About Me

I am a network and information security expert specializing in Microsoft technologies. An MCP, MCSE, MCITP Enterprise Administrator, and MCSA, I have traveled around the world speaking to network engineers, security administrators, and IT professionals about Microsoft edge security and remote access solutions. With nearly two decades of experience working in large-scale corporate computing environments, I have designed and deployed perimeter defense and secure remote access solutions for some of the largest companies in the world. I provide independent consulting services to organizations large and small.

In October of 2016 I received my 8th consecutive Microsoft Most Valuable Professional (MVP) award for Cloud and Datacenter Management and Enterprise Security. I am currently a Pluralsight author and a contributing author for ISAServer.org, WindowSecurity.com, CloudComputingAdmin.com, and the Petri IT Knowledgebase.

I am also the author of Implementing DirectAccess with Windows Server 2016 (ISBN 978-1484220580) by Apress Media. This book is the definitive guide for planning, implementing, and supporting a DirectAccess solution based on Windows Server 2012 R2 or Windows Server 2016. For more information please visit directaccessbook.com.

I live and work in beautiful, sunny Southern California.

In addition to this blog, you can also find me here:

TMG Blog – http://tmgblog.richardhicks.com/
LinkedIn – http://www.linkedin.com/in/richardhicks
Twitter – http://twitter.com/richardhicks/
Facebook – http://www.facebook.com/richardhicksmvp/
Website – http://www.richardhicks.com/
DirectAccess Book – http://directaccessbook.com/

If you have any questions, please don’t hesitate to send me a note.

rich@richardhicks.com

44 Comments

  1. AndrejK / March 30, 2014

    Hi,
    I’m installing DA in a multi-forest environment. I have three separate forests with two-way trusts. I can add computer accounts from two of them; on one, I get this error when I run Add-DAClient:

    I’m confused: why can’t DA find the security group? If I add the security group through the GUI, I can browse the security group from AD, but when I click Finish, the result is the same.

    Any ideas what I can check?

    VERBOSE: Retrieving server GPO details…
    VERBOSE: Opening the server GPO…
    VERBOSE: Validating security group (XXX\u_dacomps) in the domain…
    Add-DAClient : Security group XXX\u_dacomps cannot be found.
    At line:1 char:1
    + Add-DAClient -SecurityGroupNameList XXX\u_dacomps -v
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ResourceExists: (XXX\u_dacomps:root/Microsoft/…ess/
    nt], CimException
    + FullyQualifiedErrorId : HRESULT 800700ea,Add-DAClient

    Add-DAClient : The operation failed. All of the specified security groups are invalid.
    At line:1 char:1
    + Add-DAClient -SecurityGroupNameList XXX\u_dacomps -v
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (SecurityGroupNameList:root/Microsoft/…ess/PS
    ], CimException
    + FullyQualifiedErrorId : HRESULT 80070057,Add-DAClient

    kind regards,

    Andrej

    • As long as there are two-way trusts established between each of the forests, you should be able to add those users. I’m not sure why Add-DAClient is failing here though. :/

  2. Hello Richard,

    Thanks for the blog, it is a very useful resource for understanding more about how DirectAccess works and knowing common pitfalls and problems before encountering them in our deployments.

    I have my deployment working quite nicely, with a single exception. Kaspersky.

    I have Kaspersky Security Center 10 and am using it to publish security policies to my clients and servers. But whenever KAV gets anywhere near DirectAccess there is nothing but trouble. I have tried setting KAV to not filter traffic on port 443, as I am using IP-HTTPS tunnels.

    Not only can external clients not connect to the server, but once back inside the network, KAV seems to stop them from correctly communicating with the internal NLS servers; they think they are still outside and then attempt to establish an IP-HTTPS link to the server. The network interface also reports back as not being connected to the domain.

    The strange part is that from the clients, I can enter the https address of the internal FQDN for the NLS site in a browser and it creates a secure connection using my internal Root CA certificates to authenticate it. The client can also resolve and ping internal servers, but can’t connect to them (presumably because of the attempted connection to the DirectAccess server).

    So this brings me to my question: what security software do you recommend for DirectAccess, and how do you ensure that the software you use does not interfere with it?

    • I’ve heard numerous horror stories about DirectAccess deployments not working with Kaspersky Anti-Virus. To a lesser extent, I’ve also heard that some DirectAccess users are reporting issues when Symantec Endpoint Protection is installed. At this point, I don’t have a recommendation regarding desktop AV. Obviously the native Microsoft security features work, but that doesn’t help you from an enterprise perspective. 🙂

  3. Andy Thomson / June 25, 2015

    Hi Rich,

    Do you know of any way to change the order of Entry Points in a Multisite configuration, without removing and re-adding the Entry Points from the configuration?

    So for example, I want to change:
    Multisite
    Site1
    Site1-EntryPoint
    Site2
    Site2-EntryPoint
    Site3
    Site3-EntryPoint

    to this:
    Multisite
    Site3
    Site3-EntryPoint
    Site2
    Site2-EntryPoint
    Site1
    Site1-EntryPoint

    I was hoping there would be some PowerShell cmdlets but can’t find anything that will do what I’m looking for (which I agree is probably a rare scenario!).

    Many thanks for any help you can provide,
    Andy

    • Hi Andy. It’s not possible to change the order of entry points, nor is it really necessary. Windows 7 clients are homed to a specific entry point. Windows 8.x clients are either assigned to a single entry point, or they can be configured to automatically select one. For automatic selection, the entry point order is irrelevant. The Windows 8 client will probe all entry points and connect to whichever entry point responds first. If you have a specific reason to have all clients connect to one entry point first (for example a disaster recovery scenario) and then fail over to another site later, then I would suggest using a Global Server Load Balancer (GSLB). Using GSLB you have much more granular control over traffic distribution.

  4. BenZ / June 27, 2015

    I’m having the same issue. I pulled the script and basically Add-DAClient doesn’t work. If I run the wizard over and over, each time I get different errors. Sometimes it says the name cannot be the same as the certificate, or certificate not found, and I *always* get “DA-Client could not find security group”. From the server, if I do net group ‘VPNComputerGroup’ /domain it comes back instantly with the computer(s) in that group.

    This DA definitely has a LONG way to go; even after 5 years the walkthroughs don’t work, and manually doing the script yields the same results, with the 800700ea ‘not found’ error on the security group. Anyone figure this out? I have a single domain, 20 servers, 500 workstations, 2 DCs, and a flat network.

    Thanks!

    • It is entirely possible that this might be a bug. It wouldn’t be the first one. 😉 I’d suggest opening a support case with Microsoft to have them troubleshoot. If they can’t resolve the issue, perhaps they can identify a workaround. If indeed it is a defect, they can produce a hotfix too.

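
The group lookup behind the Add-DAClient failures in comments 1 and 4 can be checked on its own, before the Remote Access cmdlets get involved. The following is an added example and is not code from the original post or from Microsoft: it translates each DOMAIN\Group name to a SID from the DirectAccess server (the same trust path the cmdlet relies on), confirms the object exists on a domain controller in the group’s own domain, and only then hands the groups that resolved to Add-DAClient. The group names, and the assumption that the RSAT ActiveDirectory module is installed on the server, are placeholders for your own environment.

```powershell
# Added example (not from the original post). Pre-check that each security group
# resolves from the DirectAccess server before handing it to Add-DAClient.
# Assumes the RSAT ActiveDirectory module is installed alongside RemoteAccess.
Import-Module ActiveDirectory
Import-Module RemoteAccess

# Placeholder groups, one per trusted forest, in the DOMAIN\Group form Add-DAClient expects.
$groups = @('CORP\DA-Clients', 'RESEARCH\DA-Clients', 'PARTNER\DA-Clients')

function Test-DAGroupResolvable {
    param([Parameter(Mandatory)][string]$Name)

    $result = [ordered]@{ Name = $Name; Sid = $null; Domain = $null; Error = $null }
    try {
        # 1. Can LSA on this server translate DOMAIN\Group to a SID? This walks the
        #    same trust path Add-DAClient needs; a failure here is a trust or name
        #    resolution problem, not a DirectAccess problem.
        $sid = ([System.Security.Principal.NTAccount]$Name).Translate(
            [System.Security.Principal.SecurityIdentifier])
        $result.Sid = $sid.Value

        # 2. Confirm the object on a DC in the group's own domain. The NetBIOS
        #    prefix is mapped to the DNS root so the query goes to the right domain.
        $netbios = $Name.Split('\')[0]
        $result.Domain = (Get-ADDomain -Identity $netbios).DNSRoot
        $null = Get-ADGroup -Identity $sid.Value -Server $result.Domain
    }
    catch {
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

$checked = foreach ($g in $groups) { Test-DAGroupResolvable -Name $g }
$checked | Format-Table Name, Sid, Domain, Error -AutoSize

$bad  = @($checked | Where-Object { $_.Error })
$good = @($checked | Where-Object { -not $_.Error } | ForEach-Object Name)

if ($bad.Count -gt 0) {
    Write-Warning ("Unresolvable from this server: " + ($bad.Name -join ', ') +
                   ". Fix the trust or DNS path for these before adding them.")
}
if ($good.Count -gt 0) {
    # -PassThru returns the client configuration so the final group list can be inspected.
    Add-DAClient -SecurityGroupNameList $good -PassThru |
        Select-Object -ExpandProperty SecurityGroupNameList
}
```

Run it in an elevated PowerShell session on the DirectAccess server. A group that fails step 1 cannot be seen by any component on that server, so the trust or the DNS path to the remote domain is the thing to fix. A group that passes both steps and still fails in Add-DAClient with the same HRESULT has had the trust path ruled out, which is the case where opening a support case, as suggested above, is the sensible next step.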
  5. Andy Thomson / June 29, 2015

    Thanks Rich. The reason is that Site 3 has a much faster connection, but the clients do not seem to be selecting it as I would have expected. I think I will need to do a bit more digging…

    • In practice, the native site selection process doesn’t seem to work all that well for some reason. I’d suggest implementing a Global Server Load Balancing (GSLB) solution to address this. A GSLB will allow much more granular control over traffic management. Using GSLB you should be able to configure all of your clients to use site 3 first and fall back to other sites if it isn’t available.

  6. Brett Thomas / September 22, 2015

    Rich,
    We initially set up our DA with NAP. Now we would like to remove NAP. My concern is this: removing NAP will alter the DA GPOs. Offline devices will still have older policies. Will this cause the offline devices any problems attempting connection after the GPO is altered?

    Thank you

    • Hi Brett,

      You bring up an interesting scenario. Honestly, I’m not certain how the client will behave. However, it might not be disruptive because NAP validation is enforced by the DirectAccess server. If you remove the NAP validation requirement from the server, it’s possible that the clients will be unaffected. I can’t say this with certainty though because I’ve never configured NAP for any of my customers to this point.

      Let me know how it goes! 🙂

  7. Jose L Castro / October 1, 2015

    I am using an F5 Load Balancer for Direct Access (Single NIC in the DA server). There are no F5 interfaces in the VLAN where the DA servers connect to. I was able to add the VIP with the external F5 IP address but the previous address of the DA server is also added as a VIP when I configure Load Balancing. How can I remove this VIP?

    • There’s no need to use the DirectAccess VIP (originally the dedicated IP address of the first DirectAccess server) on the F5. The VIP on the F5 can be anything, really. The pool members would then be the dedicated IP address of each DirectAccess server. The only thing you’ll need to do is pay attention to the web probe host URL. If you’re using the default, you’ll either have to create a virtual service for that or use another resource.

  8. I have a question about the Windows Firewall in DirectAccess for Windows Server 2012 R2. How does it interact with Symantec’s firewall? Can Symantec Firewall be used instead of the Windows firewall? If it cannot, can both be enabled at the same time?

    Thanks,
    Jose L Castro

    • You can use any third-party firewall as long as the Windows Firewall is still enabled. Also, the third-party firewall must not block IPv6. You cannot replace the Windows Firewall with a third-party firewall, however.

      • CASTRO, JOSE L / November 11, 2015

        Thank you. I guess we either use both or standardize on Windows Firewall.

  9. Chris Duncan / January 21, 2016

    Hi Richard,

    We have two 2012 DirectAccess servers running on a Windows NLB cluster.
    At the end of December we encountered an issue with the cluster. As a temporary workaround we disabled one of the servers while we investigated. This allowed the remaining server to service clients.
    Earlier this week the live server’s IP-HTTPS certificate expired. We are using a PKI certificate supplied by an internal CA server. We went ahead and created a new IP-HTTPS certificate from the template on the CA and applied it to DirectAccess.
    All errors within DirectAccess disappeared; however, clients could not connect and reported that they could not connect to the IP-HTTPS server, and so no IPv4-IPv6 translation was available. We used the troubleshooting tool on the client to view the errors.

    We noticed the other DirectAccess server still had a valid certificate that had not expired. We switched to using this server instead and everything worked again, at least for two days, when it broke again. Clients are now again reporting that they cannot connect to the IP-HTTPS server. We have made no changes other than what is listed here (importing a new certificate to one of the DirectAccess servers).

    We have also run the DA Client Troubleshooting Tool and I would be happy to supply the logs.

    Any help or ideas on where to start troubleshooting would be greatly appreciated.

    Regards
    Chris

  10. Peter / March 24, 2016

    Hi Richard,

    I was wondering what your consulting services via remote access would cost.

    We have a Main office with Several branch offices connected via SonicWALL VPN

    We created a DA Server behind our Edge Firewall. The Remote Access Dashboard is green.
    No GPOs for Windows 7 DCA configured yet.

    There is NO device assigned in the Security Group for DA Client settings.
    We have issues where, when a system is connected on the inside, browsing is very, very slow and we cannot connect to Office 365 mail or SharePoint anymore.
    If the system is outside the network everything works fine.
    Any idea?

  11. Rob / April 27, 2016

    Hi Richard

    I have heard rumours of Direct Access potentially being deprecated in the not so far future but I can’t find any info on this.
    Are you aware of the direct access roadmap and futures?

    • I’ve not heard anything from Microsoft regarding the deprecation of DirectAccess. They’ve certainly been focusing more on client-based VPN lately, but that doesn’t necessarily mean DirectAccess will go away. Judging by the number of customers rapidly deploying it since the release of Windows 10, I can’t see them giving up on it at this point.

  12. dameronln / May 13, 2016

    Hi Richard,

    I have a multi-site DirectAccess setup with two entry points running in a lab. The first entry point has 2 DirectAccess servers with NLB running (both with 2 NICs: 1 internal, 1 external). The second entry point has 1 DirectAccess server (1 internal NIC, 1 external NIC).

    I have a windows 10 client able to connect to the first entry point with no problem.

    If I switch that same client to the second entry point, its status remains as connecting. On the DA server, under Remote Client Status, I briefly see the client making a connection, but then nothing gets listed in the Access Details. Running get-daconnectionstatus returns “NameResolutionFailure”. Also, running the DirectAccess Troubleshooting Tool results in failures in Network Location Tests, IP Connectivity Tests, Infrastructure Tunnel Tests and User Tunnel Tests. On this DA server, in the Configuration, Step 3, the DNS server IP address entered is the same address as the DA server (not the Domain Controller/DNS). When I click on Validate, it fails. (Both DA servers in the first entry site validate without any problems.)

    Any suggestions as to what can be wrong?

    • If the client is able to connect to one entry point, it should be capable of connecting to any entry point. If it cannot, I suspect there might be a configuration issue with that individual entry point. It might also be a name resolution issue too, though.

  13. Mark Swinnich / May 20, 2016

    Is this normal? When installing DirectAccess using the Getting Started Wizard and committing the changes that create the DirectAccess Client Settings GPO, the GPO drops at the domain level and assigns all Domain Users to the policy. It causes all domain users to get the DA policy, screwing up their machines! When you have 30k+ workstations and a policy refresh every 15 minutes, it affects a lot of employees. I have a domain group and GPO container that links the DirectAccess GPO and assigns them to a DAClient domain group. You have to be kidding, or I am doing this incorrectly.
    1. The DA wizard saves a new DirectAccess Client Settings GPO.
    2. The GPO deposits at the domain root.
    3. The GPO assigns the Domain Users AD group.
    4. Your boss comes over to yell at you.
    5. You have to manually remove the Domain Users group from the scope in the GPO, then reassign the correct AD group.

    • That’s why you shouldn’t use the Getting Started Wizard. 😉 The GSW should be avoided at all costs, really. As you discovered, the GSW assumes you want to deploy DirectAccess settings to every mobile computer in the entire domain. Obviously that’s not a good idea. Using the Remote Access Setup Wizard (subtle but important difference!) you can apply DirectAccess with much more control.

      It might be a good idea to watch my Pluralsight training course on DirectAccess. There’s a subscription required, but they also have a free trial. It should provide you with enough free time to get through the initial part of the course.

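
The scope problem described in this comment can be audited from the DirectAccess server itself. The following is an added example and is not code from the original post or from Microsoft: it lists every trustee holding the Apply right on the DirectAccess client GPO, flags the broad built-in groups, and then uses Add-DAClient and Remove-DAClient, whose security group list drives the GPO’s security filtering, to replace them with a dedicated group. The GPO name is the default the wizards create; the group names and the assumption that the RSAT GroupPolicy module is installed on the server are placeholders.

```powershell
# Added example (not from the original post). Audit and tighten the security
# filtering on the DirectAccess client GPO. Assumes the RSAT GroupPolicy module
# is installed on the DirectAccess server next to RemoteAccess.
Import-Module GroupPolicy
Import-Module RemoteAccess

$gpoName  = 'DirectAccess Client Settings'   # default name created by the wizards
$daGroup  = 'CORP\DA-Clients'                # placeholder: dedicated group of DA laptops
$tooBroad = @('Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone')

function Get-DAGpoApplyScope {
    param([Parameter(Mandatory)][string]$Name)
    # Only trustees holding GpoApply receive the policy; Read alone does nothing.
    Get-GPPermission -Name $Name -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object {
            [pscustomobject]@{
                Trustee  = $_.Trustee.Name
                Domain   = $_.Trustee.Domain
                SidType  = $_.Trustee.SidType
                TooBroad = ($tooBroad -contains $_.Trustee.Name)
            }
        }
}

'Apply scope before:'
Get-DAGpoApplyScope -Name $gpoName | Format-Table -AutoSize

# Change the scope through Remote Access rather than by hand-editing the GPO ACL:
# the SecurityGroupNameList is what the configuration applies as GPO filtering.
$current = @((Get-DAClient).SecurityGroupNameList)
if ($current -notcontains $daGroup) {
    # Add the intended group first so the configuration never ends up with no group.
    Add-DAClient -SecurityGroupNameList $daGroup
}
$broad = @($current | Where-Object { ($_ -split '\\')[-1] -in $tooBroad })
if ($broad.Count -gt 0) {
    Write-Warning ("Removing broad groups from DirectAccess client scope: " + ($broad -join ', '))
    Remove-DAClient -SecurityGroupNameList $broad
}

'Apply scope after:'
Get-DAGpoApplyScope -Name $gpoName | Format-Table -AutoSize
```

The before and after listings are the check worth keeping: after the change, the only trustee with GpoApply should be the dedicated computer group. Two caveats: the Getting Started Wizard also attaches a WMI filter that limits the GPO to mobile computers, and this script leaves WMI filters alone, it only changes who the policy applies to; and clients that already processed the broad policy keep it until their next Group Policy refresh removes it.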
  14. Nick / June 1, 2016

    Hi Richard,

    Great blog 🙂

    I have a weird issue with DirectAccess. All works perfectly except over a 4G SIM connection.

    The tunnels are not established. Wi-Fi works fine, as does cable. The SIM has been tested and works fine, as does the adapter on the laptop.

    After enabling auditing etc. I find an error in the security log relating to “main mode negotiation failed, IKE authentication credentials are unacceptable”.

    I also find the same error in a network trace. Do you have any advice at all?

    The server is 2012 R2, the client is Windows 10. One network adapter behind a NAT.

    All works fine except when using 4G.

  15. Vladyslav / June 22, 2016

    Hello, Richard!
    I’m using your tips for DA.

    But I’m struggling with this issue:
    the GPO for a specific user could not be applied.
    The GPO for the computer has been applied. I’ve found that with gpresult /r.

    But I can connect to the server over Explorer and also see the GPO directory: \\computer\sysvol\domain\policies…
    On the AD server the DA GPOs are applied to the root.
    This computer is in the DA security group.
    I’m using offline domain join. All is working except the user’s GPO.

    Richard, please suggest where to look.
    Thank you!

  16. Paul Yates / July 8, 2016

    Richard,

    Fantastic blog, it helps out with some of the more quirky issues! I’m very grateful for your documentation.

    I’m wondering if you might be able to point me in the right direction. We have a functioning DA deployment using ISATAP, but recently our DCs stopped replicating. We think we have traced it to an IPv6 DNS issue.

    We noticed that the DNS servers will not respond internally via the ISATAP adapter’s IPv6 address; however, the same nslookup works via a DA client. We can see that DNS64 is failing internally on site, and for some reason the DCs seem to want to use IPv6 to replicate.
    DNS servers and DCs are 2008 R2; the DA server is Server 2012 with the ISATAP router on the same box.

    Again – many thanks for your blog!

    Paul.

    • That is certainly unusual. I’m not aware of any IPv6 DNS issues that would prevent replication from working correctly. However, your DNS server should not need an ISATAP interface (or any other IPv6 tunneling adapter) so I’d recommend disabling those on the DC/DNS servers.

  17. GarethC / July 10, 2016

    Hi Richard, I’ve been wrestling with setting up DA for a few weeks. Finally got it mostly working today. Question about DNS. We have our DA servers in a child domain (e.g. abc.xyz.com), and we have quite a few DNS zones in our root domain (xyz.com) that are totally different namespaces, e.g. company.com. The issue is the DA clients can’t resolve names like intranet.company.com, I’m guessing because it doesn’t match any of the entries under “Name Suffix” on the DNS page for “Infrastructure Server Setup”. Do we really need to add all these extra internal zones into this Name Suffix list with the DA server’s IPv6 address? I tested and it worked for 1 zone, but it seems like double handling. For a client on the LAN, DNS requests are passed from the child DNS to the parent DNS so it can resolve names in those zones. Any tips?
    Thanks
    Gareth

    • Yes, you’ll have to add each of them to the DirectAccess DNS configuration. It’s not because of delegation, however. It’s for the client to understand which DNS server to send the requests to. If you can produce a text file with all of your internal domains, you can automate this process using the Add-DAClientDnsConfiguration PowerShell command.

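
The automation suggested in the reply above, as an added example that is not code from the original post or from Microsoft: it reads one DNS suffix per line from a text file, validates each as a plain DNS name, and creates an NRPT entry for it with Add-DAClientDnsConfiguration pointing at the DirectAccess server’s DNS64 address. The file path and the IPv6 address are placeholders; in Gareth’s layout the address is the DirectAccess server’s own IPv6 address that already appears on the entries the wizard created.

```powershell
# Added example (not from the original post). Bulk-create DirectAccess NRPT
# entries from a text file with one DNS suffix per line; '#' starts a comment.
Import-Module RemoteAccess

$suffixFile = 'C:\DA\internal-suffixes.txt'   # placeholder path
$dns64      = '2001:db8:a:b::1'                # placeholder: the DA server's DNS64 address

function Read-DnsSuffixList {
    param([Parameter(Mandatory)][string]$Path)
    Get-Content -Path $Path |
        ForEach-Object { ($_ -split '#')[0].Trim().TrimStart('.').ToLowerInvariant() } |
        Where-Object { $_ } |
        Sort-Object -Unique
}

function Test-DnsSuffix {
    param([Parameter(Mandatory)][string]$Suffix)
    # A suffix is two or more labels of letters, digits and hyphens joined by dots:
    # no wildcards, spaces or URL fragments, which would silently widen or break the rule.
    $Suffix -match '^([a-z0-9-]+\.)+[a-z0-9-]+$'
}

$added = 0; $skipped = 0
foreach ($suffix in (Read-DnsSuffixList -Path $suffixFile)) {
    if (-not (Test-DnsSuffix -Suffix $suffix)) {
        Write-Warning "Skipping malformed suffix '$suffix'"
        $skipped++
        continue
    }
    try {
        # Queries for this namespace go over the tunnel to $dns64. Any internal zone
        # NOT listed is resolved by the client's local (Internet) DNS server instead,
        # so a missing zone means its names are sent out as public queries and fail.
        Add-DAClientDnsConfiguration -DnsSuffix $suffix -DnsIPAddress $dns64 -ErrorAction Stop
        $added++
    }
    catch {
        # Typical causes: the entry already exists, or it overlaps the NLS exemption.
        Write-Warning "Failed for '$suffix': $($_.Exception.Message)"
        $skipped++
    }
}
"Added $added entries, skipped $skipped."

# Review the resulting table; clients receive it at their next Group Policy refresh.
Get-DAClientDnsConfiguration
```

Keep the input file under the same change control as the rest of the DirectAccess configuration: every suffix in it decides which names clients will send across the tunnel, and a typo either leaks internal lookups to the public resolver or hijacks a public namespace into the tunnel. The NLS FQDN must stay an exemption (an entry with no DNS server), which is why the script warns rather than retries when an add fails.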
  18. Megatc101 / October 31, 2016

    Hi Richard, I have a question about a comment that you have in your book.
    You state that “the DirectAccess server must be able to reach the public Internet”.
    Are you saying the DA server needs to be able to initiate an outbound connection in order to work?
    I have the DA server configured with a single interface. It is on the internal network and is accessed via a NAT on the firewall. To further complicate matters the external IP is a VIP on a load balancer, which is acting as a reverse proxy. This configuration is currently working, and we are able to perform manage out.
    I’m just trying to understand your comment in case I’ve missed something.

    Regards

    • For deployments where the DirectAccess server is behind a NAT, the server must only be “reachable” from the public Internet. It would not necessarily have to have Internet access itself. If the DirectAccess server were in an edge-facing scenario and needed to support Teredo, then it would require Internet access.

  19. Stefan / December 12, 2016

    Good day Mr. Hicks,

    I wanted to thank you very much for your work and the offering of deep and helpful knowledge about DirectAccess for the public.

    Your DA blog helped me a lot during the final project of my apprenticeship. With your help and other sources for Windows 2012 R2, I successfully decommissioned an old Windows 2008 CA and implemented a new two-tier 2012 R2 CA (Root and Issuing) for my DirectAccess environment. Our RDS complicated everything a bit and I had to use a little “hack” to get it on track, but everything works fine now and the users were super happy!

    Thank you again so much for sharing your knowledge and helping me to finish my apprenticeship as the second best of my whole state 🙂

    Best regards from cold and cloudy Switzerland, and excuse me for my bad English writing. I hope you get the essence of it.

  20. Chandrashekar HS / December 13, 2016

    Hi Richard,

    Recently we have been doing a POC at our office premises on DirectAccess on Windows Server 2012 R2 to support the following clients:

    1) Windows 7
    2) Windows 8
    3) Windows 10
    4) Mac OS

    We are able to do testing with the Windows laptops, but for Mac OS we are unable to proceed because we don’t know whether DirectAccess will support Mac OS or not. But I saw your article on the Celestix Networks website saying that DirectAccess supports Mac OS and that for this we need to install the Secure Access client from Celestix. So I applied for a 30-day trial version of the software to check how it works. Could you please let me know of any document or article which describes how DirectAccess will support Mac OS?

    I didn’t get the trial software yet, and once I get the software I need to do testing on Mac OS. So it would be great if you have a document about Mac OS on DirectAccess.

    Thanks & Regards
    Chandrashekar HS

    • The Mac OS is not a supported DirectAccess client. The only operating systems that work for DirectAccess are Windows 10 Enterprise, Windows 10 Education, Windows 8.x Enterprise, Windows 7 Enterprise, and Windows 7 Ultimate. The Celestix solution is a custom VPN solution and is not DirectAccess.

