DirectAccess is a very cool technology! But, as with all cool technologies, sometimes things go wrong.
And with DirectAccess, when things go wrong, your DirectAccess clients can find themselves in a very broken state.
Some of our favorite symptoms of a broken client include:
- Unable to resolve names via the internal name server
  (i.e., no more ping to internal resources)
- Clients can’t update policies
  (This one is really nasty if you have a new DirectAccess policy and your clients are difficult to get onto the internal network without the help of FedEx)
- Users’ screams of “I can’t get on the network”
In many instances, these symptoms are a direct result of a broken Name Resolution Policy via a bad (or outdated) entry in the Name Resolution Policy Table (NRPT).
Never fear, removing those entries is very simple!
Removing NRPT policy on Windows 7 clients
- Navigate to Start and enter the following text into the search box to launch the Group Policy Editor
  GPEDIT.MSC
- Once the Group Policy Editor has launched, navigate to
  Local Computer Policy –> Windows Settings –> Name Resolution Policy
- In the right-hand pane, scroll to the bottom of the pane and locate the Name Resolution Policy Table
- Delete BOTH entries
- Restart your client
Removing NRPT policy on Windows 8 and Windows 10
- Navigate to Start and enter the following text into the search box to launch the Registry Editor
  REGEDIT.EXE
- Navigate to the following registry node
  HKEY_LOCAL_MACHINE –> Software –> Policies –> Microsoft –> Windows NT –> DNSClient –> DnsPolicyConfig
- Locate and delete the entries below DnsPolicyConfig which have the format of DA-{GUID} (There should be two entries)
- Restart your client
Now you can roll out new domain policies to your client as needed.
Please remember that you will need an alternate method of connecting to your internal network such as a standard VPN or a very long network cable.
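The Windows 8 and Windows 10 registry steps above as a PowerShell script for an elevated prompt: it exports DnsPolicyConfig to a .reg file before deleting the DA-{GUID} subkeys, so the entries can be restored with `reg import`. This is an added example, not part of the original article; the backup folder and the `DA-{*}` name match are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: back up, then remove, the DA-{GUID} NRPT entries under DnsPolicyConfig.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: folder that receives the backup .reg file.
    [string]$BackupDir = "$env:SystemDrive\NrptBackup"
)

$regKey  = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig'
$keyPath = "Registry::$regKey"

if (-not (Test-Path -LiteralPath $keyPath)) {
    Write-Warning "No policy NRPT key found at $regKey; nothing to remove."
    return
}

# Only touch subkeys named DA-{...}; any other NRPT rules are left alone.
$daKeys = @(Get-ChildItem -LiteralPath $keyPath |
    Where-Object { $_.PSChildName -like 'DA-{*}' })

if ($daKeys.Count -eq 0) {
    Write-Warning 'No DA-{GUID} entries found under DnsPolicyConfig.'
    return
}
if ($daKeys.Count -ne 2) {
    Write-Warning "The article expects two DA-{GUID} entries; found $($daKeys.Count)."
}

# Export the whole key first, even under -WhatIf, so the deletion is reversible.
New-Item -ItemType Directory -Path $BackupDir -Force -WhatIf:$false | Out-Null
$backup = Join-Path $BackupDir ('DnsPolicyConfig-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export $regKey $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Backup failed (reg.exe exit code $LASTEXITCODE); no entries were removed."
}

foreach ($key in $daKeys) {
    # 'Name' holds the DNS namespace(s) the rule applied to; empty if the value is absent.
    $namespaces = (Get-ItemProperty -LiteralPath $key.PSPath).Name -join ', '
    Write-Host ("{0}  namespace: {1}" -f $key.PSChildName, $namespaces)
    if ($PSCmdlet.ShouldProcess($key.PSChildName, 'Remove NRPT entry')) {
        Remove-Item -LiteralPath $key.PSPath -Recurse -Force
    }
}
Write-Host "Backup saved to $backup. Restart the client to apply the change."
```

Run it with `-WhatIf` first to list the entries and create the backup without deleting anything.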
My IT department attempted to give me direct access to the university network about a week ago, and I have had numerous problems ever since. I can’t access any university related networks from off campus, and I get messages that Teredo and IP-HTTPS have been disabled locally. I re-enabled them, and still had trouble. The only thing that worked was to delete the entries in the Name Resolution Policy Table (in GPEDIT.MSC) and restart the computer. However, this morning, when I turned on my computer, the entries were back and I had to delete them again. I don’t want to use DirectAccess, so is there any way to permanently delete these entries from the NRPT?
Kathy,
The best (and pretty much only foolproof) method is to contact your System Administrator and request you be removed from DirectAccess.
Thank You! No other article clued into the problem. Your article was the only one that actually fixed the immediate crisis. Are there any other entries to remove to completely strip out all Direct Access Settings?
Mark,
None that we are aware of.
Hi,
I am unable to find those entries in my machine.
I have added myself in Direct Access AD, also Direct Access is configured and disabled when I am at work, but unable to find those registry entries.
Neha,
You did not specify a version of Windows.
Assuming you are using Windows 10, please see the Windows 8 policy instructions.
Brilliant… searched on how to do this for ages and you solved it. Thank you.
We recently discovered that you can more or less switch it on and off by renaming dnspolicyconfig to say dnspolicyconfigold and back. Handy if you want to test another VPN but leave your laptop with the potential to reconnect and DA still deployed.