This topic describes how to select client domains that are used for the following:
Client domains must be specified in the Forefront UAG DirectAccess Configuration Wizard, and must include the domains containing client computers that will be enabled for DirectAccess.
Client Domains are used as follows:
- To act as a baseline for the selection of Organization Units (OU). OUs can only contain computers from the same domain where the OU exists. You can therefore only select OUs from domains that were specified as client domains. Client policy settings contained in the client Group Policy object (GPO) are applied to client computers belonging to OUs that are selected from the client domains.
- Security groups can contain computers from any number of domains and can be selected from any domain. When the Client GPO is created, it is linked to all the specified client domains with additional security filtering of the specified security group. When security groups are used, DirectAccess clients must belong to the selected security group and to one of the specified client domains.
- To generate the list of Domain Controllers that automatically populates the management servers list that can be viewed in the Management Servers page of the Infrastructure Servers Configuration section of the Forefront UAG DirectAccess Configuration Wizard.
Note: Domain Controllers cannot be manually added as infrastructure servers. You must ensure that all domains containing DirectAccess client computers are included as client domains.
- When using pre-created GPOs, client domains are used as containers for the client Group Policy objects. The Forefront UAG DirectAccess Configuration script searches for the identical pre-created client GPO name in all client domains, and copies the policy settings to the corresponding client GPO in each
The following domains can be added as client domains in the Forefront UAG DirectAccess Wizard:
- All domains that belong in the same forest that the Forefront UAG DirectAccess server belongs to.
- All domains that belong to forests that have a two-way trust with the forest the Forefront UAG DirectAccess server belongs to.
- Domains that have a two-way domain trust to the Forefront UAG DirectAccess server.
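A pre-check for the security group rule described above (DirectAccess clients must belong to the selected security group and to one of the specified client domains), as an added example that is not part of the original topic or of Forefront UAG. It derives each group member's domain from its distinguished name and flags members whose domain is missing from the client domain list; the group name DA-Clients, the example.com domains and the sample DNs are constructed assumptions.

```powershell
# Added example: function names, group name and sample data are hypothetical.
function Get-DomainFromDN {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Split on commas that are not backslash-escaped, then keep only the DC= parts.
    $parts  = $DistinguishedName -split '(?<!\\),'
    $labels = foreach ($p in $parts) {
        if ($p.Trim() -match '^DC=(.+)$') { $Matches[1] }
    }
    return ($labels -join '.').ToLowerInvariant()
}

function Test-DirectAccessClientCoverage {
    param(
        [Parameter(Mandatory)][string[]]$MemberDN,      # DNs of security group members
        [Parameter(Mandatory)][string[]]$ClientDomain   # domains entered on the Client Domains page
    )
    $allowed = $ClientDomain | ForEach-Object { $_.ToLowerInvariant() }
    foreach ($dn in $MemberDN) {
        if ($dn -match 'CN=ForeignSecurityPrincipals,') {
            # Member from another forest: the DN shows the group's domain, not the member's.
            $domain = '(unknown)'
            $status = 'ForeignPrincipal-ResolveManually'
        } else {
            $domain = Get-DomainFromDN -DistinguishedName $dn
            $status = if ($allowed -contains $domain) { 'Covered' }
                      else { 'DomainNotInClientDomains' }
        }
        [pscustomobject]@{ Member = $dn; Domain = $domain; Status = $status }
    }
}

# Constructed sample input. In a live domain the DNs could be read with:
#   (Get-ADGroup -Identity 'DA-Clients' -Properties member).member
# That attribute lists direct members only; nested groups are not expanded.
$clientDomains = @('corp.example.com', 'emea.corp.example.com')
$members = @(
    'CN=LAPTOP01,OU=Mobile,DC=corp,DC=example,DC=com',
    'CN=LAPTOP02,CN=Computers,DC=emea,DC=corp,DC=example,DC=com',
    'CN=LAPTOP03,CN=Computers,DC=apac,DC=corp,DC=example,DC=com',
    'CN=S-1-5-21-1111111111-2222222222-3333333333-1104,CN=ForeignSecurityPrincipals,DC=corp,DC=example,DC=com'
)

Test-DirectAccessClientCoverage -MemberDN $members -ClientDomain $clientDomains |
    Format-Table -AutoSize
```

Any member reported as DomainNotInClientDomains sits in a domain that would have to be added as a client domain before the client GPO can apply to it.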
To add a client domain
In the Clients and GPOs section of the Forefront UAG DirectAccess Configuration Wizard, on the Client Domains page, to add additional client domains, click Add. The Specify a Domain window appears.
Note: The domain the Forefront UAG DirectAccess server belongs to is automatically added to the list of domains.
Choose a domain from the domain tree and click Add. Repeat this operation for all the domains you want to add as client domains.
To enter a domain that does not appear in the domain tree, under Type the domain name, type a domain name and click Add.
- The Forefront UAG DirectAccess Configuration Wizard confirms that the domain exists before adding it to the list of client domains.
- Adding a client domain automatically adds it to the Authentication Domains list in the Infrastructure
- Removing a client domain automatically removes it from the Authentication domains list in the
When you have finished adding domains, click Close and then Next. The Policy Management page appears.