Designing Active Directory for Forefront UAG DirectAccess

This topic describes the Active Directory requirements when designing a Forefront UAG DirectAccess deployment.

DirectAccess clients and Forefront UAG DirectAccess servers must be members of an Active Directory Domain Services (AD DS) domain. Forefront UAG DirectAccess also uses Active Directory security groups and Group Policy objects (GPOs) to identify sets of computers, and the sets of settings that are applied to them.

The Forefront UAG DirectAccess Configuration Wizard uses security groups to identify the computer accounts of DirectAccess clients (required), and the computer accounts of application servers for end-to-end server access (optional).

Note:
It is recommended that you create and populate the DirectAccess clients group with at least one client from every domain on which Forefront UAG DirectAccess will be enabled (except for the domain to which the Forefront UAG DirectAccess server is joined). After completing the Forefront UAG DirectAccess Configuration Wizard, if you add another application server to the application server group, you must reenter the Application server section of the Forefront UAG DirectAccess Configuration Wizard, click Generate Policies, and then click Apply Now or Export script. For more information, see Applying or exporting the Forefront UAG DirectAccess configuration.

Note:

It is recommended that you create and populate the DirectAccess clients group with at least one client from every domain on which Forefront UAG DirectAccess will be enabled (except for the domain to which the Forefront UAG DirectAccess server is joined).
After completing the Forefront UAG DirectAccess Configuration Wizard, if you add another application server to the application server group, you must reenter the Application server section of the Forefront UAG DirectAccess Configuration Wizard, click Generate Policies, and then click Apply Now or Export script. For more information, see Applying or exporting the Forefront UAG DirectAccess configuration.

The Forefront UAG DirectAccess Configuration Wizard creates the following Group Policy objects (GPOs):

A GPO for DirectAccess clients—Contains settings for IPv6 transition technologies, NRPT entries, and Windows Firewall with Advanced Security connection security rules (required).
A GPO for the Forefront UAG DirectAccess server—Contains IPsec settings, and Windows Firewall with Advanced Security connection security rules (required).
A GPO for selected application servers—Contains settings for Windows Firewall with Advanced Security connection security rules (optional).

Warning:
When you remove a computer from a DirectAccess client or specified server security group, the next update of Group Policy removes the DirectAccess settings from the computer.

If you want to deploy multiple Forefront UAG DirectAccess deployments in the same domain, you must change the following Group Policy object names so that they are unique in each deployment (In multiple domains this is optional):

UAG DirectAccess: AppServer{f7b77f47-7c33-4d8c-bb9a-a913c5675d8d}
UAG DirectAccess: DaServer{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300}
UAG DirectAccess: Client{3491980e-ef3c-4ed3-b176-a4420a810f12}

You can do this by modifying the UAGDA_POLICY parameters in the export script that you should create after running the Forefront UAG Configuration Wizard. See, Modifying the Forefront UAG DirectAccess export script.

Active Directory and the Forefront UAG DirectAccess server

The Forefront UAG DirectAccess server must be a domain member and cannot be a domain controller. Additionally, an Active Directory domain controller cannot be reachable from the Internet interface of the Forefront UAG DirectAccess server (the Internet interface cannot be in the domain profile of Windows Firewall). If either of these is true, the Forefront UAG DirectAccess Configuration Wizard cannot run.

If you must have an Active Directory domain controller that is on the perimeter network, and therefore reachable from the Internet-facing interface of Forefront UAG DirectAccess server, you can prevent the Forefront UAG DirectAccess server from reaching it, by adding packet filters on the domain controller in the perimeter network that prevents connectivity to the IP address of the Internet-facing interface of the Forefront UAG DirectAccess server.

Using Multiple Domains

Forefront UAG DirectAccess allows you to specify within the security groups, clients and application servers from single or multiple domains, as follows:

Client computers—The client GPO is created at the end of the Forefront UAG DirectAccess Configuration Wizard, when the configuration script is applied, or the exported script is run. If at a later time, a client is added from a domain that was not present as a client domain when the GPO was created, it is not automatically linked to the GPO, and the client does not automatically receive GPO settings. For more information on how to link new client domains to the GPO, see Configuring clients for Forefront UAG DirectAccess.
Application servers—The application server GPO is created at the end of the Forefront UAG DirectAccess Configuration Wizard, when the configuration script is applied, or the exported script is run. Applications servers that were added to security groups after the GPO was generated, or application servers whose IP addresses changed, are not automatically updated in the DirectAccess client application server list. This means that any new application server added to the security group, or any application server whose IP address was changed after the GPO was generated, will be inaccessible to the DirectAccess client in both clear and encrypted modes, until manual changes are performed. For more information on how to add application servers after the GPO has been generated, see Identifying and configuring application servers.

When using multiple domains the following should be noted:

When configuring management servers in the Forefront UAG DirectAccess Configuration Wizard you should:
- Include all domain controllers, from all the domains that have client computers contained in the security groups specified in the Client Configuration section of the wizard.
- Include all domain controllers from all domains which contain users that may use client computers enabled for Forefront UAG DirectAccess use. This enables a user from another domain using a client computer enabled for Forefront UAG DirectAccess use on the local domain, to be authenticated with a domain controller in the user’s domain.
Where possible, common domain name suffixes should be added to the NRPT in the DNS suffixes section of the Wizard. For example, if you have two domains, domain1.corp.contoso.com and domain2.corp.contoso.com, instead of adding two entries into the NRPT, you can add a common DNS suffix entry, where the domain name suffix is corp.contoso.com.
The export script generated at the end of the Forefront UAG DirectAccess Wizard, can only be applied by a domain administrator. If clients from additional domains (in which the domain administrator who generated the script does not have domain administrator permissions) are included in the client computer security groups, the domain administrator must be granted link permissions to the additional domains.
To create link permissions for additional domains in multiple domain environments, see Linking to the Group Policy objects (GPOs).
The export script can be modified to include additional domains. See, Modifying the Forefront UAG DirectAccess export script.
When WINS is deployed in a multiple domain environment, you must configure a WINS forward lookup zone in the DNS. For more information, see Unqualified, single-label names and DNS search suffixes.