Here is the second part of Windows Server 2012 Direct Access blog series.
In the first post we discussed what’s new and what are the design differences between new and previous version of Direct Access feature.
In this blog post, we’ll discuss about our Lab configuration that will lead us for the next parts and help us to design and test Direct Access feature within virtual environment.
To build a reliable Direct Access Lab, Microsoft provides Base and Test Lab guide documentations.
Base Lab: http://www.microsoft.com/en-us/download/details.aspx?id=29010
Test Lab: http://www.microsoft.com/en-us/download/details.aspx?id=29029
Regarding base lab guide, you can build a base lab that includes Infrastructure servers (DNS, Active Directory), Application Server (Intranet IIS Site), Simulated Internet (DNS Server) and single Direct Access Server.
After you build base virtual machines, then you should follow Test Lab guide and configure&test Direct Access feature.
Let’s look at the lab details and introduce virtual machines & roles.
- First of all you must build a Domain Controller as an intranet domain controller, DNS Server and DHCP server. This server will be responsible for authentication purposes and will act as main identity store for the Lab environment. Also a DNS server is a must to built a healthy Active Directory environment. DHCP is another role that you have to install. It will be used to configure Client1’s ip address automatically. Since you will change Client1 subnet frequently during test processes, providing ip addresses automatically will help us.
- One intranet member server running Windows Server 2012 named APP1. It will be configured as a general application and web server. When a client resides on internet network and successfully connects intranet network through IPSEC tunnel (Direct Access Server), to test Direct Access client side functionalities, being able to access real intranet resources will be more helpful test. On application server, a file share and an intranet IIS web site will be created.
- One member client computer running Windows 8 Consumer Preview named Clinet1. You will use that client machine for testing purposes. I recommend that put three network interface to try for internet, intranet and behind NAT communications.
- One intranet member server running Windows Server 2012 named EDGE1. That will be our Direct Access Server. Most important point is that it should have two different network cards to access both intranet and internet networks. This server also will act as a DNS64. That means it will get DNS ipv6 requests from Windows 8 clients that resided in Internet and make ipv4 DNS requests to the intranet DNS server on behalf of DA clients.
- And the last required server for base lab is INET1. It’s required to simulate internet network. You will have to create DNS zones to answer DNS queries from internet clients.
I’m sure if you want to build that lab, you will download base and test lab and follow the steps. So I will only highlight for the important steps that is also covered basically within documents.
- Since this is a limited Lab environment, you can minimize hardware requirements. 1024Gb ram will be enough for each VM.
- Unlike previous Windows 7 Direct Access Test lab guide, this guide includes PowerShell script for each step. You do not have to follow 15-20 steps one by one. Just copy powershell script provided and run within evelated powershell console .
After you complete Base Lab Guide and before to start Test Lab Guide, if you want to test Direct Access functionality behind a NAT device, you also have to build following HomeNet Lab.
Optional mini-module: Homenet subnet
It’s an optional step and will help you to fire up one another Windows 8 virtual machine that will act as a NAT device.
Before you start to install Direct Access Feature and test connectivity, you must have following environment:
I know it seems a little bit crowded, but once you build that kind of virtual lab, you can also use it to test other new Windows Server 8 features.
Next part we will assume that you have a working Lab environment and will start to install and configure Direct Access feature.
When is Part 3 of this article getting released? I am not able to find this article
Hi when because the 3rd part we really comes full of excitement expected.
All the best from Germany
Sorry for the delay. Part 3 will be available in couple of days!
Looking forward to part 3!
Any news for part 3 ?
We are considering direct access 2012, so we are eagerly awaiting your guide.
I too am waiting for the follow up guide. Do you have an ETA?
... the part 3!
Yeah it is easy to setup a lab env, but nobody can talk about "HOW TO IMPLEMENT THIS IN REAL NETWORK ENVIRONMENTS ?" , yeah baby
Don't wait for part 3 ; because with 2012 it is very easy (like everytime they say) just 14 clicks ,it doesnt need teredo, pki, because 2012 creates everything itself event nls web site but for win 8 clients,if you have win 7 client like everytime it is A TORTURE
Crazy question but bear with me if you would as I may have missed it in the reading material. Which nic in the DA (Edge1) box should have the default gateway - internal or external? Normally I would only have a gateway on the external card (TMG/UAG etc) but is it the same for a direct access box? The base lab doc does not mention it as far as I can see.
Great docs though, really helped and saves time.
So I went trough these labs - The basic one and simplified DirectAccess and I have to say either Im missing something or they got a mistake in that step by step guide. Im quite sure I set up everything correctly and yet when I switched CLIENT1 from corpnet to Internet DA status was "connecting" and "unable establish connection to direct access server''. So I went for that optional Homenet minilab and to my surprise it works great. I was wondering where is the difference and found out that in Homenet minilab they are doing "netsh interface 6to4 set state state=disabled" so I disabled 6to4 adapter on a CLIENT1 as well and switched to Internet network and its fixed - connected to direct access server via IP-HTTPS. So as I said either Im missing something or they forgot add the step to disable 6to4 on CLIENT1.
Can DA reside on one server with DC/AD/Exchange?
I believe DA must be a member server not installed on a DC.