DirectAccess 2012 - Writeable DC Required?
Hi Everyone,
I am looking to deploy DirectAccess 2012 Server into our DMZ environment and currently working through a Lab install.
In our Lab we are seeing the prerequisite checks fail when we use a ReadOnly domain controller but when we switch it for a Writeable DC it proceeds without issue, is this expected behaviour?
Thanks in advance.
Yes, I believe that experience is by design.
"The server GPO is managed by one of the domain controllers in the Active Directory site associated with the server, or if domain controllers in that site are read-only, by a write-enabled domain controller closest to the Remote Access server."
Source:
http://technet.microsoft.com/en-us/library/jj134148.aspx#bkmk_1_6_AD
Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
Similar Messages
-
DirectAccess 2012 - Best way to deploy between two firewalls (NAT'd)
We are deploying DirectAccess 2012 and have a requirement that traffic from the internet (red) must be proxied through the DMZ (yellow) before touching anything on the internal network (green). I will initially only be configuring it to use IP-HTTPS (no Teredo). We have two firewalls, one on the perimeter (FW1), and one between the DMZ and internal networks (FW2).
I'm trying to determine the best way of deploying this in our environment. I've come up with two possibilities:
1. Deploy with two network cards, each connected to separate DMZs. In this scenario, NIC 1 would contain the internet facing IP in DMZ 1 (say 10.10.10.2 and NAT'd by FW1), and NIC2 would contain an internal facing IP on DMZ2 (say 10.10.11.2). NIC2 would be routable to the internal subnets via the internal firewall.
Crude diagram: Internet -> FW1 -> 10.10.10.2---DA---10.10.11.2 -> FW2 -> Internal network
2. Deploy with one network card in the DMZ. This would be NAT'd by FW1, and then pass traffic through to FW2. Since I'd be allowing all TCP/UDP traffic (as per MS) through FW2 to the primary network, this method seems unsafe to me.
Crude diagram: Internet -> FW1 -> 10.10.10.2---DA -> FW2 -> Internal network
What is the best and most secure way to deploy this in the DMZ? I do not want to put an internal network IP directly on the DirectAccess server, as it needs to go through FW2 before reaching internal. The DA server should be isolated in the DMZ.
Advice is appreciated.
Hi,
The first solution is better. The DA server is under the protection of FW1, and the DA server already offers certain security itself, such as the requirement of a computer certificate, domain membership (which means domain authentication) and so on.
Here is a related thread:
DirectAccess 2012 + Security concerns
http://social.technet.microsoft.com/Forums/windowsserver/en-US/2e394a72-d263-449f-9ec2-02701aa8cb96/directaccess-2012-security-concerns?forum=winserver8gen
Hope this helps.
Steven Lee
TechNet Community Support -
Add DirectAccess 2012 R2 to DirectAccess 2012 Cluster
Does anyone know if it is supported or possible to add DirectAccess 2012 R2 to an existing DirectAccess 2012 cluster?
Hoping to use this approach to upgrade and to DirectAccess 2012 R2 without creating a new cluster and configuration.
Thanks
I've never tried it, but I don't know of any reason why it wouldn't work. Server 2012 and above handle NLB/clustering quite a bit differently than UAG did, where the nodes are really more individualized and there's not a "master/member" mentality anymore. So when you add the new 2012 R2, if you experience problems with it or notice that no user sessions are flowing to it, you can simply remove it from the array again, and then you'll know for sure. :)
If I had an environment online right now where I could test this for you I would, but I would give it a try if you have the server ready to go. Just make sure that you install the Remote Access Role, and also the NLB feature, on your new server before you try adding it to the array. You'll also need to have IP addressing and certificates in place on this new node before you will be able to join it successfully to the array. -
Security/Firewall recommendations for DirectAccess 2012 (Dual-NIC Edge Configuration)
Hello all,
We have installed and configured DirectAccess 2012 with the Edge Configuration with the thought that we would be able to install TMG directly on this server (as we did with the original 2008 DirectAccess/UAG). It appears that we cannot install TMG on Server 2012 R2, so now we have a server directly connected to the outside world with public IPs assigned to it and no firewall other than Windows Firewall. I know that most organizations choose to configure DirectAccess behind an Edge device (hindsight being perfect, we should have as well), however we did not and it appears that we can't easily change this without completely reconfiguring DirectAccess (which took several days to get right).
So my question: What are the security/firewall recommendations for a DirectAccess server in an Edge scenario? I've Googled this and have not found much. Thanks in advance,
Brad
-Brad
It's always good to have a firewall in front of a domain-joined machine, and of course the DA server is not an exception.
Server 2012 can work behind a firewall with NAT functionality enabled or disabled.
If you have a fully functional DA with the EDGE profile enabled, you can still configure any firewall (without NATing functionality) without changing the configuration settings in DA.
Also you can have TMG protecting your existing DA setup. Below is the link for it.
http://www.isaserver.org/articles-tutorials/general/implementing-windows-server-2012-directaccess-behind-forefront-tmg-part1.html
Please let me know, how it goes. -
DirectAccess 2012 behind two NATs
Hi Guys
I am trying to setup a DirectAccess 2012 server with single NIC on a VM as below
Basically, if I get a public IP NAT'd with port 443 via the main firewall to a private IP (10.20.1.1/16), and then if I get this private IP again NAT'd via another firewall with port 443 to the DirectAccess server IP (192.168.2.2/18), will this setup work? I will have to do this due to the current network topology at our business.
Thank you in advance.
Hi,
It is supported. In Windows Server 2012, the DirectAccess server can be deployed behind a NAT device with support for only a single network interface, and the public IPv4 address prerequisite is removed.
For detailed information, please refer to the link below,
Windows Server 2012 Direct Access – Part 1 What’s New
http://blogs.technet.com/b/meamcs/archive/2012/05/03/windows-server-2012-direct-access-part-1-what-s-new.aspx
Best Regards.
Steven Lee
TechNet Community Support -
Updates and Hotfixes for DirectAccess 2012 R2 and Windows 8.1
Some of you who use DirectAccess are probably familiar with the following link:
Recommended hotfixes and updates for Windows Server 2012 DirectAccess
As far as I know, and according to TechNet, DirectAccess hasn't changed a bit from 2012 to 2012 R2 servers.
I use DirectAccess on Windows Server 2012 R2 and I'm surprised to see that there is not a single update from that list that is applicable to Server 2012 R2.
If that's true, shouldn't there be documentation that talks about the differences of the DirectAccess client/server from 2012\8 to 2012 R2\8.1?
I'm asking because I want to make sure those updates are already included or not needed for 2012 R2\8.1 and not "forgotten" or something.
Tamir Levy
I was afraid you'd say that.
I hate to be the annoying guy but take a look at this KB article:
http://support.microsoft.com/kb/2787534
Applied to: Windows 8\2012,
Doesn't Apply to: Windows 8.1\2012 R2
And, for a fact, it isn't included in Windows 8.1\2012 R2, as this bug still exists in those operating systems.
Another annoying fact: no other update was released for these versions yet.
This example proves that not every hotfix \ update that was released for 8\2012 before 8.1\2012 R2 is already included in 8.1\2012 R2.
And allow me to add another fact.
When you configure DirectAccess via the Remote Access wizard it creates a WMI query called "DirectAccess - Laptop Only WMI Filter".
After you create it in Windows Server 2012 R2, look at the WMI query and you'll see that by default it doesn't apply to version 6.3, the version for Windows 8.1!
If you want to add support for Windows 8.1 you have to modify the query manually, which is, of course, not supported by Microsoft.
That is just another symptom that makes me wonder if Microsoft did ANY change or update to DirectAccess 2012 R2.
Tamir Levy -
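As an added example (not from Tamir's post and not Microsoft tooling), the following PowerShell reads the GPO WMI filters stored in Active Directory and reports whether the WQL of any filter whose name contains "DirectAccess" mentions the Windows 8.1 / Server 2012 R2 version string 6.3; it only reads, it does not edit the filter. The name substring, the version list and the substring match are assumptions.

```powershell
# Added example: audit GPO WMI filters in AD for OS-version coverage.
# Assumes the ActiveDirectory (RSAT) module and read access to the domain's System container.
Import-Module ActiveDirectory

function Get-WmiFilterVersionCoverage {
    param(
        # Substring that selects the filter(s) to inspect; "DirectAccess" matches the
        # wizard-created "DirectAccess - Laptop Only WMI Filter" (assumption: name unchanged).
        [string]$NameFilter = 'DirectAccess',
        # Kernel version strings the filter is expected to cover (6.2 = 8/2012, 6.3 = 8.1/2012 R2).
        [string[]]$RequiredVersions = @('6.2', '6.3')
    )
    $domainDn     = (Get-ADDomain).DistinguishedName
    $somContainer = "CN=SOM,CN=WMIPolicy,CN=System,$domainDn"

    # WMI filters are msWMI-Som objects; msWMI-Name is the display name and
    # msWMI-Parm2 holds the encoded WQL query text.
    $filters = Get-ADObject -SearchBase $somContainer -LDAPFilter '(objectClass=msWMI-Som)' `
                            -Properties 'msWMI-Name', 'msWMI-Parm2'

    foreach ($f in ($filters | Where-Object { $_.'msWMI-Name' -like "*$NameFilter*" })) {
        $query = [string]$f.'msWMI-Parm2'
        # Heuristic: a version is "covered" if its string appears anywhere in the WQL.
        $missing = $RequiredVersions | Where-Object { $query -notmatch [regex]::Escape($_) }
        [pscustomobject]@{
            Name            = $f.'msWMI-Name'
            Query           = $query
            MissingVersions = ($missing -join ', ')
            CoversVersion63 = ($missing -notcontains '6.3')
        }
    }
}

# Usage: list the DirectAccess filter(s) and whether 6.3 is covered.
Get-WmiFilterVersionCoverage | Format-List
```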
SCOM 2012 R2 Hardware Requirements
Hi,
I am trying to work out what specification machines to use for a deployment of SCOM 2012 R2. I have searched on this forum, online generally and used the sizing guide but it's all a bit vague. The sizing guide spat out the result below but as you can see it makes no mention of CPU speeds or server HDD space apart from the DW server which says 300GB. The sizing wizard also spat out 14.43GB for the Ops DB and 427.45GB for the DW DB based on managing 600 servers, no network devices or applications.
Minimum Hardware Recommendation:
Role: (Total: 2) (1) management server managing up to 1000 agents, plus (1) management server for HA, managing up to 10 SDK users total
Hardware:
• 4 disk RAID 10
• 16 GB RAM
• 4 Cores
Role: Operations Database Server
Hardware:
• 6 disk RAID 10 (Data)
• 2 disk RAID 1 (Log)
• 16 GB RAM
• 4 Cores
Role: Operations Data Warehouse Server
Hardware:
• 12 disk RAID 10 (Data) (300 GB)
• 2 disk RAID 1 (Log)
• 16 GB RAM
• 4 Cores
Role: Web Console Server & SQL Server Reporting Services Server
Hardware:
• 2 disk RAID 1
• 8 GB RAM
• 4 Cores
I have also seen in the documentation that the management servers only require 1024MB of free space on the System Drive; that seems a bit overkill to have that spread across 4 disks at RAID 10. With regards to the DW disk requirements, does it really need 300GB on 12 disk RAID 10 plus the 427.45GB for the Data Warehouse?
If someone could possibly clear this up I would be extremely grateful.
S
Your 4-core CPU has met the requirement. SCOM does not use much CPU resource.
Juke Chou
TechNet Community Support -
NAP on 2008 R2 with DirectAccess 2012 RC
I'm running IPsec NAP on two identically configured Windows 2008 R2 servers that are also standalone CAs for NAP.
I'm in the testing phases of a Windows 2012 RC DirectAccess server that is behind a NAT. Certificates from our domain CA (not the standalone ones for NAP) are used so Win7 clients can also connect. When the computer establishes a DirectAccess connection it's unable to connect to any resources that are part of NAP (only non-NAP resources, exceptions are available). napstat reveals that the client is healthy (it also has the health certificate).
Here's how the Connection Security Rules look on a client:
The first four were automatically generated by the DirectAccess server, the other four are for NAP purposes (before a DA test server was introduced).
It appears these settings don't coexist all that well. If I go to my DA server and click "Enforce corporate compliance for DirectAccess with NAP" I have even less connectivity (unable to reach DA server from clients in DA...).
What am I doing wrong? Are additional logs or information needed to better assist me?
Hi,
Thanks for your post.
You may check the following article to troubleshoot this issue. Hope it helps.
The Cable Guy: DirectAccess with Network Access Protection (NAP)
http://technet.microsoft.com/en-us/magazine/ff758668.aspx
DirectAccess with NAP Troubleshooting Guidance
http://technet.microsoft.com/en-US/library/ff621421(v=ws.10).aspx
DirectAccess with NAP Architecture Overview
http://technet.microsoft.com/en-us/library/ff528481(v=ws.10).aspx
Best Regards,
Aiden
Aiden Cao
TechNet Community Support -
DirectAccess 2012 has wrong DNS servers listed
Hello,
I'm setting up DirectAccess on Server 2012 and having issues with the wrong DNS servers continually being added to the configuration. My setup is as follows: 2 Server 2008 R2 DCs running DNS, both with static IPv4 and IPv6 addresses. The DirectAccess server has a single NIC behind a NAT device and also has static IPv4 and IPv6 addresses. My problem is that I keep getting a "DNS: Not working properly" error on the dashboard. It says:
Error:
Enterprise DNS servers (fd7e:ed10:5cb6:7777::ac10:a22, fd7e:ed10:5cb6:7777::ac10:a21) used by DirectAccess clients for name resolution are not responding. This might affect DirectAccess client connectivity to corporate resources.
The thing is, these are not, nor have they ever been, the IP addresses of my DC/DNS servers. I've removed them by using the configuration editor, but with each restart of the server they reappear. I examined the DirectAccess Server Settings GPO and they are listed in the Extra Registry Settings section, but I am unable to edit that portion. I've read other threads on this forum that state I need to add the IPv6 address of the DA server as the DNS server, but I still get DNS errors when I do that, and after a restart the same two DNS servers show up again.
Anyone have any ideas? Your assistance is greatly appreciated.
Hi,
Thanks for your reply and sorry for replying so late.
Did you point the DNS server address to the IP address of the internal NIC? Maybe you can refer to the similar thread below:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/df08fa06-d3fc-4ca9-b4a2-85824a10819a/direct-access-server-dns-error?forum=winserver8setup
Best regards,
Susie -
DirectAccess 2012 force tunneling
Hi,
I have a Windows Server 2012 DirectAccess implementation where I want to enable force tunneling so clients using DirectAccess from the Internet will force all traffic to the DA server.
When I select "use force tunneling" in the DA Wizard and save the configuration, my DA enabled clients lose network connectivity when they are placed on my internal network.
In the DA wizard I see the help text “DirectAccess clients connected to the internal network and to the Internet via remote Access server” below the “use force tunneling” option.
Can it be true that the force tunneling apply to all DA clients regardless if they are placed internally or on the Internet?
If that is true it will give a lot of traffic on the DA server if force tunneling is enabled.
Thomas Forsmark Soerensen
I'm having the exact same issue:
When in the internal network there is still an entry in the NRPT: the one for "."
DNS Effective Name Resolution Policy Table Settings
Settings for .
Certification authority :
DNSSEC (Validation) : disabled
IPsec settings : disabled
DirectAccess (DNS Servers) : fd17:dc02:d12b:3333::1
DirectAccess (Proxy Settings) : Bypass proxy
My setup is the following:
One NIC behind a FW/Reverse Proxy (squid), force tunneling activated, windows 7 clients (PKI deployed), NAP (NPS/HRA deployed and working).
I tried some tips on DNS resolution:
- enable "Allow DA clients to use local name resolution"
- use least restrictive local name resolution option 'use local name resolution for any kind of DNS resolution error" (but I tried others)
In the configuration there is :
- "." and the DA DNS Server prefix:3333::1
- public url of my DA and no DNS server
- DirectAccess-NLS.internaldomain no DNS Server
On the netsh dnsclient show state this is also strange:
C:\Users\administrator>netsh dnsclient show state
Name Resolution Policy Table Options
Query Failure Behavior : Always fall back to LLMNR and
NetBIOS for any kinds of errors
Query Resolution Behavior : Resolve only IPv6 addresses for names
Network Location Behavior : Let Network ID determine when Direct
Access settings are to be used
Machine Location : Inside corporate network
Direct Access Settings : Configured and Enabled
DNSSEC Settings : Not Configured
It says it is inside the corporate network but DirectAccess settings are "Configured and Enabled".
Do you have some ideas? -
DirectAccess 2012 not able to connect
I've got a Direct Access 2012 instance running and clients are unable to connect. I'm really not sure why. I've got all green check marks in the Operations Status page.
I've uploaded the DCA results
https://onedrive.live.com/redir?resid=270A675D98E09864!109&authkey=!ACNgL-_6rvNy5Co&ithint=file%2ccab
https://onedrive.live.com/redir?resid=270A675D98E09864!110&authkey=!AFUtqtOirbg3UxI&ithint=file%2ctxt
John,
Thanks for your reply. Where do you see one IP configured? I have two configured on the external facing NIC.
I followed the link you suggested and got this output:
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\richard>netsh dns show state
Name Resolution Policy Table Options
Query Failure Behavior : Always fall back to LLMNR and NetBIOS
if the name does not exist
in DNS or
if the DNS servers are
unreachable
when on a private network
Query Resolution Behavior : Resolve only IPv6 addresses for names
Network Location Behavior : Let Network ID determine when Direct
Access settings are to
be used
Machine Location : Outside corporate network
Direct Access Settings : Configured and Enabled
DNSSEC Settings : Not Configured
C:\Users\richard>netsh namespace show effectivepolicy
DNS Effective Name Resolution Policy Table Settings
Settings for SDSIDA01.richardenterprises.net
DirectAccess (Certification Authority) :
DirectAccess (IPsec) : disabled
DirectAccess (DNS Servers) :
DirectAccess (Proxy Settings) : Use default browser settings
Settings for .monitor.richardenterprisessystems.com
DirectAccess (Certification Authority) :
DirectAccess (IPsec) : disabled
DirectAccess (DNS Servers) : 2002:46a8:346c:3333::1
DirectAccess (Proxy Settings) : Bypass proxy
Settings for .richardenterprisessystems.com
DirectAccess (Certification Authority) :
DirectAccess (IPsec) : disabled
DirectAccess (DNS Servers) : 2002:46a8:346c:3333::1
DirectAccess (Proxy Settings) : Bypass proxy
Settings for .richardenterprises.net
DirectAccess (Certification Authority) :
DirectAccess (IPsec) : disabled
DirectAccess (DNS Servers) : 2002:46a8:346c:3333::1
DirectAccess (Proxy Settings) : Bypass proxy
Settings for .qa.richardenterprisessystems.com
DirectAccess (Certification Authority) :
DirectAccess (IPsec) : disabled
DirectAccess (DNS Servers) : 2002:46a8:346c:3333::1
DirectAccess (Proxy Settings) : Bypass proxy
Settings for .staging.richardenterprisessystems.com
DirectAccess (Certification Authority) :
DirectAccess (IPsec) : disabled
DirectAccess (DNS Servers) : 2002:46a8:346c:3333::1
DirectAccess (Proxy Settings) : Bypass proxy
Settings for .dev.richardenterprisessystems.com
DirectAccess (Certification Authority) :
DirectAccess (IPsec) : disabled
DirectAccess (DNS Servers) : 2002:46a8:346c:3333::1
DirectAccess (Proxy Settings) : Bypass proxy
C:\Users\richard>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : richard-x240
Primary Dns Suffix . . . . . . . : richardenterprises.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : richardenterprises.net
richardenterprisessystems.com
monitor.richardenterprisessystems.com
qa.richardenterprisessystems.com
staging.richardenterprisessystems.com
dev.richardenterprisessystems.com
Wireless LAN adapter Local Area Connection* 13:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Hosted Network Virtual Adapter
Physical Address. . . . . . . . . : EA-2A-EA-0C-E2-8E
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Wireless LAN adapter Local Area Connection* 12:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
Physical Address. . . . . . . . . : E8-2A-EA-0C-E2-8F
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Ethernet adapter Bluetooth Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
Physical Address. . . . . . . . . : E8-2A-EA-0C-E2-92
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Wireless LAN adapter Wi-Fi:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 7260
Physical Address. . . . . . . . . : E8-2A-EA-0C-E2-8E
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2600:1012:b127:be8e:fd9d:3679:f76d:187c(P
referred)
Temporary IPv6 Address. . . . . . : 2600:1012:b127:be8e:7c0d:e512:7d90:c46d(P
referred)
Link-local IPv6 Address . . . . . : fe80::fd9d:3679:f76d:187c%4(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, July 30, 2014 9:19:11 AM
Lease Expires . . . . . . . . . . : Thursday, July 31, 2014 9:19:11 AM
Default Gateway . . . . . . . . . : fe80::215:ffff:fe8f:9ec2%4
192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 384314090
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-3B-27-B3-28-D2-44-8C-13-06
DNS Servers . . . . . . . . . . . : 192.168.1.1
Primary WINS Server . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Ethernet:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : richardenterprises.net
Description . . . . . . . . . . . : Intel(R) Ethernet Connection I218-LM
Physical Address. . . . . . . . . : 28-D2-44-8C-13-06
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{0A3ACF23-D6FD-47F6-91B8-E5E43DF81BAA}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:d10c:afc3:3401:ede1:b92e:2f98(Pref
erred)
Link-local IPv6 Address . . . . . : fe80::3401:ede1:b92e:2f98%21(Preferred)
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 553648128
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-3B-27-B3-28-D2-44-8C-13-06
NetBIOS over Tcpip. . . . . . . . : Disabled
Tunnel adapter iphttpsinterface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : iphttpsinterface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2002:46a8:346c:1000:bc7f:1f46:b190:e852(P
referred)
Temporary IPv6 Address. . . . . . : 2002:46a8:346c:1000:4e3:9a37:3998:f4ac(Pr
eferred)
Link-local IPv6 Address . . . . . : fe80::bc7f:1f46:b190:e852%22(Preferred)
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 369098752
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-3B-27-B3-28-D2-44-8C-13-06
NetBIOS over Tcpip. . . . . . . . : Disabled
C:\Users\richard>nltest /dsgetdc:
Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
C:\Users\richard>
Thanks -
Hiya
We've just pushed all updates from the March patch Tuesday Security Bulletin to our test Workstations/Servers (using SCCM 2012 R2)
One of the patches (MS14-013 - KB2929961) hasn't applied to a selection of 2008 R2 and 2012 Servers, but according to the Bulletin notes for this it is applicable to both. It has applied to my Windows 8 boxes.
The servers don't already have this applied, it's not a superseded update, and SCCM has flagged this as "Required" for x64 versions of Windows 7, Windows 8, Windows 8.1 but "Not required" for any servers.
Bulletin ID states its applicable to all except Itanium based editions - https://technet.microsoft.com/en-us/security/bulletin/ms14-013
If I download the update and try to run it manually on the servers I get "The update is not applicable to your computer"
So it looks as though the WUAgent and SCCM compliance are reporting correctly, but that the Bulletin ID isn't entirely correct?
Has anyone else found this? We use the Bulletin IDs for monthly meetings on what we're patching and what systems it will affect, so it causes a lot of confusion with system owners when a patch doesn't apply that they're expecting to get applied.
Thanks!
Hi,
Without any in-depth investigation, if I am not mistaken the update is for DirectShow, and that component is installed with the Desktop Experience on the server OSes, and therefore the update is not applicable on the servers.
Could that be the case?
Regards,
Jörgen
-- My System Center blog ccmexec.com -- Twitter @ccmexec -
SCCM 2012 R2 - Ports Required through Firewall
Hi all,
I'm currently working on the list of ports which I'll need to wing over to the network guys to open on the firewalls. Here is what I've come up with from my various readings:

Name                 Port   TCP/UDP  Purpose
ICMP                 -      -        Echo request messages go from site server to clients
RPC                  135    TCP      Site Server > Client | Console > Site Server
NetBIOS              139    TCP      Client < > Site Server
HTTP                 80     TCP      Client < > Site Server
HTTPS                443    TCP      Client < > Site Server
SMB                  445    TCP      Site Server > Client Computer
LDAP                 389    TCP      Site Server > Domain Controllers
RemoteControl        2701   TCP      Site Server > Client
WSUS                 8530   TCP      Client > Site Server
WSUS                 8531   TCP      Client > Site Server
MSSQL                1433   TCP      Site Server > SQL Server
SQLBroker            4022   TCP      Site Server > SQL Broker Service
Client Notification  10123  TCP      Site Server > Client
WakeUpProxy          9      UDP      Client > Site Server
WakeUpProxy          25536  UDP      Client > Site Server
Is there anything glaringly obvious that I've missed? Or anything I've included unnecessarily? There was a good illustration diagram of how the ports worked in 2007 (http://technet.microsoft.com/en-gb/library/bb632618.aspx) but I couldn't seem to find an equivalent for 2012 R2.
Thanks for the help
Hi,
To add to that, the ports for PXE are missing as well if you are going to use it. Have a look at this great Excel spreadsheet where you can add a server name and roles and it will give you what ports need to be opened. Great help.
https://sccmguru.wordpress.com/2012/11/09/configuration-manager-2012-port-information-and-spreadsheet/
Regards,
Jörgen
-- My System Center blog ccmexec.com -- Twitter @ccmexec -
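As an added example (not from either post), this PowerShell sweeps the TCP rows of the port table above from whatever machine it is run on, so the firewall request can be verified once the network team has applied it. The host names are placeholders, the role each port is probed against is taken from the table's direction column, and the UDP rows cannot be verified with a connect and are reported as skipped.

```powershell
# Added example: probe the TCP ports from the SCCM 2012 R2 table toward the role that receives them.
function Test-SccmPortTable {
    param(
        # Placeholder host names; replace with the real servers (or a client, for the
        # "Site Server > Client" rows) that the probe should reach.
        [hashtable]$Hosts = @{
            SiteServer       = 'sccm01.example.local'
            SqlServer        = 'sql01.example.local'
            DomainController = 'dc01.example.local'
            Client           = 'client01.example.local'
        },
        [int]$TimeoutMs = 2000
    )
    # Rows transcribed from the table; Target is the role on the receiving end.
    # RPC 135 is listed in both directions; the Console > Site Server case is probed here.
    $rows = @(
        @{ Name='RPC';                 Port=135;   Proto='TCP'; Target='SiteServer' },
        @{ Name='NetBIOS';             Port=139;   Proto='TCP'; Target='SiteServer' },
        @{ Name='HTTP';                Port=80;    Proto='TCP'; Target='SiteServer' },
        @{ Name='HTTPS';               Port=443;   Proto='TCP'; Target='SiteServer' },
        @{ Name='SMB';                 Port=445;   Proto='TCP'; Target='Client' },
        @{ Name='LDAP';                Port=389;   Proto='TCP'; Target='DomainController' },
        @{ Name='RemoteControl';       Port=2701;  Proto='TCP'; Target='Client' },
        @{ Name='WSUS';                Port=8530;  Proto='TCP'; Target='SiteServer' },
        @{ Name='WSUS (SSL)';          Port=8531;  Proto='TCP'; Target='SiteServer' },
        @{ Name='MSSQL';               Port=1433;  Proto='TCP'; Target='SqlServer' },
        @{ Name='SQLBroker';           Port=4022;  Proto='TCP'; Target='SqlServer' },
        @{ Name='Client Notification'; Port=10123; Proto='TCP'; Target='Client' },
        @{ Name='WakeUpProxy';         Port=9;     Proto='UDP'; Target='SiteServer' },
        @{ Name='WakeUpProxy';         Port=25536; Proto='UDP'; Target='SiteServer' }
    )

    foreach ($r in $rows) {
        $target = $Hosts[$r.Target]
        if ($r.Proto -ne 'TCP') {
            # A UDP port gives no connect-level answer; it needs an application-level test.
            [pscustomobject]@{ Name=$r.Name; Target=$target; Port=$r.Port; Proto=$r.Proto; Result='skipped (UDP)' }
            continue
        }
        # Raw TcpClient with an explicit timeout: Test-NetConnection has no timeout parameter,
        # so a silently dropped (filtered) port stalls the whole sweep for ~20 s per row.
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($target, [int]$r.Port, $null, $null)
            $ok = $async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
        } catch {
            $ok = $false
        } finally {
            $client.Close()
        }
        [pscustomobject]@{
            Name   = $r.Name; Target = $target; Port = $r.Port; Proto = $r.Proto
            Result = if ($ok) { 'open' } else { 'blocked/closed' }
        }
    }
}

# Usage: one line per table row; anything "blocked/closed" goes back to the network team.
Test-SccmPortTable | Format-Table -AutoSize
```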
DirectAccess (2012 R2) Force Tunnel & Non-IE Browsers
I'm setting up a DirectAccess solution with Force Tunneling enabled (don't ask why, the client demanded it). The solution is working flawlessly except for internet access for non-IE browsers. I have a proxy server entry in the NRPT for the '.' DNS suffix and IE is honoring that entry and routing all traffic over the DA tunnel to the proxy server correctly.
However, non-IE browsers like Firefox and Chrome, while they are browsing the internet off of the DA infrastructure tunnel, are ignoring the proxy entry and browsing directly. (In the environment, the DA server itself has access to the internet that is not proxy-filtered.)
It appears that the proxy server entry in the NRPT is only for IE, and not a global "client" setting. Firefox can still browse the web, but it appears that it's simply throwing the traffic at the DA server directly, which is in turn using its internet access as defined by my client's firewall rules for infrastructure servers.
Or am I missing something? It seems that the proxy server specified in the NRPT for the '.' DNS suffix should apply to all client traffic and not just IE...
For anyone that happens to run across a similar issue, here's how I solved it:
The main problem was that the '.' DNS suffix in the NRPT policy that was set to route that suffix to a specified intranet proxy server didn't seem to apply to all traffic. Non-IE browsers (such as Firefox) would send traffic over the DA tunnel according to the force tunnel configuration, but wouldn't have their internet-based traffic routed to the proxy server. Instead, they would send internet traffic to the DA server, which would access the internet directly, effectively bypassing the corporate proxy and its filtering rules.
The infrastructure design problem at the client was that the server subnet is granted direct internet access that is not proxied, so the DA server had the ability to forward 6to4 internet traffic directly.
We ended up changing the Windows Firewall on the DA server so that the default outgoing policy was set to block, and created explicit allow rules for only the internal subnets and the proxy servers, effectively killing the DA server's internet access, but allowing traffic to the internal infrastructure.
This in turn killed DA clients' ability to browse the internet unfiltered. For non-IE clients or FTP applications a proxy server will now have to be set manually (or potentially through Group Policy), but it closed the loophole in the forced tunnel configuration for DA clients' web browsing. -
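An added PowerShell example (not the poster's actual configuration) of the outbound lockdown described above on a DirectAccess server: the default outbound action becomes Block on every profile, with explicit allow rules for the internal subnets and the corporate proxy, plus a read-back function for the post-change check. The subnets, proxy addresses, proxy port and rule group name are placeholders.

```powershell
# Added example: Windows Firewall outbound lockdown for a DA server with force tunneling.
# Run elevated on the DA server; test on a lab node first, because an allow list that omits
# the DCs, CA, NLS or a CRL distribution point will break the server itself.
function Set-DaOutboundLockdown {
    param(
        [string[]]$InternalSubnets = @('10.0.0.0/8', '192.168.0.0/16'),  # placeholders
        [string[]]$ProxyServers    = @('10.0.5.10', '10.0.5.11'),         # placeholders
        [int]$ProxyPort            = 8080,                                # placeholder
        [string]$GroupName         = 'DA outbound lockdown'               # rule group, for rollback
    )
    # Remove any earlier copy of the rules so the function can be re-run safely.
    Get-NetFirewallRule -Group $GroupName -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    # Internal infrastructure (DCs, CA, NLS, internal resources) over any protocol.
    New-NetFirewallRule -DisplayName 'DA: allow internal subnets' -Group $GroupName `
        -Direction Outbound -Action Allow -RemoteAddress $InternalSubnets -Profile Any | Out-Null

    # The forward proxy only on its listening port, so client web traffic has to transit it.
    New-NetFirewallRule -DisplayName 'DA: allow corporate proxy' -Group $GroupName `
        -Direction Outbound -Action Allow -RemoteAddress $ProxyServers `
        -Protocol TCP -RemotePort $ProxyPort -Profile Any | Out-Null

    # Flip the default outbound action from Allow (the Windows default) to Block on all profiles.
    # Replies to inbound connections (IP-HTTPS, IPsec) are still permitted as part of those sessions.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block
}

function Get-DaOutboundLockdownState {
    param([string]$GroupName = 'DA outbound lockdown')
    # Per-profile default action plus the rules in the group, for the post-change check.
    [pscustomobject]@{
        Profiles = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction
        Rules    = Get-NetFirewallRule -Group $GroupName -ErrorAction SilentlyContinue |
                   Select-Object DisplayName, Enabled, Direction, Action
    }
}

# Usage: apply, then confirm every profile shows DefaultOutboundAction = Block and both rules exist.
Set-DaOutboundLockdown
Get-DaOutboundLockdownState | Format-List
```

Rolling back is `Get-NetFirewallRule -Group 'DA outbound lockdown' | Remove-NetFirewallRule` followed by `Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Allow`.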
DirectAccess 2012 (VMWare) NLB Setup Help
Hi All,
A bit of background on our current setup.
2 X Physical servers (server 2012 r2) hosting DA 2012 in NLB Cluster (Unicast)
All working fine.
I wish to virtualise the DA solution using VMWare. I've built two virtual machines with a view of evicting one of the physical nodes from the existing cluster and introducing the virtual machine.
However I've come across various posts on this forum in relation to unicast/multicast setup and it has left me somewhat confused.
The current servers are plugged into a layer 2 switch going directly out to the inet. Saying that, I've read something about layer 3 ARP entries? I suppose the layer 3 switch would be our ISP? We have no layer 3 switches in between DA and the inet here at the office (sorry, I am not a networking guy, so this might sound stupid... but I've been informed it's a layer 2 switch only).
On the virtual machines I've added an internal NIC and an external NIC (the external NIC is dedicated on the VMware host and not shared with other port groups). What do I need to do to ensure I will have no problems when it comes to introducing the virtual machine into the existing cluster please?
I know a couple of you have setup NLB on VMWare for DA, can someone kindly point me in the direction of some documentation specifically for this kind of setup or what be more helpful is if you could kindly explain what i need to do step by step.
I've read VMWare's documentation but wanted to get some feedback from someone who has done a real world install.
Do I need to set anything on the vSwitch, for example notify switches, allow MAC address changes etc?
Hi All,
I've managed to virtualize DA fully with Teredo/6to4/IP-HTTPS all working.
*** Operating in Multicast mode ***
I have 6 hosts as part of a VMware cluster; I allocated 1 port per host which is connected to the internet directly (no FW in between, except a switch).
I then created a vSphere distributed switch/port group with the following settings
Promiscuous mode: Reject
Mac Address Changes: Accept
Forged Transmits: Accept
Notify Switches: Yes
Once this had all been set up, the next step was to talk to our ISP to add the NLB cluster MAC address to their ARP table as a static entry pointing back to the external VIPs.
Because I already had DA in place on two physical servers, I changed the NLB settings from unicast to multicast, and yes, when I did this on the internal network I lost the IPv6 address from the NLB settings (so make sure you make a note of it to put it back).
Changing to multicast might cause the servers to become unresponsive (it did in my case). I waited a while and one came back, whilst the other needed a reset.
Next step was to introduce a 3rd node and evict one of the physical servers, so I built a virtual machine.
Basic spec (4GB 1Vcpu 4cores) 2012 R2
Two network cards
Internal (on the same vlan as the physical servers)
External (connected to the new port group I created above)
I also (probably didn't need to) set a static MAC address on the VM for both network cards.
Allocated an external IP address to the external NIC on the VM and made sure I can ping Google etc.
Copied the settings from the physical servers, i.e. removed GW from internal NIC on VM, added static route etc etc.
Installed the SSL certificate on the 3rd node.
Introduced the 3rd node into the existing DA cluster and made sure to move the VM into the DA servers OU so it gets the DA server policy.
In NLB Manager the 3rd host was showing as "misconfigured".
Logged onto the 3rd node (VM), launched NLB Manager, noticed it was set to unicast, changed to multicast, brought node online.
Once everything was showing green and I could see connections to the 3rd host, I removed one of the physical servers from the cluster using the DA console.
So back down to two nodes.
Waited 24 hours
Introduced the 2nd VM (or 3rd node again in this case), following the same steps as above.
Removed remaining physical host from DA cluster.