I'm definitely stumped. I didn't do anything to our DCs, just added them to the infrastructure servers in DA, which was part of the configuration process up front.
Anything on that error in $SEARCHENGINE? Anything in the event logs on your DCs? (and are all of your site's DCs listed in DA as infrastructure serers?) Kurt On Fri, Apr 24, 2015 at 12:20 PM, Robb Whiting <[email protected]> wrote: > Nope no errors. I'm using Server 2012R2, so UAG isn't necessary and IPv6 > isn't required on the domain end. > > > > My guess is that the DA server isn't talking to the DC so it can't > authenticate the clients through the tunnel. > > > > The only error I have to work with is: > > > > > > > > and my gpresult /r looks like this: > > > > --------------------------------------------------- > > > > OS Configuration: Member Server > > OS Version: 6.3.9600 > > Site Name: N/A > > Roaming Profile: N/A > > Local Profile: C:\Users\wadmin > > Connected over a slow link?: No > > > > > > USER SETTINGS > > -------------- > > CN=WADMIN,OU=Resource Accounts,DC=NINCAL,DC=com > > Last time Group Policy was applied: 4/24/2015 at 11:48:24 AM > > Group Policy was applied from: NINS2.NINCAL.COM > > Group Policy slow link threshold: 500 kbps > > Domain Name: NINCAL > > Domain Type: Windows 2008 or later > > > > Applied Group Policy Objects > > ----------------------------- > > N/A > > > > The following GPOs were not applied because they were filtered out > > ------------------------------------------------------------------- > > Information Systems Exemptions > > Filtering: Denied (Security) > > > > Local Group Policy > > Filtering: Not Applied (Empty) > > > > Default Domain Policy > > Filtering: Denied (Security) > > > > The user is a part of the following security groups > > --------------------------------------------------- > > Information Services Permissions Group > > Everyone > > BUILTIN\Users > > BUILTIN\Administrators > > REMOTE INTERACTIVE LOGON > > NT AUTHORITY\INTERACTIVE > > NT AUTHORITY\Authenticated Users > > This Organization > > LOCAL > > RTCHSDomainServices > > Direct Access and VPN Users > > FACSys Administrator > > Domain Admins > > Domain Users > > Schema Admins > > Everyone > > Denied RODC Password Replication Group > > SQLServer2005MSSQLUser$NINS1$BKUPEXEC > > Track-It! Technicians > > > > See I don't even get a Computer Settings section, and the domain is a > Computer Settings applicable policy... so that's an issue but there's no > error as to why it doesn't even attempt to apply Computer Settings. > > > > What kind of firewall exemptions did you implement for your Domain > Controllers when you implemented Direct Access? > > > > -R > > > > > > -----Original Message----- > From: [email protected] [mailto:[email protected]] > On Behalf Of Kurt Buff > > Sent: Friday, April 24, 2015 12:02 PM > To: [email protected] > Subject: Re: [NTSysADM] Hey All, I'm having a mind boggling problem with > Direct Access > > > > I'm not sure what problem it is that your having here. > > > > However, I'm using DA on 2008R2, over UAG 2010 SP1, so what I say next might > not apply: > > > > My DA box is only a member of the group I called GatewayServers, which gets > the Gateway GPO settings, and my box does indeed show that applied, when > running 'gpresult /r'. > > > > Anything in the event logs after up do the 'gpupdate /force'? > > > > Kurt > > > > On Fri, Apr 24, 2015 at 11:51 AM, Robb Whiting <[email protected]> > wrote: > >> Hmmm... > >> > >> I was using a domain administrator account, which was able to create and >> push the accounts to the DC. > >> > >> But I believe after that it then needs to go back to the DC and grab the >> configuration to make sure everyone agrees. > >> > >> That's the step that's failing. > >> > >> It's able to create and push the GPOs just fine, just not allowed to >> retrieve them from the domain controller. > >> > >> When I do a gpresult /r It shows that it applies none of my Computer >> Policies... > >> > >> It doesn't even show that any are found. In fact, it only shows me a USER >> SETTINGS section. > >> > >> Why can't I get my machine that has permissions to apply a GPO to do so >> for for the computer account for which it qualifies. > >> > >> Perhaps there is something in my DC GPO setting that needs to be changed >> to allow the DC to send the GPO? > >> > >> -R > >> > >> > >> > >> -----Original Message----- > >> From: [email protected] > >> [mailto:[email protected]] On Behalf Of Kurt Buff > >> Sent: Friday, April 24, 2015 11:42 AM > >> To: [email protected] > >> Subject: Re: [NTSysADM] Hey All, I'm having a mind boggling problem > >> with Direct Access > >> > >> I assume, from your description, that you're trying to push the DA >> configuration to the GPOs that it's trying to set up? > >> > >> If that's the case, under what account are you doing the DA configuration? > >> > >> I used a standard-grade Domain User-only account when configuring >> DirectAccess that I set up to be an administrator on the box. > >> > >> If that's what you're doing, you will want to pre-create empty GPOs, then >> set security on them to allow your DirectAccess administrator account to >> update them. > >> > >> Kurt > >> > >> On Fri, Apr 24, 2015 at 9:49 AM, Robb Whiting <[email protected]> >> wrote: > >>> I've set up Direct Access correctly as far as I know, but for some reason >>> in the Dashboard, no matter what I do, it says it can never get the >>> configuration from the Domain Controller. > >>> > >>> I can ping and access the domain controller just fine, but it still > >>> refuses to get the GPO configuration even when I run a gpupdate > >>> /force > >>> > >>> If I get a report, gpreport /r it says that there are no Applied Group >>> Policy objects despite the fact that GP for Direct Access Server has the >>> server listed in it. > >>> > >>> Why the heck won't it get that darn GPO configuration. It seems it has >>> sent it to the server but cannot receive it back. > >>> > >>> I'm assuming this has some sort of effect that also makes it so when my >>> clients try to connect to direct access it just says connecting and spins >>> forever... > >>> > >>> Anyone know how to get this to work (my VPN settings work fine by the > >>> way) > >>> > >>> -R > >>> > >>> > >>> > >>> > >> > >> > > > > > >
