# Step 2 Configure the Basic DirectAccess Server
Applies To: Windows Server 2016
This topic describes how to configure the client and server settings required for a basic DirectAccess deployment. Before beginning the deployment steps, ensure that you have completed the planning steps described in Plan a Basic DirectAccess Deployment.
| Task | Description |
|---|---|
| Install the Remote Access role | Install the Remote Access role. |
| Configure DirectAccess Using the Getting Started Wizard | The new Getting Started Wizard presents a greatly simplified configuration experience. The wizard masks the complexity of DirectAccess and allows for an automated setup in a few simple steps. The wizard provides a seamless experience for the administrator by configuring Kerberos proxy automatically, which eliminates the need for an internal PKI deployment. |
| Update clients with the DirectAccess configuration | To receive the DirectAccess settings, clients must update group policy while connected to the intranet. |
This topic includes sample Windows PowerShell cmdlets that you can use to automate some of the procedures described. For more information, see Using Cmdlets.
## Install the Remote Access role

To deploy Remote Access, you must install the Remote Access role on a server in your organization that will act as the Remote Access server.

### To install the Remote Access role
1. On the Remote Access server, in the Server Manager console, in the Dashboard, click **Add roles and features**.
2. Click **Next** three times to get to the server role selection screen.
3. On the **Select server roles** dialog, select **Remote Access**, and then click **Next**.
4. On the **Select features** dialog, click **Next**.
5. Click **Next**, and then on the **Select role services** dialog, select the **DirectAccess and VPN (RAS)** check box.
6. Click **Add Features**, click **Next**, and then click **Install**.
7. On the **Installation progress** dialog, verify that the installation was successful, and then click **Close**.
**Windows PowerShell equivalent commands**

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though it may appear word-wrapped across several lines here because of formatting constraints.

```powershell
Install-WindowsFeature RemoteAccess -IncludeManagementTools
```
## Configure DirectAccess with the Getting Started Wizard

### To configure DirectAccess using the Getting Started Wizard
1. In Server Manager, click **Tools**, and then click **Remote Access Management**.
2. In the Remote Access Management console, select the role service to configure in the left navigation pane, and then click **Run the Getting Started Wizard**.
3. Click **Deploy DirectAccess only**.
4. Select the topology of your network configuration and type the public name to which remote access clients will connect. Click **Next**.
5. By default, the Getting Started Wizard deploys DirectAccess to all laptops and notebook computers in the domain by applying a WMI filter to the client settings GPO.
6. Because no PKI is used in this deployment, the wizard automatically provisions self-signed certificates for IP-HTTPS and the Network Location Server if no suitable certificates are found, and automatically enables Kerberos proxy. The wizard also enables NAT64 and DNS64 for protocol translation in the IPv4-only environment. After the wizard finishes applying the configuration, click **Close**.
7. In the console tree of the Remote Access Management console, select **Operations Status**. Wait until the status of every monitor displays as **Working**. In the **Tasks** pane under **Monitoring**, click **Refresh** periodically to update the display.
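The following script is an added example, not part of this topic, that performs the same deployment unattended and then waits for the monitors to report healthy, which is the command-line counterpart of the **Operations Status** check above. It uses the `Install-RemoteAccess`, `Get-RemoteAccess` and `Get-RemoteAccessHealth` cmdlets from the RemoteAccess module (not listed on this page), the `DirectAccess-VPN` feature name, and a placeholder public name (`da.example.com`) that you must replace with the name you typed in the wizard.

```powershell
# Added example: unattended equivalent of the Getting Started Wizard steps.
# $PublicName is a placeholder; use the public name remote clients will connect to.
$PublicName = 'da.example.com'

# 1. Confirm that the role service installed in the previous procedure is present.
$feature = Get-WindowsFeature -Name DirectAccess-VPN
if (-not $feature.Installed) {
    throw 'DirectAccess-VPN is not installed; run Install-WindowsFeature RemoteAccess -IncludeManagementTools first.'
}

# 2. Deploy DirectAccess only (no VPN). FullInstall creates both the server and the
#    client GPOs; -DeployNat turns on NAT64/DNS64 for the IPv4-only intranet, as the
#    wizard does. No certificates are supplied, so self-signed certificates are
#    provisioned for IP-HTTPS and the Network Location Server and Kerberos proxy is used.
Install-RemoteAccess -DAInstallType FullInstall -ConnectToAddress $PublicName -DeployNat -Force

# 3. Show the resulting server configuration (public name, NLS, GPO names).
Get-RemoteAccess | Format-List ConnectToAddress, NlsLocation, ClientGpoName, ServerGpoName

# 4. Poll the health monitors until every component is OK, equivalent to waiting for
#    "Working" in the Operations Status view. Components that are not part of this
#    deployment (for example VPN) report Disabled and are not treated as failures.
$deadline = (Get-Date).AddMinutes(10)
do {
    $health = Get-RemoteAccessHealth
    $notOk  = $health | Where-Object { $_.HealthState -notin @('OK', 'Disabled') }
    if (-not $notOk) { break }
    Start-Sleep -Seconds 30
} while ((Get-Date) -lt $deadline)

$health | Format-Table Component, HealthState -AutoSize
if ($notOk) {
    Write-Warning "Components still not healthy after timeout: $($notOk.Component -join ', ')"
}
```

If a component stays in **Warning** or **Error**, open **Operations Status** in the console; it lists the specific check that failed (for example an unreachable DNS server or a missing IP-HTTPS certificate) together with a suggested resolution.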
## Update clients with the DirectAccess configuration

### To update DirectAccess clients
1. Open PowerShell as an administrator.
2. In the PowerShell window, type `gpupdate` and then press ENTER.
3. Wait for the computer policy update to complete successfully.
4. Type `Get-DnsClientNrptPolicy` and then press ENTER.

   The Name Resolution Policy Table (NRPT) entries for DirectAccess are displayed. Note that the NLS server exemption is displayed. The Getting Started Wizard automatically created this DNS entry for the DirectAccess server and provisioned an associated self-signed certificate so that the DirectAccess server can function as the Network Location Server.
5. Type `Get-NCSIPolicyConfiguration` and then press ENTER. The network connectivity status indicator settings deployed by the wizard are displayed. Note the value of **DomainLocationDeterminationURL**. Whenever this network location server URL is accessible, the client determines that it is inside the corporate network, and the NRPT settings are not applied.
6. Type `Get-DAConnectionStatus` and then press ENTER. Because the client can reach the network location server URL, the status displays as **ConnectedLocally**.
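The script below is an added example, not part of this topic, that runs the client-side checks above as one pass and flags the common failure modes: no NRPT entries (group policy not applied), the NLS URL not reachable (client will fall back to remote mode even on the intranet), or a status other than **ConnectedLocally**. The cmdlets are the ones named in the procedure; the property names used (`Namespace`, `DirectAccessDnsServers`, `DirectAccessEnabled`, `DomainLocationDeterminationUrl`, `Status`, `Substatus`) are those returned by the DnsClient, NetworkConnectivityStatus and DirectAccessClientComponents modules on Windows clients. Run it from an elevated PowerShell window while the client is connected to the intranet.

```powershell
# Added example: verify the DirectAccess client configuration after a GPO refresh.

# 1. Refresh computer policy so the DirectAccess client settings are applied.
gpupdate /target:computer /force | Out-Null

# 2. NRPT: DirectAccess rules should be present. The NLS exemption is the entry
#    that carries no DirectAccess DNS servers, so the NLS name resolves normally.
$nrpt = Get-DnsClientNrptPolicy
if (-not $nrpt) {
    throw 'No NRPT entries found; the DirectAccess client GPO has not been applied.'
}
$nrpt | Format-Table Namespace, DirectAccessDnsServers, DirectAccessEnabled -AutoSize
$exemptions = $nrpt | Where-Object { -not $_.DirectAccessDnsServers }
"Exemption (NLS) entries: $($exemptions.Namespace -join ', ')"

# 3. NCSI: read the network location server URL and test whether it is reachable.
#    On the intranet this must succeed; if it fails, the client will treat itself
#    as remote and apply the NRPT rules even though it is inside the network.
$nlsUrl = (Get-NCSIPolicyConfiguration).DomainLocationDeterminationUrl
"Network location server URL: $nlsUrl"
$nlsReachable = $false
try {
    $response = Invoke-WebRequest -Uri $nlsUrl -UseBasicParsing -TimeoutSec 5
    $nlsReachable = ($response.StatusCode -eq 200)
} catch {
    # A certificate trust failure here usually means the self-signed NLS certificate
    # pushed by the client GPO has not reached this machine yet.
    Write-Warning "NLS probe failed: $($_.Exception.Message)"
}
"NLS reachable: $nlsReachable"

# 4. Ask the DirectAccess client for its own verdict and cross-check it with step 3.
$da = Get-DAConnectionStatus
"DirectAccess status: $($da.Status) (substatus: $($da.Substatus))"
if ($nlsReachable -and $da.Status -ne 'ConnectedLocally') {
    Write-Warning 'NLS is reachable but the client does not report ConnectedLocally; review the NRPT and NCSI settings above.'
}
if (-not $nlsReachable -and $da.Status -eq 'ConnectedLocally') {
    Write-Warning 'Client reports ConnectedLocally but the NLS probe failed; the probe may be blocked by a proxy or firewall.'
}
```

The NLS reachability test is the important one from a security standpoint: a client that cannot reach the NLS while on the intranet behaves as if it were on the Internet, and a client that can reach an NLS-like URL from outside would wrongly treat itself as local, so the NLS must be resolvable and reachable only from inside the corporate network.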