DirectAccess Installation Errors Involving Security Group

    Question

  • So I've read that it's best practice to filter what the DirectAccess GPO affects to a single Security group instead of the "All Computers" group in AD. So I've done this. I created a group called 'DirectAccess' and set that as the target. When I attempt to generate the GPO in the DirectAccess Wizard, I receive this error:

    "Security Group MyDomain\DirectAccess cannot be found"

    "The Operation Failed. All of the Specified Security Groups are invalid."

    So it looks like the group is invisible to my Server? The only thing I can think of is my AD Structure is sitting on some 2008 R2 boxes and this server is 2012 R2 box. Is there a requirement for AD to be at 2012 Operational Level for DirectAccess to work in 2012 server R2?

    --Aaron

    Tuesday, April 29, 2014 2:33 PM

Answers

  • Update: I had this closed a while ago. Microsoft was finally able to set it up in my environment. I will post the closure email they sent me detailing the steps needed to successfully install DirectAccess. (Note: I have changed all my Server/AD information to match M$'s Contoso dummy domain.)

    Issue:
     Unable to configure Direct Access Server (DA_EDGE). Error: Security group CONTOSO\DirectAccess Clients cannot be found.

    Troubleshooting:
     We collected logs from the Direct Access server while configuring Direct Access.
    logman create trace ETWTrace -ow -o c:\ETWTrace.etl -p {AAD4C46D-56DE-4F98-BDA2-B5EAEBDD2B04} 0xffffffffffffffff 0xff -nb 16 16 -bs 1024 -mode 0x2 -max 2048 -ets
    logman update trace ETWTrace -p {62DFF3DA-7513-4FCA-BC73-25B111FBB1DB} 0xffffffffffffffff 0xff -ets
    Configured Direct Access
    logman stop ETWTrace -ets
     We could not find information which could give us a clue about the cause of the issue. We found that it was not able to find the group.
    2464: 04: 2014-06-24 11:56:18.627 VERBOSE: Validating security group (CONTOSO\dagroup1) in the domain...
    2464: 04: 2014-06-24 11:56:18.707 NTE: Security group CONTOSO\dagroup1 cannot be found.
     We collected a network capture but could not find anything about it in the LDAP Search Request packets.
     We found that the DC has 2 NICs and both were getting the Domain profile.
     We removed the DMZ NIC and kept only the NIC connected to the LAN.
     We again tried to configure Direct Access; however, it still came up with the error.
     We involved the Directory Services team to take a look at the issue; however, in the logs we were not able to find anything.
     We collected a Process Monitor trace on the Direct Access Server and got it analyzed, and found that we were not able to create the GPO. However, it does not give a clue as to how it's failing.
    11:58:51.6421023 PM RAMgmtUI.exe 1836 CreateFile \\DC.contoso.com\SysVol\contoso.com\Policies\{D937469B-6E34-4A7F-9405-F9F97DC200E0} NAME NOT FOUND Desired Access: Read Attributes, Read Control, Dis, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
    11:58:51.6446131 PM RAMgmtUI.exe 1836 CreateFile \\DC.contoso.com\SysVol\contoso.com\Policies\{D937469B-6E34-4A7F-9405-F9F97DC200E0} NAME NOT FOUND Desired Access: Read Control, Dis, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
    11:58:51.6472327 PM RAMgmtUI.exe 1836 CreateFile \\DC.contoso.com\SysVol\contoso.com\Policies\{D937469B-6E34-4A7F-9405-F9F97DC200E0} NAME NOT FOUND Desired Access: Read Data/List Directory, Synchronize, Dis, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
    11:58:51.6500318 PM RAMgmtUI.exe 1836 CreateFile \\DC.contoso.com\SysVol\contoso.com\Policies\{D937469B-6E34-4A7F-9405-F9F97DC200E0} NAME NOT FOUND Desired Access: Read Attributes, Delete, Synchronize, Dis, Options: Directory, Synchronous IO Non-Alert, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
     We did research internally and decided to configure Direct Access with the Domain Computers security group (using a PowerShell command), change it in GPMC on the DirectAccess Client Settings GPO to the “Direct-Access-Clients” security group, and update Group Policy on the Direct Access Server.
    Install-RemoteAccess -NoPrerequisite -Force -PassThru -ServerGpoName 'contoso.com\DirectAccess Server Settings' -ClientGpoName 'contoso.com\DirectAccess Client Settings' -DAInstallType 'FullInstall' -InternetInterface 'Internal' -InternalInterface 'Internal' -ConnectToAddress 'EDGE.contoso.com' -DeployNat -Verbose -ComputerName 'DA_EDGE.contoso.com'
     We also configured Certificate Authentication and an exception for “EDGE.contoso.com” in the NRPT using PowerShell.
    Add-DAClientDnsConfiguration -DnsSuffix 'EDGE.contoso.com' -Verbose -ComputerName 'DA_EDGE.contoso.com'
    Set-DAClient -Downlevel 'Enabled' -Verbose -ComputerName 'DA_EDGE.contoso.com'
     Once Direct Access was configured we were able to update the GPO and connect a client from outside.
     On a Windows 7 client machine we found the IP Helper Service disabled, and after enabling the service we were able to connect on that as well.

    Resolution:
     We configured Direct Access with the Domain Computers security group (using a PowerShell command), changed the security group in GPMC on the DirectAccess Client Settings GPO to the “Direct-Access-Clients” security group, and updated Group Policy on the Direct Access Server.
    Install-RemoteAccess -NoPrerequisite -Force -PassThru -ServerGpoName 'contoso.com\DirectAccess Server Settings' -ClientGpoName 'contoso.com\DirectAccess Client Settings' -DAInstallType 'FullInstall' -InternetInterface 'Internal' -InternalInterface 'Internal' -ConnectToAddress 'EDGE.contoso.com' -DeployNat -Verbose -ComputerName 'DA_EDGE.contoso.com'

    Commands for troubleshooting Direct Access Clients connectivity:

     To check client status:
    netsh dns show state
     To check effective NRPT on the client:
    netsh name show eff
     To check status of the IP-HTTPS interface:
    netsh int http show int
     To Check status of Teredo Interface:
    netsh int teredo show state
     To Check Windows Firewall Profile on the client:
    netsh advf show cu
     To Check IPSec Main Mode Security Association:
    netsh advf mon show mmsa
     To Check IPSec Quick Mode Security Association:
    netsh advf mon show qmsa

    Related Articles:

    Manage DirectAccess Clients Remotely
    http://technet.microsoft.com/library/jj574200.aspx

    Remote Access
    http://technet.microsoft.com/en-US/network/dd420463

    Remote Access (DirectAccess, Routing and Remote Access) Overview
    http://technet.microsoft.com/en-us/library/hh831416

    Remote Access (DirectAccess) Prerequisites
    http://technet.microsoft.com/en-us/library/dn464273.aspx

    DirectAccess Offline Domain Join
    http://technet.microsoft.com/en-us/library/jj574150.aspx

    Plan the DirectAccess Infrastructure
    http://technet.microsoft.com/en-us/library/jj574101.aspx

    Configure the DirectAccess Server
    http://technet.microsoft.com/en-us/library/jj574180.aspx

    Configuring and Implementing DirectAccess with Windows Server 2012
    http://technet.microsoft.com/en-us/video/tdbe13-configuring-and-implementing-directaccess-with-windows-server-2012.aspx

    Tuesday, September 23, 2014 4:13 PM
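    The resolution in the closure e-mail is a two-tool workaround: install with PowerShell against the default Domain Computers group, then re-scope the client GPO's security filtering in GPMC. The following is an added example (not from the e-mail, and not Microsoft's own script) that performs the same steps entirely in PowerShell, using the GroupPolicy module for the GPMC step. It assumes the RemoteAccess and GroupPolicy modules are present, and the domain, server, GPO and group names are the e-mail's Contoso placeholders; substitute your own.

    ```powershell
    # Added example: the closure e-mail's resolution done end to end in PowerShell.
    # Placeholders (change for your environment): contoso.com, DA_EDGE.contoso.com,
    # EDGE.contoso.com, the two GPO names and the 'Direct-Access-Clients' group.
    Import-Module RemoteAccess
    Import-Module GroupPolicy

    $DomainDns   = 'contoso.com'
    $DaServer    = 'DA_EDGE.contoso.com'
    $PublicName  = 'EDGE.contoso.com'
    $ClientGpo   = 'DirectAccess Client Settings'
    $ServerGpo   = 'DirectAccess Server Settings'
    $ClientGroup = 'Direct-Access-Clients'      # the group the wizard could not find

    # Step 1: same Install-RemoteAccess call as the e-mail. No client group is named,
    # so the default (Domain Computers) is used and the validation that failed is skipped.
    Install-RemoteAccess -NoPrerequisite -Force -PassThru `
        -ServerGpoName "$DomainDns\$ServerGpo" -ClientGpoName "$DomainDns\$ClientGpo" `
        -DAInstallType 'FullInstall' -InternetInterface 'Internal' -InternalInterface 'Internal' `
        -ConnectToAddress $PublicName -DeployNat -Verbose -ComputerName $DaServer

    # Step 2: the GPMC step. Stop Domain Computers from applying the client GPO and
    # grant Apply only to the DirectAccess group, so every domain member is not a DA client.
    Set-GPPermission -Name $ClientGpo -TargetName 'Domain Computers' -TargetType Group `
        -PermissionLevel None -Replace
    Set-GPPermission -Name $ClientGpo -TargetName $ClientGroup -TargetType Group `
        -PermissionLevel GpoApply

    # Step 3: NRPT exemption for the public DA name and Windows 7 (down-level) client
    # support, as in the e-mail.
    Add-DAClientDnsConfiguration -DnsSuffix $PublicName -Verbose -ComputerName $DaServer
    Set-DAClient -Downlevel 'Enabled' -Verbose -ComputerName $DaServer

    # Step 4: verify who can now apply the client GPO, then refresh policy on the DA server.
    Get-GPPermission -Name $ClientGpo -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
    Invoke-Command -ComputerName $DaServer -ScriptBlock { gpupdate /force }
    ```

    The Get-GPPermission output should list only the DirectAccess group with GpoApply; if Domain Computers still appears there, the client settings are being pushed to every computer in the domain.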

All replies

  • Hi,

    There is no requirement to have an AD 2012 domain to deploy DirectAccess. Even a Windows 2003 based domain would work. Maybe there is replication latency to the nearest domain controllers used by your DirectAccess Gateway.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Tuesday, April 29, 2014 5:35 PM
  • So I started looking into this issue again as using just the RRAS VPN solution isn't filling the need. From what I'm seeing, the group isn't available somehow. 
    Tuesday, June 10, 2014 7:42 PM
  • Hi

    Any group can be used if:

    - It's a security group (not a distribution group)

    - Group scope is Global or Universal (not Domain Local)

    - AD replication to the nearest DC from the DA Gateway is operational


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Tuesday, June 10, 2014 7:44 PM
  • How do I figure out if replication between the DA and DC is working?

    Wednesday, June 11, 2014 7:08 PM
  • Hi,

    It's not DA that MAY have a replication issue but the nearest DC from DA's point of view (based on sites & subnet topology) that does not have the information replicated. Have a look at the %logonserver% environment variable and check on this DC for any replication issue in the Windows event logs and AD event logs.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Wednesday, June 11, 2014 7:14 PM
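    The three conditions listed two replies up (security group, Global or Universal scope, replication to the gateway's nearest DC) plus the %logonserver% check in this reply can be verified in one pass from the DA gateway. The script below is an added example, not code from the thread or from BenoitS; it assumes the RSAT ActiveDirectory module is installed on the gateway and uses 'DirectAccess Clients' as a placeholder group name. It also goes one step beyond the replies by resolving both the NetBIOS (pre-2000) and DNS spellings of DOMAIN\group, since the wizard validates the group by that string.

    ```powershell
    # Added example: pre-flight checks for a DirectAccess client security group,
    # run on the DA gateway. 'DirectAccess Clients' is a placeholder group name.
    Import-Module ActiveDirectory

    $GroupName = 'DirectAccess Clients'

    # The DC this gateway authenticated against; LOGONSERVER is "\\DCNAME"
    $LogonDc = $env:LOGONSERVER.TrimStart('\')
    $Domain  = Get-ADDomain

    Write-Host "Domain DNS root      : $($Domain.DNSRoot)"
    Write-Host "Domain NetBIOS name  : $($Domain.NetBIOSName)"   # the 'pre-2000' name
    Write-Host "Logon DC for gateway : $LogonDc"

    # 1. Does the DC the gateway actually uses know the group? (replication check)
    try {
        $Group = Get-ADGroup -Identity $GroupName -Server $LogonDc
    } catch {
        Write-Warning "'$GroupName' not found on $LogonDc; check replication to that DC (repadmin /showrepl $LogonDc)."
        return
    }

    # 2. Must be a security group, not a distribution group
    if ($Group.GroupCategory -ne 'Security') {
        Write-Warning "'$GroupName' is a $($Group.GroupCategory) group; DirectAccess needs a Security group."
    }

    # 3. Scope must be Global or Universal, not Domain Local
    if ($Group.GroupScope -notin @('Global', 'Universal')) {
        Write-Warning "'$GroupName' has scope $($Group.GroupScope); use Global or Universal."
    }

    # 4. Resolve both DOMAIN\group spellings to a SID. The wizard validates the
    #    'DOMAIN\Group' string; if the NetBIOS and DNS names differ, one form can
    #    fail while the other works.
    foreach ($Prefix in @($Domain.NetBIOSName, $Domain.DNSRoot)) {
        $Account = "$Prefix\$GroupName"
        try {
            $Sid = ([System.Security.Principal.NTAccount]$Account).Translate(
                       [System.Security.Principal.SecurityIdentifier])
            Write-Host "$Account resolves to $($Sid.Value)"
        } catch {
            Write-Warning "$Account does not resolve: $($_.Exception.Message)"
        }
    }

    # 5. Is the group visible on every DC? A DC that does not see it points at
    #    replication lag rather than at DirectAccess itself.
    foreach ($Dc in (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)) {
        $Seen = [bool](Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $Dc)
        Write-Host ("{0,-35} sees group: {1}" -f $Dc, $Seen)
    }
    ```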
  • It looks like it's replicating correctly. I even changed which domain controller it's pointing to and it's still giving the error. There are no replication errors in the log. There are some warnings like this:

       

    The File Replication Service is having trouble enabling replication from NS7 to NS8 for c:\windows\sysvol\domain using the DNS name XXX.Domain.net. FRS will keep retrying. 
     Following are some of the reasons you would see this warning. 

     [1] FRS can not correctly resolve the DNS name XXX.Domain.net from this computer. 
     [2] FRS is not running on XXX.Domain.net. 
     [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers. 

     This event log message will appear once per connection. After the problem is fixed you will see another event log message indicating that the connection has been established.

    However, after that error it always corrects itself:

    The File Replication Service is no longer preventing the computer NS8 from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL. 
     
    Type "net share" to check for the SYSVOL share.


    Tuesday, June 17, 2014 6:58 PM
  • Hi,

    FRS issues are not related to your problem. Can you check with the following command on your DirectAccess Gateway: NET GROUP <Your DirectAccess group> /domain. If you can see group members, your gateway is able to see the group.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Wednesday, June 18, 2014 8:03 AM
  • It says this:

    C:\Users\MyadminUser>Net Group "DirectAcces Clients" /Domain
    The request will be processed at a domain controller for domain MyDomain.
    net.

    The group name could not be found.

    More help is available by typing NET HELPMSG 2220.

    It seems that it cannot see recently created Security Groups in AD. I've queried a few groups: the older groups I have in the domain are findable. However, the ones I've created in the past few months I'm not able to find during this search.

    Wednesday, June 18, 2014 1:48 PM
  • Never mind on the last post; I made a typo. It sees the group:

    C:\Users\MyAdminUser>Net Group "DirectAccess Clients" /Domain

    The request will be processed at a domain controller for domain My

    Domain.
    net.

    Group name     DirectAccess Clients
    Comment        DirectAccess Group

    Members 

    One other issue I'm seeing is that the wizard isn't creating the Group Policies. When I created them manually, it did edit the Server GPO, but not the Client GPO. I guess due to the error I'm getting, it hasn't gotten to that point yet? This is the weirdest bug.

    Wednesday, June 18, 2014 1:55 PM
  • OK,

    So the security group is visible from the DA Gateway. To be able to create group policies, you need to have a "domain administrator" level account. Otherwise it would not be possible to create group policies. I made a blog post "how to deploy DirectAccess with least privileges": http://danstoncloud.com/blogs/simplebydesign/archive/2013/10/08/deploying-directaccess-with-least-privileges.aspx

    It can be done but it is much more complicated.

    Last check: at the firewall level of your DA Gateway, does your internal network card (or only network card) have a domain firewall profile?


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Wednesday, June 18, 2014 4:15 PM
  • Regarding the permissions: I'm running this wizard installation from a Domain Admin user. Should I use a different user who is not a Domain Admin?

    Should my DirectAccess Security Group be in the Security Filtering of the GPO?

    I read your blog (David Tennant must be your favorite Doctor...) and it's the same as you noted there. Domain Admins did not have Full Control on the two GPOs. I checked the "Full Control" and "Apply Group Policy" settings and it gave me the same error stating it could not find my Security group for Direct Access.

    The Internal Firewall NIC does indeed have a domain profile. The External NIC is labeled "Unidentified Network" and that's how it should be.

    Wednesday, June 18, 2014 5:34 PM
  • Hi,

    Unidentified network? Not good. It should be public/private (not domain); otherwise the firewall rules required for DirectAccess and the IPsec tunnels won't apply. If the server tries to use this interface to access your internal network, it might explain things.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Thursday, June 19, 2014 6:53 AM
  • I've made a little progress.

    I've gotten remote access setup partially.

    I am running the commands in powershell. I keep getting an error with the security group when I run this command:

    Add-DAClient -SecurityGroupNameList @('hometownamerica.net\DirectAccess Clients') -Verbose -ComputerName 'DA-EDGE02.hometownamerica.net'

    VERBOSE: Retrieving server GPO details...
    VERBOSE: Opening the server GPO...
    VERBOSE: Validating security group (MyDomain.net\DirectAccess Clients) in the domain...
    Add-DAClient : Security group MyDomain.net\DirectAccess Clients cannot be found.
    At line:1 char:1
    + Add-DAClient -SecurityGroupNameList @('MyDomain.net\DirectAccess Clients' ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ResourceExists: (MyDomain.net\DirectAccess Clients:root/Microsoft/...ess/PS_DACli
       ent) [Add-DAClient], CimException
        + FullyQualifiedErrorId : HRESULT 800700ea,Add-DAClient

    Add-DAClient : The operation failed. All of the specified security groups are invalid.
    At line:1 char:1
    + Add-DAClient -SecurityGroupNameList @('MyDomain.net\DirectAccess Clients' ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (SecurityGroupNameList:root/Microsoft/...ess/PS_DAClient) [Add-DAClient
       ], CimException
        + FullyQualifiedErrorId : HRESULT 80070057,Add-DAClient

    Thursday, June 19, 2014 10:04 PM
  • I just opened a ticket with Microsoft, so I should have a tech working on this soon and I will share the final solution.
    Friday, June 20, 2014 5:47 PM
  • Did you find a solution?  I'm getting a similar message and you might be able to save me a call to MS.

    Cheers,

    Jon

    Wednesday, June 25, 2014 2:13 AM
  • I'm still battling with M$ Support :-)

    From what I gather with my M$ Tech, he is stating that due to my Domain having a different Pre-2000 Domain name from my Normal domain name, it's not finding the security group.

    However, that doesn't make sense to me because when I alter the command in powershell it still doesn't work. Even if I put in the Pre-2000 domain name it doesn't work.

    I think it has to be a domain thing like he's saying though. I think I may have to create a new domain to get this to work, unless they actually get it to work.


    Wednesday, June 25, 2014 6:55 PM
  • Update: I'm close to 30 days with the same ticket open with M$ :-S

    What they're testing currently is what exactly happens between the DirectAccess Server and the DCs during the DirectAccess Setup wizard. So we did a trace with NetMon on each DC as well as the DA server when the Wizard fails. I have to follow up with them today on this.

    They're also stating that due to the fact that my internal Domain and External Domain are the same, this may be causing an issue as well. 

    Hopefully we get this fixed because DA is a great tool that will definitely help me out with remote users.

    Monday, July 14, 2014 3:39 PM
  • Check that your DNS resolution for hometownamerica.net is going to your internal Active Directory DNS server, not your internet external DNS server.
    Thursday, July 17, 2014 12:40 AM