Deploy direct access

Hi,
I'm trying to deploy a simple Direct Access setup. While working with the DA wizard, I receive the following error message:
Please note that my domain's name is: Notovich.com
and my public DNS name is: notovich.asuscomm.com or
notovich.dynalias.org
Please advise if I need to purchase a new domain that is similar to my local domain name. Maybe this is the reason?

Hi,
I think I might be able to help, because the error is actually quite simple. The NLS (Network Location Server) URL cannot be the same as your DirectAccess Service URL. You need two different hostnames, for example:
directaccess.yourdomain.com
inside.yourdomain.local (or inside.yourdomain.com)
The hostname "directaccess.yourdomain.com" should point to the external IP address of your DirectAccess Server and be resolvable from the internet; this is where your DirectAccess clients will connect to.
The hostname "inside.yourdomain.local" should point to an internal Web Server. It doesn't matter to which server, it is just a simple URL, could be anything you have. But... this hostname should 'NOT' and I repeat 'NOT' be resolvable from the internet.
Clients use the NLS URL to detect whether they are connected locally to your local intranet or to the internet.
I hope this information makes more sense to you.
Boudewijn Plomp, BPMi Infrastructure & Security
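
As an added example (not part of the original reply), a PowerShell check of the three naming rules described in the answer above. The hostnames are the reply's placeholders; the `https` scheme on the NLS URL and the `8.8.8.8` public resolver are assumptions to replace with your own values.

```powershell
# Sanity-check a DirectAccess name plan before running the wizard.
# Run from a domain-joined machine on the intranet that can also query a public resolver.
param(
    [string]$DirectAccessName = 'directaccess.yourdomain.com',      # public name clients connect to (placeholder)
    [string]$NlsUrl           = 'https://inside.yourdomain.local/', # NLS URL (placeholder, https assumed)
    [string]$PublicResolver   = '8.8.8.8'                           # any resolver outside your network (assumption)
)

function Test-NameResolves {
    # Returns $true when $Name has at least one A or AAAA record.
    # With -Server the query is sent to that resolver; without it, to the machine's own DNS.
    param([string]$Name, [string]$Server)
    foreach ($type in 'A', 'AAAA') {
        $query = @{ Name = $Name; Type = $type; DnsOnly = $true; ErrorAction = 'Stop' }
        if ($Server) { $query.Server = $Server }
        try {
            if (Resolve-DnsName @query | Where-Object { $_.IPAddress }) { return $true }
        } catch {
            # NXDOMAIN, timeout or refusal: counts as "does not resolve" for this record type
        }
    }
    return $false
}

$daHost  = $DirectAccessName.TrimEnd('.')
$nlsHost = ([uri]$NlsUrl).Host.TrimEnd('.')

$checks = @(
    [pscustomobject]@{
        Check  = "NLS host ($nlsHost) differs from DirectAccess host ($daHost)"
        Passed = ($nlsHost -ne $daHost)          # -ne is case-insensitive for strings
    }
    [pscustomobject]@{
        # Also the positive control: if this fails, the public resolver may simply be
        # unreachable, and the "not resolvable" result below proves nothing.
        Check  = "DirectAccess host resolves via public resolver $PublicResolver"
        Passed = (Test-NameResolves -Name $daHost -Server $PublicResolver)
    }
    [pscustomobject]@{
        Check  = "NLS host does NOT resolve via public resolver $PublicResolver"
        Passed = (-not (Test-NameResolves -Name $nlsHost -Server $PublicResolver))
    }
    [pscustomobject]@{
        Check  = 'NLS host resolves on internal DNS (this machine''s resolver)'
        Passed = (Test-NameResolves -Name $nlsHost)
    }
)

$checks | Format-Table -AutoSize -Wrap

# Non-zero exit code so the script can gate a deployment runbook.
if ($checks.Passed -contains $false) { exit 1 }
```

An NLS name that resolves publicly lets a network outside your control answer for it, which would make clients believe they are on the intranet and leave the DirectAccess tunnel down, so treat a failure of the third check as a design error rather than a warning.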

Similar Messages

  • Windows Server Direct Access Deployment

    Dear Sir,
    I am trying to deploy Direct Access on Windows Server 2008 R2. Please can someone give me direction on how to make a perfect deployment, or a webcast? Thanks.

    Hi,
    You can also follow the following KB and TechNet video.
    TechNet Video:
    Configuring and Implementing DirectAccess with Windows Server 2012
    http://technet.microsoft.com/en-us/video/tdbe13-configuring-and-implementing-directaccess-with-windows-server-2012.aspx
    Deploy KB:
    Implementing Your DirectAccess Design Plan
    http://technet.microsoft.com/en-us/library/ee649219(v=ws.10).aspx
    DirectAccess for Windows Server 2008 R2
    http://technet.microsoft.com/en-us/library/dd758757(v=ws.10).aspx
    DirectAccess Deployment Guide
    http://technet.microsoft.com/en-us/library/ee649163(v=ws.10).aspx
    Hope this helps.

  • Direct Access: domain.LOCAL supported?

    Hi,
    Our domain was configured using company.local.  I am now trying to deploy Direct Access on a Windows Server 2012 R2 server using a single NIC deployment.
    Do we have to change our domain name to company.com in order to deploy Direct Access? If not - are there any special considerations when deploying using the .local domain?
    We have a forward lookup zone for domain.com in addition to the domain.local on our DNS servers. We intend to use "da.domain.com" as the "public name used by clients to connect to the Remote Access server".

    Hi,
    You do not have to change.
    With a single NIC, I suppose your server is behind a NAT device.
    For your reference:
    Step-By-Step: Enabling DirectAccess in Windows Server 2012 R2
    http://blogs.technet.com/b/canitpro/archive/2014/01/06/step-by-step-enabling-directaccess-in-windows-server-2012.aspx
    STEP 6: Test DirectAccess Client Connectivity from Behind a NAT Device
    http://technet.microsoft.com/en-us/library/hh831524.aspx
    Hope this helps.

  • Auto deploying branch office printers with Direct Access

    Hello there
    I am implementing my first Direct Access topology and have a question. We will have branch offices with workstations deployed using Direct Access for administrative purposes. We have staff moving around from branch to branch with the goal to make logging on to the network and accessing resources for users as automated as possible. One of the questions I have regards auto configuring branch printers for users using Group Policy. The branch offices have workstations, printers and NAT modem/routers with DHCP - but no servers.
    If we have a stand alone network printer, how do we list that printer in Active Directory allowing the user to auto-configure it using group policy? If we install it on a server at Head Office, would the print job travel there first and then back to the branch? Obviously this is not ideal. Or can it be directed straight to the printer using a script or something?
    Alternatively we can install and share it on a branch workstation and list it in the directory, but would this not be the same problem as above? This is not ideal either as it would depend on the workstation being always on and available.
    Any input Direct Access gurus?
    Thanks in advance
    MIS5000

    Hi,
    Thanks for your post.
    We could have 2 possible solutions for natively deploying printers using Group Policy without the need for any scripting:
    1) Group Policy Preferences – available in Windows Server 2008 and later
    2) Print Management – available in Windows Server 2003 R2 and later
    http://blog.powershell.no/2009/11/08/deploying-printers-using-group-policy/
    Did you try to use the Print Management? You can share printers on a network and centralize print server and network printer management tasks using the Print Management Microsoft Management Console (MMC) snap-in. Print Management helps you to monitor print queues and receive notifications when print queues stop processing print jobs. It also enables you to migrate print servers and deploy printer connections using Group Policy.
    https://technet.microsoft.com/en-us/library/cc731857.aspx
    Meanwhile, if you have any Direct Access related issue, I think you may ask in network forums:
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverNIS
    Regards.

  • ConfigMgr Clients connection over direct access.

    My test client machine is running Windows 8.1 and connecting to the network through Direct Access. I am running SCCM 2012 R2 on Windows Server 2012.
    Test Machine: NYWIN8
    SCCM Server: SCCM01
    Domain: demo.local
    I would like to understand how ConfigMgr handles clients connecting through Direct Access. What functionality is available for such clients?
    On my client machine I see the following errors:
    FSPSTATEMESSAGE.LOG
    Failed in WinHttpSendRequest API, ErrorCode = 0x2ee7
    [CCMHTTP] ERROR: URL=HTTP://SCCM01.demo.local/SMS_FSP/.sms_fsp, Port=80, Options=480, Code=12007, Text=ERROR_WINHTTP_NAME_NOT_RESOLVED
    POLICYAGENT.LOG
    Policy
    http://SCCM01.demo.local/SMS_MP/.sms_pol?WRC10000.SHA256:BE60C5A54E508758261E6EDAE80AB21576A214309B9E1E19EE1D5A96C4508EC4 is not available.
    DATATRANSFERSERVICE.LOG
    DTS job {E6FAADEE-F22E-4E89-92EE-C2D9C10C3056} BITS job {9C444FAB-FD3C-4A6B-B8A4-81DA159E4E45} failed to download source file
    http://SCCM01.demo.local:80/SMS_MP/.sms_pol?WRC10000.SHA256:BE60C5A54E508758261E6EDAE80AB21576A214309B9E1E19EE1D5A96C4508EC4 to destination C:\Windows\CCM\Temp\{C9AA0DDC-BD37-442D-A00E-EE7404D47C12}.tmp with error 0x80190194
    DTS job {E6FAADEE-F22E-4E89-92EE-C2D9C10C3056} BITS job {9C444FAB-FD3C-4A6B-B8A4-81DA159E4E45} partially completed 0/1 with error 0x80190194 context 5
    Software Catalog Update Endpoint
    Failed to open portal registry key 'Software\Policies\Microsoft\CCM'. maybe haven't been created yet. Error 0x80070002
    WEDMTRACE.LOG
    No CCM Identification blob
    CAS.LOG
    The number of discovered DPs(including Branch DP and Multicast) is 0
    SMSCLIUI.LOG
    Failed to set DNSSuffix value to the registry.
    Are there any issues due to connecting using Direct Access?

    When I try to deploy any software (7-ZIP or Notepad++) to this client I get the following error:
    The software change returned error code 0x87D00607(-2016410105).
    I can deploy the same software fine to other machines connecting on LAN.
    Server Logs:
    Portlctl
    PORTALWEB's previous status was 0 (0 = Online, 1 = Failed, 4 = Undefined)
    PORTALWEBs http check returned hr=0, bFailed=0
    awbsctl
    AWEBSVCs http check returned hr=0, bFailed=0
    AWEBSVC's previous status was 0 (0 = Online, 1 = Failed, 4 = Undefined)
    Client Logs:
    CAS
    The number of discovered DPs(including Branch DP and Multicast) is 0
    CCMEVAL
    Client's current MP is http://SCCM01.DEMO.local and is accessible
    ClientLocation
    Current AD forest name is Demo.local, domain name is Demo.local
    Domain joined client is in Intranet
    Rotating assigned management point, new management point [1] is: SCCM01.demo.local (7958) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>
    Assigned MP changed from <SCCM01.demo.local> to <SCCM01.demo.local>.
    ContentTransferManager
    No data since 11/13/2013
    CTM job {F6085C09-4C39-489E-A6F6-2C268398B7F2} successfully processed download completion.
    DataTransfer
    DTS job {B227AB6E-6D0F-4709-B8C6-AA8B66CBBE2D} BITS job {AE61D01C-E251-45FA-8B2C-2E22DDD91016} failed to download source file
    http://SCCM01.demo.local:80/SMS_MP/.sms_pol?WRC10000.SHA256:BE60C5A54E508758261E6EDAE80AB21576A214309B9E1E19EE1D5A96C4508EC4 to destination C:\Windows\CCM\Temp\{22619283-47B1-445A-9262-C1FA54AD0F64}.tmp with error 0x80190194
    DTS job {B227AB6E-6D0F-4709-B8C6-AA8B66CBBE2D} BITS job {AE61D01C-E251-45FA-8B2C-2E22DDD91016} partially completed 0/1 with error 0x80190194 context 5
    Filebits
    BranchCache Is Not Enabled
    Failed to check PeerDistribution status. NOT able to do branch cache.
    FSPSTATEMESSAGE
    Failed in WinHttpSendRequest API, ErrorCode = 0x2ee7
    [CCMHTTP] ERROR: URL=HTTP://SCCM01.demo.local/SMS_FSP/.sms_fsp, Port=80, Options=480, Code=12007, Text=ERROR_WINHTTP_NAME_NOT_RESOLVED
    Successfully sent location services HTTP failure message.
    InternetProxy
    Failed to get proxy for url 'HTTP://SCCM01.demo.local/SMS_FSP/.sms_fsp'. Error 0x87d00215
    InventoryAgent
    Inventory: 9 Collection Task(s) failed.
    SCCLIENT
    Event maps to notification type = Application Enforcement Failed   (Microsoft.SoftwareCenter.Client.Data.WmiConnectionManager at EventWatcher_EventArrived)
    SMSCLIUI
    Failed to set DNSSuffix value to the registry.
    IPCONFIG /ALL from CLIENT:
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : NYWIN8
       Primary Dns Suffix  . . . . . . . : demo.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : demo.local
       System Quarantine State . . . . . : Not Restricted
    Ethernet adapter vEthernet (Internal):
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #3
       Physical Address. . . . . . . . . : 00-15-5D-01-0B-07
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::d3f:4e51:c648:7b26%26(Preferred)
       Autoconfiguration IPv4 Address. . : 169.254.123.38(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.0.0
       Default Gateway . . . . . . . . . :
       DHCPv6 IAID . . . . . . . . . . . : 872420701
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-EA-A9-CE-E0-DB-55-D2-5E-59
       DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Ethernet adapter vEthernet (External):
       Connection-specific DNS Suffix  . : home
       Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #2
       Physical Address. . . . . . . . . : 84-A6-C8-AF-03-DE
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::9cb5:5132:1f47:e7c6%24(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Thursday, January 2, 2014 1:27:53 PM
       Lease Expires . . . . . . . . . . : Saturday, January 4, 2014 12:27:55 PM
       Default Gateway . . . . . . . . . : 192.168.1.1
       DHCP Server . . . . . . . . . . . : 192.168.1.1
       DHCPv6 IAID . . . . . . . . . . . : 730113736
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-EA-A9-CE-E0-DB-55-D2-5E-59
       DNS Servers . . . . . . . . . . . : 192.168.1.1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Wireless LAN adapter Local Area Connection* 3:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
       Physical Address. . . . . . . . . : 84-A6-C8-AF-03-DF
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Ethernet adapter Bluetooth Network Connection:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
       Physical Address. . . . . . . . . : 84-A6-C8-AF-03-E2
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Ethernet adapter Ethernet:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : home
       Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
       Physical Address. . . . . . . . . : E0-DB-55-D2-5E-59
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter isatap.home:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : home
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter iphttpsinterface:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : iphttpsinterface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : fd64:fc00:d17b:1000:e1a7:9cc8:c3c7:d819(Preferred)
       Temporary IPv6 Address. . . . . . : fd64:fc00:d17b:1000:c598:7f17:e286:369d(Preferred)
       Link-local IPv6 Address . . . . . : fe80::e1a7:9cc8:c3c7:d819%10(Preferred)
       Default Gateway . . . . . . . . . :
       DHCPv6 IAID . . . . . . . . . . . : 369098752
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-EA-A9-CE-E0-DB-55-D2-5E-59
       NetBIOS over Tcpip. . . . . . . . : Disabled
    Tunnel adapter isatap.{DC7D2C63-1506-49EC-A40F-AA4E56DE4001}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

  • Configuration of Direct Access 2012

    Good morning.
    I have tried to set up Direct Access from what I see is pretty much a 30-40 minute job, but has turned out to be something of a pain. Having followed the video on YouTube for Windows Server 2012 with Basic PKI configuration and Windows 7 clients, I have set up a working DA server with no issues and all green ticks.
    Here's a run down.
    I have a DC (2012) with the CA already installed.
    I have a virtual DA (2012) set up with the advanced settings.
    I have a TMG 2010 server as the firewall with a Non-Web Publishing rule designed to forward HTTPS requests to the DA on the internal network.
    The set up went as planned and I followed the instruction to set up the PKI and all computers have picked up a computer Certificate for the CA so that the internal root is validated.
    The Certificates that I chose for the DA server were as follows;
    DirectAccess-NLS.mydomain.local
    remote.my-external-domain-name.co.uk
    both published from my internal CA so that the root of the certificates were valid.
    I have a Third party wildcard cert ( *.my-external-domain-name.co.uk ) for TMG to allow other connections such as VPN and web access.
    DA Config:
    Step 1: Remote Clients
    I set up the DA server as per the video, set the DirectAccessClient group, and in the Network Connectivity Assistant the resource was filled in with the http://diectaccess-WebProbeHost URL.
    Step 2: Remote Access Server
    The Network Topology was set to Behind an edge device (with single network adapter), and then it says to type in the 'PUBLIC NAME' used by clients to connect to the Remote Access Server. Here I typed in the external DNS name remote.my-external-domain-name.co.uk.
    Network Adapters had the one ethernet and an IPv6 address. The Select Certificate used to authenticate IP-HTTPS connections has the CN=remote.my-external-domain-name.co.uk.
    Authentication is set to AD and I used the root certificate of the CA for use computer certificates. I also enabled Windows 7 client computers to connect via DirectAccess.
    Step 3: Infrastructure Servers
    Network Location Server had the NLS is deployed on this server with the DirectAccess-NLS cert.
    DNS had the internal domain and the DirectAccess-NLS. The internal domain was pointing to the IPv4 address of the DA. I read that I need to put the external name suffix of remote.my-external-domain-name.co.uk entry in and pointed that to the internal DA IPv4 address also.
    DNS Suffix List was set automatically and I also added my external domain name just in case.
    Management was straightforward and I pointed to our System Centre 2012 R2 server.
    Upon clicking finish and applying the GPO policies everything went according to plan. All green ticks. I did a GPupdate on the client I was testing and the GPO policies came through.
    Now the issue I have is that on the internal network I get the Last Error 0x80190190 unable to connect to server. Now I am sure that this should say active as it is inside the network. I get the same error outside. When I check the DA server for netsh int https sh int it returns the value that client authentication = NONE. I set it up to use computer certificates and even if I uncheck that it does not change.
    Is there a straightforward thing I missed or is it to do with publishing in TMG? Internally the direct access client will not connect as it will find the NLS in the internal DNS as I have the host record for both the server FQDN and the DirectAccess-NLS pointing to the IPv4 address. I also have the external remote.my-external-domain-name.co.uk entry in the internal DNS to point to the internal IPv4.
    I have opened the ports for 443, 62000 on the DA for the IIS inbound and outbound.
    I have a Windows 8 client but need to test it as Windows 8 is supposed to work just like that.
    What am I doing wrong here? Any ideas would be much appreciated.

    Thank you for this Jordan.
    I have now got it working. The next step is to make sure my applications are all using Names rather than IP addresses.
    I have basically set up the system as per my original thread that follows, NOT in BOLD.
    I have tried to set up Direct Access from what I see is pretty much a 30-40 minute job, but has turned out to be something of a pain. Having followed the video on YouTube for Windows Server 2012 with Basic PKI configuration and Windows 7 clients, I have set up a working DA server with no issues and all green ticks.
    Here's a run down.
    I have a DC (2012) with the CA already installed.
    I have a virtual DA (2012) set up with the advanced settings.
    I have a TMG 2010 server as the firewall with a Non-Web Publishing rule designed to forward HTTPS requests to the DA on the internal network.
    The set up went as planned and I followed the instruction to set up the PKI and all computers have picked up a computer Certificate for the CA so that the internal root is validated.
    The Certificates that I chose for the DA server were as follows;
    DirectAccess-NLS.mydomain.local
    remote.my-external-domain-name.co.uk
    both published from my internal CA so that the root of the certificates were valid.
    I have a Third party wildcard cert ( *.my-external-domain-name.co.uk ) for TMG to allow other connections such as VPN and web access.
    DA Config:
    Step 1: Remote Clients
    I set up the DA server as per the video, set the DirectAccessClient group, and in the Network Connectivity Assistant the resource was filled in with the http://diectaccess-WebProbeHost URL.
    Step 2: Remote Access Server
    The Network Topology was set to Behind an edge device (with single network adapter), and then it says to type in the 'PUBLIC NAME' used by clients to connect to the Remote Access Server. Here I typed in the external DNS name remote.my-external-domain-name.co.uk.
    Network Adapters had the one ethernet and an IPv6 address. The Select Certificate used to authenticate IP-HTTPS connections has the CN=remote.my-external-domain-name.co.uk.
    Authentication is set to AD and I used the root certificate of the CA for use computer certificates. I also enabled Windows 7 client computers to connect via DirectAccess.
    Step 3: Infrastructure Servers
    Network Location Server had the NLS is deployed on this server with the DirectAccess-NLS cert.
    DNS had the internal domain and the DirectAccess-NLS. The internal domain was pointing to the IPv4 address of the DA. I read that I need to put the external name suffix of remote.my-external-domain-name.co.uk entry in and pointed that to the internal DA IPv4 address also.
    DNS Suffix List was set automatically and I also added my external domain name just in case.
    Management was straightforward and I pointed to our System Centre 2012 R2 server.
    Upon clicking finish and applying the GPO policies everything went according to plan. All green ticks. I did a GPupdate on the client I was testing and the GPO policies came through.
    I have set up TMG as per the isa.org forum
    http://www.isaserver.org/articles-tutorials/general/implementing-windows-server-2012-directaccess-behind-forefront-tmg-part2.html .
    @ Jordan - I ensured that I had a separate external IP address for the requests from the clients to TMG as I publish websites internally.
    I used a third party wildcard cert for the IP-HTTPS connect part in DA Config Step 2.
    All the rest of the DA set up was pretty much out of the box as stated above.

  • Office 365 Direct Access SCCM

    Hi,
    Recently we deployed a bunch of laptops using SCCM (Windows 8.1) but are having a partial issue with Office 365 via Software Center.
    When laptops are within domain:
    - Office 365 installs during OSD
    - Office 365 installs via Software Center
    When laptops are within domain via Direct Access:
    - Office 365 downloads but fails at installing.
    "exitcode: 17002"
    "The software change returned error code 0x426A(17002)"
    <![LOG[++++++ App enforcement completed (2 seconds) for App DT "VisioProRetail" [ScopeId_538AD476-A160-422A-81FA-BE714BFAD0B1/DeploymentType_3d6a46b6-ffca-477c-b200-cc3392085b38], Revision: 2, User SID: S-1-5-21-2507967118-3678214798-1188983363-2612] ++++++]LOG]!><time="11:33:58.291-600" date="07-10-2014" component="AppEnforce" context="" type="1" thread="6188" file="appprovider.cpp:2448">
    <![LOG[+++ Starting Install enforcement for App DT "VisioProRetail" ApplicationDeliveryType - ScopeId_538AD476-A160-422A-81FA-BE714BFAD0B1/DeploymentType_3d6a46b6-ffca-477c-b200-cc3392085b38, Revision - 2, ContentPath - C:\WINDOWS\ccmcache\d, Execution Context - System]LOG]!><time="11:34:17.546-600" date="07-10-2014" component="AppEnforce" context="" type="1" thread="6188" file="appprovider.cpp:1702">
    <![LOG[ A user is logged on to the system.]LOG]!><time="11:34:17.546-600" date="07-10-2014" component="AppEnforce" context="" type="1" thread="6188" file="appprovider.cpp:2083">
    <![LOG[ Performing detection of app deployment type VisioProRetail(ScopeId_538AD476-A160-422A-81FA-BE714BFAD0B1/DeploymentType_3d6a46b6-ffca-477c-b200-cc3392085b38, revision 2) for user.]LOG]!><time="11:34:17.550-600" date="07-10-2014" component="AppEnforce" context="" type="1" thread="6188" file="appprovider.cpp:2148">
    <![LOG[+++ Application not discovered. [AppDT Id: ScopeId_538AD476-A160-422A-81FA-BE714BFAD0B1/DeploymentType_3d6a46b6-ffca-477c-b200-cc3392085b38, Revision: 2]]LOG]!><time="11:34:17.580-600" date="07-10-2014" component="AppEnforce" context="" type="1" thread="6188" file="localapphandler.cpp:291">
    <![LOG[ App enforcement environment:
    Context: Machine
    Command line: setup.exe /configure configuration.xml
    Allow user interaction: No
    UI mode: 1
    User token: not null
    Session Id: 3
    Content path: C:\WINDOWS\ccmcache\d
    Working directory: ]LOG]!><time="11:34:17.580-600" date="07-10-2014" component="AppEnforce" context="" type="1" thread="6188" file="appcontext.cpp:85">
    <![LOG[ Prepared working directory: C:\WINDOWS\ccmcache\d]LOG]!><time="11:34:17.582-600" date="07-10-2014" component="AppEnforce" context="" type="1" thread="6188" file="appcontext.cpp:189">
    <![LOG[ Prepared command line: "C:\WINDOWS\ccmcache\d\setup.exe" /configure configuration.xml]LOG]!><time="11:34:17.584-600" date="07-10-2014" component="AppEnforce" context="" type="1" thread="6188" file="appcontext.cpp:338">
    <![LOG[ Executing Command line: "C:\WINDOWS\ccmcache\d\setup.exe" /configure configuration.xml with user context]LOG]!><time="11:34:17.585-600" date="07-10-2014" component="AppEnforce" context="" type="1" thread="6188" file="appexcnlib.cpp:201">
    <![LOG[ Working directory C:\WINDOWS\ccmcache\d]LOG]!><time="11:34:17.586-600" date="07-10-2014" component="AppEnforce" context="" type="1" thread="6188" file="appexcnlib.cpp:215">
    <![LOG[ Post install behavior is BasedOnExitCode]LOG]!><time="11:34:17.615-600" date="07-10-2014" component="AppEnforce" context="" type="1" thread="6188" file="appcommon.cpp:1094">
    <![LOG[ Waiting for process 440 to finish. Timeout = 120 minutes.]LOG]!><time="11:34:17.617-600" date="07-10-2014" component="AppEnforce" context="" type="1" thread="6188" file="appexcnlib.cpp:1958">
    <![LOG[ Process 440 terminated with exitcode: 17002]LOG]!><time="11:34:19.687-600" date="07-10-2014" component="AppEnforce" context="" type="1" thread="6188" file="appexcnlib.cpp:1967">
    <![LOG[ Looking for exit code 17002 in exit codes table...]LOG]!><time="11:34:19.689-600" date="07-10-2014" component="AppEnforce" context="" type="1" thread="6188" file="appexcnlib.cpp:505">
    <![LOG[ Unmatched exit code (17002) is considered an execution failure.]LOG]!><time="11:34:19.690-600" date="07-10-2014" component="AppEnforce" context="" type="2" thread="6188" file="appexcnlib.cpp:591">
    <![LOG[++++++ App enforcement completed (2 seconds) for App DT "VisioProRetail" [ScopeId_538AD476-A160-422A-81FA-BE714BFAD0B1/DeploymentType_3d6a46b6-ffca-477c-b200-cc3392085b38], Revision: 2, User SID: S-1-5-21-2507967118-3678214798-1188983363-2612] ++++++]LOG]!><time="11:34:19.692-600" date="07-10-2014" component="AppEnforce" context="" type="1" thread="6188" file="appprovider.cpp:2448">
    I have seen some other posts where they suggest it is a permission issue, but in my case there are no pop up windows and the content was cached to the user directory.
    Also confirming that the source folder (files and file sizes) all match compared to the local cached folder.
    Administrator has full access to the file (myself logged in as administrator).
    Thank you,
    Jono
    Jonathan

    Hi,
    Found out what the issue was... not really an issue to be honest.
    As I am managing SCCM at the same thing, I have Office 365, Visio and Project installation as a separated package.
    When I try to run Visio and Project while Office (Lync and Outlook) are running, it instantly fails.
    Once I turned those software off, it works like magic.
    Regards,
    Jono
    Jonathan

  • Direct Access on windows 2012 with OTP

    Hello everyone,
    I've just finished setting up Direct Access 2012 with Gemalto's OTP solution for a client.
    I have an issue though: without OTP all is working fine, and when I activate OTP with all the certificates and stuff, when I enter the OTP code on my client it looks like it's not validating it.
    On the Direct Access Server I get this error:
    Erreur : Challenge returned.
    source: RemoteAccess-RemoteAccessServer
    ID: 10042
    I have absolutely no errors on my RADIUS server... any idea on why the server is rejecting my requests?
    Thanks for the help
    Hitch Bardawil

    Hi
    I deployed this scenario for a customer of mine a few months ago with GEMALTO. It's a little bit tricky but possible. For some troubleshooting tips have a look at one of my blog posts:
    http://danstoncloud.com/blogs/simplebydesign/archive/2013/10/26/the-0x80040008-directaccess-otp-case.aspx.
    At last for your OTP operating in Challenge/response mode. It's not possible. It's a NPS limitation:
    http://technet.microsoft.com/fr-fr/library/jj618331.aspx
    "The OTP provider used requires the user to provide additional credentials in the form of a RADIUS challenge/response exchange, which is not supported by Windows Server 2012 DirectAccess OTP."
    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

  • Direct Access for Non Domain Machines

    Hi,
    In my IT infrastructure, there are multiple machines that are outside my office network and domain.
    Can we join these machines to the domain via a Direct Access implementation? Or, for implementing Direct Access, are we required to join those non-domain, out-of-office-network machines to the domain first?
    Secondly, can we implement Direct Access without purchasing any public certificate, and without configuring any IPv6 on the internal network, machines and servers? Currently I am using IPv4 on all machines and servers.
    I have gone through the Direct Access TechNet guide but I find it a very complex document. Can you please brief me about Direct Access implementation in a simple way? I want to implement Direct Access to join the internet-based client machines to the domain and manage them via/for SCCM.
    Shailendra Dev

    Correct, DirectAccess clients must be domain joined. Also, only Windows 7 Ultimate, Windows 7 Enterprise, or Windows 8 Enterprise clients are able to be DirectAccess connected, so that may also make a difference to your situation. I see many customers deploy DirectAccess for those Win7/Win8 domain-joined systems, and then make use of the traditional (RRAS) VPN on the same DirectAccess server for connecting any other operating systems or non-domain-joined machines. Those would just have to launch a manual VPN connection, where the DirectAccess connections are of course automatically connected.
    You don't "have" to use an SSL certificate that you purchased from a public CA, but you really should. It is definitely a best practice to use a trusted public certificate on your DirectAccess server. Further, if you have Windows 8 client computers, you don't even need to distribute the machine certificates inside your network, but it is also a best practice that you do this anyway, to strengthen the authentication process.
    No, you do not need IPv6 inside your network at all for DirectAccess to work.
    Sounds like you might be interested in some additional reading on DA, here are the two books available on the subject:
    https://www.packtpub.com/virtualization-and-cloud/microsoft-directaccess-best-practices-and-troubleshooting
    https://www.packtpub.com/networking-and-servers/windows-server-2012-unified-remote-access-planning-and-deployment

  • LAN side firewall settings for Direct Access (Windows Server 2012 R2) in DMZ?

    I am currently planning to set up our first Direct Access server (Windows Server 2012 R2). It will be in our firewall DMZ and we will be using the IP-HTTPS listener.
    For the Internet facing rule only TCP 443 inbound/outbound is sufficient but for the LAN facing rules (not talking about the Windows server firewall) what would be the recommended firewall rules for a Direct Access server? Is there a best practice guideline
    to follow for this? Appreciate any advice or comments. Thank you.

    Hi Barkley
    Please see this TechNet link, which will back up your requirements - https://technet.microsoft.com/en-gb/library/jj574101.aspx
    The section reads:
    When using additional firewalls, apply the following internal network firewall exceptions for Remote Access traffic:
      - ISATAP: Protocol 41 inbound and outbound
      - TCP/UDP for all IPv4/IPv6 traffic
    Also another link from http://www.ironnetworks.com/blog/directaccess-network-deployment-scenarios#.VO3tfvmsVrU
    "I have had a number of conversations with security administrators and network architects who have expressed a desire to place the DirectAccess server between two firewalls (firewall sandwich) in order to explicitly control access from the DirectAccess
    server to the internal corporate network. While at first this may sound like a sensible solution, it is often quite problematic and, in my opinion, does little to improve the overall security of the solution. Restricting network access from the DirectAccess
    server to the internal LAN requires so many ports to be opened on the inside firewall that the benefit of having the firewall is greatly diminished. Placing the DirectAccess server’s internal network interface on the LAN unrestricted is the best configuration
    in terms of supportability and provides the best user experience."
    Kindest Regards
    John Davies

    Thanks for your reply and information, John. I find it somewhat disappointing that Microsoft does not provide much more in the way of documentation and information regarding this topic. I required more information to show to our security team so they will allow
    us to have the internal facing NIC not have more restrictive rules in place, as it is a security concern.

  • Windows 2012 Direct Access ISATAP not working

    I just installed Windows 2012 Direct Access and it's working fine for my company's Windows 7 Ent clients. The only issue I can't get around is that ISATAP is not working on this box.
    We want to be able to manage-out in our native IPv4 environment, the isatap A record has already been created and is resolvable to all client machines including the Direct Access server. Unfortunately, ISATAP still appears to be Disabled. Do we need to manually
    set this to enabled apart from what I've already done?
    PS C:\Windows\system32> Get-RemoteAccessHealth
    Component            RemoteAccessServer   HealthState     TimeStamp            Id
    Server               localhost            OK              1/31/2013 3:26:43 PM
    6to4                 localhost            Disabled        1/31/2013 3:21:44 PM
    Vpn Addressing       localhost            Disabled        1/31/2013 3:21:44 PM
    Network Security     localhost            OK              1/31/2013 3:21:44 PM
    Dns                  localhost            OK              1/31/2013 3:26:43 PM
    IP-Https             localhost            OK              1/31/2013 3:21:44 PM
    Nat64                localhost            OK              1/31/2013 3:21:44 PM
    Dns64                localhost            OK              1/31/2013 3:21:44 PM
    IPsec                localhost            OK              1/31/2013 3:21:44 PM
    Kerberos             localhost            Disabled        1/31/2013 3:21:44 PM
    Domain Controller    localhost            OK              1/31/2013 3:21:44 PM
    Management Servers   localhost            Disabled        1/31/2013 3:21:44 PM
    Network Location ... localhost            OK              1/31/2013 3:26:43 PM
    Otp                  localhost            Disabled        1/31/2013 3:21:44 PM
    High Availability    localhost            Disabled        1/31/2013 3:21:44 PM
    Isatap               localhost            Disabled        1/31/2013 3:21:44 PM
    Vpn Connectivity     localhost            Disabled        1/31/2013 3:21:44 PM
    Teredo               localhost            Disabled        1/31/2013 3:21:44 PM
    Network Adapters     localhost            OK              1/31/2013 3:21:44 PM
    Services             localhost            OK              1/31/2013 3:26:43 PM
    PS C:\Windows\system32> ping isatap
    Pinging isatap.isat.com [192.168.1.214] with 32 bytes of data:
    Reply from 192.168.1.214: bytes=32 time=1ms TTL=128
    Reply from 192.168.1.214: bytes=32 time<1ms TTL=128
    Reply from 192.168.1.214: bytes=32 time<1ms TTL=128
    Reply from 192.168.1.214: bytes=32 time<1ms TTL=128

    Hi,
    Thank you for the post.
    As far as I understand, ISATAP is not recommended for use as the IPv6 to IPv4 transition technology in DirectAccess in Windows Server 2012. With ISATAP disabled, DirectAccess clients can initiate connections to computers
    on the internal network, and the computers on the internal network are able to respond. However, computers on the internal network will not be able to initiate connections to DirectAccess clients for purposes of remote client management. If you want to be able to
    perform remote client management, consider deploying native IPv6 for management servers that will connect to DirectAccess client computers.
    Regards,
    Nick Gu - MSFT

  • Direct Access Wizard Failure

    Hi all,
    I'm having an issue with setting up Direct Access. I have followed the guide located here.
    I am following this guide to the letter, apart from setting up two blank GPOs for client and server settings.
    I decided to copy the script and run it via PowerShell (admin), and the following error is returned:
    VERBOSE: Retrieving server GPO details...
    VERBOSE: Retrieving DirectAccess server information...
    VERBOSE: Clearing existing stale configuration settings. This might take a few minutes...
    VERBOSE: Checking for deployment state...
    VERBOSE: Checking the specified adapters...
    VERBOSE: Deploying the Remote Access server behind NAT...
    VERBOSE: Searching for a network location server certificate...
    VERBOSE: Checking the specified adapters...
    VERBOSE: Checking for a native IPv6 deployment...
    VERBOSE: Verifying the IP-HTTPS certificate...
    VERBOSE:  Deploying DirectAccess with a single network adapter (Ethernet) behind a NAT device...
     ISATAP is used in the internal network.
    VERBOSE: Retrieving internal network DNS settings...
    VERBOSE: Verifying the GPO to write settings...
    VERBOSE: Checking GPO edit permissions...
    VERBOSE: Creating GPO link if not present...
    VERBOSE: Checking for a client GPO to write settings...
    VERBOSE: Checking for edit permissions for the DirectAccess client GPO...
    VERBOSE: Creating GPO link if not present...
    VERBOSE: Checking for permissions to apply DirectAccess client policies to the GPO...
    VERBOSE: Identifying all domains...
    VERBOSE: Identifying infrastructure servers in domain HOME.local...
    VERBOSE: Registering the DNS entry used to check client connectivity...
    WARNING: A DNS entry for DNS probe directaccess-corpConnectivityHost.HOME.local (IP addresses 127.0.0.1;
    fd10:f4c1:d28d:7777::7f00:1) cannot be added. Add the entry manually.
    VERBOSE: Registering the web probe in DNS...
    VERBOSE: Clearing existing stale configuration settings...
    VERBOSE: Creating DirectAccess client policies...
    VERBOSE: Updating client policies...
    Install-RemoteAccess : The security group setting cannot be applied to DirectAccess server GPO HOME.local\Direct
    Access Server.
    At line:1 char:1
    + Install-RemoteAccess -NoPrerequisite -Force -PassThru -ServerGpoName 'HOME.local ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (HOME.local\Direct Access Server:root/Microsoft/...PS_RemoteAccess) [In
       stall-RemoteAccess], CimException
        + FullyQualifiedErrorId : HRESULT 80070057,Install-RemoteAccess
    Remote access is installed.
    Any ideas to what could be causing this?

    Which group are you talking about?
    I have a group for all direct access machines, You have to specify this group during the wizard.
    The permission issue seems to be related to the script trying to modify group policy
    I have tried with the default policies the wizard creates and also specifying 2 blank policies.

  • Direct Access: DNS error on Operations Status (DNS server not responding)

    Hi!
    I am testing Direct Access on Windows 2012 R2 Standard. So far I have deployed the Remote Access role to our server "ABC-DA1". I have completed the configuration wizard for a Single NIC deployment and defined a FQDN as the "public name"
    (da.domain.com).
    After completing the wizard I go to the Operations Status page and find an error telling me one of the DNS servers is unavailable. The mentioned server is no longer operational as it was running on an old Win2k8R2 DC server that was demoted.
    Is there a way to remove the reference to the old server? I have 3 new DNS servers running on the new Domain Controllers but it seems like the old DC did not completely remove itself.
    Below is a screenshot of the operations status.
    Thank you for your help :)

    Hi,
    Please go to the Name Resolution Policy and check if you can change the DNS server there.
    Computer Configuration -> Policies -> Windows Settings -> Name Resolution Policy
    Hope this helps.
    Jeremy Wu
    TechNet Community Support

  • Direct Access client DNS Registration q.

    Hi All,
    We have Direct Access installed, configured and mostly working on Windows 2012 R2 server supporting WIN 8.1 clients (only).
    All internal resources are accessible and have good name resolution, etc.
    However, I now have to enable "manage out" functionality. SCCM based Remote Assistance etc.
    There are various guides and I think manage out is working correctly. There is a major sticking point in that the clients are attempting to register DNS names on the local DHCP server (home/office router) and registration never reaches the corporate DNS servers.
    I have enabled "secure only" DNS registration by Group Policy.
    We use split tunneling for clients.
    The Direct Access server is behind a NAT firewall. (CISCO) So the only effective transition tech is IP-HTTPS.
    Many thanks for any assistance in pointing me in the right direction.

    Hi,
    >>There is a major sticking point in that the clients are attempted to register DNS names on the local DHCP server (home/office) router and registration never reaches corporate DNS servers.
    Did you deploy the IPv6 in your corpnet? If no, it's normal.
    If we use IPv4 in the corpnet, NAT64 and DNS64 will be enabled on the DirectAccess server. When the DirectAccess client sends the DNS update packet, according to the NRPT, the packet will be sent to the DirectAccess server. The DirectAccess
    server will register the AAAA record on behalf of the client.
    Best Regards.
    Steven Lee

  • Direct Access URLs in Release 2

    What is the format for direct access URLs in release 2? I recall seeing somewhere that it had changed.
    Thanks.

    I found the documentation. It is in the help file /help/sblpath.htm.
