DirectAccess 2012 default DNS records were scavenged

    Question

  • Hoping someone can tell me what the default DNS records look like when set up by the DirectAccess 2012 Wizard.  Unfortunately DNS scavenging came along and removed them.  For each of the following DNS records:

    • directaccess-corpConnectivityHost
    • directaccess-webProbeHost
    • directaccess-NLS

    I need to know:

    • do I need an IPv4 'A' record, or IPv6 'AAAA' record, or both?
    • what is the IP address that this name points to?  (e.g. internal i/face of DA server, etc)

    Thanks in advance for any assistance.  I'm trying to avoid having to restore a backup of my DNS server just to look at what was there before it got scavenged.

    Note for Microsoft: please 'fix' this Wizard so that the DNS records it creates are not subject to scavenging!

    Tuesday, October 15, 2013 9:17 PM

Answers

  • OK, from memory.

    • DirectAccess-CorpConnectivityHost A record 127.0.0.1
    • DirectAccess-CorpConnectivityHost AAAA record <ISATAP interface of the URA Server>
    • DirectAccess-WebProbeHost A record <Internal Interface URA Server>

    I'm not sure for the second one.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    • Marked as answer by 0499FROSTY Wednesday, October 23, 2013 11:32 PM
    Wednesday, October 16, 2013 11:03 AM

All replies

  • Thanks for the info.  Looks quite correct.  I double-checked by retrieving a backup of our DC which hosts the DNS records from back before they were scavenged.  The records that were created by default were:

    directaccess-corpConnectivityHost 'A' pointing to: 127.0.0.1

    directaccess-corpConnectivityHost 'AAAA' pointing to: blah...blah...blah... :7f00:0001

    directaccess-WebProbeHost 'A' pointing to the internal IPv4 address of our DA server

    So it looks like I don't need any DNS records for the -NLS name at all with our configuration.

    Thanks!

    Wednesday, October 23, 2013 11:39 PM
  • Hi,

    You need an NLS DNS record. It does not need to be named NLS, but your URA server needs to resolve the DNS name of your NLS web site. If you provided an existing web site in your DirectAccess configuration, this web site won't be reachable by DirectAccess clients connected on the Internet. They will be able to reach it on the LAN.

    For example, it's not a good idea to use your Intranet as NLS because it won't be available to users connected with DirectAccess.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Thursday, October 24, 2013 8:20 AM
  • Yep, in the DirectAccess server config it specifies that the DA server will be the NLS reference point. The wording is as follows:

    "The Network Location Server is deployed on the Remote Access server"

    The certificate used for authentication is the DA server's PKI certificate from our domain.  The server name would only be resolvable internally.  Plus port 62000 on the DA server would only be accessible internally.

    So we don't need a 'special' NLS DNS record; we are just using the internal server name (internal FQDN) of the DA server.

    Thursday, October 24, 2013 10:02 PM
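    The following PowerShell script is an added example and is not from any post in this thread. It audits the three DirectAccess records the thread recovered from backup (A and AAAA for directaccess-corpConnectivityHost, A for directaccess-WebProbeHost), re-creates any that are missing as static records so that scavenging cannot remove them again, and then checks the inside view of the NLS name and port discussed above. The zone name, DA server addresses, IPv6 prefix and NLS name are placeholders; it assumes the DnsServer module on a Windows DNS server, and Test-NetConnection requires Windows Server 2012 R2 / Windows 8.1 or later.

```powershell
<#
  Added example (not from any post in this thread).
  Audits / re-creates the DirectAccess DNS records as static (non-aging)
  records and checks the inside view of the NLS name.
  All default values below are placeholders for this example.
#>
param(
    [string]$ZoneName       = 'corp.example.com',            # placeholder: the AD DNS zone
    [string]$DaInternalIPv4 = '10.0.0.5',                    # placeholder: DA server internal IPv4
    [string]$DaIPv6Prefix   = 'fd00:0:0:7777::',             # placeholder: leading part of the AAAA value the wizard created
    [string]$NlsFqdn        = 'da-server.corp.example.com',  # placeholder: NLS name (here the DA server's internal FQDN)
    [int]   $NlsPort        = 62000,                         # NLS port mentioned in the thread
    [switch]$Remediate                                       # re-create aging records as static ones
)

# The three records the thread recovered from backup. The AAAA value ends in
# 7f00:1 (127.0.0.1 written in hex); the prefix in front of it is whatever the
# wizard used in your deployment.
$desired = @(
    @{ Name = 'directaccess-corpConnectivityHost'; Type = 'A';    Value = '127.0.0.1' },
    @{ Name = 'directaccess-corpConnectivityHost'; Type = 'AAAA'; Value = "${DaIPv6Prefix}7f00:1" },
    @{ Name = 'directaccess-WebProbeHost';         Type = 'A';    Value = $DaInternalIPv4 }
)

function Add-StaticRecord($Name, $Type, $Value) {
    # Add-DnsServerResourceRecordA/AAAA create static records unless -AgeRecord
    # is given, so records added this way are not candidates for scavenging.
    if ($Type -eq 'A') {
        Add-DnsServerResourceRecordA    -ZoneName $ZoneName -Name $Name -IPv4Address $Value
    } else {
        Add-DnsServerResourceRecordAAAA -ZoneName $ZoneName -Name $Name -IPv6Address $Value
    }
}

foreach ($r in $desired) {
    $existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $r.Name -RRType $r.Type `
                                            -ErrorAction SilentlyContinue
    if (-not $existing) {
        Write-Warning "$($r.Name) $($r.Type) is missing (scavenged?) - re-creating as a static record"
        Add-StaticRecord $r.Name $r.Type $r.Value
        continue
    }
    foreach ($rr in $existing) {
        $val = if ($r.Type -eq 'A') { $rr.RecordData.IPv4Address.IPAddressToString } else { $rr.RecordData.IPv6Address.IPAddressToString }
        # A non-empty Timestamp means the record is aging and can be scavenged again.
        if ($rr.Timestamp) {
            Write-Warning "$($r.Name) $($r.Type) = $val is AGING (timestamp $($rr.Timestamp))"
            if ($Remediate) {
                Remove-DnsServerResourceRecord -ZoneName $ZoneName -Name $r.Name -RRType $r.Type `
                                               -RecordData $val -Force
                Add-StaticRecord $r.Name $r.Type $val
                Write-Host "  re-created $($r.Name) $($r.Type) = $val as a static record"
            }
        } else {
            Write-Host "$($r.Name) $($r.Type) = $val [static]"
        }
    }
}

# NLS check, inside view only: on the LAN the NLS name must resolve and answer on
# its HTTPS port, because a DA client that cannot reach the NLS assumes it is on
# the Internet. The thread's other requirement, that the NLS is NOT reachable
# from the Internet, can only be verified from an outside vantage point.
$nls = Resolve-DnsName -Name $NlsFqdn -Type A -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
if (-not $nls) {
    Write-Warning "NLS name $NlsFqdn does not resolve internally"
} else {
    $tnc = Test-NetConnection -ComputerName $NlsFqdn -Port $NlsPort -WarningAction SilentlyContinue
    Write-Host ("NLS {0} -> {1}; TCP/{2} reachable from here: {3}" -f $NlsFqdn, $nls.IPAddress, $NlsPort, $tnc.TcpTestSucceeded)
}
```

    Run it without -Remediate first to see which records are missing or aging; with -Remediate, aging records are removed and re-added without -AgeRecord, which is the PowerShell equivalent of clearing "Delete this record when it becomes stale" in the DNS console and addresses the scavenging complaint in the original question.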
  • So problem closed.

    One point, you won't be able to use the URA internal name as probe for the DAC/NAC. That's the only limitation of this design.

    Best regards.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Friday, October 25, 2013 9:08 AM