DirectAccess NRPT Configuration with Split DNS

DirectAccess NRPT Configuration with Split DNSThe Name Resolution Policy Table (NRPT) in Windows provides policy-based name resolution request routing for DNS queries. DirectAccess uses the NRPT to ensure that only requests for resources in the internal namespace, as defined by the DirectAccess administrator, are sent over the DirectAccess connection. DNS queries for all other namespaces are sent to the DNS servers defined on the client’s network interface.

Note: This behavior changes when force tunneling is enabled. In this case, all DNS queries are sent over the DirectAccess connection with the exception of the NLS and the DirectAccess server’s public hostname(s). If force tunneling is enabled, the configuration guidance described below is not required.

Split DNS

NRPT configuration is straightforward when the internal and external namespaces are unique. However, when split DNS is used, meaning when the internal and external namespaces are the same, DirectAccess configuration is more challenging. Typically, there may be many resources that should not go over the DirectAccess connection, such as public-facing web servers, email and unified communications servers, federation servers, etc. Without additional configuration, requests for all of these services would go over the DirectAccess connection. That may or may not be desirable, depending on the requirements of the implementation.

DirectAccess Server

One crucial public resource is the DirectAccess server itself. When using split DNS, the DirectAccess implementation’s public hostname will, by default, be included in the internal namespace. In this scenario, the DirectAccess client will fail to establish a connection to the DirectAccess server.

Troubleshooting

When troubleshooting failed connectivity, the output of ipconfig will show the IP-HTTPS tunnel interface media state as “Media disconnected”.

DirectAccess NRPT Configuration with Split DNS

The output of Get-NetIPHttpsState will also return an error code 0x2AF9 with an interface status “Failed to connect to the IPHTTPS server; waiting to reconnect”.

DirectAccess NRPT Configuration with Split DNS

To further troubleshoot this issue, examine the output of Get-NetIPHttpsConfiguration. Test name resolution of the FQDN listed in the ServerURL field. If the issue is related to NRPT configuration, the client will fail to resolve this name to an IP address. Testing from a non-DirectAccess client should resolve correctly, however.

DirectAccess NRPT Configuration with Split DNS

NRPT Configuration

If split DNS is employed, it is necessary to include the DirectAccess server’s public hostname in the NRPT as an exemption. This will cause the DNS query for the public hostname to use public DNS servers, allowing the DirectAccess client to establish a connection successfully.

To resolve this issue, open the Remote Access Management console on the DirectAccess server, highlight DirectAccess and VPN under Configuration, and then click Edit on Step 3. Select DNS, and then double-click on an empty row in the table.

DirectAccess NRPT Configuration with Split DNS

Enter the public hostname for the DirectAccess deployment in the DNS suffix field (the public hostname can be found by clicking Edit on Step 2). Do NOT specify a DNS server. Click Apply, click Next twice, and then click Finish.

DirectAccess NRPT Configuration with Split DNS

Note: For multisite deployments, be sure to include the public hostname for each entry point in the enterprise. Also, if multisite is configured to use GSLB, include the GSLB hostname as well.

PowerShell

Alternatively, you can run the following PowerShell commands to automatically configure the NRPT for split DNS. For multisite deployments, be sure to run these commands on at least one DirectAccess server in each site.

$hostname = Get-RemoteAccess | Select-Object -ExpandProperty ConnectToAddress
Add-DAClientDnsConfiguration -DnsSuffix $hostname -PassThru

If multisite is configured to use GSLB, run the following PowerShell commands on one DirectAccess server in the enterprise.

$gslbfqdn = Get-DAMultiSite | Select-Object -ExpandProperty GslbFqdn
Add-DAClientDnsConfiguration -DnsSuffix $gslbfqdn -PassThru

Additional Information

Troubleshooting DirectAccess IP-HTTPS Error 0x2af9

DirectAccess DNS Not Working Properly

DirectAccess DNS Records Explained

Troubleshooting Name Resolution Issue on DirectAccess Clients

Outlook Offline over DirectAccess on Windows 10

Outlook Offline over DirectAccess on Windows 10You may encounter a scenario in which Outlook on Windows 10 reports that it is working offline while connected remotely via DirectAccess. The Network Connectivity Status Indicator (NCSI) shows DirectAccess is in a connected state and all other internal resources are accessible.

Outlook Offline over DirectAccess on Windows 10

This is caused by the default settings of the IP-HTTPS tunnel interface on the DirectAccess server not advertising a default route for connected DirectAccess clients. To resolve this issue, enable default route advertising for IP-HTTPS on each DirectAccess server in the enterprise by running the following PowerShell command.

Get-NetIPInterface | Where-Object {$_.InterfaceAlias -eq “IPHTTPSInterface”} | Set-NetIPInterface -AdvertiseDefaultRoute Enabled -PassThru

Outlook Offline over DirectAccess on Windows 10

In the past I’ve heard reports of this setting being overwritten after group policy refresh. Recent testing on Windows Server 2016 does not show this behavior, however. Please report any results you may have in the comments below. Thanks!

PowerShell Recommended Reading for DirectAccess and Always On VPN Administrators

PowerShell Recommended Reading for DirectAccess and Always On VPN AdministratorsPowerShell is an important skill for administrators supporting Microsoft workloads including DirectAccess and Always On VPN. Using PowerShell to install required roles and features is much simpler and quicker than using the Graphical User Interface (GUI), with only a single command required to accomplish this task. Some settings aren’t exposed in the GUI and can only be configured using PowerShell. In addition, PowerShell makes the task of troubleshooting DirectAccess and Always On VPN much easier.

Learn PowerShell

One of the best resources for learning PowerShell is the book Learn PowerShell in a Month of Lunches authored by Microsoft MVPs and recognized PowerShell experts Don Jones and Jeff Hicks. This book, now in its third edition, should be considered essential reading for all Microsoft administrators. Click here for more details.

PowerShell Recommended Reading for DirectAccess and Always On VPN Administrators

Learn PowerShell Scripting

Recently Don and Jeff released a new book entitled Learn PowerShell Scripting in a Month of Lunches. This new book builds upon the skills learned in their first title by focusing on the development of PowerShell scripts to automate many common administrative tasks. PowerShell scripts can also be used to build custom, reusable tools to more effectively manage and monitor Microsoft workloads. Click here for more details.

PowerShell Recommended Reading for DirectAccess and Always On VPN Administrators

PowerShell for the Future

In my experience, far too many administrators today lack crucial PowerShell abilities. Don’t get left behind! PowerShell is rapidly becoming a required skill, so get these books and start learning PowerShell today!

Additional Resources

Top 5 DirectAccess Troubleshooting PowerShell Commands

Configure Windows Server Core to use PowerShell by Default

 

TechMentor Conference Orlando 2017

I'm Speaking at Live!360 and TechMentor Event 2017 in Orlando, Florida November 12-17. Join me!I’m pleased to announce that I’ll be speaking at the TechMentor Conference (which is part of Live! 360) in Orlando, FL. The event takes place November 12-17 and I will be delivering several sessions on DirectAccess, DNS policies, and network troubleshooting in Windows Server 2016. More details these sessions can be found here.

TMT02 – Implementing DirectAccess with Windows Server 2016

TMW01 – Network Troubleshooting for Windows Administrators

TMW04 – Introducing DNS Policies in Windows Server 2016

Sign up using promotion code LSPK34 and save $500.00. Register now!

 

 

Top 5 DirectAccess Troubleshooting PowerShell Commands

Top 5 DirectAccess Troubleshooting PowerShell CommandsNative PowerShell commands in Windows 10 make DirectAccess troubleshooting much easier than older operating systems like Windows 7. For example, with one PowerShell command an administrator can quickly determine if a DirectAccess client has received the DirectAccess client settings policy. In addition, PowerShell can be used to view the status of the connection and retrieve additional information or error codes that can be helpful for determining the cause of a failed connection. Further, PowerShell can also be used to review configuration details and perform other troubleshooting and connectivity validation tasks.

Here are my top 5 PowerShell commands for troubleshooting DirectAccess on Windows 10.

1. Get-DAClientExperienceConfiguration

Ensuring that the DirectAccess Client Settings group policy has been applied to the client is one of the first steps in troubleshooting failed DirectAccess connections. While it is possible to use gpresult to do this, using the Get-DAClientExperienceConfiguration PowerShell command is much simpler. If DirectAccess client settings have been applied, the output of the command will include information such as the IPsec tunnel endpoint IPv6 addresses and the Network Connectivity Assistant (NCA) corporate resource URL. If DirectAccess client settings have not been applied, this information will be missing.

Top 5 DirectAccess Troubleshooting PowerShell Commands

Figure 1. DirectAccess Client Settings group policy successfully applied.

Top 5 DirectAccess Troubleshooting PowerShell Commands

Figure 2. DirectAccess Client Settings group policy not applied.

2. Get-NetIPHttpsState

Performance improvements first introduced in Windows 8 have made IP-HTTPS the IPv6 transition technology of choice when it comes to supporting DirectAccess client connectivity. Also, if the DirectAccess server is located behind an edge device performing Network Address Translation (NAT), IP-HTTPS is the only supported transition technology. Using the Get-NetIPHttpsState PowerShell command, the DirectAccess administrator can quickly determine if the IP-HTTPS connection was successful. If it was not, the command will return an error code and interface status that will indicate why the IP-HTTPS connection was unsuccessful.

Top 5 DirectAccess Troubleshooting PowerShell Commands

Figure 3. Get-NetIPHttpsState

3. Get-NetIPHttpsConfiguration

When troubleshooting IP-HTTPS connection failures, it is necessary to obtain additional information to continue the troubleshooting process. Using the Get-NetIPHttpsConfiguration PowerShell command, the DirectAccess administrator can obtain the public hostname for the DirectAccess server and ensure that the name resolves to the correct IP address in DNS and that it is reachable on TCP port 443.

Top 5 DirectAccess Troubleshooting PowerShell Commands

Figure 4. Get-NetIPHttpsConfiguration

4. Resolve-DnsName

Using the Resolve-DnsName PowerShell command is crucial when performing any name resolution tasks on the DirectAccess client. This is because Resolve-DnsName is aware of the Name Resolution Policy Table (NRPT) and will direct name resolution requests accordingly. Tools like nslookup are DNS server testing tools and are unaware of the NRPT. Typically they do not yield expected results when testing name resolution on a DirectAccess client.

Top 5 DirectAccess Troubleshooting PowerShell Commands

Figure 5. Name resolution results from Resolve-DnsName and nslookup.

5. Get-DnsClientNrptPolicy

Often the cause of DirectAccess client connectivity issues is a misconfigured NRPT. Using the Get-DnsClientNrptPolicy PowerShell command the DirectAccess administrator can validate that name resolution requests for host names in any internal namespaces are being sent to the DirectAccess DNS64 IPv6 address.

Top 5 DirectAccess Troubleshooting PowerShell Commands

Figure 6. Get-DnsClientNrptPolicy

Additional Resources

Top 5 DirectAccess Troubleshooting Tips

Troubleshooting Name Resolution Issues on DirectAccess Clients

Learn PowerShell in a Month of Lunches Book by Don Jones and Jeff Hicks

Implementing DirectAccess with Windows Server 2016 Book

Planning and Implementing DirectAccess with Windows Server 2016 Video Training Course

Managing and Supporting DirectAccess with Windows Server 2016 Video Training Course

 

 

DirectAccess Reporting Fails and Schannel Event ID 36871 after Disabling TLS 1.0

IMPORTANT NOTE: The guidance in this post will disable support for null SSL/TLS cipher suites on the DirectAccess server. This will result in reduced scalability and performance for all clients, including Windows 8.x and Windows 10. It is recommended that TLS 1.0 not be disabled on the DirectAccess server if at all possible.

When performing security hardening on the DirectAccess server it is not uncommon to disable weak cipher suites or insecure protocols such as SSL 3.0 and TLS 1.0. However, after disabling SSL 3.0 and TLS 1.0 you will find that it is no longer possible generate reports. Clicking the Generate Report link in the Remote Access Management console returns no data.

DirectAccess Reporting Fails after Disabling TLS 1.0

In addition, the System event log indicates Schannel errors with Event ID 36871. The error message states that “A fatal error occurred while creating a TLS client credential. The internal error state is 10013.”

DirectAccess Reporting Fails after Disabling TLS 1.0

To resolve this issue and restore DirectAccess reporting functionality you must enable the use of FIPS compliant encryption algorithms on the DirectAccess server. This change can be made locally or via Active Directory group policy. Open the Group Policy Management Console (gpmc.msc) for Active Directory GPO, or the Local Group Policy Editor (gpedit.msc) on the DirectAccess server and navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. Double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing and select Enabled.

DirectAccess Reporting Fails after Disabling TLS 1.0

If using Active Directory GPO, ensure that the GPO is applied all DirectAccess servers in the organization. A restart is not required for this setting to take effect. Once this change has been made, reporting should work as expected.

Additional Resources

DirectAccess IP-HTTPS SSL and TLS Insecure Cipher Suites
DirectAccess Video Training Courses on Pluralsight
Implementing DirectAccess with Windows Server 2016 Book on Amazon.com

Managing and Supporting DirectAccess with Windows Server 2016 Video Training Course on Pluralsight

Planning and Implementing DirectAccess with Windows Server 2016I’m pleased to announce my newest video training course, Managing and Supporting DirectAccess with Windows Server 2016, is now available on Pluralsight! This new course is a follow-up to my previous course, Planning and Implementing DirectAccess with Windows Server 2016. This latest course builds upon the first one and covers advanced configuration such as enabling load balancing, configuring geographic redundancy, and enforcing strong user authentication using one-time passwords (OTP) and smart cards.

In addition, monitoring and reporting is covered, as well as implementing manage out for DirectAccess clients in supported scenarios. The course also includes a full hour of in-depth DirectAccess configuration and connectivity troubleshooting that will be valuable for all DirectAccess administrators.

The course includes the following training modules:

Configuring High Availability
Enabling Strong User Authentication
DirectAccess Monitoring and Reporting
Implementing Outbound Management for DirectAccess Clients
DirectAccess Troubleshooting

Throughout the course, I share valuable knowledge and insight gained from more than 5 years of experience deploying DirectAccess for some of the largest organizations in the world. Pluralsight offers a free trial subscription if you don’t already have one, so watch my latest DirectAccess video training course today!

Additional Resources

Planning and Implementing DirectAccess with Windows Server 2016 on Pluralsight
Managing and Supporting DirectAccess with Windows Server 2016 on Pluralsight
Implementing DirectAccess with Windows Server 2016 book

Top 5 DirectAccess Troubleshooting Tips

Top 5 DirectAccess Troubleshooting TipsDirectAccess is a thing of beauty when everything is working as it should. When it isn’t, troubleshooting can be quite challenging. DirectAccess relies on many Windows platform technologies such as Active Directory for authentication, PKI for certificate management, group policy for settings deployment, IPsec for encryption, and IPv6 for transport. With so many dependencies, locating the source of the problem can be a difficult and daunting task.

I’m frequently called upon to help organizations of all sizes with DirectAccess troubleshooting. While this post is not intended to be a detailed, prescriptive guide for DirectAccess troubleshooting, I did want to share some common troubleshooting tips based on many years of troubleshooting DirectAccess.

Here are my top 5 DirectAccess troubleshooting tips:

  1. Check Prerequisites – Before diving in and collecting network traces and scouring event logs for clues as to why DirectAccess isn’t working, it’s essential to start at the beginning. Often the source of trouble is missing or misconfigured prerequisites. For example, is the DirectAccess client running a supported operating system? Remember, clients must be running Windows 10 Enterprise or Education, Windows 8.x Enterprise, or Windows 7 Enterprise or Ultimate. Also, ensure that the Windows firewall is enabled on DirectAccess servers and clients, that certificates are installed and valid (trusted, correct EKU, etc.), and that the DirectAccess settings GPO has been applied to servers and clients.
  2. Validate External Connectivity – If you are following implementation and security best practices for DirectAccess, the DirectAccess server will be in a perimeter/DMZ network behind an edge firewall. The firewall must be configured to allow inbound TCP port 443 only. If the firewall is also performing Network Address Translation (NAT), the NAT rule must be configured to forward traffic to the DirectAccess server’s dedicated or virtual IP address (VIP), or the VIP of the load balancer. Watch for routing issues when using load balancers too. It’s a good idea to confirm external connectivity using the Test-NetConnection PowerShell command. Even better, use the open source tool Nmap for more thorough testing.
  3. Remove Third Party Software – I can’t tell you how many times I’ve resolved DirectAccess connectivity issues by removing (not just disabling!) third party software on the client and/or server. It’s not uncommon for third-party security software to interfere with IPsec and/or IPv6 communication, both of which are vital to DirectAccess. If your DirectAccess troubleshooting efforts reveal no underlying issues with prerequisites or external connectivity, I’d suggest removing (at least temporarily) any third-party software and testing again.
  4. Isolate Environmental Issues – Occasionally other settings applied manually or via Active Directory group policy will interfere with DirectAccess. Examples include IPv6 being disabled in the registry, IPv6 transition technologies required to support DirectAccess are turned off, essential firewall rules for DirectAccess are disabled, or manipulating local security settings such as Access this computer from the network. To assist with troubleshooting it might be necessary to temporarily place DirectAccess clients and servers in their own dedicated Organizational Units (OUs) and block inheritance to isolate the configuration as much as possible. In addition, if DirectAccess clients are servers are provisioned using images or templates, testing with a clean build straight from the installation source (ISO or DVD) can be helpful.
  5. Check for Unsupported Configurations – If DirectAccess isn’t working, it might be possible the configuration you are trying to use is not supported. Examples including strong user authentication with OTP when force tunneling is enabled, provisioning Windows 7 clients when using Kerberos Proxy authentication, or provisioning Windows 10 clients when Network Access Protection (NAP) integration is enabled. These configurations won’t work and are formally documented here.

This is by no means a comprehensive or exhaustive troubleshooting guide. For more information and additional DirectAccess troubleshooting guidance I would encourage you to purchase my book Implementing DirectAccess with Windows Server 2016, which has an entire chapter devoted just to troubleshooting. In addition, watch my DirectAccess video training courses on Pluralsight for details and information about DirectAccess installation, configuration, management, support, and troubleshooting. And if you’re still struggling to resolve a DirectAccess problem, use the form at the bottom of this page to contact me to inquire about additional troubleshooting help.

Additional Resources

Microsoft Windows DirectAccess Client Troubleshooting Tool
DirectAccess and Windows 10 Professional
DirectAccess Troubleshooting with Nmap
DirectAccess Unsupported Configurations
Planning and Implementing DirectAccess with Windows Server 2016 Video Training Course on Pluralsight
Implementing DirectAccess with Windows Server 2016 Book

Need assistance with DirectAccess troubleshooting? Complete the form below and I’ll get in touch with you.

KEMP LoadMaster Load Balancer Certificate Format Invalid

When implementing a KEMP LoadMaster load balancer, one of the first configuration tasks performed is importing root and intermediate Certification Authority (CA) certificates. When doing this, it is not uncommon to encounter the following error message.

Certificate Format Invalid.

KEMP LoadMaster Load Balancer Certificate Invalid

To resolve this issue, .CER files must first be converted to .PEM format before being imported in to the LoadMaster. Using OpenSSL, .CER files can quickly be converted to .PEM with the following command.

openssl x509 -inform der -in example.cer -out example.pem

Optionally, .CER files can be converted to .PEM online here.

If the root and/or intermediate certificates are from an internal PKI, export the certificates using the Base-64 encoded x.509 (.CER) option. Certificates exported using this format can be imported directly in to the LoadMaster without first having to be converted to .PEM.

KEMP LoadMaster Load Balancer Certificate Format Invalid

Pro tip: When entering the Certificate Name, it is not necessary to enter a file extension. The name will be appended with .PEM automatically upon import.

KEMP LoadMaster Load Balancer Certificate Format Invalid

KEMP LoadMaster Load Balancer Certificate Format Invalid

Additional Resources

DirectAccess Deployment Guide for KEMP LoadMaster Load Balancers

Maximize Your Investment in Windows 10 with KEMP LoadMaster Load Balancers

DirectAccess and the FREE KEMP LoadMaster Load Balancer

Configure KEMP LoadMaster Load Balancer for DirectAccess Network Location Server (NLS)

Planning and Implementing DirectAccess Video Training Course on Pluralsight

Implementing DirectAccess with Windows Server 2016 Book

DirectAccess Network Connectivity Assistant Missing in Windows 10

Occasionally when troubleshooting DirectAccess connectivity issues I will encounter a scenario in which a client will have an established DirectAccess connection, but DirectAccess does not appear in the Network & Internet settings window in the user interface.

Windows 10 DirectAccess Network Connectivity Assistant Missing

In addition, the Get-DAConnectionStatus PowerShell command returns the following error.

Network Connectivity Assistant service is stopped or not responding.

Windows 10 DirectAccess Network Connectivity Assistant Missing

This commonly occurs when the Network Connectivity Assistant service (NcaSvc) fails to start. The issue can be easily resolve by simply starting the NCA service using the following PowerShell command.

Start-Service NcaSvc

Once the service has been started, DirectAccess will appear in the Network & Internet settings window.

Windows 10 DirectAccess Network Connectivity Assistant Missing

Additional Resources

Planning and Implementing DirectAccess with Windows Server 2016 on Pluralsight

Implementing DirectAccess with Windows Server 2016 Book

DirectAccess Consulting Services

%d bloggers like this: