The Netsh.exe Command Line Tool
Updated: May 24, 2010
Applies To: Windows Server 2008 R2
You can use the following Network Shell (Netsh) commands to gather information when troubleshooting DirectAccess:
netsh dnsclient show state
netsh namespace show effectivepolicy and netsh namespace show policy
netsh interface 6to4 show relay
netsh interface teredo show state
netsh interface httpstunnel show interfaces
netsh interface isatap show state and netsh interface isatap show router
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
netsh advfirewall monitor show consec rule name=all
netsh advfirewall monitor show currentprofile
netsh interface ipv6 show interfaces
netsh interface ipv6 show interfaces level=verbose
netsh interface ipv6 show route
Note
The example displays of Netsh.exe commands in this topic were obtained from the DirectAccess test lab (https://go.microsoft.com/fwlink/?Linkid=150613).
netsh dnsclient show state
This command shows the settings for the Name Resolution Policy Table (NRPT) on a DirectAccess client, including where the client is located (either on the intranet or on the Internet), whether the client has been configured with DirectAccess NRPT rules, and whether the rules are enabled.
The following is an example of output from the netsh dnsclient show state command.
Name Resolution Policy Table Options
--------------------------------------------------------------------
Query Failure Behavior : Only use LLMNR and NetBIOS if the name does not exist in DNS
Query Resolution Behavior : Resolve only IPv6 addresses for names
Network Location Behavior : Let Network ID determine when DirectAccess settings are to be used
Machine Location : Inside corporate network
DirectAccess Settings : Configured and Disabled
DNSSEC Settings : Not Configured
In this example, the DirectAccess client is located on the intranet (Machine Location: Inside corporate network) and has been configured with DirectAccess NRPT rules, but they are disabled (DirectAccess Settings: Configured and Disabled).
You use the netsh dnsclient show state command to determine the results of network location detection (the Machine Location field) and the state of DirectAccess NRPT rules (the DirectAccess Settings field).
netsh namespace show effectivepolicy and netsh namespace show policy
These commands show the rules in the NRPT on a DirectAccess client. The netsh namespace show policy command shows the NRPT rules as configured with Group Policy, and the netsh namespace show effectivepolicy command shows the active rules.
The following is an example of output from the netsh namespace show effectivepolicy command.
DNS Effective Name Resolution Policy Table Settings
Settings for nls.corp.contoso.com
----------------------------------------------------------------------
Certification authority : DC=com, DC=contoso, DC=corp, CN=corp-D
C1-CA
DNSSEC (Validation) : disabled
IPsec settings : disabled
DirectAccess (DNS Servers) :
DirectAccess (Proxy Settings) : Bypass proxy
Settings for .corp.contoso.com
----------------------------------------------------------------------
Certification authority : DC=com, DC=contoso, DC=corp, CN=corp-D
C1-CA
DNSSEC (Validation) : disabled
IPsec settings : disabled
DirectAccess (DNS Servers) : 2002:836b:2:1:0:5efe:10.0.0.1
DirectAccess (Proxy Settings) : Bypass proxy
In this example, the DirectAccess client is located on the Internet and has a namespace rule for its intranet namespace (the example rule for .corp.contoso.com) and an exemption rule for the FQDN of its network location server (the example rule for nls.corp.contoso.com).
You use the netsh namespace show effectivepolicy command to determine the results of network location detection and the Internet Protocol version 6 (IPv6) addresses of intranet Domain Name System (DNS) servers for additional troubleshooting.
If there are active rules in the NRPT, the DirectAccess client has determined that it is not on the intranet. If there are no active rules in the NRPT, the DirectAccess client has determined that it is on the intranet or it has not been correctly configured with NRPT rules.
If there are no rules in the NRPT as configured through Group Policy (from the display of the netsh namespace show policy command), the DirectAccess client has not been properly configured. Verify that the computer account of the DirectAccess client is a member of the appropriate security group to which DirectAccess client Group Policy settings are applied.
Note
The DirectAccess server is not a DirectAccess client and is not configured with NRPT rules. The netsh namespace show effectivepolicy command on a DirectAccess server should always display no rules.
netsh interface 6to4 show relay
This command shows the Internet Protocol version 4 (IPv4) address or fully qualified domain name (FQDN) of the 6to4 relay on a DirectAccess client. This is set by default through Group Policy to the first consecutive public IPv4 address that is assigned to the Internet interface of the DirectAccess server. The following is an example of output from the netsh interface 6to4 show relay command.
Relay Name : 131.107.0.2 (Group Policy)
Use Relay : default
Resolution Interval : default
In this example, the DirectAccess client has been configured with the 6to4 relay IPv4 address of 131.107.0.2 through Group Policy.
You use the netsh interface 6to4 show relay command to determine where the DirectAccess client is sending its default route IPv6 traffic when it has been configured with a public IPv4 address and is using 6to4 to tunnel IPv6 traffic across the Internet.
netsh interface teredo show state
This command shows the state and configuration of the Teredo component on a DirectAccess server or client. On a DirectAccess client, the Teredo client configuration is set by default through Group Policy and the Server Name is set to the first consecutive public IPv4 address assigned to the Internet interface of the DirectAccess server.
The following is an example of output from the netsh interface teredo show state command on a DirectAccess client.
Teredo Parameters
---------------------------------------------
Type : client
Server Name : 131.107.0.2 (Group Policy)
Client Refresh Interval : 30 seconds
Client Port : unspecified
State : offline
Error : client is in a managed network
In this example, the DirectAccess client has been configured with the Teredo server IPv4 address of 131.107.0.2 through Group Policy and is in an offline state.
The following is an example of output from the netsh interface teredo show state command on a DirectAccess server.
Teredo Parameters
---------------------------------------------
Type : server
Virtual Server Ip : 0.0.0.0
Client Refresh Interval : 30 seconds
State : online
Server Packets Received : 0
Success : 0 (Bubble 0, Echo 0, RS1 0 RS2 0)
Failure : 0 (Hdr 0, Src 0, Dest 0, Auth 0)
Relay Packets Received : 0
Success : 0 (Bubble 0, Data 0)
Failure : 0 (Hdr 0, Src 0, Dest 0)
Relay Packets Sent : 2
Success : 0 (Bubble 0, Data 0)
Failure : 2 (Hdr 0, Src 2, Dest 0)
Packets Received in the last 30 seconds:
Bubble 0, Echo 0, RS1 0, RS2 0
6to4 source address 0, native IPv6 source address 0
6to4 destination address 0, native IPv6 destination address 0
Estimated Bandwidth consumed in the last 30 seconds (in BPS):
Bubble 0, Echo 0, Primary 0, Secondary 0
6to4 source address 0, native IPv6 source address 0
6to4 destination address 0, native IPv6 destination address 0
In this example, the DirectAccess server is acting as a Teredo server and a Teredo relay and is in an online state.
You use the netsh interface teredo show state command on a DirectAccess client to determine the Teredo server of a DirectAccess client and its current state. You use the netsh interface teredo show state command on a DirectAccess server to determine whether it is acting as a Teredo server and relay and its current state.
netsh interface httpstunnel show interfaces
This command shows the state and configuration of the Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS) component on a DirectAccess server or client. On a DirectAccess client, the IP-HTTPS client configuration is set by default through Group Policy. The uniform resource locator (URL) of the IP-HTTPS server is based on the Subject field in the certificate chosen for IP-HTTPS connections in Step 2 of the DirectAccess Setup Wizard.
The following is an example of output from the netsh interface httpstunnel show interfaces command on a DirectAccess client.
Interface IPHTTPSInterface (Group Policy) Parameters
------------------------------------------------------------
Role : client
URL : https://da1.contoso.com:443/IPHTTPS
Last Error Code : 0x0
Interface Status : IPHTTPS interface deactivated
In this example, the DirectAccess client has been configured as an IP-HTTPS client with the URL https://da1.contoso.com:443/IPHTTPS.
The following is an example of output from the netsh interface httpstunnel show interfaces command on a DirectAccess server.
Interface IPHTTPSInterface Parameters
------------------------------------------------------------
Role : server
URL : https://da1.contoso.com:443/IPHTTPS
Client authentication mode : certificates
Last Error Code : 0x0
Interface Status : IPHTTPS interface active
In this example, the DirectAccess server has been configured as an IP-HTTPS server with the URL https://da1.contoso.com:443/IPHTTPS and uses certificates for authentication.
You use the netsh interface httpstunnel show interfaces command on a DirectAccess client to determine the URL of the IP-HTTPS server and the current state of the IP-HTTPS client component. You use the netsh interface httpstunnel show interfaces command on a DirectAccess server to determine the URL of the IP-HTTPS server, to verify that it is acting as an IP-HTTPS server, and to determine the authentication method. The URL on both the DirectAccess client and server should be the same.
netsh interface isatap show state and netsh interface isatap show router
These commands show the state and configuration of the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) component on the ISATAP router (the DirectAccess server) or an ISATAP host. Unlike 6to4, Teredo, and IP-HTTPS transition technologies, the DirectAccess Setup Wizard does not configure a name or IPv4 address for an ISATAP router in Group Policy. Instead, it attempts to register the name ISATAP and an assigned intranet IPv4 address with its DNS server. ISATAP hosts on the intranet use the name ISATAP to resolve the IPv4 address of the ISATAP router (the DirectAccess server).
The following is an example of output from the netsh interface isatap show state command on a DirectAccess server.
ISATAP State : enabled
In this example, the DirectAccess server has the ISATAP component enabled.
The following is an example of output from the netsh interface isatap show router command on the DirectAccess server.
Router Name : isatap.corp.contoso.com
Use Relay : default
Resolution Interval : default
In this example, the DirectAccess server has constructed the ISATAP router name from the name ISATAP and the DNS suffix assigned to the computer (corp.contoso.com).
You use the netsh interface isatap show state and netsh interface isatap show router commands on the DirectAccess server to ensure that it is configured to act as an ISATAP router. You use the netsh interface isatap show state and netsh interface isatap show router commands on an intranet node to ensure that it has a default configuration.
To determine if an ISATAP host has successfully configured an ISATAP-based address, use the ipconfig command and look for an interface named Tunnel adapter isatap.ComputerDNSSuffix. Ensure that it has been assigned an ISATAP-based IPv6 address that begins with 2 or 3 and a default gateway.
netsh advfirewall monitor show mmsa
This command shows the currently active main mode security associations (SAs) for Internet Protocol security (IPsec)-protected traffic on a DirectAccess client, a DirectAccess server, or an intranet resource.
The following is an example of output from the netsh advfirewall monitor show mmsa command on a DirectAccess client.
Main Mode SA at 09/11/2009 10:43:59
----------------------------------------------------------------------
Local IP Address: 2002:836b:65::836b:65
Remote IP Address: 2002:836b:2::836b:2
Auth1: ComputerCert
Auth2: UserNTLM
MM Offer: None-AES128-SHA256
Cookie Pair: a075a1437682ad8e:0afed90d0f2a8cac
Health Cert: No
Main Mode SA at 09/11/2009 10:43:59
----------------------------------------------------------------------
Local IP Address: 2002:836b:65::836b:65
Remote IP Address: 2002:836b:2::836b:2
Auth1: ComputerCert
Auth2: UserNTLM
MM Offer: None-AES128-SHA256
Cookie Pair: 9e355ec21d66e39b:d748c6e2ddd09424
Health Cert: No
Main Mode SA at 09/11/2009 10:43:59
----------------------------------------------------------------------
Local IP Address: 2002:836b:65::836b:65
Remote IP Address: 2002:836b:2:1:0:5efe:10.0.0.3
Auth2 Local ID: CORP\User1
Auth2 Remote ID: host/APP1.corp.contoso.com
Auth1: ComputerCert
Auth2: UserKerb
MM Offer: None-AES128-SHA256
Cookie Pair: 912ff504e979e831:4eb6fb986fa84eb9
Health Cert: No
Main Mode SA at 09/11/2009 10:43:59
----------------------------------------------------------------------
Local IP Address: 2002:836b:65::836b:65
Remote IP Address: 2002:836b:3::836b:3
Auth2 Local ID: host/CLIENT2.corp.contoso.com
Auth2 Remote ID: CORP\DA1$
Auth1: ComputerCert
Auth2: UserKerb
MM Offer: None-AES128-SHA256
Cookie Pair: 96d2b451be5756e9:0d2515c811c26034
Health Cert: No
Main Mode SA at 09/11/2009 10:43:59
----------------------------------------------------------------------
Local IP Address: 2002:836b:65::836b:65
Remote IP Address: 2002:836b:3::836b:3
Auth2 Local ID: NT AUTHORITY\SYSTEM
Auth2 Remote ID: host/da1.corp.contoso.com
Auth1: ComputerCert
Auth2: UserKerb
MM Offer: None-AES128-SHA256
Cookie Pair: 2ba50b46a6820026:24b64b78e8f7ac0d
Health Cert: No
Main Mode SA at 09/11/2009 10:43:59
----------------------------------------------------------------------
Local IP Address: 2002:836b:65::836b:65
Remote IP Address: 2002:836b:3::836b:3
Auth2 Local ID: CORP\User1
Auth2 Remote ID: host/da1.corp.contoso.com
Auth1: ComputerCert
Auth2: UserKerb
MM Offer: None-AES128-SHA256
Cookie Pair: 4775f7dd32e268b2:b0ad96d598518fa7
Health Cert: No
Ok.
The following is an example of output from the netsh advfirewall monitor show mmsa command on the DirectAccess server of the DirectAccess client.
Main Mode SA at 09/11/2009 10:44:03
----------------------------------------------------------------------
Local IP Address: 2002:836b:2::836b:2
Remote IP Address: 2002:836b:65::836b:65
Auth1: ComputerCert
Auth2: UserNTLM
MM Offer: None-AES128-SHA256
Cookie Pair: a075a1437682ad8e:0afed90d0f2a8cac
Health Cert: No
Main Mode SA at 09/11/2009 10:44:03
----------------------------------------------------------------------
Local IP Address: 2002:836b:2::836b:2
Remote IP Address: 2002:836b:65::836b:65
Auth1: ComputerCert
Auth2: UserNTLM
MM Offer: None-AES128-SHA256
Cookie Pair: 9e355ec21d66e39b:d748c6e2ddd09424
Health Cert: No
Main Mode SA at 09/11/2009 10:44:03
----------------------------------------------------------------------
Local IP Address: 2002:836b:3::836b:3
Remote IP Address: 2002:836b:65::836b:65
Auth2 Local ID: NT AUTHORITY\SYSTEM
Auth2 Remote ID: host/CLIENT2.corp.contoso.com
Auth1: ComputerCert
Auth2: UserKerb
MM Offer: None-AES128-SHA256
Cookie Pair: 96d2b451be5756e9:0d2515c811c26034
Health Cert: No
Main Mode SA at 09/11/2009 10:44:03
----------------------------------------------------------------------
Local IP Address: 2002:836b:3::836b:3
Remote IP Address: 2002:836b:65::836b:65
Auth2 Local ID: host/da1.corp.contoso.com
Auth2 Remote ID: CORP\CLIENT2$
Auth1: ComputerCert
Auth2: UserKerb
MM Offer: None-AES128-SHA256
Cookie Pair: 2ba50b46a6820026:24b64b78e8f7ac0d
Health Cert: No
Main Mode SA at 09/11/2009 10:44:03
----------------------------------------------------------------------
Local IP Address: 2002:836b:3::836b:3
Remote IP Address: 2002:836b:65::836b:65
Auth2 Local ID: host/da1.corp.contoso.com
Auth2 Remote ID: CORP\User1
Auth1: ComputerCert
Auth2: UserKerb
MM Offer: None-AES128-SHA256
Cookie Pair: 4775f7dd32e268b2:b0ad96d598518fa7
Health Cert: No
Ok.
You can correlate the main mode SAs on the DirectAccess client and server through the Cookie Pair.
You use the netsh advfirewall monitor show mmsa command to verify that the DirectAccess client and server can successfully negotiate main mode IPsec SAs. If there are no main mode IPsec SAs on the DirectAccess client after attempting to access an intranet resource, investigate the inability to perform IPsec peer authentication with installed certificates.
netsh advfirewall monitor show qmsa
This command shows the currently active quick mode SAs on a DirectAccess client, a DirectAccess server, or an intranet resource.
The following is an example of output from the netsh advfirewall monitor show qmsa command on a DirectAccess client.
Quick Mode SA at 09/11/2009 10:56:38
----------------------------------------------------------------------
Local IP Address: 2002:836b:65::836b:65
Remote IP Address: 2002:836b:2::836b:2
Local Port: Any
Remote Port: Any
Protocol: Any
Direction: Both
QM Offer: ESP:SHA1-AES192+60min+100000kb
PFS: None
Quick Mode SA at 09/11/2009 10:56:38
----------------------------------------------------------------------
Local IP Address: 2002:836b:65::836b:65
Remote IP Address: 2002:836b:3::836b:3
Local Port: Any
Remote Port: Any
Protocol: Any
Direction: Both
QM Offer: ESP:SHA1-AES192+60min+100000kb
PFS: None
Quick Mode SA at 09/11/2009 10:56:38
----------------------------------------------------------------------
Local IP Address: 2002:836b:65::836b:65
Remote IP Address: 2002:836b:2:1:0:5efe:10.0.0.3
Local Port: Any
Remote Port: Any
Protocol: Any
Direction: Both
QM Offer: ESP:SHA256-None+60min+100000kb
PFS: None
Quick Mode SA at 09/11/2009 10:56:38
----------------------------------------------------------------------
Local IP Address: 2002:836b:65::836b:65
Remote IP Address: 2002:836b:3::836b:3
Local Port: Any
Remote Port: Any
Protocol: Any
Direction: Both
QM Offer: ESP:SHA1-AES192+60min+100000kb
PFS: None
Ok.
The following is an example of output from the netsh advfirewall monitor show qmsa command on the DirectAccess server of the DirectAccess client.
Quick Mode SA at 09/11/2009 10:56:47
----------------------------------------------------------------------
Local IP Address: 2002:836b:2::836b:2
Remote IP Address: 2002:836b:65::836b:65
Local Port: Any
Remote Port: Any
Protocol: Any
Direction: Both
QM Offer: ESP:SHA1-AES192+60min+100000kb
PFS: None
Quick Mode SA at 09/11/2009 10:56:47
----------------------------------------------------------------------
Local IP Address: 2002:836b:3::836b:3
Remote IP Address: 2002:836b:65::836b:65
Local Port: Any
Remote Port: Any
Protocol: Any
Direction: Both
QM Offer: ESP:SHA1-AES192+60min+100000kb
PFS: None
Quick Mode SA at 09/11/2009 10:56:47
----------------------------------------------------------------------
Local IP Address: 2002:836b:3::836b:3
Remote IP Address: 2002:836b:65::836b:65
Local Port: Any
Remote Port: Any
Protocol: Any
Direction: Both
QM Offer: ESP:SHA1-AES192+60min+100000kb
PFS: None
Ok.
You can correlate the quick mode SAs on the DirectAccess client and server through the local and remote Internet Protocol (IP) address pairs and Quick Mode (QM) offers.
You use the netsh advfirewall monitor show qmsa command to verify that the DirectAccess client and server can successfully negotiate quick mode IPsec SAs. If there are no quick mode IPsec SAs on the DirectAccess client after attempting to access an intranet resource, investigate the correlation of quick mode settings between the DirectAccess client, the DirectAccess server, and the intranet node.
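The Cookie Pair correlation from the show mmsa section and the address-pair and QM offer correlation described here, as an added Python example that is not part of the original topic: it parses captures of both commands taken on the two peers and reports which SAs pair up. The function names are hypothetical, and the sample captures are this topic's lab output trimmed to the fields the code uses.

```python
"""Correlate IPsec SAs captured with 'show mmsa' / 'show qmsa' on two peers."""
import re
from collections import Counter

HEADER = re.compile(r"^(Main|Quick) Mode SA at (.+)$")

def parse_sas(text):
    """Return one dict per SA block; tolerates indentation and blank lines."""
    sas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        match = HEADER.match(line)
        if match:
            current = {"Mode": match.group(1), "Time": match.group(2)}
            sas.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only: IPv6 addresses and offers contain colons.
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return sas

def correlate_main_mode(client_text, server_text):
    """Pair main mode SAs by Cookie Pair and check that the addresses mirror."""
    def by_cookie(text):
        return {sa["Cookie Pair"]: sa for sa in parse_sas(text)
                if sa["Mode"] == "Main" and "Cookie Pair" in sa}
    client, server = by_cookie(client_text), by_cookie(server_text)
    matched = []
    for cookie in sorted(client.keys() & server.keys()):
        c, s = client[cookie], server[cookie]
        mirrored = (c.get("Local IP Address"), c.get("Remote IP Address")) == (
            s.get("Remote IP Address"), s.get("Local IP Address"))
        matched.append({"cookie": cookie, "mirrored": mirrored, "auth2": c.get("Auth2")})
    return {"matched": matched,
            "client_only": sorted(client.keys() - server.keys()),
            "server_only": sorted(server.keys() - client.keys())}

def correlate_quick_mode(client_text, server_text):
    """Pair quick mode SAs by address pair plus QM Offer, counting duplicates."""
    def keys(text, flip):
        out = Counter()
        for sa in parse_sas(text):
            if sa["Mode"] == "Quick":
                pair = (sa.get("Local IP Address", ""), sa.get("Remote IP Address", ""))
                # Server entries are flipped so both sides use the client's orientation.
                out[(pair[::-1] if flip else pair) + (sa.get("QM Offer", ""),)] += 1
        return out
    client, server = keys(client_text, False), keys(server_text, True)
    return {"matched": sum((client & server).values()),
            "client_only": sorted((client - server).elements()),
            "server_only": sorted((server - client).elements())}

# Sample captures: excerpts of this topic's lab output, trimmed to the fields used.
CLIENT_MMSA = """\
Main Mode SA at 09/11/2009 10:43:59
----------------------------------------------------------------------
Local IP Address: 2002:836b:65::836b:65
Remote IP Address: 2002:836b:2::836b:2
Auth2: UserNTLM
Cookie Pair: a075a1437682ad8e:0afed90d0f2a8cac
Main Mode SA at 09/11/2009 10:43:59
----------------------------------------------------------------------
Local IP Address: 2002:836b:65::836b:65
Remote IP Address: 2002:836b:2:1:0:5efe:10.0.0.3
Auth2: UserKerb
Cookie Pair: 912ff504e979e831:4eb6fb986fa84eb9
"""
SERVER_MMSA = """\
Main Mode SA at 09/11/2009 10:44:03
----------------------------------------------------------------------
Local IP Address: 2002:836b:2::836b:2
Remote IP Address: 2002:836b:65::836b:65
Auth2: UserNTLM
Cookie Pair: a075a1437682ad8e:0afed90d0f2a8cac
"""
CLIENT_QMSA = """\
Quick Mode SA at 09/11/2009 10:56:38
----------------------------------------------------------------------
Local IP Address: 2002:836b:65::836b:65
Remote IP Address: 2002:836b:2::836b:2
QM Offer: ESP:SHA1-AES192+60min+100000kb
Quick Mode SA at 09/11/2009 10:56:38
----------------------------------------------------------------------
Local IP Address: 2002:836b:65::836b:65
Remote IP Address: 2002:836b:2:1:0:5efe:10.0.0.3
QM Offer: ESP:SHA256-None+60min+100000kb
"""
SERVER_QMSA = """\
Quick Mode SA at 09/11/2009 10:56:47
----------------------------------------------------------------------
Local IP Address: 2002:836b:2::836b:2
Remote IP Address: 2002:836b:65::836b:65
QM Offer: ESP:SHA1-AES192+60min+100000kb
"""

if __name__ == "__main__":
    print(correlate_main_mode(CLIENT_MMSA, SERVER_MMSA))
    print(correlate_quick_mode(CLIENT_QMSA, SERVER_QMSA))
```

A client-only entry is not necessarily a fault: in the sample, the unmatched SAs are the ones to 2002:836b:2:1:0:5efe:10.0.0.3, whose Auth2 Remote ID in the lab output is host/APP1.corp.contoso.com rather than the DirectAccess server.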
netsh advfirewall monitor show consec rule name=all
This command shows the active connection security rules on a DirectAccess client, DirectAccess server, or intranet node.
The following is an example of the output from the netsh advfirewall monitor show consec rule name=all command on a DirectAccess client.
Connection Security Rules:
Rule Name: DirectAccess Policy-clientToNlaExempt
----------------------------------------------------------------------
Enabled: Yes
Profiles: Private,Public
Type: Dynamic
Mode: Tunnel
LocalTunnelEndpoint: Any
RemoteTunnelEndpoint: Any
Endpoint1: 2002:836b:2:1::/64
Endpoint2: 2002:836b:2:1:0:5efe:10.0.0.3-2002:836b:2:
1:0:5efe:10.0.0.3
Port1: Any
Port2: 443
Protocol: TCP
Action: NoAuthentication
ExemptIPsecProtectedConnections: No
ApplyAuthorization: No
Rule Name: DirectAccess Policy-clientToAppServer
----------------------------------------------------------------------
Enabled: Yes
Profiles: Private,Public
Type: Dynamic
Mode: Transport
Endpoint1: Any
Endpoint2: 2002:836b:2:1:0:5efe:10.0.0.3-2002:836b:2:
1:0:5efe:10.0.0.3
Protocol: Any
Action: RequestInRequestOut
Auth1: ComputerCert,ComputerKerb
Auth1CAName: DC=com, DC=contoso, DC=corp, CN=corp-DC1-C
A
Auth1CertMapping: No
Auth1ExcludeCAName: No
Auth1CertType: Root
Auth1HealthCert: No
Auth2: UserKerb
MainModeSecMethods: DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA
1,DHGroup2-3DES-SHA1
QuickModeSecMethods: ESP:SHA256-None+60min+100000kb,AH:SHA256+6
0min+100000kb,AuthNoEncap:SHA256+60min+100000kb
Rule Name: DirectAccess Policy-ClientToMgmt
----------------------------------------------------------------------
Enabled: Yes
Profiles: Private,Public
Type: Dynamic
Mode: Tunnel
LocalTunnelEndpoint: Any
RemoteTunnelEndpoint: 2002:836b:2::836b:2
Endpoint1: Any
Endpoint2: 2002:836b:2:1:200:5efe:157.60.79.2-2002:83
6b:2:1:200:5efe:157.60.79.2
Protocol: Any
Action: RequireInRequireOut
Auth1: ComputerCert
Auth1CAName: DC=com, DC=contoso, DC=corp, CN=corp-DC1-C
A
Auth1CertMapping: No
Auth1ExcludeCAName: No
Auth1CertType: Root
Auth1HealthCert: No
Auth2: UserNTLM
MainModeSecMethods: DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA
1,DHGroup2-3DES-SHA1
QuickModeSecMethods: ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AE
S128+60min+100000kb
ExemptIPsecProtectedConnections: No
ApplyAuthorization: No
Rule Name: DirectAccess Policy-ClientToCorp
----------------------------------------------------------------------
Enabled: Yes
Profiles: Private,Public
Type: Dynamic
Mode: Tunnel
LocalTunnelEndpoint: Any
RemoteTunnelEndpoint: 2002:836b:3::836b:3
Endpoint1: Any
Endpoint2: 2002:836b:2:1::/64
Protocol: Any
Action: RequireInRequireOut
Auth1: ComputerCert
Auth1CAName: DC=com, DC=contoso, DC=corp, CN=corp-DC1-C
A
Auth1CertMapping: No
Auth1ExcludeCAName: No
Auth1CertType: Root
Auth1HealthCert: No
Auth2: UserKerb
MainModeSecMethods: DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA
1,DHGroup2-3DES-SHA1
QuickModeSecMethods: ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AE
S128+60min+100000kb
ExemptIPsecProtectedConnections: No
ApplyAuthorization: No
Rule Name: DirectAccess Policy-ClientToDnsDc
----------------------------------------------------------------------
Enabled: Yes
Profiles: Private,Public
Type: Dynamic
Mode: Tunnel
LocalTunnelEndpoint: Any
RemoteTunnelEndpoint: 2002:836b:2::836b:2
Endpoint1: Any
Endpoint2: 2002:836b:2:1:0:5efe:10.0.0.1-2002:836b:2:
1:0:5efe:10.0.0.1
Protocol: Any
Action: RequireInRequireOut
Auth1: ComputerCert
Auth1CAName: DC=com, DC=contoso, DC=corp, CN=corp-DC1-C
A
Auth1CertMapping: No
Auth1ExcludeCAName: No
Auth1CertType: Root
Auth1HealthCert: No
Auth2: UserNTLM
MainModeSecMethods: DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA
1,DHGroup2-3DES-SHA1
QuickModeSecMethods: ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AE
S128+60min+100000kb
ExemptIPsecProtectedConnections: No
ApplyAuthorization: No
Ok.
You use the netsh advfirewall monitor show consec rule name=all command to verify that a DirectAccess client, DirectAccess server, or selected server has been configured with the correct connection security rules.
netsh advfirewall monitor show currentprofile
This command shows the networks to which the computer is attached and the firewall profiles (public, private, or domain) assigned to each network.
The following is an example of the output from the netsh advfirewall monitor show currentprofile command on a DirectAccess server.
Domain Profile:
----------------------------------------------------------------------
corp.contoso.com
Public Profile:
----------------------------------------------------------------------
Unidentified network
Ok.
In this example, the DirectAccess server is attached to two networks (corp.contoso.com and Unidentified network). The corp.contoso.com network is assigned the domain profile and the Unidentified network is assigned the public profile.
You use the netsh advfirewall monitor show currentprofile command to determine the profiles that are assigned to DirectAccess clients when troubleshooting network location detection and the profiles assigned to a DirectAccess server when troubleshooting DirectAccess Setup Wizard problems.
netsh interface ipv6 show interfaces
This command shows the set of IPv6 interfaces on a computer and their state. The following is an example of the output from the netsh interface ipv6 show interfaces command on a DirectAccess server.
Idx Met MTU State Name
--- ---------- ---------- ------------ ---------------------------
1 50 4294967295 connected Loopback Pseudo-Interface 1
13 25 1280 connected isatap.corp.contoso.com
14 25 1280 connected isatap.isp.example.com
11 20 1500 connected Corpnet
15 25 1280 connected 6TO4 Adapter
16 50 1280 connected Teredo Tunneling Pseudo-Interface
17 50 1280 connected IPHTTPSInterface
12 20 1500 connected Internet
You use the netsh interface ipv6 show interfaces command to quickly determine the set of IPv6 interfaces and whether ISATAP, 6to4, Teredo, and IP-HTTPS tunneling interfaces are present and their state (connected or disconnected).
netsh interface ipv6 show interfaces level=verbose
This command shows the set of IPv6 interfaces on a computer and detailed information about their configuration.
The following is an example of the output from the netsh interface ipv6 show interfaces level=verbose command on a DirectAccess server.
Interface Loopback Pseudo-Interface 1 Parameters
----------------------------------------------
IfLuid : loopback_1
IfIndex : 1
State : connected
Metric : 50
Link MTU : 4294967295 bytes
Reachable Time : 31000 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 0
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : disabled
Neighbor Unreachability Detection : disabled
Router Discovery : enabled
Managed Address Configuration : disabled
Other Stateful Configuration : disabled
Weak Host Sends : enabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
Interface isatap.corp.contoso.com Parameters
----------------------------------------------
IfLuid : tunnel_4
IfIndex : 13
State : connected
Metric : 25
Link MTU : 1280 bytes
Reachable Time : 16500 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 0
Site Prefix Length : 64
Site Id : 1
Forwarding : enabled
Advertising : enabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : disabled
Router Discovery : enabled
Managed Address Configuration : disabled
Other Stateful Configuration : disabled
Weak Host Sends : enabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : enabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
Interface isatap.isp.example.com Parameters
----------------------------------------------
IfLuid : tunnel_5
IfIndex : 14
State : connected
Metric : 25
Link MTU : 1280 bytes
Reachable Time : 36000 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 0
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : disabled
Router Discovery : enabled
Managed Address Configuration : disabled
Other Stateful Configuration : disabled
Weak Host Sends : enabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
Interface Corpnet Parameters
----------------------------------------------
IfLuid : ethernet_6
IfIndex : 11
State : connected
Metric : 20
Link MTU : 1500 bytes
Reachable Time : 19500 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 1
Site Prefix Length : 64
Site Id : 1
Forwarding : enabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : enabled
Router Discovery : enabled
Managed Address Configuration : enabled
Other Stateful Configuration : enabled
Weak Host Sends : enabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
Interface 6TO4 Adapter Parameters
----------------------------------------------
IfLuid : tunnel_6
IfIndex : 15
State : connected
Metric : 25
Link MTU : 1280 bytes
Reachable Time : 37000 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 0
Site Prefix Length : 64
Site Id : 1
Forwarding : enabled
Advertising : disabled
Neighbor Discovery : disabled
Neighbor Unreachability Detection : disabled
Router Discovery : enabled
Managed Address Configuration : disabled
Other Stateful Configuration : disabled
Weak Host Sends : enabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
Interface Teredo Tunneling Pseudo-Interface Parameters
----------------------------------------------
IfLuid : tunnel_7
IfIndex : 16
State : connected
Metric : 50
Link MTU : 1280 bytes
Reachable Time : 13500 ms
Base Reachable Time : 15000 ms
Retransmission Interval : 2000 ms
DAD Transmits : 0
Site Prefix Length : 64
Site Id : 1
Forwarding : enabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : enabled
Router Discovery : enabled
Managed Address Configuration : disabled
Other Stateful Configuration : disabled
Weak Host Sends : enabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
Interface IPHTTPSInterface Parameters
----------------------------------------------
IfLuid : tunnel_8
IfIndex : 17
State : connected
Metric : 50
Link MTU : 1280 bytes
Reachable Time : 35000 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 1
Site Prefix Length : 64
Site Id : 1
Forwarding : enabled
Advertising : enabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : enabled
Router Discovery : enabled
Managed Address Configuration : disabled
Other Stateful Configuration : disabled
Weak Host Sends : enabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
Interface Internet Parameters
----------------------------------------------
IfLuid : ethernet_9
IfIndex : 12
State : connected
Metric : 20
Link MTU : 1500 bytes
Reachable Time : 37000 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 1
Site Prefix Length : 64
Site Id : 1
Forwarding : enabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : enabled
Router Discovery : enabled
Managed Address Configuration : enabled
Other Stateful Configuration : enabled
Weak Host Sends : enabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
You use the netsh interface ipv6 show interfaces level=verbose command on a DirectAccess server to verify that forwarding has been enabled on the 6to4, Teredo, IP-HTTPS, ISATAP, and local area network (LAN) interfaces and that advertising has been enabled on the IP-HTTPS and ISATAP interfaces.
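One way to automate this check, as an added Python example that is not part of the original topic: it parses a capture of the verbose output and lists every interface that does not meet the forwarding and advertising expectations stated above. The function names and the EXPECTED table are hypothetical, the interface names are the ones from this topic's lab output, and the sample capture is constructed with two deliberate faults.

```python
"""Check 'netsh interface ipv6 show interfaces level=verbose' on a DirectAccess server."""
import re

IFACE = re.compile(r"^Interface (.+) Parameters$")

# Expectations from the text: forwarding on the 6to4, Teredo, IP-HTTPS, ISATAP and
# LAN interfaces; advertising on the IP-HTTPS and ISATAP interfaces. The interface
# names are those of the lab output (assumption: adjust them for another server).
EXPECTED = {
    "6TO4 Adapter": {"Forwarding": "enabled"},
    "Teredo Tunneling Pseudo-Interface": {"Forwarding": "enabled"},
    "IPHTTPSInterface": {"Forwarding": "enabled", "Advertising": "enabled"},
    "isatap.corp.contoso.com": {"Forwarding": "enabled", "Advertising": "enabled"},
    "Corpnet": {"Forwarding": "enabled"},
    "Internet": {"Forwarding": "enabled"},
}

def parse_interfaces(text):
    """Map interface name -> {parameter: value} from the verbose listing."""
    ifaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = IFACE.match(line)
        if match:
            current = ifaces.setdefault(match.group(1), {})
        elif current is not None and " : " in line:
            key, _, value = line.partition(" : ")
            current[key.strip()] = value.strip()
    return ifaces

def check_forwarding(text, expected=EXPECTED):
    """Return (interface, setting, wanted, actual) for every unmet expectation."""
    ifaces = parse_interfaces(text)
    findings = []
    for name, wanted in expected.items():
        if name not in ifaces:
            findings.append((name, "interface", "present", "missing"))
            continue
        for setting, value in wanted.items():
            actual = ifaces[name].get(setting, "missing")
            if actual != value:
                findings.append((name, setting, value, actual))
    return findings

# Constructed sample: trimmed to three parameters per interface, with the Teredo
# interface absent and advertising disabled on IPHTTPSInterface as deliberate faults.
SAMPLE = """\
Interface isatap.corp.contoso.com Parameters
----------------------------------------------
State : connected
Forwarding : enabled
Advertising : enabled
Interface Corpnet Parameters
----------------------------------------------
State : connected
Forwarding : enabled
Advertising : disabled
Interface 6TO4 Adapter Parameters
----------------------------------------------
State : connected
Forwarding : enabled
Advertising : disabled
Interface IPHTTPSInterface Parameters
----------------------------------------------
State : connected
Forwarding : enabled
Advertising : disabled
Interface Internet Parameters
----------------------------------------------
State : connected
Forwarding : enabled
Advertising : disabled
"""

if __name__ == "__main__":
    for finding in check_forwarding(SAMPLE):
        print("%s: %s should be %s, found %s" % finding)
```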
netsh interface ipv6 show route
This command shows the entries in the IPv6 route table. The following is an example of the output from the netsh interface ipv6 show route command on a DirectAccess server.
Publish Type Met Prefix Idx Gateway/Interface Name
------- -------- --- ------------------------ --- ------------------------
No Manual 256 ::1/128 1 Loopback Pseudo-Interface
1
No Manual 8 2001::/32 16 Teredo Tunneling Pseudo-I
nterface
Yes Manual 1000 2002::/16 15 6TO4 Adapter
No Manual 256 2002:836b:2::836b:2/128 15 6TO4 Adapter
Yes Manual 256 2002:836b:2:1::/64 13 isatap.corp.contoso.com
No Manual 256 2002:836b:2:1::/128 13 isatap.corp.contoso.com
No Manual 256 2002:836b:2:1:0:5efe:10.0.0.2/128 13 isatap.corp.cont
oso.com
Yes Manual 256 2002:836b:2:2::/64 17 IPHTTPSInterface
No Manual 256 2002:836b:2:2::/128 17 IPHTTPSInterface
No Manual 256 2002:836b:2:2:6d5c:17f7:69e8:dd2b/128 17 IPHTTPSInter
face
No Manual 256 2002:836b:3::836b:3/128 15 6TO4 Adapter
No Manual 256 fe80::/64 11 Corpnet
No Manual 256 fe80::/64 12 Internet
No Manual 256 fe80::/64 16 Teredo Tunneling Pseudo-I
nterface
No Manual 256 fe80::/64 17 IPHTTPSInterface
No Manual 256 fe80::5efe:10.0.0.2/128 13 isatap.corp.contoso.com
No Manual 256 fe80::200:5efe:131.107.0.2/128 14 isatap.isp.example.
com
No Manual 256 fe80::200:5efe:131.107.0.3/128 14 isatap.isp.example.
com
No Manual 256 fe80::45d1:e335:2f5e:865c/128 11 Corpnet
No Manual 256 fe80::6d5c:17f7:69e8:dd2b/128 17 IPHTTPSInterface
No Manual 256 fe80::8000:f227:7c94:fffd/128 16 Teredo Tunneling Pse
udo-Interface
No Manual 256 fe80::c862:7866:fd45:2ccf/128 12 Internet
No Manual 256 ff00::/8 1 Loopback Pseudo-Interface
1
No Manual 256 ff00::/8 17 IPHTTPSInterface
No Manual 256 ff00::/8 16 Teredo Tunneling Pseudo-I
nterface
No Manual 256 ff00::/8 11 Corpnet
No Manual 256 ff00::/8 12 Internet
You use the netsh interface ipv6 show route command to troubleshoot reachability problems for communication between DirectAccess clients and the DirectAccess server and between DirectAccess clients and intranet resources. You can also use the netsh interface ipv6 show route command to determine the IPv6 prefix that the DirectAccess server is advertising to IP-HTTPS clients, which is the 64-bit route that begins with 2 or 3 and has the Gateway/Interface Name of IPHTTPSInterface (2002:836b:2:2::/64 in the example).