Remove ISATAP from the DNS Global Query Block List

Updated: April 15, 2010

Applies To: Windows Server 2008 R2


This topic describes deployment of DirectAccess in Windows Server 2008 R2. For deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Deployment Guide (

By default, DNS servers running Windows Server 2008 R2 or Windows Server 2008 use the global query block list to block the resolution of the name ISATAP. To allow name resolution for the ISATAP name, you must remove ISATAP from the global query block list of the DNS Server service for each DNS server on your intranet running Windows Server 2008 R2 or Windows Server 2008.

To complete these procedures, you must be a member of the local Administrators group on the DNS server, or otherwise be delegated permissions to modify registry values on the DNS server. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (

To remove ISATAP from the DNS global query block list on a DNS server

  1. Click Start, type regedit.exe, and then press ENTER.

  2. In the console tree, open Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters.

  3. In the contents pane, double-click the GlobalQueryBlockList value.

  4. In the Edit Multi-String dialog box, remove the name ISATAP from the list, and then click OK.

  5. Start a command prompt as an administrator.

  6. In the Command Prompt window, run the following commands:

    net stop dns

    net start dns

If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to return to the checklist.