Issue with accessing the DirectAccess console after removing a Domain Controller

Most people don't know that the DirectAccess servers are tied together with a specific domain controller. In case you decommission the specific domain controller due to upgrade or other reasons the Direct Access console will become inaccessiable.

Symptom:
Unable to open the DirectAccess configuration in the “Remote Access Management Console”
Error message unable to load configuration from “Server.domain.tld”
Error message about missing access permission on the GPO object.

Cause:
DirectAccess server has a specific EntryPointDc that is used for reading/writing GPO and AD settings.
You can see the settings using the Get-DAEntryPointDC cmdlet on DirectAccess servers.

Use get-DAEntryPointDC

EntryPointName       : DirectAccess-AU.domain.com
DomainControllerName : Server.domain.tld

EntryPointName       : DirectAccess-CN.domain.com
DomainControllerName : Server.domain.tld

EntryPointName       : DirectAccess-DK.domain.com
DomainControllerName : Server.domain.tld

EntryPointName       : DirectAccess-US.domain.com
DomainControllerName : Server.domain.tld

Fix:
This powershell will change any Entrypoint domain controllers that has “ExisitingDC” name:
Set-DAEntryPointDC –ExistingDC "Server.domain.tld" -NewDC "Server.domain.tld" –Force -PassThru
 

More information

Set-DAEntryPointDC: http://technet.microsoft.com/en-us/library/hh918412.aspx

Troubleshooting Setting the Entry Point Domain Controller: http://technet.microsoft.com/en-us/library/jj591656.aspx

 

Tags:

Microsoft Windows DirectAccess Client Troubleshooting Tool

I'm pleased to announce that Microsoft have just released an awesome troubleshooting tool for DirectAccess clients called "Microsoft Windows DirectAccess Client Troubleshooting Tool".

 

Get the tool here: http://www.microsoft.com/en-us/download/details.aspx?id=41938

 

 

Tags: