So why would I even want to do this? Isn’t Direct Access great?

Well yes, when Direct Access is working it is great, unless you are using Citrix without a Citrix Secure Gateway. So why is it good to know how to manually remove Direct Access from a client? I ran into a problem last week: when I changed the Network Location Server (NLS) location, some clients got stuck. The NLS was changed, but the clients' NRPT did not pick up the change before the Direct Access connection was triggered, so they decided they were outside the corporate network and applied the Direct Access name resolution rules while sitting inside it. And to make things worse, the customer had a problem that stopped clients from connecting through Direct Access from the inside.

So there I was: as soon as a client refreshed the Direct Access GPO it stopped working. We disabled the GPO, which stopped new clients from getting into this dark place that is broken Direct Access. But we still had a couple of clients that were now on the corporate network yet still could not reach any resources. Fortunately, fixing a single computer is quite easy.

  • Make sure you have administrative rights (the keys live under HKLM)
  • Remove all keys below HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DnsClient\DnsPolicyConfig; each subkey is one NRPT rule delivered by the GPO
  • Restart the DNS Client service (service name Dnscache) so it re-reads the now empty NRPT

Now the client should be able to reach the network again and pull a working copy of the GPO with a standard gpupdate. Keep in mind that these keys are policy-managed: the next policy refresh re-creates whatever the GPO contains, so fix or disable the GPO before running gpupdate, otherwise the client lands straight back in the same state.

For simplicity I saved the required PowerShell:

# NRPT rules pushed by the DirectAccess GPO live as subkeys here (registry paths are case-insensitive)
$nrpt = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DnsClient\DnsPolicyConfig'
Get-ChildItem -Path $nrpt | ForEach-Object { Remove-Item -Path $_.PSPath -Recurse -Force }
# The DNS Client service only re-reads the NRPT when it starts, so restart it
Restart-Service -Name Dnscache
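A slightly more careful version of the same clean-up, added here as an example and not the script from the original post: it shows the rules currently in effect, keeps a .reg backup so the change can be reverted, removes the rule subkeys, restarts the DNS Client service and then verifies that no Direct Access rules remain. The backup location, the use of Get-DnsClientNrptPolicy for verification (available on Windows 8 / Server 2012 and later) and the handling of a service that refuses to restart are my assumptions, not something the post describes.

```powershell
#Requires -RunAsAdministrator
# Added example, not the original post's script: back up, remove and verify the
# GPO-delivered NRPT rules that leave a DirectAccess client stranded on the inside.

$nrpt   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DnsClient\DnsPolicyConfig'
$regKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DnsClient\DnsPolicyConfig'   # same key, reg.exe notation
$backup = Join-Path $env:TEMP ('NRPT-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))   # assumed backup location

if (-not (Test-Path $nrpt)) {
    Write-Host "No policy-based NRPT rules under $nrpt, nothing to remove."
    return
}

# 1. Record what is in effect right now (effective policy, including rules from Group Policy).
Write-Host '--- Effective NRPT rules before clean-up ---'
Get-DnsClientNrptPolicy | Format-Table Namespace, DirectAccessDnsServers, DirectAccessEnabled -AutoSize

# 2. Keep a copy of the rules; "reg import <file>" puts them back if the removal was a mistake.
& reg.exe export $regKey $backup /y | Out-Null
Write-Host "Backed up $regKey to $backup"

# 3. Remove every rule subkey; each child key under DnsPolicyConfig is one NRPT rule.
Get-ChildItem -Path $nrpt | ForEach-Object {
    Write-Host "Removing rule $($_.PSChildName)"
    Remove-Item -Path $_.PSPath -Recurse -Force
}

# 4. The DNS Client service only re-reads the NRPT when it starts. On recent Windows 10/11
#    builds the service is protected and cannot be stopped manually; a reboot is the fallback.
try {
    Restart-Service -Name Dnscache -ErrorAction Stop
} catch {
    Write-Warning "Could not restart Dnscache ($($_.Exception.Message)); reboot the client to apply the change."
}

# 5. Verify: with no DirectAccess rules left, corporate names resolve through normal DNS again.
Write-Host '--- Effective NRPT rules after clean-up ---'
$remaining = @(Get-DnsClientNrptPolicy | Where-Object { $_.DirectAccessEnabled })
if ($remaining.Count -eq 0) {
    Write-Host 'NRPT is clean. Fix or disable the GPO, then run "gpupdate /target:computer /force" to reapply it.'
} else {
    Write-Warning 'DirectAccess rules are still in effect (service not restarted, or rules from another source):'
    $remaining | Format-Table Namespace, DirectAccessDnsServers -AutoSize
}
```

The before/after listing is the useful part: if the "after" table still shows DirectAccessEnabled rules, the DNS Client service did not actually restart, and no amount of gpupdate will help until it does.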