Direct Access Server Setup Issues

fogmaster 1 Reputation point
2022-10-08T13:13:50.297+00:00

So I am building a new Direct Access Server on Windows Server 2019, not by choice. But anyway I matched the configuration settings to our current DA Server and in the Remote Access Management Console I get a sporadic error saying it cannot connect to the domain. When opening cmd to do a policy update on the server it fails to apply computer policy, I tried temporarily turning off the first GPO it tried to apply, but as expected errored out on the next one.

The only way I have been able to fix the issue is by either relaunching the Remote Access Management Console and if that doesn't work, rebooting will temporarily fix it, everything on the dashboard will be green until it bombs out again with the error.

The new DA server is on a Windows Server 2022 Hyper-V host. The VM for the new server has one NIC setup and I tried MAC spoofing on and off and it did not make any difference. The setup is selected as 'Behind an edge device (with the single network adapter)'.

The one thing I notice when this error occurs in Step 2 in Remote Access Mgmt Console is on Step 2 -- Network Adapters it goes from one drop-down to two drop-downs for selecting a NIC, and both of them are blank with nothing in the drop-down.

Additionally, when DA is on the green status I have been trying to get machines to connect to it but they get stuck on connecting.

Originally when trying to connect a machine to the new DA server it gave an IPv6 Disabled error, which I resolved by making an adjustment in the New DA Connectivity Assistant GPO.

But now I get the error of could not contact Direct Access Server.

Also, I ran nmap.exe to troubleshoot and I get a failure to resolve n, on, p443, and the URL for the new DA server failed as well.

But on an external device, I can reach the new DA server URL that is set up.

Also, the DA troubleshooting logs saved to the user app data directory show HTTP fail, and both pings for the DTE list as fail also.

Also, I did a test on the new URL for the DA server for the SSL test and everything checked out on that.

I am lost on what I am missing with this as everything is literally the same with my configuration of the new server compared to the old one (aside from IPs and URL).

Know this is a long post, but I am hoping to get any ideas.

Windows for business | Windows Client for IT Pros | Networking | Network connectivity and file sharing
Windows for business | Windows Server | Devices and deployment | Set up, install, or upgrade
Windows for business | Windows Server | User experience | Other
Windows for business | Windows Client for IT Pros | User experience | Other

1 answer

  1. Limitless Technology 39,926 Reputation points
    2022-10-10T14:40:03.95+00:00

    Hello there,

    There are several reasons this error may occur:

    - A proxy server is blocking the connection.
    - Inability to resolve the name of the IP-HTTPS server (DirectAccess server) mentioned in the IP-HTTPS interface URL.
    - Client-side or server-side firewall may be blocking the connection to the IP-HTTPS Server (DirectAccess server).

    Try to connect to the server through telnet by using the external IP address or name of the DirectAccess server on port 443. If it fails to connect, this may be because the packet is being dropped somewhere on the network, or the NAT rules are not created correctly on the external NAT device behind which DirectAccess is configured.

    The thread below discusses the same issue, and you can try out some troubleshooting steps from it and see if that helps you to sort out the issue.

    https://social.technet.microsoft.com/Forums/en-US/a134bdf3-193d-4bfa-8201-fb927456fcc4/directaccess-client-not-connecting-without-error-code-on-windows-server-2012-r2-and-windows-81?forum=winserver8gen

    DirectAccess clients may not be able to connect to DirectAccess server with error code 0x103, 0x2AFC, or 0x2AF9 when using IP-HTTPS:
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/directaccess-clients-not-connect-to-server

    ---------------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer–
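
The three causes listed in the answer above can be checked in order from a DirectAccess client with the PowerShell sketch below. It is an added example, not part of the original answer or of Microsoft's tooling; `Test-IPHttpsPath` is a hypothetical helper name, and the script assumes the DirectAccess client GPO has been applied (otherwise pass the IP-HTTPS URL with `-ServerUrl`).

```powershell
# Added example: Test-IPHttpsPath is a hypothetical helper, not a built-in cmdlet.
# It checks proxy, name resolution, TCP reachability and TLS for the IP-HTTPS URL.
function Test-IPHttpsPath {
    param(
        # Defaults to the IP-HTTPS URL delivered by the DirectAccess client GPO.
        [string]$ServerUrl = (Get-NetIPHttpsConfiguration -ErrorAction SilentlyContinue |
                              Select-Object -First 1).ServerURL
    )
    if (-not $ServerUrl) { throw 'No IP-HTTPS URL configured; pass -ServerUrl explicitly.' }
    $uri = [uri]$ServerUrl
    $r = [ordered]@{ Url = $ServerUrl; Proxy = $null; Dns = $null; Tcp = $false; Tls = $null }

    # Cause 1: a proxy in the path. Report the machine-wide WinHTTP proxy setting.
    $r.Proxy = (netsh winhttp show proxy | Where-Object { $_.Trim() }) -join ' | '

    # Cause 2: the public name of the DirectAccess server does not resolve.
    try {
        $r.Dns = (Resolve-DnsName -Name $uri.Host -Type A -ErrorAction Stop |
                  Where-Object IPAddress).IPAddress -join ', '
    } catch {
        $r.Dns = "FAILED: $($_.Exception.Message)"
        return [pscustomobject]$r
    }

    # Cause 3: a firewall or missing NAT rule drops the port (the telnet test in the answer).
    $r.Tcp = (Test-NetConnection -ComputerName $uri.Host -Port $uri.Port `
              -WarningAction SilentlyContinue).TcpTestSucceeded
    if (-not $r.Tcp) { return [pscustomobject]$r }

    # Port is open: confirm the listener completes a TLS handshake for this host name.
    $client = $null
    try {
        $client = [System.Net.Sockets.TcpClient]::new($uri.Host, $uri.Port)
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream())
        $ssl.AuthenticateAsClient($uri.Host)
        $r.Tls = "OK, certificate subject: $($ssl.RemoteCertificate.Subject)"
    } catch {
        $r.Tls = "FAILED: $($_.Exception.Message)"
    } finally {
        if ($client) { $client.Dispose() }
    }
    [pscustomobject]$r
}

Test-IPHttpsPath
# Current IP-HTTPS interface status and last error code on this client.
Get-NetIPHttpsState
```

The first stage that reports `FAILED` or `Tcp = False` points to which of the three causes applies; the last error code from `Get-NetIPHttpsState` can then be compared with the codes in the linked Microsoft article.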
