Windows Server 2012 DirectAccess implementation questions

  • Question

  • I am trying to implement a Windows Server 2012 DirectAccess and have a few questions regarding this.

    I am trying to install a DA server behind a NAT and with two network adapters (one in DMZ and one on internal network). I use PKI and need Windows 7 client support.

    The questions are:

      • Deployment guide
      • Does anyone know where to find a Windows Server 2012 DirectAccess deployment guide?
      • The only thing I can find is this from Microsoft: http://technet.microsoft.com/en-us/library/hh831416.aspx. At the bottom of the page there is a link for deployment, but it only takes me back to the same page the link is on. MS also has some guides for specific DA test labs, but they are very specific.
      • I can find a few blogs describing how to deploy DirectAccess in different scenarios but again they are very specific.
    • ISATAP
      • When installing DirectAccess in Windows Server 2008 R2 the DA server would be configured as an ISATAP router. When installing Windows Server 2012 DirectAccess the DA server is not configured as an ISATAP server. I think that is because DNA6to4 and DNS6to4 are now supported natively in 2012 DA. Is it correct that the DA server should not be configured as an ISATAP server?
      • As far as I can figure out (MS wrote it here http://technet.microsoft.com/en-us/library/hh831416.aspx) ISATAP or native IPV6 internally is needed to be able to manage-out. Is that correct?

    I have a nearly functional DA setup now. I can ping the DNS server and the DA server on their IPv6 addresses (from a client), but I have no DNS resolution for the other internal servers.

    Any ideas what I am missing?


    Thomas Forsmark Soerensen

    Wednesday, September 26, 2012 9:23 AM

Answers

  • Hi,

    For a step by step guide to install I would suggest that you use http://technet.microsoft.com/en-us/library/jj134158.aspx if you still need one.

    * Manage-Out
    You are correct regarding manage-out, some kind of IPv6 is needed on those clients that you need to do manage-out FROM.

    * ISATAP
    It is often suggested to skip deploying ISATAP globally on your infrastructure since it adds an extra layer of complexity to your internal environment.
    If you have the need to do manage-out and cannot/will not deploy native IPv6, it is often recommended to deploy an alternative ISATAP DNS record and enable it only on those selected clients that need it.


    Regarding your last comment, it sounds like you have an issue with establishing the IPsec tunnels.
    Check that your client and server have a machine certificate that matches their hostname.


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    • Proposed as answer by Jonas Blom Wednesday, September 26, 2012 1:50 PM
    • Marked as answer by Rick Tan (Moderator) Thursday, October 4, 2012 6:28 AM
    Wednesday, September 26, 2012 10:16 AM
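    The checks Jonas suggests (machine certificate matching the hostname, IPsec tunnels, and the NRPT that decides which names go to the internal DNS server) can all be read from a Windows 8 / Server 2012 DirectAccess client with built-in cmdlets. The script below is an added example, not code from the thread or from Microsoft; the internal name `fileserver.corp.example` is a placeholder to replace with a real internal host.

    ```powershell
    # Added example (not from the original thread). Run on a DirectAccess client.
    # Assumption: the machine certificate must carry the client's own FQDN.
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

    # 1. Machine certificate: private key present, subject or SAN matches the FQDN,
    #    and the chain builds to a trusted root (Test-Certificate, PKI module).
    $certs = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and
                       ($_.DnsNameList.Unicode -contains $fqdn -or $_.Subject -like "CN=$fqdn*") }
    if (-not $certs) {
        Write-Warning "No machine certificate with a private key matches $fqdn"
    }
    foreach ($c in $certs) {
        $chainOk = Test-Certificate -Cert $c -Policy BASE -ErrorAction SilentlyContinue
        '{0}  expires {1:d}  chain OK: {2}' -f $c.Thumbprint, $c.NotAfter, [bool]$chainOk
    }

    # 2. DirectAccess state and the IPsec main mode SAs to the DA server.
    #    No main mode SA at all points at authentication (certificate) rather than DNS.
    Get-DAConnectionStatus | Format-List Status, Substatus
    Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint,
        LocalFirstId, RemoteFirstId | Format-Table -AutoSize

    # 3. NRPT: the internal namespace must map to the DNS64 address of the DA server.
    Get-DnsClientNrptPolicy | Select-Object Namespace, NameServers | Format-Table -AutoSize

    # 4. Resolve an internal name through the NRPT; expect an AAAA answer (NAT64 prefix).
    Resolve-DnsName -Name 'fileserver.corp.example' -ErrorAction Continue
    ```

    If step 1 shows a certificate but step 2 shows no main mode SA, the certificate or its chain on one side is the first thing to fix; if the tunnels are up but step 4 fails, look at the NRPT entries and the DNS64 address before anything else.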

All replies

  • Hi Jonas,

    Thanks for your help. I have now a DirectAccess implementation with two servers in a NLB.

    Regarding the manage-out, I can understand that it is not needed when using SCCM and WSUS because it is client-initiated traffic. So if I can live without the option to remote connect (RDP or Dameware) from the internal network to the DA clients, then ISATAP is not needed.

    If I want to use ISATAP, isn't it a problem that (as far as I understand) you can only have one ISATAP server? Normally I would configure the ISATAP router on the DA server. But when I am running DA in an NLB cluster, where should I place the ISATAP router? Not on any of the DA servers, I suppose.

    And last, I have a problem. My DA servers in the NLB cluster are running fine for some time, and then they (one or both of them) will complain that they cannot connect to the internal DNS servers. I cannot ping the DNS servers, but I can ping the gateway on the internal network. As far as I remember I can also ping other internal servers, but I am not 100% sure here.

    Any suggestions?


    Thomas Forsmark Soerensen

    Friday, October 19, 2012 2:10 PM
  • Hi,

    A suggestion, post additional questions in a new/separate thread.
    That way you will get more people looking at the question instead of reusing an existing thread. (and it will also be easier for others that have similar problems/questions)

    Regarding ISATAP with NLB I can really only comment on old experiences with Forefront UAG, but I think/hope most of it will work the same in Windows Server 2012. (Still waiting for the time to test the setup myself in a lab environment.)
    Basically, I would try using the DA servers as your ISATAP routers; just make sure to add both the DIPs and the VIP addresses on your ISATAP DNS record.
    And another suggestion: follow the guide from Jason Jones to set up a unique ISATAP DNS record and only enable it on separate hosts where you need manage-out. You can find it here: http://blog.msedge.org.uk/2011/11/limiting-isatap-services-to-uag.html


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Wednesday, October 24, 2012 6:43 PM
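    Jonas's two suggestions (one ISATAP record holding every DA server's DIP plus the NLB VIP, and enabling ISATAP only on the hosts that do manage-out) map onto a handful of built-in cmdlets. The script below is an added example, not from the thread or from the linked guide; the zone `corp.example`, the record name `isatap-da` and the three addresses are placeholders.

    ```powershell
    # Added example (not from the original thread).
    # --- Part 1: on the internal Windows DNS server (DnsServer module) ---
    $zone      = 'corp.example'        # placeholder internal zone
    $record    = 'isatap-da'           # deliberately NOT "isatap", see block list below
    $addresses = @('10.0.1.11',        # placeholder: DIP of DA server 1
                   '10.0.1.12',        # placeholder: DIP of DA server 2
                   '10.0.1.10')        # placeholder: NLB VIP shared by both

    # Windows DNS refuses to answer for the names on its global query block list,
    # which contains "isatap" and "wpad" by default. A unique name sidesteps that
    # and keeps ordinary clients from auto-discovering ISATAP via the standard name.
    Get-DnsServerGlobalQueryBlockList

    # One A record per address; hosts that query the name get all three.
    Add-DnsServerResourceRecordA -ZoneName $zone -Name $record -IPv4Address $addresses

    # --- Part 2: only on a host that needs manage-out (e.g. a helpdesk workstation),
    #     never via a domain-wide GPO (NetworkTransition module) ---
    Set-NetIsatapConfiguration -Router "$record.$zone" -State Enabled

    # Verify: an ISATAP interface should now carry an IPv6 address whose
    # interface identifier embeds this host's IPv4 address after ::0:5efe:
    Get-NetIsatapConfiguration
    Get-NetIPAddress -InterfaceAlias 'isatap*' -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Select-Object InterfaceAlias, IPAddress, PrefixLength
    ```

    Keeping ISATAP off the standard name and off every other client is what limits the blast radius of the extra IPv6 transition layer Jonas warns about: only the explicitly enabled manage-out hosts get an ISATAP interface, and everything else stays unchanged.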
  • Hey Jonas,

    I think the old UAG guidance still holds true with regard to the ISATAP router DIP/VIP configuration and recommendations...


    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Wednesday, October 24, 2012 10:56 PM
  • Hi,

    With manage-out ISATAP, what happens if you have 2 clusters in 2 datacentres and half your clients are GPO'd and configured to point at one and half at the other? When the helpdesk computers initiate that connection, how does the helpdesk machine know which DA cluster the client is connected to in order to establish said connection?

    Thanks

    Wednesday, February 13, 2013 6:32 PM
  • I'm also working on that one; I presume a separate ISATAP router with awareness of your other DA entry points... Any ideas anyone?
    Friday, September 13, 2013 10:00 AM