Windows 2008 R2 DirectAccess implementation
Some 75 Windows 7 Enterprise clients
Occasionally we have Windows clients not able to access network resources.
Rebooting the client does not correct the issue, nor does switching to other off-corporate-network networks.
Some pertinent information from a failed client:
This shows the client knows it is off the corporate network and DA is enabled:
C:\Windows\system32>netsh dns show state
Name Resolution Policy Table Options
--------------------------------------------------------------------
Query Failure Behavior    : Always fall back to LLMNR and NetBIOS if the name does not exist in DNS or if the DNS servers are unreachable when on a private network
Query Resolution Behavior : Resolve only IPv6 addresses for names
Network Location Behavior : Let Network ID determine when Direct Access settings are to be used
Machine Location          : Outside corporate network
Direct Access Settings    : Configured and Enabled
DNSSEC Settings           : Not Configured
This shows the client is getting the group policies that apply the DA configuration (which is working for all other clients):
COMPUTER SETTINGS
------------------
Last time Group Policy was applied: 7/25/2014 at 8:40:03 AM
Group Policy was applied from: BS1.ccht.org
Group Policy slow link threshold: 500 kbps
Domain Name: CCHT
Domain Type: WindowsNT 4
Applied Group Policy Objects
-----------------------------
WSUS - Laptops and Desktops
Default Domain Policy
DirectAccess - IPv6
DirectAccess - Certificate Services
Aeon Client Settings
UAG DirectAccess: Clients (DIRECTACCESS.CCHT.ORG)
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
UAG DirectAccess: Gateways (DIRECTACCESS.CCHT.ORG)
Filtering: Denied (Security)
Microsoft Office Customizations
Filtering: Not Applied (Empty)
WSUS - Servers
Filtering: Not Applied (Unknown Reason)
Local Group Policy
Filtering: Not Applied (Empty)
Terminal Server IE Settings
Filtering: Denied (WMI Filter)
The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
System Mandatory Level
Windows Firewall (public profile) is showing that it got the Connection Security Rules from the GPO. It shows that Security Associations > Main Mode is empty (so not connecting?).
I can browse to https://directaccess.mydomain.org and get a 403 Access Denied, which I think is the expected behavior, meaning it can get there but there isn't a website to freely browse.
I think the problem has something to do with the absence of the IPHTTPS interface. It doesn't show up in ipconfig /all or in Device Manager, even when hidden items are shown.
Assuming my suspicion is correct, how does the IPHTTPS interface get created, and, maybe more importantly, how would it be removed? How can I force it to be recreated?
Note that this is happening to clients at random, not one client over and over again. It seems like there is one per week. The onsite admin removes the computers from the domain, then re-adds them, then gives them the DA permission, and then sometimes they cooperate and work again. I am sure this is way overkill; there must be a more graceful way of correcting it. And hopefully there is a way of preventing the failures altogether.
Ideas? Thanks!
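A read-only diagnostic that gathers the three pieces of client state discussed in this question (NRPT state, IPHTTPS tunnel interface, main mode SAs) into one object, so a failing Windows 7 DA client can be compared against a working one before anyone resorts to a domain rejoin. This is an added example, not code from the original post; it assumes an elevated PowerShell 2.0 prompt on the client, and the marker strings it searches for (`IPHTTPSInterface`, `interface active`, `Main Mode SA at`) are assumptions about typical netsh output, not values taken from the post.

```powershell
# Added example: collect DirectAccess client state with netsh 'show' commands only.
# Assumes Windows 7 Enterprise, PowerShell 2.0, run as Administrator.

function Get-DaClientState {
    # Out-String flattens each command's output so -match works on the whole text.
    $dns    = netsh dns show state 2>&1 | Out-String
    $tunnel = netsh interface httpstunnel show interfaces 2>&1 | Out-String
    $mmsa   = netsh advfirewall monitor show mmsa 2>&1 | Out-String

    # Marker strings below are assumptions about netsh output wording;
    # adjust them after comparing with a known-good client.
    $saCount = ([regex]::Matches($mmsa, 'Main Mode SA at')).Count

    New-Object PSObject -Property @{
        DaEnabled       = [bool]($dns -match 'Configured and Enabled')
        OutsideCorpNet  = [bool]($dns -match 'Outside corporate network')
        IpHttpsPresent  = [bool]($tunnel -match 'IPHTTPSInterface')
        IpHttpsActive   = [bool]($tunnel -match 'interface active')
        MainModeSaCount = $saCount
        TunnelRawOutput = $tunnel.Trim()   # keep for the 'Last Error Code' line
    }
}

function Test-DaClientState {
    param([Parameter(Mandatory = $true)] $State)

    # Interpret the collected state against the failure pattern in this post:
    # DA configured and client outside the corporate network, yet no IPHTTPS
    # interface and no main mode SAs.
    if (-not $State.DaEnabled) {
        return 'NRPT/DA settings not applied: check gpresult for the DA client GPO.'
    }
    if (-not $State.OutsideCorpNet) {
        return 'Client believes it is inside the corporate network: DA not expected to be used.'
    }
    if (-not $State.IpHttpsPresent) {
        return 'IPHTTPS interface missing: matches this post. Re-apply policy (gpupdate /force), ' +
               'then re-run this check and inspect the httpstunnel output for an error code.'
    }
    if (-not $State.IpHttpsActive -or $State.MainModeSaCount -eq 0) {
        return 'IPHTTPS interface present but tunnel/IPsec not established: check the ' +
               'Last Error Code in the httpstunnel output and the client certificate.'
    }
    return 'DA client state looks healthy: IPHTTPS active and IPsec main mode SAs present.'
}

$state = Get-DaClientState
$state | Format-List DaEnabled, OutsideCorpNet, IpHttpsPresent, IpHttpsActive, MainModeSaCount
Test-DaClientState -State $state
```

Run it on a working client first to confirm the marker strings match your build's netsh wording, then on a failing client and diff the two results.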