- Microsoft DirectAccess Best Practices and Troubleshooting
- Jordan Krause
- 520字
- 2021-08-04 09:57:30
Hostname and domain membership
Now that our network traffic is flowing, we need to finalize a couple of other regular items on the DirectAccess server. First is setting the hostname. While this seems like a menial, regular task, don't take it lightly. It is recommended that once your hostname is set, it should not be changed in the future. So choose the name carefully, and choose a name that meets your naming standards. It is not recommended to change the hostname of a DirectAccess server, because there are items external to the server itself which are bound to that particular name, such as Group membership, Group Policy Objects (GPOs) filtering, and certificates. A change in the hostname of a DirectAccess server will result in a number of external factors needing to be changed, adjusted, or reissued, and there is a huge potential for problems. So all that to say—choose your name wisely and don't think you can name it DA-Test for now, and simply rename it later.
Once your name is set, it is time to join it to the domain. This is required for DirectAccess to work, as the solution is tightly integrated with Active Directory. You do not have to join it to the same domain as the rest of your internal network or the same domain as the DirectAccess client machines, but whatever domain you join it to must have a two-way trust to those domains, so that traffic can flow successfully between the DirectAccess server and the resources with which it is going to interact.
Prestage the computer account
I highly recommend prestaging the computer account for your DirectAccess server(s) in Active Directory before you join them to the domain. This is not required, but I recommend it because I have seen many cases where upon joining the domain, a DirectAccess server had some existing GPOs applied to it which disabled items in Windows that are necessary for DirectAccess to function. What I see most often are GPOs in place on the network which disable or make changes to the Windows Firewall, and if any of these policies get applied to your DirectAccess servers, it will certainly interfere with operability.
Try your best to make sure that no existing polices get applied to the servers at all. It is best to create a separate Organizational Unit (OU) for them to reside in, which blocks the inheritance of existing policies. In the end, there are going to be policies that need to apply to them, the actual DirectAccess Server policy for example, but try to keep them as clean as possible from changes. Once you have DirectAccess connectivity established and working, you can try applying your policies one at a time if you so choose, but keep in mind that if a GPO gets applied and changes are made, then simply removing the device from that GPO's filtering doesn't always reverse the settings that were changed. It is possible that you could break the DirectAccess server to the point that the quickest resolution is to re-prep the server and start over, so tread lightly here.
- VMware Horizon View 6 Desktop Virtualization Cookbook
- Windows Server 2012 Hyper-V Cookbook
- Instant Optimizing Embedded Systems using Busybox
- Windows 7中文版從入門(mén)到精通(修訂版)
- 8051軟核處理器設(shè)計(jì)實(shí)戰(zhàn)
- Windows 8實(shí)戰(zhàn)從入門(mén)到精通(超值版)
- Windows 7實(shí)戰(zhàn)從入門(mén)到精通
- Heroku Cloud Application Development
- UI設(shè)計(jì)手繪表現(xiàn)從入門(mén)到精通
- Web Penetration Testing with Kali Linux(Third Edition)
- Azure Resource Manager Templates Quick Start Guide
- Angular權(quán)威教程
- 樹(shù)莓派+傳感器:創(chuàng)建智能交互項(xiàng)目的實(shí)用方法、工具及最佳實(shí)踐
- Mastering AWS CloudFormation
- Docker for Developers