I'm the person who asked a while back about setting up a basic DirectAccess infrastructure (non-UAG), and I thought everything was going great as I was stepping through the Test Lab Guide and translating it into a real-world deployment. But everything seems to have fallen apart...
First off, I've tried just about every troubleshooting guide out there over the past 24 hours and at this point my mind is overloaded, so bear with me if I sound a bit out of it.
I completed the DirectAccess setup without any errors. My basic setup is this: 1) A physical server with three physical NICs. The domain controller is installed on the physical server and uses one NIC for internal network access. The domain controller is also acting as a file server, and of course, as the enterprise CA. 2) Hyper-V is set up on the domain controller, and the two remaining NICs are bound to virtual networks (and not shared with the physical host). The DirectAccess server is added as a VM and uses one NIC for external and the other for internal access. 3) The IP-HTTPS certificate is a commercial one and the CRL for this certificate is therefore accessible anywhere (this has been tested). 4) The NLS is on the DirectAccess server, but is using a separate virtual NIC bound to a different IP address to avoid any conflicts.
Now for the problems... I cannot access (even ping) an internal resource from a remote client despite indications that the tunnels are being created. I can ping the ISATAP address of the DirectAccess server, but not the ISATAP address of the DNS server (domain controller). And, of course, I can't access any file shares either.
From the domain controller, I can ping the ISATAP address of the DirectAccess server, but not any client addresses.
From the DirectAccess server, I can ping both the ISATAP address of the domain controller, and addresses of clients.
The firewall monitors do seem to indicate that both Main and Quick Mode connections are being made.
The problem is occurring on both a test client that is directly connected to the internet as well as one that is behind NAT. The really odd thing is that I could swear a couple days ago that I made a successful 6to4 connection on the client directly connected to the internet and was able to access and modify a file on a network share, but now even this client refuses to work despite no change that I can think of in my setup. The only thing I did is add another test client behind NAT.
I've gone through dozens of troubleshooting guides, and everything seems to check out except that I can't access corporate resources or resolve names. But there are no certificate errors or incorrect settings as far as I can tell. I even removed the transparent firewall from in front of the DA server to make sure that wasn't causing the problems but absolutely nothing changed.
I know that without seeing my setup it will be hard to know exactly what is going on but at this point I'm almost willing to pay someone a modest sum to help me figure out what the deal is. I just don't see why it isn't working, and I feel like I'm so close! Please help!
Apparently the infrastructure tunnel is coming up fine but the intranet tunnel is not. However, I'm under the impression that I should still be able to access the domain controller through the infrastructure tunnel...
I tried disabling TCP offload on the NICs (I've had odd things happen with it before) and somehow was able to ping the domain controller from the clients but still could not access anything else. Then I rebooted the domain controller and DA server and even ping fails again!
Short story: Don't ever add another adapter to the DA server for NLS.
Long story: I thought I was being safe by dedicating an adapter and IP on the DA server for NLS, but the reality is that it broke just about everything without really giving many clues as to why things weren't working. I think it has something to do with the additional adapter screwing up ISATAP functionality, but anyway as soon as I disabled that third adapter everything magically started working...
Now the only thing I need to figure out is why Teredo doesn't seem to be working. 6to4 is fine for clients not behind NAT, but all other clients seem to always fall back to IP-HTTPS.