domain connection error

  • Question

  • Hi,

    My configuration is exactly as per the steps described within the "testlab guide to demonstrate UAG directAccess_DA" by Thomas Shinder.

    But one point is stated as below (extract from the guide):

    "On the Management Servers and DCs page, click the Domains\corp.contoso.com entry. Note in the Servers List that DC1.corp.contoso.com was automatically discovered. Click Finish. (Note: infrastructure servers are those servers that are accessed through the infrastructure tunnel, which is established before the user logs on. The infrastructure tunnel enables DirectAccess client computer management even when there is no logged on user)."

    In my case the UAG server is a member of a secure domain "SecAD" and the users are within the Intranet AD, so I need to add this domain to the UAG within this wizard, but I get "error while connecting to domain".

    No firewall restrictions for the connection.

    The internal NIC is also configured with the domain suffix.


    Any expert advice to resolve this is much appreciated


    Thanks in Advance


    Tuesday, August 10, 2010 8:55 AM

Answers

  • Hi,

    Call it coincidence, but I was just chatting with Tom today about a similar scenario for one of our customers.

    I understand that your UAG computer is a member of one domain (SecAD) and you are trying to add a domain controller belonging to another domain to your infrastructure servers list.

    - What kind of trust relationship exists between the two domains? Are they in the same forest?

    For the solution to work, you need a two-way trust between the two domains. You will also need to ensure all the client machines have the required certificates.

    Regards

    Shijaz


    Shijaz Abdulla | Microsoft Qatar http://www.microsoftnow.com
    Tuesday, August 10, 2010 11:21 AM

All replies

  • Hi Shijaz,


    Thanks for the reply

    You got the right picture.

    The SecAD and the intranet AD have a one-way trust relationship, i.e. SecAD trusts Intranet AD but not vice versa.

    The certificates required by all clients are already available and come from the intranet AD.

    Do let me know further.


    Thanks


    Tuesday, August 10, 2010 1:48 PM
  • "The SecAD and the intranet AD have a one-way trust relationship, i.e. SecAD trusts Intranet AD but not vice versa."

    Hi Nbud,

    For starters, you need to have a two-way trust between the domains. Both domains should trust each other.

    Also let me know if the two domains are in the same forest?

    Shijaz


    Shijaz Abdulla | Microsoft Qatar | http://www.microsoftnow.com
    Thursday, August 12, 2010 7:00 AM
  • Hi,


    Understood on the trust relationship.

    The 2 domains are not under one forest.


    Another question: the clients access the internet and the corporate network simultaneously, a kind of split tunneling. Can this be disabled to ensure that only one is possible, i.e. access to either the direct internet or just the corporate network?


    Thanks in Advance

    Thursday, August 12, 2010 1:18 PM
  • Hi Nbud,

    You need a two-way trust between the forests.

    Check out:

    http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=2ba2e429-1385-4253-9667-63c2c85747e7

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Friday, August 13, 2010 12:25 PM
  • Hi,

    Once a two-way trust is established between the domains, you should also make sure the other domain's DCs are reachable from the UAG server. You can try to ping the Intranet domain name from the UAG server and see if there's any reply.

    Regarding force tunneling, it is possible, but not recommended. Since DirectAccess is designed to be always connected, there is no way to have one without the other. The DirectAccess force tunneling solution means that once DirectAccess clients are able to connect to the UAG server (and it happens automatically), the internet connectivity is disconnected, and all internet traffic must go through the UAG server as well.

    This also means that all of your internet traffic works through "DirectAccess", so only IPv6 applications are supported. Client applications that do not support IPv6, such as Office Communicator, will never be able to work remotely.

    Read this for more information: http://technet.microsoft.com/en-us/library/ee809072.aspx

    Friday, August 13, 2010 12:30 PM
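    The two checks the replies above ask for (is the trust to the intranet domain two-way, and are that domain's DCs reachable from the UAG server) can be run together from a PowerShell prompt on the UAG server. The script below is an added example written for this page; it was not posted by anyone in the thread and is not part of the UAG product or the Test Lab Guide. It assumes PowerShell 2.0 on the UAG server, uses `corp.contoso.com` from the guide excerpt purely as a placeholder for the intranet domain, and probes the TCP ports a domain-joined Windows server normally uses to talk to a DC (LDAP 389, Kerberos 88, SMB 445, RPC endpoint mapper 135); it does not claim these are the exact ports the UAG wizard uses.

```powershell
# Added diagnostic (not from the thread): run on the UAG server to check the trust
# direction towards the intranet domain and the reachability of that domain's DCs.
param(
    # Placeholder taken from the guide excerpt; replace with the real intranet AD FQDN.
    [string]$IntranetDomain = 'corp.contoso.com'
)

# 1. Trust direction, as seen from the domain the UAG server is joined to (SecAD in the thread).
#    DirectAccess needs a two-way trust, i.e. TrustDirection 'Bidirectional'.
#    'Outbound' here means the local domain trusts the target but not the other way round.
$localDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
Write-Host "UAG server is joined to: $($localDomain.Name)"
$trust = $localDomain.GetAllTrustRelationships() |
    Where-Object { $_.TargetName -ieq $IntranetDomain } |
    Select-Object -First 1
if (-not $trust) {
    Write-Warning "No trust to $IntranetDomain is defined from $($localDomain.Name)."
} elseif ($trust.TrustDirection -ne 'Bidirectional') {
    Write-Warning "Trust to $IntranetDomain is '$($trust.TrustDirection)' only; a two-way trust is required."
} else {
    Write-Host "Trust to $IntranetDomain is two-way (type: $($trust.TrustType))."
}

# 2. Locate the intranet DCs through the SRV record Windows uses for DC location.
#    If this returns nothing, DNS on the internal NIC cannot resolve the other domain,
#    which is a common cause of 'error while connecting to domain' in the wizard.
$dcs = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$IntranetDomain" 2>$null |
    Select-String 'svr hostname' |
    ForEach-Object { ($_.Line -split '=')[1].Trim() }
if (-not $dcs) {
    Write-Warning "No DC SRV records found for $IntranetDomain; check DNS suffix search list and forwarders on the internal NIC."
}

# 3. For each DC, confirm the usual domain ports open from the UAG server (2 s timeout per port).
$ports = 389, 88, 445, 135
foreach ($dc in $dcs) {
    foreach ($port in $ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $async  = $client.BeginConnect($dc, $port, $null, $null)
        $open   = $async.AsyncWaitHandle.WaitOne(2000) -and $client.Connected
        $client.Close()
        "{0,-35} {1,5} {2}" -f $dc, $port, $(if ($open) { 'open' } else { 'blocked/timeout' })
    }
}
```

    A trust reported as "Outbound" from the UAG server's domain matches the one-way situation described in the thread (SecAD trusts Intranet AD only) and will not satisfy the wizard; a trust that shows "Bidirectional" but DCs that time out on every port points at routing or DNS on the internal NIC rather than at the trust itself.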
  • Hi Yaniv,

    Good info!

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Thursday, August 19, 2010 2:50 PM