DirectAccess Client Cannot Resolve Names with Intranet DNS Servers

Updated: November 18, 2009

Applies To: Windows Server 2008 R2

When a DirectAccess client has determined that it is on the Internet, it uses rules in the Name Resolution Policy Table (NRPT) to send Domain Name System (DNS) queries for intranet resources to intranet DNS servers. DirectAccess clients receive NRPT rules through Group Policy.

To troubleshoot why a DirectAccess client cannot resolve names with an intranet DNS server

  1. On the DirectAccess client, start a command prompt as an administrator.

  2. From the Command Prompt window, run the netsh namespace show policy command.

    This command displays the NRPT rules configured through Group Policy, which are typically one or more namespace rules (with a leading period) for your intranet namespace and one or more exemption rules for names that should not be resolvable while on the Internet (fully qualified domain names [FQDNs] without a leading period for names such as your network location server). Verify that your entire intranet namespace is represented by namespace rules. If there are no rules, verify that the DirectAccess client is running Windows 7 Ultimate Edition, Windows 7 Enterprise Edition, or Windows Server 2008 R2, is a member of a security group specified in step 1 of the DirectAccess Setup Wizard, and has updated its computer configuration Group Policy.

    In the DirectAccess-based rules for your intranet namespace, there should be at least one Internet Protocol version 6 (IPv6) address for DirectAccess (DNS Servers).

  3. From the Command Prompt window, run the netsh namespace show effective command.

    This command displays the current effective rules.

    If there are no DirectAccess-based rules, the DirectAccess client has determined that it is on the intranet.

  4. From the Command Prompt window, ping the IPv6 addresses of your intranet DNS servers from step 2 or 3.

    This ensures that the intranet DNS server is reachable across the DirectAccess connection.

  5. From the Command Prompt window, use the nslookup –q=aaaa IntranetFQDN IntranetDNSServerIPv6Address command to resolve the names of intranet servers (example: nslookup –q=aaaa 2002:836b:2:1::5efe:

    This command should display the IPv6 addresses of the specified intranet server.

    If there are no IPv6 addresses for the name, determine why the corresponding IPv6 (AAAA) records are not in your intranet DNS.

    If there is no response from the intranet DNS server, troubleshoot the infrastructure tunnel between the DirectAccess client and server. For more information, see DirectAccess Client Cannot Establish Tunnels to the DirectAccess Server. If the infrastructure tunnel is in place, Use the Interfaces tab for the properties of the DNS server in the DNS Manager snap-in to ensure that the DNS Server service on Windows-based DNS servers is listening on its assigned IPv6 addresses.