Basic troubleshooting steps for UAG DirectAccess

Basic troubleshooting steps for UAG DirectAccess

  • Comments 5
  • Likes

There are many underlying technology pieces that are used in a DirectAccess solution. These include IPv6, IPSec, the DNS Name Resolution Policy Table, UAG’s NAT64/DNS64, and a Network Location Service. Many or all of these are likely to be unfamiliar to you as you embark on learning about DirectAccess, and troubleshooting any problems in this environment can be daunting. This article should both help you understand the key individual components of DirectAccess and guide you through performing the troubleshooting steps that will narrow down the problem to a particular technology area.

The first things you should know are:

  • Detailed Windows DirectAccess troubleshooting procedures are documented in the TechNet DirectAccess Troubleshooting Guide. There are some UAG DirectAccess specifics that are not included in this guide, such as how to troubleshoot NAT64 problems, but it is an excellent starting point for any DirectAccess problem.
  • You can use the Network Diagnostics Framework in Windows 7 to troubleshoot DirectAccess issues and provide detailed tracing. NDF mixes together Windows events and actual traffic captures to provide a more unified picture of what is occurring when recreating a problem. An example is in this TechNet article.
  • The DirectAccess Connectivity Assistant client utility, which is highly recommended as part of any DirectAccess deployment, has the ability to gather diagnostic output which can help you with troubleshooting.

But even before you dive into those options, you should take a look at the basic troubleshooting concepts shown in the troubleshooting one-pager below. This boils down UAG DirectAccess troubleshooting into a couple of initial pointers and then seven additional basic steps. Each step has some additional, more detailed follow-up items if the basic troubleshooting step fails.

The seven steps test out each of these technology pieces:

Step 1 – The Network Location Detection process and the DNS Name Resolution Policy Table

Step 2 – Basic IPv6 connectivity at the client

Step 3 – Traffic routing across the UAG DirectAccess Server

Step 4 – IPSec with certificates/NTLM authentication for the computer account, using a DNS query to the intranet

Step 5 – Authentication with an internal Domain Controller

Step 6 – IPsec with certificates/user Kerberos authentication

Step 7 – UAG’s NAT64 function to translate IPv6 traffic to IPv4 at the intranet edge

image

In step 2, you will verify that you have a usable IPv6 address. There are a number of possible types of IPv6 address when you include all of the IPv6-over-IPv4 transition technologies available to DirectAccess clients. You may find it useful to have the IPv6 addressing “cheat sheet” below with you when you start to work with IPv6, and especially when performing troubleshooting. It describes the main varieties of IPv6 addresses, and how they are composed – for example, you can see how a computer’s IPv4 address is often used as part of the IPv6 address.

image

These are the basic troubleshooting steps I always start with when examining problematic DirectAccess clients – I hope they help you too!

Author:
Pat Telford, Principal Consultant, Microsoft

Comments
  • The diagrams aren't very clear. Do you have a larger versions?

  • I too would love to print these out.  Can you do a higher quality render for us?

  • Is there some where to download higher resolution versions?

    Thank you

  • HI Paul,

    if you email me at tomsh@microsoft.com i might be able to help you.

    Tom

  • Tom Shinder has put up a downloadable copy of the cheat sheets over at blogs.technet.com/.../ipv6-and-directaccess-troubleshooting-cheat-sheets.aspx

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment