Error Message in a Step of the DirectAccess Setup Wizard

Updated: November 18, 2009

Applies To: Windows Server 2008 R2

The following sections describe problems that you might encounter on the pages of the DirectAccess Setup Wizard in the DirectAccess Management snap-in and how to correct them.

For additional information about events and errors encountered by the DirectAccess Setup Wizard, see the %SystemRoot%\Tracing\DASetup.log file.

Step 2-DirectAccess Server

Step 2 of the DirectAccess Setup Wizard has the following pages:

  • Connectivity

  • Prefix configuration

  • Certificate components

Connectivity page

On the Connectivity page, you select the interface that is connected to the Internet, the interface that is connected to the intranet (internal network), and specify whether you want to require smart cards for an additional level of authorization for access to the intranet.

The following table lists the most typical error messages you might see when selecting the Internet or intranet (internal network) interface.

Error message / Error condition and the steps to correct

Error message: The Internet interface must have two consecutive global Internet Protocol version 4 (IPv4) addresses configured. Select an interface with two consecutive global IPv4 addresses.

Error condition and steps to correct: The interface that you select must have two consecutive public IPv4 addresses statically assigned. These two consecutive addresses are needed by the DirectAccess server to act as a Teredo server.

Note
The DirectAccess Management console sorts the public IPv4 addresses alphabetically. Therefore, the DirectAccess Management console does not consider the following sets of addresses as consecutive: w.x.y.9 and w.x.y.10, which is sorted as w.x.y.10, w.x.y.9; w.x.y.99 and w.x.y.100, which is sorted as w.x.y.100, w.x.y.99; w.x.y.1, w.x.y.2, and w.x.y.10, which is sorted as w.x.y.1, w.x.y.10, w.x.y.2. Use a different set of consecutive addresses.

Error message: The Internet interface must not be classified as a domain network.

Error condition and steps to correct: The interface that you have specified for the Internet is connected to a network that contains a domain controller (the network has been assigned the Domain firewall profile). The Internet interface must be connected to a network that has been assigned the Public or Private profile. Select a different interface, or add outbound packet filters to the selected interface that block connectivity to the IP addresses of the domain controllers. For more information, see Configure Packet Filters to Block Access to Domain Controllers.

You can use the netsh advfirewall monitor show currentprofile command to display the networks to which your computer is attached and their assigned profiles. Then, use the Network Connections window to determine the networks to which the interfaces are connected.

Error message: The internal network interface must be classified as a domain network.

Error condition and steps to correct: The interface that you have specified for the intranet (internal network) is connected to a network that has been assigned the Private or Public firewall profile. The intranet interface must be connected to a network that has been assigned the Domain profile, which contains a domain controller. Select a different interface.

You can use the netsh advfirewall monitor show currentprofile command to display the networks to which your computer is attached and their assigned profiles. Then, use the Network Connections window to determine the networks to which the interfaces are connected.

Error message: The internal network interface does not have Domain Name System (DNS) server settings configured. Select an interface with DNS server settings configured.

Error condition and steps to correct: The intranet (internal network) interface must be manually configured with the IPv4 or Internet Protocol version 6 (IPv6) addresses of at least one intranet DNS server. Select another interface, or manually configure the appropriate interface with the IPv4 or IPv6 addresses of at least one intranet DNS server.

Error message: The internal network interface does not have a connection-specific DNS suffix. Select an interface with a connection-specific DNS suffix.

Error condition and steps to correct: The intranet (internal network) interface must be manually configured with a connection-specific DNS suffix that represents your intranet DNS namespace (for example, corp.contoso.com). Select another interface, or manually configure the appropriate interface with a connection-specific DNS suffix.

Error message: IPv6 was detected on your Internet interface. DirectAccess setup will apply settings without considering the IPv6 settings on the Internet interface.

Error condition and steps to correct: Your Internet interface has a global IPv6 address assigned. The DirectAccess Setup Wizard configures IPv6 for the intranet without regard to the IPv6 configuration of the Internet interface.

However, you will need to configure packet filters on the Internet interface to prevent the Internet interface from being assigned the Domain firewall profile. For more information, see Configure Packet Filters to Block Access to Domain Controllers.
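The Note above explains why address pairs such as w.x.y.9 and w.x.y.10 are rejected: the console orders the addresses as strings, so "10" sorts before "9" and the pair is no longer adjacent. The following added example (not part of the page or of the DirectAccess Management console) lets you check a planned set of Internet-interface addresses before running the wizard. It implements both a correct numeric check and a reproduction of the string-sort behaviour the Note describes, so you can see which address sets the wizard will accept. The sample addresses are constructed from the 203.0.113.0/24 documentation range.

```python
import ipaddress

# Constructed sample address sets for an Internet interface (documentation range,
# not addresses from any real deployment).
SAMPLE_INTERFACES = {
    "pair-9-10": ["203.0.113.9", "203.0.113.10"],            # consecutive, but string-sorted as 10, 9
    "pair-99-100": ["203.0.113.99", "203.0.113.100"],        # consecutive, but string-sorted as 100, 99
    "triple-1-2-10": ["203.0.113.1", "203.0.113.2", "203.0.113.10"],  # 1 and 2 are consecutive
    "pair-20-21": ["203.0.113.20", "203.0.113.21"],          # consecutive under both orderings
    "pair-20-22": ["203.0.113.20", "203.0.113.22"],          # gap of one address
}


def _adjacent_consecutive(ordered_addrs):
    """Walk an already ordered list and report the first neighbouring pair whose
    integer values differ by exactly one, or None."""
    nums = [int(ipaddress.IPv4Address(a)) for a in ordered_addrs]
    for a, b in zip(nums, nums[1:]):
        if b - a == 1:
            return (str(ipaddress.IPv4Address(a)), str(ipaddress.IPv4Address(b)))
    return None


def consecutive_pair_numeric(addrs):
    """Correct check: sort by the 32-bit integer value of each address."""
    ordered = sorted(addrs, key=lambda a: int(ipaddress.IPv4Address(a)))
    return _adjacent_consecutive(ordered)


def consecutive_pair_string_sorted(addrs):
    """Reproduces the behaviour the page describes: the addresses are sorted as
    strings ("203.0.113.10" < "203.0.113.9"), so only pairs that remain
    neighbours after that ordering are recognised."""
    ordered = sorted(addrs)  # lexicographic order, as in the console
    return _adjacent_consecutive(ordered)


def wizard_will_accept(addrs):
    """True only when the set is numerically consecutive AND survives the
    string-sort ordering, i.e. when the Connectivity page will not reject it."""
    return consecutive_pair_numeric(addrs) is not None and \
        consecutive_pair_string_sorted(addrs) is not None


def report(samples=SAMPLE_INTERFACES):
    """Map each sample name to (numeric pair, string-sorted pair, accepted)."""
    return {name: (consecutive_pair_numeric(a),
                   consecutive_pair_string_sorted(a),
                   wizard_will_accept(a))
            for name, a in samples.items()}


if __name__ == "__main__":
    for name, (numeric, string_sorted, ok) in report().items():
        print(f"{name:14} numeric={numeric} string_sorted={string_sorted} accepted={ok}")
```

Only the sets that are consecutive under both orderings pass the page's check; choose a pair such as w.x.y.20 and w.x.y.21, where the last octets have the same number of digits, rather than rearranging how the addresses are entered.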

Prefix Configuration page

On the Prefix Configuration page, which the DirectAccess Setup Wizard displays only when it detects global or unique local IPv6 addresses on the intranet interface, you specify the IPv6 prefix for your organization and the 64-bit prefix assigned to Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS)-based DirectAccess clients.

The following table lists the error messages you might see when specifying the organization or IP-HTTPS IPv6 prefixes.

Error message / Error condition and the steps to correct

Error message: The IPv6 prefix you provided for the internal network is not valid. Provide a valid IPv6 prefix.

Error condition and steps to correct: You have not specified a valid global or unique local address prefix for your organization.

Error message: The IPv6 prefix you provided to assign to the IPv6 addresses of remote client computers is not valid. Provide a valid IPv6 prefix.

Error condition and steps to correct: You have not specified a valid 64-bit global or unique local address prefix for your IP-HTTPS-based DirectAccess clients.

Error message: The network prefix you provided to assign to IPv6 addresses must be a subset of the internal network IPv6 prefix. Provide a valid IPv6 prefix.

Error condition and steps to correct: The 64-bit prefix for your IP-HTTPS-based DirectAccess clients must be based on the IPv6 prefix for your organization. For example, if your intranet IPv6 prefix is 2001:db8:4ac1::/48, your 64-bit prefix must be of the form 2001:db8:4ac1:xxxx::/64.
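The three prefix errors above amount to three rules: the organization prefix must be a global (2000::/3) or unique local (fc00::/7) prefix, the client prefix must be a 64-bit prefix from the same ranges, and the client prefix must lie inside the organization prefix. The following added example (not the wizard's own validation code) checks a planned pair of prefixes against those rules before you reach the Prefix Configuration page; the sample prefixes are the page's 2001:db8:4ac1::/48 example and a few constructed variants.

```python
import ipaddress

# Address ranges the page accepts: global unicast and unique local.
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")


def parse_prefix(text):
    """Parse a prefix such as '2001:db8:4ac1::/48'; host bits must be zero."""
    try:
        return ipaddress.IPv6Network(text, strict=True)
    except ValueError:
        return None


def is_global_or_unique_local(net):
    return net.subnet_of(GLOBAL_UNICAST) or net.subnet_of(UNIQUE_LOCAL)


def validate_prefixes(org_prefix_text, client_prefix_text):
    """Return the list of problems for an organization / IP-HTTPS client prefix
    pair. An empty list means both would be accepted."""
    problems = []

    org = parse_prefix(org_prefix_text)
    if org is None or not is_global_or_unique_local(org):
        problems.append("organization prefix is not a valid global or unique local prefix")

    client = parse_prefix(client_prefix_text)
    if client is None or client.prefixlen != 64 or not is_global_or_unique_local(client):
        problems.append("client prefix is not a valid 64-bit global or unique local prefix")

    # The subset rule is only meaningful once both prefixes parsed.
    if org is not None and client is not None and not client.subnet_of(org):
        problems.append("client prefix is not a subset of the organization prefix")

    return problems


def candidate_client_prefixes(org_prefix_text, count=4):
    """List the first few /64 prefixes inside the organization prefix, i.e. the
    2001:db8:4ac1:xxxx::/64 form the page describes."""
    org = parse_prefix(org_prefix_text)
    if org is None or org.prefixlen > 64:
        return []
    subnets = org.subnets(new_prefix=64)
    return [str(next(subnets)) for _ in range(count)]


if __name__ == "__main__":
    # Constructed sample pairs built around the page's example prefix.
    for org, client in [("2001:db8:4ac1::/48", "2001:db8:4ac1:1::/64"),
                        ("2001:db8:4ac1::/48", "2001:db8:4ac2:1::/64"),
                        ("2001:db8:4ac1::/48", "2001:db8:4ac1::/48"),
                        ("fe80::/64", "fe80::/64")]:
        print(org, client, validate_prefixes(org, client) or "OK")
    print(candidate_client_prefixes("2001:db8:4ac1::/48"))
```

Note that IPv6Network.subnet_of requires Python 3.7 or later; the check is purely syntactic and says nothing about whether the prefix is actually routed on your intranet.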

Certificate Components page

On the Certificate Components page, you select a root or intermediate certificate for IPsec authentication and the certificate used by the DirectAccess server for client-based authentication of IP-HTTPS connections.

The following table lists the most common error messages you might see when specifying the IP-HTTPS certificate.

Error message / Error condition and the steps to correct

Error message: The selected certificate has a subject name that is not valid. Select a certificate with a valid subject name.

Error condition and steps to correct: The certificate that you selected does not have a valid value in the Subject field. A valid Subject field is required to configure DirectAccess clients with a Secure Hypertext Transfer Protocol (HTTPS)-based uniform resource locator (URL) of the IP-HTTPS server (the DirectAccess server). To see the value of the Subject field, use the Certificates snap-in for the local computer store, obtain properties of the certificate, and then click the Details tab.

Error message: The selected certificate does not have a subject name. Select a certificate with a subject name.

or

The selected certificate does not contain a subject name.

Error condition and steps to correct: The certificate that you selected does not have a value in the Subject field. The Subject field is required to configure DirectAccess clients with an HTTPS-based URL of the IP-HTTPS server (the DirectAccess server).

Error message: The selected certificate does not have Server Authentication Enhanced Key Usage enabled.

Error condition and steps to correct: The certificate that you selected does not have the Server Authentication object identifier (OID) in the Enhanced Key Usage (EKU) field. The Server Authentication OID is required by the DirectAccess server to perform HTTPS-based authentications as the IP-HTTPS server. Select a certificate with a Server Authentication OID, or obtain a new certificate with a Server Authentication OID. To see the value of the EKU field, use the Certificates snap-in for the local computer store, obtain properties of the certificate, and then click the Details tab.

Error message: Unable to resolve the subject name of the certificate to a valid Internet Protocol (IP) address.

Error condition and steps to correct: The DirectAccess Setup Wizard cannot resolve the fully qualified domain name (FQDN) in the Subject field of the selected certificate. Select a certificate with a resolvable FQDN in the Subject field, or obtain a new certificate with a resolvable FQDN.

Step 3-Infrastructure Servers

Step 3 of the DirectAccess Setup Wizard has the following pages:

  • Location

  • DNS and Domain Controller

  • Management

The following sections describe the most typical problems encountered on the Location and DNS and Domain Controller pages.

Location page

On the Location page, you specify the HTTPS-based URL of the network location server or you specify that the DirectAccess server is the network location server and the certificate to use for HTTPS authentication.

For the HTTPS-based URL of the network location server, ensure the following:

  • You are specifying an HTTPS-based URL, rather than a Hypertext Transfer Protocol (HTTP)-based URL.

  • The URL is valid and can be reached from the DirectAccess server. To test reachability, click Verify or type the URL in your Web browser on the DirectAccess server. You should be able to view the Web page with no errors in the certificate authentication.

  • If you are using an IP address in the FQDN portion of the URL, it must be an IPv6 address and it must be reachable by the DirectAccess server using IPv6.

If you have selected the DirectAccess server as the network location server, you might see the message "The IP and Domain Restrictions role service of the Web Server (IIS) role must be installed for network location to work properly on the DirectAccess server. Install this role service and try again." The IP and Domain Restrictions role service prevents DirectAccess clients on the Internet from reaching the network location URL on the DirectAccess server.

Additionally, you cannot select the certificate that you are using for IP-HTTPS as the network location server certificate. Select another certificate or obtain an additional certificate with the Server Authentication OID. For more information about the network location certificate requirements, see Design Your PKI for DirectAccess.

DNS and Domain Controller page

On the DNS and Domain Controller page, you configure the rules in the Name Resolution Policy Table (NRPT) of DirectAccess clients. The DirectAccess Setup Wizard automatically creates default rules based on the configuration of the DirectAccess server. When you add new NRPT namespace rules, you must specify a namespace (with a leading period) and the IPv4 or IPv6 addresses of the DNS servers. When you add new NRPT exemption rules, you only specify the namespace or FQDN.

When configuring NRPT rules, ensure that:

  • You are using a valid DNS suffix or FQDN.

  • The FQDN for an exemption rule can be resolved to its IPv4 or IPv6 address. To test this, try to ping the name in a Command Prompt window.

When configuring the IP addresses for DNS servers, ensure the following:

  • They are not duplicated for a rule.

  • The DNS server is available on the network and is responding to DNS queries over IPv6. To test this, use the nslookup IntranetName DNSServerIPAddress command in a Command Prompt window.
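The rules above for NRPT entries are easy to get wrong by hand: a namespace rule needs a leading period, an exemption rule takes a bare namespace or FQDN, and the DNS server addresses for a rule must not repeat. The following added example (not part of the page or of the DirectAccess Management console) applies those syntactic checks to a planned rule set before it is typed into the DNS and Domain Controller page. It normalises addresses with the ipaddress module, so the same IPv6 server written two ways (for example 2001:db8::1 and 2001:DB8:0:0::1) is still caught as a duplicate. It does not replace the ping and nslookup reachability tests the page describes; the sample rules are constructed.

```python
import ipaddress
import re

# One DNS label: 1-63 characters, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_dns_name(name):
    """True when every label of a suffix or FQDN (without leading period) is well formed."""
    labels = name.split(".")
    return all(LABEL_RE.match(label) for label in labels)


def check_namespace_rule(namespace, dns_servers):
    """Problems for an NRPT namespace rule: '.corp.contoso.com' plus the IPv4 or
    IPv6 addresses of the intranet DNS servers. Empty list means the rule is
    syntactically acceptable."""
    problems = []
    if not namespace.startswith("."):
        problems.append("namespace must start with a leading period")
    elif not valid_dns_name(namespace[1:]):
        problems.append("namespace is not a valid DNS suffix")

    if not dns_servers:
        problems.append("at least one DNS server address is required")

    seen = set()
    for text in dns_servers:
        try:
            addr = ipaddress.ip_address(text)  # parses and canonicalises v4 and v6
        except ValueError:
            problems.append(f"{text!r} is not a valid IPv4 or IPv6 address")
            continue
        if addr in seen:
            problems.append(f"duplicate DNS server address {addr}")
        seen.add(addr)
    return problems


def check_exemption_rule(name):
    """Problems for an NRPT exemption rule, which takes only a namespace
    (leading period) or an FQDN and no DNS servers."""
    bare = name[1:] if name.startswith(".") else name
    if not bare or not valid_dns_name(bare):
        return [f"{name!r} is not a valid namespace or FQDN"]
    return []


def check_rule_set(namespace_rules, exemption_rules):
    """Validate a whole planned rule set; returns {rule: problems} for failing rules only."""
    results = {}
    for namespace, servers in namespace_rules:
        problems = check_namespace_rule(namespace, servers)
        if problems:
            results[namespace] = problems
    for name in exemption_rules:
        problems = check_exemption_rule(name)
        if problems:
            results[name] = problems
    return results


if __name__ == "__main__":
    # Constructed sample rule set (contoso.com names and documentation addresses).
    planned_namespace_rules = [
        (".corp.contoso.com", ["2001:db8::1", "2001:DB8:0:0::1"]),  # duplicate in disguise
        ("corp.contoso.com", ["10.0.0.1"]),                          # missing leading period
        (".lab.contoso.com", ["2001:db8::53", "10.0.0.53"]),          # acceptable
    ]
    planned_exemptions = ["nls.corp.contoso.com", "bad_name.contoso.com"]
    for rule, problems in check_rule_set(planned_namespace_rules, planned_exemptions).items():
        print(rule, "->", "; ".join(problems))
```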

Step 4-Application Servers

The most common problem in this step is the error message "You must have at least one computer object, or the corresponding IP address, in the selected security groups. Select a security group that contains at least one member."