DirectAccess with NAP Troubleshooting Guidance
Veröffentlicht: April 2010
Letzte Aktualisierung: Juni 2010
Betrifft: Windows Server 2008 R2
In most cases, the most effective way to troubleshoot a problem with a DirectAccess client in the DirectAccess with NAP solution is to try and isolate the problem to either of the following:
An issue with system health validation and acquiring a health certificate (the NAP infrastructure)
See Troubleshooting NAP Problems in the Network Access Protection Troubleshooting Guide.
An issue with intranet access or network location detection (the DirectAccess infrastructure)
See Probleme mit DirectAccess-Verbindungen or Problembehandlung für die Netzwerkadressenerkennung in the Problembehandlungshandbuch für DirectAccess.
For a DirectAccess client on the Internet, an easy way to separate a NAP problem from a DirectAccess problem is to determine whether the client is compliant. You can perform this check with the following:
Run the netsh nap client show state command at a command prompt. If the Restriction state in the Client state section is Not restricted, the client is compliant.
Use the Certificates snap-in to check for a health certificate in the Personal\Certificates folder of the local computer certificates store. If a health certificate exists, the client is compliant.
If you are using full enforcement mode, a client that is not compliant will not be able to access the intranet.
If the client is not compliant, use Troubleshooting NAP Problems to determine the root cause of the NAP health validation problem.
If the client is not compliant because it cannot reach the HRAs and remediation servers on the intranet, see DirectAccess-Client kann keine Tunnel zum DirectAccess-Server einrichten. For example, if the Network Access Protection message window states This computer doesn’t meet security standards defined by your network administrator but does not contain any information about the error condition, the DirectAccess client cannot reach the HRA on the intranet.
If the client is compliant but cannot access intranet resources other than the HRAs and remediation servers, see DirectAccess-Client kann keine Tunnel zum DirectAccess-Server einrichten.
To learn more about NAP troubleshooting tools and to practice NAP health validation issues in a test lab, see the Test Lab Guide: Troubleshoot DirectAccess with NAP (http://go.microsoft.com/fwlink/?LinkId=193603).