There are many underlying technology pieces that are used in a DirectAccess solution. These include IPv6, IPSec, the DNS Name Resolution Policy Table, UAG’s NAT64/DNS64, and a Network Location Service. Many or all of these are likely to be unfamiliar to you as you embark on learning about DirectAccess, and troubleshooting any problems in this environment can be daunting. This article should both help you understand the key individual components of DirectAccess and guide you through performing the troubleshooting steps that will narrow down the problem to a particular technology area.
The first things you should know are:
- Detailed Windows DirectAccess troubleshooting procedures are documented in the TechNet DirectAccess Troubleshooting Guide. There are some UAG DirectAccess specifics that are not included in this guide, such as how to troubleshoot NAT64 problems, but it is an excellent starting point for any DirectAccess problem.
- You can use the Network Diagnostics Framework in Windows 7 to troubleshoot DirectAccess issues and provide detailed tracing. NDF mixes together Windows events and actual traffic captures to provide a more unified picture of what is occurring when recreating a problem. An example is in this TechNet article.
- The DirectAccess Connectivity Assistant client utility, which is highly recommended as part of any DirectAccess deployment, has the ability to gather diagnostic output which can help you with troubleshooting.
But even before you dive into those options, you should take a look at the basic troubleshooting concepts shown in the troubleshooting one-pager below. This boils down UAG DirectAccess troubleshooting into a couple of initial pointers and then seven additional basic steps. Each step has some additional, more detailed follow-up items if the basic troubleshooting step fails.
The seven steps test out each of these technology pieces:
Step 1 – The Network Location Detection process and the DNS Name Resolution Policy Table
Step 2 – Basic IPv6 connectivity at the client
Step 3 – Traffic routing across the UAG DirectAccess Server
Step 4 – IPSec with certificates/NTLM authentication for the computer account, using a DNS query to the intranet
Step 5 – Authentication with an internal Domain Controller
Step 6 – IPsec with certificates/user Kerberos authentication
Step 7 – UAG’s NAT64 function to translate IPv6 traffic to IPv4 at the intranet edge
In step 2, you will verify that you have a usable IPv6 address. There are a number of possible types of IPv6 address when you include all of the IPv6-over-IPv4 transition technologies available to DirectAccess clients. You may find it useful to have the IPv6 addressing “cheat sheet” below with you when you start to work with IPv6, and especially when performing troubleshooting. It describes the main varieties of IPv6 addresses, and how they are composed – for example, you can see how a computer’s IPv4 address is often used as part of the IPv6 address.
These are the basic troubleshooting steps I always start with when examining problematic DirectAccess clients – I hope they help you too!
Pat Telford, Principal Consultant, Microsoft