Direct Access Group policy editing

    Question

  • I have a Direct Access configuration to which I need to modify the group policy for the DNS servers. However, when I open Group Policy management - settings, the settings are shown under Administrative Settings "Extra registry settings". How do I edit these? They are not shown when I open the GPO for editing.

    thanks in advance.

    Thursday, July 2, 2015 12:31 PM

All replies

  • > I have a Direct Access configuration to which I need to modify the group
    > policy for the DNS servers. However, when I open Group Policy management
    > - settings, the settings are shown under Administrative Settings "Extra
    > registry settings". How do I edit these? They are not shown when I open
    > the GPO for editing.
     
    This is expected. The DNS GPO Part is a distinct MMC snapin, but it
    stores its settings within registry.pol, which in turn is used
    "basically" for administrative templates.
     
    Since there is no ADMX template to display the DNS configuration
    settings, it shows up as "extra registry settings".
     
    In gpedit, they do not show up because there you can only edit ADM
    template settings for which an ADMX template is present.
     

    Greetings/Grüße, Martin

    Want to read a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Thursday, July 2, 2015 12:41 PM
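The reply above says the values live in registry.pol and appear as "Extra registry settings" because no template describes them. The following is an added example, not part of the thread and not Microsoft code: a read-only parser for the registry.pol layout (a `PReg` signature, version 1, then bracketed UTF-16LE records) that lists the entries no template covers. Assumptions: the split of the reported path into a key plus a value name `DnsServers`, the value types, the addresses, and `TEMPLATE_VALUES` are all constructed for illustration.

```python
import struct

REG_SZ, REG_MULTI_SZ = 1, 7  # registry value types that hold UTF-16LE text

def _u(text):
    return text.encode("utf-16-le")

def _expect(blob, pos, ch):  # check the 2-byte delimiter at pos and step over it
    if blob[pos:pos + 2] != _u(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _cstr(blob, pos):  # read a NUL-terminated UTF-16LE string
    for end in range(pos, len(blob) - 1, 2):
        if blob[end:end + 2] == b"\x00\x00":
            return blob[pos:end].decode("utf-16-le"), end + 2
    raise ValueError("unterminated string")

def parse_registry_pol(blob):
    """Return (key, value name, type, data) for each [key;value;type;size;data]."""
    if blob[:8] != b"PReg" + struct.pack("<I", 1):  # signature + version 1
        raise ValueError("not a version 1 registry.pol")
    pos, out = 8, []
    while pos < len(blob):
        key, pos = _cstr(blob, _expect(blob, pos, "["))
        value, pos = _cstr(blob, _expect(blob, pos, ";"))
        reg_type, = struct.unpack_from("<I", blob, _expect(blob, pos, ";"))
        size, = struct.unpack_from("<I", blob, _expect(blob, pos + 6, ";"))
        pos = _expect(blob, pos + 12, ";")  # pos is now the first data byte
        data = blob[pos:pos + size]
        if reg_type in (REG_SZ, REG_MULTI_SZ):  # text becomes a list of strings
            data = [s for s in data.decode("utf-16-le").split("\x00") if s]
        out.append((key, value, reg_type, data))
        pos = _expect(blob, pos + size, "]")  # also catches truncated data
    return out

def extra_registry_settings(entries, template_values):
    """Entries that no loaded template describes (GPMC: Extra Registry Settings)."""
    known = {(k.lower(), v.lower()) for k, v in template_values}
    return [e for e in entries if (e[0].lower(), e[1].lower()) not in known]

def _entry(key, value, reg_type, data):  # serialises one constructed record
    return (_u(f"[{key}\x00;{value}\x00;") + struct.pack("<I", reg_type) + _u(";")
            + struct.pack("<I", len(data)) + _u(";") + data + _u("]"))
DA_KEY = r"Software\Policies\Microsoft\Windows\RemoteAccess\Config"  # from the thread
DNS_KEY = r"Software\Policies\Microsoft\Windows NT\DNSClient"  # assumed template-backed
SAMPLE = (b"PReg" + struct.pack("<I", 1)  # constructed file, documentation addresses
          + _entry(DA_KEY, "DnsServers", REG_MULTI_SZ, _u("2001:db8::53\x002001:db8::54\x00\x00"))
          + _entry(DNS_KEY, "NameServer", REG_SZ, _u("192.0.2.53\x00")))
TEMPLATE_VALUES = {(DNS_KEY, "NameServer")}  # stand-in for what ADMX files define
```

Run against a copy of a GPO's Machine\registry.pol from SYSVOL, `parse_registry_pol` shows exactly which key, value name and data the report is summarising, without changing the GPO.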
  • Thanks for your reply.

    How do I get an ADMX template for this? I need to edit the policy, as some of the DNS entries are wrong.

    thanks

    Alan

    Thursday, July 2, 2015 1:20 PM
    > How do I get an ADMX template for this? I need to edit the policy, as
    > some of the DNS entries are wrong.
     
    If you edit this GPO, you should use Policies - Windows Settings -
    Security Settings - DNS, and not Administrative Templates. If you do not
    have DNS, try using a newer OS version - AFAIR, DNS was introduced in
    W8/2012.
     
    And - maybe I'm totally wrong and it is simply an issue of downlevel
    ADMX templates. Anyway, this too should be resolved when using a newer
    OS version with more up to date ADMX templates.
     

    Greetings/Grüße, Martin

    Thursday, July 2, 2015 1:34 PM
  • My servers are all 2012 R2

    The entry I need to change is listed in the report as

    Software\Policies\Microsoft\Windows\RemoteAccess\Config\DnsServers

    but I cannot find this in the GPO to edit. I can of course modify the registry on my domain controllers, but it gets overwritten the next time GP updates, and I don't want to turn off the GP as there are many other Direct Access settings it controls.

    Thursday, July 2, 2015 1:53 PM
  • > Software\Policies\Microsoft\Windows\RemoteAccess\Config\DnsServers
    > but I cannot find this in the GPO to edit.
     
    it "should" be in Computer configuration - Policies - Windows Settings -
    Name Resolution Policy.
     

    Greetings/Grüße, Martin

    Thursday, July 2, 2015 2:51 PM
  • There is indeed a DNS policy there for Direct Access, but it is not populated. So I guess it is a different key it is using, but where?
    Friday, July 3, 2015 9:07 AM
  • > So I guess it is a different key it is using, but where?
     
    Unfortunately, I have no idea...
     
    I already checked all ADMX templates, this key isn't present in any of
    them. I also checked the older ADM templates - no result, too :-(
     

    Greetings/Grüße, Martin

    Friday, July 3, 2015 10:48 AM
  • Bummer :-(

    Thanks anyway for your help

    If anyone else has any ideas they'd be much appreciated.

    Friday, July 3, 2015 10:59 AM
  • Hi Alan,

    Based on our testing, the settings are the defaults after you have configured DirectAccess. Maybe the only way is to set the value before you configure DA. When the value is first set manually, the system will recognize the manual one and would not create the default one.

    You could refer to the article and set the value before you install DA

    https://technet.microsoft.com/en-us/library/hh831377.aspx?f=255&MSPPError=-2147217396

    Best Regards,

    Mary Dong


    Monday, July 6, 2015 5:16 AM
    Moderator
  • Thanks for your reply.

    We already have DA up and running, so it is not possible to set the value before we install. I'm thinking there must surely be some way to change the DNS retrospectively, as other organisations must change their DNS servers from time to time. At least I hope so!

    Monday, July 6, 2015 9:44 AM
  • I recently updated my DA Server settings and I can see that even my demoted domain controllers are still showing up in the GPO under "Software\Policies\Microsoft\Windows\RemoteAccess\Config\DomainControllers".

    When I traced it back to the DA server and the above registry settings, I see all the legacy domain controllers. So I am just wondering what the best and recommended way is of changing those settings and ensuring it is populated with only the present domain controllers?

    Thanks

    Merwin

    Tuesday, February 14, 2017 9:41 AM