UAG Troubleshooting: Direct Access client Fail to connect. DA is configured and disabled
Scenario
Users using Windows 7 reporting that they can't connect using Direct Access anymore. Whether its HTTPS or Teredo, DA just won't work. Upon further discussing the issue with them they mentioned that they enabled and disabled the Direct Access Connectivity assistant (DCA) and used Local DNS couple of times in an effort to work it out.
Steps
Started troubleshooting by checking the Name Resolution Policy table and we noticed that the NRPT was not getting applied on the DA client as shown below.
http://2.bp.blogspot.com/-_IgKZVqXCEo/VC14_YU6baI/AAAAAAAAAdE/3x9Xu9AlNBc/s1600/netsh.png
The next step was checking the DA resolution using the netsh dns to show the state command and it turned out to be disabled.
Name Resolution Policy Table Options:
| Query Failure Behavior: | Always fall back to LLMNR and NetBIOS if the name does not exist in DNS or if the DNS servers are unreachable when on a private network |
| Query Resolution Behavior: | Resolve only IPv6 addresses for names |
| Network Location Behavior: | Never use Direct Access settings |
| Machine Location: | Outside corporate network |
| Network Location Behavior: | Never use Direct Access settings |
| Direct Access Settings: | Configured and Disabled |
| DNSSEC Settings: | Not Configured |
The DA client already has the correct group policies, certificates but its disabled.
The next step was checking the below registry key:
"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient EnableDAForAllNetworks"
The value of the key was set to 2 which means that DA is disabled!
Upon deleting the registry key, the DA started working normally without any problem.
For more information about the EnableDAForAllNetworks and its different values, please check the below URL:
http://msdn.microsoft.com/en-us/library/ff957870.aspx
On both cases so far the reason was playing with the DCA settings (Use local DNS) which triggered the flipping of this registry key from Automatic to Disabled.
See also
http://itcalls.blogspot.com/2014/10/uag-direct-access-client-fail-to.html#sthash.jaTMrzJw.dpuf