Disable DirectAccess

Disable DirectAccess

Q: How can I stop DirectAccess from running temporarily and even clean up DirectAccess from my machine?

A: There are numerous ways to disable DirectAccess. The easiest is to disable the IP Helper service, for example

net stop "ip helper"

You can reenable by starting IP Helper service with net start "ip helper"; however, remember if you stop IP Helper, there are still certain aspects of DirectAccess that will continue.

I recently had a problem where I couldn't contact corporate resources. An nslookup of the name would work, so I could ping by IP address, but if I tried to ping by name it would not work. 

This seems impossible until you realize that a normal nslookup bypasses DirectAccess and IP commands will use local routing, but if you try and ping via name, it will use the DNS name policy table that will stipulate the use of DirectAccess resources. You can view the state of your name resolution policy table using this command:

netsh namespace show policy

This will show which servers are being used as part of name resolution and connectivity.

In my case, I had a machine that was actually no longer part of the domain but the Group Policy settings had not been removed correctly, which included the DirectAccess configuration. Additionally the DirectAccess server was no longer available, which was actually causing the name resolution and connectivity problems.

To remove the entries from the name resolution policy table, I had to kill the Group Policy settings. This could not be done in any clean way, so instead I wiped the domain policies from the registry by navigating to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft and just deleting the entire key. The machine was no longer domain joined, so it shouldn't actually have had any policies.

I then rebooted the machine. Upon reboot, the name resolution policy table was empty, and my connectivity problems were solved.

Note that if a machine was still domain joined, then deleting the registry key wouldn't work since as soon as the machine restarted, the policies would be reapplied.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish