Remove / Reset DirectAccess Name Resolution Policy on DA clients

DirectAccess is a very cool technology! But, as with all cool technologies, sometimes things go wrong.
And with DirectAccess, when things go wrong, your DirectAccess clients can find themselves in a very broken state.

Some of our favorite symptoms of a broken client include:

  • Unable to resolve names via the internal name server
    (i.e. no more ping to internal resources)
  • Clients can’t update policies
    (This one is really nasty if you have a new DirectAccess policy and your clients are difficult to get onto the internal network without the help of FedEx)
  • Users’ screams of “I can’t get on the network”

In many instances, these symptoms are a direct result of a broken Name Resolution Policy via a bad (or outdated) entry in the Name Resolution Policy Table (NRPT).
Never fear, removing those entries is very simple!

Removing NRPT policy on Windows 7 clients

  1. Navigate to Start and enter the following text into the search box to launch the Group Policy Editor
    GPEDIT.MSC
  2. Once the Group Policy Editor has launched, navigate to
    Local Computer Policy -> Windows Settings -> Name Resolution Policy
  3. In the right-hand pane, scroll to the bottom and locate the Name Resolution Policy Table
  4. Delete BOTH entries
  5. Restart your client

 

Removing NRPT policy on Windows 8 and Windows 10

  1. Navigate to Start and enter the following text into the search box to launch the Registry Editor
    REGEDIT.EXE
  2. Navigate to the following registry node
    HKEY_LOCAL_MACHINE -> Software -> Policies -> Microsoft -> Windows NT -> DNSClient -> DnsPolicyConfig
  3. Locate and delete the entries below DnsPolicyConfig which have the format of DA-{GUID} (There should be two entries)
  4. Restart your client
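
The same registry cleanup can be scripted from an elevated PowerShell prompt. This is an added example, not part of the original post: it backs up the DnsPolicyConfig key, lists the DA-{GUID} entries, and deletes them. The backup file location and the display of each entry's `Name` value are assumptions made for this example.

```powershell
# Added example: back up, list and remove DirectAccess NRPT entries (DA-{GUID}).
# Save as a .ps1 file and run from an elevated PowerShell prompt.
# Use -WhatIf first to see what would be deleted without changing anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Registry node from step 2, in PowerShell registry-provider form
    [string]$NrptKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig',
    # Assumption: backup location chosen for this example
    [string]$BackupFile = (Join-Path $env:TEMP 'DnsPolicyConfig-backup.reg')
)

if (-not (Test-Path -LiteralPath $NrptKey)) {
    Write-Warning "No NRPT policy key found at $NrptKey; nothing to remove."
    return
}

# Export the whole key first so the entries can be restored with 'reg import'.
$regExePath = $NrptKey -replace '^HKLM:\\', 'HKLM\'
& reg.exe export $regExePath $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Backup of $regExePath failed; no entries were deleted."
}
Write-Host "Backup written to $BackupFile"

# Only subkeys named DA-{GUID} are touched; other NRPT rules are left alone.
$daRules = @(Get-ChildItem -LiteralPath $NrptKey |
    Where-Object { $_.PSChildName -like 'DA-{*}' })

if ($daRules.Count -eq 0) {
    Write-Warning "No DA-{GUID} entries found below $NrptKey."
    return
}

foreach ($rule in $daRules) {
    # 'Name' holds the DNS namespace(s) the rule applies to (shown for review only).
    $namespaces = (Get-ItemProperty -LiteralPath $rule.PSPath).Name -join ', '
    Write-Host ("{0}  ->  {1}" -f $rule.PSChildName, $namespaces)

    if ($PSCmdlet.ShouldProcess($rule.PSChildName, 'Delete NRPT entry')) {
        Remove-Item -LiteralPath $rule.PSPath -Recurse -Force
    }
}

Write-Host 'Done. Restart the client for the change to take effect.'
```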

 

Now you can roll out new domain policies to your client as needed.
Please remember that you will need an alternate method of connecting to your internal network such as a standard VPN or a very long network cable.

8 thoughts on “Remove / Reset DirectAccess Name Resolution Policy on DA clients”

  1. Kathy

    My IT department attempted to give me direct access to the university network about a week ago, and I have had numerous problems ever since. I can’t access any university related networks from off campus, and I get messages that Teredo and IP-HTTPS have been disabled locally. I re-enabled them, and still had trouble. The only thing that worked was to delete the entries in the Name Resolution Policy Table (in GPEDIT.MSC) and restart the computer. However, this morning, when I turned on my computer, the entries were back and I had to delete them again. I don’t want to use DirectAccess, so is there any way to permanently delete these entries from the NRPT?

  2. ArmgaSys Post author

    Kathy,
    The best (and pretty much only foolproof) method is to contact your System Administrator and request you be removed from DirectAccess.

  3. Mark A. Hatfield

    Thank You! No other article clued into the problem. Your article was the only one that actually fixed the immediate crisis. Are there any other entries to remove to completely strip out all Direct Access Settings?

  4. Neha Lala

    Hi,

    I am unable to find those entries on my machine.

    I have added myself in Direct Access AD, also Direct Access is configured and disabled when I am at work, but unable to find those registry entries.

  5. ArmgaSys Post author

    Neha,
    You did not specify a version of Windows.
    Assuming you are using Windows 10, please see the Windows 8 policy instructions.

  6. Krossie

    We recently discovered that you can more or less switch it on and off by renaming dnspolicyconfig to say dnspolicyconfigold and back. Handy if you want to test another VPN but leave your laptop with the potential to reconnect and DA still deployed.
