DirectAccess Server 2012 Configuration cannot be retrieved from domain controller

Hi everyone,

We are using DirectAccess over Server 2012. There is just one server, no load balancing.

Everything works fine, all clients can connect successfully and the operations status page shows all in green. Nevertheless, on the dashboard page in the configuration status section it says "Configuration for server [servername] cannot be retrieved from the domain controller."

I found a few hints about what could cause this problem:

"In my case, the RAConfigTask, a scheduled task, was not enabled on the affected WS2012 server (DA entry point in a multisite deployment). After just enabling it, the errors have gone." http://blog.gocloud-security.ch/2013/01/11/ws2012-directaccess-and-the-configuration-for-server-server-name-retrieved-from-the-domain-controller-cannot-be-applied-error/

"Group Policy was filtering out my DA server from the GPO object for some reason. To fix, I opened up Group Policy Management on the domain controller and made sure that my DA server was a part of the group." http://www.joedissmeyer.com/2012/12/more-issues-and-solutions-for.html

"Server has no connectivity to the domain in order to update the policies. Run gpupdate /force on the server to force policy update. GPO replication might be required in order to retrieve the updated configuration. This could be because there is no writable domain controller in the Active Directory site of the Remote Access server." http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/56fedb17-1274-4e1a-b2d0-fea809f0bc45

I checked everything. The task is enabled and completed successfully, the GPO is not filtered out, I ran gpupdate without any errors, I could connect to the domain controller, there are no errors on the domain controller, and the domain controller is writable.

So, I have no idea what could cause this error. Any ideas or hints?

Thanks

Regards

Sebastian


  • Edited by skrueck Thursday, June 13, 2013 1:48 PM
June 13th, 2013 1:47pm

I have the exact same problem. I figured out that there was a problem with the "Log on as a service" right.

secpol.msc --> Local Policies --> User Rights Assignment, Log on as a service: I have NT Service\All Services.

I can access the group policy via the console just fine; I have no connectivity issues whatsoever.

I decided to open a call with Microsoft. Their suggestion .... we don't know, reinstall. So I did, and here we are, same problem and no solution. It is getting frustrating...

April 30th, 2014 8:08am

Exact same problems here. Anyone who finds a solution, please post.
June 10th, 2014 2:14pm

G'day,

I had the same issue, I literally waited 15 minutes and then clicked refresh and it was all good.

Hope that helps someone

August 21st, 2014 11:19am

Hi All - I have seen this where Sites and Services have not been configured in AD, and also when replication of GPOs between Domain Controllers has an issue - perhaps just check all is well with the DCs.
August 22nd, 2014 10:32am

I have a similar issue that says that I don't have access to the GPO. DirectAccess itself still works, but all of a sudden I cannot access the wizard to make changes or see the configuration. I have done the same troubleshooting you listed above and found no answer thus far. I have a ticket open with Microsoft on the issue. If/when I get a resolution I will share it.
August 25th, 2014 7:27pm

I have a similar problem. The GPO is downloaded to the server, but the scheduled task that applies the settings fails with code "0x1", and nowhere can one see what the code means or what's going wrong. Elsewhere it's suggested that certificates on the hidden interfaces are what's causing the problem, but why hide all the interfaces....
September 10th, 2014 10:28am

I wonder if there is an RODC in play here. RODCs don't allow you to access GPO settings.

I'm getting the same error and I think it's because the server is on the same subnet/site as the RODC we have in our DMZ. I'm thinking if there is a way to force the logon to only go to specific domain controllers, then I can skip the RODC for AD queries and tasks.

June 11th, 2015 3:08pm

Hi,

Using DirectAccess with an RODC is not supported: https://technet.microsoft.com/en-us/library/dn464274.aspx?f=255&MSPPError=-2147217396#bkmk_rodc

You can try to use the Windows Firewall of your DirectAccess server to deny connections to the RODC's IP address.

Check also this article, it's for Windows 7 but it may help you: http://www.windowsnetworking.com/kbase/WindowsTips/Windows7/AdminTips/ActiveDirectory/Hardcodingthelogondomaincontroller.html

Gerald

June 11th, 2015 4:22pm
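A diagnostic added here (it is not from any poster in this thread) that walks the checks raised above in one pass: the state and last result of the RAConfigTask scheduled task named in the first post, whether the DC this server logged on to is an RODC as discussed in the last two posts, whether the server's own AD site has a writable DC, and whether the DirectAccess GPO actually applied. It assumes an elevated PowerShell session on the DirectAccess server with the RSAT ActiveDirectory module installed.

```powershell
# Added diagnostic, not from the thread. Run elevated on the DirectAccess server.
# Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory -ErrorAction Stop

# 1. The scheduled task that applies the DA configuration GPO (named in the thread).
#    Get-ScheduledTask searches every task folder when only -TaskName is given.
$task = Get-ScheduledTask -TaskName 'RAConfigTask' -ErrorAction SilentlyContinue
if (-not $task) {
    Write-Warning 'RAConfigTask not found in Task Scheduler.'
} else {
    $info = $task | Get-ScheduledTaskInfo
    # LastTaskResult 0 means success; one post above reports 0x1 on failure.
    '{0}: state={1} lastResult=0x{2:X} lastRun={3}' -f $task.TaskName, $task.State, $info.LastTaskResult, $info.LastRunTime
    if ($task.State -eq 'Disabled') { Write-Warning 'RAConfigTask is disabled; enable it and re-run.' }
}

# 2. Which DC authenticated this computer, and is it read-only (RODC)?
$logonDc = $env:LOGONSERVER.TrimStart('\')
$dc = Get-ADDomainController -Identity $logonDc
'Logon DC {0}: site={1} readOnly={2}' -f $dc.HostName, $dc.Site, $dc.IsReadOnly
if ($dc.IsReadOnly) {
    Write-Warning 'The logon DC is an RODC; DirectAccess with RODCs is unsupported.'
}

# 3. Is there a writable DC in this server's own AD site? The DC locator may fall
#    back to another site, so compare the returned site name explicitly.
$mySite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
$writable = Get-ADDomainController -Discover -Writable -ForceDiscover -SiteName $mySite
if ($writable.Site -ne $mySite) {
    Write-Warning ('No writable DC in site {0}; nearest writable DC is {1} in {2}.' -f $mySite, $writable.HostName, $writable.Site)
} else {
    'Writable DC in site {0}: {1}' -f $mySite, $writable.HostName
}

# 4. Confirm which GPOs applied to this computer (the GPO filtering hint above).
gpresult /r /scope computer | Select-String -Pattern 'Applied Group Policy Objects' -Context 0,8
```

If step 3 warns, the server is authenticating outside its site, which matches the "no writable domain controller in the Active Directory site" hint quoted in the first post.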

Hi,

We also have this problem in a new deployment. I have added the server subnet to Sites and Services and also added the server account to the GPO object and removed Authenticated Users. Tried running the Set-DAEntryPointDC command, but it's not a multi-site deployment so it doesn't apply.

Suggestion: Do the 2012 ADMX GPO templates require installing?

Tried a re-install but still no joy.  Anyone else got any suggestions for further troubleshooting steps?  Thanks.


  • Edited by MattRW Friday, July 24, 2015 9:37 AM
July 24th, 2015 9:36am
