DirectAccess 2012 - Writeable DC Required?

Hi Everyone,
I am looking to deploy DirectAccess 2012 Server into our DMZ environment and currently working through a Lab install.
In our Lab we are seeing the prerequisite checks fail when we use a read-only domain controller, but when we switch it for a writeable DC it proceeds without issue. Is this expected behaviour?
Thanks in advance.

Yes, I believe that experience is by design.
"The server GPO is managed by one of the domain controllers in the Active Directory site associated with the server, or if domain controllers in that site are read-only, by a write-enabled domain controller closest to the Remote Access server."
Source:
http://technet.microsoft.com/en-us/library/jj134148.aspx#bkmk_1_6_AD
Jason Jones |
Microsoft MVP | Silversands Ltd | My Blogs:
http://blog.msedge.org.uk and
http://blog.msfirewall.org.uk
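A pre-flight check for the situation described in this thread, added here as an example (it is not from any poster and not a Microsoft tool): it finds the site the prospective Remote Access server sits in, lists the DCs there with their RODC status, and, where none is writeable, mirrors the documented fallback by locating the closest writeable DC. It assumes the ActiveDirectory RSAT module is installed on the machine it runs on.

```powershell
# Added example (not from the thread): run on the prospective Remote Access server.
# Requires the ActiveDirectory module (RSAT) and an account allowed to read DC objects.
Import-Module ActiveDirectory

function Test-DaWritableDc {
    # Site of this machine, resolved the same way the DC locator does it (IP -> subnet -> site).
    $site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name

    # Every DC in the domain with the two properties that matter here: site membership and RODC status.
    $allDcs = Get-ADDomainController -Filter * | Select-Object Name, Site, IsReadOnly, IPv4Address

    $siteDcs  = @($allDcs | Where-Object { $_.Site -eq $site })
    $writable = @($siteDcs | Where-Object { -not $_.IsReadOnly })

    if ($writable.Count -gt 0) {
        # A writeable DC in-site: the Remote Access wizard can manage the server GPO from here.
        $target = $writable[0]
        $reason = "writeable DC present in site '$site'"
    } else {
        # Only RODCs (or no DC) in-site: the quoted TechNet text says a write-enabled DC in the
        # closest site is used instead, so ask the locator for exactly that.
        $target = Get-ADDomainController -Discover -Writable -SiteName $site -NextClosestSite |
                  Select-Object Name, Site
        $reason = "no writeable DC in site '$site'; the closest writeable DC in another site is used"
    }

    [pscustomobject]@{
        ComputerSite      = $site
        DcsInSite         = ($siteDcs | ForEach-Object {
                                "$($_.Name)$(if ($_.IsReadOnly) { ' (RODC)' })"
                            }) -join ', '
        GpoManagementDc   = $target.Name
        GpoManagementSite = $target.Site
        Reason            = $reason
    }
}

Test-DaWritableDc | Format-List
```

If DcsInSite shows only "(RODC)" entries, expect the prerequisite check behaviour the original poster saw; the GpoManagementDc value is the writeable DC that the wizard must be able to reach from the DMZ.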

Similar Messages

  • DirectAccess 2012 - Best way to deploy between two firewalls (NAT'd)

    We are deploying DirectAccess 2012 and have a requirement that traffic from the internet (red) must be proxied through the DMZ (yellow) before touching anything on the internal network (green). I will initially only be configuring it to use IP-HTTPS (no Teredo). We have two firewalls, one on the perimeter (FW1), and one between the DMZ and internal networks (FW2).
    I'm trying to determine the best way of deploying this in our environment. I've come up with two possibilities:
    1. Deploy with two network cards, each connected to separate DMZs. In this scenario, NIC 1 would contain the internet-facing IP in DMZ 1 (say 10.10.10.2 and NAT'd by FW1), and NIC 2 would contain an internal-facing IP on DMZ 2 (say 10.10.11.2). NIC 2 would be routable to the internal subnets via the internal firewall.
    Crude diagram:    Internet -> FW1 -> 10.10.10.2---DA---10.10.11.2 -> FW2 -> Internal network
    2. Deploy with one network card in the DMZ. This would be NAT'd by FW1, and then pass traffic through to FW2. Since I'd be allowing all TCP/UDP traffic (as per MS) through FW2 to the primary network, this method seems unsafe to me.
    Crude diagram:   Internet -> FW1 -> 10.10.10.2---DA -> FW2 -> Internal network
    What is the best and most secure way to deploy this in the DMZ? I do not want to put an internal network IP directly on the DirectAccess server, as it needs to go through FW2 before reaching internal. The DA server should be isolated in the DMZ.
    Advice is appreciated.

    Hi,
    The first solution is better. The DA server is under the protection of FW1, and the DA server already offers certain security itself, such as the requirement of a computer certificate, domain membership (which means domain authentication) and so on.
    Here is a related thread:
    DirectAccess 2012 + Security concerns
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/2e394a72-d263-449f-9ec2-02701aa8cb96/directaccess-2012-security-concerns?forum=winserver8gen
    Hope this helps.
    Steven Lee
    TechNet Community Support

  • Add DirectAccess 2012 R2 to DirectAccess 2012 Cluster

    Does anyone know if it is supported or possible to add DirectAccess 2012 R2 to an existing DirectAccess 2012 cluster?
    Hoping to use this approach to upgrade and to DirectAccess 2012 R2 without creating a new cluster and configuration.
    Thanks

    I've never tried it, but I don't know of any reason why it wouldn't work. Server 2012 and above handle NLB/clustering quite a bit differently than UAG did, where the nodes are really more individualized and there's not a "master/member" mentality anymore. So when you add the new 2012 R2, if you experience problems with it or notice that no user sessions are flowing to it, you can simply remove it from the array again, and then you'll know for sure. :)
    If I had an environment online right now where I could test this for you I would, but I would give it a try if you have the server ready to go. Just make sure that you install the Remote Access Role, and also the NLB feature, to your new server before you try adding it to the array. You'll also need to have IP addressing and certificates in place on this new node before you will be able to join it successfully to the array.

  • Security/Firewall recommendations for DirectAccess 2012 (Dual-NIC Edge Configuration)

    Hello all,
    We have installed and configured DirectAccess 2012 with the Edge Configuration with the thought that we would be able to install TMG directly on this server (as we did with the original 2008 DirectAccess/UAG). It appears that we cannot install TMG on Server 2012 R2, so now we have a server directly connected to the outside world with public IPs assigned to it and no firewall other than Windows Firewall. I know that most organizations choose to configure DirectAccess behind an Edge device (hindsight being perfect, we should have as well); however we did not, and it appears that we can't easily change this without completely reconfiguring DirectAccess (which took several days to get it right).
    So my question: What are the security/firewall recommendations for a DirectAccess server in an Edge scenario? I've Googled this and have not found much. Thanks in advance,
    Brad

    It's always good to have a firewall in front of a domain-joined machine, and of course the DA server is not an exception.
    Server 2012 can work behind a firewall with NAT functionality enabled or disabled.
    If you have a fully functional DA with the Edge profile enabled, you can still configure any firewall (without NATing functionality) without changing the configuration settings in DA.
    Also you can have TMG protecting your existing DA setup. Below is the link for it.
    http://www.isaserver.org/articles-tutorials/general/implementing-windows-server-2012-directaccess-behind-forefront-tmg-part1.html
    Please let me know how it goes.

  • DirectAccess 2012 behind two NATs

    Hi Guys
    I am trying to set up a DirectAccess 2012 server with a single NIC on a VM as below.
    Basically, if I get a public IP NAT'd with port 443 via the main firewall to a private IP (10.20.1.1/16), and then if I get this private IP again NAT'd via another firewall with port 443 to the DirectAccess server IP (192.168.2.2/18), will this setup work? I will have to do this due to the current network topology at our business.
    Thank you in advance.

    Hi,
    It is supported. In Windows Server 2012, the DirectAccess server can be deployed behind a NAT device with support for only a single network interface, and this removes the public IPv4 address prerequisite.
    For detailed information, please refer to the link below,
    Windows Server 2012 Direct Access – Part 1 What’s New
    http://blogs.technet.com/b/meamcs/archive/2012/05/03/windows-server-2012-direct-access-part-1-what-s-new.aspx
    Best Regards.
    Steven Lee
    TechNet Community Support

  • Updates and Hotfixes for DirectAccess 2012 R2 and Windows 8.1

    Those of you who use DirectAccess are probably familiar with the following link:
    Recommended hotfixes and updates for Windows Server 2012 DirectAccess
    As far as I know, and according to TechNet, DirectAccess hasn't changed a bit from 2012 to 2012 R2 servers.
    I use DirectAccess on Windows Server 2012 R2 and I'm surprised to see that there is not a single update from that list that is applicable to Server 2012 R2.
    If it's true, shouldn't there be documentation that talks about the differences of the DirectAccess client/server from 2012\8 to 2012 R2\8.1?
    I'm asking because I want to make sure those updates are already included or not needed for 2012 R2\8.1 and not "forgotten" or something.
    Tamir Levy

    I was afraid that you'd say that.
    I hate to be the annoying guy, but take a look at this KB article:
    http://support.microsoft.com/kb/2787534
    Applies to: Windows 8\2012
    Doesn't apply to: Windows 8.1\2012 R2
    And, for a fact, it isn't included in Windows 8.1\2012 R2, as this bug still exists in those operating systems.
    Another annoying fact: no other update has been released for these versions yet.
    This example proves that not every hotfix/update that was released for 8\2012 before 8.1\2012 R2 is already included in 8.1\2012 R2.
    And allow me to add another fact.
    When you configure DirectAccess via the Remote Access wizard it creates a WMI query called
    DirectAccess - Laptop Only WMI Filter.
    After you create it in Windows Server 2012 R2, look at the WMI query and you'll see that by default it doesn't apply to version 6.3, the version for Windows 8.1.
    If you want to add support for Windows 8.1 you have to modify the query manually, which is of course not supported by Microsoft.
    That is just another symptom that makes me wonder if Microsoft did ANY change or update to DirectAccess 2012 R2.
    Tamir Levy

  • SCOM 2012 R2 Hardware Requirements

    Hi,
    I am trying to work out what specification machines to use for a deployment of SCOM 2012 R2. I have searched on this forum, online generally and used the sizing guide, but it's all a bit vague. The sizing guide spat out the result below but as you can see it makes no mention of CPU speeds or server HDD space apart from the DW server which says 300GB. The sizing wizard also spat out 14.43GB for the Ops DB and 427.45GB for the DW DB based on managing 600 servers, no network devices or applications.
    Minimum Hardware Recommendation:
    Role: (Total: 2) (1) management server managing up to 1000 agents, plus (1) management server for HA, managing up to 10 SDK users total
    Hardware:
    • 4 disk RAID 10
    • 16 GB RAM
    • 4 Cores
    Role: Operations Database Server
    Hardware:
    • 6 disk RAID 10 (Data)
    • 2 disk RAID 1 (Log)
    • 16 GB RAM
    • 4 Cores
    Role: Operations Data Warehouse Server
    Hardware:
    • 12 disk RAID 10 (Data) (300 GB)
    • 2 disk RAID 1 (Log)
    • 16 GB RAM
    • 4 Cores
    Role: Web Console Server & SQL Server Reporting Services Server
    Hardware:
    • 2 disk RAID 1
    • 8 GB RAM
    • 4 Cores
    I have also seen in the documentation that the management servers only require 1024MB of free space on the System Drive, that seems a bit overkill to have that spread across 4 disks at RAID 10. With regards to the DW disk requirements does it really need 300GB on 12 disk RAID 10 plus the 427.45GB for the Data Warehouse?
    If someone could possibly clear this up I would be extremely grateful.
    S

    Your 4-core CPU has met the requirement. SCOM does not use much CPU resource.
    Juke Chou
    TechNet Community Support

  • NAP on 2008 R2 with DirectAccess 2012 RC

    I'm running IPsec NAP on two identically configured Windows 2008 R2 servers that are also standalone CAs for NAP.
    I'm in the testing phases of a Windows 2012 RC DirectAccess server that is behind a NAT. Certificates from our domain CA (not the standalone ones for NAP) are used so Win7 clients can also connect. When the computer establishes a DirectAccess connection it's unable to connect to any resources that are part of NAP (only non-NAP resources, exceptions are available). napstat reveals that the client is healthy (it also has the health certificate).
    Here's how the Connection Security Rules look on a client:
    The first four were automatically generated by the DirectAccess server, the other four are for NAP purposes (before a DA test server was introduced).
    It appears these settings don't coexist all that well. If I go to my DA server and click "Enforce corporate compliance for DirectAccess with NAP" I have even less connectivity (unable to reach the DA server from clients in DA...).
    What am I doing wrong? Are additional logs or information needed to better assist me?

    Hi,
    Thanks for your post.
    You may check the following article to troubleshoot this issue. Hope it helps.
    The Cable Guy: DirectAccess with Network Access Protection (NAP)
    http://technet.microsoft.com/en-us/magazine/ff758668.aspx
    DirectAccess with NAP Troubleshooting Guidance
    http://technet.microsoft.com/en-US/library/ff621421(v=ws.10).aspx
    DirectAccess with NAP Architecture Overview
    http://technet.microsoft.com/en-us/library/ff528481(v=ws.10).aspx
    Best Regards,
    Aiden
    Aiden Cao
    TechNet Community Support

  • DirectAccess 2012 has wrong DNS servers listed

    Hello,
    I'm setting up DirectAccess on Server 2012 and having issues with the wrong DNS servers continually added to the configuration. My setup is as follows: 2 Server 2008 R2 DCs running DNS, both have static IPv4 and IPv6 addresses. The DirectAccess server has a single NIC behind a NAT device and also has static IPv4 and IPv6 addresses. My problem is that I keep getting a "DNS: Not working properly" error on the dashboard. It says:
    Error:
    Enterprise DNS servers (fd7e:ed10:5cb6:7777::ac10:a22, fd7e:ed10:5cb6:7777::ac10:a21) used by DirectAccess clients for name resolution are not responding. This might affect DirectAccess client connectivity to corporate resources.
    The thing is these are not, nor ever have been, the IP addresses of my DC/DNS servers. I've removed them by using the configuration editor but with each restart of the server they reappear. I examined the DirectAccess Server Settings GPO and they are listed in the Extra Registry Settings section but I am unable to edit that portion. I've read other threads on this forum that state I need to add the IPv6 address of the DA server as the DNS server but I still get DNS errors when I do that and after a restart the same two DNS servers show up again.
    Anyone have any ideas? Your assistance is greatly appreciated.

    Hi,
    Thanks for your reply and sorry for replying so late.
    Did you point the DNS server address to the IP address of the internal NIC? Maybe you can refer to the similar thread below:
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/df08fa06-d3fc-4ca9-b4a2-85824a10819a/direct-access-server-dns-error?forum=winserver8setup
    Best regards,
    Susie

  • DirectAccess 2012 force tunneling

    Hi,
    I have a Windows Server 2012 DirectAccess implementation where I want to enable force tunneling so clients using DirectAccess from the Internet will force all traffic to the DA server.
    When I select “use force tunneling” in the DA wizard and save the configuration, my DA-enabled clients lose network connectivity when they are placed on my internal network.
    In the DA wizard I see the help text “DirectAccess clients connected to the internal network and to the Internet via Remote Access server” below the “use force tunneling” option.
    Can it be true that force tunneling applies to all DA clients regardless of whether they are placed internally or on the Internet?
    If that is true it will generate a lot of traffic on the DA server if force tunneling is enabled.
    Thomas Forsmark Soerensen

    I'm having the exact same issue:
    When in the internal network there is still an entry in the NRPT: the one for "."
    DNS Effective Name Resolution Policy Table Settings
    Settings for .
    Certification authority :
    DNSSEC (Validation) : disabled
    IPsec settings : disabled
    DirectAccess (DNS Servers) : fd17:dc02:d12b:3333::1
    DirectAccess (Proxy Settings) : Bypass proxy
    My setup is the following:
    One NIC behind a FW/reverse proxy (squid), force tunneling activated, Windows 7 clients (PKI deployed), NAP (NPS/HRA deployed and working).
    I tried some tips on DNS resolution:
    - enable "Allow DA clients to use local name resolution"
    - use the least restrictive local name resolution option, "use local name resolution for any kind of DNS resolution error" (but I tried others)
    In the configuration there is:
    - "." and the DA DNS server prefix:3333::1
    - public URL of my DA and no DNS server
    - DirectAccess-NLS.internaldomain, no DNS server
    In netsh dnsclient show state this is also strange:
    C:\Users\administrator>netsh dnsclient show state
    Name Resolution Policy Table Options
    Query Failure Behavior : Always fall back to LLMNR and NetBIOS for any kinds of errors
    Query Resolution Behavior : Resolve only IPv6 addresses for names
    Network Location Behavior : Let Network ID determine when Direct Access settings are to be used
    Machine Location : Inside corporate network
    Direct Access Settings : Configured and Enabled
    DNSSEC Settings : Not Configured
    It says it is inside the corporate network but Direct Access settings are "Configured and Enabled".
    Do you have any ideas?

  • DirectAccess 2012 not able to connect

    I've got a Direct Access 2012 instance running and clients are unable to connect. I'm really not sure why. I've got all green check marks in the Operations Status page.
    I've uploaded the DCA results
    https://onedrive.live.com/redir?resid=270A675D98E09864!109&authkey=!ACNgL-_6rvNy5Co&ithint=file%2ccab
    https://onedrive.live.com/redir?resid=270A675D98E09864!110&authkey=!AFUtqtOirbg3UxI&ithint=file%2ctxt

    John,
    Thanks for your reply.  Where do you see one IP configured?  I have two configured on the external facing NIC.
    I followed the link you suggested and got this output:
    Microsoft Windows [Version 6.3.9600]
    (c) 2013 Microsoft Corporation. All rights reserved.
    C:\Users\richard>netsh dns show state
    Name Resolution Policy Table Options
    Query Failure Behavior                : Always fall back to LLMNR and NetBIOS if the name does not exist in DNS or if the DNS servers are unreachable when on a private network
    Query Resolution Behavior             : Resolve only IPv6 addresses for names
    Network Location Behavior             : Let Network ID determine when Direct Access settings are to be used
    Machine Location                      : Outside corporate network
    Direct Access Settings                : Configured and Enabled
    DNSSEC Settings                       : Not Configured
    C:\Users\richard>netsh namespace show effectivepolicy
    DNS Effective Name Resolution Policy Table Settings
    Settings for SDSIDA01.richardenterprises.net
    DirectAccess (Certification Authority)  :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (Proxy Settings)           : Use default browser settings
    Settings for .monitor.richardenterprisessystems.com
    DirectAccess (Certification Authority)  :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (DNS Servers)              : 2002:46a8:346c:3333::1
    DirectAccess (Proxy Settings)           : Bypass proxy
    Settings for .richardenterprisessystems.com
    DirectAccess (Certification Authority)  :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (DNS Servers)              : 2002:46a8:346c:3333::1
    DirectAccess (Proxy Settings)           : Bypass proxy
    Settings for .richardenterprises.net
    DirectAccess (Certification Authority)  :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (DNS Servers)              : 2002:46a8:346c:3333::1
    DirectAccess (Proxy Settings)           : Bypass proxy
    Settings for .qa.richardenterprisessystems.com
    DirectAccess (Certification Authority)  :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (DNS Servers)              : 2002:46a8:346c:3333::1
    DirectAccess (Proxy Settings)           : Bypass proxy
    Settings for .staging.richardenterprisessystems.com
    DirectAccess (Certification Authority)  :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (DNS Servers)              : 2002:46a8:346c:3333::1
    DirectAccess (Proxy Settings)           : Bypass proxy
    Settings for .dev.richardenterprisessystems.com
    DirectAccess (Certification Authority)  :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (DNS Servers)              : 2002:46a8:346c:3333::1
    DirectAccess (Proxy Settings)           : Bypass proxy
    C:\Users\richard>ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : richard-x240
       Primary Dns Suffix  . . . . . . . : richardenterprises.net
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : richardenterprises.net
                                           richardenterprisessystems.com
                                           monitor.richardenterprisessystems.com
                                           qa.richardenterprisessystems.com
                                           staging.richardenterprisessystems.com
                                           dev.richardenterprisessystems.com
    Wireless LAN adapter Local Area Connection* 13:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Hosted Network Virtual Adapter
       Physical Address. . . . . . . . . : EA-2A-EA-0C-E2-8E
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Wireless LAN adapter Local Area Connection* 12:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
       Physical Address. . . . . . . . . : E8-2A-EA-0C-E2-8F
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Ethernet adapter Bluetooth Network Connection:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
       Physical Address. . . . . . . . . : E8-2A-EA-0C-E2-92
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Wireless LAN adapter Wi-Fi:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 7260
       Physical Address. . . . . . . . . : E8-2A-EA-0C-E2-8E
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2600:1012:b127:be8e:fd9d:3679:f76d:187c(Preferred)
       Temporary IPv6 Address. . . . . . : 2600:1012:b127:be8e:7c0d:e512:7d90:c46d(Preferred)
       Link-local IPv6 Address . . . . . : fe80::fd9d:3679:f76d:187c%4(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.2(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Wednesday, July 30, 2014 9:19:11 AM
       Lease Expires . . . . . . . . . . : Thursday, July 31, 2014 9:19:11 AM
       Default Gateway . . . . . . . . . : fe80::215:ffff:fe8f:9ec2%4
                                           192.168.1.1
       DHCP Server . . . . . . . . . . . : 192.168.1.1
       DHCPv6 IAID . . . . . . . . . . . : 384314090
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-3B-27-B3-28-D2-44-8C-13-06
       DNS Servers . . . . . . . . . . . : 192.168.1.1
       Primary WINS Server . . . . . . . : 192.168.1.1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Ethernet adapter Ethernet:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : richardenterprises.net
       Description . . . . . . . . . . . : Intel(R) Ethernet Connection I218-LM
       Physical Address. . . . . . . . . : 28-D2-44-8C-13-06
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter isatap.{0A3ACF23-D6FD-47F6-91B8-E5E43DF81BAA}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2001:0:d10c:afc3:3401:ede1:b92e:2f98(Preferred)
       Link-local IPv6 Address . . . . . : fe80::3401:ede1:b92e:2f98%21(Preferred)
       Default Gateway . . . . . . . . . :
       DHCPv6 IAID . . . . . . . . . . . : 553648128
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-3B-27-B3-28-D2-44-8C-13-06
       NetBIOS over Tcpip. . . . . . . . : Disabled
    Tunnel adapter iphttpsinterface:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : iphttpsinterface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2002:46a8:346c:1000:bc7f:1f46:b190:e852(Preferred)
       Temporary IPv6 Address. . . . . . : 2002:46a8:346c:1000:4e3:9a37:3998:f4ac(Preferred)
       Link-local IPv6 Address . . . . . : fe80::bc7f:1f46:b190:e852%22(Preferred)
       Default Gateway . . . . . . . . . :
       DHCPv6 IAID . . . . . . . . . . . : 369098752
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-3B-27-B3-28-D2-44-8C-13-06
       NetBIOS over Tcpip. . . . . . . . : Disabled
    C:\Users\richard>nltest /dsgetdc:
    Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
    C:\Users\richard>
    Thanks
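A client-side check for the NRPT states quoted in this thread and in the force-tunneling thread above, added here as an example (it was not posted by anyone in these threads): it reads the same data the posters pasted (netsh dnsclient show state and the effective NRPT rules), flags a catch-all "." rule, flags DirectAccess rules that are still effective while the machine reports it is inside the corporate network, and decodes the IPv4 host embedded in 6to4 (2002::/16) and DirectAccess NAT64 (prefix:7777::/96) addresses so an unfamiliar IPv6 DNS entry can be traced to a real host. It assumes a Windows 8/8.1 DirectAccess client with the in-box DnsClient module, run from an elevated prompt.

```powershell
# Added example; not posted by anyone in these threads. Assumes a Windows 8/8.1 DA client.

function ConvertFrom-EmbeddedIPv4 {
    # Decode the IPv4 address embedded in a 6to4 address (2002:WWXX:YYZZ::/48) or in a
    # DirectAccess NAT64/DNS64 address (<prefix>:7777::WWXX:YYZZ, /96). Returns $null otherwise.
    param([Parameter(Mandatory = $true)][string]$IPv6)
    $bytes = ([System.Net.IPAddress]::Parse($IPv6)).GetAddressBytes()   # 16 bytes, network order
    if ($bytes.Length -ne 16) { return $null }
    if ($bytes[0] -eq 0x20 -and $bytes[1] -eq 0x02) {
        # 6to4: the public IPv4 of the 6to4 host sits in bits 16..47
        return (New-Object System.Net.IPAddress -ArgumentList (,[byte[]]$bytes[2..5])).ToString()
    }
    if ($bytes[6] -eq 0x77 -and $bytes[7] -eq 0x77) {
        # DA NAT64 prefix <prefix>:7777::/96: the IPv4 host is in the last 32 bits
        return (New-Object System.Net.IPAddress -ArgumentList (,[byte[]]$bytes[12..15])).ToString()
    }
    return $null
}

function Get-DaClientDnsDiagnostics {
    # 1. "Machine Location" exactly as netsh prints it (Inside/Outside corporate network)
    $stateText = & netsh dnsclient show state
    $match = $stateText | Select-String -Pattern 'Machine Location\s*:\s*(.+)$' | Select-Object -First 1
    $location = if ($match) { $match.Matches[0].Groups[1].Value.Trim() } else { 'Unknown' }

    # 2. Effective NRPT entries (the same list "netsh namespace show effectivepolicy" prints),
    #    keeping only those that carry DirectAccess DNS servers
    $daRules = @(Get-DnsClientNrptPolicy -Effective | Where-Object { $_.DirectAccessDnsServers })

    $findings = @()

    # Catch-all "." rule: every query goes to the DA DNS server, i.e. force tunneling is in effect
    $catchAll = @($daRules | Where-Object { $_.Namespace -eq '.' })
    if ($catchAll.Count -gt 0) {
        $findings += "Force tunneling in effect: catch-all '.' rule sends every query to " +
                     ($catchAll[0].DirectAccessDnsServers -join ', ')
    }

    # The symptom from the force-tunneling thread: inside corpnet, yet DA rules still applied, so
    # intranet names resolve through the DA DNS64 address instead of the local DNS servers
    if ($location -match 'Inside' -and $daRules.Count -gt 0) {
        $findings += "Inconsistent: location is '$location' but $($daRules.Count) DirectAccess NRPT rule(s) are still effective"
    }

    # Map each DA DNS address back to the IPv4 host it embeds, where the address format allows it
    foreach ($rule in $daRules) {
        foreach ($server in $rule.DirectAccessDnsServers) {
            $v4 = ConvertFrom-EmbeddedIPv4 -IPv6 $server
            if ($v4) { $findings += "Rule '$($rule.Namespace)': DNS server $server embeds IPv4 $v4" }
        }
    }

    [pscustomobject]@{
        MachineLocation = $location
        DaRuleCount     = $daRules.Count
        Findings        = $findings
    }
}

Get-DaClientDnsDiagnostics | Format-List
```

For an entry such as the fd7e:ed10:5cb6:7777::... addresses in the DNS-error thread above, the decoded IPv4 is the internal host the NAT64 address stands for, which is what to compare against the real DC/DNS server addresses.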

  • Why do some Security Updates get flagged by SCCM 2012 as "Not Required" when the Bulletin ID states they are?

    Hiya
    We've just pushed all updates from the March Patch Tuesday Security Bulletin to our test workstations/servers (using SCCM 2012 R2).
    One of the patches (MS14-013 - KB2929961) hasn't applied to a selection of 2008 R2 and 2012 servers, but according to the Bulletin notes for this it is applicable to both. It has applied to my Windows 8 boxes.
    The servers don't already have this applied, it's not a superseded update and SCCM has flagged this as "Required" for x64 versions of Windows 7, Windows 8, Windows 8.1 but "Not required" for any servers.
    The Bulletin ID states it's applicable to all except Itanium-based editions - https://technet.microsoft.com/en-us/security/bulletin/ms14-013
    If I download the update and try to run it manually on the servers I get "The update is not applicable to your computer".
    So it looks as though the WUAgent and SCCM compliance are reporting correctly, but that the Bulletin ID isn't entirely correct??
    Has anyone else found this? We use the Bulletin IDs for monthly meetings on what we're patching and what systems it will affect, so it causes a lot of confusion with system owners when a patch doesn't apply that they're expecting to get applied.
    Thanks!

    Hi,
    Without any in-depth investigation, if I am not mistaken the update is for DirectShow, and that component is installed with the Desktop Experience on the server OSes, and therefore the update is not applicable on the servers.
    Could that be the case?
    Regards,
    Jörgen
    -- My System Center blog ccmexec.com -- Twitter
    @ccmexec

  • SCCM 2012 R2 - Ports Required through Firewall

    Hi all,
    Currently working on the list of ports which I'll need to wing over to the network guys to open on the firewalls. Here is what I've come up with from my various readings:
    Name                 Port   TCP/UDP  Purpose
    ICMP                                 Echo request messages go from site server to clients
    RPC                  135    TCP      Site Server > Client | Console > Site Server
    NetBIOS              139    TCP      Client < > Site Server
    HTTP                 80     TCP      Client < > Site Server
    HTTPS                443    TCP      Client < > Site Server
    SMB                  445    TCP      Site Server > Client Computer
    LDAP                 389    TCP      Site Server > Domain Controllers
    RemoteControl        2701   TCP      Site Server > Client
    WSUS                 8530   TCP      Client > Site Server
    WSUS                 8531   TCP      Client > Site Server
    MSSQL                1433   TCP      Site Server > SQL Server
    SQLBroker            4022   TCP      Site Server > SQL Broker Service
    Client Notification  10123  TCP      Site Server > Client
    WakeUpProxy          9      UDP      Client > Site Server
    WakeUpProxy          25536  UDP      Client > Site Server
    Is there anything glaringly obvious that I've missed? Or anything I've included unnecessarily? There was a good illustration diagram of how the ports worked in 2007 (http://technet.microsoft.com/en-gb/library/bb632618.aspx) but couldn't seem to find an equivalent for 2012 R2.
    Thanks for the help

    Hi,
    To add to that, the ports for PXE are missing as well if you are going to use it. Have a look at this great Excel spreadsheet where you can add a server name and roles in Excel and it will give you what ports need to be opened. Great help.
    https://sccmguru.wordpress.com/2012/11/09/configuration-manager-2012-port-information-and-spreadsheet/
    Regards,
    Jörgen
    -- My System Center blog ccmexec.com -- Twitter
    @ccmexec

  • DirectAccess (2012 R2) Force Tunnel & Non-IE Browsers

    I'm setting up a DirectAccess solution with Force Tunneling enabled (don't ask why, the client demanded it). The solution is working flawlessly except for internet access for non-IE browsers. I have a proxy server entry in the NRPT for the '.' DNS suffix and IE is honoring that entry and routing all traffic over the DA tunnel to the proxy server correctly.
    However, non-IE browsers like Firefox and Chrome, while they are browsing the internet off of the DA infrastructure tunnel, are ignoring the proxy entry and browsing directly. (In the environment, the DA server itself has access to the internet that is not proxy-filtered.)
    It appears that the proxy server entry in the NRPT is only for IE, and not a global "client" setting. Firefox can still browse the web, but it appears that it's simply throwing the traffic at the DA server directly, which is in turn using its internet access as defined by my client's firewall rules for infrastructure servers.
    Or, am I missing something? It seems that the proxy server specified in the NRPT for the '.' DNS suffix should apply to all client traffic and not just IE...

    For anyone that happens to run across a similar issue, here's how I solved it:
    The main problem was that the '.' DNS suffix in the NRPT policy that was set to route that suffix to a specified intranet proxy server didn't seem to apply to all traffic. Non-IE browsers (such as Firefox) would send traffic over the DA tunnel according
    to the force tunnel configuration, but wouldn't have their internet-based traffic routed to the proxy server. Instead, they would send internet traffic to the DA server, which would access the internet directly, effectively bypassing the corporate proxy and
    its filtering rules.
    The infrastructure design problem at the client was that the server subnet is granted direct internet access that is not proxied, so the DA server had the ability to forward 6to4 internet traffic directly.
    We ended up changing the Windows Firewall on the DA server so that the default outgoing policy was set to block, and created explicit allow rules for only the internal subnets and the proxy servers, effectively killing the DA server's internet access, but
    allowing traffic to the internal infrastructure.
    This in turn killed DA clients' ability to browse the internet unfiltered. For non-IE clients or FTP applications a proxy server will now have to be set manually (or potentially through group policy), but it closed the loophole in the forced tunnel configuration
    for DA clients' web browsing.
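    The fix described in the post, as an added PowerShell example (this is not the poster's script; the subnet ranges, proxy addresses and export path are constructed placeholders for a lab). It creates the explicit outbound allow rules first and only then flips the default outbound action to Block, so the server does not lose its own connectivity to the internal network mid-change.

    ```powershell
    # Added example, not from the original post. Lock down outbound traffic on a
    # force-tunnel DirectAccess server so client traffic can only leave via the
    # corporate proxy. All addresses below are constructed placeholders.
    $internalSubnets = @('10.0.0.0/8', '192.168.0.0/16')   # assumed internal ranges
    $proxyServers    = @('10.0.10.5', '10.0.10.6')          # assumed proxy addresses
    $backupPath      = 'C:\Temp\DA-FirewallProfiles.before.xml'  # assumed path

    # 1. Record the current profile defaults so the change can be reverted.
    Get-NetFirewallProfile |
        Select-Object Name, DefaultInboundAction, DefaultOutboundAction |
        Export-Clixml -Path $backupPath

    # 2. Explicit outbound allow rules first, so nothing breaks when the default flips.
    New-NetFirewallRule -DisplayName 'DA - Allow outbound to internal subnets' `
        -Direction Outbound -Action Allow -RemoteAddress $internalSubnets -Profile Any

    New-NetFirewallRule -DisplayName 'DA - Allow outbound to corporate proxy' `
        -Direction Outbound -Action Allow -RemoteAddress $proxyServers -Profile Any

    # 3. Block everything else leaving the DA server, on every profile.
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

    # 4. Verify the result.
    Get-NetFirewallProfile | Format-Table Name, DefaultOutboundAction
    Get-NetFirewallRule -DisplayName 'DA - *' |
        Format-Table DisplayName, Enabled, Direction, Action
    ```

    Before applying this outside a lab, add allow rules for anything the DA server itself must reach outbound that is not on the internal subnets (domain controllers and DNS if they sit elsewhere, the CRL distribution points for the IP-HTTPS certificate, and Teredo or 6to4 relays if those transitions are in use), otherwise the default Block will take those down along with the client bypass.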

  • DirectAccess 2012 (VMWare) NLB Setup Help

    Hi All,
    A bit of background on our current setup.
    2 x physical servers (Server 2012 R2) hosting DA 2012 in an NLB cluster (unicast)
    All working fine.
    I wish to virtualise the DA solution using VMware. I've built two virtual machines with a view of evicting one of the physical nodes from the existing cluster and introducing the virtual machine.
    However, I've come across various posts on this forum in relation to unicast/multicast setup and it has left me somewhat confused.
    The current servers are plugged into a layer 2 switch going directly out to the inet. Saying that, I've read something about layer 3 ARP entries? I suppose the layer 3 switch would be our ISP? We have no layer 3 switches in between DA and
    the inet here at the office (sorry, I am not a networking guy, so this might sound stupid... but I've been informed it's a layer 2 switch only).
    On the virtual machines I've added an internal NIC and an external NIC (the external NIC is dedicated on the VMware host and not shared with other port groups). What do I need to do to ensure I will have no problems when it comes to introducing the
    virtual machine into the existing cluster please?
    I know a couple of you have set up NLB on VMware for DA. Can someone kindly point me in the direction of some documentation specifically for this kind of setup, or, what would be more helpful, could you kindly explain what I need to do step by step?
    I've read VMware's documentation but wanted to get some feedback from someone who has done a real-world install.
    Do I need to set anything on the vSwitch, for example notify switches, allow MAC address changes, etc.?

    Hi All,
    I've managed to virtualize DA fully with Teredo/6to4/IP-HTTPS all working.
    *** Operating in Multicast mode ***
    I have 6 hosts as part of a VMware cluster; I allocated 1 port per host which is connected to the internet directly (no firewall in between, except a switch).
    I then created a vSphere distributed switch/port group with the following settings:
    Promiscuous mode: Reject
    MAC Address Changes: Accept
    Forged Transmits: Accept
    Notify Switches: Yes
    Once this had all been set up, the next step was to talk to our ISP to add the NLB cluster MAC address to their ARP table as a static entry pointing back to the external VIPs.
    Because I already had DA in place on two physical servers, I changed the NLB settings from unicast to multicast, and yes, when I did this on the internal network I lost the IPv6 address from the NLB settings (so make sure you make a note of it to put it back).
    Changing to multicast might cause the servers to become unresponsive (it did in my case). I waited a while and one came back, whilst the other needed a reset.
    The next step was to introduce a 3rd node and evict one of the physical servers, so I built a virtual machine:
    Basic spec (4GB, 1 vCPU, 4 cores), 2012 R2
    Two network cards:
    Internal (on the same VLAN as the physical servers)
    External (connected to the new port group I created above)
    I also (probably didn't need to) set a static MAC address on the VM for both network cards.
    Allocated an external IP address to the external NIC on the VM and made sure I can ping google etc.
    Copied the settings from the physical servers, i.e. removed the GW from the internal NIC on the VM, added the static route, etc.
    Installed the SSL certificate on the 3rd node.
    Introduced the 3rd node into the existing DA cluster and made sure to move the VM into the DA servers OU so it gets the DA server policy.
    In NLB Manager the 3rd host was showing as "misconfigured".
    Logged onto the 3rd node (VM), launched NLB Manager, noticed it was set to unicast, changed to multicast, brought the node online.
    Once everything was showing green and I could see connections to the 3rd host, I removed one of the physical servers from the cluster using the DA console.
    So back down to two nodes.
    Waited 24 hours.
    Introduced the 2nd VM (the 3rd node again) in this case, following the same steps as above.
    Removed the remaining physical host from the DA cluster.
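    The unicast-to-multicast switch in the post, including the step of putting the lost IPv6 VIP back, as an added PowerShell example run on one NLB node (this is not the poster's procedure or script; it uses the NetworkLoadBalancingClusters module, the interface name and export path are assumptions, and it assumes Add-NlbClusterVip accepts the recorded IPv6 address and prefix in the same form Get-NlbClusterVip reports them).

    ```powershell
    # Added example, not from the original post. Snapshot the cluster VIPs, switch
    # the NLB operation mode to multicast, then re-add any VIP that did not survive.
    Import-Module NetworkLoadBalancingClusters

    $iface      = 'External'                       # assumed NLB-bound interface name
    $backupPath = 'C:\Temp\NLB-Vips.before.xml'    # assumed path

    # 1. Record every VIP (IPv4 and IPv6) before touching the cluster.
    $before = Get-NlbClusterVip -InterfaceName $iface
    $before | Export-Clixml -Path $backupPath

    # 2. Change the operation mode. Expect the node to drop off the network briefly;
    #    do this from the console or via out-of-band access, not over the VIP.
    Get-NlbCluster -InterfaceName $iface | Set-NlbCluster -OperationMode Multicast

    # 3. Compare with the snapshot and restore anything that went missing.
    $after = Get-NlbClusterVip -InterfaceName $iface
    foreach ($vip in $before) {
        $stillThere = $after | Where-Object { $_.IPAddress -eq $vip.IPAddress }
        if (-not $stillThere) {
            Write-Host "Re-adding VIP $($vip.IPAddress)"
            Add-NlbClusterVip -InterfaceName $iface -IP $vip.IPAddress -SubnetMask $vip.SubnetMask
        }
    }

    # 4. Verify mode and node health before evicting any physical host.
    Get-NlbCluster -InterfaceName $iface | Format-List Name, OperationMode
    Get-NlbClusterNode -InterfaceName $iface | Format-Table Name, State, HostPriority
    ```

    Run step 4 again after each node joins; a host reported as misconfigured is the same symptom the post describes, and it means the node's own mode still disagrees with the cluster's.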
