Uninstalling and Removing DirectAccess

Uninstalling and Removing DirectAccess This web site is primarily dedicated to installing, configuring, managing, and troubleshooting DirectAccess on Windows Server 2012 R2 and Windows Server 2016. However, there’s little documentation on how to properly uninstall and remove DirectAccess. This post provides guidance for gracefully uninstalling and removing DirectAccess after it has been deployed.

DirectAccess Clients

It is recommended that all clients be deprovisioned prior to decommissioning a DirectAccess deployment. This is especially true if the Network Location Server (NLS) is hosted on the DirectAccess server itself. Remove all client computers from the DirectAccess client security group or unlink DirectAccess client settings GPOs (but don’t delete them!) from any OUs where they are applied. Allow sufficient time for all clients to process security group membership changes and update group policy before uninstalling DirectAccess.

Network Location Server

If the NLS is installed separate from the DirectAccess server, it is recommended that it remain online for a period of time after DirectAccess has been decommissioned. Clients will be unable to access local resources if they still have DirectAccess client settings applied and the NLS is offline. Keeping the NLS online prevents this from happening. If this does happen, you’ll need to delete the Name Resolution Policy Table (NRPT) on the client to restore connectivity. To do this, run the following command in an elevated PowerShell command window and restart the computer.

Get-Item -Path “HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig” | Remove-Item -Confirm:$false

Uninstall DirectAccess

It is not recommended to decommission DirectAccess by simply turning off all DirectAccess servers and manually deleting all of the associated group policy objects (GPOs) in Active Directory. A better way is to gracefully remove DirectAccess using the GUI or PowerShell.

To uninstall DirectAccess using the GUI, open the Remote Access Management console, highlight DirectAccess and VPN, and then click Remove Configuration Settings in the Tasks pane.

Uninstalling and Removing DirectAccess

Alternatively, DirectAccess can be removed by running the following command in an elevated PowerShell command window.

Uninstall-RemoteAccess -Force

Additional Resources

DirectAccess Network Location Server (NLS) Guidance

DirectAccess Network Location Server (NLS) Deployment Considerations for Large Enterprises

Implementing DirectAccess with Windows Server 2016

DirectAccess Troubleshooting and Configuration Training at TechMentor Redmond 2017

DirectAccess and Windows 10 in EducationI’m really excited to announce that I have once again been invited to speak at the upcoming TechMentor event in Redmond, WA August 7-11, 2017! This year I’ll be presenting two important deep-dive training sessions on DirectAccess. The first is a three-hour course on implementing DirectAccess using Windows Server 2016. This session will cover infrastructure prerequisites as well as tips, tricks, and best practices for implementing DirectAccess using Windows Server 2016. In addition I will also be delivering a three-hour deep dive on DirectAccess troubleshooting. In this session, I’ll share valuable insight, tools, and techniques for quickly identifying and resolving many common DirectAccess connectivity and performance issues. In addition I will also be giving a short talk on getting started with Azure site-to-site networking. If you want to take advantage of the power and flexibility that the Azure public cloud has to offer, extending your on-premises datacenter using site-to-site VPN is essential.

Register today using code TMSPK05 and save!

M01: Implementing DirectAccess with Windows Server 2016
T03: DirectAccess Troubleshooting Deep Dive
T07: Getting Started with Azure Site-to-Site Networking

TechMentor Redmond 2017

DirectAccess IP-HTTPS Preauthentication using F5 BIG-IP

Note: For information about configuring the Citrix NetScaler to perform IP-HTTPS preauthentication, click here. For information about configuring Windows Server 2012 R2 to perform IP-HTTPS preauthentication natively, click here.

Introduction

DirectAccess IP-HTTPS Preauthentication using F5 BIG-IPRecently I wrote about security challenges with DirectAccess and the IP-HTTPS IPv6 transition technology. Specifically, IP-HTTPS transition tunnel connections are not authenticated by the DirectAccess server, only the client. This allows an unauthorized device to obtain an IPv6 address on the DirectAccess client network. With it, an attacker can perform network reconnaissance using ICMPv6 and potentially launch a variety of Denial-of-Service (DoS) attacks. For more details, click here.

Note: DirectAccess IPsec data connections not at risk. Data is never exposed at any time with the default configuration.

Mitigation

To mitigate these issues, it is recommended that an Application Delivery Controller (ADC) be used to terminate SSL connections and enforce client certificate authentication. Doing this will ensure that only authorized connections will be accepted by the DirectAccess server. In addition, there are some scalability and performance benefits to implementing this configuration when supporting Windows 7 clients.

Important Considerations

Performing IP-HTTPS preauthentication on the F5 BIG-IP is formally unsupported by Microsoft. In addition, terminating IP-HTTPS on the F5 appliance breaks OTP authentication.

F5 BIG-IP Configuration

To configure the F5 BIG-IP to perform SSL offload for DirectAccess IP-HTTPS, follow the guidance documented here. In addition, to configure the F5 BIG-IP to perform preauthentication for DirectAccess clients, when creating the client SSL profile, click Custom above the Client Authentication section and choose Require from the Client Certificate drop-down list and Always from the Frequency drop-down list. In addition, choose your internal PKI’s root Certification Authority (CA) certificate from the Trusted Certificate Authorities drop-down list and from the Advertised Certificate Authorities drop-down list.

DirectAccess IP-HTTPS Preauthentication using F5 BIG-IP

Summary

Enabling client certificate authentication for IP-HTTPS connections ensures that only authorized DirectAccess clients can establish a connection to the DirectAccess server and obtain an IPv6 address. It also prevents an unauthorized user from performing network reconnaissance or launching IPv6 Denial-of-Service (DoS) attacks.

Windows Clients Do Not Receive DirectAccess Configuration Changes

Windows Clients Do Not Receive DirectAccess Configuration Changes

A scenario can occur in which changes to the DirectAccess configuration made using the Remote Access Management console or at the command line using PowerShell are not reflected on the DirectAccess client, even after receiving the latest group policy updates. The issue occurs for DirectAccess clients that are provisioned with the Offline Domain Join (ODJ, or djoin.exe) tool.

When the ODJ provisioning package is initially created, it does not add the new computer account to the DirectAccess security group. The ODJ-provisioned client receives all DirectAccess configuration settings at the time of provisioning, but it will not receive subsequent changes to the DirectAccess configuration made after it was originally provisioned.

To resolve this issue, be sure to proactively add the DirectAccess client’s computer account to the appropriate DirectAccess security group in Active Directory after provisioning with ODJ using Active Directory Users and Computers (ADUC), the Active Directory Administrative Center (ADAC), or by executing the following PowerShell command:

Add-ADGroupMember -Identity [DirectAccess Client Security Group] -Members [computername]

Once the DirectAccess client has been added to the security group and restarted, it will then receive DirectAccess configuration settings changes going forward.

DirectAccess DNS Not Working Properly

Name resolution and proper DNS server configuration is vital to the functionality of DirectAccess. When performing initial configuration of DirectAccess, or making changes to the DNS server configuration after initial configuration, you may notice the operations status for DNS indicates Critical, and that the operations state shows Server responsiveness.

DirectAccess DNS Not Working Correctly

Highlighting the DNS server on the Operations Status page and viewing the details shows that DNS is not working properly with the following error message:

None of the enterprise DNS servers <IPv6_address> used by DirectAccess
clients for name resolution are responding. This might affect DirectAccess
client connectivity to corporate resources.

DirectAccess DNS Not Working Correctly

There are a number of things that can contribute to this problem, but a common cause is an error made when assigning a DNS server to a specific DNS suffix. An inexperienced DirectAccess administrator might specify the IPv4 address of an internal corporate DNS server, which is incorrect. The DNS server IPv4 address should be the address assigned to the DirectAccess server’s internal network interface.

The best way to ensure that the DNS server is configured correctly for DirectAccess is to delete the existing entry and then click Detect.

DirectAccess DNS Not Working Correctly

An IPv6 address will be added automatically. This is the IPv6 address of the DNS64 service running on the DirectAccess server, which is how the DNS server should be configured for proper DirectAccess operation.

DirectAccess DNS Not Working Correctly

Once the changes have been saved and applied, the DNS server should once again respond and the status should return to Working.

DirectAccess DNS Not Working Correctly

DirectAccess Client and Server Settings GPOs Deleted

Microsoft Windows Server Active DirectoryFor DirectAccess deployments where domain controllers are running Windows Server 2003 or Windows Server 2003 R2 using the File Replication Service (FRS) for replication, DirectAccess client and server settings Group Policy Objects (GPOs) may be deleted. If these GPOs are deleted, DirectAccess connectivity will be disrupted. If the GPOs cannot be recovered via backup, it will be necessary to rebuild the entire DirectAccess deployment from scratch.

Microsoft recently updated their DirectAccess Unsupported Configurations documentation to reflect new guidance for DirectAccess deployments where the FRS is used for the distribution of Active Directory GPOs. DirectAccess is no longer supported in environments where FRS is used for SYSVOL replication.

What this means is that if you plan to deploy DirectAccess, domain controllers must be running Windows Server 2008 or later, and Distributed File System Replication (DFS-R) must be used for replication.

More details can be found here.

Hotfix Available for DirectAccess OTP Configuration Issues

If you’ve ever tried configuring DirectAccess to use One-Time Password (OTP) authentication, you’ve no doubt discovered that the native Microsoft Remote Access Management console would return the following error when trying to detect and locate Certificate Authority (CA) servers.

No CA servers can be detected, and OTP cannot be configured. Ensure that
servers added to the list are available on each domain controller in the
corporate network.

Configure DirectAccess with OTP Authentication

The workaround for this issue required dropping to the command line and executing PowerShell commands to complete this configuration as I outlined here.

Thankfully Microsoft has made available a hotfix to address this issue, returning full GUI functionality for configuring DirectAccess and OTP authentication. For additional details about this hotfix and to request the update itself, click here.

Configure DirectAccess with OTP Authentication

Updated 6/10/2015: This post was revised to include instructions for enabling OTP support for Windows 7 clients and for configuring OTP on the DirectAccess server using the Remote Access Management console.

Introduction

DirectAccess in Windows Server 2012 R2 provides significantly improved authentication over traditional client-based VPN solutions. When configured to use certificate authentication (a recommended best practice) the DirectAccess client is authenticated using its machine certificate and its Active Directory computer account. Once the client machine has been authenticated, the user is also authenticated via Kerberos against a live domain controller over the existing DirectAccess connection. These multiple authentication steps provide a high level of assurance for DirectAccess-connected clients. If that’s not enough to meet your needs, additional strong user authentication is supported using dynamic One-Time Passwords (OTP).

Drawbacks for DirectAccess with OTP

While OTP provides an additional level of assurance, it does come with a few drawbacks. OTP adds additional complexity and makes troubleshooting more difficult. OTP cannot be configured with force tunneling; the two security features are mutually exclusive. DirectAccess OTP does not support RADIUS challenge-response. For Windows 7 clients, the DirectAccess Connectivity Assistant (DCA) v2.0 must be deployed. In addition, enabling OTP with DirectAccess disables the use of null cipher suites for IP-HTTPS. This can potentially have a negative effect on performance and scalability (more details here). Also, OTP fundamentally breaks the seamless and transparent nature of DirectAccess.

Configuring DirectAccess OTP

OTP for DirectAccess makes use of short-lived certificates for user authentication. Thus, enabling OTP for DirectAccess requires making changes to the internal Public Key Infrastructure (PKI). DirectAccess in Windows Server 2012 R2 can be configured to use the same Certificate Authority (CA) that is used to issue computer certificates to the DirectAccess clients and servers. This differs from DirectAccess with Forefront Unified Access Gateway (UAG) 2010, where a separate, dedicated CA was required.

To configure DirectAccess OTP, follow the instructions below.

OTP Certificate Request Signing Template

Open the Certification Authority management console, right-click Certificate Templates, and then choose Manage. Alternatively you can enter certtmpl.msc in the Start/Run box or search from the Windows Start menu. Right-click the Computer template and choose Duplicate Template. On a Windows Server 2008 or 2008 R2 CA, select Windows Server 2008 Enterprise when prompted for the duplicate certificate template version.

Configure DirectAccess with OTP Authentication

On a Windows Server 2012 or 2012 R2 CA, select Compatibility tab and then select Windows Server 2008 R2 for the Certification Authority and Windows 7/Windows Server 2008 R2 for the Certificate recipient.

Configure DirectAccess with OTP Authentication

Select the General tab and provide a descriptive name for the Template Display Name. Specify a validity period of 2 days and a renewal period of 1 day.

Configure DirectAccess with OTP Authentication

Select the Security tab and click Add. Click Object Types and then select Computers and click Ok. Enter the names of each DirectAccess server separated by semicolons and click Check Names. Click Ok when finished. For each DirectAccess server, grant Read, Enroll, and Autoenroll permissions. Select Authenticated Users and remove any permissions other than Read. Select Domain Computers and remove the Enroll permission. Select Domain Admins and grant Full Control permission. Do the same for Enterprise Admins.

Configure DirectAccess with OTP Authentication

Select the Subject Name tab and choose the option to Build from this Active Directory information. Select DNS name in the Subject name format drop-down list and confirm that DNS name is checked under Include this information in alternate subject name.

Configure DirectAccess with OTP Authentication

Select the Extensions tab, highlight Application Policies and click Edit.

Configure DirectAccess with OTP Authentication

Remove all existing application policies and then click Add and then New. Provide a descriptive name for the new application policy and enter 1.3.6.1.4.1.311.81.1.1 for the Object Identifier. Click Ok for all remaining dialog boxes.

Configure DirectAccess with OTP Authentication

OTP Certificate Template

In the Certificate Templates Console, right-click the Smartcard Logon certificate template and choose Duplicate Template. On a Windows Server 2008 or 2008 R2 CA, select Windows Server 2008 Enterprise when prompted for the duplicate certificate template version.

Configure DirectAccess with OTP Authentication

On a Windows Server 2012 or 2012 R2 CA, select the Compatibility tab and then select Windows Server 2008 R2 for the Certification Authority and Windows 7/Windows Server 2008 R2 for the Certificate recipient.

Configure DirectAccess with OTP Authentication

Select the General tab and provide a descriptive name for the Template Display Name. Specify a validity period of 1 hour and a renewal period of 0 hours.

Configure DirectAccess with OTP Authentication

Note: It is not possible to set the validity period to hours on a Windows Server 2003 Certificate Authority (CA). As a workaround, use the Certificate Templates snap-in on another system running Windows 7/Windows Server 2008 R2 or later. Also, if the CA is running Windows Server 2008 R2, the template must be configured to use a Renewal Period of 1 or 2 hours and a Validity Period that is longer but no more than 4 hours.

Select the Security tab, then highlight Authenticated Users and grant Read and Enroll permissions. Select Domain Admins and grant Full Control permission. Do the same for Enterprise Admins.

Configure DirectAccess with OTP Authentication

Select the Subject Name tab and choose the option to Build from this Active Directory information. Select Fully distinguished name in the Subject name format drop-down list and confirm that User principal name (UPN) is checked under Include this information in alternate subject name.

Configure DirectAccess with OTP Authentication

Select the Server tab and choose the option Do not store certificates and requests in the CA database. Clear the checkbox next to Do not include revocation information issued in certificates.

Configure DirectAccess with OTP Authentication

Select the Issuance Requirements tab and set the value for This number of authorized signatures to 1. Confirm that Application Policy is selected from the Policy type required in signature drop-down list and choose the OTP certificate request signing template created previously.

Configure DirectAccess with OTP Authentication

Select the Extensions tab, highlight Application Policies and click Edit. Highlight Client Authentication and click Remove. Ensure that the only application policy listed is Smart Card Logon.

Configure DirectAccess with OTP Authentication

Certificate Authority Configuration

In the Certificate Authority management console, right-click Certificate Templates, choose New, and then Certificate Template to Issue. Highlight both of the certificate templates created previously and click Ok.

Configure DirectAccess with OTP Authentication

Open an elevated command prompt and enter the following command:

certutil.exe -setreg dbflags +DBFLAGS_ENABLEVOLATILEREQUESTS

Configure DirectAccess with OTP Authentication

Restart the Certificate Authority service by right-clicking the CA in the Certificate Authority management console and choosing All Tasks and then Stop Service. Once complete, repeat these steps and choose Start Service.

DirectAccess Server Configuration

In the Remote Access Management console, select DirectAccess and VPN under Configuration in the navigate pane and then click Edit on Step 2 – Remote Access Server. Select Authentication, choose Two-factor authentication (smart card or one-time password (OTP)), and then check the option to Use OTP.

Configure DirectAccess with OTP Authentication

Click Next and then add the RADIUS servers that will be used for OTP authentication. Provide the hostname, FQDN, or IP address of the server, the shared secret, and specify the service port.

Configure DirectAccess with OTP Authentication

Click Next, select the CA server that will be used to issue certificates to DirectAccess clients for OTP authentication, and then click Add.

Click Next, select the CA server that will be used to issue certificates to DirectAccess clients for OTP authentication, and then click Add.

Note: When performing this step you may receive the following error.

No CA servers can be detected, and OTP cannot be configured. Ensure that
servers added to the list are available on each domain controller in the
corporate network.

Configure DirectAccess with OTP Authentication

If this occurs, close out of the Remote Access Management console and install this hotfix.

Click Next and select the certificate templates to be used for the enrollment of certificates that are issued for OTP authentication. Also select a certificate template used to enroll the certificate used by the DirectAccess server to sign OTP certificate enrollment requests.

Configure DirectAccess with OTP Authentication

Click Next and specify whether selected DirectAccess users can authenticate with a user name and password when OTP authentication is disabled. If some users need to be exempted from using OTP, specify the security group as required and click Finish.

Configure DirectAccess with OTP Authentication

Click Edit on Step 3 – Infrastructure Servers. Select Management and add the CA server used for OTP authentication to the list of management servers.

Configure DirectAccess with OTP Authentication

Click Ok and then Finish. Click Finish once more and then apply the changes.

DirectAccess OTP Client Experience

When a DirectAccess client is outside of the corporate network and has established DirectAccess connectivity, users can log on to their machine and access their desktop, but they will not be able to access corporate resources without first providing their OTP.

For Windows 8 clients, swipe in from the right side of the screen or press Window Key + I and click on the active network connection. The DirectAccess Workplace Connection will indicate that action is needed. Clicking on the Workplace Connection will indicate that credentials are needed. Clicking Continue will prompt the user to press Ctrl+Alt+Delete and provide their OTP.

Configure DirectAccess with OTP Authentication

For Windows 7 clients, an alert from the DirectAccess Connectivity Assistant (DCA) in the system tray will indicate that Windows needs your smart card credentials. Clicking on the notification Window will prompt the user to provide their OTP.

Configure DirectAccess with OTP Authentication

Alternatively the user can click on the DCA icon in the system tray and then click Lock and unlock your computer with a smartcard or a one-time password. The user will then press CTRL+ALT+DELETE, choose Other Credentials, select One-time password (OTP), and then provide their OTP.

Configure DirectAccess with OTP Authentication

Summary

Using dynamic, one-time passwords is an effective way to provide the highest level of assurance for remote DirectAccess clients. It does come with some potential drawbacks, so be sure to consider those before implementing OTP.

DirectAccess Configuration Load Error after Enabling NLB in Hyper-V

When the Windows Server 2012 R2 DirectAccess server is deployed on a virtual machine running in Microsoft Hyper-V, a complete loss of network connectivity immediately after enabling Network Load Balancing (NLB) may occur. In addition, the Remote Access Management console may report the following error .

Configuration Load Error
Settings for <da_hostname> cannot be retrieved.
Domain controller <dc_hostname> cannot be reached for localhost.
Try to reload the configuration.

DirectAccess Configuration Load Error after Enabling NLB in Hyper-V

This issue may be caused by incorrect virtual network adapter settings on the Hyper-V host. To resolve this issue, open the Hyper-V management console, right-click the DirectAccess guest virtual machine and choose Settings. Expand the virtual network adapter and select Advanced Features, then select the option to Enable MAC address spoofing. Repeat these steps for each virtual network adapter assigned to the DirectAccess server virtual machine. Apply the settings and restart the DirectAccess server.

DirectAccess Configuration Load Error after Enabling NLB in Hyper-V

%d bloggers like this: