DirectAccess Client and Server Settings GPOs Deleted

For DirectAccess deployments where domain controllers are running Windows Server 2003 or Windows Server 2003 R2 using the File Replication Service (FRS) for replication, DirectAccess client and server settings Group Policy Objects (GPOs) may be deleted. If these GPOs are deleted, DirectAccess connectivity will be disrupted. If the GPOs cannot be recovered via backup, it will be necessary to rebuild the entire DirectAccess deployment from scratch.

Microsoft recently updated their DirectAccess Unsupported Configurations documentation to reflect new guidance for DirectAccess deployments where the FRS is used for the distribution of Active Directory GPOs. DirectAccess is no longer supported in environments where FRS is used for SYSVOL replication.

What this means is that if you plan to deploy DirectAccess, domain controllers must be running Windows Server 2008 or later, and Distributed File System Replication (DFS-R) must be used for replication.

More details can be found here.
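The following PowerShell is an added example, not part of the original post: it checks whether SYSVOL has been fully migrated from FRS to DFS-R, lists the operating system of each domain controller, and backs up the DirectAccess settings GPOs. It assumes the ActiveDirectory and GroupPolicy RSAT modules are installed, that the GPOs still match the pattern `DirectAccess*Settings` (an assumption about their names), and that `C:\GPOBackup` is a suitable (hypothetical) backup location.

```powershell
# Added example: run from a domain-joined admin workstation or a DC.
Import-Module ActiveDirectory, GroupPolicy

$domain = Get-ADDomain

# 1. SYSVOL replication engine. The FRS-to-DFS-R migration state is stored in
#    msDFSR-Flags on the DFSR-GlobalSettings object in the domain partition.
$dfsrDn     = "CN=DFSR-GlobalSettings,CN=System,$($domain.DistinguishedName)"
$stateNames = @{ 0 = 'Start'; 16 = 'Prepared'; 32 = 'Redirected'; 48 = 'Eliminated' }
try {
    $settings = Get-ADObject -Identity $dfsrDn -Properties 'msDFSR-Flags' -ErrorAction Stop
    $state    = $stateNames[[int]$settings.'msDFSR-Flags']
    if (-not $state) { $state = "Unknown ($($settings.'msDFSR-Flags'))" }
} catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
    # No global settings object: migration was never started, SYSVOL is on FRS.
    $state = 'NotInitialized'
}

if ($state -eq 'Eliminated') {
    Write-Output "SYSVOL migration state: $state (DFS-R only)."
} else {
    Write-Warning "SYSVOL migration state: $state. FRS has not been retired; DirectAccess is unsupported here."
}

# 2. Domain controller operating systems (Windows Server 2008 or later is required).
Get-ADDomainController -Filter * |
    Sort-Object HostName |
    Select-Object HostName, OperatingSystem

# 3. Back up the DirectAccess client and server settings GPOs.
$backupRoot = 'C:\GPOBackup'                      # hypothetical path
$target     = Join-Path $backupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $target -Force | Out-Null

$daGpos = Get-GPO -All | Where-Object { $_.DisplayName -like 'DirectAccess*Settings' }
if (-not $daGpos) {
    Write-Warning 'No GPOs matched DirectAccess*Settings; adjust the pattern to your GPO names.'
}
foreach ($gpo in $daGpos) {
    Backup-GPO -Guid $gpo.Id -Path $target -Comment "DirectAccess backup, SYSVOL state: $state" |
        Select-Object DisplayName, Id, BackupDirectory
}
```

Store the backup folder off the domain controllers so it survives a SYSVOL replication problem.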


4 Comments

  1. Zack

     /  July 29, 2015

    We actually ran into this and it was not fun. Luckily we were able to grab a backup of the GPO off of a DC that hadn’t replicated yet and restored it. Somehow we had made it all the way to 2012R2 DCs without migrating to DFSR. We just recently did the migration so it’s ironic that this just got posted.

    • I’ve heard plenty of anecdotal stories about deleted GPOs, so I’m sure this was probably the root cause all along. I make it a practice to export GPOs immediately after configuration, just for good measure. 🙂

  2. upen desai

     /  November 16, 2016

    Hi

    I hope you can help. With our DirectAccess implementation on Windows 2012, what is the best way to get the devices to have mapped drives?

    Can the DirectAccess Client Settings GPO, which is created during the install wizard, be amended to map drives?

    Many thanks
    Upen Desai

    • If you want to map network drives for DirectAccess clients, you can use GPOs to do that easily. However, it is not recommended to edit the existing DirectAccess client and/or server settings GPOs. It is recommended to create new separate GPOs to apply any additional settings required for DirectAccess clients.
