Remote Desktop Server farm is unavailable over DirectAccess (single/multisite)

Symptoms

Consider the following scenario:
  • You have a DirectAccess environment (two network adapters on Edge, two network adapters behind Edge, or a single network adapter behind Edge), including Force Tunnel.
  • You have users who connect to a Remote Desktop Services deployment from an external network through the DirectAccess tunnel.
  • Session redirection is enabled on the RDS farm through the Connection Broker role.
In this scenario, all redirected RDS connections fail.

Cause

The issue occurs because the Remote Desktop Services roles and services are not IPv6-aware. When the client tries to connect to the RDS deployment, the Connection Broker returns a redirection packet that contains the IP address of the RDSH endpoint to which the client will be redirected. If the RDSH servers have only an IPv4 address assigned, the Connection Broker returns only this IPv4 address. Clients therefore try to connect to the IPv4 address over the DA tunnel, and the connection fails.

Resolution

Prerequisite

Windows 7 and Windows 8.1 clients must have the following update installed to connect to RDP over a DA connection. This update fixes an issue in which the client does not try to connect to the IPv6 address if a connection to the IPv4 address fails:

Windows 8.1 or Windows 7 cannot connect over DirectAccess to a Remote Desktop Session Host server farm.

To resolve the issue, IPv6 IP addresses must be enabled and applied, and the internal network must be capable of IPv6 routing. To enable this functionality, use one of the following methods:

  • Enable and use an ISATAP adapter on the Remote Desktop Session Host servers. Be aware that this method is supported only with a single-site DA deployment. The use of an ISATAP adapter in environments that contain a multi-site DA deployment is neither recommended nor supported.
  • Apply the method that's described in the "Workaround" section.

Workaround

To work around this issue, follow these steps:
  1. At an administrative PowerShell prompt on the DA server, run the following command: 

    Get-NetNatTransitionConfiguration

    Note: Make a note of the prefix (which generally has :7777:: embedded in it).
  2. Inject the prefix into the following script. (For multiple DA deployments, add each prefix, separated by a comma ( , ). The quotation marks ("") are required.)

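    # NAT64 prefix(es) noted in step 1. For multiple DA deployments, list each
    # prefix in quotation marks, separated by commas.
    $prefix = ""

    # Statically assigned IPv4 addresses on this server
    $add = Get-NetIPAddress -AddressFamily IPv4 -Type Unicast -PrefixOrigin Manual
    foreach ($a in $add)
    {
        # Convert the dotted-quad address to hex, for example 10.0.0.5 -> 0A00:0005
        $n = ($a.IPAddress).Split(".")
        $c = ""
        foreach ($num in $n)
        {
            # Insert the colon between the second and third octets
            if ($c.Length -eq 4)
            {
                $c = $c + ":"
            }
            $c = $c + ("{0:X2}" -f [int]$num)
        }
        # Assign one NAT64 IPv6 address per prefix to the same adapter
        foreach ($p in @($prefix))
        {
            $ip = $p + $c
            New-NetIPAddress -IPAddress $ip -InterfaceAlias $a.InterfaceAlias -AddressFamily IPv6 -PrefixLength 64 -Type Unicast
        }
    }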
  3. Run this script on all the RDS servers. It will pick up the static IP from the network adapter, generate a NAT64'd IPv6 address, and assign it to the network adapter.
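
A read-only check to run on each RDS server after step 3, added here as an example and not part of the original article: it recomputes the NAT64 address for every static IPv4 address and reports whether the adapter actually holds it. The function names ConvertTo-Nat64Address and Test-Nat64Address and the prefix value shown are assumptions.

```powershell
# Added verification example; not part of the original article.
# Assumption: $prefix holds the same value(s) used in the step 2 script.
# "fd00:0:0:7777::" is a constructed placeholder; replace it with your own prefix.
$prefix = "fd00:0:0:7777::"

# Hypothetical helper: same mapping as the step 2 script, where the four
# IPv4 octets become the last 32 bits under the NAT64 prefix.
function ConvertTo-Nat64Address {
    param([string]$Prefix, [string]$IPv4)
    $b = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()
    $hex = "{0:X2}{1:X2}:{2:X2}{3:X2}" -f $b[0], $b[1], $b[2], $b[3]
    [System.Net.IPAddress]::Parse($Prefix + $hex)
}

# Hypothetical helper: one result object per (static IPv4 address, prefix) pair.
function Test-Nat64Address {
    $v6 = Get-NetIPAddress -AddressFamily IPv6 -Type Unicast
    foreach ($a in Get-NetIPAddress -AddressFamily IPv4 -Type Unicast -PrefixOrigin Manual) {
        foreach ($p in @($prefix)) {
            $expected = ConvertTo-Nat64Address -Prefix $p -IPv4 $a.IPAddress
            $want = [BitConverter]::ToString($expected.GetAddressBytes())
            # Compare raw bytes, not strings: the adapter may report a different
            # textual form of the same address (for example ::a00:5 for ::0A00:0005).
            $found = $v6 | Where-Object {
                $bytes = [System.Net.IPAddress]::Parse(($_.IPAddress -split '%')[0]).GetAddressBytes()
                $_.InterfaceAlias -eq $a.InterfaceAlias -and
                    [BitConverter]::ToString($bytes) -eq $want
            } | Select-Object -First 1
            [pscustomobject]@{
                InterfaceAlias = $a.InterfaceAlias
                IPv4           = $a.IPAddress
                ExpectedIPv6   = $expected.ToString()
                Assigned       = [bool]$found
                # Preferred is the state of a usable address; Tentative or
                # Duplicate means the address is not in use yet.
                AddressState   = $found.AddressState
            }
        }
    }
}

Test-Nat64Address | Format-Table -AutoSize
```

A row with Assigned set to False means the step 2 script has not been run on that adapter, or was run with a different prefix.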
Properties

Article ID: 3123137 - Last Review: 02/12/2016 17:29:00 - Revision: 4.0

Windows Server 2008 R2 Standard
