ISATAP and DA 2012

  • Question

  • Hi,

    I have not even started deploying DA; I am only trying to understand the concepts.

    We are in an IPv4-only domain, our DNS servers are running Windows 2008 R2, and DHCP is running for now on a W2k3 R2 server.

    So my understanding is that we'll need to use a transition technology like ISATAP. I don't see any clear documentation on how to enable and configure ISATAP for your network to be ready to run DA 2012.

    I have a book where it states that all you need to do is:

    - Create an A record for isatap.domain.local that points to your ISATAP router (it can be the DA 2012 server, as you can choose to make the DA server an ISATAP router during the config of DA)

    - Navigate to HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters. Double-click the GlobalQueryBlockList and remove isatap (do this on all your DNS servers)

    Is that what I need to do? What is the impact on other clients? Can I safely do it in our prod. environment?

    Why isn't it documented anywhere in TechNet?

    Thursday, April 18, 2013 12:22 PM
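
A read-only check of the state that the two steps quoted from the book would change, added here as an example and not part of the original thread: it reads GlobalQueryBlockList on each DNS server over remote registry, reports whether isatap is still blocked, flags servers that disagree, and tests whether the isatap name already resolves. The server names, the helper name Get-BlockListState and the reachability of the Remote Registry service are assumptions; EnableGlobalQueryBlockList is the on/off value that sits in the same key.

```powershell
# Added example (not from the thread): read-only audit of the DNS global query block list.
# Assumptions: placeholder server names, Remote Registry reachable, caller is an administrator.
$DnsServers = @('dns01.domain.local', 'dns02.domain.local')   # placeholders
$KeyPath    = 'SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-BlockListState {                 # hypothetical helper name
    param([string]$Server)
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $Server)
    try {
        $key = $base.OpenSubKey($KeyPath)     # OpenSubKey(string) opens read-only
        if ($null -eq $key) { throw "DNS Parameters key not found on $Server" }
        $raw  = $key.GetValue('GlobalQueryBlockList', $null)   # REG_MULTI_SZ
        $list = @($raw | Where-Object { $_ })                  # drop empty entries
        New-Object PSObject -Property @{
            Server        = $Server
            Enabled       = $key.GetValue('EnableGlobalQueryBlockList', $null)
            ValuePresent  = ($null -ne $raw)   # false = value not set in the registry
            IsatapBlocked = ($list -contains 'isatap')   # -contains ignores case
            BlockList     = ($list -join ',')
        }
    } finally {
        if ($key) { $key.Close() }
        $base.Close()
    }
}

$report = foreach ($s in $DnsServers) {
    try   { Get-BlockListState -Server $s }
    catch { Write-Warning "$s : $($_.Exception.Message)" }
}
$report | Format-Table Server, Enabled, ValuePresent, IsatapBlocked, BlockList -AutoSize

# The book's step has to be applied on every DNS server; flag a partial change.
$states = @($report | Where-Object { $_ } |
            ForEach-Object { $_.IsatapBlocked } | Select-Object -Unique)
if ($states.Count -gt 1) {
    Write-Warning 'DNS servers disagree on whether isatap is blocked.'
}

# Does the short name isatap already resolve from this host? Uses the local
# resolver, so an answer may also come from LLMNR or NetBIOS rather than DNS.
try {
    [System.Net.Dns]::GetHostAddresses('isatap') | ForEach-Object { "isatap -> $_" }
} catch {
    'isatap does not resolve from this host.'
}
```

Nothing in the script writes to the registry, so it can be run before and after any change to compare the two reports.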

Answers

  • Hi

    Yes, transition technologies will be required for DirectAccess, but only Teredo and IPHTTPS. ISATAP will not be required because in Windows Server 2012, URA includes DNS64/NAT64 features that allow DirectAccess users to access corporate resources even if they operate in IPv4. Technically speaking, ISATAP is only required when a client connected on the corporate network needs to communicate with DirectAccess clients on the Internet (e.g. remote control).

    Generalizing ISATAP on the corporate network is no longer a recommended scenario from Microsoft's point of view. With DirectAccess, we use ISATAP but for limited usages.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    • Marked as answer by ReMark-IT Friday, April 19, 2013 7:26 AM
    Thursday, April 18, 2013 7:56 PM
  • Hello TomaVit

    BenoitS's explanation is right to the point. If you are looking for more documentation, a good starter for IPv4 only is this document:

    Test Lab Guide: Demonstrate DirectAccess Simplified Setup in an IPv4-only Test Environment in Windows Server 2012

    This guide will walk you through the necessary steps to set up DirectAccess 2012 without ISATAP.

    Important note: "Simplified setup" means only support for Windows 8 clients since no internal PKI is required. If you want to use Windows 7 clients, the Test Lab Guide: Demonstrate DirectAccess (written for Windows Server 2008 R2 DirectAccess which required ISATAP) contains some more information on what you need to do on your own PKI.

    /Maurice

    • Marked as answer by ReMark-IT Friday, April 19, 2013 10:16 AM
    Friday, April 19, 2013 9:35 AM
