IMPORTANT ANNOUNCEMENT FOR OUR READERS!
AskPFEPlat is in the process of a transformation to the new Core Infrastructure and Security TechCommunity, and will be moving by the end of March 2019 to our new home at https://aka.ms/CISTechComm (hosted at https://techcommunity.microsoft.com). Please bear with us while we are still under construction!
We will continue bringing you the same great content, from the same great contributors, on our new platform. Until then, you can access our new content on either https://aka.ms/askpfeplat as you do today, or at our new site https://aka.ms/CISTechComm. Please feel free to update your bookmarks accordingly!
Why are we doing this? Simple really; we are looking to expand our team internally in order to provide you even more great content, as well as take on a more proactive role in the future with our readers (more to come on that later)! Since our team encompasses many more roles than Premier Field Engineers these days, we felt it was also time we reflected that initial expansion.
If you have never visited the TechCommunity site, it can be found at https://techcommunity.microsoft.com. On the TechCommunity site, you will find numerous technical communities across many topics, which include discussion areas, along with blog content.
NOTE: In addition to the AskPFEPlat-to-Core Infrastructure and Security transformation, Premier Field Engineers from all technology areas will be working together to expand the TechCommunity site even further, joining together in the technology agnostic Premier Field Engineering TechCommunity (along with Core Infrastructure and Security), which can be found at https://aka.ms/PFETechComm!
As always, thank you for continuing to read the Core Infrastructure and Security (AskPFEPlat) blog, and we look forward to providing you more great content well into the future!
Hello there! Welcome to this edition of the Ask PFEPlat Blog. I’m Tom Daniels with the PFE team here to show you how to setup a basic DirectAccess server configuration. These instructions below will get you setup to allow Windows 8 clients to connect to your new DirectAccess server. It’s possible to get Windows 7 clients to connect to a Windows 2012 DirectAccess server but there are a few more steps and we’ll cover them another time. First we are going to get into some checklist items you should cover with any DirectAccess install which starts off below.
I wanted to build a running list of pre-setup checklist items you will want to do with every DirectAccess install. First and foremost you are going to need a licensed copy of Windows 2012 installed. You can choose either Windows 2012 Standard or Data Center Edition, either one has the same exact DirectAccess technical feature set. Once you’ve got the OS installed, the next step is to add the Remote Access role. This is the piece that’s going to provide the base components for us to get DirectAccess configured at a later time. Go into Add Roles and Features and check the Remote Access Role as shown below :
After you select the Role, it will prompt you to install some additional components which you can just select “Add features” to continue :
At this point you can keep hitting next until the Install option becomes available. This will install all the Remote Access components needed to get started with DirectAccess. After all these are installed, it’s very important to ensure you are downloading all available Windows Updates for the OS. Not only do we release security updates each month, starting with Windows 8 and Windows 2012 we also have been releasing monthly reliability updates that actually have updates for many OS components including DirectAccess. You can refer to the following article for more information :
We release these every single month and it’s very important to include them in your patch installs for Windows 2012 and Windows 8 systems. When building a new DirectAccess server, grab all of the monthly updates as part of the build process.
Once you have your new Windows 2012 server fully patched and the Remote Access role installed, there is one final list of DirectAccess Server related hotfixes to grab to avoid hitting known issues with the DirectAccess setup wizards. I would recommend downloading and installing every single one of these hotfixes for any DirectAccess install :
Once you get all the Windows Updates and list of hotfixes installed above, we can begin the basic setup for your new DirectAccess server. Let’s start by opening up the Remote Access management snap-in and then selecting the “Run the Getting Started Wizard” as shown below :
The next option you are presented with asks if you want to run this Remote Access server as a combination DirectAccess & VPN server, just a DirectAccess server, or just a VPN server :
It’s entirely possible to run this server as your central Remote Access solution providing DirectAccess for your domain joined Windows 7 & 8 machines while allowing VPN for other devices. In this scenario, we are just going to cover a DirectAccess deployment only so select option two (Deploy DirectAccess only). After you select your option, the setup wizard will analyze the OS configuration, network stack, and other prerequisites to ensure the server is ready to configure DirectAccess.
The next screen that gets presented will ask you about the network configuration you would like to use with DirectAccess :
It will ask if you want to configure the server on the edge (if your external facing network card has a public IPv4 address), second option is to configure the server behind an edge device (if the external facing network card has a NATed IPv4 address), or the third option presented is if you want to use a single network card behind the edge. Select which network profile best represents the server network configuration. You will also have to either create an external DNS entry and enter in the box at the bottom or enter in the Internet facing IPv4 address clients will use to connect.
The last and final screen that gets presented will give you a chance to review the configuration settings before applying them. I highly recommend you click on the “here” text that’s highlighted in blue :
There are a couple of important items to review. First one is the name of the GPOs that will be created. Two GPOs get created at the root of your domain by default. The first one by default is called “DirectAccess Server Settings”. This new GPO will be linked to the root of your domain but will use security filtering to only apply to the DirectAccess server computer object directly. This GPO has critical settings for the DirectAccess server itself and always needs to be applied.
The second GPO that gets created is called “DirectAccess Client Settings”. Just like the name mentions, this GPO will be linked to the root of the domain but again we use security filtering to scope the GPO to your DirectAccess clients.
Important note is that you can change the name of the GPOs that get created only during creation in this screen. Moving forward these will be the permanent names of the GPOs so feel free to change them to suit your environment at this time.
After reviewing the GPO names, the second item to pay attention is the Remote Clients section which includes the AD security group that will be used to security filter the “DirectAccess Client Settings” GPO. The default out of the box is to apply the DirectAccess Clients GPO to all Domain Computers that are mobile class hardware (we use a WMI filter to determine if a machine is a mobile computer). I would HIGHLY advise changing the scope to a different security group. Best practice is to create a new security group in AD and use this new security group as your DirectAccess Remote Clients scope. You will just need to remember to add new DirectAccess clients into this AD security group when you want to push out DirectAccess settings. Be sure you add computer accounts to this newly created AD security group, not user accounts since DirectAccess GPO settings are computer specific :
Now you can hit the finish button to create the GPOs and finalize the DirectAccess server and clients. A progress screen will pop up and give you the current status. You can click on the “more details” section to see what’s happening under the covers as shown here :
Make sure this finishes up all green and you will be set! One final fun fact about this progress screen is that you can right click on the bottom pane and expose an option called “copy script” :
This will actually give you the exact PowerShell command that was run to configure the DirectAccess!
This is great in case you ever need to setup DirectAccess again quickly using PowerShell. It’s also possible to run DirectAccess on server core and this would be the only way to configure a new DirectAccess server.
Now you will need to open up TCP/443 on your edge firewall to the DirectAccess server and then you should be ready to have your Windows 8 DirectAccess clients connect. We walked you though using the quick setup wizard and is great for a quick install for Windows 8 DirectAccess clients only. This is great to setup in the lab or a small pilot but I would caution against using this for a production install of DirectAccess. The full setup wizard is much better suited for a production install as it will ask many more questions needed for a proper install.
Hopefully these setups will get you started with DirectAccess. For more in-depth articles you can refer to my DirectAccess blog at www.DirectAccessGuide.com
Tom “Mr DirectAccess” Daniels