Your DirectAccess pre-setup checklist

Hi there! Welcome to the first post on our new blog site, DirectAccessGuide.com.

We hope the documented DirectAccess knowledge we plan to share here will be a valuable addition to your DirectAccess toolkit. Please come back regularly: a team of Microsoft engineers, myself included, will be adding content and how-to guides all about DirectAccess. For my first entry, I wanted to build a running list of pre-setup checklist items you will want to complete with every DirectAccess install.

First and foremost, you need a licensed copy of Windows Server 2012 or Windows Server 2012 R2. Standard or Datacenter edition both work; the DirectAccess feature set is identical in the two. Once the OS is installed, the next step is to add the Remote Access role. This is the piece that provides the base components we will use to configure DirectAccess later. Go into Add Roles and Features and check the Remote Access role as shown below:

Remote Access Role Install

After you select the role, it prompts you to install some additional components; select "Add features" to continue:

Add Features

At this point you can keep clicking Next until the Install option becomes available. This installs all the Remote Access components needed to get started with DirectAccess. After the role is installed, it is very important to install all available Windows Updates for the OS. We release security updates each month, and starting with Windows 8 and Windows Server 2012 we have also been releasing monthly reliability updates (rollups) that update many OS components, DirectAccess included. For example, the current monthly update for Windows 8 and Windows Server 2012 for this month is:

http://support.microsoft.com/kb/2903938

We release these every month, and it is very important to include them in your patch installs for any Windows Server 2012, Windows Server 2012 R2, Windows 8, and Windows 8.1 system. When building a new DirectAccess server, grab all of the monthly updates as part of the build process; they include all of our released hotfixes to date and will keep you from hitting known setup issues.
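The same pre-setup steps driven from PowerShell, as an added example that is not code from the original post or from Microsoft. It assumes an elevated prompt on Windows Server 2012 or 2012 R2 (PowerShell 3.0 or later) and treats the KB named above as the only required update; extend `$RequiredKBs` for later months. The pending-update query at the end needs network reachability to Windows Update or your WSUS server.

```powershell
# Added example, not from the original post. Pre-setup checklist from an elevated
# PowerShell prompt on Windows Server 2012 / 2012 R2 (PowerShell 3.0+).
# Assumption: KB2903938 (the rollup named in the post) is the only update we require.
$RequiredKBs = @('KB2903938')

# 1. OS check: Windows Server 2012 is NT 6.2, 2012 R2 is NT 6.3. Standard and Datacenter
#    expose the same DirectAccess feature set, so only the version matters here.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.Version -notmatch '^6\.(2|3)\.') {
    throw "DirectAccess needs Windows Server 2012 or 2012 R2; found $($os.Caption) ($($os.Version))."
}
Write-Host "OS: $($os.Caption) $($os.Version)"

# 2. Install the Remote Access role. DirectAccess-VPN is the 'DirectAccess and VPN (RAS)'
#    role service; RemoteAccess (its parent role) and the RSAT tools come with it. This is
#    the PowerShell equivalent of the Add Roles and Features / Add features clicks above.
$install = Install-WindowsFeature -Name DirectAccess-VPN -IncludeManagementTools
if (-not $install.Success) {
    throw "Remote Access role install failed (exit code $($install.ExitCode))."
}
if ($install.RestartNeeded -ne 'No') {
    Write-Warning 'Restart the server before running the Remote Access setup wizard.'
}
Get-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, RSAT-RemoteAccess |
    Format-Table Name, DisplayName, InstallState -AutoSize

# 3. Patch check: the monthly rollups register as hotfixes, so Get-HotFix (same data as
#    Installed Updates in Control Panel) shows whether the build skipped them.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missing   = $RequiredKBs | Where-Object { $_ -notin $installed }
if ($missing) {
    Write-Warning "Missing required update(s): $($missing -join ', ')"
} else {
    Write-Host 'All required monthly updates are installed.'
}

# 4. Anything still pending from the configured update source (Windows Update or WSUS)?
#    Uses the Windows Update Agent COM API; needs network reachability to that source.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates
Write-Host "Pending updates: $($pending.Count)"
foreach ($u in $pending) { Write-Host "  - $($u.Title)" }
if ($pending.Count -gt 0) {
    Write-Warning 'Install the pending updates and reboot before configuring DirectAccess.'
}
```

Run it once after the OS is joined to the domain and again after the reboot that follows the updates; a clean second run (no missing KBs, zero pending updates) is the state the Remote Access setup wizard should be started from.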


Categories: Install Tips

5 Comments on “Your DirectAccess pre-setup checklist”

  1. didihai
    May 21, 2014 at 13:57 #

    Hi! After the configuration of Windows NLB we are ready to deploy DirectAccess. Thanks! Your blog and your help made some things possible!

    Is a "post-configuration" checklist out there? How can I check if the infrastructure and configuration is ready to deploy to customers? How do you prove your installation?

    Thanks! Dietmar Haimann

    • June 2, 2014 at 00:09 #

      Hi Dietmar,

      Post install checklist is a future topic I’ve marked down to blog about in the coming weeks. For now, here are a few items I always check after any new DirectAccess install :

      – Enable Performance Monitoring in Server Manager (see http://technet.microsoft.com/en-us/library/hh831394.aspx for more details)
      – Check and ensure Operational Status looks green in Remote Access Management console
      – Enable reporting in Remote Access Management console (allows historical reporting, disabled by default)
      – Delete and re-create DNS records created by DirectAccess. By default they are registered as dynamic DNS records which could get scavenged. I recommend deleting and re-creating them as static DNS records to avoid scavenging (DNS records are directaccess-WebProbeHost and directaccess-CorpConnectivityHost)
      – Ensure NLS location is HIGHLY available. I would recommend this is hosted on an external load balancer (if available) to ensure highest uptime.
      – Disable un-used IPv6 tunneling protocols (if your install is just IP-HTTPS, create a new GPO and disable 6to4 and Teredo for your DirectAccess clients since they are not being used)
      – Make sure the DirectAccess server is fully patched
      – I usually configure an additional GPO for the DirectAccess clients to turn on the Windows firewall in the public & private profiles, set the Windows Firewall service to automatic start, set the IP Helper service to automatic start, and finally add an inbound rule to allow remote management of the DirectAccess clients from the internal network
      – I check to see if DirectAccess clients can reach the DirectAccess server from the corporate network. This simulates if the NLS location becomes unavailable from the corporate network. This can be easily accomplished by editing the hosts file on a DirectAccess client and adding a bogus DNS entry for the NLS location. I usually try to test this scenario to see if DirectAccess clients are able to connect to the DirectAccess server from the corporate network. If they fail to connect, I usually recommend a customer open up the correct ports on their internal/external firewall to allow this traffic. This allows DA clients to keep their view of internal resources if the NLS goes down.

      When I get a chance in the coming weeks, I’ll document up a more detailed article on all these steps for everyone. In the meantime, if you have any questions with the above recommendations, feel free to reply.
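A server-side script that carries out the checks and GPO changes listed in the reply above, as an added example; it is not code from the post or from Microsoft. It assumes an elevated PowerShell prompt on the DirectAccess server with the RemoteAccess, DnsServer, GroupPolicy and NetSecurity modules available, and the zone, DNS server, domain, GPO name, management ports and internal IPv6 prefix shown at the top are placeholders to replace.

```powershell
# Added example, not from the original post. Post-install items from the reply above, run
# from an elevated PowerShell prompt on the DirectAccess server (needs the RemoteAccess,
# DnsServer, GroupPolicy and NetSecurity modules; RSAT-DNS-Server for the DNS cmdlets).
# Assumptions not in the post: the names below, the management ports, and that the
# internal network reaches DA clients over the IPv6 prefix(es) in $CorpV6Prefixes.
$Zone           = 'corp.contoso.com'               # zone holding the DA probe records
$DnsServer      = 'dc1.corp.contoso.com'           # a writable DNS server for that zone
$Domain         = 'corp.contoso.com'               # domain the client GPO lives in
$ClientGpo      = 'DirectAccess Client Hardening'  # hypothetical extra GPO for DA clients
$CorpV6Prefixes = @('2001:db8:1::/48')             # internal IPv6 range allowed to manage clients
$MgmtPorts      = @('3389', '5985')                # RDP and WinRM; adjust to your tooling

# 1. Operational status: list any component the console would not show as green.
$unhealthy = Get-RemoteAccessHealth | Where-Object { $_.HealthState -ne 'Working' }
if ($unhealthy) { $unhealthy | Format-Table -AutoSize } else { Write-Host 'Operational status: all components Working' }

# 2. Reporting (inbox accounting) is off by default; turn it on for historical reports.
Set-RemoteAccessAccounting -EnableAccountingType Inbox

# 3. Setup registers the probe records dynamically, so aging/scavenging can delete them.
#    Records added with the DnsServer cmdlets carry no timestamp, i.e. they are static.
foreach ($name in 'directaccess-WebProbeHost', 'directaccess-CorpConnectivityHost') {
    $records = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -Name $name -ErrorAction SilentlyContinue
    if (-not $records) { Write-Warning "$name not found in $Zone"; continue }
    foreach ($r in $records) {
        if (-not $r.Timestamp) { continue }      # no timestamp = already static
        if     ($r.RecordType -eq 'A')    { $ip = $r.RecordData.IPv4Address.IPAddressToString }
        elseif ($r.RecordType -eq 'AAAA') { $ip = $r.RecordData.IPv6Address.IPAddressToString }
        else   { Write-Warning "Skipping $name $($r.RecordType) record"; continue }
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -InputObject $r -Force
        if ($r.RecordType -eq 'A') {
            Add-DnsServerResourceRecordA    -ComputerName $DnsServer -ZoneName $Zone -Name $name -IPv4Address $ip
        } else {
            Add-DnsServerResourceRecordAAAA -ComputerName $DnsServer -ZoneName $Zone -Name $name -IPv6Address $ip
        }
        Write-Host "Re-created $name $($r.RecordType) $ip as a static record"
    }
}

# 4. Client GPO: disable 6to4 and Teredo (IP-HTTPS-only deployment), force the firewall on
#    in the Public and Private profiles, set the two services to Automatic, and allow
#    inbound management from the corporate network.
if (-not (Get-GPO -Name $ClientGpo -ErrorAction SilentlyContinue)) { New-GPO -Name $ClientGpo | Out-Null }

# Policy keys behind 'Set 6to4 State' / 'Set Teredo State' (Computer Configuration >
# Administrative Templates > Network > TCPIP Settings > IPv6 Transition Technologies).
$v6 = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition'
Set-GPRegistryValue -Name $ClientGpo -Key $v6 -ValueName '6to4_State'   -Type String -Value 'Disabled' | Out-Null
Set-GPRegistryValue -Name $ClientGpo -Key $v6 -ValueName 'Teredo_State' -Type String -Value 'Disabled' | Out-Null

# Policy key behind 'Windows Firewall: Protect all network connections', per profile.
foreach ($p in 'PublicProfile', 'PrivateProfile') {
    Set-GPRegistryValue -Name $ClientGpo -Key "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\$p" `
        -ValueName 'EnableFirewall' -Type DWord -Value 1 | Out-Null
}

# Service start type. The console does this under Security Settings > System Services, which
# has no cmdlet; writing the service's Start value (2 = Automatic) as a registry policy is
# the assumption made here. MpsSvc = Windows Firewall, iphlpsvc = IP Helper.
foreach ($svc in 'MpsSvc', 'iphlpsvc') {
    Set-GPRegistryValue -Name $ClientGpo -Key "HKLM\SYSTEM\CurrentControlSet\Services\$svc" `
        -ValueName 'Start' -Type DWord -Value 2 | Out-Null
}

# Inbound management rule written straight into the GPO's firewall policy store. Traffic from
# the internal network to a DA client is IPv6, so the remote address filter is the v6 prefix.
New-NetFirewallRule -PolicyStore "$Domain\$ClientGpo" `
    -DisplayName 'DirectAccess clients: inbound management from corpnet' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $MgmtPorts `
    -RemoteAddress $CorpV6Prefixes -Profile Any | Out-Null

Write-Host "Client GPO '$ClientGpo' updated; link it to the OU holding the DirectAccess clients."
```

The NLS-outage test from the reply is a client-side step and is not in the block: on a domain-joined DirectAccess client on the corporate network, add a hosts-file entry pointing the NLS FQDN at an unreachable address, run `ipconfig /flushdns`, and check `Get-DAConnectionStatus`; a client that can reach the DirectAccess server from inside reports `ConnectedRemotely` rather than an error, which is the behaviour the reply asks customers to allow through their internal and external firewalls. The NLS availability item has no script equivalent either; it is a load-balancer design decision.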

  2. June 2, 2014 at 01:47 #

    Hi! Wow, thank you very much for your very detailed answer! I will follow your instructions now to be able to deploy DA. Our customers are waiting for DA and getting nervous 😉 Later I will study your document. Your blog is great! I recommend it nearly everyday!

    Thank you very much!

    Dietmar
