Migrate DirectAccess from 2012 to 2012 R2

    Question

  • I know I'm a bit early, but is there perhaps any guidance available on migrating DA from WS2012 to WS2012 R2? Is an in-place upgrade also supported? I'm only considering this as we'll be standardizing on R2.

    How would one approach this from one WS2012 to another WS2012? I'm thinking not much has changed in R2.

    Saturday, September 14, 2013 5:31 PM

Answers

All replies

  • Hi,

    I didn’t find any official guide about the migration; but I think there will be.

    Personally, I don’t think Windows Server 2012 R2 will make a lot of changes.

    Here is some information about 2012 R2:

    What's New in Windows Server 2012 R2

    http://technet.microsoft.com/en-us/library/dn250019.aspx

    In addition, we have the Windows Server 2012 R2 preview released; you can test before RTM is released:

    TechNet Evaluation Center

    http://technet.microsoft.com/en-us/evalcenter/dn205286.aspx

    Hope this helps.

    Monday, September 16, 2013 9:36 AM
  • Thank you Danile, I already have access to RTM bits, I installed it and did a quick test, but didn't find any differences. The reason for migrating is purely for standardization. All new servers will be WS2012 R2 and I'd like to move our DirectAccess solution to R2 as well (we're still testing it, it will be much harder once it's in full production).
    Monday, September 16, 2013 10:21 AM
  • There are not any significant changes in R2 related to DirectAccess. The easiest way to "swing" is going to be bringing a new R2 instance online in parallel to your existing DA instance, and then swinging the clients from one to the other by changing their group membership. This should all be pretty straightforward if you aren't using ISATAP. If you are using ISATAP, it gets considerably more complicated. I do these kinds of migrations all the time (mostly from UAG to 2012 currently, but it's the same story) - feel free to keep my contact info for when the time comes if you need any assistance: jordan.krause@ivonetworks.com
    Monday, September 16, 2013 2:13 PM
  • Thank you Jordan. An additional question, I assume I have to rename (in the Remote Access wizard) either the existing or the new DirectAccess Client/Server Settings, then just link them at the appropriate OU or group membership.

    I'm using ISATAP on just two servers, SCCM and an additional monitoring/Remote Control box.

    Tuesday, October 01, 2013 8:44 AM
  • Are you bringing a new 2012 R2 box online to take over DirectAccess? If this is the case, you can leave your old environment running and bring the new one online as a second DA entry point. Just make sure during the wizards to specify different GPO and group names to keep everything separated from the old environment.

    While making this transition, typically I disable ISATAP in the network. If you have ISATAP running globally (which it sounds like you don't, but many people do), then the new DA server will set itself up as an ISATAP host and will cause all sorts of trouble for you. Disable ISATAP, then bring the new system online and cut users over to it, then you can rebuild ISATAP, this time pointing the ISATAP hosts to the new DA server.

    Tuesday, October 01, 2013 1:00 PM
  • Thank you for this, would you ever consider doing an in-place upgrade?
    Saturday, October 19, 2013 4:57 PM
  • I think that I would only do that if I could know that my remote clients would be able to either come into the office if they needed to for new Group Policy settings, or be able to host VPN connections to accomplish the same thing. If you take down the 2012 server and bring a 2012 R2 up in its place, with the same IPs and name, chances are that the existing GPO is not going to like it and the DA console on the server isn't going to pick up the configuration from the existing GPOs. You'll still be configuring DA as if this were a new server, and you can specify to use the same GPOs, but at the end of the wizard it's going to re-write settings in the GPO with new ones. Now, they are going to be the same settings (except for the filtering setting for the server GPO), so there is certainly a chance that when you finish this, the clients will simply start connecting right away. But...there is also a chance that they won't, and that you'll have to connect them in some way to do a gpupdate before they will connect. I haven't tried this exact scenario to be able to tell you for sure.

    If you have more IPs available, and bring the two boxes online in parallel, then you can "swing" clients from one to the other by simply changing their group membership settings. This way you can move all DA clients over to the new system at whatever pace you would like, and when you confirm that they are all connecting through the new entry point, you can shut down the old one and delete the old GPOs.

    Monday, October 21, 2013 12:48 PM
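
The group-membership "swing" described in the reply above, sketched as an added example that is not from any participant in this thread. It assumes the ActiveDirectory PowerShell module; the group names `DA-Clients-2012` and `DA-Clients-2012R2` and the function name `Move-DAClientBatch` are hypothetical placeholders for the security groups each deployment's client GPO is filtered on.

```powershell
#Requires -Modules ActiveDirectory
# Added example: function name, group names and batch size are hypothetical.
function Move-DAClientBatch {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$OldGroup  = 'DA-Clients-2012',    # hypothetical: filters the old client GPO
        [string]$NewGroup  = 'DA-Clients-2012R2',  # hypothetical: filters the new client GPO
        [int]$BatchSize    = 10
    )

    # DirectAccess clients are computer accounts; skip any other member type.
    $batch = @(Get-ADGroupMember -Identity $OldGroup |
        Where-Object { $_.objectClass -eq 'computer' } |
        Sort-Object Name |
        Select-Object -First $BatchSize)

    $moved = @()
    foreach ($computer in $batch) {
        if ($PSCmdlet.ShouldProcess($computer.Name, "Move from $OldGroup to $NewGroup")) {
            # Add before removing so a failure never leaves a client in neither
            # group, which would take both client GPOs out of scope for it.
            Add-ADGroupMember    -Identity $NewGroup -Members $computer -ErrorAction Stop
            Remove-ADGroupMember -Identity $OldGroup -Members $computer -Confirm:$false -ErrorAction Stop
            $moved += $computer.Name
        }
    }

    # Re-read both groups. A computer in both would be in scope of both client
    # GPOs at once, so report any overlap for cleanup.
    $old = @(Get-ADGroupMember -Identity $OldGroup | Where-Object { $_.objectClass -eq 'computer' })
    $new = @(Get-ADGroupMember -Identity $NewGroup | Where-Object { $_.objectClass -eq 'computer' })
    $newDns = $new | ForEach-Object { $_.distinguishedName }

    [pscustomobject]@{
        Moved          = $moved
        RemainingInOld = $old.Count
        InBoth         = @($old | Where-Object { $newDns -contains $_.distinguishedName } |
                           ForEach-Object { $_.Name })
    }
}

# Dry run first; drop -WhatIf to apply the change.
Move-DAClientBatch -BatchSize 5 -WhatIf
```

A computer's new group membership only takes effect once it refreshes its Kerberos ticket (normally at reboot) and processes Group Policy, so each batch should still be able to reach a domain controller, over the old entry point or the LAN, when it is moved.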
  • Jordan, thank you yet again.

    My question was, could I just put a 2012 R2 .iso in our existing 2012 DA server and just upgrade it? Our users would be redirected to using another vendor's VPN solution in the time of the upgrade.

    Monday, October 21, 2013 1:46 PM
  • That is a very good question! To which I have no answer. :)

    I have done that exact procedure to move a Surface Pro to be a Surface Enterprise, but I haven't tried it with Server 2012 to R2...

    Monday, October 21, 2013 3:10 PM
  • I made a snapshot and tried it and haven't found any issues so far...it just worked.
    Tuesday, October 22, 2013 8:37 PM
  • Awesome!
    Tuesday, October 22, 2013 8:41 PM