locked
2012 R2 DirectAccess multi domain forest: Is it possible Limit Auto-discovery of domain controllers? RRS feed

  • Question

  • I've just successfully implemented Multisite server 2012 R2 DirectAccess in a child domain of a global company with numerous sub domains.  I'd like to limit the scope of the auto discovery of management servers in 2012 R2 DA is anyone aware of any way of doing this?

    During the default initial configuration of DirectAccess Auto-discovery of domain controllers is performed for all domains in the same forest as the DirectAccess server and client computers.

    In my scenario the number of sub domains and multinational nature of the company means that the DA servers cannot contact all DCs for every child domain in the forest.

    This means the Operations Status page in the Remote Access Management console always shows the status of the Domain Controller check as "critical" leaving a red X amongst my nice green ticks. It's untidy and at first glance it looks like there are major problems with the service.

    The DA servers, Client machines and users are in a single sub domain so we have no need to contact the other child domain DCs.

    I looked into using the Remove-DAMgmtServer PowerShell cmdlet however this is not applicable since it cannot be used to remove automatically configured management servers such as DCs.

    Also the child domain DCs don't actually appear in the management servers list.

    Thursday, November 13, 2014 3:39 PM

All replies

  • Hi, a colleague of mine had the same problem in a DirectAccess deployment in a large organization tat have a multi-domain forest. He had no choice to open network flow to have at least one domain controller per domain in the forest.  

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Friday, November 14, 2014 6:56 PM
  • Merci Benoit,

    That may not be an option in this case. I'll update the thread if I find an alternative approach.

    Thanks,

    Simon.

    Monday, November 17, 2014 10:31 AM
  • Hi,

    I will have a look on the subject too.

    Best regards.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Monday, November 17, 2014 5:19 PM
  • No changes in the way that the DirectAccess console works, it still pulls them all in. They do this because having the checkboxes in UAG that allowed people to uncheck DCs only ever resulted in problems. The DA server has zero control over what domain controller the client machines try to contact. If a client is trying to connect through DA and tries to hit a DC that is unchecked or not in the list of management servers, that client computer would fail to connect, through nobody's fault but the admin for having unchecked access to that domain controller in the first place. :)

    That is the idea behind including them all, anyway.

    By the way, you can de-select SCCM servers, as after running through the wizards for the first time, if you re-run through Step3 you can then see all of the SCCM servers and delete them, and they are then removed from the management servers list. But not the case with Domain Controllers.

    Friday, January 6, 2017 4:33 PM