
Step by Step : Implementing Basic DirectAccess in Windows Server 2012 R2

November 20, 2014

As promised previously, this time I will show you the basic steps to implement DirectAccess in Windows Server 2012 R2.

But, as usual, let's first go through a bit of information about DirectAccess.

The DirectAccess feature in Windows Server 2012 R2 enables seamless remote access to intranet resources without first establishing a user-initiated VPN connection. The DirectAccess feature also ensures seamless connectivity to the application infrastructure, for both internal users and remote users.

Unlike traditional VPNs that require user intervention to initiate a connection to an intranet, DirectAccess enables any application on the client computer to have complete access to intranet resources. DirectAccess also enables you to specify resources and client-side applications that are restricted for remote access.

To deploy and configure DirectAccess, your organization must support the following infrastructure components:

• DirectAccess server (LON-RTR in this lab).
• DirectAccess clients (domain-joined computers; a Windows 8.1 client here).
• Network location server (NLS): the HTTPS site a client probes to decide whether it is inside the intranet. If the client cannot reach the NLS, it behaves as if it were on the Internet, so an NLS outage makes internal clients try to tunnel; the NLS must be highly available internally and must not be reachable from the Internet.
• Internal resources, such as corporate applications.
• An AD DS domain.
• Group Policy (the wizard creates and links the server and client GPOs for you).
• PKI (optional; the Getting Started Wizard used below deploys with self-signed certificates and Kerberos proxy authentication).
• Domain Name System (DNS) server.
• Network Access Protection (NAP) server (optional; only needed if you want client health checks before DirectAccess access is granted).

To be honest, implementing DirectAccess is not as easy as reading the manual; there are many things you need to understand and be familiar with. But I'll try my best to present simple steps that you can try in your isolated testing environment.

For more information, please browse to :

So, ladies & gentlemen, start your engines; let's drive into the world of DirectAccess…

1st, before we begin, there are a few requirements: a number of VMs and settings need to be in place before implementing DirectAccess.

For demo purposes I will be using 5 VMs: 4 Windows Server 2012 R2 VMs and 1 Windows 8.1 client VM, all running on Hyper-V.

Infrastructure requirement (based on the isolated environment; a real production implementation may differ):

  • 1 Domain Controller Server (LON-DC01)
  • 1 Routing & Remote Access Server (LON-RTR)
  • 1 Member Server (LON-SVR1)
  • 1 Internet DNS server (INET1) ** Please take note that INET1 is only used to simulate the Internet DNS server; it is what the client will use to resolve the DirectAccess server's public name once it is "outside".
  • 1 Client PC running Windows 8.1 (LON-CL1)

2nd, let's verify the network configuration for all our VMs (please refer to the pictures).

  • LON-DC01

(picture 1 - DC01: network configuration)

  • LON-RTR
    • Require 3 NIC
      • Ethernet
      • Ethernet 2
      • Internet

(picture 2 - RTR - 1: network connections)

Ethernet :

(picture 3 - RTR - 2)

Ethernet 2 :

(picture 4 - RTR - 3)

Internet :

(picture 5 - RTR - 4)

  • LON-SVR1

(picture 8 - SVR1)

  • INET1

(picture 9 - INET)

  • LON-CL1
    • Require 2 NIC (the second one is only there to simulate moving the client from the intranet to the Internet)
      • Ethernet
      • Ethernet 2

Ethernet :

(picture 6 - CL1 - 1)

Ethernet 2 :

(picture 7 - CL1 - 2)

We are done with the network configuration. Please be careful with the network setup and make sure you understand which IPs go on which connection: the wizard later picks LON-RTR's Internet-facing adapter as the public edge and the other adapter as the intranet side, so mixing them up breaks the whole deployment.

3rd, creating the DirectAccess OU & group in Active Directory.

** You need to create the OU & group because we are going to add LON-CL1 to this group so that the client can get a DirectAccess connection. Membership of this group is what decides which computers receive the DirectAccess client settings.

1 – Create a new OU: in the New Object – Organizational Unit dialog box, in the Name box, type DirectAccess _Clients, and then click OK…


2 – In the Active Directory Users and Computers console, expand the domain, right-click the DirectAccess _Clients OU, click New, and then click Group…


3 – In the New Object – Group dialog box, in the Group name box, type Adatum DA_Clients…


4 – Next, right-click Adatum DA_Clients, and then click Properties…


5 – In the Adatum DA_Clients Properties dialog box, click the Members tab, and then click Add and then click Object Types…


6 – Next, select the Computers check box, and then click OK…


7 – In the Enter the object names to select (examples) box, type LON-CL1, and then click OK…


8 – Verify that LON-CL1 is displayed under Members, and then click OK…
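The same OU, group and membership can be created from PowerShell. The script below is an added example, not code from the original post; it is the equivalent of steps 1-8 above, run on LON-DC01 (or any machine with the RSAT ActiveDirectory module) as a domain admin. The post never states the domain name, so the script reads the domain DN from AD instead of assuming one; OU and group names are taken from the post.

```powershell
# Added example: PowerShell equivalent of steps 1-8 (OU, security group, membership).
# Run on LON-DC01 as a domain admin. Assumption: the RSAT ActiveDirectory module is present.
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName        # read from AD, e.g. DC=adatum,DC=com
$ouName    = 'DirectAccess _Clients'                  # spelled exactly as in the post
$groupName = 'Adatum DA_Clients'
$clients   = @('LON-CL1')                             # computers allowed to use DirectAccess

# Step 1: the OU, created only if it does not exist yet
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -SearchScope OneLevel
if (-not $ou) {
    $ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDn -PassThru
}

# Steps 2-3: a global *security* group inside that OU. It must be a security
# group because the DirectAccess client GPO is security-filtered to it.
$group = Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $ou.DistinguishedName
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
                         -Path $ou.DistinguishedName `
                         -Description 'Computers allowed to connect with DirectAccess' -PassThru
}

# Steps 4-7: add the computer accounts (the GUI needs Object Types -> Computers for this)
foreach ($name in $clients) {
    $computer = Get-ADComputer -Identity $name       # fails loudly if the account does not exist
    Add-ADGroupMember -Identity $group -Members $computer
}

# Step 8: show who is in the group now
Get-ADGroupMember -Identity $group | Select-Object Name, objectClass
```

One caveat that bites in this lab: the new group SID only enters LON-CL1's computer token at its next boot. Restart the client (or purge its system-account tickets with `klist -li 0x3e7 purge`) before running `gpupdate`, otherwise the security-filtered client GPO is skipped even though the membership shows in AD.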


We are done on the domain controller; now let's switch to the LON-RTR server to configure DirectAccess…

1 – On the LON-RTR server, open Server Manager, click Tools, and then click Remote Access Management (for this demo I expect that you already know how to install the Remote Access role)…


2 – In the Remote Access Management console, under Configuration, click DirectAccess and VPN and then click Run the Getting Started Wizard


3 – On the Configure Remote Access interface, click Deploy DirectAccess only.


4 – On the Configure Remote Access interface, verify that Edge is selected, and in the Type the public name or IPv4 address used by clients to connect to the Remote Access server box, type the public name, and then click Next. This name ends up as the subject of the IP-HTTPS certificate and is what clients look up on the Internet, so in this lab it must resolve on INET1 to the address of LON-RTR's Internet adapter.


5 – In the Configure Remote Access interface, click the here link…


6 – On the Remote Access Review interface, verify that two GPOs are created, DirectAccess Server Settings and DirectAccess Client Settings, and then, next to Remote Clients, click Change


7 – Next, select Domain Computers (Adatum\Domain Computers), and then click Remove, so that the client settings are not pushed to every computer in the domain but only to the group you add next


8 – Next, on the same interface, click Add, type Adatum DA_Clients, and then click OK


9 – Make sure you clear the Enable DirectAccess for mobile computers only check box, and then click Next… (with it selected, the client GPO carries a WMI filter that matches mobile computers only, and a Hyper-V VM such as LON-CL1 would never receive the settings)


10 – On the DirectAccess Client Setup interface, click Finish.


11 – On the Remote Access Review interface, verify that ADATUM\Adatum DA_Clients is listed under Remote Clients, and then click OK…


12 – Wait a few minutes for the settings to be applied…


13 – Once the configuration is complete, click Close…


14 – Confirm that your DirectAccess setup is complete on this interface… Keep in mind what the Getting Started Wizard has just done for you: it issued self-signed certificates for IP-HTTPS and the network location server, hosted the NLS on LON-RTR itself, and chose Kerberos proxy authentication instead of computer certificates. That is fine for an isolated lab, but it rules out two-factor/OTP authentication, force tunneling, multisite and Windows 7 clients, so a production deployment should be configured with a proper PKI.
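The wizard steps 2-14 can also be driven from the RemoteAccess PowerShell module, which makes the scoping decisions (which group, no "mobile only" filter) explicit and repeatable. This is an added example, not code from the original post, to be run in an elevated PowerShell on LON-RTR with the Remote Access role already installed. The post does not state the public name, the adapter names or the domain NetBIOS name; the script assumes da.adatum.com, adapters called "Internet" (public side) and "Ethernet" (intranet side) as in the NIC list earlier, and the domain ADATUM.

```powershell
# Added example: RemoteAccess cmdlet equivalent of wizard steps 2-14, run on LON-RTR.
# Assumptions (not from the post): public name da.adatum.com, adapters "Internet"
# and "Ethernet", domain NetBIOS name ADATUM.
Import-Module RemoteAccess

$publicName = 'da.adatum.com'                 # must resolve on INET1 to LON-RTR's Internet NIC
$daGroup    = 'ADATUM\Adatum DA_Clients'      # the group created on LON-DC01

# Steps 3-5: edge topology, DirectAccess only (no VPN). Passing no certificate
# parameters gives the same simplified deployment as the wizard: self-signed
# IP-HTTPS and NLS certificates plus Kerberos proxy authentication, no PKI.
Install-RemoteAccess -DAInstallType FullInstall `
                     -ConnectToAddress $publicName `
                     -InternetInterface 'Internet' `
                     -InternalInterface 'Ethernet' `
                     -ClientGpoName 'ADATUM\DirectAccess Client Settings' `
                     -ServerGpoName 'ADATUM\DirectAccess Server Settings' `
                     -Force

# Steps 6-9: scope the client GPO to the DA group instead of every domain
# computer (add first, then remove, so the client list is never empty), and
# clear "mobile computers only", whose WMI filter a Hyper-V VM would not match.
Add-DAClient    -SecurityGroupNameList $daGroup
Remove-DAClient -SecurityGroupNameList 'ADATUM\Domain Computers' -Force
Set-DAClient    -OnlyRemoteComputers Disabled -Force

# Steps 11-14: review what was deployed
Get-DAClient      # SecurityGroupNameList and OnlyRemoteComputers
Get-RemoteAccess  # DAStatus, ConnectToAddress and the two interfaces
```

After the last two cmdlets, SecurityGroupNameList should contain only ADATUM\Adatum DA_Clients and OnlyRemoteComputers should read Disabled; if Domain Computers is still listed, every domain member that boots will pull the DirectAccess client settings, which is exactly what step 7 of the wizard is there to prevent.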


4th, after all the configuration is done, it's time for us to test / validate our DirectAccess deployment.

1 – Switch to your client PC, log in as administrator, open CMD, and type gpupdate /boot /force

** We do this because when you configured the DirectAccess server, the wizard created 2 Group Policies and linked them to the domain, so you need to apply the policy to the client PC. The /boot switch restarts the computer if a setting needs it; the restart is also what refreshes the computer's group membership, and the client GPO is filtered on exactly that group…



2 – Next, let's verify that the DirectAccess Client Settings GPO is applied to our client PC: in CMD, type gpresult /r

** Under the Computer Settings section, verify that the DirectAccess Client Settings GPO is applied.


3 – Next, in CMD, type netsh namespace show effectivepolicy (the short form netsh name show effectivepolicy is the same command)

** Verify that the following heading is displayed: DNS Effective Name Resolution Policy Table Settings. While LON-CL1 is still on the intranet, the output also notes that the DirectAccess settings are turned off because the computer is inside the corporate network; that is the network location server doing its job.


4 – Now let's move our client from the intranet to the public network: on LON-CL1, disable the Ethernet connection…


5 – Then, enable Ethernet 2…


6 – Open the Ethernet 2 IPv4 properties to verify the IP settings…


7 – Now it's time to test the DirectAccess connectivity (fingers crossed)…

** In LON-CL1, open IE and then type

** verify that the default Internet Information Services (IIS) web page for LON-SVR1 appears.

** Restart LON-CL1 if the default IIS web page for LON-SVR1 doesn't appear…



8 – Next, try accessing LON-SVR1's file shares (just to confirm that all access is available)…


9 – Next, let's verify connectivity to the DirectAccess server: still on LON-CL1, open CMD and type netsh namespace show effectivepolicy…

** Verify that DNS Effective Name Resolution Policy Table Settings presents 2 entries for and (one is the intranet DNS suffix, sent to the DirectAccess server's DNS64 address; the other is the network location server's name, exempted so it is never resolved over the tunnel)


10 – Next, on LON-CL1, open PowerShell and type Get-DAClientExperienceConfiguration

** this command just shows the DirectAccess client settings that the GPO delivered


11 – Finally, to verify LON-CL1's connection on the DirectAccess server, switch to LON-RTR; in the Remote Access Management console, click Remote Client Status and notice that the client is connected via IP-HTTPS (the only transition technology available from a plain IPv4 network with no Teredo or 6to4)…

** We've successfully verified that LON-CL1 can access the internal network by using DirectAccess.
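The client-side checks in steps 1-10 can be collected into one script that tells you at a glance where a failed connection is stuck: GPO not applied, NRPT not in effect, wrong inside/outside decision, IP-HTTPS tunnel down, or name resolution. This is an added example, not code from the original post; sections A-E run in an elevated PowerShell on LON-CL1 after the move to Ethernet 2, and the final command runs on LON-RTR. The post never names the intranet DNS suffix, so the script assumes adatum.com, and it assumes LON-SVR1 serves the IIS default site on TCP 80.

```powershell
# Added example: client-side validation of steps 1-10, run elevated on LON-CL1.
# Assumptions (not from the post): intranet suffix adatum.com, LON-SVR1 listens on TCP 80.
$internalHost = 'LON-SVR1.adatum.com'

# A. Step 2: is the DirectAccess Client Settings GPO applied? (computer scope of gpresult /r)
$applied = [bool](gpresult /r /scope:computer | Select-String 'DirectAccess Client Settings')
"Client GPO applied   : $applied"

# B. Step 9: the effective NRPT, the same data netsh namespace show effectivepolicy prints.
#    Outside the intranet it holds the intranet suffix (with the DirectAccess DNS64
#    address) and the NLS name exemption (no DirectAccess DNS servers).
Get-DnsClientNrptPolicy -Effective | Format-Table Namespace, DirectAccessDnsServers -AutoSize

# C. Inside or outside? This is the NLS probe result the client acts on.
$da = Get-DAConnectionStatus
"DA connection status : $($da.Status) / $($da.Substatus)"

# D. Step 11 from the client side: the IP-HTTPS interface carries the tunnel
#    from a plain IPv4 "Internet" network, so it has to be up.
$ipHttps = Get-NetIPHttpsState
"IP-HTTPS interface   : $($ipHttps.InterfaceStatus) (last error $($ipHttps.LastErrorCode))"

# E. Steps 7-8: name resolution and reachability of the internal server through
#    the tunnel. LON-SVR1 is IPv4-only; DNS64 on LON-RTR synthesises an AAAA
#    answer and NAT64 translates the traffic, so an IPv6 address is the expected result.
Resolve-DnsName $internalHost -Type AAAA | Select-Object Name, Type, IPAddress
"TCP 80 reachable     : $((Test-NetConnection $internalHost -Port 80).TcpTestSucceeded)"

# F. On LON-RTR, the server-side view of step 11 (the console's Remote Client Status):
#    Get-RemoteAccessConnectionStatistics | Format-List
```

How to read it: a healthy run shows the GPO applied, two NRPT rows, a status of ConnectedRemotely, an IP-HTTPS interface status of connected, an AAAA answer for LON-SVR1 and TcpTestSucceeded True. Two results deserve attention. A status of ConnectedLocally while on Ethernet 2 means the network location server is still reachable from the "Internet" side, which defeats the inside/outside detection; in production the NLS must never be reachable from the Internet. An IP-HTTPS error with no AAAA answer usually means the public name from wizard step 4 does not resolve on INET1 or the self-signed IP-HTTPS certificate does not match it.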


I'm done for now; thank you for reading, and wait for my next post…
