DirectAccess Manage Out from Windows 10 Does Not Work

Note: The issue described in this article has been resolved in Windows 10 version 1703 (Creators Update). Making these changes is no longer required after installing the Creators Update release of Windows 10.

For DirectAccess manage out deployments using ISATAP, you may encounter a scenario in which you are unable to initiate outbound connections to connected DirectAccess clients from a Windows 10 computer. Outbound connections using ISATAP from Windows 7, Windows 8, Windows Server 2008/R2, or Windows Server 2012/R2 systems work without issue.

As it turns out, there is a bug in the Windows 10 DNS client code that prevents manage out using ISATAP from a Windows 10 client from working correctly. Thanks to the diligent effort of DirectAccess administrators Mike Piron and Jason Kuhns, a workaround has been identified. To deploy the workaround, it will be necessary to implement registry changes to alter the default behavior of the DNS resolver in Windows 10. You can implement these changes on a Windows 10 DirectAccess manage out machine by using the following PowerShell commands:

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\" -Name DisableParallelAandAAAA -PropertyType dword -Value 1 -Force

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\" -Name DisableServerUnreachability -PropertyType dword -Value 1 -Force

Once these registry changes have been made, you should now be able to use ISATAP for DirectAccess manage out connections from a Windows 10 machine.
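
The following is an added example, not code from the original post: a PowerShell function that audits the two Dnscache values above, applies them only on Windows 10 builds older than version 1703, and flags them as leftovers on later builds where the note at the top says they are no longer required. The function name, the build numbers (10240 for the first Windows 10 release, 15063 for version 1703) and the output format are assumptions of this example; the build check alone does not distinguish client from server editions.

```powershell
# Added example: audit or apply the ISATAP manage out DNS workaround.
# Run from an elevated session when using -Apply.
function Set-ManageOutDnsWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Apply)

    $path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
    $wanted = [ordered]@{
        DisableParallelAandAAAA     = 1
        DisableServerUnreachability = 1
    }

    # Assumption: Windows 10 starts at build 10240; version 1703 is build 15063.
    $cv     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build  = [int]$cv.CurrentBuildNumber
    $needed = ($build -ge 10240) -and ($build -lt 15063)

    foreach ($name in $wanted.Keys) {
        # Returns $null when the value has never been created.
        $current = (Get-ItemProperty -Path $path -Name $name `
                        -ErrorAction SilentlyContinue).$name
        $state = 'OK'

        if ($needed -and $current -ne $wanted[$name]) {
            $state = 'Missing'
            if ($Apply -and $PSCmdlet.ShouldProcess("$path\$name", 'Set DWORD')) {
                New-ItemProperty -Path $path -Name $name -PropertyType DWord `
                    -Value $wanted[$name] -Force | Out-Null
                $state = 'Applied'
            }
        }
        elseif (-not $needed -and $null -ne $current) {
            # Resolver override still present on a build that does not need it.
            $state = 'Leftover'
        }

        [pscustomobject]@{
            Build   = $build
            Name    = $name
            Current = $current
            Wanted  = $wanted[$name]
            State   = $state
        }
    }
}

# Audit only:      Set-ManageOutDnsWorkaround
# Preview changes: Set-ManageOutDnsWorkaround -Apply -WhatIf
# Apply:           Set-ManageOutDnsWorkaround -Apply
```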


10 Comments

  1. Anthony

     /  November 12, 2015

    Thank you! This was driving me nuts for like three days!

    • Don’t thank me, thank Mike and Jason! They are the ones who brought it to my attention. I hadn’t yet tested that scenario and wasn’t aware of the issue before they approached me. Thankfully there’s an easy and effective workaround!

  2. Riccardo

     /  November 10, 2016

    +1
    Thank you very much, Mike and Jason … and Richard too for posting 🙂

    Riccardo (from Italy)

  3. Hello Richard,

    Thanks to Mike, Jason and you for sharing this information. Last month we had this problem in 4 different customer DA installations. We opened a ticket @M$ and got the information that a single reg hack will also work:

    HKLM\System\CCS\Services\DNSCACHE\Parameters
    REG_DWORD "AddrConfigControl"
    Value: 0

    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\" -Name AddrConfigControl -PropertyType dword -Value 0 -Force

    The supporter classified this case as a bug; let's see if anything changes in future versions of Win10/patch level. Meanwhile the registry hack is a workaround.

    I wrote a little blog entry (in German) with a pingback to this article:
    http://blog.forefront-tmg.de/?p=1454

    Greets from Germany,
    Karsten…

    • Thanks for the tip, Karsten! I’ll be sure to test that out soon. I’ll also update the blog post to reflect this new information. Thanks again!

  4. Glad to see this information is still helping people out periodically! Thanks again Rich for all of your assistance with diagnosing the issue and testing through workarounds.
