DirectAccess 2012 - Writeable DC Required?

  • Question

  • Hi Everyone,

    I am looking to deploy DirectAccess 2012 Server into our DMZ environment and am currently working through a lab install.

    In our lab we are seeing the prerequisite checks fail when we use a read-only domain controller, but when we switch it for a writeable DC it proceeds without issue. Is this expected behaviour?

    Thanks in advance.

    Thursday, November 22, 2012 7:00 AM

All replies

  • Hi,

    It's just the same as DirectAccess with UAG or Windows Server 2012. GPOs must be generated. Active Directory objects cannot be created on an RODC, so your Windows Server 2012 needs to have access to a writable domain controller. In UAG, you can export the PowerShell script that generates the GPOs and run it on a writable domain controller. I don't have access to a Windows Server 2012 URA console at the present time, but this option must be included in the URA console.

    Best regards.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Thursday, November 22, 2012 2:12 PM
  • No, that option seems to be gone... they are now talking about using staging GPOs; see section 1.8.4 from here: http://technet.microsoft.com/en-us/library/jj134148.aspx

    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Thursday, November 22, 2012 3:27 PM
  • Arg

    Bad idea. Staging GPOs only limit the privileges required to run the URA PowerShell commands. This does not solve the RODC problem.

    From my point of view, the only solution is to install the URA console on a server located on the LAN with access to an RWDC. Staging GPOs will be a good option to limit the privileges required to configure DirectAccess. Is it an acceptable workaround?

    Best regards.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Thursday, November 22, 2012 3:38 PM
  • Wasn't suggesting it did, just noticed the ability to export to a script from the UI no longer seems to be available...

    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Thursday, November 22, 2012 3:40 PM
  • Yes, I believe that experience is by design.

    "The server GPO is managed by one of the domain controllers in the Active Directory site associated with the server, or if domain controllers in that site are read-only, by a write-enabled domain controller closest to the Remote Access server."

    Source: http://technet.microsoft.com/en-us/library/jj134148.aspx#bkmk_1_6_AD


    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk


    Thursday, November 22, 2012 3:44 PM
  • That's a technical limitation. It is not possible to manage GPOs on an RODC. Running the script from another location was possible with UAG 2010 and Windows Server 2008 R2 because it relied on a limited set of PowerShell commands available on any machine. Since Windows Server 2012 and full PowerShell configuration, it's just easier to install the URA console, which also provides the PowerShell cmdlets.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Thursday, November 22, 2012 3:49 PM
  • Any update on this?

    As far as I understand, it is currently not possible to implement DirectAccess without access to a writable domain controller.

    The GPOs cannot be changed/updated on an RODC.

    Staging GPOs don't help in this case because they need to be changed by the DA server on a writable DC.

    The AD DS requirements for DA aren't unclear in this case. http://technet.microsoft.com/en-us/library/jj134148.aspx#bkmk_1_6_AD

    Set-DAEntryPointDC does not help because the DA server still needs to contact a writable DC.

    Am I wrong?

    Thanks

    Chris

    Wednesday, May 14, 2014 12:24 PM
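The point the thread keeps returning to is that the DirectAccess prerequisite check fails when the server can only reach an RODC. The following PowerShell snippet is an added example, not code from this thread or from Microsoft; it runs the same kind of DC-locator query from the candidate DirectAccess server before the Remote Access wizard is started, so a missing writable DC shows up as an explicit warning rather than a failed prerequisite check. It assumes the RSAT ActiveDirectory module is installed on the machine it runs from; the site name and output format are illustrative.

```powershell
# Added pre-deployment check (not from the thread): confirm that a writable
# domain controller is reachable from the server that will run the
# DirectAccess / Remote Access setup. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# Site of the DC this machine locates by default (the DA server's own site).
$localSite = (Get-ADDomainController -Discover).Site
Write-Host "Domain controllers visible from site '$localSite':"

# List the DCs in that site with their read-only flag, so a site that only
# contains RODCs is obvious before the wizard is run.
Get-ADDomainController -Filter * |
    Where-Object { $_.Site -eq $localSite } |
    Select-Object HostName, Site, IsReadOnly |
    Format-Table -AutoSize

# Ask the locator for a writable DC, allowing the next closest site, which
# mirrors the TechNet statement that a write-enabled DC closest to the
# Remote Access server manages the server GPO when the local site is RODC-only.
try {
    $rwdc = Get-ADDomainController -Discover -Writable -NextClosestSite -ErrorAction Stop
    Write-Host "Writable DC reachable: $($rwdc.HostName) (site: $($rwdc.Site))"
    Write-Host "GPO creation by the Remote Access wizard can proceed against this DC."
} catch {
    Write-Warning "No writable DC is reachable from this host."
    Write-Warning "The Remote Access prerequisite check will fail; open a path to an RWDC (or run the configuration from a LAN host) before continuing."
}
```

Run it from the DMZ server with the account that will perform the DirectAccess configuration: a writable DC found here but a failing wizard usually points to a firewall rule that blocks the GPO-management traffic rather than to the RODC limitation itself, which matches the thread's advice to allow RWDC access for the one-time configuration and then re-enforce DMZ isolation.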
  • It's an old thread. Did you have a look at section 1.8.4 of your TechNet link? We don't change the DirectAccess configuration every day, so we need to have access to an RWDC once and for all and then enforce DMZ isolation.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Wednesday, May 14, 2014 5:46 PM