Channel: Network Infrastructure Servers forum

Need some help with DirectAccess. It mostly doesn't go.


I have a small lab set up.  Two DCs with DNS, PKI running on DC1, a couple of other idle servers that aren't relevant, and a remote access server that runs RAS with VPN, DNS (stub zone for the lab domain pointed to DC1 and recursion enabled), and DHCP.  All the servers are Windows Server 2012 Standard.  The client I'm testing with is Windows 8 Enterprise.  I tried this before setting up IPv6 in the lab network, and am now trying it with.  The DCs have static IPv6 addresses and can ping each other and the DA host.  Also note that the lab subnet gateway is a separate device not on any of these servers, but DHCP configuration works fine for IPv4 devices on the lab subnet and they have full intranet/internet access as expected.

SSTP and PPTP VPN work, so I'm pretty sure it's not a PKI problem, but I can't access internet resources when I'm connected to the VPN and forcing an IPv4 route doesn't help... So maybe it's server side?

I've set up DA with the out of the box settings for a two NIC configuration, and added my CRL CDP host (pki.domain.local) to the NRP exclusion list.  I can ping its public IP and view the CRL and AIA from the test client and other clients.  Other exclusions are directaccess.domain.local and da.domain.local (note that I'm using a real internet domain name there, not domain.local).

On the test client, the "Workplace Connection" stays in "Connecting" mode. I'm able to ping the domain and various hosts by IPv6 and get name resolution and a reply, but when I ping anything by IPv4 (the lab's private subnet) the local (to the remote test client) gateway responds with TTL expired (is this expected behavior with DirectAccess?). The DirectAccess connection assistant is not helpful; it just says that corporate connectivity is working correctly... But group policy updates don't work and I can't browse servers by UNC path.


