Skip to content

Off Premise Client Provisioning with DirectAccess

With Windows Server 2012 Microsoft introduced an server OS with an incredible number of great features, like data deduplication, ReFS, SMB 3.0, Hyper-V replica and many more. In this post I want to expose another great feature: Remote Access!


DirectAccess. Windows Server 2008 R2 introduced DirectAccess, a new remote access feature that allows connectivity to corporate network resources without the need for traditional Virtual Private Network (VPN) connections. DirectAccess provides support only for domain-joined Windows 7 Enterprise and Ultimate edition clients. The Windows Routing and Remote Access Server (RRAS) provides traditional VPN connectivity for legacy clients, non-domain joined clients, and third party VPN clients. RRAS also provides site-to-site connections between servers. RRAS in Windows Server 2008 R2 cannot coexist on the same edge server with DirectAccess, and must be deployed and managed separately from DirectAccess.

Forefront UAG 2010. With Forefront UAG 2010 on top of Windows Server 2008 R2 Microsoft added a number of features like high-availability (NLB), NAT64/DNS64 to enable clients to also access IPv4-only resources, Network Access Protection (NAP) and One -Time Password (RSA SecureID, RADIUS, etc.).

Unified Remote Access. Windows Server 2012 combines the DirectAccess feature and the RRAS role service into a new unified server role. This new Remote Access server role allows for centralized administration, configuration, and monitoring of both DirectAccess and VPN-based remote access services. Additionally, Windows Server 2012 DirectAccess provides multiple updates and improvements to address deployment blockers and provide simplified management. In fact almost all DirectAccess functionality provided by Forefront UAG 2010 is native embedded in Windows Server 2012 and therefore no expensive UAG license costs.

For a complete overview of all benefits, improvements and considerations of Windows Server 2012 Remote Access read these 2 blog posts from Richard Hicks and Shannon Fritz.

DirectAccess Offline Provisioning. An additional killer feature is Offline Provisioning of DirectAccess clients. DirectAccess offline domain join is a process that computers running Windows Server 2012 and Windows 8 can use to join a domain without being physically joined to the corporate network, or connected through VPN. This makes it possible to join computers to a domain from locations where there is no connectivity to a corporate network. Offline domain join for DirectAccess provides DirectAccess policies to clients to allow remote provisioning.

Unified Remote Access

Has nothing to do with DirectAccess but worth to mention is that offline domain join can be automated by MDT. Maik Koster is explaining in a blog post how to automate offline domain join by using task sequences.

By creating a provisioning package  a base64-encoded metadata blob is created which includes DirectAccess GPO settings, Machine Account and certificate information.

join /provision /domain contoso.local /machine CONTOSO-W8-TOGO /machineou OU=Computers,OU=Contoso,DC=Contoso,DC=local /policynames "DirectAccess Client Settings" /certtemplate Machine /savefile c:\Users\Administrator\Desktop\contoso_w8_togo.txt

After applying the provisioning package the remote client will be rebooted and joined to the domain over DirectAccess. Finally you’re able to log on with your domain credentials and access corporate resources. The awesome part is it works with Windows To Go! Enough talking … just do it and convince your self! I’am…




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: