Windows Server Direct Access Deployment

Dear Sir,
I am trying to deploy Direct Access on Windows Server 2008 R2. Please can someone give me direction on how to make a perfect deployment, or point me to a webcast? Thanks.

Hi,
You can also follow the KB articles and TechNet video below.
TechNet Video:
Configuring and Implementing DirectAccess with Windows Server 2012
http://technet.microsoft.com/en-us/video/tdbe13-configuring-and-implementing-directaccess-with-windows-server-2012.aspx
Deploy KB:
Implementing Your DirectAccess Design Plan
http://technet.microsoft.com/en-us/library/ee649219(v=ws.10).aspx
DirectAccess for Windows Server 2008 R2
http://technet.microsoft.com/en-us/library/dd758757(v=ws.10).aspx
DirectAccess Deployment Guide
http://technet.microsoft.com/en-us/library/ee649163(v=ws.10).aspx
Hope this helps.

Similar Messages

  • Windows 2012 Direct Access ISATAP not working

    I just installed Windows 2012 Direct Access and it's working fine for my company's Windows 7 Ent clients. The only issue I can't get around is that ISATAP is not working on this box.
    We want to be able to manage-out in our native IPv4 environment. The isatap A record has already been created and is resolvable to all client machines, including the Direct Access server. Unfortunately, ISATAP still appears to be Disabled. Do we need to manually set this to enabled, apart from what I've already done?
    PS C:\Windows\system32> Get-RemoteAccessHealth
    Component            RemoteAccessServer   HealthState     TimeStamp            Id
    Server               localhost            OK              1/31/2013 3:26:43 PM
    6to4                 localhost            Disabled        1/31/2013 3:21:44 PM
    Vpn Addressing       localhost            Disabled        1/31/2013 3:21:44 PM
    Network Security     localhost            OK              1/31/2013 3:21:44 PM
    Dns                  localhost            OK              1/31/2013 3:26:43 PM
    IP-Https             localhost            OK              1/31/2013 3:21:44 PM
    Nat64                localhost            OK              1/31/2013 3:21:44 PM
    Dns64                localhost            OK              1/31/2013 3:21:44 PM
    IPsec                localhost            OK              1/31/2013 3:21:44 PM
    Kerberos             localhost            Disabled        1/31/2013 3:21:44 PM
    Domain Controller    localhost            OK              1/31/2013 3:21:44 PM
    Management Servers   localhost            Disabled        1/31/2013 3:21:44 PM
    Network Location ... localhost            OK              1/31/2013 3:26:43 PM
    Otp                  localhost            Disabled        1/31/2013 3:21:44 PM
    High Availability    localhost            Disabled        1/31/2013 3:21:44 PM
    Isatap               localhost            Disabled        1/31/2013 3:21:44 PM
    Vpn Connectivity     localhost            Disabled        1/31/2013 3:21:44 PM
    Teredo               localhost            Disabled        1/31/2013 3:21:44 PM
    Network Adapters     localhost            OK              1/31/2013 3:21:44 PM
    Services             localhost            OK              1/31/2013 3:26:43 PM
    PS C:\Windows\system32> ping isatap
    Pinging isatap.isat.com [192.168.1.214] with 32 bytes of data:
    Reply from 192.168.1.214: bytes=32 time=1ms TTL=128
    Reply from 192.168.1.214: bytes=32 time<1ms TTL=128
    Reply from 192.168.1.214: bytes=32 time<1ms TTL=128
    Reply from 192.168.1.214: bytes=32 time<1ms TTL=128

    Hi,
    Thank you for the post.
    As far as I understand, ISATAP is not recommended for use as the IPv6 to IPv4 transition technology in DirectAccess in Windows Server 2012. With ISATAP disabled, DirectAccess clients can initiate connections to computers on the internal network, and the computers on the internal network are able to respond. However, computers on the internal network will not be able to initiate connections to DirectAccess for purposes of remote client management. If you want to be able to do remote client management, consider deploying native IPv6 for management servers that will connect to DirectAccess client computers.
    Regards,
    Nick Gu - MSFT

  • Just FYI, Windows Server 2012 R2 and Windows Server 2012 BranchCache Deployment Guide in Word format in the TechNet Gallery

    The Windows Server 2012 R2 and Windows Server 2012 BranchCache Deployment Guide is now available for download in Word format in the TechNet Gallery at
    http://bit.ly/1pYZT3F
    Thanks -
    James McIllece

    hello again,
    meanwhile I was lucky to find this article about Identity Mapping in TechNet in the Storage Team Blog:
    http://blogs.technet.com/b/filecab/archive/2012/10/09/nfs-identity-mapping-in-windows-server-2012.aspx
    Likely to be overseen at the end of one paragraph it says:
    "Client for NFS does not support NFS V4.1 in Windows 8 or Windows Server 2012"
    Question : Is this an official statement and is it still valid with most recent
    Windows Server 2012 R2 that NFS client does NOT support NFSv4.x  ??
    thanks - Rainer

  • I have a time capsule connected directly to fiber connection. I have connected a windows server directly to TC and configured it for remote desktop connection. From my interanet I can access srvr but not from my home. What config I need on TC?

    I have a time capsule directly connected to fibre optic point out. All PCs and Macs are connected wirelessly to the internet. I have connected a Windows server PC to the TC. When configured for Remote Desktop connection, I can access windows server from within interanet but don't know how to access it from internet. I guess I need to change some settings in the TC to get some IP address for the remote desktop connection from my home. Anyone who can help me out? Appreciate it.
    Narmin

    I am a little lost now.. I have read again your title and your first post.. and they seem inconsistent.
    In the title you state.
    From my interanet I can access srvr but not from my home.
    Interanet is not a word I know.. I assumed intranet...are you talking about internet or intranet? And just to be clear say WAN or LAN.. !! Is your home part of the interanet??
    In the first post you state,
    I can access windows server from within interanet but don't know how to access it from internet.
    Now this is more normal.. the issue is not in the home at all, it is accessible from there but fails from internet. If this is correct, then you can do a few obvious things to determine where the problem is.
    But first I need to know are you actually testing from a different internet connection to your home lan.. you are not just trying the public IP from inside the LAN as that will fail due to the TC not doing NAT Loopback.
    I am also assuming the TC is the only router in the network, and has the public IP on the WAN interface.
    And I am also assuming you have turned on the ping responder and you can actually ping your public ip from the internet and get a response. This helps no end in figuring out where there are issues. Strange but I have no idea if there is a ping responder in the TC WAN so you might need to forward that as well. Also if you have a dynamic public ip address are you using dyndns or no-ip or some other service to connect.
    1. Test bypassing the TC.. plug the internet connection straight into the windows server,, and test if you have access. If yes, the TC is the problem.. if not, your setup on the windows server is wrong.. look at firewall in particular.
    2. Assuming from test 1 the TC is the problem, Post the screen shots of the port forwarding setup for us to look at.. that is by far the easiest way to check it out.
    There are lots of references to port forwarding in the TC.. eg
    http://must-know-mac.blogspot.com/2008/07/how-to-port-forward-time-capsule.html
    The things that generally go wrong are firewall on the computer that is accepting the port.
    The ISP doesn't allow connections on a particular port. (not likely in your case)
    The router is behind another router.. double NAT will kill any port forward.
    Upnp has already allocated a port.. not an issue as TC doesn't use upnp although a reboot of everything after you set port forwards is well worth it.. amazing how things don't stick properly without a reboot.
    IP on the receiving device is not static and so changes.
    Not enough or right type of ports are opened. This is always messier than it looks as one port is often not enough for two way communications.

  • Windows server 2012 and windows 7 direct access

    I am looking for some decent documentation on how to get direct access in windows 2012 to work with windows 7
    Can anyone point me the right direction?

    Hi, I got success through this
    http://syscomlab.blog.com/2012/09/how-to-get-windows-7-to-work-with-directaccess-server-2012/ and this one
    http://syscomlab.blog.com/2012/09/directaccess-for-windows-server-2012-guide/ but I'm using NLS on a dedicated server (which is fine for me), and the Win7 client doesn't connect to DA (EDGE server) through the internet. I'm using a LAB where the WS2012 host acts as a GATEWAY (using NAT). For the Windows 8 client it is working fine, but when I try using Win7 clients it just doesn't work :(
    Server WS 2012 RTM fully patched + Win8 Enterprise RTM fully patched + Win7 Enterprise RTM fully patched (including the recommended KBs for the DA solution)
    regards,
    Thiago
    Thiago Beier. If this was useful, mark it as the answer! Don't forget to mark as answer!

  • How to make directaccess windows server 2012 access the IPv4 link

    Hi all,
    I have built DirectAccess for Win7 with an IPv4-only intranet successfully, and it works well. But here is a problem: I can't access IPv4 links. For example, I can access
    http://www.test.com, but I can't access the URL http://192.168.13.13. I have many links that use IPv4 addresses, so I can't access these resources through DirectAccess. What should I do to make it work?

    Hi,
    Direct Access is an IPv6 technology. Clients send only IPv6 packets to DirectAccess server. We need an IPv6/IPv4 translator here.
    Choose Solutions for IPv4-only Intranet Resources
    http://technet.microsoft.com/en-us/library/ee382298(v=ws.10).aspx
    And in Windows Server 2012 we have built-in NAT64 and DNS64.
    Windows Server 2012 Direct Access – Part 1 What’s New
    http://blogs.technet.com/b/meamcs/archive/2012/05/03/windows-server-2012-direct-access-part-1-what-s-new.aspx
    Hope this helps.
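
Added example, not part of the original thread: a sketch of why the name-based URL in the question works through DNS64/NAT64 while the IPv4 literal does not. It generalizes to every prefix length RFC 6052 allows; the NAT64 prefix and the A record for www.test.com are constructed sample values, not taken from the poster's deployment.

```python
"""DNS64/NAT64 address synthesis (RFC 6052) versus an IPv4 literal in a URL."""
import ipaddress
from urllib.parse import urlsplit

# Constructed placeholder prefix; a real deployment has its own NAT64 prefix.
NAT64_PREFIX = "2001:db8:64:7777::/96"
# Constructed stand-in for the intranet DNS zone (IPv4-only A records).
ZONE = {"www.test.com": "192.168.13.13"}


def embed_ipv4(prefix, ipv4):
    """Embed an IPv4 address in an IPv6 prefix as RFC 6052 section 2.2 defines."""
    net = ipaddress.ip_network(prefix)
    v4 = ipaddress.IPv4Address(ipv4)
    if net.version != 6 or net.prefixlen not in (32, 40, 48, 56, 64, 96):
        raise ValueError("RFC 6052 allows only /32, /40, /48, /56, /64 and /96")
    out = bytearray(net.network_address.packed)
    if out[8] != 0:
        raise ValueError("bits 64-71 of the prefix must be zero")
    pos = net.prefixlen // 8
    for octet in v4.packed:
        if pos == 8:  # reserved octet "u" (bits 64-71) is skipped and stays zero
            pos += 1
        out[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(out))


def dns64_view(url, a_records, prefix=NAT64_PREFIX):
    """Report whether a client that only sends IPv6 gets a destination for url."""
    host = urlsplit(url).hostname
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None  # not an address literal, so it is a DNS name
    if literal is not None and literal.version == 4:
        # Nothing is resolved, so DNS64 never gets to synthesize an AAAA record
        # and the client has no IPv6 destination to send to.
        return {"host": host, "dns_query": False, "ipv6_target": None}
    if literal is not None:
        return {"host": host, "dns_query": False, "ipv6_target": literal}
    a_record = a_records.get(host)
    if a_record is None:
        return {"host": host, "dns_query": True, "ipv6_target": None}
    # DNS64 answers the AAAA query with the A record embedded in the prefix;
    # NAT64 later extracts the IPv4 address again and forwards the traffic.
    return {"host": host, "dns_query": True,
            "ipv6_target": embed_ipv4(prefix, a_record)}


if __name__ == "__main__":
    for url in ("http://www.test.com", "http://192.168.13.13"):
        print(url, "->", dns64_view(url, ZONE))
```

Resources published by host name get a synthesized IPv6 destination; links that hard-code an IPv4 address never reach DNS64, which matches the behaviour described in the question.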

  • Windows server anywhere access not working from outside the lan

    OK, so here's what I have done so far: I installed Windows Server 2012 Essentials on a computer, followed the wizard to add a couple of users and gave them Anywhere Access, followed the wizard and ran the Anywhere Access setup to completion, and set up ports 80 and 443 on the router manually to forward to my router IP 10.0.1.20.
    My server is still on a dynamic IP.
    Then I went to a Windows 7 Ultimate computer, went to the connect URL, downloaded the connect tool, ran it to completion and restarted the computer. So far everything is working inside my LAN: I can connect to the server, see shared files and open the dash management.
    Now I go outside, connect to a wired or wireless network of a friend and try to connect to http://xxxxxxx.remotewebaccess.com but am unsuccessful. Then I check on my network adapter page and see that there is a new adapter that is named as my remotewebaccess.com, so I click on it and try to connect, but it still fails...
    Please help, what am I doing wrong?
    I checked everywhere and can't find a solution.
    Thank you

    It is probably better to assign a static IP to your server, but OTH it may not change. But you really hate to go off on vacation and have the IP change and everything break.
    Now you said you forwarded ports 80 and 443 to your router; I bet you meant your server?
    Do www.whatismyip.com and from outside ping xxxx.remotewebaccess.com and make sure they are the same IP.
    From a PC or the server on your network go to grc.com and do Shields Up and make sure it reports 80 and 443 as open.
    Grey

  • Install GoDaddy SSL Certificate to Windows Server 2012 - Access Anywhere

    I would like to activate Access Anywhere on my Windows Server 2012 Essentials. I went through the guided steps and purchased an SSL certificate from GoDaddy. GoDaddy doesn't offer support regarding the correct installation process of their certificates using IIS 8 (Server 2012 Essentials). I noticed that Access Anywhere requires a PFX certificate and GoDaddy only provided a PKCS #7 and a .cer file. Please let me know if GoDaddy's certificates are compatible with Windows Server 2012 Essentials. Without Access Anywhere functioning on my server, the usefulness of the server greatly decreases. Your assistance is greatly appreciated. Thanks.

    All you need is the standard, lowest level, single domain, no email, no bells, no whistles, no UCC.  Just a simple SSL cert.  Even SBS standard which adds email to the RWA feature, only requires that, thanks to the magic of the dev. team.
    Larry Struckmeyer[SBS-MVP] If your question is answered, please mark the response as the answer so that others can benefit.

  • AD FS Windows Server 2012 R2 - Deployment Scenario

    I am deploying with the following scenario and need your expert advice.
    Customer local domain: abc.local → AD FS servers are members of the local domain (ADFS1.abc.local, ADFS2.abc.local). ADFS server farm set up with two servers load balanced on F5 (sts.abc.sa), internal DNS host name.
    Customer external domain: abc.sa → UPN suffix added, all users' UPN suffix is changed to abc.sa, external DNS host (sts.abc.sa).
    My query:
    1- Do I need to change the domain suffix of the server before running the Federation PowerShell command, or will the following command work?
    Set-MsolADFSContext -Computer FQDN-OF-ADFS_SERVER
    (FQDN WITH ABC.LOCAL OR ABC.SA)
    2- Do I need to run the above command on the second ADFS server (part of the farm), or how does it work? As I notice, the second server, though it's part of the ADFS farm, is not showing the ADFS MMC or responding to the STS metadata URL. Even on the F5 NLB the second server is showing down. Is this normal behavior? I read somewhere that the second server needs to be promoted to primary in case the first server is unavailable. Please advise.
    Adding: the common name of the certificate is sts.abc.sa

    Hi,
    Do I need to change the domain suffix of server before running the Federation PowerShell command or following command will work
    As far as I know, we don’t need to do that, since we can create a corresponding DNS forward lookup zone and add a host record for the ADFS server.
    Name resolution requirements for ADFS-enabled Web servers
    http://technet.microsoft.com/en-us/library/cc758073(v=WS.10).aspx
    In addition, the act of creating two or more federation servers in the same network, configuring each of them to use the same Federation Service, and adding the public key of each server's token-signing certificates to the AD FS Management snap-in creates a federation server farm.
    Quoted from article below:
    When to Create a Federation Server Farm
    http://technet.microsoft.com/en-us/library/dd807062.aspx
    Since we are not very familiar with ADFS, as Mr. X mentioned, there is a dedicated ADFS forum where you can refer to if you have further questions.
    Best Regards,
    Amy

  • IIS 6 logs, ASP, Windows server 2003, access 2000

    Hello all,
    I have an ASP page on my website that has been throwing some 500 errors. I pulled the following out of the IIS 6 logs:
    2008-02-19 19:58:05 POST /sssssssss_xxxxxxxxxxx.asp |145|80020005|Type_mismatch. - 24.111.22.94 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+InfoPath.1) https://xxxxxx/xxxxxxxxxxxx.asp 500 471
    Is the "145" the line in code that the error is coming from?
    Thanks.

    Ashish,
    This forum is dedicated to Microsoft Project and Project Server, which are project management applications.
    I am not seeing how your question is connected to this forum. I suggest you post this in a relevant forum to get better and correct answers.
    Cheers,
    Prasanna Adavi, Project MVP

  • Windows server permissions -- access limited by share

    This user belongs to a group whose share permissions are set to Read. This should be changed to Full Control?

    I'm having a weird issue and need some help going in the right direction.
    I am trying to determine why a user can't get write access to a folder.
    When I check the effective access I see that "Share" is listed many times as the reason that access is limited (Access limited by column).
    How do I determine which share is causing this?
    This topic first appeared in the Spiceworks Community

  • Unable to rename msvcp60.dll in windows server 2008 ( access denied error message)

    Dear all,
    This is to inform you that I wanted to replace the msvcp60.dll file for some other configuration purpose, but it's not allowing me to change it even using the local administrator login. Please help: how can I get it done?
    Regards,
    Kumar V

    Perhaps it is held by a process. Find the process, stop it and do what you want. If you still cannot do what you need, make a script and run it in Task Scheduler with elevated rights as SYSTEM. You may re-register the newly named DLL.
    Perhaps a more suitable forum for a problem like this one is the MSDN forum. If the problem persists, address this forum.
    HTH
    Milos

  • Windows Server 2012 - Direct Access clients and the Windows 8 firewall

    Hi,
    We're running a simple proof-of-concept for Server 2012 Direct Access, we have a single DA server behind a firewall using NAT. We have a number of client devices setup for DA and running Windows 8.
    Our issue is that we can only get the Windows 8 direct access clients to connect (when outside the corporate network) and work with the windows firewall disabled (public network profile). 
    With the windows firewall disabled everything works exactly as expected. When outside the corporate network the client detects the network state (public network profile), connects via DA and all internal resources can be accessed successfully...fantastic.
    Is there some specific guidance on manually configuring the windows 8 firewall for Direct Access ? We've tried the obvious TCP:443 with edge traversal enabled but without success.
    Much of the information we have found relates to UAG rather than Windows 2012 DA.
    Any assistance is appreciated.

    Hi,
    There isn’t any specific configuration on the firewall.
    Just confirm that port 443 can be forwarded to DirectAccess server.
    Of course, make sure you are using IPsec first.
    Check the links:
    STEP 6: Test DirectAccess Client Connectivity from Behind a NAT Device
    http://technet.microsoft.com/en-us/library/hh831524.aspx#TeredoCLIENT1
    DirectAccess for Windows Server 2012 Installation & Configuration Guide
    http://syscomlab.blog.com/2012/09/directaccess-for-windows-server-2012-guide/
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

  • Mac Pro accessing SMB shares on a windows server. After being left on all night, the MP gets "file unavailable" messages when opening files on the share.

    Windows Server 2003 accessed by several PCs and Macs without previous incident.  This one Mac Pro after it's been left on all night (running jobs, or just left idle), and a user tries to reconnect to an SMB share, can go to Finder, Go, Connect to Server, enter the Server info as normal, login as normal, view the directories and files as normal, but as soon as they try to open anything they are given one of the following messages:
    "Word cannot open this document. The document might be in use, the document might not be a valid Word document, or the file name might contain invalid characters (for example, \ /). (<filename>)" - when opening a word document
    "<filename> could not be found.  Check the spelling of the file name and verify that the file location is correct.  If you are trying to open the file from your list of most recently used files on the File menu, make sure that the file has not been renamed, moved, or deleted." - when opening an excel spreadsheet
    Note that these messages are popping up AFTER the user has double-clicked on them to open them.  So the files are certainly there and correctly named (and contain only letters, numbers and underscores).  After restarting the Mac Pro, the error messages are gone and the files can be accessed without problem. Would like it so that they can connect to the server without having to restart every day.

  • LAN side firewall settings for Direct Access (Windows Server 2012 R2) in DMZ?

    I am currently planning to set up our first Direct Access server (Windows Server 2012 R2). It will be in our firewall DMZ and we will be using the IP-HTTPS listener.
    For the Internet-facing rule only TCP 443 inbound/outbound is sufficient, but for the LAN-facing rules (not talking about the Windows server firewall) what would be the recommended firewall rules for a Direct Access server? Is there a best practice guideline to follow for this? Appreciate any advice or comments. Thank you.

    Hi Barkley
    Please see this Technet Link which will backup your requirements - https://technet.microsoft.com/en-gb/library/jj574101.aspx
    Section Reads - 
    When using additional firewalls, apply the following internal network firewall exceptions for Remote Access traffic:
    ISATAP—Protocol 41 inbound and outbound
    TCP/UDP for all IPv4/IPv6 traffic
    Also another link from http://www.ironnetworks.com/blog/directaccess-network-deployment-scenarios#.VO3tfvmsVrU
    "I have had a number of conversations with security administrators and network architects who have expressed a desire to place the DirectAccess server between two firewalls (firewall sandwich) in order to explicitly control access from the DirectAccess server to the internal corporate network. While at first this may sound like a sensible solution, it is often quite problematic and, in my opinion, does little to improve the overall security of the solution. Restricting network access from the DirectAccess server to the internal LAN requires so many ports to be opened on the inside firewall that the benefit of having the firewall is greatly diminished. Placing the DirectAccess server’s internal network interface on the LAN unrestricted is the best configuration in terms of supportability and provides the best user experience."
    Kindest Regards
    John Davies

    Thanks for your reply and information, John. I find it somewhat disappointing that Microsoft does not provide much more in the way of documentation and information regarding this topic. I required more information to show to our security team so they will allow us to have the internal facing NIC not have more restrictive rules in place, as it is a security concern.
