DirectAccess Client Cannot Access Intranet Resources

Updated: November 18, 2009

Applies To: Windows Server 2008 R2

A DirectAccess client uses Internet Protocol version 6 (IPv6) exclusively to access intranet resources across the DirectAccess connection with the DirectAccess server. When a DirectAccess client queries the intranet Domain Name System (DNS) servers, it requests only IPv6 addresses. The intranet DNS server will respond with IPv6 addresses in the following cases:

  • The intranet resource server is IPv6-capable and has registered its unique local or global IPv6 addresses in DNS.

    In this case, the DirectAccess client can connect to the intranet resource server using end-to-end IPv6 addresses. A client application on the DirectAccess client can communicate with its corresponding server application on the intranet resource server if both client and server applications are IPv6-capable.

  • The intranet resource is not IPv6-capable, but the intranet DNS server is performing an IPv6/Internet Protocol version 4 (IPv4) DNS gateway function and returning the IPv6 address of an IPv6/IPv4 translator, such as a NAT64.

    In this case, the DirectAccess client can connect to the IPv4-only intranet resource using an intermediate IPv6/IPv4 translator. This topic does not describe troubleshooting DirectAccess connectivity when using an IPv6/IPv4 DNS gateway or IPv6/IPv4 translator.

As described in Choose an Intranet IPv6 Connectivity Design, you can use native IPv6 (recommended) or Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) to deploy IPv6 connectivity on your intranet. In either case, IPv6-capable nodes on your network are reachable with IPv6 and, if they support DNS dynamic update, register their IPv6 addresses in DNS.

To troubleshoot why a DirectAccess client cannot connect to an intranet resource

  1. On the DirectAccess client, start a command prompt as an administrator.

  2. From the Command Prompt window, run the netsh namespace show effective command.

    This command displays the current effective rules, which are typically one or more namespace rules (with a leading period) for your intranet namespace and one or more exemption rules for names that should not be resolvable while on the Internet (fully qualified domain names [FQDNs] without a leading period for names such as your network location server). Verify that your entire intranet namespace is represented by DirectAccess-based namespace rules.

    In the rules for your intranet namespace, there should be at least one IPv6 address for DirectAccess (DNS Servers).

    If there are no rules, run the netsh namespace show policy command. If there are DirectAccess-based rules, the DirectAccess client has determined that it is on the intranet. If there are no rules, verify that the DirectAccess client is running Windows 7 Ultimate Edition, Windows 7 Enterprise Edition, or Windows Server 2008 R2, is a member of a security group specified in step 1 of the DirectAccess Setup Wizard, and has updated its computer configuration Group Policy.

  3. From the Command Prompt window, ping the IPv6 addresses of your intranet DNS servers from step 2.

    This step ensures that the intranet DNS server is reachable across the DirectAccess connection.

  4. Verify that the FQDN of the intranet resource matches a namespace rule in the NRPT and does not match an exemption rule.

    This step ensures that the DirectAccess client will send its queries to the intranet DNS servers, rather than an Internet DNS server.

  5. From the Command Prompt window, use the nslookup -q=aaaa IntranetFQDN IntranetDNSServerIPv6Address command to resolve the names of intranet servers to IPv6 addresses (example: nslookup -q=aaaa dc1.corp.contoso.com 2002:836b:2:1::5efe:10.0.0.1).

    This command should display the IPv6 addresses of the specified intranet server.

    If there are no IPv6 addresses for the name, see the To determine the IPv6 addresses that an intranet resource registers in DNS procedure in this topic.

    If there is no response from the intranet DNS server, troubleshoot the infrastructure tunnel between the DirectAccess client and server. For more information, see DirectAccess Client Cannot Establish Tunnels to the DirectAccess Server.

  6. From the Command Prompt window, ping the IPv6 addresses of the intranet resource server from step 5.

    This ensures that the intranet resource server is reachable across the DirectAccess connection.

  7. From the DirectAccess client, attempt to connect to the intranet server using the appropriate application or run the net view \\IntranetServerName command from the Command Prompt window.

    If there is no response from the intranet server, verify that the client and server or peer applications running on both the DirectAccess client and intranet server are IPv6-capable.

    If the peer or client application running on the DirectAccess client is not IPv6-capable, you cannot use it over the DirectAccess connection.

    If the peer or client application running on the intranet server is not IPv6-capable, you can update the application to support IPv6 or place it behind an IPv6/IPv4 translator. Most built-in server applications and system services on computers running Windows Server 2003 or Windows XP are not IPv6-capable.

  8. If the applications running on both the DirectAccess client and intranet server are IPv6-capable, troubleshoot the intranet tunnel between the DirectAccess client and server.

    For more information, see DirectAccess Client Cannot Establish Tunnels to the DirectAccess Server.
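Steps 2, 4 and 5 of this procedure, worked as an added PowerShell example that is not part of the original page: it parses constructed text modelled on the output of netsh namespace show effective into NRPT rules, picks the rule a name matches, and builds the nslookup command to run. The function names, the layout of the sample text and the names being tested are assumptions; the addresses are the page's own examples.

```powershell
# Added example (not from the TechNet page). Parses constructed 'netsh namespace show effective'
# output into NRPT rules, picks the rule a name matches (longest match wins, so an
# exemption beats the namespace rule that contains it) and builds the step 5 nslookup command.

$sampleOutput = @'
DNS Effective Name Resolution Policy Table Settings
Settings for .corp.contoso.com
----------------------------------------------------------------------
DirectAccess (DNS Servers)              : 2002:836b:2:1::5efe:10.0.0.1

Settings for nls.corp.contoso.com
----------------------------------------------------------------------
DirectAccess (DNS Servers)              :
'@

function ConvertFrom-NrptOutput {
    param([string]$Text)
    $rules = @(); $current = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^Settings for\s+(\S+)') {
            # A leading period marks a namespace (suffix) rule; a bare FQDN is an exemption.
            $current = [pscustomobject]@{ Name = $Matches[1]; IsNamespace = $Matches[1].StartsWith('.'); DnsServers = @() }
            $rules += $current
        } elseif ($current -and $line -match '^DirectAccess \(DNS Servers\)\s*:\s*(.*)$') {
            $servers = @($Matches[1] -split '[,\s]+' | Where-Object { $_ })
            if ($servers.Count) { $current.DnsServers += $servers }
        }
    }
    $rules
}

function Find-NrptRule {
    param([string]$Fqdn, [object[]]$Rules)
    $name = $Fqdn.TrimEnd('.').ToLowerInvariant()
    $hits = $Rules | Where-Object {
        $r = $_.Name.ToLowerInvariant()
        if ($_.IsNamespace) { $name.EndsWith($r) -or $name -eq $r.TrimStart('.') } else { $name -eq $r }
    }
    # The most specific (longest) matching rule decides, as in NRPT evaluation.
    $hits | Sort-Object { $_.Name.Length } -Descending | Select-Object -First 1
}

$rules = ConvertFrom-NrptOutput -Text $sampleOutput
foreach ($fqdn in 'dc1.corp.contoso.com', 'nls.corp.contoso.com', 'www.example.com') {
    $rule = Find-NrptRule -Fqdn $fqdn -Rules $rules
    if ($null -eq $rule)            { "$fqdn : no NRPT rule, the query goes to an Internet DNS server" }
    elseif (-not $rule.IsNamespace) { "$fqdn : exemption rule $($rule.Name), not sent to the intranet DNS servers" }
    elseif (-not $rule.DnsServers)  { "$fqdn : rule $($rule.Name) lists no DirectAccess DNS server; recheck step 2" }
    else { "$fqdn : rule $($rule.Name) -> nslookup -q=aaaa $fqdn $($rule.DnsServers[0])" }
}
```

Replace $sampleOutput with the real command output captured on the client to evaluate your own NRPT.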

To determine the IPv6 addresses that an intranet resource registers in DNS

  1. On the Windows-based intranet resource server, start a command prompt as an administrator.

  2. From the Command Prompt window, run the ipconfig command.

    This command displays your current Transmission Control Protocol/Internet Protocol (TCP/IP) configuration, including both IPv4 and IPv6 addresses.

    Verify that an IPv6 global address (an address that begins with 2 or 3) or an IPv6 unique local address (begins with fd) is assigned to an interface on the computer. If all of the IPv6 addresses begin with fe80, the intranet resource has not been configured with an IPv6 address that is registerable in DNS and reachable by DirectAccess clients. For more information, see the To troubleshoot why an intranet ISATAP host does not configure an ISATAP address procedure in this topic.

  3. If there is a global or unique local IPv6 address assigned to an interface, use the nslookup -q=aaaa IntranetServerFQDN IntranetDNSServerIPAddress command to determine if the intranet resource has registered its IPv6 address. For example, for the intranet resource named APP1 in the corp.contoso.com domain that has been configured to use the DNS server at 10.0.0.1, the command is nslookup -q=aaaa app1.corp.contoso.com 10.0.0.1.

    This command should display the IPv6 addresses of the intranet resource that are registered in DNS.

  4. If there are no IPv6 addresses for the name, run the ipconfig /registerdns command and go to step 3.

    If there are still no IPv6 addresses, troubleshoot DNS dynamic update between the intranet resource server and its DNS servers.

If you are using ISATAP for IPv6 connectivity on your intranet, ISATAP hosts should automatically discover the IPv4 address of the ISATAP router (the DirectAccess server) and configure an ISATAP address on an ISATAP interface.

To troubleshoot why an intranet ISATAP host does not configure an ISATAP address

  1. On the Windows-based intranet resource, start a command prompt as an administrator.

  2. From the Command Prompt window, run the reg query HKLM\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters /v DisabledComponents command.

    If the DisabledComponents registry value is present, the command displays its value. If the DisabledComponents registry value is not present, the command displays ERROR: The system was unable to find the specified registry key or value.

    If DisabledComponents is present and it is not 0, convert it to a binary number. If the first or third bit from the right in the binary number is 1, DisabledComponents has disabled ISATAP. You must change the first and third bit from the right to 0 to enable ISATAP.

  3. From the Command Prompt window, run the reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition /v ISATAP_RouterName command.

    This command should display ERROR: The system was unable to find the specified registry key or value. If it does not, note the value.

  4. From the Command Prompt window, run the reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition /v ISATAP_State command.

    This command should display ERROR: The system was unable to find the specified registry key or value. If it does not, ensure that the value is set to enabled. If it is set to disabled, change the Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\ISATAP State setting in the Group Policy object for this intranet resource to either Enabled or Not Configured and update computer configuration Group Policy.

  5. From the Command Prompt window, run the netsh interface isatap show state command.

    This command should display enabled in ISATAP State.

  6. From the Command Prompt window, run the netsh interface isatap show router command.

    This command should display default or the name from step 3 in Router Name.

  7. From the Command Prompt window, ping the name isatap or the name from step 3.

    This ensures that the intranet resource can resolve the name of the ISATAP router to an IPv4 address and reach the IPv4 address. Verify that the IPv4 address is assigned to the computer that is the intranet ISATAP router, which is typically the DirectAccess server.

  8. If the name isatap or the name from step 3 does not resolve, check your DNS server to verify that the corresponding Address (A) record exists in your intranet DNS.

  9. DNS servers running Windows Server 2008 or later will not by default answer queries for the name isatap unless you remove it from the global query block list. Verify that the name isatap has been removed from the global query block list. For more information, see Remove ISATAP from the DNS Global Query Block List.

The next step in troubleshooting ISATAP connectivity is the ISATAP router.

To troubleshoot an ISATAP router

  1. On the DirectAccess server acting as the ISATAP router, start a command prompt as an administrator.

  2. From the Command Prompt window, run the reg query HKLM\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters /v DisabledComponents command.

    If the DisabledComponents registry value is present, the command displays its value. If the DisabledComponents registry value is not present, the command displays ERROR: The system was unable to find the specified registry key or value.

    If DisabledComponents is present and it is not 0, convert it to a binary number. If the first or third bit from the right in the binary number is 1, DisabledComponents has disabled ISATAP. You must change the first and third bit from the right to 0 to enable ISATAP.

  3. From the Command Prompt window, run the reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition /v ISATAP_RouterName command.

    This command should display ERROR: The system was unable to find the specified registry key or value. If it does not, note the value.

  4. From the Command Prompt window, run the reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition /v ISATAP_State command.

    This command should display ERROR: The system was unable to find the specified registry key or value. If it does not, ensure that the value is set to enabled.

  5. From the Command Prompt window, run the netsh interface isatap show state command.

    This command should display enabled in ISATAP State.

  6. From the Command Prompt window, run the netsh interface isatap show router command.

    This command should display isatap.IntranetDNSSuffix in Router Name.

  7. From the Command Prompt window, ping the name isatap.

    This demonstrates that the DirectAccess server has registered the ISATAP name. Verify that the resolved IPv4 address is assigned to an intranet interface of the DirectAccess server.

  8. From the Command Prompt window, run the netsh interface ipv6 show interfaces command.

    This command lists all of the IPv6 interfaces and their interface index numbers. Note the interface index (Idx) of the interface named isatap.IntranetDNSSuffix.

  9. From the Command Prompt window, run the netsh interface ipv6 show interface ISATAPInterfaceIndex command.

    Verify that Advertising and Forwarding are set to Enabled. If not, run the netsh interface ipv6 set interface ISATAPInterfaceIndex advertise=enabled forwarding=enabled command.

  10. From the Command Prompt window, run the netsh interface ipv6 show route command.

    This command lists the routes in the IPv6 route table. Verify that there is a 64-bit route with the Gateway/Interface Name set to isatap.IntranetDNSSuffix and Publish set to Yes. This is the ISATAP subnet route that the DirectAccess server is advertising to ISATAP hosts on the intranet. The 64-bit route typically has the form 2002:WWXX:YYZZ:1::/64, in which WWXX:YYZZ is the colon hexadecimal representation of w.x.y.z, the first public IPv4 address of the DirectAccess server's Internet interface.

  11. If Publish is set to No for the route in step 10, run the netsh interface ipv6 set route 64BitRoute ISATAPInterfaceIndex publish=yes command.
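The DisabledComponents check in step 2 (of this procedure and of the ISATAP host procedure above) and the route derivation in step 10, worked as an added PowerShell example that is not part of the original page: it decodes the two ISATAP bits, proposes the corrected value, and computes the expected 64-bit route and ISATAP host address from the server's public IPv4 address. The function names are assumptions; the sample value 0x25 is constructed, and the addresses are taken from the page's own examples.

```powershell
# Added example (not from the TechNet page). Decodes the ISATAP bits of
# DisabledComponents (step 2 of both ISATAP procedures) and derives, from the first
# public IPv4 address of the DirectAccess server's Internet interface, the 64-bit
# route of step 10 and the ISATAP address an intranet host should get from it.

function Test-IsatapDisabledComponents {
    param([uint32]$Value)
    # Bit 0 (0x1) disables every tunnel interface and bit 2 (0x4) disables ISATAP:
    # the "first and third bit from the right" in the procedure's wording.
    $isatapBits = 0x1 -bor 0x4
    [pscustomobject]@{
        Binary         = [Convert]::ToString([int64]$Value, 2)
        IsatapDisabled = ($Value -band $isatapBits) -ne 0
        CorrectedValue = '0x{0:X}' -f ($Value -band (-bnot $isatapBits))
    }
}

function Get-IsatapPrefix {
    param([string]$PublicIPv4)
    $o = @($PublicIPv4.Split('.') | ForEach-Object { [int]$_ })
    if ($o.Count -ne 4) { throw "Not a dotted-decimal IPv4 address: $PublicIPv4" }
    # WWXX:YYZZ is w.x.y.z packed into two 16-bit groups, printed without leading
    # zeros the way netsh shows them, so 131.107.0.2 gives 836b:2.
    $wwxx = '{0:x}' -f (($o[0] -shl 8) -bor $o[1])
    $yyzz = '{0:x}' -f (($o[2] -shl 8) -bor $o[3])
    "2002:${wwxx}:${yyzz}:1"
}

function Get-ExpectedIsatapRoute   { param([string]$PublicIPv4) "$(Get-IsatapPrefix $PublicIPv4)::/64" }
function Get-ExpectedIsatapAddress { param([string]$PublicIPv4, [string]$HostIPv4)
    # The ISATAP interface identifier is 0:5efe followed by the host's IPv4 address.
    "$(Get-IsatapPrefix $PublicIPv4):0:5efe:$HostIPv4" }

# Constructed sample: 0x25 has bits 0, 2 and 5 set, so ISATAP is blocked and the
# corrected value keeps only bit 5 (0x20, prefer IPv4 over IPv6).
Test-IsatapDisabledComponents -Value 0x25 | Format-List

# 131.107.0.2 is the IPv4 address encoded in the 2002:836b:2 prefix of the page's
# nslookup example, so the route is 2002:836b:2:1::/64 and a host at 10.0.0.1
# gets 2002:836b:2:1:0:5efe:10.0.0.1 (Windows prints it as 2002:836b:2:1::5efe:10.0.0.1).
Get-ExpectedIsatapRoute   -PublicIPv4 '131.107.0.2'
Get-ExpectedIsatapAddress -PublicIPv4 '131.107.0.2' -HostIPv4 '10.0.0.1'

# Live check on the DirectAccess server: decode the current DWORD if one is set.
# Formatting with X8 keeps a value above 0x7FFFFFFF unsigned before the cast.
$p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters' -ErrorAction SilentlyContinue
if ($null -ne $p.DisabledComponents) {
    Test-IsatapDisabledComponents -Value ([uint32]('0x{0:X8}' -f [int]$p.DisabledComponents)) | Format-List
}
```

Compare the printed route with the Publish = Yes entry from netsh interface ipv6 show route in step 10.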