A few days ago we had to load a new certificate on one of our Direct Access servers. Since then, we have had a major problem on that server. The Direct Access console cannot be loaded and DA itself cannot run. The exact message is "Settings for the server ServerName cannot be retrieved. The system cannot find the file specified."
We have traced this out to being unable to talk to the PDC emulator for the domain.
Background info: We have three stand-alone setups of Direct Access (not multisite) in different countries and, obviously, different AD sites. One that is installed in the same AD site as the PDC emulator has no problem. A second installation has no problem either; it is two-armed, with one interface on the domain network and one in the DMZ. (The security team wants this system turned off and replaced because they can't inspect the traffic after it passes through DA, but that is outside the scope of this question.) The problem server is one-armed and sits in a DMZ at yet another AD site. However, neither from the DMZ nor from our production LAN (where we moved it for testing) can it talk to the PDC emulator.
Other hosts on the same networks are able to talk to the PDC emulator, so it is functioning. We have changed IP addresses so we know it's not something special there.
It is not related to the Remote Access MMC. The Group Policy Management Console also cannot talk to the PDC emulator, but can talk to another Domain Controller on the same subnet as the DA server, and also the PDC emulator.
So, I thought, nah, DA is broken. So, I created a new instance at yet a fourth site to test things. This instance, correctly set up with certificates, NLA and a two-armed configuration, breaks with the same error when it installs. As soon as it loads the Direct Access group policy (and the DA firewall policies), it drops any connection to the PDC emulator and does not load DA, which never functions. We don't have any policies on the box EXCEPT for the Direct Access policies. If we remove the DA policies, the server works as expected.
Testing servers were 2012 R2, 2016 and 2019, fully patched before attempting the installs. These AD sites are in different countries; the latency is important for the local users accessing local resources. Using a DA server in another country is just not feasible.
Any thoughts would be most helpful.
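Added diagnostic, not part of the original post: run on the affected DA server in an elevated PowerShell to confirm whether the PDC emulator is reachable on the ports the consoles need (compared with another DC) and to list which outbound firewall rules the DirectAccess GPO is currently enforcing. It assumes the RSAT ActiveDirectory module is installed and that the DA policy store name contains "DirectAccess" (the filter string is an assumption; adjust it to your GPO name).

```powershell
# Added diagnostic script (not from the original post). Assumes RSAT ActiveDirectory
# module is available and the DA GPO name contains "DirectAccess".
Import-Module ActiveDirectory
Import-Module NetSecurity

# 1. Locate the PDC emulator the same way the DA and GPMC consoles do,
#    plus one other DC to use as a control.
$pdc   = (Get-ADDomain).PDCEmulator
$other = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName |
         Select-Object -First 1
"PDC emulator : $pdc"
"Control DC   : $other"

# 2. Probe the TCP ports the consoles rely on against both DCs.
#    A port that is open on the control DC but BLOCKED on the PDC points at
#    a host-side rule rather than a network problem.
$ports = [ordered]@{ RPC = 135; Kerberos = 88; LDAP = 389; SMB = 445 }
foreach ($dc in @($pdc, $other)) {
    foreach ($name in $ports.Keys) {
        $r = Test-NetConnection -ComputerName $dc -Port $ports[$name] `
             -WarningAction SilentlyContinue
        "{0,-40} {1,-9} {2}" -f $dc, $name,
            $(if ($r.TcpTestSucceeded) { "open" } else { "BLOCKED" })
    }
}

# 3. Show the outbound rules actually in force (ActiveStore = merged local +
#    Group Policy rules) that came from the DirectAccess GPO, so the rule set
#    that arrived with the DA policies can be compared with a working server.
Get-NetFirewallRule -PolicyStore ActiveStore -Enabled True -Direction Outbound |
    Where-Object { $_.PolicyStoreSource -like '*DirectAccess*' -or
                   $_.DisplayGroup      -like '*DirectAccess*' } |
    Select-Object DisplayName, Action, Profile, PolicyStoreSource |
    Format-Table -AutoSize
```

If every port is open on the control DC but blocked only on the PDC emulator, export the listed rules with `Get-NetFirewallRule ... | Get-NetFirewallAddressFilter` and check which one carries the PDC's address in its remote scope.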