I'm definitely stumped. I didn't do anything to our DCs, just added
them to the infrastructure servers in DA, which was part of the
configuration process up front.

Anything on that error in $SEARCHENGINE?

Anything in the event logs on your DCs? (and are all of your site's
DCs listed in DA as infrastructure serers?)

Kurt

On Fri, Apr 24, 2015 at 12:20 PM, Robb Whiting <[email protected]> wrote:
> Nope no errors.  I'm using Server 2012R2, so UAG isn't necessary and IPv6
> isn't required on the domain end.
>
>
>
> My guess is that the DA server isn't talking to the DC so it can't
> authenticate the clients through the tunnel.
>
>
>
> The only error I have to work with is:
>
>
>
>
>
>
>
> and my gpresult /r looks like this:
>
>
>
> ---------------------------------------------------
>
>
>
> OS Configuration:            Member Server
>
> OS Version:                  6.3.9600
>
> Site Name:                   N/A
>
> Roaming Profile:             N/A
>
> Local Profile:               C:\Users\wadmin
>
> Connected over a slow link?: No
>
>
>
>
>
> USER SETTINGS
>
> --------------
>
>     CN=WADMIN,OU=Resource Accounts,DC=NINCAL,DC=com
>
>     Last time Group Policy was applied: 4/24/2015 at 11:48:24 AM
>
>     Group Policy was applied from:      NINS2.NINCAL.COM
>
>     Group Policy slow link threshold:   500 kbps
>
>     Domain Name:                        NINCAL
>
>     Domain Type:                        Windows 2008 or later
>
>
>
>     Applied Group Policy Objects
>
>     -----------------------------
>
>         N/A
>
>
>
>     The following GPOs were not applied because they were filtered out
>
>     -------------------------------------------------------------------
>
>         Information Systems Exemptions
>
>             Filtering:  Denied (Security)
>
>
>
>         Local Group Policy
>
>             Filtering:  Not Applied (Empty)
>
>
>
>         Default Domain Policy
>
>             Filtering:  Denied (Security)
>
>
>
>     The user is a part of the following security groups
>
>     ---------------------------------------------------
>
>         Information Services Permissions Group
>
>         Everyone
>
>         BUILTIN\Users
>
>         BUILTIN\Administrators
>
>         REMOTE INTERACTIVE LOGON
>
>         NT AUTHORITY\INTERACTIVE
>
>         NT AUTHORITY\Authenticated Users
>
>         This Organization
>
>         LOCAL
>
>         RTCHSDomainServices
>
>         Direct Access and VPN Users
>
>         FACSys Administrator
>
>         Domain Admins
>
>         Domain Users
>
>         Schema Admins
>
>         Everyone
>
>         Denied RODC Password Replication Group
>
>         SQLServer2005MSSQLUser$NINS1$BKUPEXEC
>
>         Track-It! Technicians
>
>
>
> See I don't even get a Computer Settings section, and the domain is a
> Computer Settings applicable policy... so that's an issue but there's no
> error as to why it doesn't even attempt to apply Computer Settings.
>
>
>
> What kind of firewall exemptions did you implement for your Domain
> Controllers when you implemented Direct Access?
>
>
>
> -R
>
>
>
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Kurt Buff
>
> Sent: Friday, April 24, 2015 12:02 PM
> To: [email protected]
> Subject: Re: [NTSysADM] Hey All, I'm having a mind boggling problem with
> Direct Access
>
>
>
> I'm not sure what problem it is that your having here.
>
>
>
> However, I'm using DA on 2008R2, over UAG 2010 SP1, so what I say next might
> not apply:
>
>
>
> My DA box is only a member of the group I called GatewayServers, which gets
> the Gateway GPO settings, and my box does indeed show that applied, when
> running 'gpresult /r'.
>
>
>
> Anything in the event logs after up do the 'gpupdate /force'?
>
>
>
> Kurt
>
>
>
> On Fri, Apr 24, 2015 at 11:51 AM, Robb Whiting <[email protected]>
> wrote:
>
>> Hmmm...
>
>>
>
>> I was using a domain administrator account, which was able to create and
>> push the accounts to the DC.
>
>>
>
>> But I believe after that it then needs to go back to the DC and grab the
>> configuration to make sure everyone agrees.
>
>>
>
>> That's the step that's failing.
>
>>
>
>> It's able to create and push the GPOs just fine, just not allowed to
>> retrieve them from the domain controller.
>
>>
>
>> When I do a gpresult /r  It shows that it applies none of my Computer
>> Policies...
>
>>
>
>> It doesn't even show that any are found.  In fact, it only shows me a USER
>> SETTINGS section.
>
>>
>
>> Why can't I get my machine that has permissions to apply a GPO to do so
>> for for the computer account for which it qualifies.
>
>>
>
>> Perhaps there is something in my DC GPO setting that needs to be changed
>> to allow the DC to send the GPO?
>
>>
>
>> -R
>
>>
>
>>
>
>>
>
>> -----Original Message-----
>
>> From: [email protected]
>
>> [mailto:[email protected]] On Behalf Of Kurt Buff
>
>> Sent: Friday, April 24, 2015 11:42 AM
>
>> To: [email protected]
>
>> Subject: Re: [NTSysADM] Hey All, I'm having a mind boggling problem
>
>> with Direct Access
>
>>
>
>> I assume, from your description, that you're trying to push the DA
>> configuration to the GPOs that it's trying to set up?
>
>>
>
>> If that's the case, under what account are you doing the DA configuration?
>
>>
>
>> I used a  standard-grade Domain User-only account when configuring
>> DirectAccess that I set up to be an administrator on the box.
>
>>
>
>> If that's what you're doing, you will want to pre-create empty GPOs, then
>> set security on them to allow your DirectAccess administrator account to
>> update them.
>
>>
>
>> Kurt
>
>>
>
>> On Fri, Apr 24, 2015 at 9:49 AM, Robb Whiting <[email protected]>
>> wrote:
>
>>> I've set up Direct Access correctly as far as I know, but for some reason
>>> in the Dashboard, no matter what I do, it says it can never get the
>>> configuration from the Domain Controller.
>
>>>
>
>>> I can ping and access the domain controller just fine, but it still
>
>>> refuses to get the GPO configuration even when I run a gpupdate
>
>>> /force
>
>>>
>
>>> If I get a report, gpreport /r it says that there are no Applied Group
>>> Policy objects despite the fact that GP for Direct Access Server has the
>>> server listed in it.
>
>>>
>
>>> Why the heck won't it get that darn GPO  configuration.  It seems it has
>>> sent it to the server but cannot receive it back.
>
>>>
>
>>> I'm assuming this has some sort of effect that also makes it so when my
>>> clients try to connect to direct access it just says connecting and spins
>>> forever...
>
>>>
>
>>> Anyone know how to get this to work (my VPN settings work fine by the
>
>>> way)
>
>>>
>
>>> -R
>
>>>
>
>>>
>
>>>
>
>>>
>
>>
>
>>
>
>
>
>
>
>


Reply via email to