TechOnTip Weblog

Run book for Technocrats

Windows 2012 Direct Access – Windows 7 Client Testing

Posted by Brajesh Panda on March 10, 2013

Click here for other Direct Access related articles.

In last article I have discussed how to test Windows 8 Direct Access Clients with and without computer certificate. In this article let’s test a Win 7 computer. To read other Windows 2012 Direct Access articles visit Direct Access tab on the home page of the blog.

  • Install Windows 7 Enterprise or Ultimate version of client Computer
  • Join it Contoso. Local Domain
  • Add the Computer Account to “Contoso\DirectAccessClients-Win7” security group
  • As Computer certificate is necessary for Windows 7 “Contoso\DirectAccessClients-Win7” group has been configured for auto enrollment of computer certificates
  • Make sure computer certificate is installed in Windows 7 Client Certificate store
  • Enable Windows 7 Access in Remote Access Server Management Console

  • Make sure GPO is applied to the computer. To validate run “Gpresult /r” and make sure direct access client policy is applied under computer configuration
  • Move the computer to public internet and disconnect from corporate network. Check IPConfig & make sure it got IP-HTTPS IP address
  • Try to ping tunnel end points & direct access server IPv6 Address
  • Try to ping Contoso. Local & other internal corporate servers
  • Try to access RDP & \\UNC path for internal resources
  • Check advance firewall console for created tunnels “wf.msc”
  • Check corporate DNS server for dynamic registration of IP-HTTPS interface IP address for Win 7 client.
  • However in Windows 7 there is NO inbuilt Network Connectivity Assistant
    to troubleshoot or disconnect or use local name resolution. So we have to install Direct Access Connectivity 2.0
    tool & configure related settings as per DCA 2.0 guide.
  • Download Direct Access Connectivity Assistant 2.0 Package to Windows 7 client & extract. Package contains below files

  • As per OS version (x64/x86) install respective MSI file. Installer will download Windows Update KB2666914
    from internet and install on the Windows 7 machine. Need internet connection.
  • After DCA 2.0 installation, Existing Network Connectivity Assistant GPO settings will not get applied to it & it will still give error saying Corporate Connectivity is not working. Even inside the corporate network it will throw the same error. If we generate diagnostic logs it will say it is not configured correctly.
  • So Copy GPO ADML & ADMX files as per below in the machine where you configure GPO – may be a domain controller or same DA Server.
    • Copy the DirectAccess_Connectivity_Assistant_2_0_ GP.admx file to the folder %systemroot%\PolicyDefinitions.
    • Copy the DirectAccess_Connectivity_Assistant_2_0_ GP.adml file to the folder %systemroot%\PolicyDefinitions\language. For example, for US English, copy the file to %systemroot%\PolicyDefinitions\en-us.
  • Open Group Policy Management Console & copy respective settings from DirectAccess Client Experience Settings
    to DirectAccess Connectivity Assistant. In below picture from Green to Red.

  • Connect the Win 7 client to corporate network & Gpupdate. After Gpupdate you should able to see DCA is working fine.

  • Reconnect the Win 7 client to Internet & make sure client is getting IPV6 address on IP-HTTPS interface & Direct Access connection is working fine.
  • As you updated the GPO, make sure you Gpupdate the Windows 8 clients too

9 Responses to “Windows 2012 Direct Access – Windows 7 Client Testing”

  1. Tommi K said


    Open Group Policy Management Console & copy respective settings from DirectAccess Client Experience Settings
    to DirectAccess Connectivity Assistant. In below picture from Green to Red.

    How can I actually copy the settings using Group Policy Management? I haven’t found anyway to do that. All tips are highly appreciated!

    BR, TommiK

    • you just open the settings and copy parameters 😉

      • jeff said

        I’ve added the Templates to the local store as indicated and I see the Red copy to location(DirectAccess Connectivity Assistant) but under network I do not see the green copy from location(Direct Access Client Experience settings) Any ideas? Thanks in advance!

      • Hi Jeff

        You wont see the (Direct Access Client Experience settings) if you aren’t editing the policy that the DA server created for you during initial deployment.

    • Arjan said

      Hi Norm.

      Are you sure? I just opened the GPO created by the wizard and for me too the “Direct Access Client Experience settings” are not visible.
      Sidenote: Our domain is in Windows 2008 mode, not in Windows 2012 mode..


      • Arjan said

        So I went ahead and found a fix for that. Turns out our domain had a Group Policy Central Store. I made a backup of C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions and copied the C:\Windows\PolicyDefinitions from a Windows 2012 machine to C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions.
        I now see what is described in the screenshots here.
        Hope that helps.



    • Arjan said

      If I connect the Windows 7 client to corporate network DAC says everything is fine. If I connect to the internet it says it is unable to contact some corporate content. If I check the Remote Access on the DA server I see the Windows 7 client connecting. It says the Computer account authenticated using Computer Cert, and the user is blank. Checking the FW rules on the Windows 7 client shows primary auth as Computer Cert, and secondary as User NTLM..
      Windows 8 clients work like a charm..
      Any ideas as to why the user cannot authenticate on the Windows 7 machines?



      • As you said your DA statistics shows you are connected. All okay here. May be your DCA is not able to verify any probe you defined in DCA config. Generate diagnostic log & see if there are failure is getting reported.

  2. Hi guys I have DirectAccess on WS2012 full patched and win8 and 7 clientes, win8 are going well but win7 are only getting 6to4 2002: ip address IP-https interface exist on OS but it can’t ip address, regards

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: