Multiple DirectAccess Servers (different entry points)

    Question

  • Can anyone point me in the direction of documentation or recommended configuration for implementing multiple DirectAccess servers in a single domain?

    I want roaming users in different countries to connect to a local DA server - e.g.

    da-au.domain.com

    da-us.domain.com

    But, I'm guessing when I set up/configure da-au it will create the GPOs etc., then when I set up da-us it will overwrite the GPOs.

    What is the proper way to achieve this?

    Thursday, October 25, 2012 11:13 AM

Answers

  • Hi,

    I suggest you use the TLG for demonstrating DirectAccess MultiSite, it can be found at http://technet.microsoft.com/en-us/library/hh831461.aspx

    A few things though.
    The builtin feature for Multi-Site only works with Windows Server 2012 as the server.
    It is also important to note that only Windows 8 clients can roam between different endpoints.
    Windows 7 clients need to be assigned to a specific endpoint (and therefore a separate GPO will be created for each endpoint where you have Windows 7 clients assigned).

    Best wishes,
    Jonas Blom


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Thursday, October 25, 2012 6:06 PM
  • There is a TLG that walks through it: http://technet.microsoft.com/en-us/library/hh831461.aspx

    Basically you walk through configuring your main site first, which sets up the GPOs. Then from that primary interface you configure the multi-site capabilities and start adding your other Remote Access servers, from the primary interface. That way the whole environment knows about all of the entry points.

    Keep in mind, multi-site only works for Windows 8 clients. Win7 clients will point at one particular server. You can do "multi-sites" for Windows 7 and set up multiple entry points that do not know about each other (and then distribute your Win7 clients manually depending on what group they are part of), and each of them will have its own GPOs and client groups. That is how we have done it for UAG/Win7 in the past.

    Thursday, October 25, 2012 6:11 PM

All replies

  • Thanks to both of you for pointing me in the right direction.

    It's amazing how much doco exists on TechNet, just a shame it can be difficult to navigate/find.

    Thursday, October 25, 2012 11:24 PM
  • LOL, sorry Jonas I promise I didn't just copy and paste your answer :) I must have been typing my response when you posted yours!
    Friday, October 26, 2012 2:00 PM
  • Know the feeling, managed to do that myself once or twice.
    And with two so similar answers one can most certainly say it's the right answer(s). ;)


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Saturday, October 27, 2012 7:54 AM
    In a situation where you had 2 sites both with DA 2012 with connecting Win7 clients. If site 1 failed how could you redirect Win 7 clients to site 2? Would the clients originally configured for site 1 need to have their laptops brought back into the office and added to the site 2 group to have new DA settings applied for site 2? Or am I over complicating the multisite feature with 2012 and Win7? Thanks
    Friday, December 21, 2012 1:20 AM
  • That is correct, Windows 7 clients can only contain one set of connection settings at a time, so they need a "swing" of their GPO settings. This can obviously be done by bringing them into the office, or by connecting them over a VPN of some sort. With a UAG based multi-site DirectAccess solution I always setup a UAG portal on each UAG DirectAccess server that is hosted SSTP VPN, that way if this situation ever happens, the users can simply launch an IE favorite pointing them to the SSTP portal on the other server, and as soon as they login to that portal SSTP VPN launches and they are connected. They can then work over this VPN if they choose to, or the VPN can be used as the connectivity platform to push their new GPO settings down so that they are now connected via DirectAccess to this other entry point.

    Server 2012 doesn't have any UAG portal capabilities :( but it does allow you to use RRAS at the same time as DirectAccess, so you could sort of do the same thing by having the user connect to a traditional VPN, just a little clunkier than the UAG portal in my opinion.

    Friday, December 21, 2012 1:50 PM
  • Hi,

    In a 2012 server setup with 2 sites, and hence 2 clusters, is it possible to just whack a load balancer in front or round robin DNS?

    Our provider has told us it's not possible to do a stretched VLAN. Is a stretched VLAN necessary for the cluster in 2012?  The original design was on UAG 2010 but we have since changed to 2012.

    At the minute if a site goes down we lose half our users and have no way of pointing users at the other site without another VPN to update policy or coming into the office.

    We are a Windows 7 only shop right now.

    Thanks

    Tuesday, February 12, 2013 11:29 AM
    No, unfortunately Windows 7 computers will only have a connection toward one entry point, and it is not supported to do either a stretched VLAN or a load balancer in front of the two sites. The IP-HTTPS connection can easily be swung by using a DNS service, but ultimately the Win7 clients will have IPsec connection rules on them from the GPOs that point their IPsec connections at particular IP addresses, and so even if you swing IP-HTTPS, the IPsec tunnels will not build on the new tunnel.

    With UAG in "Multi-Site" mode like you have, I always stand up a UAG portal on each cluster that auto-launches SSTP VPN. That way if a user loses their connection in the event of a datacenter down situation, they can simply launch an IE shortcut they have for the portal in the other datacenter, and be connected that way. With 2012, you would have to put regular VPN connections on the machines as the backup connectivity method.

    Tuesday, February 12, 2013 2:39 PM
  • 
    Thanks. Do the GPOs not point to DNS names rather than IPs?  If that's the case I don't understand how round robin DNS or a load balancer could not cope with that if it has the same name on the internet as the GPOs?  That situation is to point at 2 clusters.  How do I actually achieve a single cluster across data centres?  Thanks again for your advice.
    Tuesday, February 12, 2013 9:05 PM
  • The transition tunnels (IP-HTTPS and Teredo) point at DNS names, but the IPsec tunnels that build inside of the transition tunnels point at IP addresses. So you can swing the transition tunnels, but your computer will be trying to build IPsec tunnels to the other IPs, and it won't work. For a Windows 7 computer to swing from one set of IPs to another, it needs a Group Policy update.

    You cannot do a single cluster across data centers. I have heard some folks do it with stretched VLAN, but even that is frowned upon by Microsoft because the latency can cause all kinds of problems.

    Tuesday, February 12, 2013 10:09 PM
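    Added example (editor's, not from anyone in this thread): a quick way to see the two layers Jordan describes on a Windows 8 / Server 2012 DirectAccess client. The IP-HTTPS profile carries a URL (a DNS name), while the tunnel-mode IPsec connection security rules delivered by the client GPO carry literal remote tunnel endpoints. It assumes the NetworkTransition, NetSecurity and DnsClient PowerShell modules that ship with Windows 8; the function name Get-DATunnelTargets is made up for this example. On Windows 7 the same facts come from "netsh interface httpstunnel show interfaces" and "netsh advfirewall consec show rule name=all".

```powershell
# Added example, not from the thread. Requires Windows 8 / Server 2012 modules:
# NetworkTransition (Get-NetIPHttpsConfiguration), NetSecurity (Get-NetIPsecRule)
# and DnsClient (Resolve-DnsName). Run in an elevated PowerShell on a DA client.

function Get-DATunnelTargets {
    # Transition tunnel: ServerURL is https://<dns-name>:443/IPHTTPS, so a DNS
    # change (round robin, a failover record) can move it to another server.
    $iphttps = Get-NetIPHttpsConfiguration -PolicyStore ActiveStore |
        Select-Object ProfileName, ServerURL, State

    # IPsec tunnels built inside it: tunnel-mode connection security rules whose
    # RemoteTunnelEndpoint is an address, fixed until Group Policy is refreshed.
    $ipsec = Get-NetIPsecRule -PolicyStore ActiveStore |
        Where-Object { $_.Mode -eq 'Tunnel' } |
        Select-Object DisplayName, RemoteTunnelEndpoint

    [pscustomobject]@{
        IPHttps      = $iphttps
        IPsecTunnels = $ipsec
    }
}

$targets = Get-DATunnelTargets

"IP-HTTPS profile (DNS name, can be swung with DNS):"
$targets.IPHttps | Format-Table -AutoSize

"IPsec tunnel endpoints (addresses from the client GPO, need gpupdate to change):"
$targets.IPsecTunnels | Format-Table -AutoSize

# Show which server the IP-HTTPS host name currently resolves to.
foreach ($profile in $targets.IPHttps) {
    if ($profile.ServerURL) {
        $hostName = ([uri]$profile.ServerURL).Host
        Resolve-DnsName -Name $hostName -Type A | Select-Object Name, IPAddress
    }
}
```

    If you change the DNS record for the IP-HTTPS host, the first table follows it on the next reconnect, but the second table keeps the old endpoints until the computer gets the other entry point's GPO; that is the mismatch that leaves a Windows 7 client with a transition tunnel up and no IPsec tunnels inside it.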
  • Thanks Jordan, that makes sense.

    If I can achieve a stretched VLAN I assume I would need it on both sides of the connection (internet and intranet) to enable NLB?  I have 2 NIC edge setup. 4 servers, 2 in each site with NLB enabled on both clusters.

    Thanks

    Wednesday, February 13, 2013 6:22 PM
    Correct, your stretched VLAN would have to accommodate both internal and external, and you would be setting it up as one single array with 4 members. They would be completely unaware that they were in different physical locations.
    Wednesday, February 13, 2013 7:04 PM
  • Hi guys, I have a related question.  We have two datacenters - one east coast US and one west coast US.  We would like to set up two separate DA servers, but in order to keep it simple and not have to deal with PKI, we would like to simply have east coast users use the east coast DA and west coast users use the west coast.

    I have read that we can simply set up two separate DA server installations, which is easy enough, but I am unclear as to exactly how this will work when it comes to the GPOs.  How do we make sure the two installations maintain their separate GPOs (filtering to clients should be straightforward enough)?

    thanks!

    Wes

    Monday, February 18, 2013 9:26 PM
  • In short, when you set them up do not run the Getting Started Wizard to configure DirectAccess. You should really never do that anyway in my opinion. When you run that shortcut tool it makes a bunch of default decisions which could probably cause some overlap in settings. However, if you run the full setup wizards for DirectAccess, you can define the GPO names that you want to use in each site. You simply set each DA server up independently, run through the full wizards on each, and make sure you use separate group and GPO names in each site.

    One note of importance: Going without PKI is only possible if all of your DirectAccess client computers are Windows 8. If you want to connect Windows 7 computers through DirectAccess at all (whether or not it is multi-site), you will still need certificates from your internal PKI. It's really not as complicated as it seems: http://www.ivonetworks.com/news/2012/05/directaccess-help-im-drowning-in-certificates/

    Plus, it's recommended. Using certificates is a better model even if you don't require them.

    • Proposed as answer by pesospesos Tuesday, February 19, 2013 6:50 PM
    Tuesday, February 19, 2013 5:49 PM
  • Thanks Jordan.  We do have an internal CA already set up, and we do have a public 3rd party cert in use for the IP-HTTPS.  I was under the impression that we needed to make the internal CA's CRL available externally, but I guess that's not necessary after all?  All clients are Win8.

    If we already have an existing DA set up with the default GPOs, can I simply go through the full wizard on the 2nd DA server now, and force it to create differently-named GPOs?

    thanks!

    Wes

    Tuesday, February 19, 2013 5:53 PM
  • If you are using a 3rd party cert for IP-HTTPS then you do NOT need to publish your internal CA's CRL.

    And yes you are correct, just run through the wizard, make sure you choose a new Group and GPO names, and then your clients will be able to connect through one entry point or the other simply based on what group they are a member of.

    Since you are all Windows 8, if you do deploy certificates you could then take advantage of Multi-Site DirectAccess where the client computers could be aware of both entry points and would be able to swing back and forth if they ever needed to. Issuing certs is very simple and would provide you with a huge benefit here.

    Tuesday, February 19, 2013 6:46 PM
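    Added example (editor's, not from Jordan or anyone in this thread): the "two independent entry points" setup described above, done with the Windows Server 2012 RemoteAccess cmdlets instead of the full wizard, so that each server gets its own GPO names and its own client security group and the second install cannot overwrite the first one's GPOs. The server names, group names, GPO names and interface names are assumptions, as is the helper name Install-IndependentDAServer; the security groups are expected to exist in AD already. The pre-check uses Get-GPO (GroupPolicy module) because, as Wes found, the GPO names can only be chosen on the first pass.

```powershell
# Added example, not from the thread. Run on each DirectAccess server in turn
# (RemoteAccess and GroupPolicy modules; Windows Server 2012).

function Install-IndependentDAServer {
    param(
        [Parameter(Mandatory)][string]$PublicName,      # e.g. da-au.domain.com (assumed)
        [Parameter(Mandatory)][string]$SiteTag,         # e.g. AU, US (assumed)
        [string]$Domain            = 'domain.com',      # assumed
        [string]$InternalInterface = 'Ethernet',        # assumed NIC names
        [string]$InternetInterface = 'Ethernet 2'
    )

    # Site-specific names: the whole point is that these never collide.
    $clientGpo   = "$Domain\DirectAccess Client Settings - $SiteTag"
    $serverGpo   = "$Domain\DirectAccess Server Settings - $SiteTag"
    $clientGroup = "$Domain\DA Clients - $SiteTag"

    # Refuse to continue if a GPO with either name already exists in the domain:
    # the GPO names are fixed once the first configuration pass has run.
    Import-Module GroupPolicy
    foreach ($gpo in @($clientGpo, $serverGpo)) {
        $shortName = $gpo.Split('\')[-1]
        if (Get-GPO -Name $shortName -ErrorAction SilentlyContinue) {
            throw "GPO '$shortName' already exists. Pick another name for site $SiteTag or remove the old config first."
        }
    }

    # Full install (not the Getting Started Wizard defaults) with explicit GPO names.
    Install-RemoteAccess -DAInstallType FullInstall `
        -ConnectToAddress  $PublicName `
        -ClientGpoName     $clientGpo `
        -ServerGpoName     $serverGpo `
        -InternalInterface $InternalInterface `
        -InternetInterface $InternetInterface `
        -Force

    # Only computers in this site's group should receive this entry point's
    # settings: add the site group, then drop any default group that was added.
    Add-DAClient -SecurityGroupNameList $clientGroup
    $others = (Get-DAClient).SecurityGroupNameList | Where-Object { $_ -ne $clientGroup }
    if ($others) { Remove-DAClient -SecurityGroupNameList $others }

    Get-DAClient | Select-Object SecurityGroupNameList
}

# On da-au:  Install-IndependentDAServer -PublicName 'da-au.domain.com' -SiteTag 'AU'
# On da-us:  Install-IndependentDAServer -PublicName 'da-us.domain.com' -SiteTag 'US'
```

    A computer's entry point is then decided purely by which of the two security groups it belongs to, and because the GPOs are filtered to those groups a computer placed in both would receive both sets of settings, so keep the group memberships mutually exclusive.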
  • Appreciate the tip - realized that when going through the full wizard, you only get one shot at altering the GPOs (the first time through) - subsequent passes have the GPO names set in stone and greyed out.  Tore down the existing server, then reconfigured both using the wizard and custom GPO names from the start - looks like we're good.  thanks!!
    Tuesday, February 19, 2013 6:50 PM
  • Good to hear that it's working! For future reference, you don't have to take down the server, there is a button in the configuration console to completely remove the DirectAccess config which wipes out the GPOs and everything, then you can simply re-run through the wizards. This only takes a few minutes as opposed to rebuilding a server :)

    Tuesday, February 19, 2013 6:58 PM
  • sorry yes - that's what I meant...  removed config and then re-ran the wizards... didn't tear down the actual OS installation :-)
    Tuesday, February 19, 2013 6:59 PM
  • Hi Jonas (and Jordan)

    I've checked out the TLG, however there is a significant difference between the TLG and my scenario.

    The TLG demonstrates setting up multiple DA servers in different Domains, in my case I want multiple DA servers in a single Domain.

    I'm not looking for roaming (although later when the org migrates to Windows 8 that would be nice), at this stage I just want local entry points for clients within their geographic area to maximise performance to local resources.

    Ben

    Wednesday, May 08, 2013 11:14 AM
  • You can still use the Multi-Site wizards to configure your environment. It will create multiple GPOs in your domain for the different entry points, and you will use different security groups to define which computers get which settings.

    In your scenario you could also choose to stand your DirectAccess servers up completely stand-alone if you wanted, run the wizards on each so that they aren't even aware of each other, but in the future if you move to Windows 8 and want to actually use the roaming part of Multi-Site, then you would have to go back and reconfigure the whole environment.

    Wednesday, May 08, 2013 12:33 PM
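    Added example (editor's, not from anyone in this thread): the other route Jordan mentions, enabling Multi-Site on the primary server and adding the second entry point from there, so every entry point knows about the others. It uses the Windows Server 2012 RemoteAccess cmdlets; the deployment name, entry point names, server names, GPO names, group names and interface names are all assumptions. Windows 8 clients then receive the shared multi-site settings and can roam; Windows 7 clients are pinned to one entry point through the downlevel security group assigned to it, which is what produces the per-entry-point Windows 7 GPO Jonas describes.

```powershell
# Added example, not from the thread. Run on the primary DirectAccess server
# after it has been configured with the full wizard or Install-RemoteAccess.

# 1. Turn the existing single-server deployment into the first entry point.
Enable-DAMultiSite -Name 'Corp DirectAccess' -EntryPointName 'AU' -Force

# 2. Add the second server as an entry point from the primary. ClientGpoName and
#    ServerGpoName are the GPOs created for this entry point (the client GPO is
#    the one its Windows 7 clients receive); assumed names.
Add-DAEntryPoint -Name 'US' `
    -RemoteAccessServer 'da-us.domain.com' `
    -ConnectToAddress   'da-us.domain.com' `
    -InternalInterface  'Ethernet' `
    -InternetInterface  'Ethernet 2' `
    -ClientGpoName      'domain.com\DirectAccess Client Settings - US' `
    -ServerGpoName      'domain.com\DirectAccess Server Settings - US' `
    -Force

# 3. Windows 8 clients: one group, they can use either entry point.
Add-DAClient -SecurityGroupNameList 'domain.com\DA Clients - Win8'

# 4. Windows 7 clients cannot roam, so each geography gets its own downlevel
#    group tied to its local entry point.
Add-DAClient -EntrypointName 'AU' -DownlevelSecurityGroupNameList 'domain.com\DA Win7 Clients - AU'
Add-DAClient -EntrypointName 'US' -DownlevelSecurityGroupNameList 'domain.com\DA Win7 Clients - US'

# 5. Verify what the deployment now knows about.
Get-DAMultiSite
Get-DAEntryPoint
Get-DAClient | Select-Object SecurityGroupNameList, DownlevelSecurityGroupNameList
```

    Compared with two stand-alone servers, this costs you the computer certificates (Multi-Site needs PKI) but saves the full reconfiguration Jordan warns about if roaming is wanted later, and moving a Windows 7 computer to the other entry point is still a group change plus a Group Policy refresh, not a DNS change.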