Migrate DirectAccess from 2012 to 2012 R2


  • I know I'm a bit early, but is there perhaps any guidance available on migrating DA from WS2012 to WS2012 R2? Is an in-place upgrade also supported? I'm only considering this because we'll be standardizing on R2.

    How would one approach this from one WS2012 to another WS2012? I'm thinking not much has changed in R2.

    Saturday, September 14, 2013 5:31 PM


All replies

  • Hi,

    I didn’t find any official guide about the migration; but I think there will be.

    Personally, I don’t think Windows Server 2012 R2 will make a lot of changes.

    Here is some information about 2012 R2:

    What's New in Windows Server 2012 R2

    In addition, the Windows Server 2012 R2 preview has been released; you can test before RTM is released:

    TechNet Evaluation Center

    Hope this helps.

    Monday, September 16, 2013 9:36 AM
  • Thank you Danile, I already have access to RTM bits, I installed it and did a quick test, but didn't find any differences. The reason for migrating is purely for standardization. All new servers will be WS2012 R2 and I'd like to move our DirectAccess solution to R2 as well (we're still testing it, it will be much harder once it's in full production).
    Monday, September 16, 2013 10:21 AM
  • There are not any significant changes in R2 related to DirectAccess. The easiest way to "swing" is going to be bringing a new R2 instance online in parallel to your existing DA instance, and then swinging the clients from one to the other by changing their group membership. This should all be pretty straightforward if you aren't using ISATAP. If you are using ISATAP, it gets considerably more complicated. I do these kinds of migrations all the time (mostly from UAG to 2012 currently, but it's the same story) - feel free to keep my contact info for when the time comes if you need any assistance:
    Monday, September 16, 2013 2:13 PM
  • Thank you Jordan. An additional question, I assume I have to rename (in the Remote Access wizard) either the existing or the new DirectAccess Client/Server Settings, then just link them at the appropriate OU or group membership.

    I'm using ISATAP on just two servers, SCCM and an additional monitoring/Remote Control box.

    Tuesday, October 01, 2013 8:44 AM
  • Are you bringing a new 2012 R2 box online to take over DirectAccess? If this is the case, you can leave your old environment running and bring the new one online as a second DA entry point. Just make sure during the wizards to specify different GPO and group names to keep everything separated from the old environment.

    While making this transition, typically I disable ISATAP in the network. If you have ISATAP running globally (which it sounds like you don't, but many people are), then the new DA server will set itself up as an ISATAP host and will cause all sorts of trouble for you. Disable ISATAP, then bring the new system online and cut users over to it, then you can rebuild ISATAP, this time pointing the ISATAP hosts to the new DA server.

    Tuesday, October 01, 2013 1:00 PM
  • Thank you for this, would you ever consider doing an in-place upgrade?
    Saturday, October 19, 2013 4:57 PM
  • I think that I would only do that if I could know that my remote clients would be able to either come into the office if they needed to for new Group Policy settings, or be able to host VPN connections to accomplish the same thing. If you take down the 2012 server and bring a 2012 R2 up in its place, with the same IPs and name, chances are that the existing GPO is not going to like it and the DA console on the server isn't going to pick up the configuration from the existing GPOs. You'll still be configuring DA as if this were a new server, and you can specify to use the same GPOs, but at the end of the wizard it's going to re-write settings in the GPO with new. Now, they are going to be the same settings (except for the filtering setting for the server GPO), so there is certainly a chance that when you finish this, the clients will simply start connecting right away. But...there is also a chance that they won't, and that you'll have to connect them in some way to do a gpupdate before they will connect. I haven't tried this exact scenario to be able to tell you for sure.

    If you have more IPs available, and bring the two boxes online in parallel, then you can "swing" clients from one to the other by simply changing their group membership settings. This way you can move all DA clients over to the new system at whatever pace you would like, and when you confirm that they are all connecting through the new entry point, you can shut down the old one and delete the old GPOs.

    Monday, October 21, 2013 12:48 PM
  • Jordan, thank you yet again.

    My question was, could I just put a 2012 R2 .iso in our existing 2012 DA server and just upgrade it? Our users would be redirected to using another vendor's VPN solution at the time of the upgrade.

    Monday, October 21, 2013 1:46 PM
  • That is a very good question! To which I have no answer. :)

    I have done that exact procedure to move a Surface Pro to be a Surface Enterprise, but I haven't tried it with Server 2012 to R2...

    Monday, October 21, 2013 3:10 PM
  • I made a snapshot and tried it and haven't found any issues, so it just worked.
    Tuesday, October 22, 2013 8:37 PM
  • Awesome!
    Tuesday, October 22, 2013 8:41 PM
  • Our upgrade failed, had to roll it back to the snapshot.

    DA console failed to connect to DC to pull configuration/GPOs. I checked firewall rules to ensure DA exceptions were carried over from 2012 and it looked correct. Did you have to make any changes/reconfigurations post the upgrade to 2012 R2?

    Thank you very much for your time.

    Monday, August 11, 2014 8:31 PM
  • G'day,

    Just wanted to confirm that I have just upgraded our 2012 Direct Access server from 2012 to 2012 R2 without any issues.

    The only thing I noticed was its internal NIC dropped its IP address.  I just disconnected and reconnected the NIC and it's all good (running VMware 5.0).

    Thanks and Good Luck on the upgrades.  Hope this fixes the Windows 8 computers that always say "connecting to workplace"

    Thursday, August 21, 2014 10:53 AM
  • I also had the "Connecting to Workplace" displaying, then I found out I was missing a DNS entry for "directaccess-WebProbeHost" pointing to my DA server. That solved it for me.

    Mike Pietrorazio

    Tuesday, October 14, 2014 6:19 PM
  • My upgrade was not flawless.

    I didn't notice that after the 2012->2012R2 upgrade the IPv6 Local Unicast address (fdex:xxxx:) on the LAN interface had changed :(

    DirectAccess configuration master proposed that I make a fresh setup.

    The fresh setup did work.. but external DA clients couldn't resolve DNS, because DNS was set to the old Local address. No connectivity with DCs, no gpupdate :(

    I had to modify IPv6 address on server's LAN interface to match old DA client settings.

    netsh int ipv6 show addr

    netsh int ipv6 delete address interface=X address=Y

    netsh int ipv6 set address interface=X address=Z

    • Edited by i3laze_ Tuesday, September 29, 2015 5:40 PM
    Tuesday, September 29, 2015 5:40 PM
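
An added example, not part of the thread and not from any of its posters: a read-only PowerShell check for the two post-upgrade problems reported above, the changed IPv6 address on the internal interface and the missing "directaccess-WebProbeHost" DNS record. The interface alias `Internal` and the state file path are assumptions; replace them with your own values.

```powershell
# Added example, not from the thread. Read-only: it changes no settings.
# Run with -Mode Save before the in-place upgrade, -Mode Compare after it.
param(
    [ValidateSet('Save', 'Compare')]
    [string]$Mode        = 'Compare',
    [string]$InternalNic = 'Internal',               # assumed interface alias
    [string]$StateFile   = 'C:\da-ipv6-before.txt',  # assumed path
    [string]$ProbeName   = 'directaccess-WebProbeHost'
)

function Get-DaIpv6Address {
    param([string]$Alias)
    # Non-link-local IPv6 addresses on the NIC, as "address/prefixlength" strings.
    Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv6 |
        Where-Object { $_.IPAddress -notlike 'fe80*' } |
        ForEach-Object { '{0}/{1}' -f $_.IPAddress, $_.PrefixLength }
}

if ($Mode -eq 'Save') {
    Set-Content -Path $StateFile -Value @(Get-DaIpv6Address -Alias $InternalNic)
    Write-Output "Saved IPv6 state of '$InternalNic' to $StateFile"
    return
}

if (-not (Test-Path $StateFile)) {
    throw "No saved state at $StateFile; run with -Mode Save before upgrading."
}
$before  = @(Get-Content -Path $StateFile | Where-Object { $_ })
$after   = @(Get-DaIpv6Address -Alias $InternalNic)
$missing = @($before | Where-Object { $after  -notcontains $_ })
$added   = @($after  | Where-Object { $before -notcontains $_ })

if ($missing.Count -or $added.Count) {
    $missing | ForEach-Object { Write-Warning "Gone after upgrade: $_" }
    $added   | ForEach-Object { Write-Warning "New after upgrade:  $_" }
    Write-Warning 'DA clients may still point DNS at the old address until they refresh Group Policy.'
} else {
    Write-Output "IPv6 addresses on '$InternalNic' are unchanged."
}

# The connectivity probe name from the thread must resolve on the internal network.
$probe = Resolve-DnsName -Name $ProbeName -ErrorAction SilentlyContinue
if ($probe) {
    $probe | Where-Object { $_.IPAddress } |
        ForEach-Object { Write-Output "$ProbeName -> $($_.IPAddress)" }
} else {
    Write-Warning "$ProbeName does not resolve; check the DNS record that should point at the DA server."
}
```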