Multiple direct access servers with different policies?

  • Question

  • So here's the situation. We are mostly running Windows 7, over 3 thousand machines spread out around the world. While we are in the process of upgrading to Windows 10, it's going to be a while. 

    We have Direct Access currently set up in the States and it works great. But we want a European location as well. Windows 7 doesn't support geolocation selection of Direct Access. Is it possible for us to set up a completely different Direct Access setup in Europe, different servers etc., on the same AD domain, with different groups set up for the policy? (Our current Direct Access group is named Direct Access, this one might be Direct Access Europe.)

    Friday, January 13, 2017 2:18 PM

All replies

  • Hi,

    Yes, you can have 2 deployments of DA in one AD. I have done it a number of times.

    I would recommend that you also look at a multisite configuration as well. The Win7 client will have to be tattooed to either US or Europe, but it would allow Win10 clients to connect to the closest connection point. But you should note that if you enable Multisite on the current DA it will break all current connections.

    Regards, Rmknight

    Friday, January 13, 2017 2:56 PM
  • Agree with Rmknight, you can certainly set up two completely separate DA entrypoints within the same domain. They will run independently, never having to know anything about each other. You can do this whether the DA servers sit right next to each other on the same subnets, or halfway across the world from each other.

    I have one additional note that may be of interest, given your situation. The company that I work for recently created something we call Failover Client for DirectAccess (FC4DA). This is a true failover technology for DirectAccess clients. Once installed, your DirectAccess client machines will continually remain connected to their primary site, but will also be aware of a backup/failover site. They will only cut over to the failover site if the primary site goes offline. In that event, the clients cut over seamlessly to the failover site, and their DirectAccess is now connected there. When the primary site comes back online, the clients automatically swing their connections back over. It is possible to have different "primary/failover" sites specified depending on where the clients are located. So if you set up one DA server in the US and another in EU, your US users would have US=primary/EU=failover, and your EU users could have EU=primary/US=failover, if you wanted, or if it fits your methods better to have everyone connect to the US as primary, that is fine as well.

    Failover Client for DirectAccess works on Windows 7, Windows 8, and Windows 10. Another huge benefit is that we actually prefer the DirectAccess servers are configured independently - no Multi-Site setup required. This way you don't have to worry about breaking everyone's connections, because if you enable Multi-Site on your existing DA server it will absolutely do that.

    Anyway, I won't turn this into a book. :) If you would like additional details or to have a call about FC4DA, feel free to reach out to me directly:


    Tuesday, January 17, 2017 9:26 PM