UAG DA clients cannot access resources in a trusted domain

  • Question

  • We have full two way trust between trusted domain and corp domain. My UAG DA clients can access all resources in the local corp domain. However, they cannot ping (much less access resources) in our trusted domain. Our UAG server sits in the corp domain with no issues for our remote users. However, they can't get to any resources in our trusted domain.

    Users on our local network can access resources in the trusted domain normally, with no issue. Did I miss something in the UAG DA setup wizard, or is my DNS wrong (I am using DNS forwarders to forward queries to the trusted domain)? I don't believe I have problems with my trust because other technologies that use the trust work as expected (like DPM 2010 and RemoteApp).

    Thanks in advance!

    Wednesday, March 2, 2011 2:34 AM

All replies

  • Hi,

    Just a few questions to have a full picture:

    - I suppose we have two different domains.

    - I suppose it is a forest trust between the two forests.

    In your DirectAccess configuration, you must declare your trusted domain just like your current domain, with a DNS suffix and one or more IPv6 DNS servers. Client computers must be aware that they have to contact specific IPv6 DNS servers to resolve DNS names.

    Have a nice day.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    Wednesday, March 2, 2011 6:35 AM
  • Hello BenoitS,

    Thanks for the reply. That definitely makes sense. You are correct in both points.

    I'm not certain I know exactly where to make this change. I am guessing it's under Step 3: Infrastructure Servers, and then Infrastructure Server Configuration.

    To add my trusted domain, do I enter it as a DNS suffix, like *.TrustedDomain.local? And then choose option 'Other DNS Servers (IPv4)'?

    Last question. When I make this change, will it kill my existing remote DA clients? Will they need to come back into the office to get this group policy update?

    Thanks again!

    RTSTEPHN.

    Wednesday, March 2, 2011 2:35 PM
  • I just added my trusted domain into the list on the Infrastructure Server configuration page. I configured the DNS suffix to use the two DCs in my trusted domain. I saved the config, enabled it, and then ran a gpupdate /force on both the UAG server and on a few clients. Nothing appeared to have changed.

    How can I test this to see if it should have worked, or did I miss something when trying to add the two DCs from my trusted domain?

    Thanks -RTSTEPHN

    Wednesday, March 2, 2011 9:32 PM
  • Hi,

     

    Yes, it's on infrastructure servers. In this step we will add one or more DNS servers of your trusted domain and choose IPv6 DNS addresses. This will add a new entry for the DNS domain in the NRPT on the client side. This change will generate a new GPO version on server side and client side. Client computers will take the new configuration at the next GPO refresh (90-120 minutes).

     

    Have a nice day.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    Thursday, March 3, 2011 6:48 AM
  • Hi again,

     

    You should see new entries in the NRPT with NETSH NAMESPACE SHOW POLICY.

    You should be able to ping these IP addresses.

    You should be able to use "NSLOOKUP SET SERVER=<IPV6 Address> FQDN" to resolve DNS names in this domain.

     

    Have a nice day.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    Thursday, March 3, 2011 6:51 AM
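The three checks above, as an added PowerShell script that is not from the thread, from UAG or from BenoitS's blog: run on a DirectAccess client while it is off the corporate LAN, it looks for the trusted-domain rule in the client's NRPT, pings the IPv6 DNS server(s) that rule points at, and queries one of them directly. $Suffix, $TestHost and the "Settings for <suffix>" / "DirectAccess (DNS Servers)" layout of the netsh output are assumptions.

```powershell
# Added check script (not from the thread or from UAG). Placeholders: use the
# suffix exactly as entered in the UAG wizard and a host that should resolve
# in the trusted domain.
param(
    [string]$Suffix   = '.trusteddomain.local',
    [string]$TestHost = 'dc1.trusteddomain.local'
)

# 1. Has the client's NRPT actually received a rule for the suffix?
#    Assumes the "Settings for <suffix>" block layout printed by
#    "netsh namespace show policy".
$policy = netsh namespace show policy
$block = $policy |
    Select-String -Pattern ('Settings for ' + [regex]::Escape($Suffix) + '\s*$') -Context 0,8 |
    Select-Object -First 1
if (-not $block) {
    Write-Host "No NRPT rule for $Suffix on this client."
    Write-Host "Check gpresult /r: the DirectAccess client GPO must apply to this machine's OU."
    exit 1
}

# 2. Extract the IPv6 DNS server(s) the rule points at (UAG DNS64 or the IPv6
#    DNS servers chosen in the wizard).
$dnsServers = $block.Context.PostContext |
    Select-String -Pattern 'DirectAccess \(DNS Servers\)\s*:\s*(\S.*)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value -split '[,;\s]+' } |
    Where-Object { $_ }
if (-not $dnsServers) {
    Write-Host "NRPT rule for $Suffix exists but lists no DNS servers."
    exit 1
}

foreach ($srv in $dnsServers) {
    # 3. The server must answer over IPv6 through the IPsec tunnel before any
    #    name in the trusted domain can resolve.
    ping -6 -n 2 $srv | Out-Null
    if ($LASTEXITCODE -eq 0) { $state = 'reachable' } else { $state = 'UNREACHABLE' }
    Write-Host "$Suffix -> $srv : $state"

    # 4. Query that server directly, bypassing the NRPT, to separate a DNS
    #    problem from a tunnel problem.
    nslookup $TestHost $srv
}
```

If step 1 fails right after a wizard change, the GPO has simply not refreshed yet (see the 90-120 minute window above); if step 3 fails while step 1 passes, the problem is the IPsec tunnel or certificate trust rather than the NRPT.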
  • For some reason, none of the new entries for the trusted domain that I configured in the UAG server are showing up on my clients. I double-checked to make sure that my clients are in the right OUs, and that UAG is pushing the policy to those same OUs. I can see all my other entries when I run the "netsh namespace show policy", but not the new ones that I configured.

    Not sure how to proceed. Just to clarify, I open the DA wizard for Infrastructure (step 3), and proceeded to "Infrastructure Server Configuration". I clicked the 'DNS suffix' option, and then I entered my trusted domain in this format: .TrustedDomain.local. I chose the first option (UAG DNS64 server) and clicked OK. I have also tried setting it up with the option "Other DNS servers (IPv4)". From there I saved the config and then applied it.

    I cannot seem to update my clients.

    Any thoughts?

    Thursday, March 3, 2011 10:34 PM
  • Hi,

    UAG DNS64 was the good choice. It is the same configuration for both domains.

    Are you sure your client updated its GPO? You should see new entries with a NETSH NAMESPACE SHOW POLICY.

    Now let's see certificates. Do you use the same CA for both domains? If they belong to the same forest it's OK; on the contrary, two different forests will cause problems. In your situation you should consider Cross-Forest ADCS mode (only available in Windows 2008 R2 Enterprise edition). If you want an example, have a look at my blog post: http://danstoncloud.com/blogs/simplebydesign/archive/2011/02/21/adcs-en-mode-cross-forest.aspx (Sorry, it's in French).

    Have a nice day.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    Friday, March 4, 2011 12:43 AM
  • Will the GPO still have the updated entries if my trusted domain does not have or use a CA? The only CA we have is in our Corp domain.

    I am guessing this must be the problem then. Is that correct? Without a CA in the trusted domain, will those entries I put in UAG not show up in the client GPOs?

    Friday, March 4, 2011 4:12 PM
  • Hi,

    New NRPT entries are linked to the presence of a CA in your trusted domain. NRPT entries are parameters of the DirectAccess client-side GPO. Do client computers belong to the same domain or are they located in both domains?

    IPsec tunnels established from client to DA servers and infrastructure servers need to use a single CA. If you have multiple trusted domains, then these domains must be able to get certificates from that CA.

    If your trusted domain is a sub-domain of your forest, there should be no problem. It's just a question of certificate enrollment. Otherwise, you should consider looking at ADCS Cross-Forest mode, only available in the ADCS role, but only in Windows 2008 R2 Enterprise edition. Look at my blog post if you want more information about it.

    Have a nice day.

     


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    Saturday, March 5, 2011 10:05 AM
  • Thank you, BenoitS, for your help in getting this working. It turned out it was a cert issue. My trusted domain now trusts certs from my corp domain, so now UAG publishes those NRPT entries.

    It works! Thanks again, RTSTEPHN

    Wednesday, March 9, 2011 4:39 PM