direct access from home with windows 7 ultimate

    Question

  • What would be the easiest method to set up direct access on a home computer running on Windows 7 Ultimate?  To get the group policy applied you have to join the domain, but how could you do this if you are not physically connected to the domain network? I have tested with Windows 8 Enterprise using an offline join, but as far as I know that method does not work with Windows 7. We do have VPN access to our domain, but I don't know if it is possible to join the domain over a VPN connection. 
    Thursday, March 07, 2013 4:21 PM

Answers

  • I got it to work by using the PowerShell command 'add-computer'. For some reason using the control panel to join the domain did not work.
    Tuesday, March 12, 2013 4:45 PM
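    Added example, not code posted by anyone in this thread: a PowerShell script for a Windows 7 client on a third-party VPN that first checks which DNS servers are in use and whether the domain's SRV record resolves and its DCs are reachable (the two failures reported further down), then joins with Add-Computer using the full DNS name. The domain FQDN and account name are placeholders; PowerShell 2.0 syntax is assumed.

```powershell
# Added example (not from the thread). Placeholders: $DomainFqdn and the join account.
$DomainFqdn = 'ad.example.com'   # full DNS name, not the NetBIOS name 'AD'

# 1. Which DNS servers is the client really using? Over the VPN these must be the
#    internal servers, so the VPN connection must sit above LAN/WLAN in binding order.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, DNSServerSearchOrder, DNSDomainSuffixSearchOrder |
    Format-List

# 2. Resolve the SRV record the domain join relies on, using the FQDN so the query
#    is not the unqualified "_ldap._tcp.dc._msdcs.AD" that returned RCODE_NAME_ERROR.
$srvName = "_ldap._tcp.dc._msdcs.$DomainFqdn"
$srvOut  = nslookup -type=SRV $srvName 2>&1
$dcs = $srvOut | ForEach-Object {
    if ($_ -match 'svr hostname\s*=\s*(\S+)') { $Matches[1] }
}
if (-not $dcs) {
    throw "No SRV record for $srvName; the client is not querying the internal DNS."
}

# 3. "No domain controllers could be contacted" means the SRV targets resolved but
#    were unreachable. Test LDAP (389) and SMB (445) to each DC through the VPN.
foreach ($dc in $dcs) {
    foreach ($port in 389, 445) {
        $tcp = New-Object System.Net.Sockets.TcpClient
        try   { $tcp.Connect($dc, $port); $ok = $true } catch { $ok = $false }
        finally { $tcp.Close() }
        Write-Host ("{0}:{1} reachable={2}" -f $dc, $port, $ok)
    }
}

# 4. Join with the FQDN (what the accepted answer did with add-computer). Credentials
#    are prompted for, never embedded in the script. Reboot afterwards and reconnect
#    the VPN so the DirectAccess GPO and computer certificate can be applied.
$cred = Get-Credential "$DomainFqdn\joinaccount"
Add-Computer -DomainName $DomainFqdn -Credential $cred
```

Run it from an elevated PowerShell session while the VPN is connected; steps 1 to 3 are read-only and can be repeated until the DNS path is correct before attempting the join.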

All replies

  • Windows 7 does support djoin for offline domain joins.  Depending on the type of VPN connection you are making, you MAY be able to join the domain that way, but djoin would certainly work.  You have to first run it on your server, then the workstation using the file the server creates.


    C Shane Cribbs
    http://www.georgiatechnologies.com

    Thursday, March 07, 2013 5:36 PM
  • I tried on both Windows 7 Enterprise and Windows 8 Enterprise, and it only worked on Windows 8. When I did the DJOIN on Windows 8 it updated the registry with direct access configuration information and added a computer certificate. When I ran it on Windows 7 Enterprise it did neither of those things, so I was not able to connect to the intranet.
    Thursday, March 07, 2013 9:12 PM
  • Did you create the Windows 7 computer account and add it to the DirectAccessClients group?


    C Shane Cribbs
    http://www.georgiatechnologies.com

    Thursday, March 07, 2013 9:19 PM
  • Yes I did. I have a batch file that does it automatically. I also checked manually to make sure the computer account was in the correct group.
    Thursday, March 07, 2013 9:22 PM
  • Hi,

    Like you said in your first post, you will not get the GPO/Certificates for a Windows 7 client with Offline domain join. (You can do a domain join with Windows 7, but that is without the GPO settings and the certificates needed for DirectAccess.)

    My standard way to add machines to a DA setup when there is no "corporate network" where the clients can be joined locally is through a VPN connection.
    It will require a local account on the client of course and a few reboots with a manual reconnection of the VPN to get the GPO settings after the client has been joined.

    There actually was a thread regarding a way to do this without a VPN that you can read about in this thread (but I would still say that manually connecting the client through a VPN is much simpler and most likely will save you a lot of troubles and headaches):

    http://social.technet.microsoft.com/Forums/en/windowsserver2008r2networking/thread/af6b5602-bab1-4765-b161-5283f40457f1


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Friday, March 08, 2013 11:09 AM
  • I tried joining the domain through a vpn connection but when I try to join the domain the client can't find a domain controller:

    The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "AD":

    The error was: "DNS name does not exist."
    (error code 0x0000232B RCODE_NAME_ERROR)

    The query was for the SRV record for _ldap._tcp.dc._msdcs.AD

    Common causes of this error include the following:

    - The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:

    199.196.68.2
    199.196.68.1

    - One or more of the following zones do not include delegation to its child zone:

    AD
    . (the root zone)

    However, when I use nslookup to find the srv records it works, so I don't know why it is failing. We are using a third party vpn. I know direct access has a vpn feature but I have not installed or tried it. Is there any way to use the direct access vpn feature to accomplish the same thing?

    Friday, March 08, 2013 3:44 PM
  • Hi again,

    When you use nslookup, what DNS servers are listed?

    Since 199.196.68.1 and .2 are public IP addresses I would guess that these are the external DNS servers that your client has from the ISP/University where it is connected.
    To be able to join the domain it needs to query your internal DNS servers.

    Are 199.196.68.1 and .2 the DNS servers that are listed when you use nslookup?
    If not, check that the "Remote Access connections" are listed before your LAN/WLAN connections.

    You can find these settings by opening the Network Center -> select "Change adapter settings" and then Advanced -> Advanced Settings.

    //Jonas


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Friday, March 08, 2013 6:45 PM
  • The 199.*.*.* addresses are public addresses that we own and use internally. When we connect with VPN those are the addresses we use to look up internal sites. It just seems strange that when I use nslookup it returns the SRV addresses but the Windows domain join does not find them.
    Saturday, March 09, 2013 5:14 PM
  • On running packet traces, I see the problem but I don't know how to fix it. Our domain name is ad.milwaukee.gov. When I try to join the domain from a vpn connection, the client does a lookup for _ldap._tcp.dc._msdcs.AD, not _ldap._tcp.dc._msdcs.AD.MILWAUKEE.GOV, therefore the dns server returns 'record not found'. I tried configuring the client to use the proper dns suffix and it works when I do an nslookup, but when I try joining the domain the client never adds milwaukee.gov to the domain name. I don't know if there is a way to configure the dns server to respond the to dns query when the suffix only contains AD.
    Monday, March 11, 2013 5:11 PM
  • When you tell it to join the domain, do you enter AD.Milwaukee.gov or just AD?  Try the full DNS name if you are just using the shortened NetBIOS name.

    C Shane Cribbs
    http://www.georgiatechnologies.com

    Monday, March 11, 2013 5:42 PM
  • It does the same thing even if I put in the entire domain name. Just to see what happens I added a forward zone AD to our DNS server and added a CNAME so that _ldap._tcp.dc._msdcs.AD resolves to _ldap._tcp.dc._msdcs.AD.milwaukee.gov. Now I get the error:

    DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "AD":

    The query was for the SRV record for _ldap._tcp.dc._msdcs.AD

    The following domain controllers were identified by the query:
    mfd-mdc02v.ad.milwaukee.gov
    mfd-mdc01.ad.milwaukee.gov
    mc-domain.ad.milwaukee.gov
    exd2.ad.milwaukee.gov
    exd1.ad.milwaukee.gov
    metro.ad.milwaukee.gov
    metro2.ad.milwaukee.gov


    However no domain controllers could be contacted.

    Common causes of this error include:

    - Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.

    - Domain controllers registered in DNS are not connected to the network or are not running.

    The packet trace I am running shows a successful lookup for _ldap._tcp.dc._msdcs.AD but does not show any DNS lookups for the 'A' records returned.

    Monday, March 11, 2013 6:07 PM
  • Hi,

    Thank you for the post.

    “I tried on both Windows 7 Enterprise and Windows 8 Enterprise, and it only worked on Windows 8. When I did the DJOIN on Windows 8 it updated the registry with direct access configuration information and added a computer certificate. When I ran it on Windows 7 Enterprise it did neither of those things, so I was not able to connect to the intranet.” I think it’s normal behavior. DirectAccess offline domain join is a process that computers running Windows Server 2012 and Windows 8 can use to join a domain without being physically joined to the corporate network, or connected through VPN. The computer that you want to join to the domain must also be running Windows Server 2012 or Windows 8.

    Regards,


    Nick Gu - MSFT

    Tuesday, March 12, 2013 2:32 AM
    Moderator
  • The control panel is not the place where you need to go to connect to a domain.

    Press Windows+Pause/Break and then at the bottom you can change the machine name and domain as needed.


    Windows MVP, XP, Vista, 7 and 8. More people have climbed Everest than having 3 MVP's on the wall.

    Hardcore Games, Legendary is the only Way to Play

    Developer | Windows IT | Chess | Economics | Vegan Advocate | PC Reviews

    Tuesday, March 12, 2013 5:24 PM