Windows Server 2012 Thread, Direct Access in Technical
23rd June 2013, 01:03 AM #1
Has anyone else tried the Direct Access role in 2012 yet? I had a go and managed to cripple my entire network but after all that I am still interested in getting it running. The evil network manager inside me wants to be able to tell all teaching staff they can now work anywhere in the world with no excuse.
For those of you wondering how the hell you cripple a network by installing a role.... when it says something about applying the group policy it creates to the top of the domain..... pay attention.
23rd June 2013, 01:18 AM #2
And pray tell, what does this GPO do?
23rd June 2013, 01:23 AM #3
Well, my initial idea was to just rush through the settings, putting what I thought was right, but with a view that I would test each setting slowly in a controlled environment, and then the "I can't login" calls came in.
The thing had placed a group policy with basically firewall settings blocking access to the internal network. This rolled out across the site fairly quickly and the real beauty was I couldn't refresh the group policy because the new settings blocked any communication and trust with the domain!
It wasn't the most proud moment of my career so far but taught me the lesson of when a piece of software mentions group policy, don't skip it and say "I will get a coffee and read up what it was talking about later on".
23rd June 2013, 01:44 AM #4
Ah. Yes, the 'balls, I've just screwed the network' moment of panic, I know it well. Why, you ask? Well, let's just say that plugging an Ethernet cord from one wall port into another wall port rather than the PC not ten centimeters away is not smart, and proves you shouldn't install PCs at 17:45 after a very long day.
So you're not alone in doing things like that! How'd you update the GPs in the end?
23rd June 2013, 12:22 PM #5
I thought you associated those Group Policies with a group? So it would only end up applying if a computer was in a particular group?
23rd June 2013, 07:35 PM #6
Yeah, this just applied it to the top of the domain. We had no option but to run around and rebuild every computer that was on. Every student desktop, laptop and admin machine (about 350ish). Luckily we have a nice fast deployment. Lost a few pounds in weight that afternoon but glad our staff laptops and servers have a non inheritance.
23rd June 2013, 08:29 PM #7
By chance, did you screw up your DNS on your PCs? I did the same (well, only on my testing rig). Either way, there is a fix here (although it is a manual one) - The F5 Guy » Direct Access – Corrupt NRPT Fix
23rd June 2013, 09:15 PM #8
What about the group you have to specify? Were all machines part of that group?
24th June 2013, 08:25 AM #9
I've never implemented it live but did it as part of a training course and it's not simple.
The basic gist as I remember it is that you need the 2 external IP addresses and then IPv6 all the way to and through the network. It shouldn't have put the GPO at the very top though, as you can designate down to whichever group you need it to be for.
24th June 2013, 09:24 AM #10
@Tricky_Dicky 2012 DA does not require 2 external IPs or IPv6.
24th June 2013, 09:27 AM #11
Ah, I didn't know that, thanks for the update!