UAG DirectAccess Group Policy Assignment – Make Sure the Right Policies are Applied

[This article originally appeared in "The Edge Man" blog at http://blogs.technet.com/tomshinder/archive/2010/03/13/uag-directaccess-group-policy-assignment-make-sure-the-right-policies-are-applied.aspx]

(Discuss UAG DirectAccess issues on the TechNet Forums over at http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag)

When you run the configuration wizard on the UAG DirectAccess (DA) server, one of the things it does is create Group Policy Objects (GPOs) and Group Policy Settings in those GPOs. After the UAG DA server creates the GPOs and configures the settings, it can automatically deploy these settings into your domain. These settings are linked to the root of the domain that the UAG DA server belongs to. There are three GPOs created by the DA wizard, as seen in the figure below.

[Figure: the three GPOs created by the UAG DirectAccess configuration wizard, shown in the Group Policy Management Console]

These GPOs are:

  • UAG DirectAccess: AppServer {GUID} – these GPO settings are applied to machines that you include in the application server groups, which are called out at the end of the UAG DA configuration wizard. These policies enable end-to-end IPsec protection between the DA client and the destination server.
  • UAG DirectAccess: Client {GUID} – these GPO settings are applied to the DA clients. DA clients are assigned to a security group that you create when you configure the DA solution for your organization. There is no “built-in” DA clients security group; you need to create this yourself.
  • UAG DirectAccess: DaServer {GUID} – these GPO settings are applied to the UAG DA servers themselves. If you have a single UAG DA server, then these settings will be applied to that server. If you have an array of UAG DA servers, then the GPO settings will be applied to each of the servers in the UAG DA server array.

Group Policy assignment uses GPO Security Filtering to assign the GPO settings to the correct machines. In the figure below, you can see that I’ve selected the UAG DirectAccess: DaServer {GUID} policy in the left pane of the console. In the right pane, in the Security Filtering section, you can see that the policy is applied to the machine accounts of the two UAG DA servers participating in a UAG DA high availability array.

[Figure: the UAG DirectAccess: DaServer {GUID} GPO selected in the console, with the Security Filtering section listing the computer accounts of the two UAG DA array servers]

Security Filtering is also used to assign the GPO settings to the DA clients. In the figure below you can see that I’ve selected the UAG DirectAccess: Clients {GUID} GPO. In the right pane of the console you can see in the Security Filtering section that the GPO is applied to members of the DA_Clients (CORP\DA_Clients) security group. Keep in mind that DA is made available to computers, not users. Therefore, you need to put the computer accounts into the security group you’ve designated for your DA client computers. After you create the security group, add the computer accounts to that group. Then the DA Clients GPO settings will be applied to those machines.

[Figure: the UAG DirectAccess: Clients {GUID} GPO selected in the console, with the Security Filtering section listing the CORP\DA_Clients security group]

It’s critical that you apply the Group Policy settings to the correct computer accounts and groups. If you apply the DA Clients GPO settings to the wrong computers, some very bad things can happen, such as name resolution failing throughout your network in some scenarios. There can be many unintended effects if you apply the settings to all authenticated users or any of the built-in security groups included in Active Directory, such as the Domain Computers security group.

If you find that you’ve applied the GPOs to the wrong computers and end up with network connectivity or name resolution problems on your network, I recommend that you call Microsoft Customer Support Services (CSS). While there are some things I could suggest that might help fix the problem, this problem can show up in too many different scenarios for a generic solution to be likely to help in your case.

The UAG DA wizard will assign the correct GPO settings to the right computers if you made the correct selections in the wizard. For more information on how to use the UAG DirectAccess wizard, check out the UAG DirectAccess Deployment Guide at http://technet.microsoft.com/en-us/library/dd857320.aspx.

Comments
  • One important thing to note: if your UAG DA array servers reside in an OU which blocks inheritance, you will need to link the new DA Server and possibly the App Server GPOs to the container in which they reside. You should do this after applying the script that creates the GPOs, but before you click "Activate". It's also a good idea to wait 15 minutes to make sure the new policies and policy links have propagated to all of your domain controllers.

    Another special thing to note is that I have found that if you update your DA configuration in any way which requires you to re-apply and re-activate the changes, the links to those blocked containers disappear! So as a SOP, you should always follow my instructions whenever you make even the most minor of changes to your DA config.

    In hindsight, I think I may have to rethink my group policy design and rely more on security filtering and less on blocking inheritance.

    Good luck and cheers.
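The two things worth checking before you click "Activate" are the ones the article and the comment above each describe: that the "Apply Group Policy" right on the three UAG DirectAccess GPOs is filtered to the intended computer accounts and groups rather than to Authenticated Users, Domain Computers or another broad built-in principal, and that the GPOs actually reach a container whose inheritance is blocked. The following audit script is an added example written for this page; it is not from the article or from the UAG product. It assumes the GroupPolicy module (installed with the Group Policy Management Console) is available, that the caller can read the GPOs, and that the wizard-created GPOs keep the "UAG DirectAccess:" display-name prefix shown in the figures. The OU distinguished name is a placeholder you replace with your own.

```powershell
# Added audit script (not from the article or UAG). Assumes the GroupPolicy
# module is present and the UAG GPOs use the "UAG DirectAccess:" name prefix.
Import-Module GroupPolicy

# Broad principals that should never hold "Apply Group Policy" on these GPOs.
# Authenticated Users is the default filter on a freshly created GPO, so a
# hand-made or re-created policy can pick it up by accident.
$broadTrustees = @('Authenticated Users', 'Domain Computers', 'Domain Users', 'Everyone')

function Test-UagDaGpoFiltering {
    param([string]$NamePrefix = 'UAG DirectAccess:')

    $gpos = Get-GPO -All | Where-Object { $_.DisplayName -like "$NamePrefix*" }
    if (-not $gpos) { Write-Warning "No GPOs matching '$NamePrefix*' found."; return }

    foreach ($gpo in $gpos) {
        # -All lists one entry per trustee with the permission level granted.
        $perms   = Get-GPPermission -Guid $gpo.Id -All
        $applyTo = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }

        if (-not $applyTo) {
            # Nothing can receive the settings: the filter was emptied.
            [pscustomobject]@{ Gpo = $gpo.DisplayName; Trustee = '(none)'; SidType = ''; Status = 'NOT APPLIED' }
            continue
        }
        foreach ($p in $applyTo) {
            $name = $p.Trustee.Name
            [pscustomobject]@{
                Gpo     = $gpo.DisplayName
                Trustee = "$($p.Trustee.Domain)\$name"
                SidType = $p.Trustee.SidType        # Group, Computer, WellKnownGroup, ...
                Status  = if ($broadTrustees -contains $name) { 'RISK' } else { 'ok' }
            }
        }
    }
}

function Test-UagDaGpoLinks {
    # Checks that the UAG GPOs reach an OU even when that OU blocks inheritance,
    # the situation the commenter ran into with the DA array servers' OU.
    param(
        [Parameter(Mandatory)][string]$TargetOU,      # e.g. 'OU=DA Servers,DC=corp,DC=example' (placeholder)
        [string]$NamePrefix = 'UAG DirectAccess:'
    )
    $inh = Get-GPInheritance -Target $TargetOU
    # InheritedGpoLinks is the effective list after blocking and enforcement.
    $effective = $inh.InheritedGpoLinks | ForEach-Object { $_.DisplayName }

    Get-GPO -All | Where-Object { $_.DisplayName -like "$NamePrefix*" } | ForEach-Object {
        [pscustomobject]@{
            Gpo               = $_.DisplayName
            TargetOU          = $TargetOU
            InheritanceBlocked = $inh.GpoInheritanceBlocked
            Reaches           = $effective -contains $_.DisplayName
        }
    }
}

# Usage: run both reports; any "RISK"/"NOT APPLIED" row or Reaches=False needs attention.
Test-UagDaGpoFiltering | Format-Table -AutoSize
Test-UagDaGpoLinks -TargetOU 'OU=DA Servers,DC=corp,DC=example' | Format-Table -AutoSize
```

The first report is the one to read against the figures in the article: for the DaServer GPO you expect only the array servers' computer accounts, for the Client GPO only your DA clients group, and for the AppServer GPO only the application server groups you named in the wizard. The second report is the check the commenter describes: if `InheritanceBlocked` is `True` and `Reaches` is `False` for the DaServer or AppServer GPO, the GPO needs a direct link on that OU, and since re-applying the configuration can drop such links, re-run the check after every activation and allow replication time before trusting the result.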
