The Netsh.exe Command Line Tool

Updated: May 24, 2010

Applies To: Windows Server 2008 R2

You can use the following Network Shell (Netsh) commands to gather information when troubleshooting DirectAccess:

  • netsh dnsclient show state

  • netsh namespace show effectivepolicy and netsh namespace show policy

  • netsh interface 6to4 show relay

  • netsh interface teredo show state

  • netsh interface httpstunnel show interfaces

  • netsh interface isatap show state and netsh interface isatap show router

  • netsh advfirewall monitor show mmsa

  • netsh advfirewall monitor show qmsa

  • netsh advfirewall monitor show consec rule name=all

  • netsh advfirewall monitor show currentprofile

  • netsh interface ipv6 show interfaces

  • netsh interface ipv6 show interfaces level=verbose

  • netsh interface ipv6 show route

Note

The example displays of Netsh.exe commands in this topic were obtained from the DirectAccess test lab (https://go.microsoft.com/fwlink/?Linkid=150613).

netsh dnsclient show state

This command shows the settings for the Name Resolution Policy Table (NRPT) on a DirectAccess client, including where the client is located (either on the intranet or on the Internet), whether the client has been configured with DirectAccess NRPT rules, and whether the rules are enabled.

The following is an example of output from the netsh dnsclient show state command.

Name Resolution Policy Table Options
--------------------------------------------------------------------
Query Failure Behavior                : Only use LLMNR and NetBIOS if the  name does not exist in DNS
Query Resolution Behavior             : Resolve only IPv6 addresses for names
Network Location Behavior             : Let Network ID determine when DirectAccess settings are to be used
Machine Location                      : Inside corporate network
DirectAccess Settings                 : Configured and Disabled
DNSSEC Settings                       : Not Configured

In this example, the DirectAccess client is located on the intranet (Machine Location: Inside corporate network) and has been configured with DirectAccess NRPT rules, but they are disabled (DirectAccess Settings: Configured and Disabled).

You use the netsh dnsclient show state command to determine the results of network location detection (the Machine Location field) and the state of DirectAccess NRPT rules (the DirectAccess Settings field).

netsh namespace show effectivepolicy and netsh namespace show policy

These commands show the rules in the NRPT on a DirectAccess client. The netsh namespace show policy command shows the NRPT rules as configured with Group Policy, and the netsh namespace show effectivepolicy command shows the active rules.

The following is an example of output from the netsh namespace show effectivepolicy command.

DNS Effective Name Resolution Policy Table Settings


Settings for nls.corp.contoso.com
----------------------------------------------------------------------
Certification authority                 : DC=com, DC=contoso, DC=corp, CN=corp-D
C1-CA
DNSSEC (Validation)                     : disabled
IPsec settings                          : disabled
DirectAccess (DNS Servers)              :
DirectAccess (Proxy Settings)           : Bypass proxy



Settings for .corp.contoso.com
----------------------------------------------------------------------
Certification authority                 : DC=com, DC=contoso, DC=corp, CN=corp-D
C1-CA
DNSSEC (Validation)                     : disabled
IPsec settings                          : disabled
DirectAccess (DNS Servers)              : 2002:836b:2:1:0:5efe:10.0.0.1
DirectAccess (Proxy Settings)           : Bypass proxy

In this example, the DirectAccess client is located on the Internet and has a namespace rule for its intranet namespace (the example rule for .corp.contoso.com) and an exemption rule for the FQDN of its network location server (the example rule for nls.corp.contoso.com).

You use the netsh namespace show effectivepolicy command to determine the results of network location detection and the Internet Protocol version 6 (IPv6) addresses of intranet Domain Name System (DNS) servers for additional troubleshooting.

If there are active rules in the NRPT, the DirectAccess client has determined that it is not on the intranet. If there are no active rules in the NRPT, the DirectAccess client has determined that it is on the intranet or it has not been correctly configured with NRPT rules.

If there are no rules in the NRPT as configured through Group Policy (from the display of the netsh namespace show policy command), the DirectAccess client has not been properly configured. Verify that the computer account of the DirectAccess client is a member of the appropriate security group to which DirectAccess client Group Policy settings are applied.

Note

The DirectAccess server is not a DirectAccess client and is not configured with NRPT rules. The netsh namespace show effectivepolicy command on a DirectAccess server should always display no rules.
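The decision rules in this section, as an added example that is not part of the original topic: the Python code below parses saved output of netsh namespace show policy and netsh namespace show effectivepolicy and applies them. The function names, the result labels, and the treatment of a rule that lists no DNS servers as an exemption rule (as in the nls.corp.contoso.com sample) are assumptions of this example.

```python
import re

RULE_HEADER = re.compile(r"^Settings for (\S+)\s*$")
FIELD = re.compile(r"^(.+?)\s+:\s?(.*)$")

# Output of `netsh namespace show effectivepolicy` as shown in this topic,
# including the console's 80-column wrap of the CA name.
EFFECTIVE_SAMPLE = """\
DNS Effective Name Resolution Policy Table Settings


Settings for nls.corp.contoso.com
----------------------------------------------------------------------
Certification authority                 : DC=com, DC=contoso, DC=corp, CN=corp-D
C1-CA
DNSSEC (Validation)                     : disabled
IPsec settings                          : disabled
DirectAccess (DNS Servers)              :
DirectAccess (Proxy Settings)           : Bypass proxy



Settings for .corp.contoso.com
----------------------------------------------------------------------
Certification authority                 : DC=com, DC=contoso, DC=corp, CN=corp-D
C1-CA
DNSSEC (Validation)                     : disabled
IPsec settings                          : disabled
DirectAccess (DNS Servers)              : 2002:836b:2:1:0:5efe:10.0.0.1
DirectAccess (Proxy Settings)           : Bypass proxy
"""


def parse_nrpt(text):
    """Return {namespace: {field: value}} from netsh namespace output."""
    rules, current, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        header = RULE_HEADER.match(line)
        if header:
            current = rules.setdefault(header.group(1), {})
            last_key = None
            continue
        if not line:
            last_key = None          # a blank line ends any wrapped value
            continue
        if current is None or set(line) == {"-"}:
            continue                 # table title or separator line
        field = FIELD.match(line)
        if field:
            last_key = field.group(1).strip()
            current[last_key] = field.group(2).strip()
        elif last_key:
            # The console wrapped a long value: rejoin it.
            current[last_key] += line.strip()
    return rules


def diagnose(policy_text, effective_text):
    """Apply the rules from this section to the two command outputs."""
    configured = parse_nrpt(policy_text)
    active = parse_nrpt(effective_text)
    result = {"location": None, "dns_servers": {}, "exemptions": []}
    if not configured:
        # No Group Policy rules: check the client's security group membership.
        result["location"] = "not-configured"
    elif not active:
        # Rules exist but none are active: client decided it is on the intranet.
        result["location"] = "intranet"
    else:
        result["location"] = "internet"
        for namespace, fields in active.items():
            servers = fields.get("DirectAccess (DNS Servers)", "")
            if servers:
                result["dns_servers"][namespace] = servers
            else:
                # Assumption: no DNS servers listed means an exemption rule.
                result["exemptions"].append(namespace)
    return result


if __name__ == "__main__":
    # The policy text is assumed to match the effective text for this run.
    print(diagnose(EFFECTIVE_SAMPLE, EFFECTIVE_SAMPLE))
```
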

netsh interface 6to4 show relay

This command shows the Internet Protocol version 4 (IPv4) address or fully qualified domain name (FQDN) of the 6to4 relay on a DirectAccess client. This is set by default through Group Policy to the first consecutive public IPv4 address that is assigned to the Internet interface of the DirectAccess server. The following is an example of output from the netsh interface 6to4 show relay command.

Relay Name             : 131.107.0.2 (Group Policy)
Use Relay              : default
Resolution Interval    : default

In this example, the DirectAccess client has been configured with the 6to4 relay IPv4 address of 131.107.0.2 through Group Policy.

You use the netsh interface 6to4 show relay command to determine where the DirectAccess client is sending its default route IPv6 traffic when it has been configured with a public IPv4 address and is using 6to4 to tunnel IPv6 traffic across the Internet.

netsh interface teredo show state

This command shows the state and configuration of the Teredo component on a DirectAccess server or client. On a DirectAccess client, the Teredo client configuration is set by default through Group Policy and the Server Name is set to the first consecutive public IPv4 address assigned to the Internet interface of the DirectAccess server.

The following is an example of output from the netsh interface teredo show state command on a DirectAccess client.

Teredo Parameters
---------------------------------------------
Type                    : client
Server Name             : 131.107.0.2 (Group Policy)
Client Refresh Interval : 30 seconds
Client Port             : unspecified
State                   : offline
Error                   : client is in a managed network

In this example, the DirectAccess client has been configured with the Teredo server IPv4 address of 131.107.0.2 through Group Policy and is in an offline state.

The following is an example of output from the netsh interface teredo show state command on a DirectAccess server.

Teredo Parameters
---------------------------------------------
Type                    : server
Virtual Server Ip       : 0.0.0.0
Client Refresh Interval : 30 seconds
State                   : online

Server Packets Received : 0
Success                 : 0 (Bubble 0, Echo 0, RS1 0 RS2 0)
Failure                 : 0 (Hdr 0, Src 0, Dest 0, Auth 0)

Relay Packets Received  : 0
Success                 : 0 (Bubble 0, Data 0)
Failure                 : 0 (Hdr 0, Src 0, Dest 0)

Relay Packets Sent      : 2
Success                 : 0 (Bubble 0, Data 0)
Failure                 : 2 (Hdr 0, Src 2, Dest 0)

Packets Received in the last 30 seconds:
Bubble 0, Echo 0, RS1 0, RS2 0
6to4 source address 0, native IPv6 source address 0
6to4 destination address 0, native IPv6 destination address 0


Estimated Bandwidth consumed in the last 30 seconds (in BPS):
Bubble 0, Echo 0, Primary 0, Secondary 0
6to4 source address 0, native IPv6 source address 0
6to4 destination address 0, native IPv6 destination address 0

In this example, the DirectAccess server is acting as a Teredo server and a Teredo relay and is in an online state.

You use the netsh interface teredo show state command on a DirectAccess client to determine the Teredo server of a DirectAccess client and its current state. You use the netsh interface teredo show state command on a DirectAccess server to determine whether it is acting as a Teredo server and relay and its current state.

netsh interface httpstunnel show interfaces

This command shows the state and configuration of the Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS) component on a DirectAccess server or client. On a DirectAccess client, the IP-HTTPS client configuration is set by default through Group Policy. The uniform resource locator (URL) of the IP-HTTPS server is based on the Subject field in the certificate chosen for IP-HTTPS connections in Step 2 of the DirectAccess Setup Wizard.

The following is an example of output from the netsh interface httpstunnel show interfaces command on a DirectAccess client.

Interface IPHTTPSInterface (Group Policy)  Parameters
------------------------------------------------------------
Role                       : client
URL                        : https://da1.contoso.com:443/IPHTTPS
Last Error Code            : 0x0
Interface Status           : IPHTTPS interface deactivated

In this example, the DirectAccess client has been configured as an IP-HTTPS client with the URL https://da1.contoso.com:443/IPHTTPS.

The following is an example of output from the netsh interface httpstunnel show interfaces command on a DirectAccess server.

Interface IPHTTPSInterface Parameters
------------------------------------------------------------
Role                       : server
URL                        : https://da1.contoso.com:443/IPHTTPS
Client authentication mode : certificates
Last Error Code            : 0x0
Interface Status           : IPHTTPS interface active

In this example, the DirectAccess server has been configured as an IP-HTTPS server with the URL https://da1.contoso.com:443/IPHTTPS and uses certificates for authentication.

You use the netsh interface httpstunnel show interfaces command on a DirectAccess client to determine the URL of the IP-HTTPS server and the current state of the IP-HTTPS client component. You use the netsh interface httpstunnel show interfaces command on a DirectAccess server to determine the URL of the IP-HTTPS server, to verify that it is acting as an IP-HTTPS server, and to determine the authentication method. The URL on both the DirectAccess client and server should be the same.

netsh interface isatap show state and netsh interface isatap show router

These commands show the state and configuration of the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) component on the ISATAP router (the DirectAccess server) or an ISATAP host. Unlike 6to4, Teredo, and IP-HTTPS transition technologies, the DirectAccess Setup Wizard does not configure a name or IPv4 address for an ISATAP router in Group Policy. Instead, it attempts to register the name ISATAP and an assigned intranet IPv4 address with its DNS server. ISATAP hosts on the intranet use the name ISATAP to resolve the IPv4 address of the ISATAP router (the DirectAccess server).

The following is an example of output from the netsh interface isatap show state command on a DirectAccess server.

ISATAP State           : enabled

In this example, the DirectAccess server has the ISATAP component enabled.

The following is an example of output from the netsh interface isatap show router command on the DirectAccess server.

Router Name            : isatap.corp.contoso.com
Use Relay              : default
Resolution Interval    : default

In this example, the DirectAccess server has constructed the ISATAP router name from the name ISATAP and the DNS suffix assigned to the computer (corp.contoso.com).

You use the netsh interface isatap show state and netsh interface isatap show router commands on the DirectAccess server to ensure that it is configured to act as an ISATAP router. You use the netsh interface isatap show state and netsh interface isatap show router commands on an intranet node to ensure that it has a default configuration.

To determine if an ISATAP host has successfully configured an ISATAP-based address, use the ipconfig command and look for an interface named Tunnel adapter isatap.ComputerDNSSuffix. Ensure that it has been assigned an ISATAP-based IPv6 address that begins with 2 or 3 and a default gateway.

netsh advfirewall monitor show mmsa

This command shows the currently active main mode security associations (SAs) for Internet Protocol security (IPsec)-protected traffic on a DirectAccess client, a DirectAccess server, or an intranet resource.

The following is an example of output from the netsh advfirewall monitor show mmsa command on a DirectAccess client.

Main Mode SA at 09/11/2009 10:43:59
----------------------------------------------------------------------
Local IP Address:                     2002:836b:65::836b:65
Remote IP Address:                    2002:836b:2::836b:2
Auth1:                                ComputerCert
Auth2:                                UserNTLM
MM Offer:                             None-AES128-SHA256
Cookie Pair:                          a075a1437682ad8e:0afed90d0f2a8cac
Health Cert:                          No

Main Mode SA at 09/11/2009 10:43:59
----------------------------------------------------------------------
Local IP Address:                     2002:836b:65::836b:65
Remote IP Address:                    2002:836b:2::836b:2
Auth1:                                ComputerCert
Auth2:                                UserNTLM
MM Offer:                             None-AES128-SHA256
Cookie Pair:                          9e355ec21d66e39b:d748c6e2ddd09424
Health Cert:                          No

Main Mode SA at 09/11/2009 10:43:59
----------------------------------------------------------------------
Local IP Address:                     2002:836b:65::836b:65
Remote IP Address:                    2002:836b:2:1:0:5efe:10.0.0.3
Auth2 Local ID:                       CORP\User1
Auth2 Remote ID:                      host/APP1.corp.contoso.com
Auth1:                                ComputerCert
Auth2:                                UserKerb
MM Offer:                             None-AES128-SHA256
Cookie Pair:                          912ff504e979e831:4eb6fb986fa84eb9
Health Cert:                          No

Main Mode SA at 09/11/2009 10:43:59
----------------------------------------------------------------------
Local IP Address:                     2002:836b:65::836b:65
Remote IP Address:                    2002:836b:3::836b:3
Auth2 Local ID:                       host/CLIENT2.corp.contoso.com
Auth2 Remote ID:                      CORP\DA1$
Auth1:                                ComputerCert
Auth2:                                UserKerb
MM Offer:                             None-AES128-SHA256
Cookie Pair:                          96d2b451be5756e9:0d2515c811c26034
Health Cert:                          No

Main Mode SA at 09/11/2009 10:43:59
----------------------------------------------------------------------
Local IP Address:                     2002:836b:65::836b:65
Remote IP Address:                    2002:836b:3::836b:3
Auth2 Local ID:                       NT AUTHORITY\SYSTEM
Auth2 Remote ID:                      host/da1.corp.contoso.com
Auth1:                                ComputerCert
Auth2:                                UserKerb
MM Offer:                             None-AES128-SHA256
Cookie Pair:                          2ba50b46a6820026:24b64b78e8f7ac0d
Health Cert:                          No

Main Mode SA at 09/11/2009 10:43:59
----------------------------------------------------------------------
Local IP Address:                     2002:836b:65::836b:65
Remote IP Address:                    2002:836b:3::836b:3
Auth2 Local ID:                       CORP\User1
Auth2 Remote ID:                      host/da1.corp.contoso.com
Auth1:                                ComputerCert
Auth2:                                UserKerb
MM Offer:                             None-AES128-SHA256
Cookie Pair:                          4775f7dd32e268b2:b0ad96d598518fa7
Health Cert:                          No
Ok.

The following is an example of output from the netsh advfirewall monitor show mmsa command on the DirectAccess server to which the DirectAccess client is connected.

Main Mode SA at 09/11/2009 10:44:03
----------------------------------------------------------------------
Local IP Address:                     2002:836b:2::836b:2
Remote IP Address:                    2002:836b:65::836b:65
Auth1:                                ComputerCert
Auth2:                                UserNTLM
MM Offer:                             None-AES128-SHA256
Cookie Pair:                          a075a1437682ad8e:0afed90d0f2a8cac
Health Cert:                          No

Main Mode SA at 09/11/2009 10:44:03
----------------------------------------------------------------------
Local IP Address:                     2002:836b:2::836b:2
Remote IP Address:                    2002:836b:65::836b:65
Auth1:                                ComputerCert
Auth2:                                UserNTLM
MM Offer:                             None-AES128-SHA256
Cookie Pair:                          9e355ec21d66e39b:d748c6e2ddd09424
Health Cert:                          No

Main Mode SA at 09/11/2009 10:44:03
----------------------------------------------------------------------
Local IP Address:                     2002:836b:3::836b:3
Remote IP Address:                    2002:836b:65::836b:65
Auth2 Local ID:                       NT AUTHORITY\SYSTEM
Auth2 Remote ID:                      host/CLIENT2.corp.contoso.com
Auth1:                                ComputerCert
Auth2:                                UserKerb
MM Offer:                             None-AES128-SHA256
Cookie Pair:                          96d2b451be5756e9:0d2515c811c26034
Health Cert:                          No

Main Mode SA at 09/11/2009 10:44:03
----------------------------------------------------------------------
Local IP Address:                     2002:836b:3::836b:3
Remote IP Address:                    2002:836b:65::836b:65
Auth2 Local ID:                       host/da1.corp.contoso.com
Auth2 Remote ID:                      CORP\CLIENT2$
Auth1:                                ComputerCert
Auth2:                                UserKerb
MM Offer:                             None-AES128-SHA256
Cookie Pair:                          2ba50b46a6820026:24b64b78e8f7ac0d
Health Cert:                          No

Main Mode SA at 09/11/2009 10:44:03
----------------------------------------------------------------------
Local IP Address:                     2002:836b:3::836b:3
Remote IP Address:                    2002:836b:65::836b:65
Auth2 Local ID:                       host/da1.corp.contoso.com
Auth2 Remote ID:                      CORP\User1
Auth1:                                ComputerCert
Auth2:                                UserKerb
MM Offer:                             None-AES128-SHA256
Cookie Pair:                          4775f7dd32e268b2:b0ad96d598518fa7
Health Cert:                          No
Ok.

You can correlate the main mode SAs on the DirectAccess client and server through the Cookie Pair.

You use the netsh advfirewall monitor show mmsa command to verify that the DirectAccess client and server can successfully negotiate main mode IPsec SAs. If there are no main mode IPsec SAs on the DirectAccess client after attempting to access an intranet resource, investigate the inability to perform IPsec peer authentication with installed certificates.

netsh advfirewall monitor show qmsa

This command shows the currently active quick mode SAs on a DirectAccess client, a DirectAccess server, or an intranet resource.

The following is an example of output from the netsh advfirewall monitor show qmsa command on a DirectAccess client.

Quick Mode SA at 09/11/2009 10:56:38
----------------------------------------------------------------------
Local IP Address:                     2002:836b:65::836b:65
Remote IP Address:                    2002:836b:2::836b:2
Local Port:                           Any
Remote Port:                          Any
Protocol:                             Any
Direction:                            Both
QM Offer:                             ESP:SHA1-AES192+60min+100000kb
PFS:                                  None

Quick Mode SA at 09/11/2009 10:56:38
----------------------------------------------------------------------
Local IP Address:                     2002:836b:65::836b:65
Remote IP Address:                    2002:836b:3::836b:3
Local Port:                           Any
Remote Port:                          Any
Protocol:                             Any
Direction:                            Both
QM Offer:                             ESP:SHA1-AES192+60min+100000kb
PFS:                                  None

Quick Mode SA at 09/11/2009 10:56:38
----------------------------------------------------------------------
Local IP Address:                     2002:836b:65::836b:65
Remote IP Address:                    2002:836b:2:1:0:5efe:10.0.0.3
Local Port:                           Any
Remote Port:                          Any
Protocol:                             Any
Direction:                            Both
QM Offer:                             ESP:SHA256-None+60min+100000kb
PFS:                                  None

Quick Mode SA at 09/11/2009 10:56:38
----------------------------------------------------------------------
Local IP Address:                     2002:836b:65::836b:65
Remote IP Address:                    2002:836b:3::836b:3
Local Port:                           Any
Remote Port:                          Any
Protocol:                             Any
Direction:                            Both
QM Offer:                             ESP:SHA1-AES192+60min+100000kb
PFS:                                  None
Ok.

The following is an example of output from the netsh advfirewall monitor show qmsa command on the DirectAccess server to which the DirectAccess client is connected.

Quick Mode SA at 09/11/2009 10:56:47
----------------------------------------------------------------------
Local IP Address:                     2002:836b:2::836b:2
Remote IP Address:                    2002:836b:65::836b:65
Local Port:                           Any
Remote Port:                          Any
Protocol:                             Any
Direction:                            Both
QM Offer:                             ESP:SHA1-AES192+60min+100000kb
PFS:                                  None

Quick Mode SA at 09/11/2009 10:56:47
----------------------------------------------------------------------
Local IP Address:                     2002:836b:3::836b:3
Remote IP Address:                    2002:836b:65::836b:65
Local Port:                           Any
Remote Port:                          Any
Protocol:                             Any
Direction:                            Both
QM Offer:                             ESP:SHA1-AES192+60min+100000kb
PFS:                                  None

Quick Mode SA at 09/11/2009 10:56:47
----------------------------------------------------------------------
Local IP Address:                     2002:836b:3::836b:3
Remote IP Address:                    2002:836b:65::836b:65
Local Port:                           Any
Remote Port:                          Any
Protocol:                             Any
Direction:                            Both
QM Offer:                             ESP:SHA1-AES192+60min+100000kb
PFS:                                  None
Ok.

You can correlate the quick mode SAs on the DirectAccess client and server through the local and remote Internet Protocol (IP) address pairs and Quick Mode (QM) offers.

You use the netsh advfirewall monitor show qmsa command to verify that the DirectAccess client and server can successfully negotiate quick mode IPsec SAs. If there are no quick mode IPsec SAs on the DirectAccess client after attempting to access an intranet resource, investigate the correlation of quick mode settings between the DirectAccess client, the DirectAccess server, and the intranet node.
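The two correlations described above (main mode SAs by Cookie Pair, quick mode SAs by address pair and QM offer), as an added example that is not part of the original topic: the Python code below pairs SAs from saved client and server output and reports the ones with no counterpart. The sample records are abridged from the output shown in this topic; the function names are assumptions of this example.

```python
import re
from collections import defaultdict

SA_HEADER = re.compile(r"^(Main|Quick) Mode SA at (.+)$")
SA_FIELD = re.compile(r"^([^:]+):\s+(.*)$")
RULE = "-" * 70

# Abridged from the sample output in this topic (unused fields omitted).
CLIENT_MMSA = f"""\
Main Mode SA at 09/11/2009 10:43:59
{RULE}
Local IP Address:                     2002:836b:65::836b:65
Remote IP Address:                    2002:836b:2::836b:2
Cookie Pair:                          a075a1437682ad8e:0afed90d0f2a8cac

Main Mode SA at 09/11/2009 10:43:59
{RULE}
Local IP Address:                     2002:836b:65::836b:65
Remote IP Address:                    2002:836b:2:1:0:5efe:10.0.0.3
Cookie Pair:                          912ff504e979e831:4eb6fb986fa84eb9
Ok.
"""
SERVER_MMSA = f"""\
Main Mode SA at 09/11/2009 10:44:03
{RULE}
Local IP Address:                     2002:836b:2::836b:2
Remote IP Address:                    2002:836b:65::836b:65
Cookie Pair:                          a075a1437682ad8e:0afed90d0f2a8cac
Ok.
"""
CLIENT_QMSA = f"""\
Quick Mode SA at 09/11/2009 10:56:38
{RULE}
Local IP Address:                     2002:836b:65::836b:65
Remote IP Address:                    2002:836b:2::836b:2
QM Offer:                             ESP:SHA1-AES192+60min+100000kb

Quick Mode SA at 09/11/2009 10:56:38
{RULE}
Local IP Address:                     2002:836b:65::836b:65
Remote IP Address:                    2002:836b:2:1:0:5efe:10.0.0.3
QM Offer:                             ESP:SHA256-None+60min+100000kb
Ok.
"""
SERVER_QMSA = f"""\
Quick Mode SA at 09/11/2009 10:56:47
{RULE}
Local IP Address:                     2002:836b:2::836b:2
Remote IP Address:                    2002:836b:65::836b:65
QM Offer:                             ESP:SHA1-AES192+60min+100000kb
Ok.
"""


def parse_sas(text):
    """Parse `netsh advfirewall monitor show mmsa|qmsa` output into dicts."""
    sas, current = [], None
    for line in text.splitlines():
        line = line.strip()
        header = SA_HEADER.match(line)
        if header:
            current = {"Mode": header.group(1), "Time": header.group(2)}
            sas.append(current)
        elif current is not None:
            field = SA_FIELD.match(line)   # separator and "Ok." do not match
            if field:
                current[field.group(1).strip()] = field.group(2)
    return sas


def mm_key(sa, mirrored=False):
    # The Cookie Pair is identical on both peers of a main mode SA.
    return sa.get("Cookie Pair")


def qm_key(sa, mirrored=False):
    # Quick mode: match on the address pair (swapped on the other peer)
    # plus the negotiated QM offer.
    ends = (sa.get("Local IP Address"), sa.get("Remote IP Address"))
    return (ends[::-1] if mirrored else ends) + (sa.get("QM Offer"),)


def correlate(client_text, server_text, key):
    """Return (matched pairs, client-only SAs, server-only SAs)."""
    pending = defaultdict(list)            # a list per key keeps duplicates
    for sa in parse_sas(server_text):
        pending[key(sa, mirrored=True)].append(sa)
    matched, client_only = [], []
    for sa in parse_sas(client_text):
        k = key(sa)
        peers = pending.get(k) if k is not None else None
        if peers:
            matched.append((sa, peers.pop(0)))
        else:
            client_only.append(sa)
    server_only = [sa for peers in pending.values() for sa in peers]
    return matched, client_only, server_only


if __name__ == "__main__":
    for c, s, k in ((CLIENT_MMSA, SERVER_MMSA, mm_key),
                    (CLIENT_QMSA, SERVER_QMSA, qm_key)):
        print(correlate(c, s, k))
```

In both sample runs the client-only SA is the one whose remote address is the intranet application server (2002:836b:2:1:0:5efe:10.0.0.3), so its peer is that server rather than the DirectAccess server.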

netsh advfirewall monitor show consec rule name=all

This command shows the active connection security rules on a DirectAccess client, DirectAccess server, or intranet node.

The following is an example of the output from the netsh advfirewall monitor show consec rule name=all command on a DirectAccess client.

Connection Security Rules:

Rule Name:                            DirectAccess Policy-clientToNlaExempt
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Private,Public
Type:                                 Dynamic
Mode:                                 Tunnel
LocalTunnelEndpoint:                  Any
RemoteTunnelEndpoint:                 Any
Endpoint1:                            2002:836b:2:1::/64
Endpoint2:                            2002:836b:2:1:0:5efe:10.0.0.3-2002:836b:2:
1:0:5efe:10.0.0.3
Port1:                                Any
Port2:                                443
Protocol:                             TCP
Action:                               NoAuthentication
ExemptIPsecProtectedConnections:      No
ApplyAuthorization:                   No

Rule Name:                            DirectAccess Policy-clientToAppServer
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Private,Public
Type:                                 Dynamic
Mode:                                 Transport
Endpoint1:                            Any
Endpoint2:                            2002:836b:2:1:0:5efe:10.0.0.3-2002:836b:2:
1:0:5efe:10.0.0.3
Protocol:                             Any
Action:                               RequestInRequestOut
Auth1:                                ComputerCert,ComputerKerb
Auth1CAName:                          DC=com, DC=contoso, DC=corp, CN=corp-DC1-C
A
Auth1CertMapping:                     No
Auth1ExcludeCAName:                   No
Auth1CertType:                        Root
Auth1HealthCert:                      No
Auth2:                                UserKerb
MainModeSecMethods:                   DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA
1,DHGroup2-3DES-SHA1
QuickModeSecMethods:                  ESP:SHA256-None+60min+100000kb,AH:SHA256+6
0min+100000kb,AuthNoEncap:SHA256+60min+100000kb

Rule Name:                            DirectAccess Policy-ClientToMgmt
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Private,Public
Type:                                 Dynamic
Mode:                                 Tunnel
LocalTunnelEndpoint:                  Any
RemoteTunnelEndpoint:                 2002:836b:2::836b:2
Endpoint1:                            Any
Endpoint2:                            2002:836b:2:1:200:5efe:157.60.79.2-2002:83
6b:2:1:200:5efe:157.60.79.2
Protocol:                             Any
Action:                               RequireInRequireOut
Auth1:                                ComputerCert
Auth1CAName:                          DC=com, DC=contoso, DC=corp, CN=corp-DC1-C
A
Auth1CertMapping:                     No
Auth1ExcludeCAName:                   No
Auth1CertType:                        Root
Auth1HealthCert:                      No
Auth2:                                UserNTLM
MainModeSecMethods:                   DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA
1,DHGroup2-3DES-SHA1
QuickModeSecMethods:                  ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AE
S128+60min+100000kb
ExemptIPsecProtectedConnections:      No
ApplyAuthorization:                   No

Rule Name:                            DirectAccess Policy-ClientToCorp
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Private,Public
Type:                                 Dynamic
Mode:                                 Tunnel
LocalTunnelEndpoint:                  Any
RemoteTunnelEndpoint:                 2002:836b:3::836b:3
Endpoint1:                            Any
Endpoint2:                            2002:836b:2:1::/64
Protocol:                             Any
Action:                               RequireInRequireOut
Auth1:                                ComputerCert
Auth1CAName:                          DC=com, DC=contoso, DC=corp, CN=corp-DC1-C
A
Auth1CertMapping:                     No
Auth1ExcludeCAName:                   No
Auth1CertType:                        Root
Auth1HealthCert:                      No
Auth2:                                UserKerb
MainModeSecMethods:                   DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA
1,DHGroup2-3DES-SHA1
QuickModeSecMethods:                  ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AE
S128+60min+100000kb
ExemptIPsecProtectedConnections:      No
ApplyAuthorization:                   No

Rule Name:                            DirectAccess Policy-ClientToDnsDc
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Private,Public
Type:                                 Dynamic
Mode:                                 Tunnel
LocalTunnelEndpoint:                  Any
RemoteTunnelEndpoint:                 2002:836b:2::836b:2
Endpoint1:                            Any
Endpoint2:                            2002:836b:2:1:0:5efe:10.0.0.1-2002:836b:2:
1:0:5efe:10.0.0.1
Protocol:                             Any
Action:                               RequireInRequireOut
Auth1:                                ComputerCert
Auth1CAName:                          DC=com, DC=contoso, DC=corp, CN=corp-DC1-C
A
Auth1CertMapping:                     No
Auth1ExcludeCAName:                   No
Auth1CertType:                        Root
Auth1HealthCert:                      No
Auth2:                                UserNTLM
MainModeSecMethods:                   DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA
1,DHGroup2-3DES-SHA1
QuickModeSecMethods:                  ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AE
S128+60min+100000kb
ExemptIPsecProtectedConnections:      No
ApplyAuthorization:                   No

Ok.

You use the netsh advfirewall monitor show consec rule name=all command to verify that a DirectAccess client, DirectAccess server, or selected server has been configured with the correct connection security rules.

netsh advfirewall monitor show currentprofile

This command shows the networks to which the computer is attached and the firewall profiles (public, private, or domain) assigned to each network.

The following is an example of the output from the netsh advfirewall monitor show currentprofile command on a DirectAccess server.

Domain Profile:
----------------------------------------------------------------------
corp.contoso.com

Public Profile:
----------------------------------------------------------------------
Unidentified network
Ok.

In this example, the DirectAccess server is attached to two networks (corp.contoso.com and Unidentified network). The corp.contoso.com network is assigned the domain profile and the Unidentified network is assigned the public profile.

You use the netsh advfirewall monitor show currentprofile command to determine the profiles that are assigned to DirectAccess clients when troubleshooting network location detection and the profiles assigned to a DirectAccess server when troubleshooting DirectAccess Setup Wizard problems.

netsh interface ipv6 show interfaces

This command shows the set of IPv6 interfaces on a computer and their state. The following is an example of the output from the netsh interface ipv6 show interfaces command on a DirectAccess server.

Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  1          50  4294967295  connected     Loopback Pseudo-Interface 1
 13          25        1280  connected     isatap.corp.contoso.com
 14          25        1280  connected     isatap.isp.example.com
 11          20        1500  connected     Corpnet
 15          25        1280  connected     6TO4 Adapter
 16          50        1280  connected     Teredo Tunneling Pseudo-Interface
 17          50        1280  connected     IPHTTPSInterface
 12          20        1500  connected     Internet

You use the netsh interface ipv6 show interfaces command to quickly determine the set of IPv6 interfaces and whether ISATAP, 6to4, Teredo, and IP-HTTPS tunneling interfaces are present and their state (connected or disconnected).

netsh interface ipv6 show interfaces level=verbose

This command shows the set of IPv6 interfaces on a computer and detailed information about their configuration.

The following is an example of the output from the netsh interface ipv6 show interfaces level=verbose command on a DirectAccess server.

Interface Loopback Pseudo-Interface 1 Parameters
----------------------------------------------
IfLuid                             : loopback_1
IfIndex                            : 1
State                              : connected
Metric                             : 50
Link MTU                           : 4294967295 bytes
Reachable Time                     : 31000 ms
Base Reachable Time                : 30000 ms
Retransmission Interval            : 1000 ms
DAD Transmits                      : 0
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : disabled
Advertising                        : disabled
Neighbor Discovery                 : disabled
Neighbor Unreachability Detection  : disabled
Router Discovery                   : enabled
Managed Address Configuration      : disabled
Other Stateful Configuration       : disabled
Weak Host Sends                    : enabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
Ignore Default Routes              : disabled
Advertised Router Lifetime         : 1800 seconds
Advertise Default Route            : disabled
Current Hop Limit                  : 0
Force ARPND Wake up patterns       : disabled
Directed MAC Wake up patterns      : disabled

Interface isatap.corp.contoso.com Parameters
----------------------------------------------
IfLuid                             : tunnel_4
IfIndex                            : 13
State                              : connected
Metric                             : 25
Link MTU                           : 1280 bytes
Reachable Time                     : 16500 ms
Base Reachable Time                : 30000 ms
Retransmission Interval            : 1000 ms
DAD Transmits                      : 0
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : enabled
Advertising                        : enabled
Neighbor Discovery                 : enabled
Neighbor Unreachability Detection  : disabled
Router Discovery                   : enabled
Managed Address Configuration      : disabled
Other Stateful Configuration       : disabled
Weak Host Sends                    : enabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
Ignore Default Routes              : disabled
Advertised Router Lifetime         : 1800 seconds
Advertise Default Route            : enabled
Current Hop Limit                  : 0
Force ARPND Wake up patterns       : disabled
Directed MAC Wake up patterns      : disabled

Interface isatap.isp.example.com Parameters
----------------------------------------------
IfLuid                             : tunnel_5
IfIndex                            : 14
State                              : connected
Metric                             : 25
Link MTU                           : 1280 bytes
Reachable Time                     : 36000 ms
Base Reachable Time                : 30000 ms
Retransmission Interval            : 1000 ms
DAD Transmits                      : 0
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : disabled
Advertising                        : disabled
Neighbor Discovery                 : enabled
Neighbor Unreachability Detection  : disabled
Router Discovery                   : enabled
Managed Address Configuration      : disabled
Other Stateful Configuration       : disabled
Weak Host Sends                    : enabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
Ignore Default Routes              : disabled
Advertised Router Lifetime         : 1800 seconds
Advertise Default Route            : disabled
Current Hop Limit                  : 0
Force ARPND Wake up patterns       : disabled
Directed MAC Wake up patterns      : disabled

Interface Corpnet Parameters
----------------------------------------------
IfLuid                             : ethernet_6
IfIndex                            : 11
State                              : connected
Metric                             : 20
Link MTU                           : 1500 bytes
Reachable Time                     : 19500 ms
Base Reachable Time                : 30000 ms
Retransmission Interval            : 1000 ms
DAD Transmits                      : 1
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : enabled
Advertising                        : disabled
Neighbor Discovery                 : enabled
Neighbor Unreachability Detection  : enabled
Router Discovery                   : enabled
Managed Address Configuration      : enabled
Other Stateful Configuration       : enabled
Weak Host Sends                    : enabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
Ignore Default Routes              : disabled
Advertised Router Lifetime         : 1800 seconds
Advertise Default Route            : disabled
Current Hop Limit                  : 0
Force ARPND Wake up patterns       : disabled
Directed MAC Wake up patterns      : disabled

Interface 6TO4 Adapter Parameters
----------------------------------------------
IfLuid                             : tunnel_6
IfIndex                            : 15
State                              : connected
Metric                             : 25
Link MTU                           : 1280 bytes
Reachable Time                     : 37000 ms
Base Reachable Time                : 30000 ms
Retransmission Interval            : 1000 ms
DAD Transmits                      : 0
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : enabled
Advertising                        : disabled
Neighbor Discovery                 : disabled
Neighbor Unreachability Detection  : disabled
Router Discovery                   : enabled
Managed Address Configuration      : disabled
Other Stateful Configuration       : disabled
Weak Host Sends                    : enabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
Ignore Default Routes              : disabled
Advertised Router Lifetime         : 1800 seconds
Advertise Default Route            : disabled
Current Hop Limit                  : 0
Force ARPND Wake up patterns       : disabled
Directed MAC Wake up patterns      : disabled

Interface Teredo Tunneling Pseudo-Interface Parameters
----------------------------------------------
IfLuid                             : tunnel_7
IfIndex                            : 16
State                              : connected
Metric                             : 50
Link MTU                           : 1280 bytes
Reachable Time                     : 13500 ms
Base Reachable Time                : 15000 ms
Retransmission Interval            : 2000 ms
DAD Transmits                      : 0
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : enabled
Advertising                        : disabled
Neighbor Discovery                 : enabled
Neighbor Unreachability Detection  : enabled
Router Discovery                   : enabled
Managed Address Configuration      : disabled
Other Stateful Configuration       : disabled
Weak Host Sends                    : enabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
Ignore Default Routes              : disabled
Advertised Router Lifetime         : 1800 seconds
Advertise Default Route            : disabled
Current Hop Limit                  : 0
Force ARPND Wake up patterns       : disabled
Directed MAC Wake up patterns      : disabled

Interface IPHTTPSInterface Parameters
----------------------------------------------
IfLuid                             : tunnel_8
IfIndex                            : 17
State                              : connected
Metric                             : 50
Link MTU                           : 1280 bytes
Reachable Time                     : 35000 ms
Base Reachable Time                : 30000 ms
Retransmission Interval            : 1000 ms
DAD Transmits                      : 1
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : enabled
Advertising                        : enabled
Neighbor Discovery                 : enabled
Neighbor Unreachability Detection  : enabled
Router Discovery                   : enabled
Managed Address Configuration      : disabled
Other Stateful Configuration       : disabled
Weak Host Sends                    : enabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
Ignore Default Routes              : disabled
Advertised Router Lifetime         : 1800 seconds
Advertise Default Route            : disabled
Current Hop Limit                  : 0
Force ARPND Wake up patterns       : disabled
Directed MAC Wake up patterns      : disabled

Interface Internet Parameters
----------------------------------------------
IfLuid                             : ethernet_9
IfIndex                            : 12
State                              : connected
Metric                             : 20
Link MTU                           : 1500 bytes
Reachable Time                     : 37000 ms
Base Reachable Time                : 30000 ms
Retransmission Interval            : 1000 ms
DAD Transmits                      : 1
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : enabled
Advertising                        : disabled
Neighbor Discovery                 : enabled
Neighbor Unreachability Detection  : enabled
Router Discovery                   : enabled
Managed Address Configuration      : enabled
Other Stateful Configuration       : enabled
Weak Host Sends                    : enabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
Ignore Default Routes              : disabled
Advertised Router Lifetime         : 1800 seconds
Advertise Default Route            : disabled
Current Hop Limit                  : 0
Force ARPND Wake up patterns       : disabled
Directed MAC Wake up patterns      : disabled

You use the netsh interface ipv6 show interfaces level=verbose command on a DirectAccess server to verify that forwarding has been enabled on the 6to4, Teredo, IP-HTTPS, ISATAP, and local area network (LAN) interfaces and that advertising has been enabled on the IP-HTTPS and ISATAP interfaces.
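
The forwarding and advertising check described above can be scripted. The following PowerShell is an added example, not part of the original topic: it parses the verbose listing into per-interface blocks and reports each expected interface on which a setting is not enabled. The function names and the constructed sample are assumptions of this example, and the interface names are those of the lab server shown above.

```powershell
# Constructed sample: three interface blocks in the format shown above, trimmed to
# the fields checked. The IPHTTPSInterface block is deliberately wrong (Advertising
# disabled) so that the check has something to report.
$sample = @'
Interface isatap.corp.contoso.com Parameters
----------------------------------------------
Forwarding                         : enabled
Advertising                        : enabled

Interface 6TO4 Adapter Parameters
----------------------------------------------
Forwarding                         : enabled
Advertising                        : disabled

Interface IPHTTPSInterface Parameters
----------------------------------------------
Forwarding                         : enabled
Advertising                        : disabled
'@ -split "`r?`n"

# Split the verbose listing into one hashtable per "Interface <name> Parameters" block.
function ConvertFrom-NetshIPv6Verbose {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Interface (.+) Parameters\s*$') {
            if ($null -ne $current) { $current }
            $current = @{ Name = $Matches[1] }
        } elseif ($null -ne $current -and $line -match '^(.+?)\s*:\s*(.*?)\s*$') {
            $current[$Matches[1]] = $Matches[2]
        }
    }
    if ($null -ne $current) { $current }
}

# Report every expected interface that is absent or has the setting not 'enabled'.
function Get-InterfaceSettingFinding {
    param([string[]]$Lines, [string]$Setting, [string[]]$ExpectedOn)
    $byName = @{}
    foreach ($i in (ConvertFrom-NetshIPv6Verbose -Lines $Lines)) { $byName[$i.Name] = $i }
    foreach ($name in $ExpectedOn) {
        $actual = if ($byName.ContainsKey($name)) { $byName[$name][$Setting] } else { '(interface not found)' }
        if ($actual -ne 'enabled') { "{0}: {1} = {2}" -f $name, $Setting, $actual }
    }
}

# Lab interface names; add the LAN interfaces (Corpnet and Internet in the lab) to the Forwarding list.
Get-InterfaceSettingFinding -Lines $sample -Setting 'Forwarding' -ExpectedOn '6TO4 Adapter','Teredo Tunneling Pseudo-Interface','IPHTTPSInterface','isatap.corp.contoso.com'
Get-InterfaceSettingFinding -Lines $sample -Setting 'Advertising' -ExpectedOn 'IPHTTPSInterface','isatap.corp.contoso.com'
```

To check a live server, pass the command's output instead of the sample, for example `-Lines (netsh interface ipv6 show interfaces level=verbose)`. Expected interfaces are listed by name rather than matched by pattern because not every ISATAP interface is expected to forward: in the lab output, isatap.isp.example.com has forwarding and advertising disabled.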

netsh interface ipv6 show route

This command shows the entries in the IPv6 route table. The following is an example of the output from the netsh interface ipv6 show route command on a DirectAccess server.

Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
-------  --------  ---  ------------------------  ---  ------------------------
No       Manual    256  ::1/128                     1  Loopback Pseudo-Interface 1
No       Manual    8    2001::/32                  16  Teredo Tunneling Pseudo-Interface
Yes      Manual    1000  2002::/16                  15  6TO4 Adapter
No       Manual    256  2002:836b:2::836b:2/128    15  6TO4 Adapter
Yes      Manual    256  2002:836b:2:1::/64         13  isatap.corp.contoso.com
No       Manual    256  2002:836b:2:1::/128        13  isatap.corp.contoso.com
No       Manual    256  2002:836b:2:1:0:5efe:10.0.0.2/128   13  isatap.corp.contoso.com
Yes      Manual    256  2002:836b:2:2::/64         17  IPHTTPSInterface
No       Manual    256  2002:836b:2:2::/128        17  IPHTTPSInterface
No       Manual    256  2002:836b:2:2:6d5c:17f7:69e8:dd2b/128   17  IPHTTPSInterface
No       Manual    256  2002:836b:3::836b:3/128    15  6TO4 Adapter
No       Manual    256  fe80::/64                  11  Corpnet
No       Manual    256  fe80::/64                  12  Internet
No       Manual    256  fe80::/64                  16  Teredo Tunneling Pseudo-Interface
No       Manual    256  fe80::/64                  17  IPHTTPSInterface
No       Manual    256  fe80::5efe:10.0.0.2/128    13  isatap.corp.contoso.com
No       Manual    256  fe80::200:5efe:131.107.0.2/128   14  isatap.isp.example.com
No       Manual    256  fe80::200:5efe:131.107.0.3/128   14  isatap.isp.example.com
No       Manual    256  fe80::45d1:e335:2f5e:865c/128   11  Corpnet
No       Manual    256  fe80::6d5c:17f7:69e8:dd2b/128   17  IPHTTPSInterface
No       Manual    256  fe80::8000:f227:7c94:fffd/128   16  Teredo Tunneling Pseudo-Interface
No       Manual    256  ff00::/8                    1  Loopback Pseudo-Interface 1
No       Manual    256  ff00::/8                   17  IPHTTPSInterface
No       Manual    256  ff00::/8                   16  Teredo Tunneling Pseudo-Interface
No       Manual    256  ff00::/8                   11  Corpnet
No       Manual    256  ff00::/8                   12  Internet

You use the netsh interface ipv6 show route command to troubleshoot reachability problems for communication between DirectAccess clients and the DirectAccess server and between DirectAccess clients and intranet resources. You can also use the netsh interface ipv6 show route command to determine the IPv6 prefix that the DirectAccess server is advertising to IP-HTTPS clients, which is the 64-bit route that begins with 2 or 3 and has the Gateway/Interface Name of IPHTTPSInterface (2002:836b:2:2::/64 in the example).
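
The prefix lookup described above, as an added PowerShell example that is not part of the original topic: it parses the route table and returns the /64 route that begins with 2 or 3 on the IP-HTTPS interface. It also rejoins rows split across two lines, as happens in output copied from a fixed-width console window. The function names and the constructed sample are assumptions of this example.

```powershell
# Constructed capture: rows from the lab route table, two of them split across
# two lines the way a fixed-width console capture splits them.
$sample = @'
Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
-------  --------  ---  ------------------------  ---  ------------------------
No       Manual    8    2001::/32                  16  Teredo Tunneling Pseudo-I
nterface
Yes      Manual    1000  2002::/16                  15  6TO4 Adapter
Yes      Manual    256  2002:836b:2:1::/64         13  isatap.corp.contoso.com
Yes      Manual    256  2002:836b:2:2::/64         17  IPHTTPSInterface
No       Manual    256  2002:836b:2:2::/128        17  IPHTTPSInterface
No       Manual    256  2002:836b:2:2:6d5c:17f7:69e8:dd2b/128   17  IPHTTPSInter
face
No       Manual    256  fe80::/64                  17  IPHTTPSInterface
'@ -split "`r?`n"

# Parse route rows; a non-blank line that is not a row continues the previous row's name.
function ConvertFrom-NetshIPv6Route {
    param([string[]]$Lines)
    $rowPattern = '^(\S+)\s+(\S+)\s+(\d+)\s+(\S+/\d+)\s+(\d+)\s+(.*)$'
    $rows = @()
    foreach ($line in $Lines) {
        if ($line -match $rowPattern) {
            $rows += New-Object PSObject -Property @{
                Publish = $Matches[1]; Type = $Matches[2]; Metric = [int]$Matches[3]
                Prefix = $Matches[4]; IfIndex = [int]$Matches[5]; Interface = $Matches[6]
            }
        } elseif ($rows.Count -gt 0 -and $line.Trim()) {
            # Append verbatim so "IPHTTPSInter" + "face" becomes "IPHTTPSInterface".
            $rows[-1].Interface += $line
        }
    }
    $rows
}

# The /64 route that begins with 2 or 3 on the IP-HTTPS interface.
function Get-IPHttpsAdvertisedPrefix {
    param([string[]]$Lines, [string]$InterfaceName = 'IPHTTPSInterface')
    ConvertFrom-NetshIPv6Route -Lines $Lines | Where-Object {
        $_.Interface.Trim() -eq $InterfaceName -and
        $_.Prefix -match '^[23][0-9a-f]*:.*/64$'
    } | Select-Object Prefix, Publish, IfIndex
}

Get-IPHttpsAdvertisedPrefix -Lines $sample
```

The link-local fe80::/64 route on the same interface is excluded because it does not begin with 2 or 3, and the /128 host routes are excluded by the prefix length.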