Troubleshoot adding entry points
This article contains troubleshooting information for issues related to the Add-DAEntryPoint command. To confirm that the error you received is related to adding an entry point, check the Windows Event log for event ID 10067.
Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016
Missing RemoteAccessServer parameter
Error received
You must supply a value for the parameter RemoteAccessServer.
Cause
When adding a new entry point to a multisite deployment, you must specify the parameter RemoteAccessServer, which is the name of the server that you want to add as the new entry point.
Solution
Run the command and make sure to specify the RemoteAccessServer parameter with the name of the server to be added as an entry point.
Remote Access isn't configured
Error received
Remote Access isn't configured on <server_name>. Specify the name of a server that belongs to a multisite deployment.
Cause
Remote Access isn't configured on the computer specified by the ComputerName parameter, or on the computer on which you run the command.
When adding a new entry point to a multisite deployment, you must specify two parameters: ComputerName and RemoteAccessServer. ComputerName is the name of a server that is already part of the multisite deployment; RemoteAccessServer is the name of the server that you want to add as the new entry point. If you run the command from a computer that is part of the multisite deployment, the ComputerName parameter isn't required.
Solution
Run the command and make sure to specify the ComputerName parameter with the name of a server that is already configured as part of the multisite deployment, or run the command from a computer that is part of the multisite deployment.
Multisite not enabled
Error received
You must enable a multisite deployment before performing this operation. Use the Enable-DAMultiSite cmdlet to do this.
Cause
Multisite isn't enabled on the server specified by the ComputerName parameter. To add a new entry point to a Remote Access deployment, you must first enable multisite.
Solution
Enable multisite using the Enable-DAMultiSite cmdlet. For more information, see Deploy multisite Remote Access.
IPv6 prefix issues
Issue 1
Error received
IPv6 is deployed in the internal network, but you have not specified a client IPv6 prefix.
Cause
IPv6 is deployed on the corporate network, and an IP-HTTPS prefix is required. However, a prefix wasn't specified in the ClientIPv6Prefix parameter for the new entry point.
Solution
- Assign a unique IP-HTTPS prefix to the new entry point and ensure that packets targeted to an IP address under this prefix will be routed to the server you're adding.
- Run the Add-DAEntryPoint cmdlet and specify the IP-HTTPS prefix in the ClientIPv6Prefix parameter.
Issue 2
Error received
The client IPv6 prefix is already in use by another entry point. Specify an alternate value.
Cause
The IP-HTTPS prefix specified in the ClientIPv6Prefix parameter is already used by a different entry point.
Solution
- Assign a unique IP-HTTPS prefix to the new entry point and ensure that packets targeted to an IP address under this prefix will be routed to the server you're adding.
- Run the Add-DAEntryPoint cmdlet and specify the IP-HTTPS prefix in the ClientIPv6Prefix parameter.
ConnectTo address
Error received
The address (<connect_to_address>) to which DirectAccess clients connect on the RemoteAccess server is the same as the network location server address. Specify an alternate value.
Cause
The ConnectTo address and the network location server address are the same.
Solution
The ConnectTo address should be resolvable over the Internet to allow client machines to connect over IP-HTTPS. The network location server address should be resolvable over the corporate network but should not be resolvable over the Internet. Make sure that the network location server and the ConnectTo addresses are not the same. Select different addresses and try again.
DirectAccess or VPN already installed
Error received
A VPN installation was detected on the server <server_name>. Specify an alternate server that doesn't have Remote Access installed, or remove the VPN configuration from the server.
Or
Remote Access is already installed on server <server_name>. Specify an alternate server not running DirectAccess, or remove the existing DirectAccess configuration from the server.
Cause
DirectAccess or VPN is already configured on the new entry point. You can't add a configured entry point to a multisite deployment.
Solution
To add a server to a multisite deployment, you must install the Remote Access role on the server but DirectAccess and VPN should not be configured.
Run the command and make sure that the server you specify in the RemoteAccessServer parameter doesn't have DirectAccess or VPN configured.
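The checks behind the parameter, prefix and "already installed" errors above, turned into a pre-flight script. This is an added example, not code from the Microsoft article: server names, the entry point name and the prefix are constructed placeholders, `-Name` is assumed to be the cmdlet's entry point name parameter, the `DAStatus`, `VpnStatus`, `ClientIPv6Prefix` and `EntryPointName` output properties are assumed, and the event log name is assumed to be Application.

```powershell
# Added example (not from the article). Requires the RemoteAccess module on a
# server that is already part of the multisite deployment.
$ExistingServer   = 'da1.corp.example.test'   # placeholder: already in the deployment
$NewServer        = 'da2.corp.example.test'   # placeholder: server to add as entry point
$EntryPointName   = 'Branch 2'                # placeholder
$ClientIPv6Prefix = '2001:db8:2::/64'         # placeholder; needed only when IPv6 is deployed internally

# 1. Multisite must already be enabled (otherwise the "You must enable a
#    multisite deployment" error is raised). Get-DAMultiSite fails when it isn't.
try {
    $null = Get-DAMultiSite -ComputerName $ExistingServer -ErrorAction Stop
} catch {
    throw "Multisite is not enabled on $ExistingServer. Run Enable-DAMultiSite there first."
}

# 2. The new server must have the role installed but neither DirectAccess nor
#    VPN configured. DAStatus/VpnStatus are assumed property names.
$ra = Get-RemoteAccess -ComputerName $NewServer -ErrorAction Stop
if ($ra.DAStatus -eq 'Installed' -or $ra.VpnStatus -eq 'Installed') {
    throw "$NewServer already has DirectAccess or VPN configured; choose another server or remove that configuration."
}

# 3. The IP-HTTPS prefix must be unique across entry points.
#    ClientIPv6Prefix / EntryPointName are assumed property names.
$inUse = Get-DAEntryPoint -ComputerName $ExistingServer |
         Where-Object { $_.ClientIPv6Prefix -eq $ClientIPv6Prefix }
if ($inUse) {
    throw "Prefix $ClientIPv6Prefix is already used by entry point '$($inUse.EntryPointName)'."
}

# 4. Name both servers explicitly so the call does not depend on where it runs.
Add-DAEntryPoint -ComputerName $ExistingServer `
                 -RemoteAccessServer $NewServer `
                 -Name $EntryPointName `
                 -ClientIPv6Prefix $ClientIPv6Prefix

# 5. If the call still fails, the details are logged under event ID 10067.
#    (Log name is an assumption; adjust to where your server records it.)
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 10067 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Message
```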
IPsec root certificate
Error received
The configured IPsec root certificate can't be located on server <server_name>.
Cause
The certificate of the root or intermediate certification authority (CA) that issues computer certificates couldn't be found on the server you're trying to add to the deployment.
Solution
In the Remote Access Management console, in Step 2 Remote Access Server, click Edit, and on the Authentication page, under Use computer certificates, make sure that the certificate selected is valid. If the certificate is valid, make sure that it's located under the trusted root CA on the server you want to add and try again.
Note
The certificate must be the same certificate with the same Thumbprint.
If the certificate isn't valid, select a valid certificate that is configured as the trusted root CA on all the Remote Access servers.
Mixing IPv6 and IPv4 entry points
When DirectAccess is installed for the first time, the internal network adapter is inspected to determine if the network contains IPv4 addresses only (IPv4-only network), IPv6 and IPv4 addresses, or IPv6 addresses only (IPv6-only network). The information is used to determine the deployment type (IPv4 only, IPv6+IPv4, or IPv6 only).
Issue 1
Warning received
The Remote Access server being added is configured with both IPv4 and IPv6 addresses. This is an IPv4 only deployment, and Remote Access will ignore the IPv6 addresses.
Cause
When this deployment was first installed, the internal network was detected as an IPv4 only network. In a multisite deployment, different entry points are assumed to be located in different subnets with different characteristics. Therefore, although the deployment is configured as an IPv4 only deployment, it can contain an entry point located in an IPv6+IPv4 subnet. However, although the entry point will be added to the deployment, DirectAccess will ignore the IPv6 addresses configured on the new entry point's internal interface.
Solution
If the entire internal network is configured with IPv6 and IPv4 addresses, consider moving to an IPv6+IPv4 deployment to benefit from IPv6 technologies. See "Transitioning from a pure IPv4 to an IPv6+IPv4 corporate network" in Step 3: Plan the multisite deployment.
Issue 2
Error received
The internal network adapters of the Remote Access servers in this multisite deployment are configured with IPv4 addresses. The entry point you're adding must also be configured with an IPv4 address on the internal network adapter.
Cause
When this deployment was first installed, the internal network was detected as an IPv4 only network. Remote Access detected that the entry point that you're trying to add is configured with only IPv6 addresses on its internal network. This isn't allowed in an IPv4 only deployment.
Solution
If the entire network is already configured with IPv6 addresses, you should move to an IPv6+IPv4 or IPv6-only deployment. See "Plan the transition to IPv6 when multisite Remote Access is deployed."
Issue 3
Error received
This entry point is located in an IPv4 network, but previous entry points are located in an IPv6 network. Connect this entry point to the IPv6 network before adding it to the same multisite deployment.
Cause
When this deployment was first installed, it was detected that the internal network is IPv6+IPv4 or IPv6-only. It was detected that only IPv4 addresses are configured on the internal network on the new entry point you're trying to add. This isn't allowed in IPv6+IPv4, or IPv6-only deployments.
Solution
Configure the new entry point with IPv6 addresses and then add the entry point to the multisite deployment.
Issue 4
Warning received
The internal network adapter on the Remote Access server isn't configured with an IPv4 address. DNS64 and NAT64 will not be configured on this server. DirectAccess clients can access IPv6 internal servers only.
Cause
When this deployment was first installed, it was detected that the internal network is IPv6+IPv4. In this deployment mode, DNS64 and NAT64 are enabled to allow client computers to access machines on the internal network that are configured with only IPv4 addresses.
When adding the new entry point, Remote Access detected that the internal interface on the new computer has only IPv6 addresses. To configure DNS64 and NAT64, an IPv4 address is required in order to route packets from the Remote Access server to the IPv4 only computer. Since no such IP exists on the new computer, NAT64 and DNS64 won't be configured on the Remote Access server. Therefore, client machines accessing the corporate network over DirectAccess using this entry point won't be able to access IPv4 only servers on the internal network. For information on how to transition to an IPv6+IPv4 network, or an IPv6-only network, see "Plan the transition to IPv6 when multisite Remote Access is deployed."
Solution
Add an IPv4 address to the new Remote Access server to ensure that DNS64 and NAT64 work correctly.
Domain issues with the ServerGpoName
Issue 1
Error received
The domain specified in the ServerGpoName parameter <server_GPO> doesn't exist. Specify the domain <domain_name> instead.
Cause
The domain name part of the server GPO name that was sent by the administrator wasn't found.
Solution
Make sure that you typed the domain name correctly. If the domain name is spelled correctly, try again using the fully qualified domain name (FQDN).
Issue 2
Error received
The server GPO must be located in the Remote Access server domain. Specify the domain <domain_name> in the ServerGpoName parameter.
Cause
The domain of the server GPO isn't the same as the one to which the Remote Access server belongs.
Solution
The server GPO should be located in the same domain as the Remote Access server. Use the server's domain name for the server GPO and try again.
Split-brain DNS
Warning received
The NRPT entry for the DNS suffix <DNS_suffix> contains the public name used by client computers to connect to the Remote Access server. Add the name <connect_to_address> as an exemption in the NRPT.
Cause
You're using split-brain DNS. To allow clients to connect using IP-HTTPS, make sure that the selected ConnectTo address is exempt in the NRPT rules.
Solution
If you have a multisite deployment, make sure that all connect to addresses of the different entry points are exempt from the NRPT rules.
To exempt an address in the NRPT rules:
- In the Remote Access Management console, under Step 3 Infrastructure Servers, select Edit.
- In the Infrastructure Server Setup wizard, on the DNS page, double-click the table to enter a new name suffix.
- On the DNS Server Addresses dialog box, in DNS suffix, enter the ConnectTo address of the entry point, and then select Apply.
When you add name suffixes without specifying a server address, the suffix is treated as an NRPT exemption.
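The same exemption done with the RemoteAccess module instead of the console, as an added example that is not part of the article. The ConnectTo names are constructed placeholders; it assumes Get-DAClientDnsConfiguration returns entries with DnsSuffix and DnsIPAddress properties, and that Add-DAClientDnsConfiguration called with a suffix and no DNS server address creates an NRPT exemption, mirroring the console behaviour described above.

```powershell
# Added example (not from the article). Run on a Remote Access server.
$connectToNames = @('da1.example.test', 'da2.example.test')   # placeholders: one ConnectTo name per entry point

$nrpt = Get-DAClientDnsConfiguration   # current NRPT table from the DirectAccess client GPO

foreach ($name in $connectToNames) {
    # An entry for the exact name with no DNS server address is already an exemption.
    $exempt = $nrpt | Where-Object { $_.DnsSuffix -eq $name -and -not $_.DnsIPAddress }
    if ($exempt) {
        Write-Output "$name is already exempt from the NRPT"
        continue
    }

    # A broader suffix rule (for example .example.test) that does carry DNS servers
    # would otherwise send this public name to the internal DNS servers.
    $covering = $nrpt | Where-Object { $name.EndsWith($_.DnsSuffix) -and $_.DnsIPAddress }
    if ($covering) {
        Write-Warning "$name is captured by NRPT rule '$($covering.DnsSuffix)'; adding an exemption"
    }

    # No -DnsIPAddress: the suffix is treated as an exemption (assumed to match the console).
    Add-DAClientDnsConfiguration -DnsSuffix $name
}
```

The GPO change reaches clients only at their next policy refresh, as the "GPO updates can't be applied" section below notes.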
Saving server GPO settings
Error received
An error occurred while saving Remote Access settings to GPO <GPO_name>.
To troubleshoot this error, see Saving server GPO settings in Troubleshooting Enabling Multisite.
GPO updates can't be applied
Warning received
GPO updates can't be applied on <server_name>. Changes will not take effect until the next policy refresh.
Cause
An error occurred while trying to refresh policies on the specified computer. Therefore, changes made will not take effect until the next policy refresh.
Solution
To force a policy refresh, run gpupdate /force on the specified computer.