From your feedback, we have heard that some DirectAccess and RRAS customers are having difficulty finding the information they need to deploy these technologies.

This blog post answers the questions we’ve been hearing about the documentation and these products in general.

Let me start by letting you know that at the bottom of this article, you’ll find descriptions and links to the most current Remote Access documentation resources. And in case you don’t make it that far J, here they are:

We should start with a brief history of Remote Access in Windows Server to understand the product and naming evolution, since the names and technologies have changed over the years.

Remote Access Technologies Historic Overview

Starting with WS2012, DirectAccess was integrated into the Remote Access server role along with Routing and Remote Access Services (RRAS). This was a change from WS2008R2 in which DirectAccess was a Windows Server feature, and RRAS were installed separately as the Routing and Remote Access Services role service. In addition, when it was discontinued, the enterprise level features of Forefront UAG DirectAccess were integrated into the Remote Access server role as well.

RRAS has been a mainstay of Windows networking ever since Windows 2000 Server, and it combines the Routing, VPN, and Dial-up services. RRAS and Direct Access are still very much the same as they were in version of Windows Server prior to 2012, but they have been moved around into different sever roles in different versions of Server. To simplify configuration and management, all of these technologies were brought together in WS2012 under one server role called, Remote Access.

All that history can be pretty confusing, so here is an illustration that shows the Windows Server versions along with their associated remote access technologies that might help make it clearer:


Note that this graphic does not represent all the versions of Windows Server that have been released – just the major releases, and the minor releases that have had a significant change in Remote Access technologies.

Now that you have an understanding of how remote access has evolved over the various releases, we’ll take a little bit more in-depth look at why it happened like it did.

Routing and Remote Access combined in Windows 2000 Server

Back in the early days of Windows Server, Routing and Remote Access were two separate services, and Windows Server was called Windows NT Server (the NT stood for “new technology”). In Windows Server, 2000 the Routing Service and the Remote Access Service were combined to become known as Routing and Remote Access Services, or RRAS.

The reason for combining the two services lies in the Point-to-Point Protocol (PPP), which is the protocol suite that is commonly used to negotiate point-to-point connections for remote access clients. Demand-dial routing connections use PPP to provide the same kinds of services as remote access connections (link negotiation, authentication, and network layer negotiation). Therefore, the integration of routing (which includes demand-dial routing) and remote access was done to leverage the existing PPP client/server infrastructure that existed for the remote access components.

Routing and Remote Access Services moved under the Network Policy and Access Services Server Role in WS2008 and R2

With the advent of new technologies for securing networks, Network Policy and Access Services (NPAS) in WS2008 and R2 combined technologies that could define and enforce policies for network access authentication, authorization, and client health using Network Policy Server (NPS), Routing and Remote Access Service, Health Registration Authority (HRA), and Host Credential Authorization Protocol (HCAP).

DirectAccess introduced in WS2008R2 and Forefront Unified Access Gateway (UAG) 2010

DirectAccess enables remote users to securely access shared resources, websites, and applications on an internal network without connecting to a virtual private network (VPN). Forefront UAG DirectAccess extends the benefits of Windows DirectAccess across your infrastructure, enhancing scalability, and simplifying deployments and ongoing management. In WS2008R2, DirectAccess and RRAS were installed and managed separately.

DirectAccess and RRAS combined in WS2012 Remote Access Server Role

In WS2012, the DirectAccess feature and the RRAS role service were combined into a new unified server role. In addition, DirectAccess enterprise level features were brought into WS2012 when Forefront UAG was discontinued.

This new Remote Access server role allows for centralized administration, configuration, and monitoring of both DirectAccess and VPN-based remote access services. Additionally, WS2012 DirectAccess provided multiple updates and improvements to address deployment blockers and provide simplified management. The Remote Access Console was introduced to manage all aspects of Remote Access in a consolidated fashion.

Now that DirectAccess and RRAS are combined in WS2012 and R2, where can I find the documentation?

The main documentation for WS2012 DirectAccess is located in the TechNet Library under the Remote Access technology heading here: Remote Access (DirectAccess, Routing and Remote Access) Overview. In this section, you’ll find three main Remote Access deployment scenarios:

  • Basic
  • Advanced
  • Enterprise DirectAccess

These deployment scenarios touch briefly on how to install RRAS, but they are mostly about deploying DirectAccess.

The Basic scenario describes an easy deployment method using the Remote Access Getting Started Wizard. The Getting Started wizard is something of a misnomer because you most likely won’t want to use it if you are getting started with a deployment in a corporate environment. In that case, you’ll want to use the Remote Access Advanced Setup Wizard. Taking the advanced path allows you to later install Enterprise DirectAccess features which you cannot do if you’ve deployed Remote Access using the Getting Started Wizard. The Enterprise DirectAccess features that you can install after deploying with the Advanced Setup Wizard include:

  • OTP/Smartcard
  • NLB
  • Multisite

RRAS documentation is in the WS2008 and R2 TechNet Library

With the exception of the new front end installation Wizards and the unified Remote Access console, the basic functionality of RRAS didn’t change much in WS2012. Because of this, the WS2008R2 RRAS documentation was not updated and it is still current.  You can find links to all the relevant previous Remote Access documentation at the Remote Access TechCenter.

Conventions Used in this Blog Post

  • DirectAccess is a Microsoft trademarked name and so it is all one word, as opposed to Direct Access with a space.
  • Lowercase remote access is used to refer to remote access technologies in general. Uppercase Remote Access is used to refer to the Remote Access Server Role.
  • Windows Server is abbreviated WS followed by the version. So, for example, Windows Server 2012 R2 would be abbreviated as WS2012R2.