Running the DirectAcces Quick Setup Wizard

This posting we are going to cover how to setup a basic DirectAccess server configuration.  These instructions below will get you setup to allow Windows 8 clients to connect to your new DirectAccess server.  It’s possible to get Windows 7 clients to connect to a Windows 2012 DirectAccess server but there are a few more steps and we’ll cover them another time.

Once you get all the Windows Updates and list of recommended DirectAccess server hotfixes installed , we can begin the basic setup for your new DirectAccess server.  You can refer here for the recommended hotfix list :

Now let’s start by opening up the Remote Access management snap-in and then selecting the “Run the Getting Started Wizard” as shown below :

DirectAccess Getting Started Wizard

DirectAccess Getting Started Wizard

The next option you are presented with asks if you want to run this Remote Access server as a combination DirectAccess & VPN server, just a DirectAccess server, or just a VPN server :



It’s entirely possible to run this server as your central Remote Access solution providing DirectAccess for your domain joined Windows 7 & 8 machines while allowing VPN for other devices.  In this scenario, we are just going to cover a DirectAccess deployment only so select option two (Deploy DirectAccess only).  After you select your option, the setup wizard will analyze the OS configuration, network stack, and other prerequisites to ensure the server is ready to configure DirectAccess.

The next screen that gets presented will ask you about the network configuration you would like to use with DirectAccess :

DirectAccess Network Topology Options

DirectAccess Network Topology Options

It will ask if you want to configure the server on the edge (if your external facing network card has a public IPv4 address), second option is to configure the server behind an edge device (if the external facing network card has a NATed IPv4 address), or the third option presented is if you want to use a single network card behind the edge.  Select which network profile best represents the server network configuration.  You will also have to either create an external DNS entry and enter in the box at the bottom or enter in the Internet facing IPv4 address clients will use to connect.

The last and final screen that gets presented will give you a chance to review the configuration settings before applying them.  I highly recommend you click on the “here” text that’s highlighted in blue :

DirectAccess Settings Review

DirectAccess Settings Review

There are a couple of important items to review.  First one is the name of the GPOs that will be created.  Two GPOs get created at the root of your domain by default.  The first one by default is called “DirectAccess Server Settings”.  This new GPO will be linked to the root of your domain but will use security filtering to only apply to the DirectAccess server computer object directly.  This GPO has critical settings for the DirectAccess server itself and always needs to be applied.

The second GPO that gets created is one called “DirectAccess Client Settings”.  Just like the name mentions, this GPO will be linked to the root of the domain but again we use security filtering to scope the GPO to your DirectAccess clients. Important note is that you can change the name of the GPOs that get created only during creation in this screen.  Moving forward these will be the permanent names of the GPOs so feel free to change them to suit your environment at this time. After reviewing the GPO names, the second item to pay attention is the Remote Clients section which includes the AD security group that will be used to security filter the “DirectAccess Client Settings” GPO.  The default out of the box is to apply the DirectAccess Clients GPO to all Domain Computers that are mobile class hardware (we use a WMI filter to determine if a machine is a mobile computer).  I would HIGHY advice changing the scope to a different security group.  Best practice is to create a new security group in AD and use this new security group as your DirectAccess Remote Clients scope.  You will just need to remember to add new DirectAccess clients into this AD security group when you want to push out DirectAccess settings.  Be sure you add computer accounts to this newly created AD security group, not user accounts since DirectAccess GPO settings are computer specific :

Remote Access Review

Remote Access Review

Now you can hit the finish button to create the GPOs and finalize the DirectAccess server and clients.  A progress screen will pop up and give you the current status.  You can click on the “more details” section to see what’s happening under the covers as shown here :

Good DA Status

Good DA Status

Make sure this finishes up all green and you will be set!  One final fun fact about this progress screen is that you can right click on the bottom pane and expose an option called “copy script” :

Copy Script

Copy Script

This will actually give you the exact PowerShell command that was run to configure the DirectAccess!

DirectAccess PowerShell Command

DirectAccess PowerShell Command

This is great in case you ever need to setup DirectAccess again quickly using PowerShell.  It’s also possible to run DirectAccess on server core and this would be the only way to configure a new DirectAccess server.
Now you will need to open up TCP/443 on your edge firewall to the DirectAccess server and then you should be ready to have your Windows 8 DirectAccess clients connect.  We walked you though using the quick setup wizard and is great for a quick install for Windows 8 DirectAccess clients only.  This is great to setup in the lab or a small pilot but I would caution against using this for a production install of DirectAccess.  The full setup wizard is much better suited for a production install as it will ask many more questions needed for a proper install.
Hopefully these setups will get you started with DirectAccess.

Tags: , , , , , , , , , , , , , ,

Categories: Install Tips

2 Comments on “Running the DirectAcces Quick Setup Wizard”

  1. KurtBuff
    February 27, 2015 at 09:58 #

    Love this resource, but am looking for the post (if there is one) on connecting Win7 clients.

    We’re on top of upgrading from UAG SP1 to 2012R2 for DirectAccess, and have a mix of Win7 and Win8.1 machines in the field.

    From what I’ve been reading, Win7 clients require an edge deployment, dual tunnels and a PKI, but I’m getting pushback from my manager on this, who wants (understandably) to put the DirectAccess server behind our firewall.

    Can you point me to more definitive documentation on this?


    • March 10, 2015 at 21:28 #

      Hi Kurt,

      You don’t need to deploy using the edge profile on the DirectAccess servers for a Windows 7 and 8 client deployment. I would recommend you either go with the single or dual NIC behind the edge. This will simply the overall configuration a lot and you will only need to open up a single port inbound from the Internet (TCP/443).

      You will need to have an internal PKI in order to deploy DirectAccess especially if you have Windows 7 clients. Do you already have an internal CA?

      – Tom

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: