Direct Access won't work when migrated to new domain with Quest tools

  • Question

  • Hello Everyone,

    I have a domain (domain2) that is successfully using Direct Access with many Windows 7 clients.  We are migrating users from a different domain (domain1) to ours using the Quest migration tools.  These migrated computers are not able to use Direct Access after migration.  If we don't use the Quest tools and manually disjoin them from domain1 and then manually join them to domain2 Direct Access works fine.  Quest support isn't any help with this problem and don't think it is related to the migration tool.  When looking at Ipconfig you see the Teredo and IPHTTPS interfaces but they don't have an address.  In some cases these interfaces don't even exist.  I verified that the proper group policy is being applied to the computers for Direct Access.

    Does anyone have any suggestions for troubleshooting this?  Thank you!

    Friday, February 18, 2011 5:08 PM

Answers

All replies

  • Do they preserve their SID and group memberships during the migration?

    So what actual symptoms do you get? Do the DA clients establish either of the DA tunnels?

    I would work through the troubleshooting steps in this lab to narrow down which exact element is failing...come back here with the results and we can hopefully help

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Saturday, February 19, 2011 12:45 AM
  • The lab will give a good overview of the tools used to troubleshoot DirectAccess and show what their output looks like when things are working and what it looks like when things are broken.

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Monday, February 21, 2011 2:26 PM
  • Yes, they preserve what is called "SID history" with the old domain so they can reach back to resources until the migration is complete.  Is it possible this would cause DA to fail after migration?  I will take a look at the lab this week and see if that provides any clues.

    Thank you!

    Dennis

    Monday, February 21, 2011 2:40 PM
  • Not sure, but when you disjoin and rejoin the domain (which you said works) you will obtain a new SID...just a thought, but not sure!


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by Erez Benari Tuesday, May 17, 2011 10:56 PM
    Monday, February 21, 2011 11:54 PM