- If you're troubleshooting a multisite deployment, ensure that the domain controller closest to the entry point is available.
- Use the Get-DAEntrypointDC cmdlet to retrieve the name of the domain controller closest to the entry point. If the domain controller isn't running, use the Set-DAEntryPointDC cmdlet to point to another domain controller.
- Run gpresult from an elevated command prompt on the server to ensure the server is getting the DirectAccess Group Policy Objects.
- Enable user interface (UI) logging.
- Use the following command to start Windows PowerShell logging:
logman create trace ETWTrace -ow -o c:\ETWTrace.etl -p {AAD4C46D-56DE-4F98-BDA2-B5EAEBDD2B04} 0xffffffffffffffff 0xff -nb 16 16 -bs 1024 -mode 0x2 -max 2048 -ets
logman update trace ETWTrace -p {62DFF3DA-7513-4FCA-BC73-25B111FBB1DB} 0xffffffffffffffff 0xff -ets
<repro>
- Close and reopen the user interface.
- Disable Windows PowerShell logging. Collect the Event Trace Log files. Also, collect all the logs from the %windir%\tracing folder.
- If you're troubleshooting a multisite deployment, ensure that the domain controller closest to the entry point is available.
- Use the Get-DAEntrypointDC cmdlet to retrieve the name of the domain controller closest to the entry point. If the domain controller isn't running, use the Set-DAEntryPointDC cmdlet to point to another domain controller.
- Use the following command to start Windows PowerShell logging:
logman create trace ETWTrace -ow -o c:\ETWTrace.etl -p {AAD4C46D-56DE-4F98-BDA2-B5EAEBDD2B04} 0xffffffffffffffff 0xff -nb 16 16 -bs 1024 -mode 0x2 -max 2048 -ets
logman update trace ETWTrace -p {62DFF3DA-7513-4FCA-BC73-25B111FBB1DB} 0xffffffffffffffff 0xff -ets
<repro>
- Select Apply.
- After the failure occurs, disable Windows PowerShell logging, and collect the Event Trace Log.
- Select the Operations Status tab in the Remote Access Management console, and ensure that all the components show a green icon. If not, check the error details and follow the resolution steps.
- Run the Remote Access Server Best Practices Analyzer (BPA). If there are any warnings or errors, follow the resolution steps to resolve the issue.
- Enable the registry key cmd.exe /c "reg add HKLM\SYSTEM\CurrentControlSet\Services\RaMgmtSvc\Parameters /f /v DebugFlag /t REG_DWORD /d ""0xffffffff"" " to collect the user interface logs on the new server.
- Enable the registry key cmd.exe /c "reg add HKLM\SYSTEM\CurrentControlSet\Services\RaMgmtSvc\Parameters /f /v EnableTracing /t REG_DWORD /d ""5"" ".
- Refresh the operations status and collect the logs from %windir%\tracing.
Before you run the commands in this procedure, ensure that you replace all domain names, computer names, and other Windows PowerShell command variables with values that are appropriate for your deployment.
Configure a static proxy for an NRPT rule:
1. Display the "." NRPT rule: Get-DnsClientNrptRule -GpoName "corp.example.com\DirectAccess Client Settings" -Server <DomainControllerNetBIOSName>
2. Note the name (GUID) of the "." NRPT rule. The name (GUID) should start with DA-{..}
3. Set the proxy for the "." NRPT rule to proxy.corp.example.com:8080: Set-DnsClientNrptRule -Name "DA-{..}" -Server <DomainControllerNetBIOSName> -GPOName "corp.example.com\DirectAccess Client Settings" -DAProxyServerName "proxy.corp.example.com:8080" -DAProxyType "UseProxyName"
4. Display the "." NRPT rule again by running Get-DnsClientNrptRule, and verify that ProxyFQDN:port is now correctly configured.
5. Refresh Group Policy by running gpupdate /force on a DirectAccess client when the client is connected internally, then display the NRPT using Get-DnsClientNrptPolicy and verify that the "." rule shows ProxyFQDN:port.
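Steps 1 through 4 of the procedure above as a single script. This is an added example, not part of the original procedure. The parameter names $GpoName, $Server and $ProxyName and the value DC1 are placeholders, and the script assumes it runs from an elevated Windows PowerShell session with rights to edit the GPO.

```powershell
# Added example: look up the "." NRPT rule by namespace instead of copying its
# GUID by hand, set the static proxy, then read the rule back to confirm it.
param(
    [string]$GpoName   = 'corp.example.com\DirectAccess Client Settings',
    [string]$Server    = 'DC1',   # placeholder for <DomainControllerNetBIOSName>
    [string]$ProxyName = 'proxy.corp.example.com:8080'
)
$ErrorActionPreference = 'Stop'

# Steps 1-2: list the rules stored in the GPO and keep the "." namespace rule.
$rules = @(Get-DnsClientNrptRule -GpoName $GpoName -Server $Server |
    Where-Object { $_.Namespace -contains '.' })

# Stop rather than guess if the GPO holds zero or several "." rules.
if ($rules.Count -ne 1) {
    throw "Expected exactly one '.' NRPT rule in '$GpoName', found $($rules.Count)."
}
$rule = $rules[0]

# The procedure expects the rule name (GUID) to start with DA-{..}.
if ($rule.Name -notlike 'DA-{*') {
    throw "Rule '$($rule.Name)' does not start with DA-{ ; refusing to modify it."
}
"Before: $($rule.Name) proxy='$($rule.DAProxyServerName)' type=$($rule.DAProxyType)"

# Step 3: set the static proxy on that rule.
Set-DnsClientNrptRule -Name $rule.Name -Server $Server -GpoName $GpoName `
    -DAProxyServerName $ProxyName -DAProxyType 'UseProxyName'

# Step 4: read the rule back from the GPO and verify both proxy fields.
$after = Get-DnsClientNrptRule -Name $rule.Name -GpoName $GpoName -Server $Server
if ($after.DAProxyServerName -ne $ProxyName -or
    "$($after.DAProxyType)" -ne 'UseProxyName') {
    throw "Proxy not applied: proxy='$($after.DAProxyServerName)' type=$($after.DAProxyType)"
}
"After:  $($after.Name) proxy='$($after.DAProxyServerName)' type=$($after.DAProxyType)"
```

Step 5 still has to be run on a DirectAccess client, because gpupdate /force and Get-DnsClientNrptPolicy report the policy in effect on that client rather than the contents of the GPO.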