Module 7

Implementing DirectAccess
Module Overview

• Overview of DirectAccess
• Implementing DirectAccess by using the Getting
Started Wizard
• Implementing and managing an advanced
DirectAccess infrastructure
Lesson 1: Overview of DirectAccess

• DirectAccess components
• DirectAccess server deployment options
• DirectAccess tunneling protocol options
• Managing remote access in Windows Server 2016
• How DirectAccess works for internal clients
• How DirectAccess works for external clients
• Demonstration: Installing the Remote Access
server role
 DirectAccess components
Active Directory
Internal clients domain controller
Internet websites
DNS server

DirectAccess
NRPT server

IPv6/IPsec

External clients

Internal network resources

Network location
server

PKI deployment
DirectAccess server deployment options

• DirectAccess server Deployment options:

• Simple deployment by using the Getting Started Wizard
• Complex deployment by using advance configuration
options
• DirectAccess server advance deployment options:
• Deploy multiple endpoints
• Multiple domain support
• Deploy a server behind a NAT device
• Support for OTP and virtual smart cards
• Support for NIC Teaming
• Off-premise provisioning
DirectAccess tunneling protocol options

DirectAccess tunneling protocols include:

• ISATAP. Tunnels IPv6 traffic over IPv4 networks for
intranet communication
• 6to4. Used by DirectAccess clients with a public IP
address
• Teredo. Used by DirectAccess clients with a private IP
address behind a NAT device
• IP-HTTPS. Used by DirectAccess clients if they are not
able to use ISATAP, 6to4, or Teredo
Managing remote access in Windows Server 2016

Manage the Remote Access server role by

using:
• Remote Access Management console
• Routing and Remote Access console
• Windows PowerShell:
• Set-DAServer
• Get-DAServer
• Set-RemoteAccess
• Get-RemoteAccess
How DirectAccess works for internal clients
AD DS domain
Internal client
Internet controller
computers
websites DNS server
6 Connection
security rules

NRPT
1 DNS
DirectAccess
server
4 5 ADDS
2
3 7

Step 4 Directaccess Network

Rules Ignored location
server
Certificate Internal network
Step 6 Domain Revocation resources
List
Firewall profile
assigned without
connection Security
Tunnel rules
 How DirectAccess works for external clients

2
DirectAccess
DNS server server
4
Internet
websites
Active Directory
domain controller
6 DNS server

Connection
security 3
rules

Internal network
NRPT 1 resources
External
client
computers
Demonstration: Installing the Remote Access
server role

In this demonstration, you will learn how to install

the Remote Access server role
Lesson 2: Implementing DirectAccess by using
the Getting Started Wizard

• Demonstration: Running the Getting Started

Wizard
• Getting Started Wizard configuration changes
• Demonstration: Identifying the Getting Started
Wizard settings
• Limitations of deploying DirectAccess by using the
Getting Started Wizard
Demonstration: Running the Getting Started Wizard

In this demonstration, you will learn how to

configure DirectAccess by running the Getting
Started Wizard
Getting Started Wizard configuration changes

Changes made by the Getting Started Wizard

include:
• GPO settings:
• DirectAccess Server Settings GPO
• DirectAccess Client Settings GPO
• It is not supported to manually edit the GPOs

• DNS server settings

• Remote clients
• Remote access server
• Infrastructure servers
Demonstration: Identifying the Getting Started
Wizard settings

In this demonstration, you will learn how to

identify the changes that are made by the
DirectAccess Getting Started Wizard
Limitations of deploying DirectAccess by using
the Getting Started Wizard
• Certificates:
• Creates self-signed certificates that cannot be used in multisite
deployments or with two-factor authentication
• Needs you to ensure that the CRL distribution point for both
certificates is available externally
• Network location server design:
• Deploys the network location server on the same server as the
DirectAccess server
• Windows client operating system support:
• The Getting Started Wizard configuration is applicable for clients
running: Windows 10, Windows 8.1 or Windows 8 or Windows
Server 2016, Windows Server 2012 R2, or Windows Server 2016
• Windows 7 clients require a client certificate for IPsec
authentication
Lesson 3: Implementing and managing an advanced
DirectAccess infrastructure
• Overview of the advanced DirectAccess options
• Load balancing and high availability options
• Supporting multiple locations
• Integrating a PKI with DirectAccess
• Implementing client certificates for DirectAccess
• Internal network configuration options
• Configuring advanced DNS settings
• Implementing network location servers
• Implementing management servers
• Demonstration: Modifying the DirectAccess infrastructure
• How to monitor DirectAccess connectivity
• How to troubleshoot DirectAccess connectivity
• Demonstration: Monitoring and troubleshooting DirectAccess
connectivity
• Implementing DirectAccess offline domain join
Overview of the advanced DirectAccess options

Advanced DirectAccess configuration options

include:
• Scalable and customized PKI infrastructure
• Customized network configuration options
• Scalable and highly-available server deployment
• Customized monitoring and troubleshooting
Load balancing and high availability options

• DirectAccess can be made highly-available using:

• Network Load Balancing (NLB)
• Third party solution such as Citrix NetScaler, F5 and
others
• If DirectAccess server is running in a Hyper-V
virtual machine, MAC spoofing must be enabled
• All DirectAccess servers in a load balancing
cluster must have the same configuration
• You should consider making the Network
Location Server highly-available as well
Supporting multiple locations

• With a multisite deployment, two or more

DirectAccess servers are placed in multiple locations
• A multisite deployment gives the following benefits:
• Your DirectAccess clients connects to the closest and fastest
DirectAccess server
• If a DirectAccess server in one site goes offline, clients can
connect to DirectAccess server in another site
• A multisite deployment requires:
• A PKI
• A single DirectAccess server with advanced settings already
deployed
• Internal network must be IPv6 enabled
• Windows 7 clients must be manually assigned to a site
Integrating a PKI with DirectAccess

Configuring PKI for DirectAccess includes the

following steps:
1. Add and configure the CA server role (if not
already present)
2. Create the certificate template
3. Create a CRL distribution point and publish the
CRL list
4. Distribute the computer certificates
Implementing client certificates for DirectAccess

• Computer certificate for IPsec authentication is required for

DirectAccess clients running Windows 7
• Steps for deploying certificates for client computers:
1. Create a GPO and link it to the organizational unit that contains
the DirectAccess clients
2. Configure the GPO for automatic certificate request for the
computer account
3. Apply the GPO
4. Verify that the certificates are issued
• DirectAccess can be configured to use OTP
• Typically requires 3rd party software or hardware to supply
the password
Internal network configuration options

Planning for internal network configuration

includes:
• Plan for DirectAccess server location (Edge,
perimeter network, and internal network)
• Plan the IP address assignment
• Plan the firewall configuration
• Plan for AD DS
• Plan for client deployment
Configuring advanced DNS settings

• DirectAccess uses DNS for resolving:

• Network location server
• IP-HTTPS
• CRL distribution point
• ISATAP
• Connectivity verifiers

• You can configure the NRPT by using Group

Policy with the following settings:
• DNS suffixes
• CRL distribution point
• Split-brain DNS
Implementing network location servers

• You can locate the network location server on:

• A DirectAccess server
• Another server with IIS installed
• Requirements for network location server
configuration include:
• Configure a network location server website certificate
• Ensure that DirectAccess clients trust the CA
• Ensure that the network location server website server
certificate is checked against a CRL
• The network location server should be accessible by
internal clients
• The network location server should not be accessible by
Internet clients
• The network location server should be highly available
Implementing management servers

• Management servers in DirectAccess are:

• Domain controllers
• System Center Configuration Manager servers

• Management servers are detected by

DirectAccess:
• Automatically
• Manually if modified

• Management server requirements:

• Should be accessible for the infrastructure tunnel
• Must fully support IPv6
Demonstration: Modifying the DirectAccess
infrastructure

In this demonstration, you will learn how to:

• Modify the DirectAccess infrastructure that you
deployed by using the Getting Started Wizard
• Apply advanced configuration settings
How to monitor DirectAccess connectivity

Remote Access Management Console monitoring

components:
• Dashboard
• Operations Status
• Remote Access Client Status
• Remote Access Reporting
How to troubleshoot DirectAccess connectivity

You can troubleshoot DirectAccess connectivity by

using:
• A troubleshooting methodology
• Command-line tools
• GUI tools
Demonstration: Monitoring and troubleshooting
DirectAccess connectivity

In this demonstration, you will learn how to

monitor and troubleshoot DirectAccess
connectivity
Implementing DirectAccess offline domain join

To configure DirectAccess offline domain join:

1. Create a new computer account for the remote
client computer and run the djoin.exe
command to generate a provisioning package
2. Add the client computer account to the
DirectAccessClients security group
3. Copy the provisioning package to the remote
client computer that will be joining the domain
4. Apply the provisioning package to the remote
client computer
5. Reboot the remote client computer
Lab A: Implementing DirectAccess by using the
Getting Started Wizard
• Exercise 1: Verifying readiness for a DirectAccess
deployment
• Exercise 2: Configuring DirectAccess
• Exercise 3: Validating the DirectAccess deployment
Logon Information
Virtual machines: 20741B-LON-DC1
20741B-LON-SVR1
20741B-EU-RTR
20741B-LON-CL1
User name: Adatum\Administrator
Password: Pa55w.rd

Virtual machine: 20741B-INET1

User name: Administrator
Password: Pa55w.rd
Estimated Time: 45 minutes
Lab Scenario

Many users at A. Datum Corporation work from outside the

organization. This includes mobile users and people who work from
home. These users currently connect to the internal network by using
a non-Microsoft VPN solution. The security department is concerned
about the security of the external connections and wants to ensure
that the connections are as secure as possible. The support team
wants to minimize the number of support calls related to remote
access and would like to have more options for managing remote
computers.
IT management at A. Datum is considering deploying DirectAccess as
the remote access solution for the organization. As an initial proof of
concept deployment, management has requested that you configure a
simple DirectAccess environment that client computers running
Windows 10 can use.
Lab Review

• Why did you create the DirectAccessClients

group?
• How will you configure an IPv6 address for
client computers running Windows 10 to use
DirectAccess?
Lab B: Deploying an advanced DirectAccess solution

• Exercise 1: Preparing the environment for DirectAccess

• Exercise 2: Implementing the advanced DirectAccess infrastructure
• Exercise 3: Validating the DirectAccess deployment

Logon Information
Virtual machines: 20741B-LON-DC1
20741B-LON-SVR1
20741B-EU-RTR
20741B-LON-CL1
20741B-LON-CL2
User name: Adatum\Administrator
Password: Pa55w.rd

Virtual machine: 20741B-INET1

User name: Administrator
Password: Pa55w.rd

Estimated Time: 75 minutes

Lab Scenario

The DirectAccess proof of concept deployment

was a success, so IT management has decided to
enable DirectAccess for all mobile clients,
including computers running Windows 7. IT
management also wants to ensure that the
DirectAccess deployment is scalable and provides
redundancy.
You need to modify the proof of concept
deployment to meet the new requirements.
Lab Review

• Why did you make the CRL available on the Edge

server?
• Why did you install a certificate on the client
computer?
Module Review and Takeaways

• Review Questions
• Tools
• Best Practices
• Common Issues and Troubleshooting Tips