DirectAccess with NAP Troubleshooting Guidance

Updated: June 1, 2010

Applies To: Windows Server 2008 R2

In most cases, the most effective way to troubleshoot a problem with a DirectAccess client in the DirectAccess with NAP solution is to try and isolate the problem to either of the following:

For a DirectAccess client on the Internet, an easy way to separate a NAP problem from a DirectAccess problem is to determine whether the client is compliant. You can perform this check with the following:

  • Run the netsh nap client show state command at a command prompt. If the Restriction state in the Client state section is Not restricted, the client is compliant.

  • Use the Certificates snap-in to check for a health certificate in the Personal\Certificates folder of the local computer certificates store. If a health certificate exists, the client is compliant.

If you are using full enforcement mode, a client that is not compliant will not be able to access the intranet.

If the client is not compliant, use Troubleshooting NAP Problems to determine the root cause of the NAP health validation problem.

If the client is not compliant because it cannot reach the HRAs and remediation servers on the intranet, see DirectAccess Client Cannot Establish Tunnels to the DirectAccess Server. For example, if the Network Access Protection message window states This computer doesn’t meet security standards defined by your network administrator but does not contain any information about the error condition, the DirectAccess client cannot reach the HRA on the intranet.

If the client is compliant but cannot access intranet resources other than the HRAs and remediation servers, see DirectAccess Client Cannot Establish Tunnels to the DirectAccess Server.

To learn more about NAP troubleshooting tools and to practice NAP health validation issues in a test lab, see the Test Lab Guide: Troubleshoot DirectAccess with NAP (https://go.microsoft.com/fwlink/?LinkId=193603).