DirectAccess GPO Issues

  • Question

  • I have been trying to set up DirectAccess for over a week now and I can't seem to get the GPO to apply the settings for DirectAccess to the clients. I checked the GPO and the settings are present, and on the clients I ran "gpresult /r /scope:computer" and it shows the policy is applied, yet when I check the settings none of them are in place.

    C:\Windows\system32>gpresult /r /scope:computer
    
    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    c 2012 Microsoft Corporation. All rights reserved.
    
    Created on 10/6/2012 at 2:26:56 AM
    
    
    RSOP data for ****\**** on ***** : Logging Mode
    -------------------------------------------------------------
    
    OS Configuration:            Member Workstation
    OS Version:                  6.2.9200
    Site Name:                   Default-First-Site-Name
    Roaming Profile:             N/A
    Local Profile:               C:\Users\******
    Connected over a slow link?: No
    
    
    COMPUTER SETTINGS
    ------------------
        CN=*****,CN=Computers,DC=*****,DC=****
        Last time Group Policy was applied: 10/6/2012 at 2:05:47 AM
        Group Policy was applied from:      *****.******.*****
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        *******
        Domain Type:                        Windows 2008 or later
    
        Applied Group Policy Objects
        -----------------------------
            DirectAccess Client Settings
            Default Domain Policy
    
        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)
    
            DirectAccess Server Settings
                Filtering:  Denied (Security)
    
        The computer is a part of the following security groups
        -------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            BUILTIN\Users
            NT AUTHORITY\NETWORK
            NT AUTHORITY\Authenticated Users
            This Organization
            ******$
            Domain Computers
            Authentication authority asserted identity
            System Mandatory Level
    
    C:\Windows\system32>netsh dns show state
    
    Name Resolution Policy Table Options
    --------------------------------------------------------------------
    
    Direct Access Settings                : Not Configured
    
    DNSSEC Settings                       : Not Configured
    
    
    C:\Windows\system32>


    • Edited by Pyr3x Saturday, October 6, 2012 9:31 AM
    Saturday, October 6, 2012 9:26 AM

All replies

  • Hi,

    Use GPMC and verify that the DirectAccess Client Settings GPO is correct and actually contains settings.
    To be sure that it has not been corrupted somehow and that is the reason.

    Have you double-checked other settings also?
    (For example, the list of domains in NRPT can be seen with netsh namespace show policy)


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Saturday, October 6, 2012 3:26 PM
  • The GPO does in fact have the settings; I did verify that.

    C:\Windows\system32>netsh namespace show policy
    
    DNS Name Resolution Policy Table Settings
    
    
    
    C:\Windows\system32>

    Saturday, October 6, 2012 5:51 PM
  • Hi,

    Since your OS version matches Windows 8, I just want to verify: you are using Windows 8 Enterprise, right?
    In Windows 8, this is the only version where DirectAccess is enabled.

    If you are using Enterprise, create a temporary GPO with some custom setting and verify that the setting is applied correctly.


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Sunday, October 7, 2012 7:26 AM
  • You were right and I caught it way late in the game. I was using Windows 8 Pro; after switching out to Enterprise everything fell into place and I am able to use DirectAccess.

    My only concern now is that I can ping from the outside in and access shares; however, I am unable to ping from the inside out or even interact with the remote systems. Is this a limitation of DA or is something in my network still not right?


    • Edited by Pyr3x Monday, October 8, 2012 11:08 PM
    Monday, October 8, 2012 11:03 PM
  • Glad to hear you got it to work.

    Regarding manage-out (i.e., reaching external clients from the corporate network).
    For this to work you need to have an IPv6 address on those hosts that need to connect out to the external clients.
    This is basically an IPv6 routing issue.
    A good blog post that describes how to do this with a limited deployment of ISATAP is http://blog.msedge.org.uk/2011/11/limiting-isatap-services-to-uag.htm
    (Even though it refers to UAG, the same thing applies to a Windows Server 2012 setup.)


    Jonas Blom | Relevo AB | http://blog.nrpt.se


    Tuesday, October 9, 2012 7:26 AM
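
The checks that resolved this thread (GPO reported as applied, NRPT empty, client edition), combined into one client-side script. This is an added example, not code posted by anyone in the thread; the function name Test-DirectAccessClientPolicy is hypothetical, and it assumes English-language gpresult output and the GPO name shown in the gpresult listing above.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt on the client.
# Assumptions: English gpresult output; GPO name as shown in the thread's gpresult listing.
function Test-DirectAccessClientPolicy {
    param([string]$GpoName = 'DirectAccess Client Settings')

    # 1. Edition. Per the answer in the thread, Enterprise is the only
    #    Windows 8 edition where DirectAccess is enabled.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $isEnterprise = $os.Caption -match 'Enterprise'

    # 2. Is the GPO listed under "Applied Group Policy Objects"?
    $inApplied  = $false
    $gpoApplied = $false
    foreach ($line in (gpresult /r /scope:computer)) {
        if ($line -match 'Applied Group Policy Objects') { $inApplied = $true; continue }
        if ($line -match 'were not applied')             { $inApplied = $false }
        if ($inApplied -and $line.Trim() -eq $GpoName)   { $gpoApplied = $true }
    }

    # 3. NRPT rules present on the client (the thread checked this with
    #    "netsh namespace show policy").
    $nrptRules = @(Get-DnsClientNrptPolicy -ErrorAction SilentlyContinue)

    # Combine the three observations into one finding.
    $diagnosis = if (-not $gpoApplied) {
        'GPO is not in the applied list: check its link and security filtering.'
    } elseif ($nrptRules.Count -gt 0) {
        'GPO applied and NRPT populated: client policy is in place.'
    } elseif (-not $isEnterprise) {
        'GPO applied but NRPT empty on a non-Enterprise edition: the case in this thread.'
    } else {
        'GPO applied but NRPT empty on Enterprise: verify the GPO contents in GPMC and test with a temporary GPO.'
    }

    [pscustomobject]@{
        Edition       = $os.Caption
        GpoApplied    = $gpoApplied
        NrptRuleCount = $nrptRules.Count
        Diagnosis     = $diagnosis
    }
}

Test-DirectAccessClientPolicy | Format-List
```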