NRPT hotfix for Windows 7, 8, 2008 R2, and 2012

Hi again fellow DirectAccess admins!  This week I wanted to let everyone know about a recent hotfix we’ve published to correct an issue that some of you might hit in a large DirectAccess configuration.  The Name Resolution Policy Table (NRPT) is a pivotal function, included in Windows 7 and 2008 R2 onwards, that provides DirectAccess name resolution.  Since you will be using name resolution (DNS) for lookups of internal resources with DirectAccess, the NRPT is quite an important function for any healthy DirectAccess install.  How do you access the entries in the NRPT?  Open up your DirectAccess server console, head to Step 3 of the configuration, and then go to the DNS section as shown below:

[Image: nrpt]

When you set up a new DirectAccess server configuration, it will by default include the FQDN of the domain to which the DirectAccess server is joined.  In this example it would be the *.corp.contoso.com domain.  Now a common question I get from customers is about the DNS Server Address field.  In my example it’s showing 10.10.10.20 for corp.contoso.com.  This is the IPv4 address of the DirectAccess server.  Why would we use the DirectAccess server IP address and not a valid internal DNS server?  This is because the DirectAccess server is running a special DNS service called DNS64.  Think of it as a DNS proxy that forwards DNS requests to the internal DNS IPs defined in the network card settings of the DirectAccess server.

Adding entries to this table modifies the NRPT settings pushed to your DirectAccess clients and controls which specific servers or domains should be resolved across DirectAccess and which should be resolved using the client’s Internet connection.  Most installs may have a handful of entries in this table, but for some installs this table can grow to hundreds of entries.  Out of the box in Windows 7, 8, 2008 R2, or 2012 there is a maximum of 1,000 entries allowed in the NRPT.  If you happen to go past this limit, the NRPT is blanked on your clients, which essentially stops DirectAccess from working.

Just recently we introduced a new hotfix that allows more than 1,000 entries in the NRPT.  For any DirectAccess installs with hundreds of entries in the NRPT, I would highly recommend proactively installing this hotfix on your DirectAccess clients.  Remember, this should be installed on all your DirectAccess clients, not on the DirectAccess servers.

http://support.microsoft.com/kb/2885974

It’s pretty rare to hear of someone hitting this issue, but at least we’ve got you covered.  Please note this hotfix is not needed for Windows 8.1 or Windows 2012 R2 DirectAccess clients, as it’s already included in the OS out of the box.
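To check where a given client stands against the 1,000-entry limit, the script below is an added example (not from the original post or from Microsoft) that counts NRPT entries and checks for the hotfix. It assumes the Group Policy-delivered NRPT lives under the registry key shown and that each subkey is one entry; the 80% warning threshold and the function names are hypothetical.

```powershell
# Added example: audit a DirectAccess client against the 1,000-entry NRPT limit.
# Written to run on PowerShell 2.0 (the version that ships with Windows 7).
# Assumption: GPO-delivered NRPT rules are stored as one subkey per entry here.
$NrptKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig'
$Limit    = 1000          # limit stated in the article
$WarnAt   = 0.8           # hypothetical warning threshold (80% of the limit)
$HotfixId = 'KB2885974'   # hotfix referenced in the article

function Get-NrptEntryCount {
    param([string]$Path = $NrptKey)
    # A missing key means no NRPT policy has been applied to this machine.
    if (-not (Test-Path -Path $Path)) { return 0 }
    return @(Get-ChildItem -Path $Path).Count
}

function Test-NrptHotfixRequired {
    # 6.1 = Windows 7 / 2008 R2, 6.2 = Windows 8 / 2012.
    # 6.3 and later (Windows 8.1 / 2012 R2) already include the fix.
    param([version]$OsVersion = [Environment]::OSVersion.Version)
    return ($OsVersion.Major -eq 6 -and (1, 2) -contains $OsVersion.Minor)
}

$count    = Get-NrptEntryCount
$required = Test-NrptHotfixRequired
$patched  = [bool](Get-HotFix -Id $HotfixId -ErrorAction SilentlyContinue)

if (-not $required) {
    $status = 'OK: this OS version does not need the hotfix'
} elseif ($patched) {
    $status = 'OK: hotfix installed'
} elseif ($count -gt $Limit) {
    $status = 'CRITICAL: over the limit without the hotfix, NRPT will be blanked'
} elseif ($count -ge ($Limit * $WarnAt)) {
    $status = 'WARNING: approaching the limit, install the hotfix'
} else {
    $status = 'INFO: under the limit, hotfix not yet installed'
}

New-Object PSObject -Property @{
    Computer        = $env:COMPUTERNAME
    NrptEntries     = $count
    HotfixRequired  = $required
    HotfixInstalled = $patched
    Status          = $status
}
```

Run it from an elevated prompt on a client, or wrap it in `Invoke-Command` to collect the resulting objects from many clients at once.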


Categories: Troubleshooting DirectAccess
