Hi all,
Just wondering if anyone has seen similar behavior or has a solution to the following problem.
Scenario
Single global AD domain/forest. An existing DA server setup using W2012 R2 services is configured, services clients in a single region (e.g. US) and works fine. A new DA server/configuration is to be introduced specifically to service DA clients in another region (e.g. Europe). Clients are Windows 7, so no multi-site/geo-awareness. Additionally, there are desktop clients in remote branch offices that leverage DA, i.e. non-"mobile" clients in DA terms.
With a new DA server introduced into AD to service European clients, the configuration wizard is run on the new server. As part of this preamble, we target a new GPO (Europe DirectAccess Client and Server Settings, etc.) to distinguish it from the current US setup. Accordingly, a different security group is targeted (Europe DirectAccessClients) to ensure that the policy applied is limited only to the specific machines concerned.
What we're seeing in the configuration phase with the new DA server, be it via the configuration wizard or via PowerShell, is that there is a "leakage" phase in the setup concerning the GPO, where policy may be applied to non-intended clients via the default Domain Computers security group that DA assumes. Only when the wizard defers to the new security group (Europe DirectAccessClients), some 60-90 seconds later in the DA configuration phase, is the Domain Computers filter on the GPO removed. In the meantime, this can lead to policy being applied to non-DA clients such as servers, updating their NRPT tables and causing chaos, leading to them disappearing off the network.
This can be seen in the PowerShell cmdlets, e.g.:
Install-RemoteAccess -DAInstallType FullInstall -ConnectToAddress mydaserver.mydomain.com -InternalInterface 'Ethernet' -InternetInterface 'Ethernet' -DeployNAT -ServerGpoName 'MYDOMAIN\NewDirectAccessServer' -ClientGpoName 'MYDOMAIN\NewDirectAccessClient'
Add-DAClient -SecurityGroupNameList @('MYDOMAIN\NewDirectaccessClient Settings')
Remove-DAClient -SecurityGroupNameList @('MYDOMAIN\Domain Computers')
Since DA presupposes the use of Domain Computers as the starting point for applying policy, it is not possible to elect another group as the starter group for application of policy. Instead, the new group must be added before Domain Computers can be removed.
Is there any way to override Domain Computers in the DA GPO setup, instead favoring the preferred security group to filter on the GPO?
http://blog.auth360.net
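An added example (not from the original post or from Microsoft) that checks and, if asked, fixes the security filtering on the DA client GPO, plus a detection query for servers that already picked up DA NRPT rules. It assumes the names used in the thread (client GPO 'Europe DirectAccess Client Settings', group 'Europe DirectAccessClients'), the GroupPolicy RSAT module, and rights to edit the GPO's security.

```powershell
# Added example, not from the original post. GPO/group names are the thread's own.
Import-Module GroupPolicy

function Test-DAClientGpoFilter {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$AllowedGroup,  # sAMAccountName, no domain prefix
        [switch]$Fix                                  # change ACEs instead of only reporting
    )
    # Any of these holding GpoApply pushes the DA NRPT/IPsec settings to every
    # domain member, which is the leak described in the post.
    $forbidden = @('Domain Computers', 'Authenticated Users')

    $apply = @(Get-GPPermission -Name $GpoName -All |
               Where-Object { $_.Permission -eq 'GpoApply' })
    $leaks = @($apply | Where-Object { $forbidden -contains $_.Trustee.Name })
    foreach ($leak in $leaks) {
        Write-Warning "GPO '$GpoName': '$($leak.Trustee.Name)' has GpoApply"
        if ($Fix) {
            # PermissionLevel None strips the trustee's Read and Apply ACEs
            Set-GPPermission -Name $GpoName -TargetName $leak.Trustee.Name `
                -TargetType Group -PermissionLevel None | Out-Null
        }
    }
    $ok = @($apply | Where-Object { $_.Trustee.Name -eq $AllowedGroup }).Count -gt 0
    if (-not $ok) {
        Write-Warning "GPO '$GpoName': '$AllowedGroup' does not have GpoApply"
        if ($Fix) {
            Set-GPPermission -Name $GpoName -TargetName $AllowedGroup `
                -TargetType Group -PermissionLevel GpoApply | Out-Null
        }
    }
    return ($leaks.Count -eq 0 -and $ok)   # $true only when filtering is as intended
}

# Detection side: list machines whose effective NRPT already carries DA rules
# (the server symptom from the post). Requires WinRM on the targets.
function Get-LeakedNrptHosts {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-DnsClientNrptPolicy | Where-Object { $_.DirectAccessDnsServers } |
            Select-Object @{n='Host';e={$env:COMPUTERNAME}}, Namespace, DirectAccessDnsServers
    }
}

# Verify (or repair with -Fix) while the wizard is still filtering on Domain Computers:
Test-DAClientGpoFilter -GpoName 'Europe DirectAccess Client Settings' `
    -AllowedGroup 'Europe DirectAccessClients' -Fix
```

Run the check in a loop during the 60-90 second window the post describes, then use Get-LeakedNrptHosts against your server list to find any machine that must be pushed a gpupdate once the filter is corrected.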