Monitor the configuration distribution status of the Remote Access server

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

Note: Windows Server 2012 combines DirectAccess and Remote Access Service (RAS) into a single Remote Access role.

The Remote Access Management Console compares the configuration versions from all the monitored servers to verify that they match and are using the latest configuration version. This shows whether the latest configuration version (which is specified in the Group Policy Objects or GPOs) was distributed to all of the servers and whether it was successfully applied on the servers.

To use the monitoring dashboard to monitor the configuration distribution

  1. In Server Manager, click Tools, and then click Remote Access Management.

  2. Click DASHBOARD to navigate to Remote Access Dashboard in the Remote Access Management Console.

  3. On the monitoring dashboard, notice the Configuration Status tile at the top center. This tile shows the current status of the configuration distribution.

The following table shows the messages that are generated by the Configuration Status tile, their meanings, and the necessary administrative action (if any).

Severity Message Meaning What to do?
Success The configuration was distributed successfully. The configuration in the GPO was successfully applied on the server. No action needed.
Warning Configuration for server [server name] not retrieved from the domain controller. The GPO is not linked. The configuration in the GPO did not yet reach the server. This could be because the GPO is not linked to the server. Link the GPO to a scope of management that is applied to the server, or in a staging GPO scenario, manually export the settings from the staging GPO and import them to the production GPO. For more information about staging GPOs, see Managing Remote Access GPOs with limited permissions in Step-1-Plan-the-DirectAccess-Infrastructure. For GPO staging steps, see Configuring Remote Access GPOs with limited permissions in Step 1: Configure the DirectAccess Infrastructure.
Warning Configuration for server [server name] not yet retrieved from the domain controller. The configuration in the GPO did not yet reach the server.

It can take up to 10 minutes to propagate a new configuration.

Allow more time for the policies to update on the server.
Error Configuration for server [server name] cannot be retrieved from the domain controller. The configuration in the GPO did not reach the server, and more than 10 minutes have passed since the configuration was changed. This could happen in one of the following scenarios:

- The server has no connectivity to the domain to update the policies. You can run "gpupdate /force" on the server to force a policy update.
- GPO replication might be required to retrieve the updated configuration.
- There is no writable domain controller in the Active Directory site of the Remote Access server.

Wait for GPOs to replicate to all domain controllers, and then use the Windows PowerShell cmdlet Set-DAEntryPointDC to associate the entry point with a writable domain controller in Active Directory in the Remote Access server.

Warning Configuration for server [server name] retrieved from the domain controller, but not yet applied. The configuration in the GPO reached the server but is not yet applied.

It can take up to 15 minutes before the configuration is applied.

Allow more time for the configuration to be fully applied to the server.
Error Configuration for server [server name] retrieved from the domain controller cannot be applied. The configuration in the GPO reached the server but is not successfully applied, and more than 15 minutes have passed since the configuration was changed. This could happen in one of the following scenarios:

1. The configuration is currently in the process of being applied. This is shown as an error because it may have taken a long time to retrieve the configuration from the GPO.
To verify whether this is the reason, use Task Scheduler and navigate to Microsoft\Windows\RemoteAccess to verify that RAConfigTask is currently running.
2. If RAConfigTask is not currently running, it may have failed to apply the configuration on the server.
Check for errors in Event Viewer under the Remote Access server operations channel, which is located at \Applications and Services Logs\Microsoft\Windows\RemoteAccess-RemoteAccessServer.
Check for errors in OPERATIONS STATUS in the Remote Access Management Console. For more information, see Monitor the Operations Status of the Remote Access server and its components.

Error Configuration for multisite servers retrieved from the domain controller. The configuration does not match on all servers. There is an inconsistency between the configuration versions of the server GPOs in the multisite deployment.

Ideally, all the server GPOs for all entry points will have the same global configuration, but for some reason, they are out of sync.

This can happen when a configuration change failed and was not rolled back successfully.

You should restore the GPOs from a backup state where all server GPOs were synchronized. For information about a script that you can use, see Back up and Restore Remote Access Configuration.