Windows

Achieving Highly Available DirectAccess (HA DA) with Windows Server 2012

John Joyner demonstrates how to deploy two Windows Server 2012 VMs in a highly available DA server configuration.

DirectAccess (DA) is one of Microsoft's best remote-access technologies for the scenarios it fits. DA was introduced with Windows Server 2008 R2 and the Forefront Unified Access Gateway (UAG) product. DA is an IPv6-based technology that lets remote worker computers appear to be "always on" the corporate network, even as users roam between corporate networks and the Internet; the tunnels are established by the computer itself, before and independently of any user logon.

High Availability (HA) describes the business need for continuously available services that are not exposed to a single point of failure. HA DA (Highly Available DirectAccess) is much easier to achieve than in previous versions of DA. Windows Server 2012 shipped an updated version of DA with native support for Windows Network Load Balancing (NLB), which is considerably simpler to set up and get working than the UAG-era arrays.

In this article, the goal is to deploy two Windows Server 2012 virtual machines (VMs) in a highly-available (HA) DA server configuration. We want to load-balance the DA computers and allow for redundancy and fail-over to achieve HA DA service for remote users. We also want to use the "one NIC" model of Windows Server 2012 DA and load balance the DA computers on a virtual IP (VIP).

Deploying the DA role and NLB feature on multiple computers

After deploying two Windows Server 2012 VMs and joining them to the domain, create a Server Group in Windows Server 2012 Server Manager on the first DA computer named "DA Server Group" and add the second DA computer to the group. This makes management of both DA computers easier later on. Starting the performance counters on each computer changes its Manageability status to Online, as seen in Figure A.

Figure A

A Windows Server 2012 Server Group makes administration of multiple servers running the same role easier.

The DA server role must be added to each computer one at a time; unfortunately, Server Manager does not allow for multi-select when installing roles! To add the DA server role and the NLB feature to the two DA computers, follow these steps:

  1. Right-click the server name in Server Manager and select Add Roles and Features.
  2. Select Role-based or feature-based installation, choose the first server in the group, and click Next.
  3. At the Select server roles page, click Remote Access, then Add Features (notice that the Web Server (IIS) role is installed as a dependency).
  4. Select the Network Load Balancing feature to install as well, and then click Next to configure the Remote Access role services.
  5. At Role Services, select DirectAccess and VPN (RAS), then click Next.
  6. Click Next to configure the Web Server Role (IIS), select no additional role services, and then click Next.
  7. Click Install and wait until the Remote Access role is installed on the first DA computer.
  8. When installation is complete on the first DA computer, click Close.
  9. Repeat steps 1 to 8 for the second DA computer.
  10. Request a Web Server certificate from the domain's enterprise CA on the first DA computer, with the subject name set to the public DNS name you will use for IP-HTTPS. Export the certificate with its private key as a password-protected PFX and import the same certificate into the Local Computer store of the second DA computer; both nodes must present the identical certificate because clients reach them through a single name and VIP. Delete the PFX file once it has been imported.
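The same ten steps driven from PowerShell on the first node, as an added example that is not part of the original article. It installs the role and features on both nodes, requests one Web Server certificate for the IP-HTTPS name, and moves it to the second node with its private key under a prompted password. The server names DA1 and DA2, the admin-share transfer path and the template name WebServer are assumptions; the public name edge1.techrepublic.com is the one used in the article.

```powershell
# Added example (not from the original article). Run on the first DA node as a
# domain administrator. Node names, PFX path and template name are assumptions.
$DaServers  = 'DA1', 'DA2'                  # assumed node names
$PublicName = 'edge1.techrepublic.com'      # IP-HTTPS name used in the article
$PfxShare   = '\\DA2\C$\Temp\iphttps.pfx'   # assumed transfer location (admin share)
$PfxLocal   = 'C:\Temp\iphttps.pfx'         # the same file as seen from DA2

# 1. Install the Remote Access role, the DirectAccess/VPN role service and the
#    NLB feature on each node. Install-WindowsFeature takes -ComputerName, so
#    both installs are driven from the first node (IIS comes in as a dependency).
foreach ($s in $DaServers) {
    Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, NLB `
        -IncludeManagementTools -ComputerName $s
}

# 2. Request a Web Server certificate from the enterprise CA for the public
#    name. 'WebServer' is the built-in template name; a custom template would
#    need its own name here.
$req  = Get-Certificate -Template WebServer `
            -SubjectName "CN=$PublicName" -DnsName $PublicName `
            -CertStoreLocation Cert:\LocalMachine\My
$cert = $req.Certificate

# 3. Export with the private key under a strong, prompted password. Never
#    leave an unprotected PFX on disk or on an admin share.
$pwd = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $PfxShare -Password $pwd | Out-Null

# 4. Import on the second node. Without -Exportable the private key is marked
#    non-exportable on DA2, so it cannot be pulled off that node later. Remove
#    the PFX as soon as it has been imported.
Invoke-Command -ComputerName 'DA2' -ArgumentList $pwd, $PfxLocal -ScriptBlock {
    param($p, $path)
    Import-PfxCertificate -FilePath $path `
        -CertStoreLocation Cert:\LocalMachine\My -Password $p | Out-Null
    Remove-Item -Path $path -Force
}

# 5. Confirm both nodes hold the same certificate: identical thumbprints.
foreach ($s in $DaServers) {
    Invoke-Command -ComputerName $s -ArgumentList $PublicName -ScriptBlock {
        param($n)
        Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -eq "CN=$n" } |
            Select-Object @{ n = 'Server'; e = { $env:COMPUTERNAME } }, Thumbprint, NotAfter
    }
}
```

The thumbprint check at the end is the one to keep: if the two nodes show different thumbprints, IP-HTTPS clients will get certificate errors depending on which node NLB hands them to.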

Install DA on both computers and configure the first DA computer

After installing the DA role on the two computers, Server Manager shows a warning flag in the top ribbon. Clicking the flag shows the details seen in Figure B: reminders, with action links, to complete post-deployment configuration on both computers.

Figure B

Server Manager reminds you with a warning icon when post-configuration steps are needed.

Clicking on the Open the Getting Started Wizard link in Server Manager for the first DA computer launches the Configure Remote Access Getting Started Wizard. Here are the steps to complete the wizard to support DA:

1.      At the Configure Remote Access Getting Started Wizard, Welcome to Remote Access page, select Deploy DirectAccess only.

2.      At the Configure DirectAccess and VPN settings page, select Behind an edge device (with a single network adapter), then type the public name DA clients will connect to. This name must match the subject name of the IP-HTTPS certificate, for example edge1.techrepublic.com as shown in Figure C.

Figure C

Selecting the DA server topology and IP-HTTPS certificate name.

3.      The wizard is then ready to deploy DA with default settings; however, you should review the settings and make changes before applying them.

a.      As shown in Figure D, you will want to review the Active Directory (AD) domain security group to which the DA wizard is about to link a new domain group policy object (GPO).

Figure D

Verify the default security group assignment for the DirectAccess GPO.

b.      In a large domain, you will want to change the default Active Directory (AD) domain security group to a purpose-built group with a more limited scope. The default is the Domain Computers group, restricted to mobile computers by a WMI filter the wizard creates. Every computer in the linked group receives the DA client GPO and can build tunnels into the corporate network, so keep that membership to the machines that actually need remote access.

c.      Also in the Remote Clients details, you may want to specify a different internal resource for the connectivity probe the DA client uses to report whether its tunnels are reaching the corporate network.

d.      In the Remote Access Server details, change the IP-HTTPS certificate setting to use the Web Server certificate you placed on each DA computer; otherwise the wizard generates a self-signed certificate that the second node will not share.

4.      Click Finish when you have verified the DA deployment settings. The DA Getting Started Wizard applies the settings and reports completion; then click Close.
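The wizard's choices, with the two review items (a narrower client group and the domain-issued IP-HTTPS certificate) applied, expressed with the Windows Server 2012 RemoteAccess module. This is an added example, not the article's own steps; the group name TECHREPUBLIC\DA-Clients, the GPO names, the adapter name Ethernet and the domain name are assumptions, and the cmdlet parameters should be confirmed with Get-Help in your build.

```powershell
# Added example (not from the original article). Run on the first DA node.
# Group, GPO, adapter and domain names are assumptions for this example.
$PublicName  = 'edge1.techrepublic.com'              # IP-HTTPS name from the article
$ClientGroup = 'TECHREPUBLIC\DA-Clients'             # assumed purpose-built AD group
$Nic         = 'Ethernet'                            # single-NIC model: one adapter for both roles

# The Web Server certificate placed on both nodes earlier, selected by subject.
$IpHttpsCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$PublicName" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $IpHttpsCert) { throw "No certificate with subject CN=$PublicName in the machine store" }

# Deploy DirectAccess only, behind an edge device with a single adapter
# (-DeployNat selects the "behind an edge device" topology).
Install-RemoteAccess -DAInstallType FullInstall `
    -ConnectToAddress $PublicName `
    -InternalInterface $Nic -InternetInterface $Nic -DeployNat `
    -ClientGpoName 'TECHREPUBLIC\DirectAccess Client Settings' `
    -ServerGpoName 'TECHREPUBLIC\DirectAccess Server Settings' `
    -Force

# Least privilege on the client side: link the client GPO to the dedicated
# group instead of Domain Computers, and keep the mobile-computers-only filter.
Add-DAClient    -SecurityGroupNameList $ClientGroup -PassThru | Out-Null
Remove-DAClient -SecurityGroupNameList 'TECHREPUBLIC\Domain Computers' -PassThru | Out-Null
Set-DAClient    -OnlyRemoteComputers Enabled

# Replace the wizard's self-signed IP-HTTPS certificate with the CA-issued one.
Set-DAServer -IPHttpsCertificate $IpHttpsCert

# Review what will actually be pushed to clients, then check component health
# (the same information the Operations Status pane shows).
Get-DAClient | Select-Object SecurityGroupNameList, OnlyRemoteComputers
Get-RemoteAccessHealth | Format-Table Component, HealthState -AutoSize
```

Run Get-DAClient before Remove-DAClient if you are not sure of the exact default group name in your domain; the value it reports is the one to remove.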

Completely new in Windows Server 2012 is the Remote Access Management Console with an integrated DirectAccess management pane. Figure E shows the health indicators of the many DA connectivity services. This makes it easy to spot what's not working and fix each issue one at a time.

Figure E

Windows Server 2012 Remote Access Management Console showing DA Operations Status.

Enable load balancing

If the DA computers are Hyper-V guest VMs and you are using native Windows NLB, you must shut each VM down and select Enable spoofing of MAC addresses under the advanced features of the virtual NIC in each VM's configuration. NLB rewrites the source MAC address of cluster traffic, which the Hyper-V switch blocks by default. Enable the setting only on the NLB nodes: a VM that may spoof MAC addresses can also send frames that appear to come from any other host on that virtual switch. After verifying this setting and powering up the VMs, open the Remote Access Management Console from the Start screen on the first DA computer.

  1. Select the DA computer name in the left column, and then click the Load Balanced Cluster -> Enable Load Balancing task.
  2. Select to use Windows Network Load Balancing (NLB), and click Next.
  3. Enter a new IPv4 address and a new IPv6 address to serve as the dedicated IP addresses (DIPs) of the first DA computer.
    • The address the first DA computer was using becomes the virtual IP address (VIP) of the DA HA cluster, so the existing DNS records and the IP-HTTPS name keep working.
    • The DIPs you specify become the primary addresses of the first DA computer itself.
  4. Follow the steps at this link to complete the NLB install: http://technet.microsoft.com/en-us/library/hh831830.aspx
  5. Wait a few minutes, then proceed to add the second DA server to the array.
  6. Select the Load Balanced Cluster in the Remote Access Management Console and click the Add or Remove Servers task.
  7. Click Add, then Select server and enter the name of the second DA computer, click Next.
  8. On the Network Adapters screen, confirm that the Web Server certificate you imported on the second node is selected for IP-HTTPS connections, and click Next.
  9. Select Use a self-signed certificate for the network location server (NLS), click Add, then Close, then Commit.
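The load-balancing steps above, from the Hyper-V prerequisite through adding the second node, as an added PowerShell example that is not part of the original article. The Hyper-V host name HV1, the VM names DA1 and DA2, the DA2 FQDN and every address/prefix pair are assumptions; confirm the address format the load-balancer cmdlets expect with Get-Help before running.

```powershell
# Added example (not from the original article). Host, VM, server and address
# values are assumptions. Steps 2 and 3 run on the first DA node.
$HyperVHost = 'HV1'                            # assumed Hyper-V host
$Vms        = 'DA1', 'DA2'                     # assumed VM names
$SecondNode = 'DA2.techrepublic.com'           # assumed FQDN of the second node

# 1. Let each DA VM's virtual NIC spoof MAC addresses, which NLB needs.
#    Scope it to these two VMs only; it is a per-adapter setting, and any VM
#    that has it can impersonate other hosts on the same virtual switch.
Invoke-Command -ComputerName $HyperVHost -ArgumentList (, $Vms) -ScriptBlock {
    param($names)
    foreach ($vm in $names) {
        Stop-VM -Name $vm -Force
        Set-VMNetworkAdapter -VMName $vm -MacAddressSpoofing On
        Start-VM -Name $vm
    }
    # Verify: only the DA nodes should report MacAddressSpoofing = On.
    Get-VMNetworkAdapter -VMName $names | Select-Object VMName, MacAddressSpoofing
}

# 2. Enable NLB on the first node. The address DA1 is using now becomes the
#    cluster VIP; the addresses given here become DA1's dedicated IPs (DIPs).
#    With the single-NIC model only the Internet-facing DIPs are supplied.
Set-RemoteAccessLoadBalancer `
    -InternetDedicatedIPAddress @('192.168.10.11/255.255.255.0', '2001:db8:10::11/64') `
    -PassThru

# 3. Add the second node with its own DIPs. Its copy of the IP-HTTPS
#    certificate must already be in the Local Computer store.
Add-RemoteAccessLoadBalancerNode -RemoteAccessServer $SecondNode `
    -InternetDedicatedIPAddress @('192.168.10.12/255.255.255.0', '2001:db8:10::12/64') `
    -PassThru

# 4. Verify the cluster: both nodes listed, and component health green on
#    each node (the state the console shows as a healthy configuration).
Get-RemoteAccessLoadBalancer
foreach ($node in 'DA1.techrepublic.com', $SecondNode) {
    Get-RemoteAccessHealth -ComputerName $node |
        Format-Table @{ n = 'Server'; e = { $node } }, Component, HealthState -AutoSize
}
```

Leave a few minutes between steps 2 and 3, as the article advises, so that the NLB driver has converged on the first node before the second joins.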

After a few moments, both DA servers appear in the Load Balanced Cluster list of the Remote Access Management Console with a healthy configuration status, as seen in Figure F. Being able to build and configure both nodes of the DA array from the first node was a great timesaver. The only reason to log on to the second DA computer was to import the IP-HTTPS Web Server certificate exported from the first DA computer.

Figure F

Two-node HA DA array deployment completed and working properly.

About

John Joyner, MCSE, CMSP, MVP Cloud and Datacenter Management, is senior architect at ClearPointe, a cloud provider of systems management services. He is co-author of the "System Center Operations Manager: Unleashed" book series from Sams Publishing, ...

1 comment
judge_wolf

What is a domain web certificate?! You mean a Web Server certificate!?