All posts tagged management

DirectAccess WinRM Conflicts and Errors

Introduction

When installing DirectAccess for the first time, an administrator may encounter the following error message while running the Remote Access Setup wizard.

Error. The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: “winrm quickconfig”.

DirectAccess WinRM Conflicts and Errors

Troubleshooting

Running winrm quickconfig in an elevated PowerShell command window returns the following message.

WinRM service is already running on this machine.
WinRM is already set up for remote management on this computer.

DirectAccess WinRM Conflicts and Errors

Clicking Check prerequisites again does not resolve the error message.

Post-Installation Errors

If DirectAccess is already installed and working properly, an administrator may encounter a scenario in which the operations status page displays nothing, yet remote DirectAccess clients are connected and able to access corporate resources without issue.

DirectAccess WinRM Conflicts and Errors

In addition, clicking Edit on Step 2 in the Remote Access Management console and choosing Network Adapters produces an error message stating “An error occurred when validating interfaces”. You can select a network adapter from the drop-down list, but the Next and Finish buttons are grayed out.

DirectAccess WinRM Conflicts and Errors

Conflicts with WinRM

These errors are commonly caused by a conflict with WinRM Service settings enforced via Active Directory group policy. To confirm this, open an elevated PowerShell command window run the winrm enumerate winrm/config/listener command. The listener configuration source will be listed as GPO.

DirectAccess WinRM Conflicts and Errors

The administrator will also find the presence of the following registry keys on the DirectAccess server.

HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\AllowAutoConfig
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\IPv4Filter
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\IPv6Filter

Resolution

To resolve this conflict, prevent the GPO with this setting from being applied to the DirectAccess server(s). You will find this GPO setting in the Group Policy Management console (GPMC) by navigating to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Service and setting the state of Allow remote server management through WinRM to Not configured.

DirectAccess WinRM Conflicts and Errors

Additional Resources

DirectAccess and Windows 10 Better Together

DirectAccess and Windows 10 in Education

VIDEO – DirectAccess and Windows 10 in Action 

BOOK – Implementing DirectAccess with Windows Server 2016

Leave a comment
by Richard M. Hicks on February 13, 2017  •  Permalink
Posted in DirectAccess, PowerShell, Remote Access, troubleshooting, Windows Server 2012 R2, Windows Server 2016
Tagged , , , , , , , , , ,

Posted by Richard M. Hicks on February 13, 2017

https://directaccess.richardhicks.com/2017/02/13/directaccess-winrm-conflicts-and-errors/

DirectAccess and Windows 10 in Education

DirectAccess and Windows 10 in EducationIntroduction

DirectAccess provides seamless and transparent, always on remote network connectivity for managed Windows clients. It is commonly installed in large enterprises to provide better management for field-based assets, and to streamline the remote access experience for end users. Today, DirectAccess is a mature technology that is widely deployed across many verticals, but education is one that is often overlooked.

Benefits of DirectAccess

For commercial enterprises, the benefits of DirectAccess are many. Windows 10 DirectAccess clients have ubiquitous access to on-premises applications and data without requiring user interaction. This streamlined user access improves productivity and reduces helpdesk costs. DirectAccess is always on, allowing client machines to stay in contact with domain controllers and systems management servers, ensuring they are always managed.

DirectAccess in Education

Many of the same benefits DirectAccess provides for the enterprise are also important in the education sector. Often administrators for schools and colleges have many Windows-based machines that they must both manage and provide secure remote access for. In addition, they struggle with the same issues that enterprises do, such as maintaining configuration and security posture for devices that are predominantly remote.

Windows 10 and Education

Windows 10 November Update Available TodayThe Windows 10 Education SKU is a supported client operating system for DirectAccess, enabling educational institutions using this license to implement a remote access solution with DirectAccess using Windows Server 2012 R2 or Windows Server 2016. Implementing a DirectAccess remote access solution can result in significant cost savings, as DirectAccess requires no investments in proprietary hardware and has no associated per-user licensing.

Windows 10 Anniversary Update

Microsoft is making a concerted effort to address the education sector with new and compelling features to be included in the Windows 10 Anniversary Update, released earlier this week. For example, they have introduced apps that simplify the setup of school PCs. App discovery and purchasing are easier, and stylus support is improved. Native integration with Office 365 is another important factor. There are also a number of significant new security features that will make migrating to Windows 10 a worthy investment.

DirectAccess and Windows 10 in Education

Summary

If you are an administrator working for any educational institution and are struggling with maintaining and supporting your field-based Windows devices, consider a DirectAccess remote access solution today. With DirectAccess implemented, users will be more productive and remote machines better managed. DirectAccess can also be deployed using existing infrastructure, and it supports flexible network deployment along with many scalability features that will ensure the highest levels of availability.

Additional Resources

Video: DirectAccess and Windows 10 in Action
3 Important Things about Windows 10 and DirectAccess
DirectAccess and Windows 10 Better Together
DirectAccess Consulting Services
Book: Implementing DirectAccess with Windows Server 2016

2 Comments
by Richard M. Hicks on August 4, 2016  •  Permalink
Posted in DirectAccess, education, Remote Access, Security, Windows 10, Windows Server 2012 R2, Windows Server 2016
Tagged , , , , , , , , , , , ,

Posted by Richard M. Hicks on August 4, 2016

https://directaccess.richardhicks.com/2016/08/04/directaccess-and-windows-10-in-education/

DirectAccess and Windows Server 2012 R2 Core

Important Note: The ability to switch back and forth between the full GUI and core versions of Windows was removed from Windows Server 2016. If you are deploying DirectAccess on Windows Server 2016, you must install server core initially. More details here.

DirectAccess and Windows Server 2012 R2 Core

Windows Server Core is an operating system configuration option that does not include a Graphical User Interface (GUI). Server Core was first introduced with Windows Server 2008 and originally included only a limited number of supported roles. With each subsequent release, Microsoft continues to add support for additional roles on Server Core. Beginning with Windows Server 2012, the Routing and Remote Access (RRAS) role, which includes DirectAccess, is a supported workload on Server Core.

Advantages of Server Core

There are a number of important advantages that come with running DirectAccess on Server Core. Server Core has a greatly reduced attack surface compared to the full GUI version, which is positive from a security perspective. Server Core also features a dramatically reduced footprint, consuming less RAM and disk space. System startup times are faster, and this refactored installation option also reduces servicing requirements (patching), eliminating many reboots and increasing availability and overall system uptime.

DirectAccess and Windows Server 2012 R2 Core

Figure 1 – Windows Server 2012 R2 Core Desktop (Yes, that’s it!)

Server Core Configuration

DirectAccess is a workload that lends itself well to running on Server Core, and I highly recommend leveraging this configuration whenever possible. Based on my experience, I suggest performing initial configuration and testing of the DirectAccess solution with the GUI installed, and then removing the GUI just before placing the DirectAccess server in to production. Removing the GUI can be accomplished by executing the following PowerShell command:

Remove-WindowsFeature Server-Gui-Mgmt-Infra –Restart

Once the server has been converted to Server Core, all administration must be performed at the command line on the server, or remotely from a management server or workstation using the command line or GUI administration tools. You can install the Remote Access Management console on any Windows Server 2012 R2 server using the following PowerShell command:

Install-WindowsFeature RSAT-RemoteAccess

Optionally you can download and install the Windows Server Remote Administrations Tools (RSAT) on a Windows client workstation, if desired.

Minimal Server Interface Configuration

If you prefer to be able to manage the DirectAccess server locally using the GUI, consider enabling the Minimal Server Interface. Minimal Server Interface is a configuration option that lies between Server Core and the full GUI interface. It features some of the benefits of Server Core, while at the same time providing local access to GUI management tools such as the Remote Access Management console. You can configure Minimal Server Interface using the following PowerShell command:

Remove-WindowsFeature Server-Gui-Shell -Restart

You can access the Remote Access Management console by entering RaMgmtUI.exe from the command line.

Revert to Full GUI

If at any point in the future you require the GUI for some reason, re-installing it can be accomplished using the following PowerShell command:

Install-WindowsFeature Server-Gui-Shell –Restart

Summary

With the Unified Remote Access role supported on Windows Server Core, consider implementing DirectAccess using this option to improve the security and increase the availability of your remote access solution. You’ll find that almost all ongoing server maintenance and support can be accomplished remotely using GUI tools, or locally using PowerShell. And if you ever need the GUI again, you can always add it back if necessary!

Additional Resources

DirectAccess on Windows Server 2016 Core

3 Comments
by Richard M. Hicks on November 16, 2015  •  Permalink
Posted in DirectAccess, Enterprise, High Availability, PowerShell, Remote Access, Security, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016
Tagged , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on November 16, 2015

https://directaccess.richardhicks.com/2015/11/16/directaccess-and-windows-server-2012-r2-core/

« Older Posts
Newer Posts »