Migrate Direct Access (2012) to Windows 2016

  • Question

  • Hey

    How do I migrate from Windows 2012 to Windows 2016 direct access?

    Today we have 2 Windows 2012 running direct access using NLB. 

    (new hardware)

    Best approach?

    Thanks in advance


    Thursday, December 21, 2017 2:21 PM

All replies

  • Early last year I attempted an in-place upgrade from Server 2012 to Server 2012 R2 and it didn't quite succeed. There were half a dozen things 'broken' afterwards and although I was able to manually fix most things, I couldn't fix everything. So we rolled back. I asked Richard Hicks (a Direct Access guru) about our experience and he provided the following advice. I think it may be helpful to your situation:


    In place upgrades are rarely (if ever) successful, so I’m not surprised by your results. While many of these issues could be addressed after the upgrade, the end result is a server that ends up being unstable anyway. Probably best to proceed with deploying a new server.

    There are two approaches you can use. The first is to enable load balancing (n.b. you already have this in place), then add a 2012 R2 or 2016 server to the cluster and then retire the old one(s).

    Alternatively, you prepare a new server in a new deployment and then migrate users over. The old deployment can be retired once everyone has been migrated.

    Here are some considerations for creating parallel DirectAccess deployments:

    Tuesday, January 2, 2018 2:25 AM
  • I would proceed with caution on that first option about adding a newer node to the array. In my experience this does NOT work. For example, having a 2012 and a 2012 R2 box together in a DA NLB array does not work; DA only works on whatever node was in there first (the 2012 box in your example). Even though there are no functional differences in DA itself between the two operating systems, they recognize that they are different enough that it simply does not work.

    The cleanest way to migrate is to build up the new environment in parallel to your existing one, using a new group, new public DNS name, new hostnames and IP addresses, new GPOs, new everything. Get the new environment up and running 100% (NLB and all), test it out using group membership to the new group, and once you are happy that it's all working as it should be, then you simply move your client computer accounts out of the old group and into the new group.

    Tuesday, January 2, 2018 6:28 PM
  • This is really useful, thank you.  I'm planning a move from 2012 to 2016.

    One thing I don't understand though is, if I build a new DA, NLS etc., how do my clients, when external to the LAN, know to connect through to the new DA server with the new DNS name etc.? How does the new Group Policy get pushed out to them if they are not within the LAN? Basically, I'll have 100+ users that need to hit the new DA server, but will rarely if ever be in the office!

    Is it a case of:

    - Let clients connect to old DA.

    - Change OU or security group to that set in new DA setup whilst they are connected.

    - gpupdate /force on the client.

    Thanks in advance.

    Friday, March 2, 2018 3:47 PM
  • Your process will work, but technically that is being overly cautious. Once you have the new 2016 environment all up and running in parallel (and have tested it all out) - migrating computers over to the new one really is just a matter of adding their computer accounts to the new DA group, and removing the computer accounts from the old DA group. Then sit back and wait/watch for a few days.

    For those computers that are connected when you do it, they will get the new settings if you do a gpupdate /force, or if they just sit around and naturally pull Group Policy at its next interval. (Group Policy processes just fine over a DA connection). They will stay connected to the 2012 environment until they pull new settings.

    And even for those computers that are not connected when you make the group change, they still generally migrate just fine. When those laptops come back online the next time the user boots, they will still have the old DA connectivity settings and will still make a successful DA connection using the 2012 environment (so make sure you leave the 2012 environment online for a while). Then over that DA connection they will do a gpupdate refresh (naturally), and grab the new 2016 settings. Once the client machine has the new 2016 settings, they will generally stay connected to the 2012 site for a little while, but usually Windows 10 machines swing over within a couple of hours of acquiring the new settings.

    Occasionally a machine will continue to stay connected to the 2012 environment until you reboot it, sort of like it has the new settings, but is just sitting on those new settings until the reboot happens, at which point the new 2016 settings are finally put into place.

    I have done this kind of migration many times over the last couple of years and it is a very smooth process. I very rarely get any calls of machines that have been stranded. If this ever does happen (where you find a machine that is no longer connected anywhere), it is usually because they removed the machine from the old group first and then added it to the new group, and group policy happened to naturally refresh during the few minutes in between, in which case the DA client saw that it was no longer part of any group and removed its DA settings, thereby stranding it until it was able to come back into the office. So when you change the group membership, just make sure you do the addition/removal within a very short window of time.

    • Proposed as answer by Gray_K Thursday, November 1, 2018 8:46 AM
    Friday, March 2, 2018 7:21 PM
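    The group-membership swap described in the reply above, as an added PowerShell example that is not part of the original thread. It adds each computer to the new DA group first, verifies the add against a single DC, and only then removes it from the old group, so the stranding window the reply warns about never opens; the group names and computer list are assumptions.

```powershell
# Added example (not from the thread): move DirectAccess client computer
# accounts from the old 2012 DA group to the new parallel 2016 DA group.
# Requires the ActiveDirectory RSAT module; GroupPolicy module is optional.
# Group names and the computer list below are assumptions / constructed data.
Import-Module ActiveDirectory
Import-Module GroupPolicy -ErrorAction SilentlyContinue

$OldDaGroup = 'DA-Clients-2012'              # assumed: existing DA client group
$NewDaGroup = 'DA-Clients-2016'              # assumed: new parallel DA client group
$Computers  = @('LAPTOP-001', 'LAPTOP-002')  # constructed sample list

# Pin every read and write to one DC so the verification step below is not
# fooled by replication lag between two different domain controllers.
$Dc = (Get-ADDomain).PDCEmulator
$newGroupDn = (Get-ADGroup -Identity $NewDaGroup -Server $Dc).DistinguishedName

foreach ($name in $Computers) {
    $computer = Get-ADComputer -Identity $name -Server $Dc -ErrorAction Stop

    # Step 1: ADD to the new group FIRST. The client is then a member of at
    # least one DA group at every instant, so a Group Policy refresh that lands
    # between the two changes cannot strip its DA settings and strand it off-site.
    Add-ADGroupMember -Identity $NewDaGroup -Members $computer -Server $Dc

    # Step 2: confirm the add really took on that DC before touching the old group.
    $memberOf = (Get-ADComputer -Identity $name -Properties MemberOf -Server $Dc).MemberOf
    if ($memberOf -notcontains $newGroupDn) {
        Write-Warning "$name is not in $NewDaGroup; leaving it in $OldDaGroup untouched"
        continue
    }

    # Step 3: remove from the old group immediately afterwards (short window).
    Remove-ADGroupMember -Identity $OldDaGroup -Members $computer -Server $Dc -Confirm:$false
    Write-Output "$name moved: $OldDaGroup -> $NewDaGroup"

    # Optional: nudge a currently connected client to pull policy now instead of
    # waiting for its next refresh interval. Offline clients simply fail here and
    # will fetch the new settings over their existing 2012 DA tunnel later.
    if (Get-Command Invoke-GPUpdate -ErrorAction SilentlyContinue) {
        try {
            Invoke-GPUpdate -Computer $name -Target Computer -Force `
                -RandomDelayInMinutes 0 -ErrorAction Stop
        } catch {
            Write-Warning "$name not reachable for gpupdate; it will refresh on its own"
        }
    }
}
```

    Keep the old 2012 environment online while this runs, since clients that are offline during the swap still tunnel through it to pick up the new policy.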
  • Jordan thanks so much for this, it worked like a dream.

    Thursday, November 1, 2018 8:46 AM