Nope no errors.  I'm using Server 2012R2, so UAG isn't necessary and IPv6 isn't 
required on the domain end.



My guess is that the DA server isn't talking to the DC so it can't authenticate 
the clients through the tunnel.



The only error I have to work with is:

[cid:[email protected]]




and my gpresult /r looks like this:



---------------------------------------------------



OS Configuration:            Member Server

OS Version:                  6.3.9600

Site Name:                   N/A

Roaming Profile:             N/A

Local Profile:               C:\Users\wadmin

Connected over a slow link?: No





USER SETTINGS

--------------

    CN=WADMIN,OU=Resource Accounts,DC=NINCAL,DC=com

    Last time Group Policy was applied: 4/24/2015 at 11:48:24 AM

    Group Policy was applied from:      NINS2.NINCAL.COM

    Group Policy slow link threshold:   500 kbps

    Domain Name:                        NINCAL

    Domain Type:                        Windows 2008 or later



    Applied Group Policy Objects

    -----------------------------

        N/A



    The following GPOs were not applied because they were filtered out

    -------------------------------------------------------------------

        Information Systems Exemptions

            Filtering:  Denied (Security)



        Local Group Policy

            Filtering:  Not Applied (Empty)



        Default Domain Policy

            Filtering:  Denied (Security)



    The user is a part of the following security groups

    ---------------------------------------------------

        Information Services Permissions Group

        Everyone

        BUILTIN\Users

        BUILTIN\Administrators

        REMOTE INTERACTIVE LOGON

        NT AUTHORITY\INTERACTIVE

        NT AUTHORITY\Authenticated Users

        This Organization

        LOCAL

        RTCHSDomainServices

        Direct Access and VPN Users

        FACSys Administrator

        Domain Admins

        Domain Users

        Schema Admins

        Everyone

        Denied RODC Password Replication Group

        SQLServer2005MSSQLUser$NINS1$BKUPEXEC

        Track-It! Technicians



See I don't even get a Computer Settings section, and the domain is a Computer 
Settings applicable policy... so that's an issue but there's no error as to why 
it doesn't even attempt to apply Computer Settings.



What kind of firewall exemptions did you implement for your Domain Controllers 
when you implemented Direct Access?



-R





-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Kurt Buff
Sent: Friday, April 24, 2015 12:02 PM
To: [email protected]
Subject: Re: [NTSysADM] Hey All, I'm having a mind boggling problem with Direct 
Access



I'm not sure what problem it is that your having here.



However, I'm using DA on 2008R2, over UAG 2010 SP1, so what I say next might 
not apply:



My DA box is only a member of the group I called GatewayServers, which gets the 
Gateway GPO settings, and my box does indeed show that applied, when running 
'gpresult /r'.



Anything in the event logs after up do the 'gpupdate /force'?



Kurt



On Fri, Apr 24, 2015 at 11:51 AM, Robb Whiting 
<[email protected]<mailto:[email protected]>> wrote:

> Hmmm...

>

> I was using a domain administrator account, which was able to create and push 
> the accounts to the DC.

>

> But I believe after that it then needs to go back to the DC and grab the 
> configuration to make sure everyone agrees.

>

> That's the step that's failing.

>

> It's able to create and push the GPOs just fine, just not allowed to retrieve 
> them from the domain controller.

>

> When I do a gpresult /r  It shows that it applies none of my Computer 
> Policies...

>

> It doesn't even show that any are found.  In fact, it only shows me a USER 
> SETTINGS section.

>

> Why can't I get my machine that has permissions to apply a GPO to do so for 
> for the computer account for which it qualifies.

>

> Perhaps there is something in my DC GPO setting that needs to be changed to 
> allow the DC to send the GPO?

>

> -R

>

>

>

> -----Original Message-----

> From: [email protected]<mailto:[email protected]>

> [mailto:[email protected]] On Behalf Of Kurt Buff

> Sent: Friday, April 24, 2015 11:42 AM

> To: [email protected]<mailto:[email protected]>

> Subject: Re: [NTSysADM] Hey All, I'm having a mind boggling problem

> with Direct Access

>

> I assume, from your description, that you're trying to push the DA 
> configuration to the GPOs that it's trying to set up?

>

> If that's the case, under what account are you doing the DA configuration?

>

> I used a  standard-grade Domain User-only account when configuring 
> DirectAccess that I set up to be an administrator on the box.

>

> If that's what you're doing, you will want to pre-create empty GPOs, then set 
> security on them to allow your DirectAccess administrator account to update 
> them.

>

> Kurt

>

> On Fri, Apr 24, 2015 at 9:49 AM, Robb Whiting 
> <[email protected]<mailto:[email protected]>> wrote:

>> I've set up Direct Access correctly as far as I know, but for some reason in 
>> the Dashboard, no matter what I do, it says it can never get the 
>> configuration from the Domain Controller.

>>

>> I can ping and access the domain controller just fine, but it still

>> refuses to get the GPO configuration even when I run a gpupdate

>> /force

>>

>> If I get a report, gpreport /r it says that there are no Applied Group 
>> Policy objects despite the fact that GP for Direct Access Server has the 
>> server listed in it.

>>

>> Why the heck won't it get that darn GPO  configuration.  It seems it has 
>> sent it to the server but cannot receive it back.

>>

>> I'm assuming this has some sort of effect that also makes it so when my 
>> clients try to connect to direct access it just says connecting and spins 
>> forever...

>>

>> Anyone know how to get this to work (my VPN settings work fine by the

>> way)

>>

>> -R

>>

>>

>>

>>

>

>






Reply via email to