How to configure DirectAccess to access 2003 server resources?

  • Question

  • Hi,

    My DA and other servers are implemented on MSSRV 2008 R2. I tested this implementation and can now access the R2 servers from clients via iphttps or teredo. I can connect to shared and other resources. On my DNS I have two forward zones, mydomain.lt and mydomain2.lt; the DA NRPT is configured only for mydomain.lt.

    Trouble:

    I have one 2003 server connected to my architecture. DA can ping this server at IPv6 2002:c3b6:5206:1:0:5efe:172.30.xx.xxx_7 and the 2003 server can ping DA via IPv6. There are some important apps and two websites.

    One of the websites is help.mydomain2.lt. I am trying to configure the DA server and client to access this site.

    I tried adding a DNS IPv6 entry for "help" and adding the second domain "mydomain2.lt" to the NRPT with the same DNS servers as mydomain.lt. Then from the client I can ping help.mydomain2.lt and get an answer from 2002:c3b6:5206:1:0:5efe:172.30.xx.xxx_7, but when I try to access the site with IE I get an error.

    Ipconfig for 2003 server:

    Windows IP Configuration
    
       Host Name . . . . . . . . . . . . : fileserver
       Primary Dns Suffix  . . . . . . . : mydomain.lt
       Node Type . . . . . . . . . . . . : Unknown
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : mydomain.lt
    
    Ethernet adapter Local Area Connection 6:
    
       Connection-specific DNS Suffix  . : mydomain.lt
       Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
       Physical Address. . . . . . . . . : 20-00-00-00-00-00
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IP Address. . . . . . . . . . . . : 172.30.xx.xxx_1
       Subnet Mask . . . . . . . . . . . : 255.255.254.0
       IP Address. . . . . . . . . . . . : fe80::250:56ff:febd:0%4
       Default Gateway . . . . . . . . . : 172.30.xx.xxx_2
       DHCP Server . . . . . . . . . . . : 172.30.xx.xxx_3
       DNS Servers . . . . . . . . . . . : 172.30.xx.xxx_4
                                           172.30.xx.xxx_5
                                           fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
       Lease Obtained. . . . . . . . . . : 2012 m. sausio 25 d. 08:22:38
       Lease Expires . . . . . . . . . . : 2012 m. vasario 1 d. 08:22:38
    
    Ethernet adapter Local Area Connection 7:
    
       Connection-specific DNS Suffix  . : mydomain.lt
       Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
       Physical Address. . . . . . . . . : 10-00-00-00-00-00
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IP Address. . . . . . . . . . . . : 172.30.xx.xxx_7
       Subnet Mask . . . . . . . . . . . : 255.255.254.0
       IP Address. . . . . . . . . . . . : fe80::250:56ff:febf:f%5
       Default Gateway . . . . . . . . . : 172.30.xx.xxx_2
       DHCP Server . . . . . . . . . . . : 172.30.xx.xxx_3
       DNS Servers . . . . . . . . . . . : 172.30.xx.xxx_4
                                           172.30.xx.xxx_5
                                           fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
       Lease Obtained. . . . . . . . . . : 2012 m. sausio 25 d. 08:22:48
       Lease Expires . . . . . . . . . . : 2012 m. vasario 1 d. 08:22:48
    
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
    
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : FF-FF-FF-FF-FF-FF-FF-FF
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : fe80::ffff:ffff:fffd%6
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Disabled
    
    Tunnel adapter Automatic Tunneling Pseudo-Interface:
    
       Connection-specific DNS Suffix  . : mydomain.lt
       Description . . . . . . . . . . . : Automatic Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 30-00-00-C9
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 2002:c3b6:5206:1:0:5efe:172.30.xx.xxx_7
       IP Address. . . . . . . . . . . . : fe80::5efe:172.30.xx.xxx_7%2
       Default Gateway . . . . . . . . . : fe80::5efe:172.30.xx.xxx_dasrv%2
       DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
       NetBIOS over Tcpip. . . . . . . . : Disabled
    
    Tunnel adapter Automatic Tunneling Pseudo-Interface:
    
       Connection-specific DNS Suffix  . : mydomain.lt
       Description . . . . . . . . . . . : Automatic Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 40-00-00-E7
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : fe80::5efe:172.30.xx.xxx_1%2
       Default Gateway . . . . . . . . . : fe80::5efe:172.30.xx.xxx_dasrv%2
       DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
       NetBIOS over Tcpip. . . . . . . . : Disabled

     

     

    Maybe I forgot something or have a bad configuration? Is it possible to connect to the 2003 website from DA clients via IPv6?

    Thank you in advance

     

     



    • Edited by DimiKo Thursday, January 26, 2012 1:54 PM
    Thursday, January 26, 2012 1:49 PM


All replies

  • Are you using native DirectAccess or DirectAccess provided by UAG? With UAG, this will work just fine without needing IPv6 on that 2003 server at all because UAG contains NAT64/DNS64 that will translate the DA packets into IPv4 packets on the inside of your network.

    It is my understanding that there are a lot of quirks and problems associated with forcing IPv6 to run on a 2003 server.

    Thursday, January 26, 2012 2:00 PM
  • I use native DA. Can I implement something like NAT64/DNS64 without UAG? Is it a standalone server or something like a separate device?
    Thursday, January 26, 2012 2:23 PM
  • Unfortunately not. There used to be something called NAT-PT but it is no longer supported as there were many problems with it. If you need to contact Server 2003 internal resources with DirectAccess clients UAG is definitely the way to go.

    UAG will also give you numerous other benefits like the ability to load balance multiple servers together and the ability to publish SSLVPN web portals if you ever have the need.

    • Marked as answer by DimiKo Monday, January 30, 2012 12:13 PM
    Thursday, January 26, 2012 2:29 PM
  • As mentioned by jordan, DNS64/NAT64 is only available with Forefront UAG. As a last solution you can install the IPv6 stack on Windows 2003 and configure an ISATAP interface:

    1. Go to Start | Control Panel, and double-click Network Connections.
    2. Right-click the network adapter on which you want to enable IPv6, and select Properties.
    3. Click Install.
    4. Select Protocol from the list of installation choices, and click Add.
    5. Select Microsoft TCP/IP Version 6, and click OK.

    Or simply run the following command: netsh interface ipv6 install

    The problem is that you will have to configure it manually with NETSH.EXE. Note that the command lines are not exactly the same as in Windows 2008.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    • Marked as answer by DimiKo Monday, January 30, 2012 12:13 PM
    Thursday, January 26, 2012 2:46 PM
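
    The ISATAP interface mentioned in the answer above produces addresses of the form prefix:0:5efe:w.x.y.z, as seen in the question's ipconfig output. The following is an added example, not code from any poster in this thread: it derives the ISATAP address a server should register in DNS from its /64 prefix and IPv4 address, and decodes the IPv4 addresses embedded in an existing AAAA value. The prefix and IPv4 values used in the test are constructed, and the function names are hypothetical.

```python
import ipaddress

# ISATAP interface identifiers (RFC 5214): 0000:5efe for a private IPv4
# address, 0200:5efe when the embedded IPv4 address is globally unique.
ISATAP_IIDS = (0x00005EFE, 0x02005EFE)


def isatap_address(prefix64, ipv4):
    """Build the ISATAP address for an IPv4 host under a /64 prefix."""
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("ISATAP requires a /64 prefix")
    v4 = ipaddress.IPv4Address(ipv4)
    marker = 0x00005EFE if v4.is_private else 0x02005EFE
    value = int(net.network_address) | (marker << 32) | int(v4)
    return ipaddress.IPv6Address(value)


def decode(addr):
    """Return the IPv4 addresses embedded in an ISATAP and/or 6to4 address."""
    a = ipaddress.IPv6Address(addr)
    n = int(a)
    info = {"isatap_ipv4": None, "sixtofour_ipv4": None}
    # Bits 32..63 hold the ISATAP marker, the low 32 bits the host IPv4.
    if (n >> 32) & 0xFFFFFFFF in ISATAP_IIDS:
        info["isatap_ipv4"] = str(ipaddress.IPv4Address(n & 0xFFFFFFFF))
    # A 2002::/16 prefix carries the public IPv4 of the 6to4 router.
    if a.sixtofour is not None:
        info["sixtofour_ipv4"] = str(a.sixtofour)
    return info


def aaaa_matches(record, prefix64, ipv4):
    """Check that a DNS AAAA value is the ISATAP address of the given host."""
    return ipaddress.IPv6Address(record) == isatap_address(prefix64, ipv4)
```

    Comparing the AAAA record against the address derived from the adapter that actually hosts the website catches an entry that points at the wrong interface of a multi-homed server.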
  • If I have a native DirectAccess implementation, can I upgrade it to Forefront UAG?

    Or do I need to delete all my DirectAccess configurations and install Forefront UAG on a new server?

    Friday, January 27, 2012 7:46 AM
  • Hi

    There is no upgrade plan to upgrade DirectAccess to UAG 2010. You need to remove the DirectAccess Management Console and install UAG. You will also need to remove DirectAccess GPO.

     

     


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    Friday, January 27, 2012 8:22 AM
  • Thank you for the help
    Friday, January 27, 2012 10:30 AM