RemoteAccesssServerConfig and parallel DA Server on same domain

  • Question

  • Hi all,

    I have configured a DirectAccess Server on Edge; all the settings were default (self-signed certificate). I was getting an error on reporting and, while troubleshooting this, I deleted the XML file (RemoteAccesssServerConfig) which is created in C:\Windows\DirectAccess, so is there any way to get that XML file back? I can't reconfigure the DirectAccess Server as the DA Clients will lose connectivity. Can I configure a parallel DirectAccess Server on the same domain with a different configuration?

    Thanks,

    Roshan

    Friday, February 10, 2017 7:22 AM

Answers

  • The DA clients do attempt to self-register with DNS when they connect, just like they do when inside the office. In my experience if that isn't happening, it is usually something on the DNS server side that is blocking the registration from happening for some reason.

    Are you using ISATAP at all with your primary DirectAccess server? I ask because you mentioned trying to ping the client computers, and this outbound traffic flow doesn't work out of the box with DirectAccess, unless you have introduced ISATAP or some form of IPv6 routing into the mix. If you are using ISATAP in the primary DA environment, you'll have to swing ISATAP over to your new DA server in order for the internal servers to have outbound routability to the clients through that other DA server.

    • Marked as answer by roshan kr Wednesday, March 1, 2017 6:09 AM
    Tuesday, February 28, 2017 2:02 PM
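    An added diagnostic for the two points in this answer (DNS-side rejection of client registration, and ISATAP being required for internal hosts to reach DA clients). It is not from the thread; the DNS server name, zone name and client names are placeholders to replace, and it is run from an internal Windows server with the DnsClient and NetworkTransition modules available.

    ```powershell
    # Added example, not from the original thread. Placeholders (assumptions):
    $DnsServer = 'dns01.corp.example'        # internal DNS server used by the DA deployment
    $ZoneName  = 'corp.example'              # AD-integrated zone the DA clients register into
    $Clients   = @('laptop01', 'laptop02')   # DA client computer names to check

    # 1. Is the zone accepting dynamic updates at all?
    #    'None' silently rejects every client registration; 'Secure' requires the
    #    client's computer account to be allowed to create/own its own record.
    $zone = Invoke-Command -ComputerName $DnsServer -ScriptBlock {
        param($z) Get-DnsServerZone -Name $z
    } -ArgumentList $ZoneName
    "Zone {0}: DynamicUpdate = {1}" -f $zone.ZoneName, $zone.DynamicUpdate

    # 2. Does each DA client have an AAAA record? DA clients register the IPv6 address
    #    of their transition tunnel; a missing AAAA record is why ping from the
    #    internal server to the client fails even though the client reached AD.
    foreach ($c in $Clients) {
        try {
            $rec = Resolve-DnsName -Name "$c.$ZoneName" -Type AAAA -Server $DnsServer -ErrorAction Stop
            "{0}: AAAA = {1}" -f $c, ($rec.IPAddress -join ', ')
        } catch {
            "{0}: no AAAA record (registration never happened or was rejected by DNS)" -f $c
        }
    }

    # 3. Does this internal host have ISATAP configured? Without ISATAP (or native IPv6
    #    routing) the internal host has no IPv6 route back to the DA clients, so outbound
    #    "manage-out" traffic will fail regardless of DNS. Router should point at the DA server.
    Get-NetIsatapConfiguration | Select-Object State, Router, ResolutionState
    ```

    Step 1 runs Get-DnsServerZone remotely on the DNS server, so the account running this needs remoting rights there.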

All replies

  • I don't know of a way to get that XML back, since at this point the remote access console probably doesn't want to open at all, right? Yes you can definitely bring up another DirectAccess server completely in parallel to the one already running. Just make sure to use new IP addresses, DNS names, GPOs, groups, etc - make everything independent and they will be able to run in parallel without even knowing that each other exist. Then once running you can move computers from the old group to the new group and their GPO settings will swing them over to the new DA server. Once the migration is complete, take down the old DA server and you're all set.

    Sidenote: Never run a production instance of DirectAccess with self-signed certificates. :) This is a big security no-no. Make sure to do the certificates right or you'll cause yourself some big headaches down the road when those self-signed certs expire, not to mention the insecurities of running it that way.

    https://www.ivonetworks.com/news/2012/05/directaccess-help-im-drowning-in-certificates/

    Thursday, February 16, 2017 2:16 PM
  • Thanks Jordan,

    I have created a parallel DA Server and my DA Client is getting connected with the DA Server. The DA Client can ping my DA Server and Active Directory, but when I try to ping the DA Client from my server it's not pinging, as there is no DNS entry getting created automatically on my DNS Server.

    The manual process of creating the DNS entry is working, but how can this be automatic? Any help regarding this issue?

    Thanks,

    Roshan

    Tuesday, February 28, 2017 6:38 AM