Direct access - manual policy update?

Hi,

Hope someone can help me. If I have a PC that is off the business network and needs DirectAccess, is it possible to manually apply the settings for that?
Normally policies are pushed out when on network, but is it possible to do it manually or is it certificate based somehow, where you cannot apply this manually?

I have tried to copy registry settings (maybe some settings are missing) from a PC where DA is working, but it is not working.

April 17th, 2015 5:44am

Hello,

If your system requires a computer certificate to validate your access, you're screwed because the only way to receive it is to have the right policies applied on your computer and your Certificate Authority to receive your certificate.

Is your computer already joined to your domain?

If not, you can use the Offline Domain Join procedure to prepare your distant computer for DirectAccess.

https://technet.microsoft.com/en-us/library/jj574150.aspx

Gerald

April 17th, 2015 8:18am

Hello There,

Below is the step by step guide for Offline Domain Join:

https://technet.microsoft.com/en-us/library/offline-domain-join-djoin-step-by-step(v=ws.10).aspx

Using "offline domain join", you will be able to provision a DirectAccess client (ONLY if you have Windows 2012 DA and Windows 8 or above as the clients). This is because Windows 2012 DA/Windows 8 clients don't require certificates to make a DA connection.

If you have Windows 7/UAG DA or certificate-based authentication (in the case of DA2012 with Multisite or a similar configuration) for your DA, apart from the above step you might have to manually import the certificates needed for DA onto the clients to make a successful IPsec (DA) connection.

In the longer run, you might also consider deploying CEP/CES for certificate provisioning over the internet, after "Offline Domain Join".

http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx

Please let me know how it goes.

  • Proposed as answer by Vasu Deva Monday, April 20, 2015 12:56 PM
April 17th, 2015 10:45am

The pc is already on the domain - but I will try and check
April 17th, 2015 11:05am

Hi all,

Offline Domain Join works with certificate authentication too. The required computer certificate is included in the provisioning file if you use the required parameters. I have done this several times.

Here is the command: Djoin /provision /machine <remote machine name> /domain <Your Domain name> /policynames <DA Client GPO name> /certtemplate <Name of client computer cert template> /savefile c:\files\provision.txt /reuse

April 24th, 2015 3:25am
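
The provisioning and apply steps discussed in this thread, as an added example that is not part of any poster's reply. The provisioning file contains the machine account password, so the sketch restricts its ACL, checks its hash before applying it, and deletes it afterwards. The function names and all argument values are hypothetical placeholders; `Get-FileHash` assumes PowerShell 4.0 or later, and both steps assume an elevated prompt.

```powershell
# Added example: wraps djoin.exe for a DirectAccess offline domain join.
# Function names are hypothetical; values passed in are your own environment's.

function New-DAProvisioningBlob {            # run on a domain-connected machine
    param(
        [Parameter(Mandatory)][string]$Machine,
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$PolicyName,   # DA client GPO name
        [string]$CertTemplate,                       # only for certificate-based DA
        [Parameter(Mandatory)][string]$SaveFile
    )
    # /reuse reuses an existing computer account and resets its password.
    $djoinArgs = @('/provision', '/machine', $Machine, '/domain', $Domain,
                   '/policynames', $PolicyName, '/savefile', $SaveFile, '/reuse')
    if ($CertTemplate) { $djoinArgs += @('/certtemplate', $CertTemplate) }

    & djoin.exe @djoinArgs
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

    # Treat the blob like a plaintext password: drop inherited ACEs, grant only the current user.
    & icacls.exe $SaveFile /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):(M)" | Out-Null

    # Return the hash so it can be given to the remote side over a separate channel.
    (Get-FileHash -Path $SaveFile -Algorithm SHA256).Hash
}

function Install-DAProvisioningBlob {        # run on the off-network client
    param(
        [Parameter(Mandatory)][string]$LoadFile,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    # Refuse a file that was altered or swapped in transit.
    $actual = (Get-FileHash -Path $LoadFile -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) { throw 'Provisioning file hash mismatch; not applying.' }

    & djoin.exe /requestodj /loadfile $LoadFile /windowspath $env:SystemRoot /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestodj failed with exit code $LASTEXITCODE" }

    Remove-Item -Path $LoadFile -Force       # do not leave the secret on disk
    Write-Output 'Applied. Restart the computer to complete the join.'
}
```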
