I'm playing with Direct Access Server in a test environment that consists of a couple of DCs (Server 2012 RTM), an "edge" server with two virtual NICs (Server 2012 R2) and the Direct Access role, and a "PC" running Windows 8.1 Enterprise. There are two network segments: an "internal" test VLAN with Internet access and an isolated VLAN with no network access. All server network interfaces have IPv6 enabled (with auto-assigned IPv6 addresses). The "PC" has only IPv4 enabled. All computers are joined to the same test AD domain.
Initially, all computers are connected to the "internal" segment. Then I use a series of built-in wizards to enable and configure Direct Access. Then I connect the "PC" to the "external" segment. Everything works just fine, all lights are green in the DA Management Console. I can open a web browser on the "PC" and surf the Internet, and I can ping computers on the "internal" network (ping shows IPv6 addresses instead of IPv4 ones).
Then I go to "Network connections" on the "edge" server and unbind IPv6 from the "internal" interface. The "Operations Status" panel shows me that network adapters don't work properly, but the DNS and DNS64 lights still stay green. However, Internet browsing on the workstation is impossible as names aren't resolved into IP addresses anymore. OK, I bind IPv6 back to the "internal" interface, and... the system doesn't work. Although the "Network adapters" node in "Operations Status" becomes green again after a while, name resolution on the workstation doesn't work anyway. And it NEVER starts working again. Reloading and refreshing the configuration on the server, reattaching the "PC" to the "internal" segment, rebooting the server and the "PC" - nothing helps. The only way to restore the situation back to normal is completely removing the DA configuration from the server and recreating it from scratch.
If I open the configuration wizard of "Step 3 (Infrastructure servers)" and go to the "DNS" tab, I can see the address of the DA server as the only DNS server for clients. Before I break the system, I can open that entry, press the "Validate" button, and the system tells me that DNS is working fine. After I've broken the system, I press the "Validate" button, and after a long pause the system tells me that name resolution doesn't work.
What's even worse, sometimes the "PC" completely loses the ability to resolve names even after reconnecting to the "internal" segment, and the only way to resolve it is completely deleting the key with policies from registry (HKLM\SOFTWARE\Policies\Microsoft).
What's going on? Why does unbinding IPv6 completely break name resolution on the DA server? I spent three days reproducing the situation in the test environment, and the problem appears again and again. A bug?
Evgeniy Lotosh
MCSE: Server Infrastructure, MCSE: Messaging
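The pieces the post touches (the IPv6 binding on the internal NIC, the DNS entry that "Validate" checks, and the NRPT policy the client gets from the registry) can be inspected from PowerShell instead of the console. This is an added diagnostic script, not code from the post or from Microsoft; it assumes the internal adapter is named "Internal" and uses "corp.example.test" as a placeholder for the DA DNS suffix.

```powershell
# --- Run on the DA ("edge") server ---

# 1. Is IPv6 still bound to the internal interface? (ms_tcpip6 is the IPv6 binding component)
Get-NetAdapterBinding -Name "Internal" -ComponentID ms_tcpip6 |
    Select-Object Name, DisplayName, Enabled

# 2. Which DNS server(s) does DA hand out to clients, and which namespaces do they cover?
#    This is the same data shown on the "DNS" tab of Step 3 (Infrastructure servers).
Get-DAClientDnsConfiguration |
    Select-Object DnsSuffix, DnsIPAddress

# 3. Component health as reported by the "Operations Status" node.
Get-RemoteAccessHealth |
    Select-Object Component, HealthState |
    Format-Table -AutoSize

# --- Run on the client ("PC") ---

# 4. The NRPT rules delivered by Group Policy; these live under
#    HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig,
#    which is the key the post ends up deleting by hand.
Get-DnsClientNrptPolicy |
    Select-Object Namespace, DirectAccessDnsServers, DirectAccessEnabled

# 5. Does a name inside the DA namespace resolve through the NRPT-selected server?
#    Placeholder suffix; replace with the suffix shown by step 2.
Resolve-DnsName -Name "dc1.corp.example.test" -ErrorAction Continue
```

If step 1 shows Enabled = False, or step 2 lists a DNS server address that no longer exists on the internal interface after re-enabling IPv6, that mismatch is the first thing to compare against the "Validate" result in Step 3.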