A DirectAccess solution relies on many underlying technology pieces. These include IPv6, IPsec, the DNS Name Resolution Policy Table, UAG’s NAT64/DNS64, and a Network Location Service. Many or all of these are likely to be unfamiliar to you as you embark on learning about DirectAccess, and troubleshooting any problems in this environment can be daunting. This article should both help you understand the key individual components of DirectAccess and guide you through the troubleshooting steps that will narrow the problem down to a particular technology area.
The first things you should know are:
But even before you dive into those options, you should take a look at the basic troubleshooting concepts shown in the troubleshooting one-pager below. This boils down UAG DirectAccess troubleshooting into a couple of initial pointers and then seven additional basic steps. Each step has some additional, more detailed follow-up items if the basic troubleshooting step fails.
The seven steps test out each of these technology pieces:
Step 1 – The Network Location Detection process and the DNS Name Resolution Policy Table
Step 2 – Basic IPv6 connectivity at the client
Step 3 – Traffic routing across the UAG DirectAccess Server
Step 4 – IPsec with certificates/NTLM authentication for the computer account, using a DNS query to the intranet
Step 5 – Authentication with an internal Domain Controller
Step 6 – IPsec with certificates/user Kerberos authentication
Step 7 – UAG’s NAT64 function to translate IPv6 traffic to IPv4 at the intranet edge
In step 2, you will verify that you have a usable IPv6 address. There are a number of possible types of IPv6 address when you include all of the IPv6-over-IPv4 transition technologies available to DirectAccess clients. You may find it useful to have the IPv6 addressing “cheat sheet” below with you when you start to work with IPv6, and especially when performing troubleshooting. It describes the main varieties of IPv6 addresses, and how they are composed – for example, you can see how a computer’s IPv4 address is often used as part of the IPv6 address.
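To make the point about embedded IPv4 addresses concrete, here is an added Python example (not part of the original article or its cheat sheet) that classifies an IPv6 address by transition technology and extracts the IPv4 address it carries. The prefixes and layouts come from RFC 3056 (6to4), RFC 4380 (Teredo) and RFC 5214 (ISATAP); the function name `classify` and all sample addresses are constructed for illustration.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")

def classify(addr_text):
    """Return (kind, embedded_ipv4) for one IPv6 address string."""
    # Strip a zone index such as "%12" that ipconfig shows on link-local addresses.
    addr = ipaddress.IPv6Address(addr_text.split("%")[0])
    embedded = {}

    # 6to4 (RFC 3056): 2002::/16, public IPv4 in the next 32 bits.
    if addr.sixtofour is not None:
        embedded["6to4_public_ipv4"] = str(addr.sixtofour)

    # Teredo (RFC 4380): 2001:0::/32, server IPv4 in bits 32-63,
    # client's external IPv4 stored bit-inverted in the last 32 bits.
    if addr.teredo is not None:
        server, client = addr.teredo
        embedded["teredo_server_ipv4"] = str(server)
        embedded["teredo_client_ipv4"] = str(client)
        return "Teredo", embedded

    # ISATAP (RFC 5214): interface ID is 0000:5efe or 0200:5efe followed by
    # the host IPv4. It can sit under any /64 prefix, including a 6to4 one,
    # so it is checked before falling back to the 6to4 label.
    iid = int(addr) & 0xFFFFFFFFFFFFFFFF
    if (iid >> 32) in (0x00005EFE, 0x02005EFE):
        embedded["isatap_host_ipv4"] = str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))
        return "ISATAP", embedded

    if "6to4_public_ipv4" in embedded:
        return "6to4", embedded
    if addr in LINK_LOCAL:
        return "link-local", embedded
    if addr in UNIQUE_LOCAL:
        return "unique-local", embedded
    return "other", embedded

if __name__ == "__main__":
    # Constructed sample addresses (documentation and private IPv4 ranges).
    for sample in ("2002:c000:204::1", "2001:0:c633:6401:8000:63bf:3fff:fdd2",
                   "fe80::5efe:a00:5%12", "2002:c000:204:8000:0:5efe:a00:5",
                   "fe80::1%12", "2001:db8::10"):
        print(sample, "->", classify(sample))
```

Anything that matches none of these patterns, such as a native global address, is reported as `other`.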
These are the basic troubleshooting steps I always start with when examining problematic DirectAccess clients – I hope they help you too!
Author: Pat Telford, Principal Consultant, Microsoft
The diagrams aren't very clear. Do you have larger versions?
I too would love to print these out. Can you do a higher quality render for us?
Is there somewhere to download higher resolution versions?
If you email me at firstname.lastname@example.org I might be able to help you.
Tom Shinder has put up a downloadable copy of the cheat sheets over at blogs.technet.com/.../ipv6-and-directaccess-troubleshooting-cheat-sheets.aspx