Windows 8/8.1 Disabling NRPT Hotfix

Today brings a new DirectAccess hotfix for Windows 8 and Windows 8.1 computers. This hotfix was just released and allows your Windows 8/8.1 systems to unload the Name Resolution Policy Table (NRPT) in case your Network Location Server (NLS) becomes unavailable. Without this hotfix, when your internal NLS goes down, all your internal DirectAccess clients will load the NRPT and attempt to connect to their DirectAccess server endpoints. There is no fast way, in a couple of clicks, to tell your DirectAccess clients to unload the NRPT. This hotfix adds that ability via the Disconnect button in the network bar:


The hotfix is available here from Microsoft, and I would highly recommend it for any environment:

http://support.microsoft.com/kb/2953212

This hotfix will eventually be rolled into our monthly updates for Windows 8.1. I’ll update this article when this happens so you don’t have to manually push this hotfix out in your environments anymore.

Now if you really get into a bind, your NLS is down and you don't have the above hotfix, you can restore corporate network access on your DirectAccess clients by temporarily flushing the NRPT. This can be done by running the following two commands in an elevated command prompt on the broken DirectAccess client:

reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig" /f
net stop NcaSvc && net stop Dnscache && net start Dnscache && net start NcaSvc

This removes the NRPT from the registry and flushes it by restarting the DNS Client service. The next time this machine updates its GPOs it will get back into a broken state, so be sure you get your NLS online ASAP! Ideally it's best to host your NLS site on a highly available location such as a load balancer (if you have one at your disposal).
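The same emergency flush as a PowerShell script, added here as an example rather than taken from the post: it backs up the DnsPolicyConfig key before deleting it, restarts the two services in the order the post uses, and shows the effective NRPT before and after so you can confirm the rules are gone. It assumes the DnsClient module cmdlets that ship with Windows 8/8.1 and an elevated prompt.

```powershell
# Added example (not from the original post): emergency NRPT flush with a registry
# backup, touching the same key and services as the post's two commands.
# Run from an elevated PowerShell prompt on the affected DirectAccess client.
$nrptKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig'
$nrptKeyPs = $nrptKey -replace '^HKLM\\', 'HKLM:\'      # same key in provider syntax
$backup    = Join-Path $env:TEMP ("DnsPolicyConfig-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))

# Show which namespaces the NRPT currently forces to the DirectAccess DNS servers.
Write-Host "Effective NRPT before flush:"
Get-DnsClientNrptPolicy -Effective |
    Select-Object Namespace, DirectAccessDnsServers | Format-Table -AutoSize

if (Test-Path $nrptKeyPs) {
    # Keep a copy so the rules can be re-imported by hand if Group Policy is slow to refresh.
    reg.exe export $nrptKey $backup /y | Out-Null
    Write-Host "Backed up NRPT rules to $backup"
    reg.exe delete $nrptKey /f | Out-Null
} else {
    Write-Host "No NRPT rules found under $nrptKey; nothing to delete."
}

# Restart in the same order as the post: NCA first, then the DNS client cache.
Stop-Service  -Name NcaSvc   -Force
Stop-Service  -Name Dnscache -Force
Start-Service -Name Dnscache
Start-Service -Name NcaSvc

Write-Host "Effective NRPT after flush (expect no entries):"
Get-DnsClientNrptPolicy -Effective | Format-Table -AutoSize

# The next policy refresh re-creates the rules; run 'gpupdate /force' once the NLS is back.
```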


Categories: Install Tips

24 Comments on “Windows 8/8.1 Disabling NRPT Hotfix”

  1. Clayton
    June 5, 2014 at 14:47 #

    I installed the hotfix, but no button shows up. However, it also reports “No Internet access”, even though I AM connected through our DirectAccess server, and can connect to the internet and to systems on the intranet. (on win8.1 enterprise. On windows 7 enterprise, everything works fine)

    • June 5, 2014 at 14:49 #

      Hi Clayton,

      Are you using forced tunneling for your DirectAccess install?

      • Clayton
        June 5, 2014 at 14:56 #

        Yes. It is a requirement.

      • June 5, 2014 at 14:59 #

        There is no option to disconnect DirectAccess when running a forced tunneling mode so this is expected behavior.

  2. Clayton
    June 5, 2014 at 15:02 #

    Was trying to figure out if NRPT was causing win8.1 to detect there was no internet when there really was.

    My 8.1 systems connect to directaccess and desktop apps work, but any metro apps won’t because it thinks that it can’t connect to internet.

    • June 5, 2014 at 15:04 #

      Are you using an internal proxy server to reach the Internet from inside of your network?

      • Clayton
        June 5, 2014 at 15:10 #

        No. I was under the impression that a proxy was not necessary due to the DA server doing the ipv6-ipv4 translation now in R2. The windows 7 systems work fine, and show that they are connected to the internet.

      • June 5, 2014 at 15:37 #

        Are you able to reach the Internet from the Windows 7 machines connected on DirectAccess?

  3. Clayton
    June 5, 2014 at 15:40 #

    yes. and the wifi shows as connected to the internet

    • June 5, 2014 at 15:57 #

      Are the Windows 8.1 clients able to reach :

      http://www.msftncsi.com/ncsi.txt

      In a web browser?

      • Clayton
        June 5, 2014 at 16:05 #

        yes.

      • June 5, 2014 at 16:18 #

        Can you run the following from an elevated command or PowerShell prompt on your Windows 8.1 DA client?

        reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet

  4. Clayton
    June 5, 2014 at 16:28 #

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet
    ActiveWebProbePath REG_SZ ncsi.txt
    EnableActiveProbing REG_DWORD 0x1
    PassivePollPeriod REG_DWORD 0xf
    ActiveWebProbeContent REG_SZ Microsoft NCSI
    ActiveWebProbeHost REG_SZ http://www.msftncsi.com
    StaleThreshold REG_DWORD 0x1e
    WebTimeout REG_DWORD 0x23
    ActiveWebProbePathV6 REG_SZ ncsi.txt
    ActiveDnsProbeHost REG_SZ dns.msftncsi.com
    ActiveWebProbeContentV6 REG_SZ Microsoft NCSI
    ActiveDnsProbeContentV6 REG_SZ fd3e:4f5a:5b81::1
    ActiveDnsProbeContent REG_SZ 131.107.255.255
    ActiveWebProbeHostV6 REG_SZ ipv6.msftncsi.com
    ActiveDnsProbeHostV6 REG_SZ dns.msftncsi.com

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies

    I suspect that it is trying to do a nslookup for the dns.msftncsi.com and is failing due to using the NRPT instead of DNS

    • June 5, 2014 at 16:35 #

      What happens when you ping dns.msftncsi.com from the Windows 8.1 client while over DirectAccess?

  5. Clayton
    June 5, 2014 at 16:38 #

    ping dns.msftncsi.com

    Pinging dns.msftncsi.com [fd1f:da2a:dee2:7777::836b:ffff] with 32 bytes of data:

    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for fd1f:da2a:dee2:7777::836b:ffff:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    • June 5, 2014 at 16:39 #

      What do you get when you run the following PowerShell command?

      Get-NetConnectionProfile

  6. Clayton
    June 5, 2014 at 16:45 #

    PS C:\Windows\system32> get-netconnectionprofile

    Name : InfrastructureCable
    InterfaceAlias : Wi-Fi
    InterfaceIndex : 4
    NetworkCategory : Public
    IPv4Connectivity : NoTraffic
    IPv6Connectivity : LocalNetwork

    • June 5, 2014 at 16:49 #

      Try changing the ActiveDnsProbeContentV6 registry value to fd1f:da2a:dee2:7777::836b:ffff at :

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet

  7. Clayton
    June 5, 2014 at 16:45 #

    InfrastructureCable is a cablemodem connection to the internet

  8. Clayton
    June 5, 2014 at 16:57 #

    Nope. Still no luck. I have to leave for today, but I really appreciate your help. I can check back with you tomorrow if you are available.

  9. Matt
    June 24, 2014 at 20:02 #

    To get the “internet access” detection working with force tunnel mode turned on I believe you need

    – an entry for ipv6.msftncsi.com that resolves to an IPv6 address to an internal website
    – an entry IPv6 A record for dns.msftncsi.com that resolves to fd3e:4f5a:5b81::1
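Matt's two requirements, and the mismatch seen earlier in the thread (dns.msftncsi.com resolving to fd1f:da2a:dee2:7777::836b:ffff instead of the expected fd3e:4f5a:5b81::1), can be checked directly on the client. This is an added diagnostic, not code from the thread; it assumes the NlaSvc probe values listed above and the DnsClient cmdlets present on Windows 8.1, and it only reads and resolves, changing nothing.

```powershell
# Added example (not from the original thread): check whether the NCSI probe names
# resolve to what NlaSvc expects, and whether an NRPT rule is capturing them.
# Read-only; run on a Windows 8.1 client while it is connected over DirectAccess.
$ncsi = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'
$nrpt = Get-DnsClientNrptPolicy -Effective

function Test-NcsiDnsProbe([string]$Name, [string]$Type, [string]$Expected) {
    # A "." rule (forced tunneling) or a matching suffix sends this query to the DA DNS servers.
    $rules = $nrpt | Where-Object { $_.Namespace -eq '.' -or $Name -like ('*' + $_.Namespace) }
    try {
        $got = @(Resolve-DnsName -Name $Name -Type $Type -ErrorAction Stop |
                 Where-Object { $_.Type -eq $Type } | ForEach-Object { $_.IPAddress })
    } catch { $got = @() }
    $status = if ($got -contains $Expected) { 'OK' } else { 'MISMATCH' }
    Write-Host ("{0,-5} {1,-22} expected {2,-20} got {3,-28} {4}" -f `
        $Type, $Name, $Expected, ($got -join ','), $status)
    if ($rules) { Write-Host ("      captured by NRPT rule(s): {0}" -f ($rules.Namespace -join ', ')) }
}

function Test-NcsiWebProbe([string]$Url, [string]$Expected) {
    # NlaSvc expects the exact body "Microsoft NCSI" from the probe URL.
    try {
        $body   = (Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10).Content.Trim()
        $status = if ($body -eq $Expected) { 'OK' } else { "unexpected body '$body'" }
    } catch { $status = "unreachable: $($_.Exception.Message)" }
    Write-Host ("{0,-45} {1}" -f $Url, $status)
}

Test-NcsiDnsProbe $ncsi.ActiveDnsProbeHost   'A'    $ncsi.ActiveDnsProbeContent
Test-NcsiDnsProbe $ncsi.ActiveDnsProbeHostV6 'AAAA' $ncsi.ActiveDnsProbeContentV6

# In the registry dump above the v4 host carries its scheme and the v6 host does not.
$v4Host = $ncsi.ActiveWebProbeHost   -replace '^(?!https?://)', 'http://'
$v6Host = $ncsi.ActiveWebProbeHostV6 -replace '^(?!https?://)', 'http://'
Test-NcsiWebProbe "$v4Host/$($ncsi.ActiveWebProbePath)"   $ncsi.ActiveWebProbeContent
Test-NcsiWebProbe "$v6Host/$($ncsi.ActiveWebProbePathV6)" $ncsi.ActiveWebProbeContentV6
```

A MISMATCH line with a captured-by-NRPT note is the signature of the problem in this thread: the name is being answered by the DirectAccess DNS64 path rather than by public DNS.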

  10. Gerard
    July 1, 2014 at 16:10 #

    Actually the Disconnect button while in “Connected” state is not what is added by this hotfix; this was already possible if local name resolution is allowed by the policy. What this hotfix adds is the ability to Disconnect while NOT in “Connected” state. For me the most useful benefit is not the scenario of the NLS being down, but of DirectAccess being stuck in “Connecting” state, but at that point the NRPT is already active and you are unable to access corporate resources that would be available through public IP addresses (in a split DNS scenario).

    The KB-article says that “By design, the Disconnect option to disable the NRPT is available only if you have already made a successful connection to the DirectAccess server.”

    Worst design decisions EVER.

    An even better solution would have been to not make the NRPT active until DirectAccess is “Connected”.

  11. Clayton
    September 2, 2014 at 11:56 #

    It appears that enabling the Web proxy AND enabling local name resolution might be the solution. Enabled web proxy by editing the group policy DirectAccess Client Settings > Computer Configuration > Policies > Windows Settings > Name Resolution Policy, select “.” (the first entry in the Name Resolution Policy Table), Edit Rule, select tab DNS Settings for Direct Access, check Use this Web proxy: , and I put in the name of one of our websense hosts. Enabled local name resolution in the remote access setup/console in the Remote Clients > Edit > Network Connectivity Assistant, check Allow DirectAccess clients to use local name resolution.

    • Clayton
      September 2, 2014 at 11:58 #

      (The solution for my windows 8 systems showing as limited, or not connected to the internet while using forced tunneling). I ended up not installing any hotfixes.
