Direct Access To Frame Buffer

For graphics demos that need to modify each pixel in the applet each frame, how is that done? Calling a method on a Graphics object for every pixel is waaay too sloooow. Even calling a method that does nothing for every pixel is way too slow. What I think I need is a reference to an array of bytes/chars that make up the frame buffer. How can I get that? Im thinking I need to create an Image object from an array of bytes and then draw that Image onto the Graphics object. How would I do that? I only know how to create an Image object by loading an image from a file. Is there a better way to do this? I know this is possible to do cause iv seen demos that do it.
Advanced Thanks

Nevermind, I got it. For those interested, I used BufferedImage.

Similar Messages

Is DRM needed to configure a VDMA frame buffer?

i have TPG->VDMA->AXIS to video out with a TC configured with constants.
I've been working through the ZC702 TRD
http://www.wiki.xilinx.com/Zynq+Base+TRD+2015.2
My TPG/VDMA drivers seem to load ok by looking at the kernel log. And, I have a /dev/v4l-subdev0 that shows up.
I seem to be able to configure the TPG fine and I think I understand what is going on with the TPG driver.
But, for VDMA if I just have it set up as a frame buffer what's the easiest way to configure/enable it? The TRD code is really large/conplicated and trying to figure out what the general methodology is for accessing the VDMA driver from a user space program.

Configuration of VDMA is done in Xilinx Video pipeline driver (using linux dma engine APIs).
Take a look at drivers/media/platform/xilinx/xilinx-dma.c
In devicetree (software/petalinux/subsystems/linux/configs/device-tree/video-cap.dtsi a video node is instantiated -
Userspace application will use this video node to query/queue/dequeue buffers.
video_cap {
compatible = "xlnx,video";
dmas = <&vdma_1 1>;
dma-names = "port0";
<snip>
In above example video node is using vdma_1 1 instance which is VDMA S2MM channel - it takes TPG streaming input and write it to mem.
In V4L2 framework vdma programming is encapsulated and it is not recomended to configure VDMA directly from userspace.
One question: Is you end goal to capture frames from TPG and displaying those on display( using DRM) ?
For reference take a look at video_lib (rdf0286-zc702-zvik-base-trd-2015-2\software\xsdk\projects\video_lib\src\s2m_pipeline.c) source.
Few other relevant links:
https://lwn.net/Articles/447435
http://lists.freedesktop.org/archives/dri-devel/2012-March/019778.html
http://www.wiki.xilinx.com/Xilinx+V4L2+driver
https://archive.fosdem.org/2014/schedule/.../v4l2_frameworks.pdf
-Radhey

Direct Access URLs in Release 2

What is the format for direct access URLs in release 2? I recall seeing somewhere that it had changed.
Thanks.

I found the documentation. It is in the help file /help/sblpath.htm.

ConfigMgr Clients connection over direct access.

My test client machine is running Windows 8.1 and connecting to network through Direct Access. I am running SCCM 2012 R2 on Windows Server 2012.
Test Machine: NYWIN8
SCCM Server: SCCM01
Domain: demo.local
I would like to understand how configmgr handles clients connecting through direct access. What all functionality is available for such clients?
On my client machine is see following errors:
FSPSTATEMESSAGE.LOG
Failed in WinHttpSendRequest API, ErrorCode = 0x2ee7
[CCMHTTP] ERROR: URL=HTTP://SCCM01.demo.local/SMS_FSP/.sms_fsp, Port=80, Options=480, Code=12007, Text=ERROR_WINHTTP_NAME_NOT_RESOLVED
POLICYAGENT.LOG
Policy
http://SCCM01.demo.local/SMS_MP/.sms_pol?WRC10000.SHA256:BE60C5A54E508758261E6EDAE80AB21576A214309B9E1E19EE1D5A96C4508EC4 is not available.
DATATRANSFERSERVICE.LOG
DTS job {E6FAADEE-F22E-4E89-92EE-C2D9C10C3056} BITS job {9C444FAB-FD3C-4A6B-B8A4-81DA159E4E45} failed to download source file
http://SCCM01.demo.local:80/SMS_MP/.sms_pol?WRC10000.SHA256:BE60C5A54E508758261E6EDAE80AB21576A214309B9E1E19EE1D5A96C4508EC4 to destination C:\Windows\CCM\Temp\{C9AA0DDC-BD37-442D-A00E-EE7404D47C12}.tmp with error 0x80190194
DTS job {E6FAADEE-F22E-4E89-92EE-C2D9C10C3056} BITS job {9C444FAB-FD3C-4A6B-B8A4-81DA159E4E45} partially completed 0/1 with error 0x80190194 context 5
Software Catalog Update Endpoint
Failed to open portal registry key 'Software\Policies\Microsoft\CCM'. maybe haven't been created yet. Error 0x80070002
WEDMTRACE.LOG
No CCM Identification blob
CAS.LOG
The number of discovered DPs(including Branch DP and Multicast) is 0
SMSCLIUI.LOG
Failed to set DNSSuffix value to the registry.
Are there any issues due to connecting using direct access?

When I try to deploy any software (7-ZIP or Notepad++) to this client I get following error:
The software change returned error code 0x87D00607(-2016410105).
I can deploy same software fine to other machines connecting on LAN.
Server Logs:
Portlctl
PORTALWEB's previous status was 0 (0 = Online, 1 = Failed, 4 = Undefined)
PORTALWEBs http check returned hr=0, bFailed=0
awbsctl
AWEBSVCs http check returned hr=0, bFailed=0
AWEBSVC's previous status was 0 (0 = Online, 1 = Failed, 4 = Undefined)
Client Logs:
CAS
The number of discovered DPs(including Branch DP and Multicast) is 0
CCMEVAL
Client's current MP is http://SCCM01.DEMO.local and is accessible
ClientLocation
Current AD forest name is Demo.local, domain name is Demo.local
Domain joined client is in Intranet
Rotating assigned management point, new management point [1] is: SCCM01.demo.local (7958) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>
Assigned MP changed from <SCCM01.demo.local> to <SCCM01.demo.local>.
ContentTransferManager
No data since 11/13/2013
CTM job {F6085C09-4C39-489E-A6F6-2C268398B7F2} successfully processed download completion.
DataTransfer
DTS job {B227AB6E-6D0F-4709-B8C6-AA8B66CBBE2D} BITS job {AE61D01C-E251-45FA-8B2C-2E22DDD91016} failed to download source file
http://SCCM01.demo.local:80/SMS_MP/.sms_pol?WRC10000.SHA256:BE60C5A54E508758261E6EDAE80AB21576A214309B9E1E19EE1D5A96C4508EC4 to destination C:\Windows\CCM\Temp\{22619283-47B1-445A-9262-C1FA54AD0F64}.tmp with error 0x80190194
DTS job {B227AB6E-6D0F-4709-B8C6-AA8B66CBBE2D} BITS job {AE61D01C-E251-45FA-8B2C-2E22DDD91016} partially completed 0/1 with error 0x80190194 context 5
Filebits
BranchCache Is Not Enabled
Failed to check PeerDistribution status. NOT able to do branch cache.
FSPSTATEMESSAGE
Failed in WinHttpSendRequest API, ErrorCode = 0x2ee7
[CCMHTTP] ERROR: URL=HTTP://SCCM01.demo.local/SMS_FSP/.sms_fsp, Port=80, Options=480, Code=12007, Text=ERROR_WINHTTP_NAME_NOT_RESOLVED
Successfully sent location services HTTP failure message.
InternetProxy
Failed to get proxy for url 'HTTP://SCCM01.demo.local/SMS_FSP/.sms_fsp'. Error 0x87d00215
InventoryAgent
Inventory: 9 Collection Task(s) failed.
SCCLIENT
Event maps to notification type = Application Enforcement Failed (Microsoft.SoftwareCenter.Client.Data.WmiConnectionManager at EventWatcher_EventArrived)
SMSCLIUI
Failed to set DNSSuffix value to the registry.
IPCONFIG /ALL from CLIENT:
Windows IP Configuration
   Host Name . . . . . . . . . . . . : NYWIN8
   Primary Dns Suffix . . . . . . . : demo.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : demo.local
   System Quarantine State . . . . . : Not Restricted
Ethernet adapter vEthernet (Internal):
   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #3
   Physical Address. . . . . . . . . : 00-15-5D-01-0B-07
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::d3f:4e51:c648:7b26%26(Preferred)
   Autoconfiguration IPv4 Address. . : 169.254.123.38(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 872420701
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-EA-A9-CE-E0-DB-55-D2-5E-59
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter vEthernet (External):
   Connection-specific DNS Suffix . : home
   Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #2
   Physical Address. . . . . . . . . : 84-A6-C8-AF-03-DE
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::9cb5:5132:1f47:e7c6%24(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, January 2, 2014 1:27:53 PM
   Lease Expires . . . . . . . . . . : Saturday, January 4, 2014 12:27:55 PM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 730113736
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-EA-A9-CE-E0-DB-55-D2-5E-59
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
Wireless LAN adapter Local Area Connection* 3:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : 84-A6-C8-AF-03-DF
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
Ethernet adapter Bluetooth Network Connection:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physical Address. . . . . . . . . : 84-A6-C8-AF-03-E2
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
Ethernet adapter Ethernet:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix . : home
   Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
   Physical Address. . . . . . . . . : E0-DB-55-D2-5E-59
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.home:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix . : home
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Tunnel adapter iphttpsinterface:
   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : iphttpsinterface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : fd64:fc00:d17b:1000:e1a7:9cc8:c3c7:d819(Preferred)
   Temporary IPv6 Address. . . . . . : fd64:fc00:d17b:1000:c598:7f17:e286:369d(Preferred)
   Link-local IPv6 Address . . . . . : fe80::e1a7:9cc8:c3c7:d819%10(Preferred)
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 369098752
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-EA-A9-CE-E0-DB-55-D2-5E-59
   NetBIOS over Tcpip. . . . . . . . : Disabled
Tunnel adapter isatap.{DC7D2C63-1506-49EC-A40F-AA4E56DE4001}:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Direct Access on Windows Server 2012 R2 and IPV6

I have a question about IPV6 and Direct Access in Server 2012 R2. Without using UAG is it still mandatory to have IPV6 enabled in the intranet?
Kristopher Turner | Not the brightest bulb but by far not the dimmest bulb.

Hi,
DirectAccess uses IPv6 with IPsec to create a secure connection between DirectAccess client computers and the internal corporate network.
However, DirectAccess does not necessarily require connectivity to the IPv6 Internet or native IPv6 support on internal networks. Instead, it automatically configures and uses IPv6 transition technologies to tunnel IPv6 traffic across the IPv4 Internet (6to4,
Teredo, IP-HTTPS) and across your IPv4-only intranet (NAT64 or ISATAP).
For detailed information, please view the link below,
Plan the DirectAccess Infrastructure
http://technet.microsoft.com/en-us/library/jj574101.aspx
Hope this helps.
Steven Lee
TechNet Community Support

IBM cognos TM1 Executive viewer is not working on direct Access

Hi,
We are implementing DirectAccess in our environment and testing applications in test lab. It has been observed that executive viewer is not working on Direct Access but working fine over VPN mobile checkpoint. When DA client click on open view button it
gives error
" Additional information:
Unable to connect to server XYZ.com using TCP-IP port 7112. Please make sure that IBM cognos TM1 executive viewer server is started and the port is not blocked by any proxy server or firewall"
but from client telnet is working on port 7112. All ports between DA server and application server are open 3389,7112 and 80.
Also select database option is grayed out and user is unable to select the database. When switching to VPN its working fine.
We are using Executive viewer 9.4.
Any help would be appreciated.

It sounds like this program may not be capable of talking over IPv6, which DirectAccess uses. First make sure that when you connect it is trying to talk to a hostname and not an IPv4 address. If your program is calling for "192.168.1.100" - this is never
going to work over DirectAccess. It must call for a name that DirectAccess can resolve to an IPv6 address for communication over DA.
If you confirm it is talking to a name, and then if you confirm that you can do other things to that same name (can you RDP into the server for example?), then that confirms that DirectAccess traffic flow is working to that name/server.
If RDP works but the application still doesn't work, then the application is probably incapable of IPv6. You can either ask IBM if they have a newer version that does talk IPv6, otherwise I have a utility available that can intercept packets from these kinds
of problematic applications and flip the packets into IPv6 on the DA client. Let me know if you need any further information on that: http://www.ivonetworks.com/news/2013/05/ivo-networks-announces-app46-for-directaccess/

How do I go directly from one frame to another particular frame which is far away in the time line? (e.g the two frames are separated by 100 frames)

How do I go directly from one frame to another particular frame which is far away in the time line? (e.g the two frames are separated by 100 frames). I mean, is it possible to take the playhead from one frame to another frame directly which is 100 frames away in the time line? Thanks for any reply.

In the Timeline, go to the first frame and press M to put a marker on it. Go to the other frame you want to jump to and put a marker on that one too.
Now press Ctrl+Semicolon to go to the previous marker - or Ctrl+Comma to go to the next marker.
Andy

How so i get direct Access to the Music/pics stored on NAS

How so i get direct Access to the Music/pics stored on a Buffalo Link Station Live with my iPad without using a App? The NAS is conected with a Router. Privatfreigabe (dont know the english Word) is ok. The iTunes Server on NAS is activated. Nö Problem to get Access from iTunes on PCs.
I just want to use the preinstalled Musik/Photo App to Listen/watch my Music/pics stored on the NAS without losging them on the iPad. Streaming is what i think of.

Have a look at FileBrowser.
https://itunes.apple.com/sg/app/filebrowser-access-files-on/id364738545?mt=8

How to directly access a SELECTED row in a table using MasterColumn

I'm using a table with MasterColumn (TreeByNestingTableColumn) contains checkbox element.
In order to get the selected row I have to navigate the whole tree which is a very expensive when the tree is big.
I also tried without check box by just using MULTI ROW SELECTION property of the table but that didn't work.
Is there a way to directly access selected row like we do in the standrard table control?
Any help would be appretiated.
regards
Qamar

hi, Qamar
Just Check out the Following Link's
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/webdynpro/tutorial on creating a tree structure in a table - 27.htm
and also if u had not seen it before...............
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/webdynpro/tutorial on creating tables in web dynpro - 11_0_.htm
regard's
Dheerendra

Direct Access 2012 R2 - Problems with Force Tunneling and other questions

I have just setup a Direct Access 2012 R2 server in my network, 2012 domain and all Windows 8 clients.
Internal CA environment (no external CRL) using a public issued cert for IPHTTPS tunnel, 2 interfaces for the DA server, 1 internal and 1 in the DMZ behind a NAT firewall (1 public IPv4 address) and my test clients are connecting fine to internal resources.
1. When I enable Force Tunneling the clients no longer are able to access the external internet. Is there anything I need to add to make this work?
2. I am having trouble with our Remote Desktop Session Hosts. I can only assume it has something to do with the DNS as we have our AD domain performing internal DNS of the int.contoso.com domain and public DNS performing for the external
Contoso.com domain (RDWA etc). DA has only int.contoso.com set as a DNS Name Suffix in the Infrastructure Setup. Should I add the external contoso.com Name Suffix in there too?
3. I have a Kaspersky Security Center server for centralized AV admin, can I still push out AV updates to the clients that connect with DA. Do I add my KSC server to the Management Servers list in the Infrastructure Server Setup page on the DA
setup. Does that list allow those servers to access the DA clients?

Hi,
Let's solve problems one by one. Force tunneling. When enabled, all network trafic from DirectAccess clients goes throught IPSEC tunnels. Just configure a proxy on your DirectAccess clients (with a FQDN of course) and your clients should be able to surf
internet again.
RDS : Depend. Where are your RDS servers registred internal zone DNS or external DNS zone. If a DirectAccess client cannot resolve a name it does not know if it has to go throught the tunnel. At last can you ping your RDS Server?
Remote Management : Right. Adding servers in this list allow them to use the IPSEC infrastructure tunnel (computer established tunnel) without users being logged.
BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

Server 2012 Direct Access Single NIC cant get it to work

Hi,
I am having some real issues with setting up Direct Access with Server 2012 and a Windows 8 client, it simply won’t work at all.
First of all I should describe my setup:
I have an internet connection with a static IPv4 address on the external network adapter of the router
The internal network address (the address of the router which has the internet connection) is 192.168.1.1
Server1 (windows 2008 R2 Standard) has a static IPv4 address 192.168.1.2 and has some ports forwarded from the router (443, 25, 80) this server is a domain controller, email server, and has the DNS, DHCP and
certificate services
Server 2 (Windows 2008 R2 standard) has static IPv4 address 192.168.1.3 it has no ports forwarded from the router as it has no services accessed externally, it is used as a file server and print server, backup
domain controller and backup DNS.
Server 3 (Windows 2012) has static IPv4 address 192.168.1.4 and has the Remote Access server role installed along with all the other default features and roles it requires in the setup process.
These servers have all got an IPv6 address which I assume the server has configured automatically, there has been no deliberate configurations made to disable IPv6
I have no UAG or proxy server or anything else to route packets to internal servers. Just this router which has the option for port forwarding (I assume that’s NAT isn’t it?) sorry don’t know much about that
area.
I go through the setup wizard in remote access to configure direct access, in the external URL I have entered da.mydomain.com and created a host A record in my external domain name providers DNS which points
the da record to my external IP address. The wizard creates all the GPO’s, scoped correctly, and applied to a Windows 8 client. The operational status shows its all working and I got green ticks. However, when I connect the client to the internal network it
doesn’t seem to have correctly got the DA settings. I run the following in powershell
Get-DnsClientNrptPolicy
Nothing displays – at all
Get-NCSIPolicyConfiguration
Description
: NCSI Configuration
CorporateDNSProbeHostAddress
: fdd8:dd4a:ea42:7777::7f00:1
CorporateDNSProbeHostName
: directaccess-corpConnectivityHost.mydomain.local
CorporateSitePrefixList
: {fdd8:dd4a:ea42:1::/64, fdd8:dd4a:ea42:7777::/96, fdd8:dd4a:ea42:1000::1/128,
fdd8:dd4a:ea42:1000::2/128}
CorporateWebsiteProbeURL
: http://directaccess-WebProbeHost.mydomain.local
DomainLocationDeterminationURL : https://DirectAccess-NLS.mydomain.local:62000/insideoutside
Get-DAConnectionStatus
Get-DAConnectionStatus : Network Connectivity Assistant service is stopped or not responding.
At line:1 char:1
+ Get-DAConnectionStatus
+ ~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo
: NotSpecified: (MSFT_DAConnectionStatus:root/StandardCi...onnectionStatus) [Get-DAConnect
   ionStatus], CimException
+ FullyQualifiedErrorId : Windows System Error 1753,Get-DAConnectionStatus
I go into services.msc and find that the network connectivity assistant is not started, it wont start either something must trigger it but I have no idea how to get it triggered to start… this might be my only
source of problem perhaps but on a more network level question:
If I have such ports as 80, and 443 (which I assume DA uses in some form with a public IPv4 internet address) directed at server 1, how does the DA connection get to server 3 which has the DA role installed?
I could create another record on the server which also opens port 443 to server as well as for server 1, but then how would the router know which server to pass the DA connection to if the same port is open for two different servers?
Either way, this first issue is that the client doesn’t seem to have the ability to connect internally correctly yet, so maybe this connectivity service is a good place to start? My understanding is that the
networks icon in the system tray should show that there is a corporate connection, but it doesn’t. also, the client seems to have the NLS certificate in the computer certificate store, so the cert side of things is working and the GPO side is working.
Many thanks
Steve

ahh i see, so just to enlighten me even further...
If a company has two web servers that would mean they would need two different public facing IP addresses so they can route to each internal web server. If, like the big companies have, they
may have many web servers (possibly more than 100) I’m assuming that simply buying more public IP addresses would have a limit, especially since the IPv4 address space is pretty much exhausted. So is this where proxy systems come into play like ISA and Forefront,
is this what they do?
I assume if such a product was implemented you could go down to just one or two public IP addresses, point all traffic to the ISA server and that in turn would do all the routing of packets
to each server behind the NAT/router (probably based on some sort of domain name or sub domain namespace as it’s parameter for forwarding?)
Secondly, what I have done is installed windows server 2012 and used that as a direct access client (I read on another forum that the windows 8 RP doesn’t have the enterprise bits to make this
work). I have got much further with the 2012 server acting as a client (installed on laptop, installed desktop experience and wireless LAN),
but when I run the following command on my DA client I get the following status
Get-DAConnectionStatus
Status:
connectedlocally
Substatus:
none
This appears to work fine, when im connected to the local network. But then I disconnect and run the command again and I get the following:
Status:
Error
Substatus:
NameResolutionFailure
On my router what I did is temporarily disable port 443 going to my original server and instead opened it up pointing to my other server, so 443 traffic should be going to my DA server now, but I don’t understand why its giving the name resolution failure
status. I have a host A record called “da” with my domain hoster, and entered the full domain namespace in the DA wizard as da.mydomain.com (the Host A record has been up there for more than a week so it’s propagated through the net)
So, a bit further but stuck again.

Direct Access Migration of Root CA

We have a Domain Controller "DC01" which has the Enterprise Certificate Services role installed and the CA on this Domain Controller is named "DC01"
The CDP location on the CA "DC01" is <servername> so effectively it's LDAP://DC01 (only LDAP is published on the certificates, no http etc.)
The CA "DC01" issues the version1 "Computer" certificates with AutoEnrollment to all clients and all our internal clients and external clients have a "Computer" certificate from CA "DC01"
Now we have an UAG SP3 server with Direct Access and all our clients connect successfull with Direct Access as it's setup now
In the UAG configuration (wizard) on the IPsec Certificate Authentication screen on the option "Use a certificate from a trusted root CA" the "DC01" Root CA certificate is selected
As Microsoft best-practises we want to move the Enterprise Certificate Services to a new member server "CS01" and effectively create a new Root CA "CS01"
As we use the version1 "Computer" certificate template we cannot select "reenroll all certificate holders"
so idea is to duplicate the "Computer" certificate template as a v2 template that supersedes the version1 computer template, this effectively replaces all current Computer certificates based on the old v1 computer template on clients.
Then all clients get a new "Computer" certificate from the new Root CA but in the UAG Direct Access configuration the "IPsec Certificate Authentication" "Use a certificate from a trusted root CA" the old "DC01" Root CA
certificate is still selected
Question1; will this lock out clients that have a new Computer certificate from the new Root CA but the UAG Direct Access configuration still use the Root CA certificate from the old DC01 CA?
Another idea is NOT to supersede the the version1 Computer certificate but AutoEnroll the new v2 duplicated Computer template.
This means that clients will have a Computer certificate from the old CA "DC01" but also a Computer certificate from the new CA "CS1"
Question2; can a client have 2 computer certificates (1 from old DC01 ca and 1 from new CS01 ca) and connect Direct Access and will this still work?

Yes, the clients will still connect with two different certificates. I haven't had your exact situation before, but I have had to deal with a CA server that died, and we had to replace it with a new one. We stood up a new CA, issued "Computer"
certificates again from the new CA (the old certs still existed on all the client computers) - and then switched the UAG settings over to the new root CA. This worked.
I do recommend deleting the old certificates from the client computers if possible, so that there is no potential for conflict down the road, but the above scenario worked fine for us and I have also worked with numerous companies that have multiple machine-type
certificates on their client computers and as long as they have one which meets the DA criteria and chains up to the CA that is active in the UAG config, it'll build tunnels.

Network Positioning of a Windows Server 2012 R2 Direct Access & VPN Server

Reposted moved from Windows Server Forums- Security
Hi
I'm in the process of creating a new active directory forest with a single domain using AD.Contoso.com to use the Microsoft example. The reason I have decided on AD.XXXXXXXXX.com is to get way from using split horizon (Split Brain) DNS. The requirements
for our new domain are :-
2012 R2 AD
Direct Access & VPN
Exchange 2013 OWA, Active Sync Outlook Anywhere (Possibly a Hybrid Config where we have on premises mailboxes and some exchange online mailboxes Office 365 etc)
Lync 2013 ?
SharePoint 2013 ?
Microsoft Active Directory Certificate Services
System Center Configuration Manager 2012 R2
Two way trusts between old forest and new to enable Transition/Migration
Ok so that's what I'm aiming for so now the question.
They are allowing me to purchase a next Generation Firewall may be a Barracuda NG firewall or a Cisco ASA X series so I need some advice on what type of network topology I should configure. I've read that using the two NIC configuration for
the 2012 R2 Direct Access Server is preferable, one nic on the internal network one on the perimeter. The problem I have with this is that it bridges the internal network and the perimeter bypassing the backend Firewall see image
The other alternative is to dispense with the perimeter network use the Direct Access server with a single NIC and setup the NG Firewall in a three-legged config with the DA server on the DMZ.
So all you security experts out there what would be your design for this simple domain? we don't need any HA or Load Balancing.
Thanks
Simon

Ok I'm not sure we are going to get any advice on this subject but one last effort. Our budget can only stretch to one next generation firewall so I'm considering the following three legged firewall design with a two NIC 2012 R2 Direct
Access server. If someone could validate this configuration or suggest an alternative then I would be grateful.

Auto deploying branch office printers with Direct Access

Hello there
I am implementing my first Direct Access topology and have a question. We will have branch offices with workstations deployed using Direct Access for administrative purposes. We have staff moving around from branch to branch with the goal to
make logging on to the network and accessing resources for users as automated as possible. One of the questions I have regards auto configuring branch printers for users using Group Policy. The branch offices have workstations, printers and NAT modem/routers
with DHCP - but no servers.
If we have a stand alone network printer, how do we list that printer in Active Directory allowing the user to auto-configure it using group policy? If we install it on a server at Head Office, would the print job travel there first and then back to
the branch? Obviously this is not ideal. Or can it be directed straight to the printer using a script or something?
Alternatively we can install and share it on a branch workstation and list it in the directory, but would this not be same the problem as above? This is not ideal either as it would depend on the workstation being always on and available.
Any input Direct Access gurus?
Thanks in advance
MIS5000

Hi,
Thanks for your post.
We could have 2 possible solutions for natively deploy printers using Group Policy without the need for any scripting:
1) Group Policy Preferences – available in Windows Server 2008 and later
2) Print Management – available in Windows Server 2003 R2 and later
http://blog.powershell.no/2009/11/08/deploying-printers-using-group-policy/
Did you try to use the Print Management? You can share printers on a network and centralize print server and network printer management tasks using the Print Management Microsoft Management Console (MMC) snap-in. Print Management helps you to monitor print
queues and receive notifications when print queues stop processing print jobs. It also enables you to migrate print servers and deploy printer connections using Group Policy.
https://technet.microsoft.com/en-us/library/cc731857.aspx
Meanwhile, if you have any Direct Access related issue, I think you may ask in network forums:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverNIS
Regards.
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

Configuration of Direct Access 2012

Good morning.
I have tried to set up Direct Access from what I see is pretty much a 30-40 minute job, but has turned out to be something of a pain. Having followed the video on youtube for Windows Server 2012 with Basic PKI configuration and Windows 7 clients. I
have set up a working DA server with no issues and all green ticks.
Here's a run down.
I have a DC (2012) with the CA already installed.
I have a virtual DA (2012) set up with the advanced settings.
I have a a TMG 2010 server as the firewall with a Non-Web Publishing rule designed to forward HTTPS requests to the DA on the internal network.
The set up went as planned and I followed the instruction to set up the PKI and all computers have picked up a computer Certificate for the CA so that the internal root is validated.
The Certificates that I chose for the DA server were as follows;
DirectAccess-NLS.mydomain.local
remote.my-external-domain-name.co.uk
both published from my internal CA so that the root of the certificates were valid.
I have a Third party wildcard cert ( *.my-external-domain-name.co.uk ) for TMG to allow other connection such as VPN and web access.
DA Config:
Step 1: Remote Clients
I set up the DA server as per the video, set the DirectAccessClient group, and in the
Network Connectivity Assistant The resource was filled in with the
http://diectaccess-WebProbeHost URL.
Step 2: Remote Access Server
The Network Topology was set to Behind an edge device (with single network adapter), and then is says to type in the 'PUBLIC NAME' used by clients to connect to the Remove Access Server. Here I typed in the external DNS
name remote.my-external-domain-name.co.uk.
Network Adapters had the one ethernet and an IPv6 address. The
Select Certificate sued to authenticate IP-HTTPS connections has the CN=remote.my-external-domain-name.co.uk.
Authentication is set to AD and I used the root certificate of the CA for
use computer certificates. I also Enabled windows 7 client computers to connect via DirectAccess.
Step 3: Infrastructure Servers
Network Location Sevrer had the NLS is deployed on this server with the
DirectAccess-NLS cert.
DNS had the internal domain and the DirectAccess-NLS. the Internal domain was pointing to the IPv4 address of the DA. I read that I need to put the external name suffix of remote.my-external-domain-name.co.uk entry in and pointed that
to the internal DA IPv4 address also.
DNS Suffix List was set automatically and I also added my external domain name just in case.
Managerment was straight forward and I pointed to our System Centre 2012 R2 server.
Upon clicking finish and applying the GPO policies everything went according to plan. All green ticks. I did a GPupdate on the client I was testing and the GPO policies came through.
Now the issue I have is that on the internal network I get the Last Error 0x80190190 unable to connect to server. Now I am sure that this should say active as it is inside the network. I get the same error out side. When I check the DA server for
netsh int https sh int it returns the value that client authentication = NONE. I set it up to use computer certificates and even is I uncheck that it does not change.
It there a straight forward thing I missed or is it to do with publishing in TMG. Internally the direct access client will not connect as it will find the NLS in the internal DNS as I have the host record for both the server FQDN and the DirectAccess-NLS
potining to the IPv4 address. I also have the external remote.my-external-domain-name.co.uk entry in the internal DNS to point to the internal IPv4.
I have opened the ports for 443, 62000 on the DA for the IIS inbound and outbound.
I have a windows 8 client but need to test it as Windows 8 is supposed to work just like that.
What am I doing wrong here?? Any ideas would be much appreciated.

Thank you for this Jordan.
I have now got it working. The next step is to make sure my applications are all using Names rather than IP addresses.
I have basically setup the system as per my original thread that follows, NOT in BOLD.
I have tried to set up Direct Access from what I see is pretty much a 30-40 minute job, but has turned out to be something of a pain. Having followed the video on youtube for Windows Server 2012 with Basic PKI configuration and Windows 7 clients. I have
set up a working DA server with no issues and all green ticks.
Here's a run down.
I have a DC (2012) with the CA already installed.
I have a virtual DA (2012) set up with the advanced settings.
I have a a TMG 2010 server as the firewall with a Non-Web Publishing rule designed to forward HTTPS requests to the DA on the internal network.
The set up went as planned and I followed the instruction to set up the PKI and all computers have picked up a computer Certificate for the CA so that the internal root is validated.
The Certificates that I chose for the DA server were as follows;
DirectAccess-NLS.mydomain.local
remote.my-external-domain-name.co.uk
both published from my internal CA so that the root of the certificates were valid.
I have a Third party wildcard cert ( *.my-external-domain-name.co.uk ) for TMG to allow other connection such as VPN and web access.
DA Config:
Step
1: Remote Clients
I set up the DA server as per the video, set the DirectAccessClient group, and in the Network Connectivity Assistant The resource was
filled in with the http://diectaccess-WebProbeHost URL.
Step
2: Remote Access Server
The Network Topology was set to Behind
an edge device (with single network adapter), and then is says to type in the 'PUBLIC NAME' used by clients to connect to the Remove Access Server. Here I typed in the external DNS name remote.my-external-domain-name.co.uk.
Network Adapters had the one ethernet and an IPv6 address. The Select
Certificate sued to authenticate IP-HTTPS connections has the CN=remote.my-external-domain-name.co.uk.
Authentication is set to AD and I used the root certificate of the CA for use
computer certificates. I also Enabled windows 7 client computers to connect via DirectAccess.
Step
3: Infrastructure Servers
Network Location Sevrer had the NLS
is deployed on this server with the DirectAccess-NLS cert.
DNS had the internal domain and the DirectAccess-NLS. the Internal domain was pointing to the IPv4 address of the DA. I read that I need
to put the external name suffix of remote.my-external-domain-name.co.uk entry in and pointed that to the internal DA IPv4 address also.
DNS Suffix List was set automatically and I also added my external domain name just in case.
Managerment was straight forward and I pointed to our System Centre 2012 R2 server.
Upon clicking finish and applying the GPO policies everything went according to plan. All green ticks. I did a GPupdate on the client I was testing and the GPO policies came through.
I have set up TMG as per the isa.org forum
http://www.isaserver.org/articles-tutorials/general/implementing-windows-server-2012-directaccess-behind-forefront-tmg-part2.html .
@ Jordan - I ensured that I had a separate external IP address for the requests from the clients to TMG as I publish websites internally.
I used a third party wildcard cert for the IP-HTTPS connect part in DA Config Step 2.
All the rest of the DA set up was pretty much out of the box as stated above.

Direct Access To Frame Buffer

Similar Messages

Maybe you are looking for