DirectAccess Client Troubleshooting tool!

Exciting news for today!  Some of my colleagues who work a lot with DirectAccess have released a new public DirectAccess Client Troubleshooting Tool.  This works on Windows 7, 8, and 8.1 DirectAccess client machines.  If you plan to install this on a Windows 7 client, be sure you also install the .NET framework 4.0 as this is required.

If you need a good step-by-step troubleshooting guide to follow, see my previous blog posting here :

Please leave any feedback on the DirectAccess client troubleshooting tool in the comment box below and I’ll be sure to pass it along to the authors of the tool!

Tags: , , , , , , , , , ,

Categories: Troubleshooting DirectAccess

24 Comments on “DirectAccess Client Troubleshooting tool!”

  1. Matt
    February 19, 2014 at 22:10 #

    I like the tool – issue I have found is that under “Interface Test” it gives a yellow exclamation mark warning because you can’t ping your IPv4 DNS server. Our DNS server is Google DNS at but it does reply on actual DNS queries.

    • February 19, 2014 at 23:16 #

      Thanks for the feedback Matt! I’ll pass it along to the developers of the tool.

      • Matt
        April 9, 2014 at 23:28 #

        I found another strange item…

        If you have a Network Connectivity Assistant probe resource which is a PING resource (not the default of HTTP), the logfile of the troubleshooter says “Error: Unknown Probe format for probe hostname”

      • April 10, 2014 at 08:35 #

        Hi Matt,

        Thanks for reporting this, I’ll send the feedback along to the developers!

      • April 11, 2014 at 09:22 #

        Hi Matt,

        The developers of the tool found a bug in their code and will be fixing this in a future release. We really appreciate you passing this feedback along!

  2. February 20, 2014 at 09:28 #

    Hi! You do a greate job here! We deploy DA at the moment with Windows 7 clients. May I ask a question? Thanks! We use DA with Windows Server 2012 R2 and do NOT use “force tunneling” but “Two-factor authentication: Enabled”. However, users are able to use DA without Smart Card. How can this be able? Now I am searching for hours and find … nothing. Please help! I am pulling my hair out. This is one main requirement of our security section. Everything else works like a charm!


  3. February 20, 2014 at 10:46 #

    Wow, very fast reply. Thanks

    Yes, DCA and all recommended updates ( are installed. It works with smart card and without smart card. Sometimes I get a message in systray but everything is reachable and works but it shouldn’t!? Often the users should be able to do some things and it do not work. But now the users should not be able to do … but YES, THEY CAN ;-))

    • February 20, 2014 at 14:52 #

      Hi Dietmar,

      What do you see when you run the following PowerShell command on the DA Server?

      Get-DAServer | ft UserAuthentication

      What type of internal resources are the users able to access? Are they domain controllers or something defined in the management server list (infrastructure tunnel)?

      • February 21, 2014 at 09:42 #

        Hi! The PowerShell command delivers “Two-Factor” as answer. The clients are able to login to the machine, DCA says DirectAccess connection works, all the shares are mapped (we use Group Policy Preferences to map our network drives) and are listed. In the management server list we only added ConfigMgr-Servers and Anti-Virus update server.

        Oh, our Anti-Virus uses an Active Directory account to reach the share. This works also. Is this because the server is in the management server list?


      • February 25, 2014 at 22:48 #

        Hi Dietmar,

        Can you run the following command on the DirectAccess server?

        netsh adv consec sh rule name=”DirectAccess Policy-DaServerToCorp” type=dynamic

        I’m looking to see what value is present for the ApplyAuthorization field.

        If you add servers in the management list, then the DirectAccess client will reach them over the infrastructure tunnel which does not require the authorization.

      • February 26, 2014 at 00:41 #


        Enabled: Yes
        Profiles: Private, Public
        Type: Dymanic
        Mode: Tunnel
        RemoteTunnelEndpoint: Any
        Endpoint2: Any
        Protocol: Any
        Action: RequireInRequireOut
        Auth1: ComputerCert
        Auth1CertMapping: No
        Auth1ExcludeCAName: No
        Auth1CertType: Root
        Auth1HealthCert: No
        Auth2: UserKerb
        ExemtIPsecProtectedConnections: No
        ApplyAuthorization: Yes

        Is this OK?

  4. Fred
    February 21, 2014 at 02:14 #


    I have tried this tool on a French Windows 8 and it did not work

    I have installed the English User Interface and after that the tool work perfectly

    Hope in the future this tool work for all localization interface

    Best regards

    • February 21, 2014 at 11:28 #

      Hi Fred,

      We really appreciate this feedback! I’ll pass this feedback along to the developers of the tool. They are working on an updated version so please check back.

      • Fred
        February 21, 2014 at 11:51 #


        Ok great news I will follow this thread


    • May 10, 2014 at 03:10 #

      Same Problem here. Default Language is German, Tool does not work

      • May 13, 2014 at 11:51 #

        Hi Andreas,

        I’ve passed the feedback to the tool developers and they are working on a fix in the next version of the tool. Thanks for reading!

  5. didihai
    May 21, 2014 at 13:52 #


    @Fred: Every time I want to use the Troubleshooting Tool it crashes! I use Windows 7 German.

    We use force tunneling with Windows 7. The Troubleshooting Tool marks yellow that the IP-HTTPS-Interface has no standard-gateway. Everything works like a charm. Do I need a standard-gateway for the IP-HTTPS-Interface? When yes, where to configure? I find no entries for this. Thanks!

    • May 22, 2014 at 10:43 #

      You don’t need to have a default gateway configured for the IP-HTTPS adapter. I’ve passed this as feedback to the developers of the tool to hopefully get updated in a future version.

  6. Russell
    September 8, 2014 at 18:20 #

    Ok, we have some issues with some of our clients every once in a while that show that everything is good on the troubleshooter, aside from the last connection to our domain. We have struggled to find what is causing this for quite some time. I have created a small script used to automate our ‘fixes’ for DirectAccess issues. So far, this issue eludes me as to how to fix. I can supply a copy of some logs, but they are too bulky to put on this post. Is there somewhere I can upload the logs?

  7. October 1, 2014 at 07:58 #

    Just found this tool and used it to resolve our IPHTTPS issue (error 0x10df). However on laptops that I have installed it on that are working fine the DCA icon say its not DA is not properly configured, how do I resolve that misleading icon?

  8. Rob J
    October 2, 2014 at 04:16 #

    I’ve found that this tool while very useful does always throw one false positive.
    During the firewall check phase I see on every computer where they are connected at home wired or wireless and are clearly in “home” profile the tool says they are in “Private” profile and also says that the firewall is disabled in that profile (which it isn’t!).

    This is very misleading… can the profile detection be fixed ?

    This is primarily Win7 clients…

  9. Fred
    October 16, 2014 at 11:52 #


    Just for your information I have tested the Tools on an English Windows 10 Technical Preview and …………….. it’s work 🙂

    I have a question, do you have an information about the compatibity with localized version of Windows. In my case it’s the French localize version of Windows.

    Best Regards

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: