DirectAccess on Server 2012 R2 with Single NIC behind NAT on IPv4 only Corporate Network Results in "DNS Not Working Properly"

I hit this problem at a customer site and can reproduce it in a simple lab. Lab environment servers:

  • 1x Server 2012 R2 DC and DNS server - DC1 - 10.0.0.1
  • 1x Server 2012 R2 DirectAccess (DA) server - DA1 - 10.0.0.100

Servers are running "Update" (KB2919355) and the following DA hotfixes:

  • KB2929930
  • KB2966087

I configured DA (via advanced wizard) as follows:

  • DA and remote access
  • AD group
  • directaccess-webprobehost DNS (A) record pointing to 10.0.0.100
  • behind an edge device (with a single network adapter)
  • SSL certificate from enterprise root CA issued to directaccess.contoso.com
  • NLS on remote server using https://nls.corp.contoso.com
  • DNS: corp.contoso.com = 10.0.0.1; nls.corp.contoso.com = ""
  • DNS suffix search list = corp.contoso.com

The DNS server validates successfully in the configuration UI.

With this configuration, I get a static IPv6 address of fd79:7a37:cbd9:3333::1/128 assigned to the NIC.

The operations status is all green apart from DNS which displays the following error:

"DNS: Not Working Properly"

Error:

None of the enterprise DNS servers fd79:7a37:cbd9:7777::a00:1 used by DirectAccess clients for name resolution are responding. This might affect DirectAccess client connectivity to corporate resources.

Causes:

Enterprise DNS servers fd79:7a37:cbd9:7777::a00:1 are not responding.

I can, however, ping fd79:7a37:cbd9:7777::a00:1 (which is the DNS64 translation of 10.0.0.1).

I would like to know what checks are failing as there are no failures in Event Viewer.

I have come across forums where people have the same issue and fix it by specifying the local IP (in this case 10.0.0.100) as the DNS server; however, Richard Hicks has confirmed with me that the DNS server should be set to the DNS server, not the DA server's IP.

August 14th, 2014 2:49am
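The question above is which check is failing when ICMP to the DNS64 address succeeds. The script below is an added example (not the poster's or Microsoft's code) that separates "reachable by ping" from "answers a DNS query" for each candidate address the thread argues about: the entries DirectAccess has in the NRPT, the DNS64 form of the DC (computed from the ::/96 prefix), the DC's raw IPv4, and the DA server's IPv4. It assumes the NAT64/DNS64 prefix fd79:7a37:cbd9:7777::/96 from the thread and an internal A record named dc1.corp.contoso.com (the FQDN is an assumption; any internal host will do). Run it in an elevated PowerShell on DA1.

```powershell
# Added example for this thread, not the poster's code. Run on the DirectAccess server.
# Assumptions: NAT64/DNS64 prefix fd79:7a37:cbd9:7777::/96 (as in the thread) and an
# internal A record dc1.corp.contoso.com (name assumed; substitute any internal host).

function ConvertTo-Nat64Address {
    # Embed an IPv4 address in the last 32 bits of a ::/96 NAT64 prefix,
    # e.g. 10.0.0.1 -> fd79:7a37:cbd9:7777::a00:1
    param(
        [Parameter(Mandatory)][ipaddress]$IPv4,
        [string]$Prefix = 'fd79:7a37:cbd9:7777::'
    )
    $b  = $IPv4.GetAddressBytes()
    $hi = '{0:x}' -f (([int]$b[0] -shl 8) -bor [int]$b[1])
    $lo = '{0:x}' -f (([int]$b[2] -shl 8) -bor [int]$b[3])
    # Round-trip through [ipaddress] to get the canonical compressed form
    ([ipaddress]('{0}{1}:{2}' -f $Prefix, $hi, $lo)).IPAddressToString
}

function Test-EnterpriseDnsServer {
    # Distinguish "reachable by ICMP" from "answers DNS": the DirectAccess
    # DNS health check needs the latter, and ping proves only the former.
    param(
        [Parameter(Mandatory)][string]$Server,
        [string]$ProbeName = 'dc1.corp.contoso.com'   # assumed internal record
    )
    $r = [ordered]@{ Server = $Server }
    $r.Ping = Test-Connection -ComputerName $Server -Count 1 -Quiet -ErrorAction SilentlyContinue
    try {
        # -DnsOnly bypasses the local cache and NRPT so the query really goes to $Server
        $ans = Resolve-DnsName -Name $ProbeName -Type A -Server $Server -DnsOnly -ErrorAction Stop
        $r.DnsAnswers = $true
        $r.Detail = ($ans | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }) -join ','
    } catch {
        $r.DnsAnswers = $false
        $r.Detail = $_.Exception.Message
    }
    # TCP/53 reachability, in case UDP is answered but TCP fallback is filtered
    $r.Tcp53 = (Test-NetConnection -ComputerName $Server -Port 53 -WarningAction SilentlyContinue).TcpTestSucceeded
    [pscustomobject]$r
}

# Candidates the thread argues about: the NRPT's own DNS entries (as DirectAccess
# holds them), the DNS64 form of the DC, the DC's raw IPv4, and the DA server's IPv4.
$targets = @(Get-DAClientDnsConfiguration -ErrorAction SilentlyContinue |
             ForEach-Object { $_.DnsIPAddress } |
             Where-Object { $_ } | ForEach-Object { [string]$_ })
$targets += ConvertTo-Nat64Address -IPv4 10.0.0.1
$targets += '10.0.0.1', '10.0.0.100'

$targets | Select-Object -Unique |
    ForEach-Object { Test-EnterpriseDnsServer -Server $_ } |
    Format-Table Server, Ping, Tcp53, DnsAnswers, Detail -AutoSize
```

A row with Ping true and DnsAnswers false is the state the health check is reporting: the NAT64 path carries ICMP but no DNS answer comes back over it. A row where the DNS64 address answers but the UI still shows "Not Working Properly" points at the validation logic rather than name resolution, which is the possibility raised later in the thread.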

Hi Andrew - I have come across this once or twice but good to know it can be reproduced. Had one recently where the DirectAccess Server would not update DNS correctly on the Domain Controller - perhaps worth a check. The webprobe host and connectivity host records were there but not the IPv6 address of the DA Server. The config you have posted all seems "normal" and fine - except I couldn't see an NRPT exclusion for directaccess.contoso.com (with no DNS Servers specified) - was this mentioned in the application of the GPOs? Just a question as the first time I ever did this I missed that nugget of information where the internal and external names are the same.
August 16th, 2014 2:46pm

Hi John,

I have added an NRPT exclusion for directaccess.contoso.com which has made no difference (yes, I came across that nugget before too, and the GPO application did create a warning, but in this lab it did not). The DNS entries appear OK, but to make sure, here are the registered entries for the DA server:

  • DA1 (AAAA) - fd79:7a37:cbd9:1:0:5efe:10.0.0.100
  • DA1 (A) - 10.0.0.100
  • directaccess-corpConnectivityHost (A) - 127.0.0.1
  • directaccess-corpConnectivityHost (AAAA) - fd79:7a37:cbd9:7777::7f00:1
  • directaccess-WebProbeHost (A) - 10.0.0.100

Cheers

August 17th, 2014 11:01am

Hi Andrew - so the only things that spring to mind right now are as follows (unless we have found a new feature!)

Is the IPv6 address still on the internal NIC of the DA Server after configuration? I only ask as I have seen instances where this "seems" to disappear. Secondly, my thoughts are Windows Firewall. Is the Domain Profile for both DA Server and DC potentially blocking the traffic? Are there any firewalls in between, or is something like AV intercepting the call? Symantec is one I can think of immediately.
August 17th, 2014 11:11am

Hi John,

The IPv6 address is still present on the DA server's internal NIC.  In this lab, there is no AV software installed (all servers are running on a single Hyper-V host using a private network).

The Windows Firewall is enabled on both the DA server and DC in default configuration. I created and applied a GPO that opens all the built-in "Core Networking" rules for both servers but it made no difference.

I might have to give Wireshark a spin...

Cheers,

Andrew

August 17th, 2014 7:48pm

Hi,

Same, I could not find any solution. Did you find any solution?
August 21st, 2014 6:16am

Hi Both - having a conversation (although not being a Hyper-V guru), I believe the network needs to be set to either External or Internal to work. Private bridges the physical NIC on the host and the virtual NIC on the VM and will not allow traffic between the virtual machines on the same host. Please try External for me and see what happens.
August 21st, 2014 6:20am

Hi John,

A private network in Hyper-V allows communications between VMs on a single host, internal is between them and the host. Network connectivity is working perfectly between the DA server and the DC using private.

Changing it to external made no difference. My client with the same problem is running on VMWare with an external connection.

Cheers, Andrew

August 21st, 2014 6:49am

Hi Andrew - good to hear from you - OK, wasn't sure, but now that is clarified that's fine. The client has VMware? Have operated on both and haven't seen this issue at all. Have you tried a config with two (simulated) public IPs to see if any issues occur there? Like you, trying to work out if this is NAT / DA single NIC related or comms between DA Server and DC. Did you manage to run a Wireshark trace with any luck?
August 21st, 2014 7:53am

I ran a Wireshark capture on the DA server and restarted the RaMgmtSvc service, and everything seemed normal.

DNS filter: (capture screenshot not reproduced)

ICMP filter: (capture screenshot not reproduced)

10.0.0.90 is the NLS server. Only the ISATAP DNS query is returning "no such name", but that is expected as I'm running an IPv4 internal network and do not have (nor want) ISATAP.

I'll try nuking the DA server config and setting it up with two NICs and see if that makes any difference, though I don't want to do this at the client site as they have a large network and it would require an insane amount of static routes to be configured on the internal NICs.
August 21st, 2014 9:36am

I had the same issue - it's because I had ISATAP misconfigured.

Do a route print and validate the route to the fd4f:e9b1:fa17:7777 subnet.

I had multiple entries and traffic was going through my ISATAP interface instead of the local NIC.

August 28th, 2014 1:05am

Thanks for the post Matt,

ISATAP has been disabled on my DA server, so the results of a "ROUTE PRINT -6" command yield:

===========================================================================
Interface List
 12...00 15 5d 01 03 64 ......Microsoft Hyper-V Network Adapter
  1...........................Software Loopback Interface 1
 14...00 00 00 00 00 00 00 e0 IPHTTPSInterface
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination                    Gateway
  1    306 ::1/128                                On-link
 12    261 fd79:7a37:cbd9::/48                    On-link
 14    306 fd79:7a37:cbd9:1000::/64               On-link
 14    306 fd79:7a37:cbd9:1000::/128              On-link
 14    306 fd79:7a37:cbd9:1000::1/128             On-link
 14    306 fd79:7a37:cbd9:1000::2/128             On-link
 14    306 fd79:7a37:cbd9:1000:814c:28be:46b5:52c1/128  On-link
 12    261 fd79:7a37:cbd9:3333::1/128             On-link
 12    261 fd79:7a37:cbd9:7777::/96               On-link
 12    261 fe80::/64                              On-link
 14    306 fe80::/64                              On-link
 12    261 fe80::20c0:e848:d304:9f01/128          On-link
 14    306 fe80::814c:28be:46b5:52c1/128          On-link
  1    306 ff00::/8                               On-link
 12    261 ff00::/8                               On-link
 14    306 ff00::/8                               On-link
===========================================================================
Persistent Routes:
 If Metric Network Destination                    Gateway
  0 4294967295 fd79:7a37:cbd9:1000::/64           On-link
  0 4294967295 fd79:7a37:cbd9::/48                On-link
  0 4294967295 fd79:7a37:cbd9:7777::/96           On-link
===========================================================================
August 28th, 2014 1:15am
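Matt's suggestion above is to confirm that the NAT64 prefix is routed once, via the internal NIC, and not via an ISATAP interface; Andrew's route table shows a single on-link entry for fd79:7a37:cbd9:7777::/96 on interface 12. The script below is an added example (not from the thread) that performs that check with the NetTCPIP cmdlets rather than by reading route print: it lists every route for the exact NAT64 prefix, asks the stack with Find-NetRoute which interface it would actually use for the DNS64 address of the DC, and flags duplicate prefixes or a tunnel interface (ISATAP, Teredo, 6to4, IP-HTTPS) being selected. The prefix and target address are the ones from this thread and are parameters you can change.

```powershell
# Added example for this thread, not the poster's code. Run on the DA server.
# Verifies that the NAT64 prefix has one route, on the internal LAN adapter, and
# that the stack selects that adapter (not a tunnel interface) for the DC's
# DNS64 address. Prefix/target default to the values in this thread.

function Test-Nat64RouteSelection {
    param(
        [string]$Nat64Prefix   = 'fd79:7a37:cbd9:7777::/96',   # from the route table above
        [string]$TargetAddress = 'fd79:7a37:cbd9:7777::a00:1'  # DNS64 form of 10.0.0.1
    )
    # Every route for the exact NAT64 prefix, and the interfaces they live on
    $routes    = @(Get-NetRoute -AddressFamily IPv6 |
                   Where-Object { $_.DestinationPrefix -eq $Nat64Prefix })
    $ifIndexes = @($routes | Select-Object -ExpandProperty InterfaceIndex -Unique)

    # Ask the stack which route it would use for the target; Find-NetRoute returns
    # a NetIPAddress (source) object and a NetRoute object, we want the route
    $chosen   = Find-NetRoute -RemoteIPAddress $TargetAddress |
                Where-Object { $_.CimClass.CimClassName -eq 'MSFT_NetRoute' } |
                Select-Object -First 1
    $chosenIf = Get-NetIPInterface -AddressFamily IPv6 -InterfaceIndex $chosen.InterfaceIndex

    $problems = @()
    if ($routes.Count -eq 0) {
        $problems += "no route for $Nat64Prefix"
    }
    if ($ifIndexes.Count -gt 1) {
        $problems += "prefix present on interfaces $($ifIndexes -join ',')"
    }
    if ($chosenIf.InterfaceAlias -match 'isatap|Teredo|6to4|IPHTTPS') {
        $problems += "target routed via tunnel interface $($chosenIf.InterfaceAlias)"
    }
    if ($ifIndexes.Count -eq 1 -and $chosen.InterfaceIndex -ne $ifIndexes[0]) {
        $problems += "selected interface $($chosen.InterfaceIndex) differs from route interface $($ifIndexes[0])"
    }
    $verdict = if ($problems.Count -gt 0) { $problems -join '; ' } else { 'OK' }

    [pscustomobject]@{
        Prefix            = $Nat64Prefix
        RouteInterfaces   = $ifIndexes -join ','
        SelectedPrefix    = $chosen.DestinationPrefix
        SelectedInterface = "$($chosen.InterfaceIndex) ($($chosenIf.InterfaceAlias))"
        Verdict           = $verdict
    }
}

Test-Nat64RouteSelection | Format-List
```

Against the route table Andrew posted this returns RouteInterfaces 12, SelectedInterface 12 (the Hyper-V adapter) and Verdict OK, which matches his conclusion that ISATAP is not involved. In Matt's case the same check would report the prefix on more than one interface, or a SelectedInterface whose alias contains "isatap".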

Does DNS actually work?

Set the DNS to the name or IP of your DirectAccess server (10.0.0.100).


August 29th, 2014 2:20am

Make sure your external NIC interface is not trying to reach the DNS server.

The DNS server should be reached by the inside NIC.

It should work then.
August 29th, 2014 2:55am

Hi Andrew, we ran into the same issue and resolved it by specifying the DA's IPv4 address as the DNS server. Where did you find Richard confirming that the local DNS server should be required?
January 20th, 2015 7:38pm

Hi Benjamin,

I got this from Richard during an email conversation, and when discussing this particular aspect I asked him: "In an IPv4 only environment, if I specify the DNS server to be the IPv4 address of the DNS server, it validates fine, but DNS shows as not working. If I change the DNS server to the IPv4 address of the DA server, it validates fine and DNS then changes to Working Properly. Others on the interwebs have the same behaviour, e.g. http://social.technet.microsoft.com/Forums/windowsserver/en-US/df08fa06-d3fc-4ca9-b4a2-85824a10819a/direct-access-server-dns-error?forum=winserver8setup, but based on what you said, we should NOT use the DA server's IP. When I set the DNS server to the actual DNS server (10.0.0.1, no IPv6 address) the error is: None of the enterprise DNS servers fd79:7a37:cbd9:7777::a00:1 used by DirectAccess clients for name resolution are responding. However, if I ping fd79:7a37:cbd9:7777::a00:1 from the DA server, it responds. DNS64 is working perfectly, so what darn check is failing I wonder?"

To which he replied: "It's possible that there is a UI validation bug. Although I've not seen this one in particular, there are others and I've actually worked with MS to produce a hotfix for one in the past, so they do exist. But ya, definitely don't configure the DA server's IP address for DNS. :)"

January 24th, 2015 1:45am


Hi Andrew,
The DA's IPv4 address should be specified as the DNS server, and this is also the default value when you are using the wizard while configuring.

It's not a validation bug but a very confusing explanation text in the DNS configuration window.

August 21st, 2015 4:26pm
