DNS entries created by second DirectAccess Server duplicate existing records

    Question

  • I want to add in a second DirectAccess server so I can transition my staff to AD authentication instead of certs, now that they're all on Windows 10 (my understanding is that the only way to change the settings without forcing clients to come back to the office for a GP update is to migrate them to a new server).

    I added a new server and it all seemed to work from my testing, but I noticed that duplicate directaccess-corpConnectivityHost, DirectAccess-NLS and directaccess-WebProbeHost records were created in DNS.

    As the day went on, I then started to see clients on the LAN connecting via DA (but strangely still able to work), so I pulled the new server and its DNS records out completely to get things back to normal.

    How can you add in the second DA server without causing DNS related issues?


    Richard P

    Friday, June 1, 2018 1:36 AM

Answers

  • By not using the DirectAccess server for the NLS (and simply putting an SSL cert onto another internal server), no duplicate records were created that impact IP-HTTPS.

    Richard P

    • Marked as answer by RichardParry Tuesday, June 12, 2018 7:26 PM
    Tuesday, June 12, 2018 6:52 PM

All replies

  • Hi,

    Thanks for your question.

    Based on the specific situation, we need to collect more information about this issue for troubleshooting.

    1. Please check whether the second DA server used the same name or IP as the initial deployment when it registered its records in DNS; also check the DNS server.

    2. May I know how many network cards the DA server was configured with? Please check whether the DA server's internal network adapter is connected to the domain network and can communicate with a DC on the local domain.

    3. Please also check Event Viewer or the Remote Access Management console on the DA server for any error messages so we can find more clues about this issue.

    4. In addition, we need to check whether the DirectAccess GPOs have been applied to the server and clients. Please run the command gpresult /r to check.

    Hope this helps. If you have any questions or concerns, please feel free to let me know.

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com



    Saturday, June 2, 2018 2:15 PM
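As an added check covering both the duplicate-record symptom in the question and the troubleshooting steps in the reply above (this is example code, not from the original thread or from Microsoft), the PowerShell below audits the three DirectAccess host records in the internal zone for conflicting addresses and then, from a client, reads the NLS URL out of the NCSI policy the DA client GPO delivers, resolves it and probes it over HTTPS with normal certificate validation. The zone name, the DNS server name and the NLS hostname are placeholders and are assumptions; the record names are the ones named in the question.

```powershell
# Added example, not code from the original thread. Placeholder values
# (assumptions): the AD DNS zone, the DNS server to query. Run the zone audit
# from a box with the DnsServer RSAT module; run the client check on a
# domain-joined DA client sitting on the LAN.
param(
    [string]$ZoneName  = 'corp.example.com',        # assumption
    [string]$DnsServer = 'dc01.corp.example.com'    # assumption
)

# The three host records the Remote Access wizard registers in internal DNS
# (names as reported in the question above).
$daRecordNames = @(
    'directaccess-corpConnectivityHost',
    'DirectAccess-NLS',
    'directaccess-WebProbeHost'
)

function Get-DARecordAudit {
    # One row per (name, record type). Conflict = $true means more than one
    # distinct address is registered under the same name, i.e. two DA servers
    # each published the record with their own IP, which is the symptom above.
    # A name may legitimately carry both an A and an AAAA record, so the two
    # types are reported separately rather than mixed into one count.
    param([string]$ZoneName, [string]$DnsServer, [string[]]$Names)
    foreach ($name in $Names) {
        foreach ($type in 'A', 'AAAA') {
            $records = @(Get-DnsServerResourceRecord -ComputerName $DnsServer `
                -ZoneName $ZoneName -Name $name -RRType $type -ErrorAction SilentlyContinue)
            $addrs = @($records | ForEach-Object {
                if ($type -eq 'A') { $_.RecordData.IPv4Address.IPAddressToString }
                else               { $_.RecordData.IPv6Address.IPAddressToString }
            })
            $distinct = @($addrs | Sort-Object -Unique)
            [pscustomobject]@{
                Name      = $name
                Type      = $type
                Addresses = ($addrs -join ', ')
                Records   = $addrs.Count
                Distinct  = $distinct.Count
                Conflict  = ($distinct.Count -gt 1)
            }
        }
    }
}

function Test-DANlsFromClient {
    # Reads the NLS URL the client was given by the DA client GPO, checks how
    # many addresses it resolves to, and probes it over HTTPS with the default
    # certificate validation. A LAN client that cannot reach the NLS, or that
    # is handed a certificate it does not trust, concludes it is off-site and
    # brings up the DA tunnel, which matches the behaviour in the question.
    $policy = Get-NCSIPolicyConfiguration -ErrorAction SilentlyContinue
    $nlsUrl = $policy.DomainLocationDeterminationUrl
    if (-not $nlsUrl) {
        return [pscustomobject]@{
            NlsUrl = $null; Resolved = ''; HttpsOk = $false
            Note   = 'No NLS URL in NCSI policy; check that the DA client GPO applied (gpresult /r)'
        }
    }
    $nlsHost  = ([uri]$nlsUrl).Host
    $resolved = @(Resolve-DnsName -Name $nlsHost -Type A -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    $httpsOk = $false
    $err     = ''
    try {
        $null    = Invoke-WebRequest -Uri $nlsUrl -UseBasicParsing -TimeoutSec 5
        $httpsOk = $true
    } catch {
        $err = $_.Exception.Message   # an untrusted or self-signed NLS cert ends up here
    }
    $da       = Get-DAConnectionStatus -ErrorAction SilentlyContinue
    $daStatus = if ($da) { $da.Status } else { 'n/a' }
    [pscustomobject]@{
        NlsUrl   = $nlsUrl
        Resolved = ($resolved -join ', ')   # more than one address = conflicting NLS records
        HttpsOk  = $httpsOk
        Error    = $err
        DAStatus = $daStatus                # ConnectedLocally is expected on the LAN
    }
}

if (Get-Command Get-DnsServerResourceRecord -ErrorAction SilentlyContinue) {
    Get-DARecordAudit -ZoneName $ZoneName -DnsServer $DnsServer -Names $daRecordNames |
        Format-Table -AutoSize
} else {
    Write-Warning 'DnsServer module not available; skipping zone audit.'
}
Test-DANlsFromClient | Format-List
```

Run the audit before and after adding a second DA server: any row with Conflict = $true is a name both servers are publishing. On the client side, a LAN machine that shows HttpsOk = $false with a certificate error, or Resolved listing two addresses for the NLS name, explains why it is falling back to the DA tunnel; HttpsOk = $true with a single address and DAStatus = ConnectedLocally is the healthy state.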
  • Hi,

    1) Different name and different IP address

    2) Single NIC configuration - DA did work on both servers as mentioned

    3) Server since removed

    4) As above

    Note the issue seemed to be that the new DA server created identical DNS records to the existing server, only using its own IPs. Clients seemed to get confused as to which NLS server they were meant to be using (self-signed certs -> untrusted certs issue).


    Richard P

    Sunday, June 3, 2018 2:25 AM
  • Hi,

    Thanks for your update.

    Please try configuring the Network Connectivity Assistant setting for DA as in the following figure. What this step does is find a resource on the internal network that the client can "ping" to ensure the DirectAccess client has successfully connected to the internal network. We can set DCs or other Network Location Servers as the preferred and alternate resources to detect, by PING or HTTP.

    Here is an article about this implementation for your reference. Hope this helps.

    http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/

    Best regards,

    Michael





    Monday, June 4, 2018 1:41 PM
  • Hi,

    How are things going on?

    Please let us know if you would like further assistance.

    Best regards,

    Michael



    Wednesday, June 6, 2018 12:50 PM
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Michael



    Tuesday, June 12, 2018 3:32 PM