DirectAccess - Certificates and DNS Scavenging

  • Question

  • Hey,

    Are there any plans to support a subject alternative name entry for DirectAccess?  It obviously has to be the common name at the moment.

    I had an issue over Christmas with DNS scavenging the DA records so things were broken!  What are the options to stop it happening again, other than completely disabling scavenging?

    Can I make them static records so they don't get scavenged again?
    Can I exclude just the 'standard' records from being scavenged?

    Thanks

    Tuesday, January 3, 2017 11:18 AM

Answers

  • Which records got scavenged? If it was the "webprobehost" record, that shouldn't actually break DA; it will just cause the clients to continually say "Connecting" when they are actually, in fact, connected just fine. My recommendation for this is to change Step 1 in the wizards and get rid of webprobehost altogether, and identify your own probe that you know is static. That way you don't even rely on the self-generated probe record and you can delete it.

    Otherwise, if you want to continue using the self-generated records, you can just create them in DNS manually and DNS will then let them live. :)

    • Marked as answer by Lanky Doodle Tuesday, January 10, 2017 8:44 AM
    Friday, January 6, 2017 4:09 PM
  • It was all of them! Except for the actual server's IP address.

    What I ended up doing is re-configuring DA so it put all the DNS records back and unticking the Timestamp value in each record, which switches the default ones to static.

    Thanks for your reply though.  I'll keep that in mind.

    • Marked as answer by Lanky Doodle Tuesday, January 10, 2017 8:44 AM
    Tuesday, January 10, 2017 8:44 AM
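
Added example (not part of the original posts): a read-only PowerShell audit that lists which DirectAccess-related records in a zone still carry a timestamp, and are therefore subject to scavenging, and when they would become eligible under the zone's aging settings. The zone name, DNS server name and name pattern are placeholder assumptions to replace with your own.

```powershell
# Read-only audit: which DirectAccess-related A/AAAA records are dynamic
# (timestamped) and can therefore be scavenged? Nothing is modified.
param(
    [string]   $ZoneName    = 'corp.example.com',        # placeholder zone
    [string]   $DnsServer   = 'dns01.corp.example.com',  # placeholder DNS server
    [string[]] $NamePattern = @('*webprobehost*')        # add your other DA record names
)

Import-Module DnsServer

# Zone aging settings decide whether and when scavenging can remove a record.
$aging  = Get-DnsServerZoneAging -Name $ZoneName -ComputerName $DnsServer
$window = $aging.NoRefreshInterval + $aging.RefreshInterval

# Collect IPv4 and IPv6 host records from the zone.
$records = foreach ($type in 'A', 'AAAA') {
    Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $DnsServer -RRType $type
}

$report = $records |
    Where-Object {
        $hostName = $_.HostName
        # Keep the record if it matches any of the supplied wildcard patterns.
        $NamePattern | Where-Object { $hostName -like $_ }
    } |
    ForEach-Object {
        # A static record has no timestamp; a dynamic one does.
        $isStatic = -not $_.Timestamp
        [pscustomobject]@{
            HostName              = $_.HostName
            Type                  = $_.RecordType
            Static                = $isStatic
            Timestamp             = $_.Timestamp
            # Earliest time the record could be scavenged, if aging is enabled.
            ScavengeEligibleAfter = if ($isStatic -or -not $aging.AgingEnabled) { $null }
                                    else { $_.Timestamp + $window }
        }
    }

"Zone aging enabled: $($aging.AgingEnabled); no-refresh + refresh window: $window"
$report | Sort-Object Static, HostName | Format-Table -AutoSize
```

Any row with `Static` set to `False` is a record that needs to be made static as described in the answers above.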
