Network Location Behavior : Never use Direct Access settings


I have seen this a handful of times recently and thought it was worth a post, as the culprit is very easy to overlook. Suppose you have a machine that, though it was built from the same image and set up the same way as your other client machines, will not connect over DirectAccess. In fact, when you look at the DirectAccess Connectivity Assistant log files, it seems that DirectAccess is not turning itself on for some reason. Netsh name show effective gives us:

DNS Effective Name Resolution Policy Table Settings
Note: DirectAccess settings would be turned off when computer is inside corporate network

Must be a problem with NLS, right? Maybe you forgot to exclude it from the NRPT? Maybe not – remember, this is an environment where DA works just fine on other computers. So let’s take another look at the log file. We’ll make sure the client machine is correctly recognizing that it is outside of the corporate network. Netsh dns show state:

Name Resolution Policy Table Options
Query Failure Behavior : Always fall back to LLMNR and NetBIOS if the name does not exist in DNS or if the DNS servers are unreachable when on a private network
Query Resolution Behavior : Resolve only IPv6 addresses for names
Network Location Behavior : Never use Direct Access settings
Machine Location : Outside corporate network
Direct Access Settings : Configured and Disabled
DNSSEC Settings : Not Configured

Hmm, so it is correctly identifying that it is externally connected. But take a closer look at the output of that command:

Name Resolution Policy Table Options
Query Failure Behavior : Always fall back to LLMNR and NetBIOS if the name does not exist in DNS or if the DNS servers are unreachable when on a private network
Query Resolution Behavior : Resolve only IPv6 addresses for names
Network Location Behavior : Never use Direct Access settings
Machine Location : Outside corporate network
Direct Access Settings : Configured and Disabled
DNSSEC Settings : Not Configured

“Never use Direct Access settings” – that sounds wrong, doesn’t it? Sure enough, it is. This behavior is controlled by a simple registry value, which needs to be changed from “Never use” to “Automatic”, where it should be set. So far a cause for this registry key being incorrectly set has not been brought to my attention, but at least it’s a simple fix. Head over to this registry key on the client machine and change the value from “2” to “0” (zero):

HKLM\Software\Policies\Microsoft\Windows NT\DNSClient
EnableDAForAllNetworks=0
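
The same check and fix as a script, for when several clients need to be audited. This is an added example, not part of the original post; the function names are hypothetical, and only the two values the post describes (2 and 0) are interpreted.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
# The registry path and value name are the ones given in the post.
$KeyPath   = 'HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient'
$ValueName = 'EnableDAForAllNetworks'

function Get-DALocationBehavior {
    # Returns the raw value plus its meaning as described in the post (0 and 2 only).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Value = $null; Meaning = 'Value not present' }
    }
    $value = $item.$ValueName
    $meaning = switch ($value) {
        0       { 'Automatic' }
        2       { 'Never use Direct Access settings' }
        default { 'Not covered by the post; left unchanged' }
    }
    [pscustomobject]@{ Value = $value; Meaning = $meaning }
}

function Repair-DALocationBehavior {
    # Changes the value only when it is 2 ("Never use"); any other state is left alone.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $state = Get-DALocationBehavior
    if ($state.Value -ne 2) {
        Write-Verbose "No change needed: $($state.Meaning)"
        return $state
    }
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set from 2 to 0')) {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 0 -Type DWord
    }
    Get-DALocationBehavior
}

Get-DALocationBehavior               # report the current setting
Repair-DALocationBehavior -WhatIf    # preview only; drop -WhatIf to apply the change
# Confirm with the same command used in the post.
netsh dns show state | Select-String 'Network Location Behavior'
```

Because the value sits under the Policies hive, check it again after the next Group Policy refresh to confirm the change has persisted.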

Jordan Krause
IVO Networks
Jordan.Krause@ivonetworks.com