Selecting client domains in SP1

This topic describes how to select client domains that are used for the following:

Client domains must be specified in the Forefront UAG DirectAccess Configuration Wizard, and must include the domains containing client computers that will be enabled for DirectAccess.

Client Domains are used as follows:

To act as a baseline for the selection of Organization Units (OU). OUs can only contain computers from the same domain where the OU exists. You can therefore only select OUs from domains that were specified as client domains. Client policy settings contained in the client Group Policy object (GPO) are applied to client computers belonging to OUs that are selected from the client domains.
Security groups can contain computers from any number of domains and can be selected from any domain. When the Client GPO is created, it is linked to all the specified client domains with additional security filtering of the specified security group. When security groups are used, DirectAccess clients must belong to the selected security group and to one of the specified client domains.
To generate the list of Domain Controllers that automatically populates the management servers list that can be viewed in the Management Servers page of the Infrastructure Servers Configuration section of the Forefront UAG DirectAccess Configuration Wizard.

Note:

Domain Controllers cannot be manually added as infrastructure servers. You must ensure that all domains containing DirectAccess client computers are included as client domains.
When using pre-created GPOs, client domains are used as containers for the client Group Policy objects. The Forefront UAG DirectAccess Configuration script searches for the identical pre-created client GPO name in all client domains, and copies the policy settings to the corresponding client GPO in each client domain.

Note:
Domain Controllers cannot be manually added as infrastructure servers. You must ensure that all domains containing DirectAccess client computers are included as client domains.

The following domains can be added as client domains in the Forefront UAG DirectAccess Wizard:

All domains that belong in the same forest that the Forefront UAG DirectAccess server belongs to.
All domains that belong to forests that have a two-way trust with the forest the Forefront UAG DirectAccess server belongs to.
Domains that have a two-way domain trust to the Forefront UAG DirectAccess server.

To add a client domain

In the Clients and GPOs section of the Forefront UAG DirectAccess Configuration Wizard, on the Client Domains page, to add additional client domains, click Add. The Specify a Domain window appears.

Note:

The domain the Forefront UAG DirectAccess server belongs to is automatically added to the list of domains.
Choose a domain from the domain tree and click Add. Repeat this operation for all the domains you want to add as client domains.

Note:
The domain the Forefront UAG DirectAccess server belongs to is automatically added to the list of domains.

To enter a domain that does not appear in the domain tree, under Type the domain name, type a domain name and click Add.

Note:
The Forefront UAG DirectAccess Configuration Wizard confirms that the domain exists before adding it to the list of client domains. Adding a client domain automatically adds it to the Authentication Domains list in the Infrastructure wizard. Removing a client domain automatically removes it from the Authentication domains list in the Infrastructure wizard.

When you have finished adding domains, click Close and then Next. The Policy Management page appears.