DirectAccess Configuration - The command cannot be completed because the GPO was not found in the domain

  • Question

  • Hello all,

     I've been banging my head against the wall trying to get DA set up within our organization. When I run through the Configure Remote Access Wizard it fails on the very last step and produces the following error:

     Removing DNS suffix search list settings - the command cannot be completed because a GPO that is named "DirectAccess Client Settings" was not found in the *****.local domain. Make sure that the GPO specified by the name parameter exists in the domain that is specified for the cmdlet. Then run the command again. 

     To me this sounds like it's suggesting that it can't find the GPO - which is rubbish, since when I run a GPRESULT /R on the server it shows that the Direct Access Server settings ARE applied!

     Can anybody shed some light on this for me please? I am losing the will to live at the moment!

    Tuesday, October 2, 2018 11:08 AM

All replies

  • Hello all, I decided to uninstall-remoteaccess and start again from scratch. I'm in a slightly better position now - most of the Operation Status icons are showing as green.

    However the Configuration Status is set to unavailable. The error says 'Configuration for the server retrieved from the domain controller cannot be applied' but doesn't give me any other details.

    Has anyone else come across this before?

    Tuesday, October 2, 2018 1:18 PM
  • Hi Jack, your original message sounds to me like a timing problem when the wizard tries to write the GPOs. When you walk through the DA config wizards and then click "Apply" at the end, the wizard reaches out to Group Policy and does a number of things all very quickly. It creates the GPOs, opens the GPOs, plugs settings into the GPOs, links the GPOs, and Security Filters the GPOs, all within a minute or so. Sometimes this results in errors, because it never waits for replication to happen in between these steps.

    In cases where errors regarding the GPOs show up in that output, I usually create the needed GPOs myself first, then specify them during the wizard so that I know the GPOs are already in existence. Then the wizard doesn't have to worry about that step and can just plug settings in.

    I assume your user account has the necessary permissions to accomplish all of these GPO tasks as well, right? If not, that would also cause issues with this process.

    All in all, both your original post and the configuration status being unavailable point toward some interaction between the DA server and Active Directory not working quite right. Everything that you see inside the Remote Access Management Console is dependent on seeing information from the GPOs. When you open RAMC on the DA server, it's really oblivious to the fact that it's running on top of the DA server. The console opens, and it reaches over to the GPOs in order to query information about what it needs to display to you. Running RAMC on a DA server is the same as running it from RSAT tools on your own machine; it's just portraying information relayed from the GPOs and then querying info from the DA server(s) as well, by reaching out and polling them via the network.

    Also make sure that your DA servers can successfully route to all Domain Controllers inside your environment. I have found this to be an important piece of the puzzle in past troubleshooting.

    Friday, November 9, 2018 11:48 AM
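
One way to act on the advice in the last reply, as an added example that is not part of the thread: run from the DA server, it checks that every domain controller is reachable, pre-creates the two GPOs, and waits until each DC holds both the Active Directory object and the SYSVOL folder for them. The domain name, the GPO names, the 15-minute timeout and the choice of TCP 389 and 445 as the reachability test are assumptions; it needs the GroupPolicy and ActiveDirectory modules and an account allowed to create GPOs.

```powershell
# Added example, not from the thread. Domain name is a placeholder.
Import-Module GroupPolicy, ActiveDirectory

$Domain   = 'corp.example'
$GpoNames = 'DirectAccess Server Settings', 'DirectAccess Client Settings'
$Timeout  = (Get-Date).AddMinutes(15)

# 1. Every DC must be reachable from this server (LDAP 389, SMB 445 for SYSVOL).
$dcs = Get-ADDomainController -Filter * -Server $Domain
foreach ($dc in $dcs) {
    foreach ($port in 389, 445) {
        $r = Test-NetConnection -ComputerName $dc.HostName -Port $port -WarningAction SilentlyContinue
        if (-not $r.TcpTestSucceeded) { throw "Cannot reach $($dc.HostName) on TCP $port" }
    }
}

# 2. Create the GPOs only if they are missing, so the wizard never has to.
$gpos = foreach ($name in $GpoNames) {
    $g = Get-GPO -Name $name -Domain $Domain -ErrorAction SilentlyContinue
    if (-not $g) { $g = New-GPO -Name $name -Domain $Domain }
    $g
}

# 3. Wait until each DC has both halves of each GPO: the AD object and the
#    SYSVOL folder. The two replicate separately, so both are checked.
do {
    $missing = foreach ($dc in $dcs) {
        foreach ($g in $gpos) {
            $inAd = [bool](Get-GPO -Guid $g.Id -Domain $Domain -Server $dc.HostName -ErrorAction SilentlyContinue)
            $inSysvol = Test-Path -LiteralPath "\\$($dc.HostName)\SYSVOL\$Domain\Policies\{$($g.Id)}"
            if (-not ($inAd -and $inSysvol)) { "$($g.DisplayName) on $($dc.HostName)" }
        }
    }
    if ($missing) {
        if ((Get-Date) -gt $Timeout) { throw "Not replicated: $($missing -join '; ')" }
        Start-Sleep -Seconds 30
    }
} while ($missing)

"GPOs present on all $(@($dcs).Count) domain controllers; specify them in the wizard."
```

A throw in step 1 points at the routing problem the reply describes; a timeout in step 3 points at replication rather than at the wizard.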