DirectAccess Test Lab Extension: Remote Management

Revision 5 posted to TechNet Articles by Joe Davies on 1/6/2013 12:22:44 PM
This DirectAccess Test Lab Extension for DirectAccess in Windows Server 2008 R2 describes how to configure remote management for the DirectAccess clients of the corp.contoso.com domain. You configure and test remote management of CLIENT1 from APP1 with a remote desktop connection.
 
Note  These instructions are designed for a working DirectAccess test lab that is configured from the instructions found in the Test Lab Guide: Demonstrate DirectAccess document.
If you are running the DirectAccess Test Lab in a virtual environment, you can create snapshots of the virtual machines (VMs) for all of the test lab computers before performing the following procedures.
 

Configuring and Demonstrating Remote Management

To demonstrate the lack of remote management capability of CLIENT1 from APP1 using a remote desktop connection:
  1. Connect CLIENT1 to the Internet subnet, and then restart it. Do not log on.
  2. On APP1, click Start, click All Programs, click Accessories, and then click Command Prompt.
  3. In the Command Prompt window, run the ping client1 command. You should see four successful replies.
  4. Click Start, click All Programs, click Accessories, and then click Remote Desktop Connection.
  5. In the Remote Desktop Connection window, type client1 in Computer, and then click Connect. You should see the error message Remote Desktop can’t connect to the remote computer.
  6. Click OK.
 
APP1 cannot initiate a remote desktop connection to CLIENT1 when there is no user logged on because there are no IPsec tunnels that allow incoming traffic from APP1. When no one has logged on to CLIENT1, the only IPsec tunnel in place is the infrastructure tunnel, which only allows traffic from 2002:836b:2:1:0:5efe:10.0.0.2, the ISATAP address of DC1. After a user has logged on to CLIENT1, the intranet tunnel is used to carry the remote desktop connection traffic between CLIENT1 and APP1.
 
To allow APP1 to remotely manage CLIENT1 even when there is no user logged on, you must add 2002:836b:2:1:0:5efe:10.0.0.3, the ISATAP address of APP1, to the list of management servers in Step 3 of the DirectAccess Setup Wizard.
 
To configure APP1 as a management server:
  1. On EDGE1, click Start, point to Administrative Tools, and then click DirectAccess Management.
  2. In the console tree, click Setup.
  3. In the details pane, click Edit in Step 3.
  4. On the Location page, click Next. On the DNS and Domain Controller page, click Next.
  5. On the Management page, right-click the empty entry in the table, and then click New.
  6. In the IPv4 Address window, click IPv4 address, type 10.0.0.3, and then click OK. Notice that the wizard has added a table entry for 2002:836b:2:1:0:5efe:10.0.0.3, the ISATAP address of APP1.
  7. Click Finish.
  8. In the details pane, click Finish, and then click Apply.
  9. When prompted, click OK.
  10. Click Start, click All Programs, click Accessories, and then click Command Prompt.
  11. From the Command Prompt window, run the gpupdate /target:computer command.
 
To update CLIENT1 and demonstrate remote management with a remote desktop connection:
  1. On CLIENT1, log on with the CORP\user1 user account and password.
  2. Click Start, click All Programs, click Accessories, and then click Command Prompt.
  3. From the Command Prompt window, run the gpupdate /target:computer command.
  4. Log off of CLIENT1.
  5. On APP1, click Start, click All Programs, click Accessories, and then click Remote Desktop Connection.
  6. In the Remote Desktop Connection window, type client1 in Computer, and then click Connect.
  7. When prompted for credentials, type the password for the CORP\user1 account, and then click OK. You should see the desktop of CLIENT1.
  8. Close the remote desktop window for CLIENT1.
 
By configuring APP1’s ISATAP address as a management server, the DirectAccess Setup Wizard configures a connection security rule for a management tunnel on EDGE1 and CLIENT1. This management tunnel, which is separate from the infrastructure and intranet tunnels, allows APP1 to initiate communication with DirectAccess clients even when there is no user logged on.
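
Because every management server entry is an address that may initiate traffic to clients before anyone logs on, it is worth reviewing that list against the hosts you intended. The following PowerShell is an added example, not part of the original article: it derives the ISATAP address for an intranet IPv4 address the way the wizard's table entry shows it, and flags any ISATAP endpoint in a rule listing that is not on an approved list. The function names, the sample lines and the 10.0.0.50 entry are constructed for illustration.

```powershell
# Added example, not from the article. Lab addresses are the article's;
# function names and the sample lines are constructed for illustration.
function ConvertTo-IsatapAddress {
    param([string]$Prefix64, [string]$IPv4)
    $v4 = [System.Net.IPAddress]::Parse($IPv4)
    if ($v4.AddressFamily -ne 'InterNetwork') { throw "Not an IPv4 address: $IPv4" }
    # 64-bit prefix, then interface ID 0000:5efe, then the four IPv4 bytes.
    $bytes = [System.Net.IPAddress]::Parse($Prefix64 + '::').GetAddressBytes()
    $bytes[10] = 0x5e
    $bytes[11] = 0xfe
    [Array]::Copy($v4.GetAddressBytes(), 0, $bytes, 12, 4)
    New-Object System.Net.IPAddress (,$bytes)
}

function Get-IsatapEndpoint {
    param([string[]]$Line)
    foreach ($text in $Line) {
        # Candidate tokens: runs of hex digits, dots and colons with at least two colons.
        foreach ($m in [regex]::Matches($text, '[0-9A-Fa-f.:]*:[0-9A-Fa-f.:]*:[0-9A-Fa-f.:]*')) {
            $addr = $null
            if (-not [System.Net.IPAddress]::TryParse($m.Value.TrimEnd('.'), [ref]$addr)) { continue }
            if ($addr.AddressFamily -ne 'InterNetworkV6') { continue }
            $b = $addr.GetAddressBytes()
            # Keep only ISATAP addresses (interface ID begins 0000:5efe).
            if ($b[8] -eq 0 -and $b[9] -eq 0 -and $b[10] -eq 0x5e -and $b[11] -eq 0xfe) { $addr }
        }
    }
}

$prefix   = '2002:836b:2:1'
$approved = @{}   # normalized address text -> why it is allowed
$approved[(ConvertTo-IsatapAddress -Prefix64 $prefix -IPv4 '10.0.0.2').ToString()] = 'DC1 (infrastructure tunnel)'
$approved[(ConvertTo-IsatapAddress -Prefix64 $prefix -IPv4 '10.0.0.3').ToString()] = 'APP1 (management server)'

# Constructed sample lines standing in for a saved listing of tunnel endpoints.
$sample = @(
    'infrastructure tunnel endpoint 2002:836b:2:1:0:5efe:10.0.0.2',
    'management tunnel endpoint 2002:836b:2:1:0:5efe:10.0.0.3',
    'management tunnel endpoint 2002:836b:2:1:0:5efe:10.0.0.50'
)
foreach ($a in Get-IsatapEndpoint -Line $sample) {
    $key = $a.ToString()
    if ($approved.ContainsKey($key)) {
        '{0}  approved: {1}' -f $key, $approved[$key]
    } else {
        '{0}  NOT APPROVED, review this entry' -f $key
    }
}
```

Addresses are compared after parsing, so the same endpoint matches whether the listing writes it in mixed notation or as plain hexadecimal groups.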
If you are running the DirectAccess Test Lab in a virtual environment, you can discard the changes made by these procedures by restoring the previously made snapshots of the VMs for all of the computers in the test lab. Alternatively, if you would like to return to a working DirectAccess configuration with remote management configured, you can create a new set of snapshots before restoring the previously made snapshots.
To manually restore the configuration of the DirectAccess Test Lab, perform the following procedure.

Restoring the DirectAccess Test Lab

To restore the DirectAccess Test Lab to its original configuration:
  1. On EDGE1, in the console tree of the DirectAccess Management snap-in, click Setup.
  2. In the details pane, click Edit in Step 3.
  3. On the Location page, click Next. On the DNS and Domain Controller page, click Next.
  4. On the Management page, right-click the table entry for 2002:836b:2:1:0:5efe:10.0.0.3, and then click Delete.
  5. Click Finish.
  6. In the details pane, click Finish, and then click Apply.
  7. When prompted, click OK.
  8. From the Command Prompt window, run the gpupdate /target:computer command.
  9. Close the Command Prompt window.
  10. Log on to CLIENT1 with the CORP\user1 account and password.
  11. Click Start, click All Programs, click Accessories, and then click Command Prompt.
  12. From the Command Prompt window, run the gpupdate /target:computer command.
  13. Close the Command Prompt window.

For additional DirectAccess Test Lab extensions and other resources for the DirectAccess Test Lab, click here.

 

Tags: Direct Access, test lab extension
