Test Lab Guide: Troubleshoot DirectAccess

Microsoft Corporation

Published: January 2010
Updated: July 2010

Abstract

DirectAccess is a new feature in the Windows® 7 and Windows Server® 2008 R2 operating systems that enables remote users to securely access intranet shared folders, Web sites, and applications without connecting to a virtual private network (VPN). This document is a companion to the Test Lab Guide: Demonstrate DirectAccess and describes DirectAccess troubleshooting tools, the results of the tools in a working DirectAccess test lab, and how to troubleshoot common problems in the DirectAccess test lab.

Copyright Information

This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2010 Microsoft Corporation. All rights reserved.

Date of last update: July 27, 2010

Microsoft, Windows, Active Directory, Internet Explorer, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Contents

Introduction

In this guide

DirectAccess Troubleshooting Tools

DirectAccess Troubleshooting Tools in the Test Lab

Intranet subnet

netsh dnsclient show state

netsh namespace show policy

netsh namespace show effectivepolicy

netsh advfirewall monitor show currentprofile

Windows Firewall with Advanced Security snap-in

netsh interface isatap show state

netsh interface isatap show router

ipconfig /all

Internet subnet

netsh dnsclient show state

netsh namespace show effectivepolicy

netsh advfirewall monitor show currentprofile

Windows Firewall with Advanced Security snap-in

netsh interface 6to4 show state

netsh interface 6to4 show relay

ipconfig /all

Homenet subnet with Teredo connectivity

netsh advfirewall monitor show currentprofile

netsh interface teredo show state

ipconfig /all

Homenet subnet with IP-HTTPS connectivity

netsh interface httpstunnel show interfaces

ipconfig /all

Troubleshooting DirectAccess Client Connectivity Problems

Cannot resolve intranet FQDNs (root cause 1)

Break the configuration procedure

Step-by-step troubleshooting

Correct the configuration procedure

Cannot resolve intranet FQDNs (root cause 2)

Break the configuration procedure

Step-by-step troubleshooting

Correct the configuration procedure

Cannot access a specific intranet resource

Break the configuration procedure

Step-by-step troubleshooting

Correct the configuration procedure

DirectAccess client cannot correctly detect the intranet

Break the configuration procedure

Step-by-step troubleshooting

Correct the configuration procedure

DirectAccess client cannot complete an IP-HTTPS-based connection

Break the configuration procedure

Step-by-step troubleshooting

Correct the configuration procedure

Additional Resources

Introduction

DirectAccess is a new feature in the Windows® 7 and Windows Server® 2008 R2 operating systems that gives users the experience of being seamlessly connected to their intranet any time they have Internet access. With DirectAccess enabled, requests for intranet resources (such as e-mail servers, shared folders, or intranet Web sites) are securely directed to the intranet, without requiring users to connect to a VPN. DirectAccess provides increased productivity for a mobile workforce by offering the same connectivity experience both inside and outside the office.

In this guide

The DirectAccess test lab, as described in the Test Lab Guide: Demonstrate DirectAccess, contains four server computers running Windows Server 2008 R2 Enterprise Edition and two client computers running Windows 7 Ultimate Edition. The lab simulates an intranet, the Internet, and a home network and demonstrates DirectAccess in different Internet connection scenarios.

The DirectAccess test lab consists of:

One computer running Windows Server 2008 R2 Enterprise Edition named DC1 that is configured as an intranet domain controller, Domain Name System (DNS) server, Dynamic Host Configuration Protocol (DHCP) server, and an enterprise root certification authority (CA).

One intranet member server running Windows Server 2008 R2 Enterprise Edition named EDGE1 that is configured as the DirectAccess server.

One intranet member server running Windows Server 2008 R2 Enterprise Edition named APP1 that is configured as a general application server and network location server.

One standalone server running Windows Server 2008 R2 Enterprise Edition named INET1 that is configured as an Internet DNS and Web server.

One standalone client computer running Windows 7 Ultimate Edition named NAT1 that is configured as a network address translator (NAT) device using Internet Connection Sharing.

One roaming member client computer running Windows 7 Ultimate Edition named CLIENT1 that is configured as a DirectAccess client.

The DirectAccess test lab consists of three subnets that simulate the following:

  • The Internet (131.107.0.0/24).
  • A home network named Homenet (192.168.137.0/24) connected to the Internet by a NAT.
  • An intranet named Corpnet (10.0.0.0/24) separated from the Internet by the DirectAccess server.

Computers on each subnet connect using a hub or switch. See the following figure.

In the DirectAccess test lab, you connect CLIENT1 initially to the Corpnet subnet and join the intranet domain. After configuring EDGE1 as a DirectAccess server, you update CLIENT1 with the associated Group Policy settings. Then, you connect CLIENT1 to the Internet subnet and the Homenet subnet and test DirectAccess connectivity to intranet resources on the Corpnet subnet.

This guide uses the working DirectAccess test lab as a basis for describing DirectAccess troubleshooting tools and their results when the DirectAccess client is connected to the three different test lab subnets. This guide then takes you through various troubleshooting scenarios using topics in the DirectAccess Troubleshooting Guide and the troubleshooting tools to discover the root cause of the problem.

Important

This guide does not describe how to troubleshoot a non-functioning DirectAccess test lab. For general troubleshooting information, see the DirectAccess Troubleshooting Guide.

DirectAccess Troubleshooting Tools

Windows 7 and Windows Server 2008 R2 provide many tools for gathering information for DirectAccess problem determination and resolution. The following table lists the tools and describes their use and purpose for DirectAccess. For additional information, see Tools for Troubleshooting DirectAccess.

Tool / Description
Windows Network Diagnostics / To access Windows Network Diagnostics, right-click the network connection icon in the notification area, and then click Troubleshoot problems
Windows Network Diagnostics has extensive support for DirectAccess connections and in many cases provides the user with information about the root cause of the problem.
Troubleshooting item in Control Panel / To focus troubleshooting on DirectAccess and collect additional information, you can use the Connection to a Workplace Using DirectAccess troubleshooter in the Troubleshooting item of Control Panel.
Network and Windows Firewall tracing / For performing detailed troubleshooting for networking problems, network and Windows Firewall tracing provides information about internal Windows component interaction. For more information, see Network Diagnostics and Tracing.
netsh dnsclient show state command / Displays DNS client settings.
Use this command to determine the DirectAccess client’s location and whether DirectAccess Name Resolution Policy Table (NRPT) rules have been configured and are active.
netsh namespace show policy command / Displays the rules in the NRPT as configured with Group Policy.
Use this command to ensure that the DirectAccess client has received the NRPT rules from Group Policy.
netsh namespace show effectivepolicy command / Displays the active rules in the NRPT.
Use this command to show whether the DirectAccess client has determined that it is on the Internet (DirectAccess NRPT rules are present) or the intranet (DirectAccess NRPT rules are not present).
netsh advfirewall monitor show currentprofile command / Displays the current networks and the Windows Firewall profiles to which they are assigned.
Use this command to determine which profile is active. The DirectAccess connection security rules are configured for the private and public profiles only, so the client should be using them to reach the intranet through the DirectAccess server only when no connected network is in the domain profile.
netsh interface isatap show state command / Displays the current state of the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) component.
Use this command to determine if ISATAP component has been disabled.
netsh interface isatap show router command / Displays the current ISATAP router configuration.
Use this command to display how the DirectAccess client is discovering the ISATAP router.
netsh interface teredo show state command / Displays the current state of the Teredo client component.
Use this command to determine the name or address of the Teredo server and if the Teredo client component has been disabled.
netsh interface 6to4 show state command / Displays the current state of the 6to4 component.
Use this command to determine if the 6to4 component has been disabled.
netsh interface 6to4 show relay command / Displays the configuration settings of the 6to4 relay.
Use this command to determine the address or name that the 6to4 component of the DirectAccess client is using for the 6to4 relay.
netsh interface httpstunnel show interfaces command / Displays the settings and state of the Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS) component.
Use this command to determine the current state of the IP-HTTPS component, any error conditions, and the IP-HTTPS uniform resource locator (URL).
ipconfig /all command / Displays the current TCP/IP configuration, including Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) addresses and settings.
Use this command to determine which interfaces have been configured with global IPv6 addresses.
nslookup -q=aaaa IntranetFQDN IntranetDNSServerIPv6Address command / Simulates the DNS queries of DirectAccess clients.
Use this command to simulate the behavior of the DirectAccess client when the DirectAccess-based NRPT rules are active. Nslookup.exe does not use the NRPT. If you do not specify the IPv6 address of the intranet DNS server, Nslookup.exe will send its queries to interface-configured DNS servers.
nltest /dsgetdc: /force command / Displays information about Active Directory Domain Services (AD DS).
Use this command to determine whether DirectAccess clients, DirectAccess servers, and intranet resources can locate and contact domain controllers for Internet Protocol security (IPsec) authentication.
Windows Firewall with Advanced Security snap-in / The monitoring node displays current connection security rules, main mode security associations (SAs), and quick mode SAs. For more information, see Windows Firewall with Advanced Security.
Use this snap-in to determine whether there are active connection security rules and IPsec SAs on a DirectAccess client.
Resultant Set of Policy snap-in / Displays the set of Group Policy objects (GPOs) that are applied to a computer or user.
Use this snap-in to determine whether DirectAccess GPOs have been applied to DirectAccess clients or servers.
Event Viewer snap-in / Displays events for Windows Firewall, intranet detection, and IPsec audit events.
Use this snap-in to see the details of intranet detection and IPsec negotiation issues. For more information, see Event Viewer.
Certificates snap-in / Displays the installed certificates and their properties.
Use this snap-in to verify that the correct certificates are installed with the correct field values. For more information, see Certificates.
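When a DirectAccess client misbehaves, the first thing a support engineer wants is the output of every command in the table, captured at the moment of failure, so that it can be compared with the working-lab output reproduced later in this guide. The following PowerShell script is an added example and is not part of the original guide or of Windows. It runs on the client (Windows 7, PowerShell 2.0 or later) from an elevated prompt. The intranet FQDN, the intranet DNS server address, and the domain name default to test-lab values and are assumptions to change for another environment; the nslookup line names the intranet DNS server explicitly because Nslookup.exe does not use the NRPT. The netsh advfirewall monitor show consec, mmsa, and qmsa commands are the command-line counterparts of the Monitoring node of the Windows Firewall with Advanced Security snap-in.

```powershell
# Added example (not code from the original guide): collect the output of the
# DirectAccess troubleshooting commands into one file for offline comparison.
# Assumptions: elevated PowerShell prompt on the DirectAccess client; the
# parameter defaults are test-lab values (the DNS server address is the one
# carried by the NRPT rule for .corp.contoso.com).
param(
    [string]$IntranetFqdn      = 'app1.corp.contoso.com',
    [string]$IntranetDnsServer = '2002:836b:2:1:0:5efe:10.0.0.1',
    [string]$Domain            = 'corp.contoso.com',
    [string]$OutDir            = $env:TEMP
)

$commands = @(
    'netsh dnsclient show state',
    'netsh namespace show policy',
    'netsh namespace show effectivepolicy',
    'netsh advfirewall monitor show currentprofile',
    # Command-line counterparts of the snap-in's Monitoring node:
    'netsh advfirewall monitor show consec',    # active connection security rules
    'netsh advfirewall monitor show mmsa',      # main mode SAs
    'netsh advfirewall monitor show qmsa',      # quick mode SAs
    'netsh interface isatap show state',
    'netsh interface isatap show router',
    'netsh interface 6to4 show state',
    'netsh interface 6to4 show relay',
    'netsh interface teredo show state',
    'netsh interface httpstunnel show interfaces',
    'ipconfig /all',
    # Nslookup.exe bypasses the NRPT, so the intranet DNS server is named
    # explicitly to reproduce what the client does when its NRPT rules are active.
    "nslookup -q=aaaa $IntranetFqdn $IntranetDnsServer",
    "nltest /dsgetdc:$Domain /force"
)

$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$outFile = Join-Path $OutDir "da-client-state-$($env:COMPUTERNAME)-$stamp.txt"

"DirectAccess client state for $env:COMPUTERNAME, collected $(Get-Date)" |
    Out-File -FilePath $outFile -Encoding ASCII

foreach ($cmd in $commands) {
    "`r`n===== $cmd =====" | Out-File -FilePath $outFile -Append -Encoding ASCII
    # cmd.exe runs the command so that stderr (a disabled component, a failed
    # lookup) is captured in the file as well, not just on the console.
    cmd.exe /c "$cmd 2>&1" | Out-File -FilePath $outFile -Append -Encoding ASCII
}

Write-Host "Wrote $outFile"
```

Save the script as Get-DaClientState.ps1 and run it on CLIENT1 while the client is attached to each subnet in turn; the three files then serve as the baseline against which a broken lab can be diffed.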

DirectAccess Troubleshooting Tools in the Test Lab

This section describes the display of key troubleshooting tools when CLIENT1 is connected to the Intranet, Internet, and Homenet subnets.

Intranet subnet

When CLIENT1 is attached to the Intranet subnet, it obtains an IPv4 address configuration, including its DNS server, from DC1. As an ISATAP host, CLIENT1 also automatically configures an ISATAP address on an ISATAP interface. Because it is attached to the intranet, there should not be any active rules in the NRPT nor any active connection security rules or IPsec SAs.

The following sections use DirectAccess troubleshooting tools and commands to display the state of CLIENT1 when it is attached to the Intranet subnet.

netsh dnsclient show state

The following is the display of the netsh dnsclient show state command on CLIENT1 when it is connected to the Intranet subnet:

Name Resolution Policy Table Options
------
Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                        if the name does not exist in DNS or
                                        if the DNS servers are unreachable
                                        when on a private network
Query Resolution Behavior             : Resolve only IPv6 addresses for names
Network Location Behavior             : Let Network ID determine when Direct
                                        Access settings are to be used
Machine Location                      : Inside corporate network
Direct Access Settings                : Configured and Disabled
DNSSEC Settings                       : Not Configured

Notice the Machine Location, which indicates that CLIENT1 has determined that it is located on the intranet (Inside corporate network).

netsh namespace show policy

The following is the display of the netsh namespace show policy command on CLIENT1 when it is connected to the Intranet subnet:

DNS Name Resolution Policy Table Settings

Settings for nls.corp.contoso.com
------
Certification authority               : DC=com, DC=contoso, DC=corp, CN=corp-DC1-CA
DNSSEC (Validation)                   : disabled
DNSSEC (IPsec)                        : disabled
DirectAccess (DNS Servers)            :
DirectAccess (IPsec)                  : disabled
DirectAccess (Proxy Settings)         : Bypass proxy

Settings for .corp.contoso.com
------
Certification authority               : DC=com, DC=contoso, DC=corp, CN=corp-DC1-CA
DNSSEC (Validation)                   : disabled
DNSSEC (IPsec)                        : disabled
DirectAccess (DNS Servers)            : 2002:836b:2:1:0:5efe:10.0.0.1
DirectAccess (IPsec)                  : disabled
DirectAccess (Proxy Settings)         : Bypass proxy

Because the netsh namespace show policy command displays the NRPT rules obtained from Group Policy, its display will not change when CLIENT1 moves to the Internet and Homenet subnets.
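The two rules above are easier to read, and to compare across clients, as objects. The following PowerShell function is an added example, not part of the original guide or of Windows: it parses the output of netsh namespace show policy (or saved output passed through -Text) and labels each rule by whether it carries DirectAccess DNS servers. A rule with an empty server list, like the one for nls.corp.contoso.com, is an exemption: names under it are resolved with the interface-configured DNS servers instead of being sent to the intranet DNS server over DirectAccess, so the network location server is never reached through the DirectAccess tunnel and intranet detection succeeds only when the client really is on the intranet. The parser assumes the Windows 7 output layout shown above and does not join a value that netsh wraps onto a second line, such as the certification authority name.

```powershell
# Added example, not code from the original guide. Parses the output of
# "netsh namespace show policy" (Windows 7 layout) into one object per rule.
# Pass saved output through -Text to analyse a file collected from another client.
function Get-DaNrptRule {
    param([string[]]$Text = (netsh namespace show policy))

    $rules   = @()
    $current = $null
    foreach ($line in $Text) {
        if ($line -match '^\s*Settings for (\S+)') {
            if ($current) { $rules += $current }
            $current = New-Object PSObject -Property @{
                Namespace  = $Matches[1]
                CA         = $null
                DnsServers = @()
                Ipsec      = $null
                Proxy      = $null
            }
            continue
        }
        if (-not $current) { continue }
        if ($line -match '^\s*Certification authority\s*:\s*(.*)$') {
            $current.CA = $Matches[1].Trim()      # first line only if netsh wrapped it
        }
        elseif ($line -match '^\s*DirectAccess \(DNS Servers\)\s*:\s*(.*)$') {
            # An empty server list makes the rule an exemption (see lead-in).
            $current.DnsServers = @($Matches[1].Trim() -split '[,\s]+' | Where-Object { $_ })
        }
        elseif ($line -match '^\s*DirectAccess \(IPsec\)\s*:\s*(\S+)') {
            $current.Ipsec = $Matches[1]
        }
        elseif ($line -match '^\s*DirectAccess \(Proxy Settings\)\s*:\s*(.*)$') {
            $current.Proxy = $Matches[1].Trim()
        }
    }
    if ($current) { $rules += $current }

    foreach ($r in $rules) {
        $role = if ($r.DnsServers.Count -eq 0) { 'Exemption (interface DNS)' } else { 'DirectAccess (intranet DNS)' }
        Add-Member -InputObject $r -MemberType NoteProperty -Name Role -Value $role
    }
    return $rules
}

# One line per namespace, in the order netsh lists them.
Get-DaNrptRule |
    Format-Table Namespace, Role, @{ Name = 'DnsServers'; Expression = { $_.DnsServers -join ', ' } }, Proxy -AutoSize
```

On CLIENT1 in the working lab the table shows nls.corp.contoso.com as an exemption and .corp.contoso.com pointing at 2002:836b:2:1:0:5efe:10.0.0.1; a missing exemption row or a .corp.contoso.com row with no DNS server is the first thing to look for when name resolution or intranet detection fails.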

netsh namespace show effectivepolicy

The following is the display of the netsh namespace show effectivepolicy command on CLIENT1 when it is connected to the Intranet subnet:

DNS Effective Name Resolution Policy Table Settings
Note: DirectAccess settings would be turned off when computer is inside corporate network

There should not be any active NRPT rules when CLIENT1 is connected to the Intranet subnet.

netsh advfirewall monitor show currentprofile

The following is the display of the netsh advfirewall monitor show currentprofile command on CLIENT1 when it is connected to the Intranet subnet:

Domain Profile:
------
corp.contoso.com

Ok.

CLIENT1 has detected the domain controller for the corp.contoso.com domain (DC1) and the presence of the network location server (APP1).

Windows Firewall with Advanced Security snap-in

The following is the Monitoring\Connection Security Rules node of the Windows Firewall with Advanced Security snap-in on CLIENT1 when it is connected to the Intranet subnet:

Because the connected network (corp.contoso.com) is in the domain profile and the DirectAccess connection security rules are configured for the public or private profiles, there are no active DirectAccess connection security rules.

netsh interface isatap show state

The following is the display of the netsh interface isatap show state command on CLIENT1 when it is connected to the Intranet subnet:

ISATAP State : enabled

CLIENT1 should have the ISATAP component enabled.

netsh interface isatap show router

The following is the display of the netsh interface isatap show router command on CLIENT1 when it is connected to the Intranet subnet:

Router Name          : default
Use Relay            : default
Resolution Interval  : default

CLIENT1 should have the default settings for the ISATAP component, which means that it will attempt to locate the intranet ISATAP router by querying the name ISATAP.
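The sections above define what a healthy client on the Intranet subnet looks like: location detected as inside the corporate network, DirectAccess settings configured but disabled, no effective NRPT rules, the connected network in the domain profile, and ISATAP enabled with default router discovery. The following PowerShell function, an added example that is not part of the original guide or of Windows, runs the same netsh commands and reports which of those expectations fail. It assumes an elevated prompt on the client and defaults the domain name to the lab's corp.contoso.com; the hints in parentheses point at the scenarios in the Troubleshooting DirectAccess Client Connectivity Problems section of this guide.

```powershell
# Added example, not code from the original guide. Checks that a client on the
# Intranet subnet shows the state the preceding sections describe, using the
# same netsh commands. Assumes an elevated PowerShell prompt on the client;
# the domain name defaults to the test lab's corp.contoso.com.
function Test-DaIntranetState {
    param([string]$Domain = 'corp.contoso.com')

    $findings = @()

    # netsh dnsclient show state: location must be inside the corporate network
    # and the DirectAccess settings must be present but switched off.
    $state = netsh dnsclient show state | Out-String
    if ($state -notmatch 'Machine Location\s*:\s*Inside corporate network') {
        $findings += 'Machine Location is not "Inside corporate network" (intranet detection failed).'
    }
    if ($state -notmatch 'Direct Access Settings\s*:\s*Configured and Disabled') {
        $findings += 'Direct Access Settings are not "Configured and Disabled" (check that the DirectAccess GPO applied).'
    }

    # netsh namespace show policy: the Group Policy rules must be present on every subnet.
    $policy = netsh namespace show policy | Out-String
    if ($policy -notmatch ('Settings for \.' + [regex]::Escape($Domain))) {
        $findings += "No NRPT rule for .$Domain from Group Policy (run gpupdate /force and retry)."
    }

    # netsh namespace show effectivepolicy: no rule may be active on the intranet.
    $effective = netsh namespace show effectivepolicy | Out-String
    if ($effective -match 'Settings for ') {
        $findings += 'NRPT rules are active; the client believes it is on the Internet.'
    }

    # netsh advfirewall monitor show currentprofile: the connected network must be
    # in the domain profile, which requires the domain controller to be detected.
    $fwProfile = netsh advfirewall monitor show currentprofile | Out-String
    if ($fwProfile -notmatch 'Domain Profile:') {
        $findings += 'No network in the domain profile (domain controller not detected).'
    }

    # ISATAP must be enabled and discover its router by the default name ISATAP.
    $isatap = (netsh interface isatap show state | Out-String) +
              (netsh interface isatap show router | Out-String)
    if ($isatap -notmatch 'ISATAP State\s*:\s*enabled') {
        $findings += 'ISATAP component is disabled.'
    }
    if ($isatap -notmatch 'Router Name\s*:\s*default') {
        $findings += 'ISATAP router name is not default; a router was configured by hand.'
    }

    if ($findings.Count -eq 0) {
        Write-Host "$env:COMPUTERNAME matches the expected intranet state."
    } else {
        foreach ($f in $findings) { Write-Warning $f }
    }
    return ($findings.Count -eq 0)
}

Test-DaIntranetState
```

Run it right after attaching CLIENT1 to the Corpnet subnet. The same structure, with the expectations inverted (NRPT rules active, private or public profile, a 6to4, Teredo or IP-HTTPS interface with a global address), gives the equivalent check for the Internet and Homenet subnets described next.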

ipconfig /all

The following is the display of the ipconfig /all command on CLIENT1 when it is connected to the Intranet subnet:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : CLIENT1
   Primary Dns Suffix  . . . . . . . : corp.contoso.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : corp.contoso.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.contoso.com
   Description . . . . . . . . . . . : ADMtek AN983 based ethernet adapter
   Physical Address. . . . . . . . . : 00-04-5A-56-0F-FF
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::b52f:36dc:be07:9d6d%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.0.0.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, December 08, 2009 10:26:13 AM
   Lease Expires . . . . . . . . . . : Wednesday, December 16, 2009 10:26:17 AM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 10.0.0.1
   DHCPv6 IAID . . . . . . . . . . . : 369099866
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-15-01-C8-00-13-72-2B-34-07