This topic lists some common issues you might encounter when setting up or using DirectAccess.

For the most up-to-date troubleshooting information, see the DirectAccess home page on Microsoft Technet (

What problem are you having?

I get the “The Internet interface must not be classified as a domain network” error message in step 2.

  • Cause: A domain controller for the domain of which the DirectAccess server is a member is reachable on the network to which the selected Internet interface is attached.

  • Solution: This error is most commonly encountered when the DirectAccess server is also configured as a domain controller, and then you try to run the DirectAccess Setup wizard. The DirectAccess server cannot be a domain controller. If the DirectAccess server is not a domain controller, select the correct Internet interface or determine why a domain controller can be located on network to which the selected Internet interface is attached. For more information, see Checklist: Before You Configure DirectAccess and Checklist: Install and Configure Single-Server DirectAccess.

A DirectAccess client does not have access to the internal network.

  • Cause #1: The DirectAccess client is not a member of the configured security groups for DirectAccess clients.

  • Solution #1: Verify that the correct security groups are configured in step 1 of the DirectAccess wizard and that the computer account of the DirectAccess client computer is a member of one of the configured groups. For more information, see Configure DirectAccess Clients.

  • Cause #2: Your Internet or internal network firewalls are blocking traffic to and from the DirectAccess server.

  • Solution #2: See Understanding DirectAccess Components for information about configuring your Internet and internal network firewalls.

A DirectAccess client cannot access a resource on the internal network.

  • Cause #1: The resource on the internal network is not Internet Protocol version 6 (IPv6)-capable.

  • Solution #1: To access a resource on the internal network, the resource must either be IPv6-capable, which requires that the computer and the application making the resource available are both IPv6-capable, or that you use a Network Address Translation-Port Translation (NAT-PT) device between the DirectAccess client and the resource. For more information, see Understanding DirectAccess Components.

  • Cause #2: The Name Resolution Policy Table (NRPT) is configured incorrectly.

  • Solution #2: To determine where to send Domain Name System (DNS) name query requests, the DirectAccess client uses the NRPT. If the name of an internal network resource server is not matched to an entry in the NRPT, the DirectAccess client uses Internet-facing DNS servers and other methods to resolve the name. Verify the NRPT has the correct entries as configured in step 3 of the DirectAccess Setup wizard. For more information, see Identify Infrastructure Servers for DirectAccess.

See Also