the “Failed to start service ‘Network Connectivity Assistant (NcaSvc)”, which is that the OS is not Windows 10 Enterprise/Education.

    However, do you have any suggestions if a user see this message even when OS is confirmed to be Windows 10 Enterprise?


    • I’ve never encountered another scenario in which this service didn’t start. I’d have a look in the event log for any other clues.

  7. Lindy

     /  July 8, 2021

    Hi Richard

    Please assist Direct access is stuck on connecting then says ipv6 is disabled contact administrator

    • DirectAccess requires IPv6 for operation. If it is indeed disabled, you will have to enable it. No way around that, unfortunately.

  8. Ace

     /  November 22, 2021

    Hi Richard,

    We use Direct Access as our default remote access platform but also use another 3rd party vpn access tool.

    When users ‘Direct Access’ is connected they are able to access internal resources, however, when they use the other vpn connection, while it connects, Direct Access stays on connecting and internal resources can’t be accessed at all. We need to wait for the DA connection to drop and then things start to work over the other vpn tool.

    Sometimes multiple reboots and retries eventually get the user working over the 3rd party vpn.

    Any thoughts or pointers to check please?

    • Not sure, but it sounds like perhaps the VPN client is trying to resolve the public FQDN over the DirectAccess connection and failing, or maybe getting the incorrect IP address back. With DirectAccess connected, make sure the FQDN used by the VPN client resolves correctly. Be sure to use the PowerShell command Resolve-DnsName too. You may need to add the VPN FQDN to the NRPT in the DirectAccess configuration, which is quite common.

  9. Seems the SvcHostSplitDisable workaround is always required, even on Windows 11.


Leave a Reply

%d bloggers like this: