
As our organization is slowly rolling out Windows 10, I made the observation of a DirectAccess GPO linked to the Windows 10 PCs OU (which contains internal desktops, laptops, and even VMs for VDI). This GPO was identical to our standard DA GPO, except it was scoped to Authenticated Users instead of a "DA PCs" security group. I pointed out this oddity to our senior admin, and interestingly, he says that because Windows 10 supports DirectAccess, it should be enabled just because we already have it set up.

I see several problems with this, but the major one would be increased load on the DirectAccess server from clients who don't even need it. Is deploying DirectAccess to all clients a reasonable design choice, or is it bizarre? What are the benefits/drawbacks of doing so?

Bigbio2002

1 Answer


If there are desktops and servers that communicate with each other and the network is not partitioned/no firewalls, DirectAccess serves no purpose. It may actually cause an outage if the Network Location Server (NLS) takes a hit.

"What happens when NLS is offline?
Let's start with one of the craziest situations that can happen in a DirectAccess environment. This one is particularly nutty because when it happens, the symptoms that you experience are for your computers INSIDE the office, while your remote workforce continues to function normally. The NLS is the mechanism by which all of your DirectAccess client computers validate when they are inside the network.

It is a very simple requirement (just a website), but if anything goes wrong with the validation of that website, crazy stuff happens. Any DirectAccess client computer that is sitting inside the office will not realize that it is inside the office, and will continue to leave the NRPT enabled, which results in all corporate DNS requests attempting to resolve themselves to the DirectAccess server's external interface, which isn't routable because the user is inside the network."

-- Microsoft DirectAccess Best Practices and Troubleshooting

(A book you may want to consider reading)

http://www.amazon.com/Microsoft-DirectAccess-Best-Practices-Troubleshooting/dp/1782171061

https://www.packtpub.com/virtualization-and-cloud/microsoft-directaccess-best-practices-and-troubleshooting

Greg Askew
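The two concerns raised above (a DA GPO applied to machines that never leave the LAN, and an NLS outage that strands internal clients with the NRPT still enabled) can both be checked from the client side. The following PowerShell script is an added example written for this page, not code from either poster or from Microsoft. It assumes a domain-joined Windows 10 client with the built-in DnsClient, NetworkConnectivityStatus and DirectAccessClientComponents modules; the report structure and the decision thresholds are my own, and the NLS URL is read from the NCSI policy (DomainLocationDeterminationUrl) rather than hard-coded.

```powershell
# Audit a Windows 10 client for DirectAccess over-scoping and NLS health.
# Added example (not from the original question or answer). Run in an
# elevated PowerShell prompt on a domain-joined client; read-only.

function Get-DaClientAudit {
    $report = [ordered]@{
        DaPolicyApplied  = $false   # does any NRPT rule from GPO have DA enabled?
        DaNamespaces     = @()      # corporate suffixes the NRPT will route to DA
        NlsUrl           = $null    # Network Location Server URL from NCSI policy
        NlsReachable     = $null    # did an HTTPS probe of the NLS succeed?
        ConnectionStatus = $null    # client's own view (ConnectedLocally, etc.)
        Finding          = @()
    }

    # 1. Is the DirectAccess GPO actually in effect on this machine?
    #    Get-DnsClientNrptPolicy shows the NRPT rules delivered by policy.
    $nrpt = Get-DnsClientNrptPolicy -Effective -ErrorAction SilentlyContinue
    $daRules = @($nrpt | Where-Object { $_.DirectAccessEnabled -eq $true })
    if ($daRules.Count -gt 0) {
        $report.DaPolicyApplied = $true
        $report.DaNamespaces = $daRules.Namespace
    }

    # 2. Where does the client expect the NLS, and can it reach it right now?
    $ncsi = Get-NCSIPolicyConfiguration -ErrorAction SilentlyContinue
    if ($ncsi -and $ncsi.DomainLocationDeterminationUrl) {
        $report.NlsUrl = $ncsi.DomainLocationDeterminationUrl
        try {
            # A real DA client does an HTTPS probe of this URL; mimic it.
            $resp = Invoke-WebRequest -Uri $report.NlsUrl -UseBasicParsing -TimeoutSec 5
            $report.NlsReachable = ($resp.StatusCode -eq 200)
        } catch {
            $report.NlsReachable = $false
        }
    }

    # 3. What does the DA client component itself think its state is?
    try {
        $status = Get-DAConnectionStatus -ErrorAction Stop
        $report.ConnectionStatus = "$($status.Status) / $($status.Substatus)"
    } catch {
        $report.ConnectionStatus = 'n/a (DA client components not active)'
    }

    # 4. Turn the raw data into the findings an admin would act on.
    $isLaptop = (Get-CimInstance Win32_SystemEnclosure).ChassisTypes |
        Where-Object { $_ -in 8, 9, 10, 14 }   # portable/laptop/notebook/sub-notebook
    if ($report.DaPolicyApplied -and -not $isLaptop) {
        $report.Finding += 'DA GPO applied to a non-portable machine (likely over-scoped GPO).'
    }
    if ($report.DaPolicyApplied -and $report.NlsReachable -eq $false) {
        $report.Finding += 'NLS unreachable: NRPT stays active and corporate DNS will be sent to the DA server.'
    }
    if ($report.Finding.Count -eq 0) { $report.Finding += 'No issue detected.' }

    [pscustomobject]$report
}

# Usage: print the audit; wrap in Invoke-Command to run across an OU.
Get-DaClientAudit | Format-List
```

The chassis-type heuristic is deliberately coarse: its purpose is to flag the desktops and VDI VMs in the question, which gain nothing from the NRPT yet inherit every NLS failure mode the answer describes. A machine that reports `DaPolicyApplied = True` with `NlsReachable = False` is exactly the "inside the office but doesn't know it" case from the quoted book.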