
How To Setup Your Own Direct Access Lab With Windows Server 2012

Mark Morowczynski [MSFT]

19 Aug 2013 12:00 AM
Hello there! Welcome to this edition of the Ask PFEPlat Blog. I'm Tom Daniels with the PFE team, here to show
you how to set up a basic DirectAccess server configuration. The instructions below will get you set up to allow
Windows 8 clients to connect to your new DirectAccess server. It's possible to get Windows 7 clients to connect
to a Windows 2012 DirectAccess server, but there are a few more steps and we'll cover them another time. First
we are going to get into some checklist items you should cover with any DirectAccess install, which starts
below.
I wanted to build a running list of pre-setup checklist items you will want to do with every DirectAccess
install. First and foremost, you are going to need a licensed copy of Windows 2012 installed. You can choose
either Windows 2012 Standard or Datacenter Edition; both have exactly the same DirectAccess technical
feature set. Once you've got the OS installed, the next step is to add the Remote Access role. This is the piece
that's going to provide the base components for us to get DirectAccess configured later. Go into Add
Roles and Features and check the Remote Access role as shown below:

After you select the role, it will prompt you to install some additional components; just select
Add Features to continue:

At this point you can keep hitting Next until the Install option becomes available. This will install all the Remote
Access components needed to get started with DirectAccess. After all of these are installed, it's very important to
ensure you download all available Windows Updates for the OS. Not only do we release security updates
each month; starting with Windows 8 and Windows 2012 we have also been releasing monthly reliability
updates that contain fixes for many OS components, including DirectAccess. You can refer to the
following article for more information:
http://blogs.technet.com/b/askpfeplat/archive/2013/05/13/update-rollups-for-windows-server-2012-and-windows-8-explained.aspx
We release these every single month and it's very important to include them in your patch installs for Windows
2012 and Windows 8 systems. When building a new DirectAccess server, grab all of the monthly updates as part
of the build process.
Once you have your new Windows 2012 server fully patched and the Remote Access role installed, there is one
final list of DirectAccess server related hotfixes to grab to avoid hitting known issues with the DirectAccess
setup wizards. I would recommend downloading and installing every single one of these hotfixes for any
DirectAccess install:
http://support.microsoft.com/kb/2782560
http://support.microsoft.com/kb/2788525
http://support.microsoft.com/kb/2836232
http://support.microsoft.com/kb/2859347
http://support.microsoft.com/kb/2845152
http://support.microsoft.com/kb/2844033
http://support.microsoft.com/kb/2855269
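The role install and the hotfix check above can be done from an elevated PowerShell prompt on the server instead of by clicking through the wizard. The script below is an added example, not code from the original post; the KB numbers are the ones listed in the post, and the feature name DirectAccess-VPN is the Windows Server 2012 role service that the Remote Access role installs.

```powershell
# Added example (not from the blog post): install the Remote Access role and
# confirm that the DirectAccess hotfixes listed in the post are present.
# Run elevated on the future DirectAccess server.

# 1. Install the Remote Access role with the DirectAccess and VPN role service
#    plus the management tools (equivalent to the Add Roles and Features wizard).
$feature = Install-WindowsFeature -Name DirectAccess-VPN -IncludeManagementTools
if (-not $feature.Success) {
    throw "Remote Access role installation failed (exit code: $($feature.ExitCode))"
}
if ($feature.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required before configuring DirectAccess.'
}

# 2. Hotfix list taken from the post above.
$requiredKbs = @(
    'KB2782560', 'KB2788525', 'KB2836232', 'KB2859347',
    'KB2845152', 'KB2844033', 'KB2855269'
)

# 3. Compare against what is installed. Get-HotFix reads Win32_QuickFixEngineering,
#    so a hotfix that was superseded by a later rollup may not show under its
#    original KB number; treat a "missing" entry as something to verify, not as proof.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missing   = $requiredKbs | Where-Object { $installed -notcontains $_ }

if ($missing) {
    Write-Warning "DirectAccess hotfixes not found on this server: $($missing -join ', ')"
    # Print the download URL for each one, using the KB URL pattern from the post.
    $missing | ForEach-Object { "http://support.microsoft.com/kb/$($_ -replace '^KB', '')" }
} else {
    Write-Output 'All listed DirectAccess hotfixes are installed.'
}
```

Run the Windows Update pass first, then this script, so that the reliability rollups the post describes are already in place when the hotfix comparison runs.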
Once you have all of the Windows Updates and the list of hotfixes above installed, we can begin the basic setup for
your new DirectAccess server. Let's start by opening the Remote Access Management snap-in and then
selecting Run the Getting Started Wizard as shown below:

The next option you are presented with asks whether you want to run this Remote Access server as a combined
DirectAccess and VPN server, as a DirectAccess server only, or as a VPN server only:

It's entirely possible to run this server as your central Remote Access solution, providing DirectAccess for your
domain-joined Windows 7 and 8 machines while allowing VPN for other devices. In this scenario we are
going to cover a DirectAccess-only deployment, so select option two (Deploy DirectAccess only). After you
select your option, the setup wizard will analyze the OS configuration, network stack, and other prerequisites to
ensure the server is ready for DirectAccess to be configured.
The next screen asks about the network topology you would like to use with
DirectAccess:

The first option configures the server on the edge (your external-facing network card has a public IPv4
address); the second configures the server behind an edge device (the external-facing network card
has a NATed IPv4 address); the third uses a single network card behind the
edge. Select whichever profile best represents the server's network configuration. You will also have to either
create an external DNS entry and enter it in the box at the bottom, or enter the Internet-facing IPv4 address
clients will use to connect.
The final screen gives you a chance to review the configuration settings before
applying them. I highly recommend you click on the "here" link that's highlighted in blue:

There are a couple of important items to review. The first is the names of the GPOs that will be created. Two
GPOs get created at the root of your domain by default. The first one is called DirectAccess Server
Settings by default. This new GPO will be linked to the root of your domain but uses security filtering to apply only to
the DirectAccess server computer object. This GPO holds critical settings for the DirectAccess server itself
and always needs to be applied.
The second GPO that gets created is called DirectAccess Client Settings. As the name says, this GPO
is also linked to the root of the domain, and again security filtering is used to scope the GPO to your
DirectAccess clients.
An important note is that you can change the names of these GPOs only during creation, on this
screen. From then on these will be the permanent names of the GPOs, so feel free to change them to suit
your environment now.
After reviewing the GPO names, the second item to pay attention to is the Remote Clients section, which includes
the AD security group that will be used to security-filter the DirectAccess Client Settings GPO. The default out
of the box is to apply the DirectAccess Client Settings GPO to all Domain Computers that are mobile-class hardware (a
WMI filter is used to determine whether a machine is a mobile computer). I would HIGHLY advise changing the scope to
a different security group. Best practice is to create a new security group in AD and use it
as your DirectAccess Remote Clients scope. You will just need to remember to add new DirectAccess clients to
this AD security group when you want to push out DirectAccess settings. Be sure you add computer accounts to
this newly created AD security group, not user accounts, since DirectAccess GPO settings are computer-specific:

Now you can hit the Finish button to create the GPOs and finalize the DirectAccess server and client settings. A
progress screen will pop up and show the current status. You can click on the More Details section to see
what's happening under the covers, as shown here:

Make sure this finishes all green and you will be set! One final fun fact about this progress screen is that you
can right-click on the bottom pane and expose an option called Copy Script:

This gives you the exact PowerShell commands that were run to configure DirectAccess!

This is great in case you ever need to set up DirectAccess again quickly using PowerShell. It's also possible to
run DirectAccess on Server Core, and PowerShell is the only way to configure a new DirectAccess server there.
Now you will need to open TCP/443 on your edge firewall to the DirectAccess server, and then you should
be ready to have your Windows 8 DirectAccess clients connect. We walked you through using the quick setup
wizard, which is great for a quick install for Windows 8 DirectAccess clients only. It is fine for a lab or
a small pilot, but I would caution against using it for a production install of DirectAccess. The full setup wizard
is much better suited to a production install, as it asks the many additional questions needed for a proper deployment.
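The script the wizard offers under Copy Script is built from the RemoteAccess module cmdlets. The block below is an added example, not the wizard's own generated output, showing the same sequence of decisions made above (prerequisite check, DirectAccess only, server behind a NAT edge device, explicit GPO names, and the client scope moved from Domain Computers to a dedicated computer-account group). The domain contoso.com, the public name da.contoso.com, the adapter names Internal and External, and the group DA Clients are placeholders you would replace with your own values; the group must already exist in AD and contain computer accounts.

```powershell
# Added example (not the wizard's generated script): configure a DirectAccess-only
# deployment with the RemoteAccess module, mirroring the Getting Started wizard.
# Placeholders: contoso.com, da.contoso.com, 'Internal', 'External', 'DA Clients'.
Import-Module RemoteAccess

$domain      = 'contoso.com'
$publicName  = 'da.contoso.com'          # external DNS name clients connect to over TCP/443
$clientGroup = "$domain\DA Clients"      # dedicated group of COMPUTER accounts, created beforehand

# 1. Prerequisite checks only; this is what the wizard runs before showing the
#    network topology page. It throws if the server is not ready.
Install-RemoteAccess -DAInstallType FullInstall -ConnectToAddress $publicName -Prerequisite

# 2. Deploy DirectAccess only (wizard option two). -DeployNat selects the
#    "behind an edge device" topology with separate internal and Internet adapters.
#    GPO names cannot be changed after creation, so set them deliberately here.
Install-RemoteAccess -DAInstallType FullInstall `
    -ConnectToAddress  $publicName `
    -InternalInterface 'Internal' `
    -InternetInterface 'External' `
    -DeployNat `
    -ServerGpoName "$domain\DirectAccess Server Settings" `
    -ClientGpoName "$domain\DirectAccess Client Settings" `
    -Force

# 3. Replace the default client scope (Domain Computers, limited to mobile
#    hardware by a WMI filter) with the dedicated security group, and drop the
#    mobile-only filter so membership of the group alone decides who gets the policy.
Remove-DAClient -SecurityGroupNameList @("$domain\Domain Computers") -Force
Set-DAClient    -OnlyRemoteComputers Disabled
Add-DAClient    -SecurityGroupNameList @($clientGroup) -Force

# 4. Verify the resulting scope and overall health before opening TCP/443 on the edge.
Get-DAClient | Select-Object SecurityGroupNameList, OnlyRemoteComputers
Get-RemoteAccessHealth |
    Where-Object { @('OK', 'Disabled') -notcontains $_.HealthState } |
    Select-Object Component, HealthState
```

Keeping the client scope on a group you control, rather than on Domain Computers, is what limits the reach of the DirectAccess Client Settings GPO; the final Get-DAClient call is the place to confirm that Domain Computers is no longer listed before any client is expected to pick up the policy.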
Remote Access Cmdlets in Windows PowerShell
Windows Server 2012 R2 and Windows 8.1
Updated: October 17, 2013
Applies To: Windows 8.1, Windows PowerShell 4.0, Windows Server 2012 R2
Windows PowerShell is a task-based command-line shell and scripting language designed
especially for system administration. This reference topic for the information technology (IT)
professional provides assistance in utilizing the Windows PowerShell cmdlets to script and
automate tasks.
Remote Access
This reference provides cmdlet descriptions and syntax for all Remote Access-specific cmdlets.
It lists the cmdlets in alphabetical order based on the verb at the beginning of the cmdlet.

Cmdlet  Description
Add-BgpCustomRoute  Adds custom routes to the BGP routing table.
Add-BgpPeer  Adds a BGP peer to the current router.
Add-BgpRouter  Adds a BGP router.
Add-BgpRoutingPolicy  Adds a BGP routing policy to the policy store.
Add-BgpRoutingPolicyForPeer  Adds BGP routing policies to BGP peers.
Add-DAAppServer  Adds a new application server security group to the DirectAccess (DA) deployment, adds application servers to an application server security group that is already part of the DirectAccess deployment, and adds or updates the application server Group Policy Object (GPO) in a domain.
Add-DAClient  Adds one or more client computer security groups (SGs) to the DirectAccess (DA) deployment, adds one or more DA client Group Policy Objects (GPOs) in one or more domains, adds one or more SGs of down-level clients to the DA deployment in a multi-site deployment, or adds one or more down-level DA client GPOs in one or more domains in a multi-site deployment.
Add-DAClientDnsConfiguration  Adds the specified DNS suffix, DNS server addresses, or proxy server set to the Name Resolution Policy Table (NRPT).
Add-DAEntryPoint  Adds an entry point to a multi-site deployment.
Add-DAMgmtServer  Adds the specified management servers to the DirectAccess (DA) deployment.
Add-RemoteAccessIpFilter  Adds filters for traffic that passes through an interface.
Add-RemoteAccessLoadBalancerNode  Adds a server to the load balancing cluster.
Add-RemoteAccessRadius  Adds a new external RADIUS server for VPN authentication, accounting for DirectAccess (DA) and VPN, or one-time password (OTP) authentication for DA.
Add-VpnIPAddressRange  Adds a new IPv4 address range from which IPv4 addresses can be assigned to VPN clients.
Add-VpnS2SInterface  Creates a site-to-site (S2S) interface with the specified parameters.
Clear-RemoteAccessInboxAccountingStore  Clears the inbox accounting store for the specified time period.
Clear-VpnS2SInterfaceStatistics  Clears statistics for a site-to-site (S2S) interface.
Connect-VpnS2SInterface  Connects a site-to-site (S2S) interface that is currently not connected.
Disable-DAMultiSite  Disables a multi-site deployment that contains a single entry point.
Disable-DAOtpAuthentication  Disables one-time password (OTP) authentication for DirectAccess (DA) users.
Disable-RemoteAccessRoutingDomain  Disables remote access functions for a routing domain.
Disconnect-VpnS2SInterface  Disconnects a site-to-site (S2S) interface that is currently connected.
Disconnect-VpnUser  Disconnects a VPN connection originated by a specific user or originating from a specific client computer.
Enable-DAMultiSite  Enables and configures a multi-site deployment, and adds the first entry point.
Enable-DAOtpAuthentication  Enables and configures one-time password (OTP) authentication for DirectAccess (DA) users.
Enable-RemoteAccessRoutingDomain  Enables VPN or S2S functions for a specified routing domain.
Get-BgpCustomRoute  Gets custom route information from the BGP router.
Get-BgpPeer  Gets configuration information for BGP peers.
Get-BgpRouteInformation  Gets route information for network prefixes from the BGP router.
Get-BgpRouter  Gets configuration information for BGP routers.
Get-BgpRoutingPolicy  Gets configuration information for BGP routing policies.
Get-BgpStatistics  Retrieves BGP peering-related message and route advertisement statistics.
Get-DAAppServer  Displays the list of application server security groups that are part of the DirectAccess (DA) deployment and the properties of the connections made to the groups.
Get-DAClient  Displays the list of client security groups that are part of the DirectAccess (DA) deployment and the client properties.
Get-DAClientDnsConfiguration  Displays all the Name Resolution Policy Table (NRPT) entries and the local name resolution property.
Get-DAEntryPoint  Displays the settings for an entry point.
Get-DAEntryPointDC  Retrieves a list of entry points and the associated domain controllers (DCs).
Get-DAMgmtServer  Displays the configured management servers. Management server here refers to update servers, domain controllers, and other servers.
Get-DAMultiSite  Retrieves global settings applied to all entry points in a multi-site deployment.
Get-DANetworkLocationServer  Displays the detailed Network Location Server (NLS) configuration.
Get-DAOtpAuthentication  Displays one-time password (OTP) authentication settings for DirectAccess (DA).
Get-DAServer  Displays the properties of the DirectAccess (DA) server.
Get-RemoteAccess  Displays the configuration of DirectAccess (DA) and VPN (both Remote Access VPN and site-to-site VPN).
Get-RemoteAccessAccounting  Displays the accounting configuration for Remote Access, such as the different types of accounting that are enabled and the respective configuration.
Get-RemoteAccessConfiguration  Retrieves the remote access configuration.
Get-RemoteAccessConnectionStatistics  Displays the statistics of real-time, currently active DirectAccess (DA) and VPN connections and the statistics of DA and VPN historical connections for a specified time duration.
Get-RemoteAccessConnectionStatisticsSummary  Displays the summary statistics of real-time, currently active DirectAccess (DA) and VPN connections and the summary statistics of DA and VPN historical connections for a specified time duration.
Get-RemoteAccessHealth  Obtains the current health of a Remote Access (RA) deployment.
Get-RemoteAccessIpFilter  Retrieves IP filters on an interface.
Get-RemoteAccessLoadBalancer  Displays load balanced cluster settings.
Get-RemoteAccessRadius  Displays the list of RADIUS servers, including RADIUS for VPN authentication, RADIUS for DirectAccess (DA) and VPN accounting, and RADIUS for one-time password (OTP) authentication for DA.
Get-RemoteAccessRoutingDomain  Retrieves configuration information for a routing domain.
Get-RemoteAccessUserActivity  Displays the resources accessed over the active DirectAccess (DA) and VPN connections and the resources accessed over historical DA and VPN connections.
Get-RoutingProtocolPreference  Displays preferences for routing protocols.
Get-VpnAuthProtocol  Retrieves authentication parameters configured on a VPN server.
Get-VpnS2SInterface  Retrieves configuration details for a site-to-site (S2S) interface.
Get-VpnS2SInterfaceStatistics  Retrieves statistics of a site-to-site (S2S) interface.
Get-VpnServerConfiguration  Gets VPN server properties.
Install-RemoteAccess  Performs prerequisite checks for DirectAccess (DA) to ensure that it can be installed, installs DA for remote access (RA) (includes management of remote clients) or for management of remote clients only, and installs VPN (both Remote Access VPN and site-to-site VPN).
Remove-BgpCustomRoute  Removes custom routes from the BGP router.
Remove-BgpPeer  Removes BGP peers from a router.
Remove-BgpRouter  Removes the BGP router for tenants.
Remove-BgpRoutingPolicy  Removes routing policies from the policy store.
Remove-BgpRoutingPolicyForPeer  Removes routing policies from BGP peers.
Remove-DAAppServer  Removes the specified list of application server security groups (SGs) from the DirectAccess (DA) deployment, removes the specified application servers from the specified DA application server SG, and removes the application server Group Policy Objects (GPOs) in the specified domains.
Remove-DAClient  Removes one or more client computer security groups (SGs) from the DirectAccess (DA) deployment, removes one or more DA client Group Policy Objects (GPOs) from domains, removes one or more SGs of down-level clients (down-level clients can connect only to the specified site) from the DA deployment in a multi-site deployment, and removes one or more down-level DA client GPOs from domains in a multi-site deployment.
Remove-DAClientDnsConfiguration  Removes the Name Resolution Policy Table (NRPT) entry corresponding to the specified DNS suffix from the NRPT.
Remove-DAEntryPoint  Removes an entry point from a multi-site deployment.
Remove-DAMgmtServer  Removes the specified management servers from the DirectAccess (DA) deployment.
Remove-RemoteAccessIpFilter  Removes an IP filter for an interface.
Remove-RemoteAccessLoadBalancerNode  Removes a server from the network load balancing (NLB) cluster.
Remove-RemoteAccessRadius  Removes an external RADIUS server from being used for VPN authentication, accounting for both DirectAccess (DA) and VPN, or one-time password (OTP) authentication for DA.
Remove-VpnIPAddressRange  Removes an existing IPv4 address range from the pool for IP address assignment.
Remove-VpnS2SInterface  Removes a specified site-to-site (S2S) interface.
Set-BgpPeer  Modifies BGP peer configuration.
Set-BgpRouter  Modifies the local BGP router configuration.
Set-BgpRoutingPolicy  Modifies a routing policy configuration.
Set-BgpRoutingPolicyForPeer  Modifies BGP routing policies for BGP peers.
Set-DAAppServerConnection  Configures the properties of the connection to application servers and the IPsec security traffic protection policies for the connection.
Set-DAClient  Configures the properties related to a DirectAccess (DA) client.
Set-DAClientDnsConfiguration  Configures the DNS server and proxy server addresses of a Name Resolution Policy Table (NRPT) entry and configures the local name resolution property.
Set-DAEntryPoint  Configures settings for the entry point.
Set-DAEntryPointDC  Modifies domain controller (DC) settings for the entry point.
Set-DAMultiSite  Configures global settings for all entry points in a multi-site deployment.
Set-DANetworkLocationServer  Configures the Network Location Server (NLS).
Set-DAOtpAuthentication  Configures one-time password (OTP) authentication settings for DirectAccess (DA).
Set-DAServer  Sets the properties specific to the DirectAccess (DA) server.
Set-RemoteAccess  Modifies the configuration that is common to both DirectAccess (DA) and VPN, such as the SSL certificate, the internal interface, and the Internet interface.
Set-RemoteAccessAccounting  Sets the enabled state for inbox and RADIUS accounting, for both external RADIUS and Windows accounting, and configures the settings when enabled.
Set-RemoteAccessConfiguration  Modifies the configuration of a remote access role.
Set-RemoteAccessInboxAccountingStore  Modifies the size of the inbox accounting store.
Set-RemoteAccessIpFilter  Modifies the IP filter action.
Set-RemoteAccessLoadBalancer  Configures load balancing on the Remote Access server or the cluster server.
Set-RemoteAccessRadius  Edits the properties associated with an external RADIUS server being used for VPN authentication, accounting for DirectAccess (DA) and VPN, and one-time password (OTP) authentication for DA.
Set-RemoteAccessRoutingDomain  Configures S2S VPN settings for a routing domain configuration.
Set-RoutingProtocolPreference  Configures preferences for routing protocols.
Set-VpnAuthProtocol  Sets the authentication method for incoming site-to-site (S2S) VPN interfaces on a Routing and Remote Access (RRAS) server.
Set-VpnAuthType  Sets the authentication type to be used for connecting to a VPN.
Set-VpnIPAddressAssignment  Configures the IPv4 address assignment method or the IPv6 prefix for IPv6 address assignment.
Set-VpnS2SInterface  Modifies parameters for a site-to-site (S2S) interface.
Set-VpnServerConfiguration  Configures VPN server properties.
Start-BgpPeer  Starts routing sessions for BGP peers.
Stop-BgpPeer  Stops routing sessions for BGP peers.
Uninstall-RemoteAccess  Uninstalls DirectAccess (DA) and VPN, both remote access VPN and site-to-site VPN.
Update-DAMgmtServer  Updates the list of management servers of the DirectAccess (DA) deployment.
Note
To list all the cmdlets that are available, use the Get-Command -Module RemoteAccess
cmdlet.
For more information about, or for the syntax of, any of the cmdlets, use the Get-Help <cmdlet
name> cmdlet, where <cmdlet name> is the name of the cmdlet that you want to research. For
more detailed information, you can run any of the following cmdlets:

Get-Help <cmdlet name> -Detailed
Get-Help <cmdlet name> -Examples
Get-Help <cmdlet name> -Full
