This DirectAccess Test Lab Extension for DirectAccess in Windows Server 2008 R2 describes how to configure remote management for the DirectAccess clients of the corp.contoso.com domain. You configure and test remote management of CLIENT1 from APP1 with a remote desktop connection.

 

Note  These instructions are designed for a working DirectAccess test lab that is configured from the instructions found in the Test Lab Guide: Demonstrate DirectAccess document.

If you are running the DirectAccess Test Lab in a virtual environment, you can create snapshots of the virtual machines (VMs) for all of the test lab computers before performing the following procedures.

 

Configuring and Demonstrating Remote Management

To demonstrate the lack of remote management capability of CLIENT1 from APP1 using a remote desktop connection:

  1. Connect CLIENT1 to the Internet subnet, and then restart it. Do not log on.
  2. On APP1, click Start, click All Programs, click Accessories, and then click Command Prompt.
  3. In the Command Prompt windows, run the ping client1 command. You should see four successful replies.
  4. Click Start, click All Programs, click Accessories, and then click Remote Desktop Connection.
  5. In the Remote Desktop Connection window, type client1 in Computer, and then click Connect. You should see the error message Remote Desktop can’t connect to the remote computer.
  6. Click OK.

 

APP1 cannot initiate a remote desktop connection to CLIENT1 when there is no user logged on because there are no IPsec tunnels that allow incoming traffic from APP1. When no one has logged on to CLIENT1, the only IPsec tunnel in place is the infrastructure tunnel, which only allows traffic from 2002:836b:2:1:0:5efe:10.0.0.2, the ISATAP address of DC1. After a user has logged on to CLIENT1, the intranet tunnel is used to carry the remote desktop connection traffic between CLIENT1 and APP1.

 

To allow APP1 to remotely manage CLIENT1 even when there is no user logged on, you must add 2002:836b:2:1:0:5efe:10.0.0.3, the ISATAP address of APP1, to the list of management servers in Step 3 of the DirectAccess Setup Wizard.

 

To configure APP1 as a management server:

  1. On DA1, click Start, point to Administrative Tools, and then click DirectAccess Management.
  2. In the console tree, click Setup.
  3. In the details pane, click Edit in Step 3.
  4. On the Location page, click next. On the DNS and Domain Controller page, click next.
  5. On the Management page, right-click the empty entry in the table, and then click New.
  6. In the IPv4 Address window, click IPv4 address, type 10.0.0.3, and then click OK. Notice that the wizard has added a table entry for 2002:836b:2:1:0:5efe:10.0.0.3, the ISATAP address of APP1.
  7. Click Finish.
  8. In the details pane, click Finish, and then click Apply.
  9. When prompted, click OK.
  10. Click Start, click All Programs, click Accessories, and then click Command Prompt.
  11. From the Command Prompt window, run the gpupdate /target:computer command.

 

To update CLIENT1 and demonstrate remote management with a remote desktop connection:

  1. On CLIENT1, log on with the CORP\user1 user account and password.
  2. Click Start, click All Programs, click Accessories, and then click Command Prompt.
  3. From the Command Prompt window, run the gpupdate /target:computer command.
  4. Log off of CLIENT1.
  5. On APP1, click Start, click All Programs, click Accessories, and then click Remote Desktop Connection.
  6. In the Remote Desktop Connection window, type client1 in Computer, and then click Connect.
  7. When prompted for credentials, type the password for the CORP\user1 account, and then click OK. You should see the desktop of CLIENT1.
  8. Close the remote desktop window for CLIENT1.

 

By configuring APP1’s ISATAP address as a management server, the DirectAccess Setup Wizard configures a connection security rule for a management tunnel on DA1 and CLIENT1. This management tunnel, which is separate from the infrastructure and intranet tunnels, allows APP1 to initiate communication with DirectAccess clients even when there is no user logged on.

.

If you are running the DirectAccess Test Lab in a virtual environment, you can discard the changes made by these procedures by restoring the previously made snapshots of the VMs for all of the computers in the test lab. Alternately, if you would like return to a working DirectAccess configuration with remote management configured, you can create a new set of snapshots before restoring the previously made snapshots.

.

To manually restore the configuration of the DirectAccess Test Lab, perform the following procedure.

.

Restoring the DirectAccess Test Lab

To restore the DirectAccess Test Lab to its original configuration:

  1. On DA1, in the console tree of the DirectAccess Management snap-in, click Setup.
  2. In the details pane, click Edit in Step 3.
  3. On the Location page, click Next. On the DNS and Domain Controller page, click Next.
  4. On the Management page, right-click the table entry for 2002:836b:2:1:0:5efe:10.0.0.3, and then click Delete.
  5. Click Finish.
  6. In the details pane, click Finish, and then click Apply.
  7. When prompted, click OK.
  8. From the Command Prompt window, run the gpupdate /target:computer command.
  9. Close the Command Prompt window.
  10. Log on to CLIENT1 with the CORP\user1 account and password.
  11. Click Start, click All Programs, click Accessories, and then click Command Prompt.
  12. From the Command Prompt window, run the gpupdate /target:computer command.
  13. Close the Command Prompt window.

For additional DirectAccess Test Lab extensions and other resources for the DirectAccess Test Lab, click here.