Is there a way to transfer clients from one single UAG DA server to another in the same domain without interacting with them?

  • Question

  • Hi.

    I have a UAG 2010 SP1 Direct Access server in array mode in 172.16.0.0 (DA01) (but actually it's a single server)

    192.168.1.0 is connected with 172.16.0.0 over site-to-site vpn.

    Recently we transferred all corporate resources to 192.168.1.0 & now all DA01 clients have to go to DA01 & then to 192.168.1.0 over vpn.

    I want to deploy another Direct Access server (DA02) in 192.16.1.0 & transfer all DA01 clients to it, so they could connect through DA02 to 192.16.1.0 directly. After that I want to get rid of DA01.

    Is there a way to point DA01 users to use new DA02 without interacting with them?

    Now I see only one way to accomplish it & I don't like it:

    1) Disable Direct Access on DA01, delete GPOs, delete isatap record in 172.16.0.0

    2) Deploy new DA02 server in 192.168.1.0, create new isatap record in 192.168.1.0

    3) Connect to Direct Access users PCs over something like teamviewer

    4) Create vpn connection to domain on each Direct Access user PC

    5) Gpupdate /force to receive new settings pointing them to new DA02 server

    Best regards,

    Valeriy Vainkop



    Saturday, June 30, 2012 12:17 PM

Answers

  • Hi,

    What about trying out the scenario below?

    1) Keep your isatap record pointing to your original UAG host (DA01)
    2) Do a new setup for DA02 (new GPO's, new AD group for computers) without changing the isatap DNS record.
    3) Move the computers (a few test machines first of course) from the old AD/DirectAccess/DA01 group to the new AD/DirectAccess/DA02 group.

    These machines should now connect to DA01 as configured, receive their group policy updates and apply them and then switch over to DA02.
    You will probably have a delay with the machines switching over until they renew their kerberos tickets of course if they were online before you switched groups.

    I often do something similar when switching from a PoC setup to a production setup.
    (Even though I often stick to NAT64/DNS64 if native IPv6 isn't deployed)

    Best wishes,
    Jonas Blom


    Wednesday, July 4, 2012 7:42 PM
  • The ISATAP setup surely complicates things, as you can't have both servers acting as ISATAP routers. I recommend that you first remove the ISATAP DNS record completely, and start working with NAT64 traffic only.

    Then, as Jonas said, do a new setup for DA02, with new GPOs and new groups. Still without using ISATAP at all.

    Then remove the client group from DA01 and add it to DA02. This way, clients will immediately receive DA02 policies on their next gpupdate. It will not require the client computers to restart in order to realize their new SG membership, so the migration will take less time.

    Later on, you can remove the DA01 configuration, and add back the ISATAP DNS entry for DA02.

    Thursday, July 5, 2012 11:11 AM
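Both answers above come down to the same server-side procedure: check (or remove) the ISATAP DNS record, then move client computer objects from the DA01 security group into the DA02 security group in small waves so the DA02 GPOs reach them on their next policy refresh. The script below is an added example written for this thread, not code from either poster or from UAG itself. The group names, the DNS zone and server, and the pilot computer list are assumptions; it uses the ActiveDirectory and DnsServer RSAT modules, which ship with Windows Server and the Remote Server Administration Tools.

```powershell
# Added example (not from the thread): staged DirectAccess client migration
# from the DA01 client group to the DA02 client group. All names below are
# assumptions; replace them with the groups and zone used in your domain.
Import-Module ActiveDirectory
Import-Module DnsServer

$OldGroup  = 'DirectAccess-DA01-Clients'   # assumed name of the DA01 client group
$NewGroup  = 'DirectAccess-DA02-Clients'   # assumed name of the DA02 client group
$DnsZone   = 'corp.example'                # assumed AD-integrated DNS zone
$DnsServer = 'dc01.corp.example'           # assumed DNS server hosting the zone
$Pilot     = @('LAPTOP01', 'LAPTOP02')     # constructed pilot set; start with a few test machines

# 1) Record the ISATAP state before touching clients. The first answer keeps the
#    record pointing at DA01 during the move; the second removes it up front and
#    relies on NAT64/DNS64 only. Either way, know what clients will resolve.
$isatap = Get-DnsServerResourceRecord -ZoneName $DnsZone -Name 'isatap' -RRType A `
              -ComputerName $DnsServer -ErrorAction SilentlyContinue
if ($isatap) {
    Write-Host "ISATAP A record present -> $($isatap.RecordData.IPv4Address)"
} else {
    Write-Host 'No ISATAP A record in the zone; clients will use NAT64/DNS64 only.'
}

# 2) Move each pilot computer and verify the result from AD before moving on.
#    Removing from the old group first avoids a client being scoped by both
#    sets of DirectAccess GPOs at the same time.
foreach ($name in $Pilot) {
    $computer = Get-ADComputer -Identity $name

    Remove-ADGroupMember -Identity $OldGroup -Members $computer -Confirm:$false
    Add-ADGroupMember    -Identity $NewGroup -Members $computer

    $inNew = Get-ADGroupMember -Identity $NewGroup |
             Where-Object { $_.SamAccountName -eq $computer.SamAccountName }
    $inOld = Get-ADGroupMember -Identity $OldGroup |
             Where-Object { $_.SamAccountName -eq $computer.SamAccountName }

    if ($inNew -and -not $inOld) {
        Write-Host "$name is now in $NewGroup only"
    } else {
        Write-Warning "$name membership is not as expected; check AD replication before continuing"
    }
}

# 3) Report what is still scoped to DA01 so the remaining waves can be planned,
#    and so DA01 is not decommissioned while computers still depend on it.
$remaining = Get-ADGroupMember -Identity $OldGroup | Where-Object { $_.objectClass -eq 'computer' }
Write-Host "Computers still in ${OldGroup}: $(@($remaining).Count)"
```

Run it against the pilot set first and watch those machines pick up the DA02 policy (a `gpupdate /force` on the client, as the question already mentions, shortens the wait); only widen `$Pilot` once the pilot machines are confirmed to connect through DA02. The membership check after each move exists because group changes take effect on the client only after its Kerberos ticket reflects the new group, so a machine that is still in both groups or in neither is the case you want to catch before the next wave.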
