1

Pardon my naivety, but I have never set up DirectAccess before. I've done some research prior and was unable to find a relevant resource. Let me provide a little background and then I'll jump into the question.

The 2012R2 server is set up behind a NAT with ports 443 and 6200 (is this port necessary?) forwarded to the WAN. There is a domain attached to that WAN IP as well.

The server is running both DA, and the CA, with the DC being on a separate 2012R2 server.

At least according to the Remote Access Management Console, the server is running appropriately:

Remote Access Management Console (all green)

I've thrown a client on the domain in the DirectAccessClients AD group. Here is the downtrodden error I get from the client:

Client Error Echo Requests Failing

As far as I know, nothing special is set up for IPv6 (the DHCP on the DC may not even be set up to assign these).

What needs to be done to get my client to be properly on the network?

Attached is some of the debug log:

[4/10/2015 8:18:31 AM]: The public DNS Server (2001:4860:4860::8888) does not reply on ICMP Echo requests, the request or response is maybe filtered?    
[4/10/2015 8:18:31 AM]: NLS is reachable via HTTPS, the client computer is connected to the corporate network (internal).    
[4/10/2015 8:18:31 AM]:      Found (unique) DNS server: [redacted]::1
[4/10/2015 8:18:31 AM]:      Send an ICMP message to check if the server is reachable.
[4/10/2015 8:18:31 AM]: DNS Server [redacted]::1 does not reply on ICMP Echo requests.

NOTE: I have no idea where Google's IPv6 DNS came from?

Every relevant error seems to be with the IPv6 DNS, any ideas as to how to resolve this?

Michael Hampton

3 Answers

1

https://support.microsoft.com/en-us/help/929852/how-to-disable-ipv6-or-its-components-in-windows - I used the “Microsoft Fix it 50440” and “Microsoft Fix it 50444” tools on the client PC (expand the table; the icons here are not advertisements, they are installers). These re-enable IPv6 on affected systems.

Michael Hampton
TamusJRoyce
  • The numbers and descriptions of these fix-its have been changed. Which ones did you intend to refer to? – Michael Hampton Dec 06 '17 at 21:36
  • Thank you for updating the link! I apologize for not remembering the original links per website changes. http://www.ibenit.com/post/16392966830/how-to-disable-ip-version-6-ipv6-or-its-specific - I believe this was one of the original sources. It has manual alternatives to the fix-its too. – TamusJRoyce Dec 07 '17 at 23:06
1

The Remote Access Installation Wizard configures the NLS service on the server. This enables port 62000, which should be accessible from the computers on the internal network. It is not necessary that this port have public NAT; the only port necessary is 443.

1

I think this is auto-assigned by DirectAccess. In all my deployments, when I see an error like this, it's related to one of two items:

  1. The Windows Firewall is OFF on the Server and Clients used in the DA Deployment. For it to work properly, the Windows Firewall needs to be enabled.

  2. IPv6 is not configured on the DA Server, and/or IPv6 is not configured on the DNS Server that the DA Server is pointed to. This entails creating a proper reverse IPv6 DNS Zone on the DNS Server, and registering the AAAA Records & PTR Records for both the DA Server and the DNS Server.

JStellato
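
The conditions named in the answers above (IPv6 left enabled, Windows Firewall on, AAAA and PTR records present) can be checked read-only from PowerShell. This is an added example, not part of the original thread; the two host names are placeholders, and the script assumes an elevated session on a Windows 8 / Server 2012 or later DirectAccess client.

```powershell
# Added example: read-only checks for the causes named in the answers above.
# Assumption: placeholder names; replace with your DA server and internal DNS server.
$DaServer  = 'da01.corp.example'
$DnsServer = 'dc01.corp.example'

# 1. IPv6 must not be disabled through the DisabledComponents registry value (KB 929852).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$dc  = (Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
if ($null -eq $dc -or $dc -eq 0) { 'IPv6 components: default (enabled)' }
else { 'IPv6 components: DisabledComponents = 0x{0:X} (some or all of IPv6 is disabled)' -f $dc }

# 2. Windows Firewall must be enabled; DirectAccess relies on its connection security rules.
Get-NetFirewallProfile | Select-Object Name, Enabled

# 3. IPv6 must still be bound to the network adapters.
Get-NetAdapterBinding -ComponentID ms_tcpip6 | Select-Object Name, Enabled

# 4. AAAA records for the DA server and the DNS server, and a PTR for each address returned.
foreach ($name in $DaServer, $DnsServer) {
    $aaaa = Resolve-DnsName -Name $name -Type AAAA -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'AAAA' }
    if (-not $aaaa) { "$name : no AAAA record"; continue }
    foreach ($rec in $aaaa) {
        $ptr = Resolve-DnsName -Name $rec.IPAddress -Type PTR -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'PTR' }
        '{0} : AAAA {1} ; PTR {2}' -f $name, $rec.IPAddress,
            $(if ($ptr) { $ptr.NameHost } else { 'missing' })
    }
}

# 5. The client's own view of the connection, plus the NRPT rules DirectAccess pushed via Group Policy.
Get-DAConnectionStatus
Get-DnsClientNrptPolicy | Select-Object Namespace, DirectAccessDnsServers
```

Checks 1 to 3 apply equally on the DA server; `Get-DAConnectionStatus` is only meaningful on the client.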