Domain Controller as DirectAccess client

Question

  • I tried to set up a replica DC at an offsite location connected to my internal LAN (corpnet) via DirectAccess (not UAG DirectAccess).  dcpromo ran fine, but replication, at least when done manually using AD Sites and Services, failed after about 30 minutes with a message that the RPC server was unavailable.

    Details: the offsite DC registers its IPv6 (Teredo) address with the corpnet DC (because it's the offsite DC's DirectAccess DNS Server as set up by DA Group Policy), but that registration gets deleted during AD replication.  Additionally, the offsite DC registers only its IPv4 (private) address with itself, because its own DNS server doesn't listen on its Teredo interface.  In the end, only the private IPv4 address of the offsite DC is in DNS, so the offsite DC's FQDN is resolved to an unreachable address - hence the RPC server unavailable error.  Manually creating an AAAA record for the offsite DC's Teredo address doesn't work - it gets deleted.

    How to fix?

    Thanks.

    • Edited by sejong Tuesday, August 10, 2010 4:39 PM
    Monday, August 2, 2010 8:25 PM

Answers

  • Hi,

    You should probably post this in the Windows DirectAccess forum.

    This is the forum for UAG (and UAG DirectAccess) and the scenario of using a DC as a DirectAccess client is not supported in UAG.

    Tuesday, August 3, 2010 10:54 AM

All replies

  • Try standing up a UAG DirectAccess server - it might solve some of the problems that you're encountering - plus, we'll be able to give you insights into the issues on this forum :)

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Tuesday, August 3, 2010 11:25 AM
    Moderator
  • @ Yaniv Naor - Thanks for pointing out that using a DC as DirectAccess client is not supported in UAG.  I'll ask this question in the DirectAccess forum.

    @ Tom Shinder - I think UAG DirectAccess is overkill, cost-wise at least, for my SMB.

    Tuesday, August 3, 2010 4:37 PM
  • Hi Sejong,

    Ah, well that makes sense.

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Thursday, August 5, 2010 1:19 PM
    Moderator
  • Tom-

    Is DC as DirectAccess client supported in Windows DirectAccess (as opposed to UAG DirectAccess)?

    I think there is much benefit, even for SMBs, in having offsite backup, including an offsite DC.  Toward that end, we have an offsite DPM Server that is a DirectAccess client, and would like to have an offsite DC as well.

    Thursday, August 5, 2010 3:22 PM
  • Hi Sejong,

    I don't know if the Windows DA supports a DC as a DA client. I would suspect not - there are a number of issues that make this problematic and would have negative effects on performance. However, one thing that works well in a branch office is BranchCache in distributed mode, if you want to give that option a try.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Friday, August 6, 2010 12:07 PM
    Moderator
  • Tom-

    I read part 1 of your article on BranchCache.  I don't think BranchCache is a good fit for our needs, though.  We have remote users at jobsites that connect to application and mail servers on our corpnet via Remote Desktop, and that works great.  Even users inside the corpnet use Remote Desktop.  What I am looking for is an offsite disaster recovery capability.  I have filled part of that need with DPM, and thought that having an offsite DC would help to rebuild things in the event of a disaster.

    Thanks.

    Friday, August 6, 2010 6:25 PM
  • Hi Sejong,

    I see and it makes sense. I suppose you could put it on an isolated subnet so that no clients try to connect to it, but not sure what the Windows support statement is regarding that deployment.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Monday, August 9, 2010 1:58 PM
    Moderator
  • Back to the original post - and I think this would apply to UAG DirectAccess as well as Windows DirectAccess...

    I have been able to prevent my manually-created AAAA host record for the offsite DC's Teredo address from being deleted by using ADSI Edit to add a Deny "Write DNS Record" ACE for the DC's computer account to the DC's dnsNode object. With this ACE in place, Active Directory replication works.

    However, the DNS Server log shows an event 4011 every 20 minutes complaining that "The DNS server was unable to add or write an update of domain name dc1 in zone example.com to the Active Directory...(INSUFF_ACCESS_RIGHTS)". 

    So, it looks like the DNS Server service (and possibly other services, but I haven't checked) wants to write to the dnsRecord attribute of the dnsNode object for this DC. The dnsRecord attribute is multi-valued - each DNS address is a separate value. Interestingly, without the Deny ACE in place, values that contain DNS addresses are overwritten but values that contain text are not. For example, if a DNS Text record for the same DC is manually created, it is stored in the dnsRecord attribute, but is not overwritten.

    The underlying issue here is that the DNS Server doesn't listen on Teredo interfaces and Teredo addresses are not registered. If they were, the above-described behavior would not be a problem.

    Wednesday, August 18, 2010 2:11 PM
  • Not saying that this is supported, but the Teredo address should be automatically registered in DNS as long as the DNS server is accepting dynamic updates.

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Wednesday, August 18, 2010 4:15 PM
    Moderator
  • Tom-

    Yes and no. 

    Yes, the DNS Servers on both the corpnet and offsite DCs are accepting dynamic updates.

    Yes, the offsite DC's Teredo address is automatically registered in DNS of the corpnet DC per the NRPT. 

    No, the Teredo address is not automatically registered on the offsite DC's own DNS, even if a rule applying to the offsite DC is added to the NRPT to use interface-configured DNS instead of the corpnet DNS.

    My checking shows that in an up-to-date installation of Server 2008 R2, the DNS Server listens on active isatap interfaces and registers their addresses.  It does not do so for Teredo interfaces.  I don't know about 6to4 interfaces.

    You probably know the history on this, but it's my impression that in RTM Server 2008 R2 the DNS Server did not listen on isatap interfaces or register their addresses, but this behavior has been changed by a Windows Update.

    Wednesday, August 18, 2010 5:00 PM
  • Update-

    A better workaround (for DirectAccess client DC DNS registration in the absence of automatic registration of Teredo address) is to add a PublishAddresses value (REG_MULTI_SZ) to HKLM\SYSTEM\CurrentControlSet\services\DNS\Parameters, and put the (private and static) IPv4 and (Teredo) IPv6 addresses in it.  This avoids Event 4011.

    Older MSKB articles refer to the PublishAddresses value being of type REG_SZ, but REG_MULTI_SZ works.

    Thursday, August 19, 2010 2:15 PM
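A scripted form of the PublishAddresses workaround from the post above, added here as an example and not taken from the thread. It assumes it is run elevated on the offsite DC, and the two addresses in $Addresses are constructed placeholders to be replaced with the DC's own static IPv4 and current Teredo IPv6 address.

```powershell
# Added example: set PublishAddresses (REG_MULTI_SZ) so the DNS Server service
# registers the DC's private IPv4 and Teredo IPv6 addresses, as the post describes.
# $Addresses are constructed placeholders; replace with the DC's real addresses.
$Addresses = @('10.0.1.5', '2001:0:9d38:6ab8:1c2f:3a4b:f5ff:fefa')
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

# Only publish addresses that parse and are actually assigned to a local interface;
# a typo here would advertise an unreachable address for the DC in AD-integrated DNS.
$local = [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() |
    ForEach-Object { $_.GetIPProperties().UnicastAddresses } |
    ForEach-Object { $_.Address.ToString() }

$valid = foreach ($a in $Addresses) {
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($a, [ref]$ip)) {
        Write-Warning "Not an IP address, skipped: $a"; continue
    }
    if ($local -notcontains $ip.ToString()) {
        Write-Warning "Not assigned to a local interface, skipped: $a"; continue
    }
    $ip.ToString()
}
if (-not $valid) { throw 'No usable addresses; PublishAddresses left unchanged.' }

# Keep the previous value so the change can be reverted if registration misbehaves.
$before = (Get-ItemProperty -Path $KeyPath -Name PublishAddresses `
           -ErrorAction SilentlyContinue).PublishAddresses
Write-Host "Previous PublishAddresses: $(if ($before) { $before -join ', ' } else { '<not set>' })"

# Write the value as REG_MULTI_SZ (the post reports this type works) and restart
# the DNS Server service so it picks up the new list of addresses to register.
New-ItemProperty -Path $KeyPath -Name PublishAddresses -PropertyType MultiString `
    -Value ([string[]]$valid) -Force | Out-Null
Restart-Service -Name DNS

# Trigger re-registration now rather than waiting for the periodic refresh, then
# query the local DNS server for the DC's A and AAAA records to confirm both appear.
$fqdn = [System.Net.Dns]::GetHostEntry('').HostName
ipconfig /registerdns | Out-Null
nslookup -type=A    $fqdn 127.0.0.1
nslookup -type=AAAA $fqdn 127.0.0.1
```

A Teredo address encodes the NAT's external mapping and can change when that mapping changes, so the published IPv6 value has to be refreshed whenever the DC's Teredo address changes; checking for DNS Server event 4011 after the restart confirms the ACE-based workaround is no longer needed.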