Two separate DirectAccess servers needing manage out

    Question

  • Hello,

    We built a new 2016 DirectAccess server.  I also made it an isatap router.   All is well with it.  From a client with isatap enabled, I can connect to a computer that is using DirectAccess.

    Our old DirectAccess server is 2012 R2.   I also had made it an isatap router.   All is also well with it.   From a client with isatap enabled, I can connect to a computer that is using DirectAccess.

    I currently have two GPOs to set computers to an ISATAP router.   One to point to the 2016 server and one to the 2012 server.

    Here's the issue.   If the computer's isatap is set to the 2012 server, it can't connect to computers that are using the DirectAccess 2016 server.   Likewise if a computer's isatap is pointing to the 2016 server for the router, it can't connect to the 2012 computers currently on DirectAccess.

    Has anyone found a way to make it where one isatap server can connect to both DirectAccess clients?

    Thank you,
    Matt

    Monday, March 5, 2018 14:42

All replies

  • I think the only way this will work is to create a separate ISATAP router server and configure it to point to each DirectAccess server. That's essentially how I set up my customers for ISATAP manage out when they are using external load balancers and/or have multisite enabled.
    • Marked as answer by CSMatMan Thursday, March 8, 2018 13:48
    • Unmarked as answer by CSMatMan Sunday, March 11, 2018 13:32
    Tuesday, March 6, 2018 13:55
  • Thank you, Richard. I'll look into that.  I'll go ahead and mark the answer correct as there's no person to better trust than Richard Hicks!! :)
    Thursday, March 8, 2018 13:48
  • Hi

    Each DA server will have a distinct /64 prefix.

    Try adding ISATAP /64 prefix routes on the DA servers, so that the 2012 DA server is aware of the 2016 ISATAP prefix and knows how to route.

    On DA2012:

    netsh int ipv6 add route DA2016Prefix::/64 DA2012ISATAPaddr

    On DA2016:

    netsh int ipv6 add route DA2012Prefix::/64 DA2016ISATAPaddr

    You'll also need to publish the new prefixes for clients, in case the default route isn't published.


    OS ... VirTuaLiZaTioN ... MaxiMuS ... Fair, Good, Better, Best

    Saturday, March 10, 2018 12:26
  • Harmandeep,

    Here's what I tried when I did the steps you mention.

    2012 Server:

    PS C:\Windows\system32> netsh int ipv6 show int

    Idx     Met         MTU          State                Name
    ---  ----------  ----------  ------------  ---------------------------
      1          50  4294967295  connected     Loopback Pseudo-Interface 1
     17          50        1280  disconnected  6TO4 Adapter
     16          10        1280  connected     isatap.{F043D0A0-B381-4435-9CE1-727340632485}
     14          10        1280  connected     isatap.{4A7AC0D7-31CD-4A00-9466-1E86A8A156D3}
     15          50        1280  connected     IPHTTPSInterface
     12          10        1500  connected     Internal Network
     13          10        1500  connected     External Network

    Tunnel adapter isatap.{F043D0A0-B381-4435-9CE1-727340632485}:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : fd46:d456:6924:1:0:5efe:10.100.6.140(Preferred)
       Link-local IPv6 Address . . . . . : fe80::5efe:10.100.6.140%16(Preferred)
       Default Gateway . . . . . . . . . :
       DHCPv6 IAID . . . . . . . . . . . : 503316480
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-86-D9-F9-00-50-56-B6-04-70

    2016 Server:

    Idx     Met         MTU          State                Name
    ---  ----------  ----------  ------------  ---------------------------
      1          75  4294967295  connected     Loopback Pseudo-Interface 1
     13          20        1280  connected     isatap.{C0F4CFAC-2E49-4FCB-9D06-E1794844A378}
     14          15        1500  connected     Internal Network
      9          15        1500  connected     External Network
     17          20        1280  connected     isatap.{E855453E-0844-4BA6-B681-56F5CF59A73F}
     10          75        1280  disconnected  6TO4 Adapter
     12          75        1280  connected     IPHTTPSInterface

    Tunnel adapter isatap.{E855453E-0844-4BA6-B681-56F5CF59A73F}:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : fd15:d176:4efd:1:0:5efe:10.100.6.145(Preferred)
       Link-local IPv6 Address . . . . . : fe80::5efe:10.100.6.145%17(Preferred)
       Default Gateway . . . . . . . . . :
       DHCPv6 IAID . . . . . . . . . . . : 117440512

    Commands I ran:

    2012 DA server:   netsh int ipv6 add route fd15:d176:4efd:1000::/64 16 fd46:d456:6924:1:0:5efe:10.100.6.140

    2016 DA server:  netsh int ipv6 add route fd46:d456:6924:1000::/64 17 fd15:d176:4efd:1:0:5efe:10.100.6.145

    LT5555 currently online accessing corporate network via 2016 DA server

    From 2016 DA server: 

    Pinging lt55555.domain.lan [fd15:d176:4efd:1000:cbf:753b:5630:68a3] with 32 bytes of data:
    Reply from fd15:d176:4efd:1000:cbf:753b:5630:68a3: time=1277ms
    Reply from fd15:d176:4efd:1000:cbf:753b:5630:68a3: time=65ms
    Reply from fd15:d176:4efd:1000:cbf:753b:5630:68a3: time=82ms
    Reply from fd15:d176:4efd:1000:cbf:753b:5630:68a3: time=357ms

    From 2012 DA server:

    Pinging LT55555.domain.lan [fd15:d176:4efd:1000:cbf:753b:5630:68a3] with
    32 bytes of data:
    General failure.
    General failure.
    General failure.
    General failure.

    Routes:

    2012 DA server

    Persistent Routes:
     If Metric Network Destination      Gateway
      0 4294967295 fd46:d456:6924:1000::/64 On-link
      0 4294967295 fd46:d456:6924::/48      On-link
      0 4294967295 fd46:d456:6924:7777::/96 On-link
      0 4294967295 fd46:d456:6924:1::/64    On-link
      0 4294967295 fd15:d176:4efd:1000::/64 fd46:d456:6924:1:0:5efe:10.100.6.140

    2016 DA server

    Persistent Routes:
     If Metric Network Destination      Gateway
      0 4294967295 fd15:d176:4efd:1::/64    On-link
      0 4294967295 fd15:d176:4efd:1000::/64 On-link
      0 4294967295 fd15:d176:4efd::/48      On-link
      0 4294967295 fd15:d176:4efd:7777::/96 On-link
      0 4294967295 fd15:d176:4efd:1::/64    On-link
      0 4294967295 fd46:d456:6924:1000::/64 fd15:d176:4efd:1:0:5efe:10.100.6.145

    Thank you for any help!!



    • Edited by CSMatMan Monday, March 12, 2018 15:05
    Monday, March 12, 2018 14:07
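
Added example, not part of the thread: a Python check that decodes the IPv4 address embedded in each ISATAP address shown in the post above and reports, for every static route that was added, whether its gateway is an ISATAP address held by the same server or by the other one. The addresses and routes are copied from the post; the `DA2012`/`DA2016` keys and the function names are assumptions made for this example.

```python
import ipaddress

# Addresses and static routes copied from the output in the post above;
# the DA2012/DA2016 keys are labels chosen for this example.
SERVERS = {
    "DA2012": {
        "isatap": "fd46:d456:6924:1:0:5efe:10.100.6.140",
        "routes": [("fd15:d176:4efd:1000::/64",
                    "fd46:d456:6924:1:0:5efe:10.100.6.140")],
    },
    "DA2016": {
        "isatap": "fd15:d176:4efd:1:0:5efe:10.100.6.145",
        "routes": [("fd46:d456:6924:1000::/64",
                    "fd15:d176:4efd:1:0:5efe:10.100.6.145")],
    },
}

def isatap_ipv4(addr):
    """Return the IPv4 address embedded in an ISATAP address, else None.

    An ISATAP interface ID is 0000:5efe:<IPv4> (0200:5efe with the u bit set).
    """
    value = int(ipaddress.IPv6Address(addr))
    iid_high = (value >> 32) & 0xFFFFFFFF
    if iid_high & 0xFDFFFFFF != 0x00005EFE:   # compare with the u bit masked out
        return None
    return ipaddress.IPv4Address(value & 0xFFFFFFFF)

def classify_routes(servers):
    """For each static route, say whose ISATAP address the gateway is."""
    owner = {ipaddress.IPv6Address(s["isatap"]): n for n, s in servers.items()}
    findings = []
    for name, cfg in servers.items():
        for prefix, gateway in cfg["routes"]:
            ipaddress.IPv6Network(prefix)     # raises ValueError on a malformed prefix
            holder = owner.get(ipaddress.IPv6Address(gateway))
            verdict = "self" if holder == name else "peer" if holder else "unknown"
            findings.append((name, prefix, str(isatap_ipv4(gateway)), verdict))
    return findings

if __name__ == "__main__":
    for name, prefix, gw_v4, verdict in classify_routes(SERVERS):
        print(f"{name}: {prefix} via ISATAP host {gw_v4} -> gateway is {verdict}")
```

A `self` verdict means the route's next hop is an ISATAP address that the same server already holds; `peer` means it is the other server's ISATAP address.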