Step 2: Configure the DirectAccess Server


Updated: August 10, 2012

Applies To: Windows Server 2012 R2, Windows Server 2012

This topic describes how to configure the client and server settings required for a basic Remote Access deployment using the Enable DirectAccess Wizard. Before beginning the deployment steps, ensure that you have completed the planning steps described in Step 2: Plan the Remote Access deployment.



Configure DirectAccess clients

Configure the Remote Access server with the security groups containing DirectAccess clients.

Configure the Network Topology

Configure Remote Access server settings.

Configure the DNS Suffix Search List

Modify the Suffix search list if desired.

GPO Configuration

Modify the GPOs if desired.

To Start the Enable DirectAcces Wizard

  1. In the Start screen click Routing and Remote Access and the Enable DirectAcces Wizard will start automatically unless you have selected Do not show this screen again.

  2. If the wizard does not start automatically, right-click the server node in the Routing and Remote Access tree, and then click Enable DirectAccess.

  3. Click Next.

For a client computer to be provisioned to use DirectAccess it must belong to the selected security group. After DirectAccess is configured, client computers in the security group are provisioned to receive the DirectAccess group policy.

To configure DirectAccess clients

  1. On the Select Groups page, click Add.

  2. On the Select Groups dialog box, select the security groups containing DirectAccess client computers.

  3. Select the Enable DirectAccess for mobile computers only check box to allow only mobile computers to access the internal network.

  4. Select the Use force tunneling check box to route all client traffic (to the internal network and to the Internet) through the Remote Access server.

  5. Click Next.

To deploy Remote Access, you need to configure the Remote Access server with the correct network adapters, a public URL for the Remote Access server to which client computers can connect (the connect to address), and an IP-HTTPS certificate whose subject matches the connect to address.

To configure the network topology

  1. On the Network Topology page, click the deployment topology that will be used in your organization. In Type the public name or IPv4 address used by clients to connect to the Remote Access server, enter the public name for the deployment (this name matches the subject name of the IP-HTTPS certificate, for example,, and then click Next.

To configure the DNS suffix search list

  1. Select Configure DirectAccess Clients with DNS client suffix search list to specify additional suffixes for client name searches.

  2. Type a new suffix name in New Suffix: and then click Add. Additionally, you can change the search order and remove suffixes from Domain Suffixes to use:

For DNS clients, you can configure a DNS domain suffix search list that extends or revises their DNS search capabilities. By adding additional suffixes to the list, you can search for short, unqualified computer names in more than one specified DNS domain. Then, if a DNS query fails, the DNS Client service can use this list to append other name suffix endings to your original name and repeat DNS queries to the DNS server for these alternate FQDNs.For computers and servers, the following default DNS search behavior is predetermined and used when completing and resolving short, unqualified names.When the suffix search list is empty or unspecified, the primary DNS suffix of the computer is appended to short unqualified names, and a DNS query is used to resolve the resultant FQDN. If this query fails, the computer can try additional queries for alternate FQDNs by appending any connection-specific DNS suffix configured for network connections.If no connection-specific suffixes are configured or queries for these resultant connection-specific FQDNs fail, then the client can then begin to retry queries based on systematic reduction of the primary suffix (also known as devolution).For example, if the primary suffix were "", the devolution process would be able to retry queries for the short name by searching for it in the "" and "com" domains.When the suffix search list is not empty and has at least one DNS suffix specified, attempts to qualify and resolve short DNS names is limited to searching only those FQDNs made possible by the specified suffix list. If queries for all FQDNs formed as a result of appending and trying each suffix in the list are not resolved, the query process fails, producing a "name not found" result.


If the domain suffix list is used, clients continue to send additional alternate queries based on different DNS domain names when a query is not answered or resolved. Once a name is resolved using an entry in the suffix list, unused list entries are not tried. For this reason, it is most efficient to order the list with the most used domain suffixes first.

Domain name suffix searches are used only when a DNS name entry is not fully qualified. To fully qualify a DNS name, a trailing period (.) is entered at the end of the name.


In a disjoint name space scenario (where one or more domain computers has an DNS suffix that does not match the Active Directory domain to which the computers belong), you should ensure that the search list is customized to include all the required suffixes. The Remote Access wizard will by default configure the Active Directory DNS name as the primary DNS suffix on the client. Admin should ensure that he adds the DNS suffix used by clients for name resolution.

GPO Settings – The DirectAccess server GPO name and Client GPO name are listed. Additionally, you can modify the GPO selection settings.

DirectAccess settings configured when you configure Remote Access are collected into Group Policy Objects (GPO). Two GPOs are populated automatically with DirectAccess settings, and distributed as follows:

  1. DirectAccess client GPO—This GPO contains client settings, including IPv6 transition technology settings, NRPT entries, and Windows Firewall with Advanced Security connection security rules. The GPO is applied to the security groups specified for the client computers.

  2. DirectAccess server GPO—This GPO contains the DirectAccess configuration settings that are applied to any server configured as a Remote Access server in your deployment. It also contains Windows Firewall with Advanced Security connection security rules.

Once the Remote Access configuration is complete the Summary will be displayed. You can change configured setting or click Finish to apply the configuration