Share via


Using DirectAccess Connectivity Assistant (DCA) 1.5

Microsoft DirectAccess Connectivity Assistant (DCA) version 1.5 improves your DirectAccess connectivity experience, and helps organizations to reduce the cost of supporting DirectAccess.

When running DCA 1.5 on your computer you can do the following:

  1. View DirectAccess connection information—DCA provides information about the state of the DirectAccess connection, and messages to help you resolve connection issues.

  2. Use local DNS resolution—By default, all name requests are resolved by corporate DNS servers. You can select Use local DNS resolution to resolve single-label names using DNS resolution mechanisms on your computer, instead of corporate DNS servers. This option is only available if it is enabled by the DirectAccess administrator.

  3. Troubleshoot DCA—You can view troubleshooting information, and create and send log files that can be used to solve DirectAccess issues.

System requirements

To install DCA 1.5 the following is required on your computer:

  1. Windows 7 Ultimate or Enterprise Edition

  2. NET Framework 3.5 SP1 (3.5.30729.01)

  3. Windows Installer 4.5

View DirectAccess connection information

When DCA 1.5 is installed, it appears as an icon in the notification area of the taskbar. Left-clicking (or hovering over) the icon provides information about the DirectAccess connectivity state, and informative messages.

Connectivity states

The DirectAccess connectivity states are described in the following table.

Connectivity state Details Action

DirectAccess connectivity is working

When the DirectAccess icon appears without warning or error symbols, it indicates that DirectAccess is working as expected.

None

DirectAccess connectivity is not working

An error symbol with a red X icon indicates that there is no DirectAccess connectivity.

This error is typically related to DirectAccess server issues, and should be resolved by the DirectAccess administrator.

DirectAccess connectivity requires user action

A warning symbol with an exclamation mark in a yellow triangle indicates that DirectAccess is not operating as expected.

This indicates that user action is required in order to access all resources. The warning icon appears until you complete the required action.

Connectivity messages

Each DirectAccess connectivity state has a number of messages, summarized in the following table.

Connectivity state Displayed message Details

No DirectAccess connectivity

DirectAccess is not supported by the Windows operating system on your computer. Contact the administrator.

DirectAccess is supported on Windows 7 Ultimate, Windows 7 Enterprise, and Windows Server 2008 R2. DCA 1.5 runs on Windows 7 only.

DirectAccess is not configured correctly. If the problem persists, contact the administrator.

The computer is not configured to use DirectAccess. This can be verified in the default logs generated by the Advanced Diagnostics window.

Your computer cannot connect to the DirectAccess server. If the problem persists, contact the site administrator.  

DCA cannot contact the DirectAccess server. DCA determines the state of the DirectAccess connection by attempting to access a network server designated by the administrator. Connectivity status can be verified in the default logs generated by the Advanced Diagnostics window.

Corporate network names cannot be resolved. If the problem persists, contact the administrator. 

Windows cannot resolve names of resources on the corporate network.

Your computer cannot connect to some corporate resources. If the problem persists, contact the administrator.  

DCA cannot access one or more of the test resources on the corporate network. Connectivity status can be verified in the default logs generated in the Advanced Diagnostics window.

Your computer has lost connectivity to some corporate resources. If the problem persists, contact the administrator.

DCA cannot access one or more of the test resources on the corporate network. Connectivity status can be verified in the default logs generated in the Advanced Diagnostics window.

The DirectAccess Connectivity Assistant application is not configured correctly. If the problem persists, contact the administrator.      

DCA is missing information that must be configured by the administrator. The current configuration can be viewed in the default logs generated in the Advanced Diagnostics window. DCA settings are stored in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\DirectAccessConnectivityAssistant

Name resolution settings are not configured correctly. Contact the site administrator.  

The Name Resolution Policy Table (NRPT) on your computer is corrupt, or there is an error in the client group policy. The NRPT is used by DirectAccess when resolving names for corporate resources.

An authentication certificate cannot be validated. No connection to the IP-HTTPS certificate revocation list (CRL) is available. Contact the administrator.

You cannot access the Internet-based Certificate Revocation List (CRL). A server certificate required for IP-HTTPS must be verified against the CRL. IP-HTTPS is a transition technology that DirectAccess uses to transfer IPv6 traffic over the IPv4 Internet.

Your computer is not configured correctly for DirectAccess. IPv6 is not enabled correctly.

Some or all of the required transition technologies are disabled. You communicate with the DirectAccess server using IPv6. When the transition technologies are disabled the DirectAccess client cannot communicate with the DirectAccess server.

DirectAccess connectivity requires user action

Your computer is not compliant with corporate health requirements.

If the corporate network checks the health of your computer (for example by checking that antivirus software or security updates are installed), you might not be able to connect to corporate resources if your computer is not compliant. The DCA pop-up dialog box provides information, and includes links to help you resolve the problem. For example, a link to client software that remediates computer health issues.

Smartcard credentials are required for corporate connectivity via DirectAccess. Either specify your credentials, or lock and then unlock this computer using your smartcard.

Your administrator can choose to enforce the use of smartcards to access corporate resources via DirectAccess. This message appears the first time your computer attempts to access a corporate resource when smartcard credentials are not available, or when it wakes up from sleep or hibernation.

DirectAccess is configured to resolve names using local resolution settings. To restore connectivity, select to resolve names via the DirectAccess server.

DCA is set to resolve names using the resolution method defined locally on your computer. To access corporate resources, you must clear the Use local DNS resolution option, and enable Use corporate DNS resolution. This can be done by selecting the option in the right-hand menu, or by restarting the computer.

Internet connectivity is not available. Ensure that your computer is connected to the Internet.         

Windows cannot connect to the Internet.

Your computer is not configured correctly for DirectAccess. The Windows Firewall must be enabled.           

Windows firewall must be enabled, so that IPsec can be used when connecting to the DirectAccess server. IPsec is required for DirectAccess authentication.

You are not logged on with a domain account. Log on with a domain account, or lock and unlock the computer with a smartcard.       

Log on to the local computer with a domain account to connect to DirectAccess.

DirectAccess requires your one-time password (OTP) credentials for corporate access. Click here to specify the credentials

Your administrator can choose to enforce the use of an OTP to access corporate resources via DirectAccess. This message appears the first time your computer attempts to access a corporate resource when OTP credentials are not available, or after it wakes up from sleep or hibernation.

Use local DNS resolution

By default Use corporate DNS resolution is enabled, and name requests are resolved by a corporate DNS server via the DirectAccess connection. This includes FQDN requests, and requests for single-label names such as https://hrweb.

In some cases, you might want to access single-label names that cannot be resolved by your corporate DNS server. To reach these resources, you can right-click the DCA icon and select Use local DNS resolution. With this setting enabled, DCA will use the DNS mechanisms (LLMNR and NetBios) on your local computer to resolve names, instead of sending the request via DirectAccess to your corporate DNS server.

For example, if you are at a customer site with a DirectAccess computer, and you want to check the website https://thissite on the customer network, with Use corporate DNS resolution enabled, the request is sent to your corporate DNS server and the following occurs:

  • If your corporate intranet has a resource named https://thissite, then the request will be resolved to this corporate Web site.

  • If there is no corporate site named https://thissite, name resolution will fail unless corporate settings are able to resolve the name.

In both cases, you will not be able to access the site on the customer network unless you select the Use local DNS resolution setting. When using the local DNS resolution, option, note the following:

  • Local name resolution is only available when allowed by the DirectAccess administrator.

  • When local name resolution is selected, the DCA notification area displays a yellow warning icon to remind you to enable the use of corporate DNS when you have finishing accessing the local resource.

  • If you disconnect and reconnect from the network and the DirectAccess server (for example, if you restart or resume your computer), Use corporate DNS resolution will be enabled automatically when the DirectAccess connection is resumed. You must reselect Use local DNS resolution to continue using local name resolution.

Troubleshoot DCA

You can view DirectAccess troubleshooting information, and create and send log files to your administrator.

To troubleshoot DCA

  1. Left-click the DCA icon in the notification area of the taskbar. Then click DA Troubleshooting.

  2. Review the information on the troubleshooting Web page.

Note

Troubleshooting information is available only if configured by the DirectAccess administrator.

To create and send log files

  1. In the taskbar, right-click the DCA icon, and then click Advanced Diagnostics.

  2. As soon as the Advanced Diagnostics dialog box opens, DCA automatically begins logging information. Information is gathered into the specified log file, in .cab format.

  3. Click Email logs to send the information to the DirectAccess administrator. The log file is automatically attached to the mail. In the mail, add any additional information to describe the problem you are experiencing, and then click Send.