Windows Server 2012 Thread, Direct Access in Technical
  1. #1
    robjduk's Avatar

    Direct Access

    Has anyone else tried the Direct Access role in 2012 yet? I had a go and managed to cripple my entire network but after all that I am still interested in getting it running. The evil network manager inside me wants to be able to tell all teaching staff they can now work anywhere in the world with no excuse.

    For those of you wondering how the hell you cripple a network by installing a role.... when it says something about applying the group policy it creates to the top of the domain..... pay attention.

  2. #2
    FishCustard's Avatar
    And pray tell, what does this GPO do?

  3. #3
    robjduk's Avatar
    Well, my initial idea was to just rush through the settings, putting what I thought was right but with a view I will test each setting slowly in a controlled environment, and then the "I can't login" calls came in.
    The thing had placed a group policy with basically firewall settings blocking access to the internal network. This rolled out across the site fairly quickly and the real beauty was I couldn't refresh the group policy because the new settings blocked any communication and trust with the domain!
    It wasn't the most proud moment of my career so far but taught me the lesson of when a piece of software mentions group policy, don't skip it and say "I will get a coffee and read up what it was talking about later on".

  4. #4
    FishCustard's Avatar
    Ah. Yes, the 'balls, I've just screwed the network' moment of panic, I know it well. Why, you ask? Well, let's just say that plugging an Ethernet cord from one wall port into another wall port rather than the PC not ten centimeters away is not smart, and proves you shouldn't install PCs at 17:45 after a very long day.

    So you're not alone in doing things like that! How'd you update the GPs in the end?

  5. #5

    FN-GM's Avatar
    I thought you associated those Group Policies with a group? So it would only end up applying if a computer was in a particular group?

  6. #6
    robjduk's Avatar
    Yeah, this just applied it to the top of the domain. We had no option but to run around and rebuild every computer that was on. Every student desktop, laptop and admin machine (about 350ish). Luckily we have a nice fast deployment. Lost a few pounds in weight that afternoon but glad our staff laptops and servers have a non inheritance.

  7. #7
    jamesfed's Avatar
    By chance did you screw up your DNS on your PCs? I did the same (well, only on my testing rig). Either way there is a fix here (although it is a manual one) - The F5 Guy Direct Access – Corrupt NRPT Fix

  8. #8

    FN-GM's Avatar
    Quote Originally Posted by robjduk View Post
    Yeah, this just applied it to the top of the domain. We had no option but to run around and rebuild every computer that was on. Every student desktop, laptop and admin machine (about 350ish). Luckily we have a nice fast deployment. Lost a few pounds in weight that afternoon but glad our staff laptops and servers have a non inheritance.
    What about the group you have to specify? Were all machines part of that group?

  9. #9

    I've never implemented it live but did it as part of a training course and it's not simple.
    The basic gist as I remember it is that you need the 2 external IP addresses and then IPv6 all the way to and through the network. It shouldn't have put the GPO at the very top though, as you can designate down to whichever group you need it to be for.

  10. #10

    FN-GM's Avatar
    Quote Originally Posted by Tricky_Dicky View Post
    I've never implemented it live but did it as part of a training course and it's not simple.
    The basic gist as I remember it is that you need the 2 external IP addresses and then IPv6 all the way to and through the network. It shouldn't have put the GPO at the very top though, as you can designate down to whichever group you need it to be for.
    @Tricky_Dicky 2012 DA does not require 2 external IP or IPv6

  11. #11

    Quote Originally Posted by FN-GM View Post
    @Tricky_Dicky 2012 DA does not require 2 external IP or IPv6
    Ah, I didn't know that, thanks for the update!
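
The thread turns on a GPO that ended up linked at the top of the domain, and on which OUs were spared by blocked inheritance. The following read-only audit is an added example, not from any poster; it assumes the RSAT GroupPolicy and ActiveDirectory modules on a domain-joined management host, and the `$broadTrustees` list is an assumption to adjust for your domain.

```powershell
# Added example: list GPOs linked at the domain root, who they apply to,
# and which OUs block inheritance. Makes no changes to AD or any GPO.
Import-Module GroupPolicy, ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# Assumption: trustees that make a GPO apply to (nearly) every machine.
$broadTrustees = 'Authenticated Users', 'Domain Computers', 'Everyone'

$rootLinks = foreach ($link in (Get-GPInheritance -Target $domainDn).GpoLinks) {
    # Security filtering = trustees holding "Apply group policy".
    # WMI filters are not evaluated here and may narrow the scope further.
    $applyTo = Get-GPPermission -Guid $link.GpoId -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }

    [pscustomobject]@{
        Gpo       = $link.DisplayName
        Enabled   = $link.Enabled
        Enforced  = $link.Enforced   # enforced links override blocked inheritance
        AppliesTo = $applyTo -join ', '
        Broad     = [bool]($applyTo | Where-Object { $_ -in $broadTrustees })
    }
}

# Root-linked GPOs, broadly scoped ones first.
$rootLinks | Sort-Object Broad -Descending | Format-Table -AutoSize

# OUs that block inheritance: a non-enforced root link will not reach these.
$blockedOus = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $inh = Get-GPInheritance -Target $ou.DistinguishedName
    if ($inh.GpoInheritanceBlocked) { $ou.DistinguishedName }
}
$blockedOus
```

Running this before and after a role wizard that creates GPOs shows whether a new link appeared at the root and whether it is filtered to a specific group or applies to every computer.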
