DirectAccess Client Cannot Establish Tunnels to the DirectAccess Server
This week I noticed some issues with DirectAccess on my Windows 7 client. For some strange reason both Infrastructure and Intranet tunnels are not established. When walking through the Advanced Firewall configuration I noticed that Internet Protocol security (IPsec) tunnel mode security associations (SAs) were not initiated. After some searching if found a post on Forefront forum which describes more or less the same behavior.
Thanks to Jason Jones if found my issue. By verifying the Name Resolution Policy Table (NRPT) configuration using netsh dnsclient show state and noticed that Direct Access Settings is misconfigured. The NRPT is configured using the DirectAccess Setup wizard. You can configure the rules also directly by yourself but take into account these settings are overridden when running the DirectAccess wizard!
Check the following regkey: HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\EnableDAForAllNetworks and make sure it is set to 0 and not 2.
The values for the key are shown below
Enable DA for All Networks
Key: Software\Policies\Microsoft\Windows NT\DNSClient
Value: “EnableDAForAllNetworks”
Type: REG_DWORD
Size: 32 bits.
Data: This field is a 32-bit value, which MUST contain one of the following values.
| Value | Meaning |
| 0x00000000 | Let Network ID determine when Direct Access settings are to be used. |
| 0x00000001 | Always use Direct Access settings regardless of location. |
| 0x00000002 | Never use Direct Access settings regardless of location. |
After changing the value I rebooted my Windows 7 client and DirectAccess is working again like a charm J
Sources:
http://msdn.microsoft.com/en-us/library/ff957870(PROT.10).aspx
http://technet.microsoft.com/en-us/library/ee844114(WS.10).aspx
DirectAccess Client Location Awareness – NRPT Name Resolution
Categories
Modern Workplace 
One thought on “DirectAccess Client Cannot Establish Tunnels to the DirectAccess Server” Leave a comment ›