DirectAccess and Windows 10 Better Together

With the release of Windows 10, many organizations who chose to skip Windows 8 are now beginning to deploy this new client operating system. To maximize the investment in Windows 10, DirectAccess can be leveraged to provide employees with seamless, transparent, always-on, secure remote corporate network connectivity. DirectAccess has been around for many years, and today the most popular DirectAccess client is Windows 7. However, Windows 10 provides better support for DirectAccess features that enhance performance and availability, while at the same time making it easier to implement and support. Windows 10 opens up many new and compelling deployment scenarios, from small businesses to large-scale enterprises.

Full Support for Geographic Redundancy

Without a doubt the most important DirectAccess feature Windows 10 supports is automatic entry point selection and transparent failover for multisite deployments. DirectAccess multisite deployment provides essential geographic redundancy for organizations with multiple physical locations. Windows 7 has only minimal support for multisite deployment, with clients required to be assigned to a single entry point. Windows 10 clients are aware of all entry points and will intelligently select the closest entry point when establishing a DirectAccess connection. If the entry point becomes unavailable during the connection, Windows 10 clients will transparently connect to another entry point automatically.

Better Scalability and Performance

Windows 10, like Windows 8 before it, includes support for IP-HTTPS null encryption. This feature greatly improves scalability on the DirectAccess server by eliminating the needless double encryption that Windows 7 clients perform. This reduces resource consumption on the server and enables the server to support many more DirectAccess client connections.

Enhanced Supportability

Many will also appreciate Windows 10’s built-in DirectAccess connectivity status indicator. No longer will administrators have to deploy, manage, and maintain additional software to provide this essential functionality.

To access DirectAccess information in Windows 10, press Windows Key + I, click Network & Internet, and then click the DirectAccess tab. Here you will find vital details about DirectAccess configuration and status, such as connection state, the currently connected entry point, and a site selection drop-down box (if manual site selection is enabled by an administrator). In addition, you can generate and collect log information for troubleshooting purposes.

Native PowerShell Support

Anyone tasked with troubleshooting DirectAccess configuration and connectivity issues will appreciate the native PowerShell integration with DirectAccess in Windows 10. With just a few commands a wealth of information about DirectAccess configuration and connectivity status can be obtained.

Need to quickly determine if a Windows 10 client has been provisioned for DirectAccess successfully?

Get-DAClientExperienceConfiguration

Has the Windows 10 client connected successfully? If not, why?

Get-DAConnectionStatus

Need to identify the Network Location Server (NLS) the client is configured to use?

Get-NCSIPolicyConfiguration

Looking for DirectAccess multisite entry point details and connection status?

Get-DAEntryPointTableItem
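The four cmdlets above can be combined into a single client health report. The script below is an added example written for this page; it is not code from the original post or from Microsoft. It assumes a Windows 8.1 or Windows 10 Enterprise/Education client on which the DirectAccess client cmdlets are present, and the function names Get-DAClientHealth and Test-DACorporateResource are my own. The property names it reads either appear in output quoted elsewhere on this page (FriendlyName, ForceTunneling, ManualEntryPointSelectionAllowed, CorporateResources, IPsecTunnelEndpoints, Namespace, DirectAccessDnsServers) or are the cmdlets' documented output properties (Status, Substatus, DomainLocationDeterminationUrl, EntryPointName).

```powershell
# Added example, not from the original post: a one-shot DirectAccess client
# health report built on Get-DAClientExperienceConfiguration,
# Get-DAConnectionStatus, Get-NCSIPolicyConfiguration and
# Get-DAEntryPointTableItem. Nothing is hard-coded; every name comes from
# the client's own policy.

function Get-DAClientHealth {
    [CmdletBinding()]
    param()

    $r = [ordered]@{}

    # Provisioning: the DirectAccess Client Settings GPO must have applied at least once.
    $exp = Get-DAClientExperienceConfiguration -ErrorAction SilentlyContinue
    $r.Provisioned = [bool]$exp
    if ($exp) {
        $r.FriendlyName         = $exp.FriendlyName
        $r.ForceTunneling       = $exp.ForceTunneling
        $r.ManualSiteSelection  = $exp.ManualEntryPointSelectionAllowed
        $r.CorporateResources   = @($exp.CorporateResources)
        $r.IPsecTunnelEndpoints = @($exp.IPsecTunnelEndpoints)
    }

    # Connection state: Substatus says *why* the client is not connected
    # (for example NameResolutionFailure or RemoteNetworkAuthenticationFailure).
    $st = Get-DAConnectionStatus -ErrorAction SilentlyContinue
    $r.Status    = if ($st) { $st.Status }    else { 'Unknown' }
    $r.Substatus = if ($st) { $st.Substatus } else { 'Unknown' }

    # Network Location Server URL: must be reachable only from inside the network.
    $ncsi = Get-NCSIPolicyConfiguration -ErrorAction SilentlyContinue
    $r.NlsUrl = if ($ncsi) { $ncsi.DomainLocationDeterminationUrl } else { $null }

    # Multisite: every entry point the client knows about.
    $r.EntryPoints = @(Get-DAEntryPointTableItem -ErrorAction SilentlyContinue |
        ForEach-Object { $_.EntryPointName })

    # NRPT: namespaces whose queries are sent to the DirectAccess DNS servers.
    $r.NrptNamespaces = @(Get-DnsClientNrptPolicy -ErrorAction SilentlyContinue |
        Where-Object { $_.DirectAccessDnsServers } |
        ForEach-Object { $_.Namespace })

    # Network Connectivity Assistant: if it is stopped, the Settings UI shows nothing.
    $svc = Get-Service -Name NcaSvc -ErrorAction SilentlyContinue
    $r.NcaSvcRunning = [bool]($svc -and $svc.Status -eq 'Running')

    [pscustomobject]$r
}

function Test-DACorporateResource {
    # Probes one entry from CorporateResources or IPsecTunnelEndpoints. Entries use
    # the form "<TYPE>:<target>", e.g. "HTTP:http://probe.corp.example" or
    # "PING:fd00::1". These are the probes the client itself uses to decide whether
    # it is connected, so a tunnel that passes traffic while the UI shows
    # "connecting" is frequently just a broken probe host.
    param(
        [Parameter(Mandatory)][string]$Resource,
        [int]$TimeoutSec = 5
    )

    $type, $target = $Resource.Split(':', 2)   # split once; IPv6 targets contain ':'
    $ok = switch ($type.ToUpperInvariant()) {
        'HTTP' {
            try { $null = Invoke-WebRequest -Uri $target -UseBasicParsing -TimeoutSec $TimeoutSec; $true }
            catch { $false }
        }
        'PING'  { Test-Connection -ComputerName $target -Count 1 -Quiet -ErrorAction SilentlyContinue }
        default { $null }   # unknown probe type: leave undecided rather than guess
    }
    [pscustomobject]@{ Resource = $Resource; Type = $type; Target = $target; Reachable = $ok }
}

# Usage: print the report, then probe every resource the client is configured to check.
$health = Get-DAClientHealth
$health | Format-List
if ($health.Provisioned) {
    ($health.CorporateResources + $health.IPsecTunnelEndpoints) |
        ForEach-Object { Test-DACorporateResource -Resource $_ } |
        Format-Table -AutoSize
}
```

Run it in the logged-on user's context rather than from an elevated prompt started with a different account, since Get-DAConnectionStatus reports the state of the user tunnel for the session it runs in. A report showing Provisioned = True and NcaSvcRunning = False is the case where the DirectAccess entry is missing from Network & Internet; Status = Error with a NameResolutionFailure substatus while file shares work points at the HTTP probe host rather than at the tunnel.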

PKI Optional (But Recommended)

Finally, when Windows 10 (and Windows 8.x) clients are supported exclusively, a Public Key Infrastructure (PKI) is optional. In that case the Kerberos Proxy is leveraged to perform DirectAccess client authentication, which reduces infrastructure requirements by eliminating the need for a PKI. However, this configuration offers only limited support for DirectAccess features. For example, a PKI is still required if any Windows 7 clients are deployed. A PKI is also required to support features such as one-time password (OTP) authentication, Microsoft Network Access Protection (NAP) integration, load balancing (integrated or external), force tunneling, and multisite configuration.

For optimum security and maximum deployment flexibility, it is recommended that a PKI be used to manage certificates for all DirectAccess deployments, including those supporting only Windows 8.x and Windows 10 clients.

Summary

DirectAccess and Windows 10 are much better together. Windows 10 provides full support for the geographic load balancing features of DirectAccess and at the same time offers improved scalability and performance. Windows 10 also makes supporting and troubleshooting DirectAccess clients much easier. And for smaller deployments, Windows 10 can lower the barrier to entry for organizations considering DirectAccess by eliminating the need for a full PKI deployment.

Additional Resources

Video: DirectAccess and Windows 10 in Action
DirectAccess and Windows 10 in Education
Implementing DirectAccess with Windows Server 2016 Book
Implementing DirectAccess with Windows Server 2016 Video Training Course
DirectAccess Consulting Services

85 Comments

  1. Simon

     /  August 4, 2015

    You have a typo in your PowerShell cmd.

    Get-DAClientExpereicneConfiguration

    Reply
  2. Hi Richard,
    Is the Windows 10 DirectAccess support not exactly the same as the Windows 8.1 DirectAccess support? Anything new DirectAccess wise in Windows 10?
    Thomas

    Reply
    • The only thing that differs with regard to DirectAccess on Windows 10 clients is that NAP integration is no longer supported. NAP has been deprecated by Microsoft and the plumbing to support it has been removed from Windows 10. If you have NAP integration enabled for your DirectAccess deployment, Windows 10 clients will not work.

      Reply
  3. Laurens

     /  August 5, 2015

    I have the strangest issue on Windows 10 with DirectAccess on a Dell Venue 11 Pro.
    When enabling the policies the lock screen turns into a blue screen with spinning balls, only to get past it with Ctrl/Alt/Del, and then it shows the logon screen.

    DA works just fine but the logon/lock screen goes wrong.
    This is even with a clean Windows 10 installation and nothing else.

    On my Lenovo it works fine, but this was the 10240 build and updated; my Dell runs the MSDN version of Windows 10 Enterprise. Build numbers are the same.

    Can this be a driver issue?

    Reply
    • I have to assume it is something client specific as I’ve not encountered this issue on any of my test machines. It could be driver related, or perhaps something else. Not sure…

      Reply
  4. Hi Richard,
    how do you generate this window with frame details to check the usage of IP-HTTPS null encryption? Network Monitor? Every help is appreciated!

    Reply
    Hi! One more question: If I enter Get-DAConnectionStatus on my Windows 10 (10240) Enterprise I often get Error, RemoteNetworkAuthenticationFailure. But the connection is established. Shares, Outlook and Intranet work like a charm. Only every 10th attempt I get ConnectedRemotely, None. The generated report looks ok. What can be the issue?

    Thanks!

    Reply
    • OK. Forget it. We use smart card login and I started PowerShell with an administrative account with username/password. If I start PowerShell as the user, Get-DAConnectionStatus always delivers ConnectedRemotely. Thanks!

      Reply
    • I’ve encountered that myself more than once. I think the evaluation mechanism on the client isn’t entirely stable. All I can say is that if you have corporate network connectivity, don’t worry about the output. 🙂

      Reply
  6. jones1337

     /  September 3, 2015

    How does it “intelligently select the closest entry point”? Does it ping all the entry points and select the one with the lowest round-trip time?

    Reply
    • The client will send an HTTP GET to each entry point and observe the Round Trip Time (RTT) for each reply. The entry point with the quickest reply (shortest RTT) will be selected automatically.

      Reply
      • toffitomek

         /  June 24, 2016

        Interesting, we have an issue where clients connect to Asia entry points despite Europe-based ones being available with almost 5-7 times lower latency. Is there any way to tweak the algorithm?

      • Unfortunately, no. The only way to enhance this process is by implementing a Global Server Load Balancer (GSLB).
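As an added illustration of the selection rule described in this exchange (not code from the original post or from Microsoft), the script below reproduces it: an HTTP GET to every entry point, with the shortest round-trip time winning. An administrator at a given location can use it to see which entry point automatic selection would favour and by what margin. The entry point names and IP-HTTPS URLs are constructed placeholders, and the function names are my own.

```powershell
# Added example, not from the original post: measure HTTP GET round-trip time to
# each DirectAccess entry point and pick the fastest, mirroring the client's
# automatic entry point selection. Entry point URLs are constructed placeholders.

function Measure-DAEntryPointRtt {
    param(
        [Parameter(Mandatory)][hashtable]$EntryPoints,  # name -> IP-HTTPS URL
        [int]$Samples = 3,
        [int]$TimeoutSec = 5
    )
    foreach ($name in $EntryPoints.Keys) {
        $url  = $EntryPoints[$name]
        $rtts = @()
        for ($i = 0; $i -lt $Samples; $i++) {
            $sw = [System.Diagnostics.Stopwatch]::StartNew()
            try {
                $null = Invoke-WebRequest -Uri $url -Method Get -UseBasicParsing -TimeoutSec $TimeoutSec
                $sw.Stop()
                $rtts += $sw.Elapsed.TotalMilliseconds
            } catch {
                $sw.Stop()
                # A 4xx/5xx reply still proves the listener answered; only timeouts
                # and connection failures count as "no reply".
                if ($_.Exception.Response) { $rtts += $sw.Elapsed.TotalMilliseconds }
            }
        }
        [pscustomobject]@{
            EntryPoint = $name
            Url        = $url
            Replies    = $rtts.Count
            MinRttMs   = if ($rtts.Count) { [math]::Round(($rtts | Measure-Object -Minimum).Minimum, 1) } else { $null }
            AvgRttMs   = if ($rtts.Count) { [math]::Round(($rtts | Measure-Object -Average).Average, 1) } else { $null }
        }
    }
}

function Select-DAEntryPointByRtt {
    # Same rule as the client: among entry points that replied, take the one
    # with the shortest RTT. Returns $null when none replied.
    param([Parameter(Mandatory)][object[]]$Measurements)
    $Measurements | Where-Object { $_.Replies -gt 0 } |
        Sort-Object MinRttMs | Select-Object -First 1
}

# Constructed placeholder entry points (assumption: one IP-HTTPS URL per site,
# using the conventional /IPHTTPS path). Replace with your own deployment's URLs.
$entryPoints = @{
    'Europe'   = 'https://da-eu.example.com/IPHTTPS'
    'Asia'     = 'https://da-apac.example.com/IPHTTPS'
    'Americas' = 'https://da-us.example.com/IPHTTPS'
}

$measured = @(Measure-DAEntryPointRtt -EntryPoints $entryPoints)
$measured | Sort-Object MinRttMs | Format-Table -AutoSize
$best = Select-DAEntryPointByRtt -Measurements $measured
if ($best) { "Automatic selection would pick: $($best.EntryPoint) ($($best.MinRttMs) ms)" }
else       { 'No entry point replied; the client would be unable to connect.' }
```

The script measures over whatever path the client currently has, whereas the real client measures when it starts up, so a single slow reply or a moment of packet loss at that instant can send a client to a distant site, which is the behaviour reported above. As the reply notes, the rule itself cannot be tuned on the client; a GSLB that answers with the nearest site is the supported way to steer selection.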

  7. Michael

     /  November 12, 2015

    Hi Richard,
    if I open the DA tab in Network & Internet I don't see the additional info like the collect button for troubleshooting. Is that something that needs to be defined in a GPO? I just have a “disconnect” button, which is not operational, and the info that it is successfully connected to the single site DirectAccess. I just read that you are doing consultancy also for multisite + Manage Out? I thought this combination is not working?

    Reply
  8. Martin

     /  November 26, 2015

    Hi Richard. It seems I have a DNS problem on the DA Windows 10 client. From my perspective DA is working (I can connect to file shares etc.), but the DA GUI is stuck on “connecting…”. When checking Get-DAConnectionStatus it throws me a sub status “NameResolutionFallure”.

    When checking the config using Get-DAClientExperienceConfiguration it looks like this:

    Description : DA Client Settings
    CorporateResources : {HTTP:http://directaccess-WebProbeHost.int.avbs.ch}
    IPsecTunnelEndpoints : {PING:fd3f:71ad:9bea:1000::1, PING:fd3f:71ad:9bea:1000::2}
    CustomCommands :
    PreferLocalNamesAllowed : False
    UserInterface : True
    PassiveMode : False
    SupportEmail : [email protected]
    FriendlyName : AVBS Workplace
    ManualEntryPointSelectionAllowed : True
    GslbFqdn :
    ForceTunneling : Default

    I then checked my NRPT policy; it also looks fine.

    Get-DnsClientNrptPolicy

    Namespace : .int.avbs.ch
    QueryPolicy :
    SecureNameQueryFallback :
    DirectAccessIPsecCARestriction :
    DirectAccessProxyName :
    DirectAccessDnsServers : fd3f:71ad:9bea:3333::1
    DirectAccessEnabled :
    DirectAccessProxyType : NoProxy
    DirectAccessQueryIPsecEncryption :
    DirectAccessQueryIPsecRequired : False
    NameServers :
    DnsSecIPsecCARestriction :
    DnsSecQueryIPsecEncryption :
    DnsSecQueryIPsecRequired : False
    DnsSecValidationRequired : False
    NameEncoding : Utf8WithoutMapping

    Namespace : RAS.int.avbs.ch
    QueryPolicy :
    SecureNameQueryFallback :
    DirectAccessIPsecCARestriction :
    DirectAccessProxyName :
    DirectAccessDnsServers :
    DirectAccessEnabled :
    DirectAccessProxyType : UseDefault
    DirectAccessQueryIPsecEncryption :
    DirectAccessQueryIPsecRequired : False
    NameServers :
    DnsSecIPsecCARestriction :
    DnsSecQueryIPsecEncryption :
    DnsSecQueryIPsecRequired : False
    DnsSecValidationRequired : False
    NameEncoding : Utf8WithoutMapping

    I can even resolve internal hosts by using the DNS server fd3f:71ad:9bea:3333::1 without any problem…

    Any ideas?

    Thanks

    Martin

    Reply
    • When the client is connected remotely, can you resolve directaccess-WebProbeHost.int.avbs.ch? If so, are you able to browse to it? It should return the default IIS page.

      Reply
      • vogtma

         /  November 28, 2015

        Thanks for the hint Richard. The site was actually not reachable; I had to change the binding on IIS. Many thanks again.

      • Glad you were able to get it resolved!

  9. Hi Richard! On the Authentication pic you added to this post there is one field to enter the root certificate for computer certificates. Now we must renew our root ca certificate and all computer certificates because of sha1 to sha256. We tested autoenroll group policy but the DA clients do not receive a new computer certificate. How would you do a change of all certificates to keep DA working? Is it only possible to autoenroll computer certificates on LAN via GP? Every help is appreciated!

    Reply
    • If you have to make major changes to the CA configuration, you can certainly do that and reissue certificates but it will break DirectAccess clients that are not on the network at the time. You’ll have to bring them back in to the office to update group policy and enroll in any new certificates as necessary.

      Reply
      • Thanks for your answer! Is there absolutely no group policy processing for computer settings in DA? Sometimes I think it works and sometimes not?! But for user settings it works, doesn’t it? This is a very confusing thing within DA. If not, why does group policy processing not work? Very strange because everything else works like a charm! Thanks for your patience! …Dietmar

      • Is it possible that slow link detection is interfering? I might suggest that you lower the threshold for testing purposes. Details here: https://technet.microsoft.com/en-us/library/cc978717.aspx

  10. David

     /  January 25, 2016

    Hi,
    I’ve a strange problem with Direct Access.
    With Windows 10 (non 1511) Direct Access is working.
    With Windows 10 1511 it isn’t.

    Reply
    • As long as it is Enterprise or Education edition, any build of Windows 10 should work. If not, standard troubleshooting will be required. 🙂

      Reply
      • David

         /  January 28, 2016

        Hi,
        do you have a guideline to troubleshoot it a little bit more specifically?
        Because we deployed Windows 10 with SCCM, and the “base” version of Windows 10 (obviously Enterprise) is working like a charm.
        With 10 1511 DirectAccess stays on “connecting” forever.
        I’ve also tried to install Windows 10 1511 without SCCM (via USB/ISO) and have the same problem.
        Thanks for support.

      • Well, DirectAccess troubleshooting isn’t exactly trivial. 😉 I don’t really have a documented guide either (that will be changing soon though). If you reach out to me via email I’ll have you collect some information for me and I can give you some suggestions after that if you like. 🙂

  11. Pete

     /  March 28, 2016

    Hi Richard, we’re trying to implement DA2012 on a VM with a single network card behind NAT. Our Windows 10 client says IP-HTTPS fails and the interface can’t be created; it gives an error of 0x102. Do you have any idea what it might be? Thanks in advance.

    Reply
    • I’m not familiar with that particular error. Does ipconfig /all show an IPHTTPS tunnel interface? And does it have an IPv6 address associated with it?

      Reply
    • Justin

       /  May 25, 2016

      Pete, I’m seeing the same error on some 8.1 installs, even after they get past the initial testing and implementation phase. Wondering if it’s the result of an update. Have about 30 mobile workstations successfully deployed w/ IP-HTTPS only, and have had now two instances where the interface disappears and results in 0x102. Cannot find any reference to this error code, which makes it very difficult to troubleshoot. I’ve had to resort to shooting from the hip (re-image) after more run-of-the-mill troubleshooting hasn’t resolved the issue.

      Reply
    • Tim

       /  April 28, 2017

      Pete, we are getting the same issues here with Windows 10 clients unable to create the IP-HTTPS interface with the 0x102 error. Did you find a resolution other than re-imaging??? Thanks

      Reply
  12. Rafeel Mohamed

     /  April 7, 2016

    Is DirectAccess compatible with Win 10 Pro?

    Reply
  13. Hello Sir Richard Hicks,

    I finally reached your blog. Gee Sir, it’s a great honor for me reaching your DirectAccess blog… I really appreciate the things I learned in your Train Signal video. Indeed DirectAccess is great. Anyway Sir, one question: what’s the best type of Windows 10 recommended for DirectAccess SVR2012???

    * Windows 10 Home
    * Windows 10 Pro
    * Windows 10 Enterprise
    * Windows 10 Education

    That’s all I want to know, Sir Richard Hicks. More power, God bless you and thank you very much Sir Richard. I really learned a lot from you and your Train Signal video; hope you continue making more exciting and great videos, more complex, about DirectAccess : ) Thank you again Sir Richard.. Michael Hechanova here, I’m one of your avid fans, crazy about DirectAccess.

    Reply
    • Well, there is no Windows 10 home so you can rule that one out. 😉 Windows 10 Professional isn’t a supported client and doesn’t work with DirectAccess either, so we’re down to two! Honestly, either Windows 10 Enterprise or Education will be fine, as they are both functionally identical. Enjoy!

      Reply
  14. Jacko

     /  July 28, 2016

    Hello Richard. What mechanism does HA use to determine the best location? The reason I ask is because we have a few people based in a country in Asia and it does not choose their location but another country. Sometimes it will connect to their location and then change. Are there any known issues with the automatic feature in Windows 10 and HA?

    Reply
    • Windows 8.x and Windows 10 clients check connectivity to each entry point when they start up and choose whichever one responds more quickly. The native site selection process doesn’t really work that well, as you have noticed. Best way to resolve it is by using a GSLB solution. I recently did a webinar with Kemp on this. You can view it on-demand here.

      Reply
  15. Is there any reason DirectAccess will not work for me using a Gen 2 Hyper-V machine? No matter how many times I check this over it will not connect end clients.

    Reply
  16. Jimmy

     /  September 25, 2016

    Windows 10 Education does not have DirectAccess listed under “Network & Internet”; have you run across that? And if yes, is there a way to get it listed?

    Reply
    • The first step is to ensure that the client has actually received the DirectAccess Client Settings policy. If it has, it is probably the Network Connectivity Assistant service that isn’t running. You can start it using Start-Service NcaSvc. It should show up in the UI after that. 🙂

      Reply
  17. Morten

     /  September 27, 2016

    Hi, I just set up DA, but when I’m out of the office and DA is connected my network shares don’t work. Getting a message “An error occurred while reconnecting Z: to \\server\folder – Microsoft Windows Network: The local device name is already in use. This connection has not been restored”
    I can browse \\server.domain.local\folder.
    After 8-14 minutes they work out okay. Can anybody give me a clue where to look to get my network shares working when DA is connected?

    Reply
    • Connection issues are not uncommon for mapped drives, but I’ve never encountered the error message you are getting. Very odd. It sounds like it might be getting mapped twice though, once locally (perhaps via NET USE) and again via GPO. I’d take a close look at that to see if there are any configuration issues like that.

      Reply
  18. Andrey Zasypkin

     /  November 14, 2016

    Hi Richard, I am having a strange issue with a DirectAccess 2012 server deployment. I can see the Win10 client is connected under server monitoring, but it cannot pass traffic any further than the internal interface of the DA server; I can browse network resources on the DA server itself via UNC but not any further in the corp network. All name resolution works. It’s a 2 NIC setup behind an edge firewall. Any suggestions? Thank you.

    Reply
  19. Hola! I’ve been following your web site for a while now and finally got
    the bravery to go ahead and give you a shout out from New Caney Texas!
    Just wanted to tell you keep up the great work!

    Reply
  20. Andrey Zasypkin

     /  November 18, 2016

    So I spoke with MS support; apparently my current 2008 R2 deployment is using ISATAP, which is not a supported environment for parallel installation and migration to 2012 R2. They advised removing ISATAP from the environment. But how can I do this gracefully without breaking the current working 2008 R2 deployment? What would be my best course of action to achieve this migration?
    thank you

    Reply
    • Having ISATAP deployed in your existing Windows Server 2008 R2 DirectAccess deployment should have no impact on deploying a parallel Windows Server 2012 R2 or Windows Server 2016 DirectAccess deployment. You can remove ISATAP after you’ve migrated all of your existing clients to the new implementation.

      Reply
  21. Ahmed beybars

     /  November 29, 2016

    Hey , Richard ,
    Good day. My DA is working properly but I have an issue. When the DA server is down, the DA connection on users' laptops is shown as connecting.
    Should I disconnect the DA connection on users' machines if I want users to use local DNS resolution?

    In my environment DA users use their Exchange mailbox in a VM on Azure.
    If the DA server is down they can’t connect to their mailbox, while non-DA clients are connected to the same mailbox server.
    So I want my DA clients to be able to connect to their mailbox, which is on Azure, even if DA is down.
    Should I disconnect the DA connection manually by clicking Disconnect, as by default it would be connecting?

    Note: Our DA clients are Windows 10 Enterprise
    DA: Server 2012 R2

    Regards ,,

    Reply
    • If the NLS is installed on the DirectAccess server, then that’s to be expected. When the NLS is unreachable for any reason, clients on the internal network will think they are outside the network and attempt to establish a DirectAccess connection. If they are unable to do so, they will remain in a “connecting” state until the NLS comes back online. There’s not much you can do about this unless you move the NLS to another server (which is recommended).

      Reply
  22. Eddy Princen

     /  January 13, 2017

    Dear Richard, I like your blog and learned a lot from it. Great work. However I ran into an issue recently and I can’t get it solved. We are getting the following error since a few weeks on a few clients: the IP-HTTPS interface is not operational, last error: 0x80190190. Other clients work normally and connect normally. Any ideas where to start searching?

    Reply
    • Eddy Princen

       /  January 13, 2017

      Extra comment: all clients are Windows 10 Enterprise.

      Reply
    • That’s unusual. The error message translates to BG_E_HTTP_ERROR_400, which I’ve never seen. Since other clients can connect without issue it is most definitely a client-side issue. The only thing I can suggest is to test the network path from the client to the DirectAccess server when you have that error to confirm connectivity. After that it’s a much deeper troubleshooting effort than I can probably provide here. You can reach out to me via email if you continue to have trouble and I’ll see what I can do.

      Reply
  23. Andrey Zasypkin

     /  January 16, 2017

    I had the same behavior after the Win10 machine had received the GPO for the first time. All tunnel interfaces became disabled. All I had to do was use the netsh command to re-enable the tunnel interface I needed for DirectAccess.

    Reply
  24. Hi Richard! First of all: Thanks for your great DA book! I love it! Now we are trying DA on Windows 10 14393.693 because we want to roll out Windows 10 in our company as soon as possible. However, we also ran into an issue with very, very poor download performance when connected with DA. We use 2 physical load-balanced Windows Server 2012 R2 machines and IP-HTTPS with force tunneling. This was never a problem with Windows 7. With Windows 10 using a mobile LTE connection we are stuck at 1-2 Mbit/s download while upload is at 10 Mbit/s. Without DA (just stopping the iphelper service) download rates are 30 Mbit/s and higher.

    I found this
    https://social.technet.microsoft.com/Forums/sharepoint/en-US/9831860a-7ec8-48a4-99b5-fdae0420d5fd/directaccess-upload-ok-download-very-slow-and-unstable?forum=winserver8gen

    but no solution for this problem. Do you have more information on this issue? It’s really a show stopper for Windows 10 deployment.

    Every help is appreciated!

    Reply
    • I am aware of a few open cases that Microsoft has regarding degraded download performance over DirectAccess connections. I’ve not had the time myself to investigate, and none of my customers are reporting this issue. I will hopefully be able to look in to this in the near future. If I learn anything interesting I’ll be sure to publish it here.

      Reply
      • martinvogt2016

         /  February 5, 2017

        I’m also running 14393.693 in a small environment already and the download speed (from company file server to client) is pretty stable at 10 MBit/s, which matches the company DSL up-link speed. It’s a simple setup with only one DA server (2012 R2) and Sophos UTM in front of it. So it’s maybe not a DA issue in general…

      • Hello,

        we have opened a case with Microsoft. Sad but true: Microsoft is aware of this problem but it is as it is. Microsoft will not touch DirectAccess anymore.

        There will be something like Autoconnect VPN with Windows 10. So we do not invest more resources and money to troubleshoot DirectAccess because it works best with this terrible bug.

        If anyone at Microsoft is listening: Please don’t do this! DirectAccess is great and every user who works with it loves it! It’s one of the greatest features you ever designed! Many companies out there use it with many, many, many DirectAccess clients. We invested many resources and a lot of money in this project.

        Dietmar

  25. Daniel Morris

     /  February 22, 2017

    I have a 2 node 2016 deployment running at a single site with Windows NLB. The service is being provided for our W7 laptops and we have just introduced W10. I have no issues with W7, but W10 sees frequent disconnections. Is there something different in the transport that may be causing this? Testing W10 in a dev environment with a single node configuration saw no drops. I’m struggling to see the benefit of DirectAccess on W10 at the moment.

    Reply
    • Not sure what the issue is in your environment, but I’ve got numerous customers running this same configuration without issue. I have no idea what the problem could be without performing a detailed investigation. No real changes in transport between Windows 7 and 10 other than Windows 10 supports null cipher suites for IP-HTTPS traffic. This would improve performance for you, but it certainly wouldn’t result in frequent disconnections. If your testing with a single node configuration yielded positive results, I’d have to suspect some underlying issue with NLB. Perhaps switching to an external load balancer would solve the problem? Not sure, but there are other benefits associated with ELB so it might be worth a try. If expense is an issue, have a look at the solutions from KEMP. They even have a free offering too. 🙂

      Reply
  26. BaardH

     /  March 21, 2017

    Hello!
    My search skills must not be up to par, as I can’t find a suitable article to answer my particular question; hoping you are able to answer:
    I’ve been given the responsibility of our DirectAccess installation, despite not knowing anything about it…
    The question: We’re rolling out Win10 and wanted to grant DA access to all laptops (they reside in their own OU). However, it seems like I have to add all laptops to a group in order to allow access; can this be avoided somehow?

    Reply
    • Absolutely. When you first install DirectAccess you’ll have to specify a security group. When the installation is complete, the wizard creates GPOs in Active Directory and links them to the domain. If you wish to use OUs instead of a security group, you can simply unlink the object from the domain and link it to the OU you want to target. The GPO will still be filtered to the security group, so be sure and change that to authenticated users or domain computers. Should work fine after that. 🙂

      Reply
      • BaardH

         /  March 23, 2017

        Most excellent, thank you! 🙂

  27. Thank you for an excellent article. Can you suggest any best practices on layering a second factor for the Windows 10 login? If my end-user’s AD password is stolen, it is an easy hop into the intranet with an owned machine. TIA!

    Reply
    • I’d have a look at the multifactor authentication solution from PointSharp. They integrate with DirectAccess for sure, but I’m not certain about the desktop itself. I’ve reached out to them for clarification. 🙂

      Reply
  28. I have some users (teachers) with poor quality internet access at home; despite my efforts to help them resolve their internet issues, their laptops are unusable whilst connected to DA. Is there any recommended method of slow link detection that will stop these devices connecting if a minimum connection speed is not met? I know they could manually disconnect but they keep forgetting and complaining and we are going round in circles. Thank you

    Reply
    • Hi Rob. DirectAccess is great when the Internet connection is fast and reliable, but it does seem to stumble consistently when used with high latency or high loss network connections. You could probably write some type of script that runs on the client to check the connection quality and disconnect DirectAccess in that situation, but that might be challenging too. DirectAccess certainly doesn’t provide anything like that natively though.

      Reply
  29. Casey

     /  February 23, 2018

    On Windows 10 1703 or 1709, if you are having trouble with the Collect logs button within DirectAccess settings, try the following fixes — number 2 seems the simplest.

    1-
    Add SeAssignPrimaryTokenPrivilege to RequirePrivileges in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcaSvc
    Reboot

    2-
    Create and set SvcHostSplitDisable DWORD value and set it to 1 in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcaSvc
    Reboot

    3-
    Increase the value of SvcHostSplitThresholdInKB in HKLM\SYSTEM\CSS\Control to disable the svchost splitting across the entire system
    Reboot

    Reply
  30. Hi Richard,
    Love the blog, literally the bible. I’m currently dealing with a client who has a DirectAccess deployment, with SHA1 certificate authentication through an Enterprise CA.

    If I were to upgrade from SHA1 to SHA2, would this cause any disruption to clients? Thinking of following the ‘Certificate Services – Migrate from SHA1 to SHA2 (SHA256)’ guide from PeteNetLive.

    There are over 2000 endpoints so nervous of causing any unnecessary downtime and making them all come in to pull a new policy.

    Thanks!

    Reply
    • That really depends. If you are simply changing your CA’s signing algorithm from SHA-1 to SHA-2, then there should be no impact. However, if you are renewing your CA’s certificate, it could potentially be disruptive depending on how you have configured DirectAccess.

      Reply