Updated: Can I Migrate My Windows DirectAccess Configuration to UAG DirectAccess?

(Updated Oct 5, 2010)

I’ve seen a number of questions asking if there was a method you could use to migrate your Windows DirectAccess configuration to a UAG DirectAccess deployment.

The answer to this question is that there is no automated method to do this. However, the manual steps aren’t very difficult. Here’s what you need to do:

  • Open the Windows DirectAccess console and turn off the DirectAccess configuration. This will disable the DirectAccess server side configuration on the Windows DirectAccess server.
  • Open the Group Policy Management console and delete the two or three Group Policy Objects created by the Windows DirectAccess wizard. If you didn’t create any end-to-end security connections, then there will be two. If you did configure some end-to-end security connections, then there will be three.
  • Change the ISATAP DNS record if you are going to use a different IP address for the internal interface of the UAG DirectAccess server.
  • UPDATE: If you set up Active Directory subnets corresponding to your ISATAP prefix, you might want to consider removing them to keep things well organized.
  • UPDATE: If you are not going to reuse the certificates you used for the IP-HTTPS listener and the machine certificate for the former DirectAccess server’s computer account, you might want to revoke those.
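The steps above are all manual console work; as an added example (not from the original post, and not a Microsoft-supplied tool), the following PowerShell script carries out the server-side cleanup in one pass with `-WhatIf` support so every deletion can be previewed first. It assumes the RSAT modules GroupPolicy, DnsServer and ActiveDirectory are installed on the machine you run it from; the GPO name pattern, DNS zone, ISATAP host name, new UAG internal address and subnet list are placeholders you must verify against your own environment before running it.

```powershell
# Added example (not part of the original post): automate the cleanup steps of a
# Windows DirectAccess -> UAG DirectAccess migration.
# ASSUMPTIONS (not stated on the page): GPO display-name pattern, DNS zone name,
# ISATAP record name, UAG internal IP, ISATAP subnet list. Run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]   $DnsZone           = 'corp.example.com',     # assumed AD-integrated zone
    [string]   $IsatapHost        = 'ISATAP',               # assumed A-record name
    [string]   $NewUagInternalIP  = '10.0.0.20',            # assumed UAG internal interface IP
    [string]   $GpoNamePattern    = 'DirectAccess Policy*', # assumed wizard GPO name pattern
    [string[]] $IsatapSubnets     = @()                     # assumed, e.g. '2002:836b:2:1::/64'
)

Import-Module GroupPolicy
Import-Module DnsServer
Import-Module ActiveDirectory

# Step 2: delete the two or three GPOs the Windows DirectAccess wizard created.
# Refuse to continue if the pattern matches more than that, so an overly broad
# wildcard cannot delete unrelated policies.
$gpos = @(Get-GPO -All | Where-Object { $_.DisplayName -like $GpoNamePattern })
if ($gpos.Count -gt 3) {
    throw "Pattern '$GpoNamePattern' matched $($gpos.Count) GPOs; expected 2 or 3. Refine the pattern."
}
foreach ($gpo in $gpos) {
    if ($PSCmdlet.ShouldProcess($gpo.DisplayName, 'Remove-GPO')) {
        Remove-GPO -Guid $gpo.Id -Confirm:$false
    }
}

# Step 3: repoint the ISATAP A record at the UAG server's internal interface.
$oldRecords = @(Get-DnsServerResourceRecord -ZoneName $DnsZone -Name $IsatapHost `
                -RRType A -ErrorAction SilentlyContinue)
foreach ($rec in $oldRecords) {
    $target = "$IsatapHost.$DnsZone -> $($rec.RecordData.IPv4Address)"
    if ($PSCmdlet.ShouldProcess($target, 'Remove-DnsServerResourceRecord')) {
        Remove-DnsServerResourceRecord -ZoneName $DnsZone -InputObject $rec -Force
    }
}
if ($PSCmdlet.ShouldProcess("$IsatapHost.$DnsZone -> $NewUagInternalIP", 'Add-DnsServerResourceRecordA')) {
    Add-DnsServerResourceRecordA -ZoneName $DnsZone -Name $IsatapHost -IPv4Address $NewUagInternalIP
}

# Step 4: remove the AD Sites and Services subnets created for the old ISATAP prefix.
foreach ($prefix in $IsatapSubnets) {
    $subnet = Get-ADReplicationSubnet -Filter "Name -eq '$prefix'" -ErrorAction SilentlyContinue
    if ($subnet -and $PSCmdlet.ShouldProcess($prefix, 'Remove-ADReplicationSubnet')) {
        Remove-ADReplicationSubnet -Identity $subnet -Confirm:$false
    }
}

# Step 5 is done on the issuing CA rather than from this script, e.g.
#   certutil -revoke <SerialNumber> 4     # reason code 4 = Superseded
# Revoke the old IP-HTTPS and computer certificates only if they will not be reused
# on the UAG server.
```

Invoke it as `.\Cleanup-WindowsDA.ps1 -WhatIf -IsatapSubnets '2002:836b:2:1::/64'` (the file name and subnet are placeholders) to see what would be removed, then rerun without `-WhatIf`. Deleting the DirectAccess GPOs also strips the client-side settings they carried at the clients' next policy refresh, which is why step 1 (turning off the server configuration) comes first and why you want the UAG policies in place before clients pick up the change.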

That’s all there is to it!

Now you can install UAG on the server that you had configured as the Windows DirectAccess server, or you can install UAG on a completely different server.

Let me know if you run into any issues with your migration from Windows DirectAccess to UAG DirectAccess. If this scenario is popular enough, I’ll put together a Test Lab Guide that demonstrates the process!

(Thanks to Yaniv Naor for the heads up on this)

(Thanks to Pat Telford for the information included in the update)



Tom Shinder
Microsoft DAIP iX/SCD iX
UAG Direct Access/Anywhere Access Group (AAG)

Comments (2)

  1. Anonymous says:

    How are client workstations affected?

    Is there a way to leave the existing DA server in place and stand up UAG DA with a different Security Group and the new GPOs, then move the computers from the old group into the new so they can pull gpupdate over DirectAccess and transfer to the new UAG server?

    I am looking for a way to get existing DA clients to use a new UAG server on a new IP / Internet connection without needing them to bring their laptops in to the office.

  2. Pat Telford says:

    …and if you went far enough along in your Windows DirectAccess deployment that you set up Active Directory subnets corresponding to your previous ISATAP prefix, you should probably remove those IPv6 subnets from AD in the name of tidiness. If you are not going to re-use them, you might want to revoke the certificates on the server you used for IP-HTTPS and IPsec too.
