Troubleshoot DirectAccess


This article provides information about troubleshooting DirectAccess deployments.

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

Follow these steps to troubleshoot Remote Access (DirectAccess) issues.

Issue: The Remote Access management console is unable to show the DirectAccess configuration.
Resolution: To restore the missing configuration information:
- If you're troubleshooting a multisite deployment, ensure that the domain controller closest to the entry point is available.
- Use the Get-DAEntrypointDC cmdlet to retrieve the name of the domain controller closest to the entry point. If that domain controller isn't running, use the Set-DAEntryPointDC cmdlet to point to another domain controller.
- Run gpresult from an elevated command prompt on the server to ensure that the server is receiving the DirectAccess Group Policy Objects.
- Enable user interface (UI) logging.
- Use the following commands to start Windows PowerShell logging:
    logman create trace ETWTrace -ow -o c:\ETWTrace.etl -p {AAD4C46D-56DE-4F98-BDA2-B5EAEBDD2B04} 0xffffffffffffffff 0xff -nb 16 16 -bs 1024 -mode 0x2 -max 2048 -ets
    logman update trace ETWTrace -p {62DFF3DA-7513-4FCA-BC73-25B111FBB1DB} 0xffffffffffffffff 0xff -ets
- Close and reopen the user interface.
- Disable Windows PowerShell logging. Collect the Event Trace Log files. Also collect all the logs from the %windir%\tracing folder.

Issue: Applying the DirectAccess configuration fails.
Resolution: To refresh the DirectAccess configuration:
- If you're troubleshooting a multisite deployment, ensure that the domain controller closest to the entry point is available.
- Use the Get-DAEntrypointDC cmdlet to retrieve the name of the domain controller closest to the entry point. If that domain controller isn't running, use the Set-DAEntryPointDC cmdlet to point to another domain controller.
- Use the following commands to start Windows PowerShell logging:
    logman create trace ETWTrace -ow -o c:\ETWTrace.etl -p {AAD4C46D-56DE-4F98-BDA2-B5EAEBDD2B04} 0xffffffffffffffff 0xff -nb 16 16 -bs 1024 -mode 0x2 -max 2048 -ets
    logman update trace ETWTrace -p {62DFF3DA-7513-4FCA-BC73-25B111FBB1DB} 0xffffffffffffffff 0xff -ets
- Select Apply.
- After the failure occurs, disable Windows PowerShell logging and collect the Event Trace Log.

Issue: DirectAccess is configured, but clients are not able to connect to internal resources.
Resolution: To troubleshoot client connection issues:
- Select the Operations Status tab in the Remote Access Management console, and ensure that all the components show a green icon. If not, check the error details and follow the resolution steps.
- Run the Remote Access Server Best Practices Analyzer (BPA). If there are any warnings or errors, follow the resolution steps to resolve the issue.

Issue: You encounter issues related to a multisite configuration (for example, enabling multisite, adding entry points, or setting the domain controller for an entry point).
Resolution: Follow the steps in Troubleshoot a Multisite Deployment.

Issue: The Configuration status tile on the dashboard shows a warning or error.
Resolution: Follow the steps in Monitor the configuration distribution status of the Remote Access server.

Issue: You encounter issues related to configuring load balancing (for example, the configuration fails when you enable load balancing, or there are issues when you add or remove servers from a cluster).
Resolution: If you were enabling load balancing or adding a node, and the configuration refreshed when you selected Apply, but the cluster didn't form correctly on the server, run the following command to collect the user interface logs on the new server:
    cmd.exe /c "reg add HKLM\SYSTEM\CurrentControlSet\Services\RaMgmtSvc\Parameters /f /v DebugFlag /t REG_DWORD /d ""0xffffffff"" "

Issue: Operations status shows an error or warning after you follow the steps to correct the situation.
Resolution: If the operations status is showing incorrect information (such as errors, even after you fix them):
- Enable tracing by setting the registry key:
    cmd.exe /c "reg add HKLM\SYSTEM\CurrentControlSet\Services\RaMgmtSvc\Parameters /f /v EnableTracing /t REG_DWORD /d ""5"" "
- Refresh the operations status and collect the logs from %windir%\tracing.

Windows 8 and later DirectAccess client computers report "No Internet" as the status of the DirectAccess connection, and the Network Connectivity Status Indicator (NCSI) reports limited connectivity. This can occur when Force Tunneling is enabled in the DirectAccess configuration and, because of this, only IP-HTTPS is being used. To resolve this issue, you can create and configure a proxy server; NCSI then uses the proxy server to perform its Internet connectivity checks. It is recommended that you add a static proxy to the Name Resolution Policy Table (NRPT) by using the following procedure.

Before you run the commands in this procedure, ensure that you replace all domain names, computer names, and other Windows PowerShell command variables with values that are appropriate for your deployment.

Configure a static proxy for an NRPT rule:
1. Display the "." NRPT rule:
    Get-DnsClientNrptRule -GpoName "corp.example.com\DirectAccess Client Settings" -Server <DomainControllerNetBIOSName>
2. Note the name (GUID) of the "." NRPT rule. The name (GUID) should start with DA-{..}
3. Set the proxy for the "." NRPT rule to proxy.corp.example.com:8080:
    Set-DnsClientNrptRule -Name "DA-{..}" -Server <DomainControllerNetBIOSName> -GpoName "corp.example.com\DirectAccess Client Settings" -DAProxyServerName "proxy.corp.example.com:8080" -DAProxyType "UseProxyName"
4. Display the "." NRPT rule again by running Get-DnsClientNrptRule, and verify that ProxyFQDN:port is now correctly configured.
5. Refresh Group Policy by running gpupdate /force on a DirectAccess client while the client is connected internally, then display the NRPT by using Get-DnsClientNrptPolicy and verify that the "." rule shows ProxyFQDN:port.
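The five steps above, as an added PowerShell example that is not part of the original article: it locates the "." rule by its DA-{GUID} name instead of having you copy it by hand, refuses to change anything if the rule is missing or ambiguous, and re-reads the rule to verify the stored proxy. The GPO name, domain controller name and proxy value are placeholders; the DirectAccessProxyName output property is assumed to be how Get-DnsClientNrptRule and Get-DnsClientNrptPolicy report the value set with -DAProxyServerName.

```powershell
function Set-DaNrptStaticProxy {
    # Steps 1-4, run on the Remote Access server (or any host with the DnsClient module and GPO rights).
    param(
        [Parameter(Mandatory)][string]$GpoName,            # e.g. 'corp.example.com\DirectAccess Client Settings'
        [Parameter(Mandatory)][string]$DomainController,   # NetBIOS name of the DC that holds the GPO
        [Parameter(Mandatory)][string]$ProxyFqdnAndPort    # e.g. 'proxy.corp.example.com:8080'
    )
    # Step 1/2: read the rules stored in the GPO and pick the "." (default) rule named DA-{GUID}.
    $rules   = @(Get-DnsClientNrptRule -GpoName $GpoName -Server $DomainController)
    $dotRule = @($rules | Where-Object { $_.Namespace -contains '.' -and $_.Name -like 'DA-{*' })
    if ($dotRule.Count -eq 0) { throw "No DA-{GUID} rule for namespace '.' found in GPO '$GpoName'." }
    if ($dotRule.Count -gt 1) { throw "Found $($dotRule.Count) '.' rules in '$GpoName'; refusing to guess." }
    $name = $dotRule[0].Name

    # Step 3: UseProxyName makes clients send traffic for names matching this rule (with Force
    # Tunneling, that is Internet traffic, including the NCSI probes) through the named proxy.
    Set-DnsClientNrptRule -Name $name -GpoName $GpoName -Server $DomainController `
        -DAProxyServerName $ProxyFqdnAndPort -DAProxyType 'UseProxyName'

    # Step 4: re-read the rule from the GPO and confirm the value that was actually stored.
    $after = Get-DnsClientNrptRule -GpoName $GpoName -Server $DomainController |
        Where-Object { $_.Name -eq $name }
    if ($after.DirectAccessProxyName -ne $ProxyFqdnAndPort) {   # assumed output property name
        throw "Verification failed: rule $name reports proxy '$($after.DirectAccessProxyName)'."
    }
    return $after
}

function Test-DaNrptClientProxy {
    # Step 5, run on a DirectAccess client while it is connected internally.
    param([Parameter(Mandatory)][string]$ProxyFqdnAndPort)
    gpupdate /force | Out-Null
    $effective = @(Get-DnsClientNrptPolicy -Effective | Where-Object { $_.Namespace -contains '.' })
    if ($effective.Count -ne 1) { throw "Expected exactly one effective '.' NRPT rule, found $($effective.Count)." }
    # Returns $true only when the client's effective policy carries the proxy set in the GPO.
    return ($effective[0].DirectAccessProxyName -eq $ProxyFqdnAndPort)   # assumed output property name
}

# Example invocation (placeholders; replace with values for your deployment):
# Set-DaNrptStaticProxy -GpoName 'corp.example.com\DirectAccess Client Settings' -DomainController 'DC01' -ProxyFqdnAndPort 'proxy.corp.example.com:8080'
# Test-DaNrptClientProxy -ProxyFqdnAndPort 'proxy.corp.example.com:8080'
```

If Test-DaNrptClientProxy returns $false after gpupdate, check that the client actually applied the DirectAccess Client Settings GPO (gpresult /r) before suspecting the NRPT rule itself.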