Windows Server 2012 Thread, Direct Access in Technical
  1. #1
    robjduk

    Direct Access

    Has anyone else tried the Direct Access role in 2012 yet? I had a go and managed to cripple my entire network but after all that I am still interested in getting it running. The evil network manager inside me wants to be able to tell all teaching staff they can now work anywhere in the world with no excuse.

    For those of you wondering how the hell you cripple a network by installing a role.... when it says something about applying the group policy it creates to the top of the domain..... pay attention.

  2. #2
    FishCustard
    And pray tell, what does this GPO do?

  3. #3
    robjduk
    Well, my initial idea was to just rush through the settings, putting what I thought was right but with a view that I would test each setting slowly in a controlled environment, and then the "I can't log in" calls came in.
    The thing had placed a group policy with basically firewall settings blocking access to the internal network. This rolled out across the site fairly quickly and the real beauty was I couldn't refresh the group policy because the new settings blocked any communication and trust with the domain!
    It wasn't the most proud moment of my career so far but taught me the lesson of when a piece of software mentions group policy, don't skip it and say "I will get a coffee and read up what it was talking about later on".

  4. #4
    FishCustard
    Ah. Yes, the 'balls, I've just screwed the network' moment of panic, I know it well. Why, you ask? Well, let's just say that plugging an Ethernet cord from one wall port into another wall port rather than the PC not ten centimeters away is not smart, and proves you shouldn't install PCs at 17:45 after a very long day.

    So you're not alone in doing things like that! How'd you update the GPs in the end?

  5. #5

    FN-GM
    I thought you associated those Group Policies with a group? So it would only end up applying if a computer was in a particular group?

  6. #6
    robjduk
    Yeah, this just applied it to the top of the domain. We had no option but to run around and rebuild every computer that was on. Every student desktop, laptop and admin machine (about 350ish). Luckily we have a nice fast deployment. Lost a few pounds in weight that afternoon but glad our staff laptops and servers have a non inheritance.

  7. #7
    jamesfed
    By chance did you screw up your DNS on your PCs? I did the same (well only on my testing rig) either way there is a fix here (although it is a manual one) - The F5 Guy » Direct Access – Corrupt NRPT Fix

  8. #8

    FN-GM
    Quote, originally posted by robjduk:
    Yeah, this just applied it to the top of the domain. We had no option but to run around and rebuild every computer that was on. Every student desktop, laptop and admin machine (about 350ish). Luckily we have a nice fast deployment. Lost a few pounds in weight that afternoon but glad our staff laptops and servers have a non inheritance.
    What about the group you have to specify? Were all machines part of that group?

  9. #9

    I've never implemented it live but did it as part of a training course and it's not simple.
    The basic gist as I remember it is that you need the 2 external IP addresses and then IPv6 all the way to and through the network. It shouldn't have put the GPO at the very top though, as you can designate down to whichever group you need it to be for.

  10. #10

    FN-GM
    Quote, originally posted by Tricky_Dicky:
    I've never implemented it live but did it as part of a training course and it's not simple.
    The basic gist as I remember it is that you need the 2 external IP addresses and then IPv6 all the way to and through the network. It shouldn't have put the GPO at the very top though, as you can designate down to whichever group you need it to be for.
    @Tricky_Dicky 2012 DA does not require 2 external IP or IPv6

  11. #11

    Quote, originally posted by FN-GM:
    @Tricky_Dicky 2012 DA does not require 2 external IP or IPv6
    Ah, I didn't know that, thanks for the update!
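
An added example, not part of any post in this thread and not Microsoft's own tooling: the failure described above was a GPO linked at the top of the domain that reached every machine. This read-only PowerShell lists each GPO linked at the domain root together with its security filtering and WMI filter, so a domain-wide link can be spotted before it rolls out. The function name and the list of "broad" trustees are assumptions; it needs the ActiveDirectory and GroupPolicy modules (RSAT).

```powershell
# Added example (not from the thread): audit GPOs linked at the domain root.
# Read-only; makes no changes to Group Policy.
Import-Module ActiveDirectory, GroupPolicy

# Assumption: trustees that in practice mean "every machine in the domain".
$BroadTrustees = 'Authenticated Users', 'Domain Computers', 'Everyone'

# Hypothetical helper name, introduced for this example.
function Get-RootLinkedGpoScope {
    # Distinguished name of the current domain, e.g. DC=example,DC=local
    $rootDn = (Get-ADDomain).DistinguishedName

    # Every GPO link that sits directly on the domain root.
    $links = (Get-GPInheritance -Target $rootDn).GpoLinks

    foreach ($link in $links) {
        # Security filtering = trustees holding the "apply" permission.
        $applyTo = @(Get-GPPermission -Guid $link.GpoId -All |
            Where-Object { $_.Permission -eq 'GpoApply' } |
            ForEach-Object { $_.Trustee.Name })

        # A WMI filter can narrow the scope further (empty if none is set).
        $wmi = (Get-GPO -Guid $link.GpoId).WmiFilter

        [pscustomobject]@{
            Gpo        = $link.DisplayName
            Enabled    = $link.Enabled
            # Enforced links also reach OUs that use Block Inheritance.
            Enforced   = $link.Enforced
            AppliesTo  = $applyTo -join '; '
            WmiFilter  = if ($wmi) { $wmi.Name } else { '' }
            # True when nothing but a domain-wide trustee limits the scope.
            DomainWide = [bool]($applyTo | Where-Object { $_ -in $BroadTrustees })
        }
    }
}

# Enabled root links first, then the ones that apply to everything.
Get-RootLinkedGpoScope |
    Sort-Object Enabled, DomainWide -Descending |
    Format-Table -AutoSize
```

A row with `Enabled` and `DomainWide` both true and no WMI filter will apply to every computer at the next policy refresh, except those under an OU with Block Inheritance when the link is not enforced.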


