Two Direct Access on the same domain

    Question

    Hi

    I have DA 2012 R2 that is installed on Windows Server 2012 R2. I need to implement a new installation of DA with Windows Server 2016 and move the clients to the new DA. I read several KBs and everything points to it being supported to have two DAs on the same domain; Group Policy can be assigned manually, and the CA, NLS, etc. can be shared. My concern is that the DNS records for directaccess-webprobehost and directaccess-corpConnectivityHost can only point to one server. Is that something that can be solved? Am I missing something else regarding having two DAs?

    Thursday, April 05, 2018 4:40 AM

Answers

  • 1. Deploy the new DA through the wizard, pointing to manually created GPOs.

    2. As soon as I finish with the wizard, I have to go back to step 1 and delete all the records under NCA. That's it? What should you add instead?

    3. Where do you link the GPOs? Domain level?

    1. Manually, or let them be generated.

    1.5. Take backup of your existing DNS records related to DA.

    2. Yes, delete NCA and add any HTTP or ping addresses which reply/are accessible inside the internal network. You will need NLS either way, so you might use the same address there as well. I assume your DNS records will be modified, so you need to modify them back.

    3. This is up to you. I do not like the idea of linking GPOs at the domain level; I have a Server OU and a Workstation OU in my AD hierarchy.

    If your client GPO contains NCA records but they are not there, your DA connection will be established, but the status will remain "Connecting" instead of "Connected".

    Maybe it would be better not to modify your production DA 2012 now and wipe those DNS records away.


    MCSE Mobility. Please remember to mark my post as an answer, if I really helped you out, or vote if useful. Thank you!

    • Marked as answer by ITinNeed Wednesday, April 18, 2018 7:14 AM
    Tuesday, April 10, 2018 2:43 PM
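An added example (not posted by either participant) for step 1.5 and step 2 of the accepted answer: it backs up the DA probe DNS records before they are removed, then checks that the replacement HTTP and ping probe targets actually answer from inside the corporate network, so the client does not get stuck at "Connecting". The zone name, DNS server and probe targets are placeholders to replace with your own.

```powershell
# Added example, not from the thread. Placeholder values: AD DNS zone,
# DNS server, and the internal HTTP/ping targets used as replacement probes.
$Zone      = 'corp.example.com'       # placeholder AD-integrated DNS zone
$DnsServer = 'dc01.corp.example.com'  # placeholder DNS server
$Backup    = "$env:USERPROFILE\da-dns-backup-$(Get-Date -Format yyyyMMdd-HHmm).xml"

# Records the DA wizard creates for NCA (the two names from the question)
$DaRecords = 'directaccess-webprobehost', 'directaccess-corpconnectivityhost'

# Step 1.5: export the current records so they can be restored if needed
$Existing = foreach ($Name in $DaRecords) {
    Get-DnsServerResourceRecord -ZoneName $Zone -ComputerName $DnsServer `
        -Name $Name -ErrorAction SilentlyContinue
}
$Existing | Export-Clixml -Path $Backup
Write-Host "Backed up $(@($Existing).Count) record(s) to $Backup"

# Step 2: replacement probes, which must only be reachable internally
# (placeholders; the answer suggests the NLS address can double as one)
$HttpProbe = 'https://nls.corp.example.com/'
$PingProbe = 'dc01.corp.example.com'

# HTTP probe: any 200 response from inside the network counts as "corporate"
$httpOk = $false
try {
    $r = Invoke-WebRequest -Uri $HttpProbe -UseBasicParsing -TimeoutSec 5
    $httpOk = ($r.StatusCode -eq 200)
} catch {
    Write-Warning "HTTP probe failed: $($_.Exception.Message)"
}

# Ping probe: -Quiet returns a single boolean
$pingOk = Test-Connection -ComputerName $PingProbe -Count 2 -Quiet

# Only swap the NCA entries in the client GPO when both probes answer
[pscustomobject]@{
    HttpProbe               = $HttpProbe
    HttpOk                  = $httpOk
    PingProbe               = $PingProbe
    PingOk                  = $pingOk
    SafeToReplaceNcaEntries = ($httpOk -and $pingOk)
}
```

Run it from a domain-joined machine on the internal network; if either probe fails, fix the target before removing the wizard-created records, otherwise clients will report "Connecting" rather than "Connected".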

All replies

  • I just did this project and I had the same concern! These records are not mandatory, if you have other NLS and NCA replying from your domain internally. This is a good article to understand: https://directaccess.richardhicks.com/2015/07/06/directaccess-dns-records-explained/

    What we did: we actually deleted these records from the 2012 config and replaced them with real HTTP and ping responses (other servers). During rolling out 2016 side by side, we also deleted these records and did not use them.

    The funny behavior I noticed is that these records are always created by themselves, even if you do delete them during the wizard.

    My story. https://social.technet.microsoft.com/Forums/en-US/d8910008-50af-428d-96c6-592cbb646325/can-2-da-serverssetups-coexists-in-the-same-ad-domain?forum=forefrontedgeiag


    MCSE Mobility. Please remember to mark my post as an answer, if I really helped you out, or vote if useful. Thank you!


    • Edited by yannara Sunday, April 08, 2018 10:14 AM
    Sunday, April 08, 2018 10:13 AM
  • Hi Yannara, and thank you very much for your reply.

    So let me get this straight. What needs to be done is the following (correct me if I'm wrong):

    1. Deploy the new DA through the wizard, pointing to manually created GPOs.

    2. As soon as I finish with the wizard, I have to go back to step 1 and delete all the records under NCA. That's it? What should you add instead?

    3. Where do you link the GPOs? Domain level?

    • Edited by ITinNeed Tuesday, April 10, 2018 10:48 AM
    Tuesday, April 10, 2018 6:13 AM