One of the first places administrators look for information about the DirectAccess client connection is the Network Connectivity Assistant (NCA). The NCA is used to view current connection status and to gather detailed information that is helpful for troubleshooting failed DirectAccess connections. The NCA was first integrated with the client operating system beginning with Windows 8. Similar functionality can be extended to Windows 7 clients by installing and configuring the Windows 7 DirectAccess Connectivity Assistant (DCA).
NCA
The DirectAccess NCA can be accessed by pressing the Windows Key + I and then clicking on Network & Internet and DirectAccess. Here you’ll find a helpful visual indicator of current connectivity status, and for multisite deployments you’ll also find details about the current entry point.
DirectAccess Missing?
If DirectAccess does not appear in the list, open an elevated PowerShell window and restart the Network Connectivity Assistant service (NcaSvc) using the following command.
Restart-Service NcaSvc
If you receive the error “Failed to start service ‘Network Connectivity Assistant (NcaSvc)’”, ensure that the client operating system is Enterprise or Education edition. The NCA service will always fail to start on Professional edition as it is not a supported DirectAccess client.
Log Collection
The DirectAccess NCA also provides access to crucial troubleshooting information. Clicking on the Collect button creates a detailed diagnostic log file that is often helpful for troubleshooting DirectAccess connectivity issues.
Troubleshooting Info Missing?
The option to collect a log and email it to your IT admin will only be displayed if a support email address is defined in the DirectAccess configuration. To define a support email address, open the Remote Access Management console and perform the following steps.
1. Click Edit on Step 1.
2. Click Network Connectivity Assistant.
3. Enter an email address in the Helpdesk email address field.
4. Click Finish to complete Step 1.
5. Click Finish to apply the changes.
Email Program
Microsoft assumes that an end user will be generating the DirectAccess client troubleshooting log and emailing it to their administrator. If an email program is not installed on the client, the following information is displayed.
There is no email program associated to perform the requested action. Please install an email program or, if one is already installed, create an association in the Default Programs control panel.
If you wish to simply view the log file on the client and not email it, you can find the generated DirectAccess troubleshooting log file in HTML format in the following location.
%SystemDrive%\Users\%Username%\AppData\Local\Temp
Unable to Generate Log Files
There are numerous reports that generating the DirectAccess troubleshooting log fails on Windows 10 v1709. DirectAccess administrators have been reporting that the process seems to fail during the creation of the log file, leaving it truncated and incomplete. To resolve this issue, open an elevated PowerShell window and enter the following command.
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NcaSvc\" -Name SvcHostSplitDisable -PropertyType DWORD -Value 1 -Force
The computer must be restarted for this change to take effect. If initial testing of this workaround is successful, the registry setting can be pushed out to all DirectAccess clients using Active Directory Group Policy Preferences.
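The checks described in the sections above can be gathered in one read-only pass before changing anything on a client. The following is an added example, not part of the original article; the function name Test-NcaPrerequisite is hypothetical, and it assumes the built-in DirectAccess client cmdlets are available and that the window is elevated under the affected user's own account.

```powershell
# Added example: read-only checks for the NCA problems described above.
# Nothing here modifies the client; it only reports current state.

function Test-NcaPrerequisite {   # hypothetical helper name
    $r = [ordered]@{}

    # Edition: NcaSvc fails to start on Professional (Enterprise/Education only).
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $r.Edition          = $cv.EditionID
    $r.EditionSupported = $cv.EditionID -match 'Enterprise|Education'

    # Service state: DirectAccess is missing from Settings when NcaSvc is not running.
    $svc = Get-Service -Name NcaSvc -ErrorAction SilentlyContinue
    $r.NcaSvcStatus = if ($svc) { $svc.Status } else { 'NotFound' }

    # Workaround for truncated logs: SvcHostSplitDisable should be 1 (reboot required).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NcaSvc'
    $val = (Get-ItemProperty -Path $key -Name SvcHostSplitDisable `
            -ErrorAction SilentlyContinue).SvcHostSplitDisable
    $r.SvcHostSplitDisable = if ($null -ne $val) { $val } else { 'NotSet' }

    # Helpdesk email: the log collection option is hidden when this is empty.
    $da = Get-DAClientExperienceConfiguration -ErrorAction SilentlyContinue
    $r.SupportEmail = if ($da -and $da.SupportEmail) { $da.SupportEmail } else { 'NotConfigured' }

    # Newest HTML file in the user's temp folder. The article gives the folder
    # but not a file name, so this is only a candidate; a very small size
    # suggests the truncated log described above.
    $log = Get-ChildItem -Path $env:TEMP -Filter *.html -File -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $r.NewestHtmlInTemp = if ($log) { $log.FullName } else { 'None' }
    $r.NewestHtmlBytes  = if ($log) { $log.Length } else { 0 }

    [pscustomobject]$r
}

Test-NcaPrerequisite | Format-List
```

The generated log contains details of the client's DirectAccess configuration, so treat a copy left in the temp folder as sensitive.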
Additional Information
Installing and Configuring DirectAccess Connectivity Assistant 2.0 on Windows 7 Clients
Planning and Implementing DirectAccess with Windows Server 2016 Video Training Course on Pluralsight
Managing and Supporting DirectAccess with Windows Server 2016 Video Training Course on Pluralsight
Nickett
/ April 4, 2018
Hi Richard, any reference on what the SvcHostSplitDisable string is? It fixed our issue with collecting logs but I have no clue why.
Richard M. Hicks
/ April 6, 2018
No idea. I just know that it resolves the issue. 🙂
Nickett
/ April 9, 2018
LOL. Thanks 🙂
Chris Moore
/ July 25, 2018
Thought I’d follow up on the SvcHostSplitDisable bit – there’s a good write-up here on why things changed in 1703, and what that value does: http://www.aitltd.com/2017/05/03/svchost-service-refactoring-in-windows-10-v1703/
Essentially in this case, it’s ensuring the NCA service doesn’t get split away from its NetSvcs group.
Richard M. Hicks
/ July 25, 2018
Thanks Chris! 🙂
Michael Schmidt
/ January 8, 2019
It is worth noting that the software Intel Online Connect, WILL make Direct Access hang in connecting state, and thus needs to be uninstalled (or the service disabled)
Jason Hall
/ October 30, 2020
Hi Richard,
We’ve been having an intermittent issue on our system for about the last 6-12 months; obviously this has gained more exposure with Covid and the increase of staff working from home.
What we are seeing is that the iphelper service on the client systems will stop responding/crash. We’re unable to restart it, requiring a reboot of the client to fix.
We had a support case open with MS for a while, but it went nowhere. We were never able to capture a crash while running their requested traces as the issue is so random and intermittent… We’ve never found a way to trigger it at will.
Is this something you have seen before? Or could give any pointers to tracking down the cause?
All clients are on win10 v1809; though I’m currently validating our 1909 build and have experienced it on that system too.
Richard M. Hicks
/ November 1, 2020
I’ve not seen this specific issue myself. The only thing I can suggest is testing with a clean build. No third-party software installed (security or management) and a dedicated OU with inheritance blocked and only the DirectAccess client settings GPO applied. If you are still having issues then, it is most likely a bug in Windows.
Mark Ghobril
/ May 28, 2022
I have installed Direct Access on a full Server 2019 environment
Here is the following
On the network Direct Access recognizing this and displays the same message concerning being connected locally
Once connected remotely there is no access to the domain but I do have internet access despite both the adapter and direct access stating there is not. The site is not cached
I cannot ping the IP4 address of the Location Server
I can ping the IPv6 Gateway
I believe I am looking at a DNS issue but cannot quite understand this
The NLA is configured with a single network adapter on the same internal network with a NAT configure from the public internet for HTTPS
In addition the host would not work without adding a host record on the local host file pointing to the public IP despite being able to ping the record.
Richard M. Hicks
/ June 2, 2022
First, you will never be able to ping any resources using IPv4 over DirectAccess. DirectAccess is IPv6 exclusively. Also, the NLS is not reachable over the DirectAccess tunnel, so not being able to reach it when outside the network is expected and by design. You should not have to use hosts file entries to get DirectAccess to work, for sure. However, if you are using split DNS, you will need to add the DirectAccess public FQDN to your NRPT configuration as an exemption. Details here.
https://directaccess.richardhicks.com/2017/12/26/directaccess-nrpt-configuration-with-split-dns/
BD
/ March 9, 2021
Hi Richard,
Our organisation is having regular issues with the DA stuck in a connecting state. Normally a gpupdate via a secondary VPN or a reboot solves the issue. Problem is DA on one machine has been stuck in this state for around 5 days. Any rational explanation for this (The above has been attempted)?
Richard M. Hicks
/ March 9, 2021
When DirectAccess reports “Connecting” can you access any on-premises resources over the DirectAccess tunnel at all? Can you resolve on-premises names to IPv6 addresses? Can you access file shares via UNC path or RDP into an internal host?
bikkerbokker
/ March 26, 2021
You have one explanation for the “Failed to start service ‘Network Connectivity Assistant (NcaSvc)’”, which is that the OS is not Windows 10 Enterprise/Education.
However, do you have any suggestions if a user sees this message even when the OS is confirmed to be Windows 10 Enterprise?
Thanks
Richard M. Hicks
/ March 27, 2021
I’ve never encountered another scenario in which this service didn’t start. I’d have a look in the event log for any other clues.
Lindy
/ July 8, 2021
Hi Richard
Please assist Direct access is stuck on connecting then says ipv6 is disabled contact administrator
Richard M. Hicks
/ July 8, 2021
DirectAccess requires IPv6 for operation. If it is indeed disabled, you will have to enable it. No way around that, unfortunately.
Ace
/ November 22, 2021
Hi Richard,
We use Direct Access as our default remote access platform but also use another 3rd party vpn access tool.
When users ‘Direct Access’ is connected they are able to access internal resources, however, when they use the other vpn connection, while it connects, Direct Access stays on connecting and internal resources can’t be accessed at all. We need to wait for the DA connection to drop and then things start to work over the other vpn tool.
Sometimes multiple reboots and retries eventually get the user working over the 3rd party vpn.
Any thoughts or pointers to check please?
Richard M. Hicks
/ November 22, 2021
Not sure, but it sounds like perhaps the VPN client is trying to resolve the public FQDN over the DirectAccess connection and failing, or maybe getting the incorrect IP address back. With DirectAccess connected, make sure the FQDN used by the VPN client resolves correctly. Be sure to use the PowerShell command Resolve-DnsName too. You may need to add the VPN FQDN to the NRPT in the DirectAccess configuration, which is quite common.
Michael Niehaus
/ March 14, 2022
Seems the SvcHostSplitDisable workaround is always required, even on Windows 11.
Richard M. Hicks
/ March 15, 2022
Interesting. Good to know! 🙂