Unable to activate DirectAccess UAG configuration - The adapter configured as external-facing is connected to a domain. This interface cannot be used with UAG DirectAccess.

DESCRIPTION:

July 02, 2012 21:53:10    Error    The adapter configured as external-facing is connected to a domain. This interface cannot be used with UAG DirectAccess.
July 02, 2012 21:53:10    Error    The UAG DirectAccess configuration cannot be activated.
July 02, 2012 21:53:10    Error    DirectAccess could not be activated.

CAUSE:

How Domain Determination Works

In all cases, detection starts the same way it does in Windows XP. If the connection-specific DNS name matches the HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName registry value, the machine attempts to contact a domain controller via LDAP. If both of these steps succeed, the adapter gets the Domain profile. It is important to note that if the steps succeed, processing stops here. This allows you to roam across multiple access points in the same domain without having to stop and identify each of them individually.

If you restart the UAG server, you can see connections from the external IP address reaching the internal domain controllers.

If you restart the Network Location Awareness service again after UAG / TMG has fully started, no more connections arrive from the external IP address.

The connection occurs during startup because, when you restart UAG or TMG, the NLA service (NlaSvc) starts faster than the TMG Firewall service (fwsrv).

During that window the connection from the external IP address to the DC is not controlled by the firewall, so the connection is allowed.


RESOLUTION:

Make sure that Network Location Awareness starts only after fwsrv: edit the DependOnService registry value for NlaSvc and add fwsrv to it.
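One way to apply this change in PowerShell, as an added example that is not part of the original article. It assumes the service names NlaSvc and fwsrv named above, the standard HKLM\SYSTEM\CurrentControlSet\Services registry path, and an elevated session on the UAG server.

```powershell
# Added example (not from the original article): make the NLA service depend on the
# TMG Firewall service so that NlaSvc starts only after fwsrv.
# Assumptions: service names 'NlaSvc' and 'fwsrv' as used in the article; run elevated
# on the UAG server; a reboot applies the new start order.
$svcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc'
$required = 'fwsrv'

# DependOnService is a REG_MULTI_SZ; read it as a string array (empty if absent).
$current = @((Get-ItemProperty -Path $svcKey -Name 'DependOnService' -ErrorAction SilentlyContinue).DependOnService |
             Where-Object { $_ })
Write-Host "Current NlaSvc dependencies: $($current -join ', ')"

if ($current -contains $required) {
    Write-Host "'$required' is already a dependency of NlaSvc; nothing to change."
} else {
    # Refuse to proceed if the firewall service is not installed: a dependency on a
    # missing service would stop NlaSvc from starting at all.
    if (-not (Get-Service -Name $required -ErrorAction SilentlyContinue)) {
        throw "Service '$required' not found; is TMG installed on this server?"
    }
    $updated = $current + $required
    Set-ItemProperty -Path $svcKey -Name 'DependOnService' -Value ([string[]]$updated) -Type MultiString
    Write-Host "Added '$required' to NlaSvc DependOnService. Reboot to apply the new start order."
}

# Verify by reading the value back from the registry (the service control manager
# picks up the new dependency list at the next boot).
$verify = (Get-ItemProperty -Path $svcKey -Name 'DependOnService').DependOnService
if ($verify -contains $required) {
    Write-Host "Verified: NlaSvc now depends on $($verify -join ', ')"
} else {
    throw "DependOnService for NlaSvc does not contain '$required' after the update."
}
```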