[Experience Sharing] Install DirectAccess with Windows Server 2016-ganzy

Posted on 2018-6-17 12:11:03

  1. Network Interfaces (edge-facing deployment)

  External interface: connected to the public Internet using public IPv4 addressing.
  To configure the External interface, right-click the External adapter and choose Properties. Highlight Internet Protocol Version 4 (TCP/IPv4) and then click Properties. Provide an IPv4 address, subnet mask, and default gateway. DO NOT specify any DNS servers!
  Click Advanced, select the DNS tab, and uncheck the box next to Register this connection's addresses in DNS.
  Select the WINS tab and uncheck the box next to Enable LMHOSTS lookup. In addition, in the NetBIOS setting section, select the option Disable NetBIOS over TCP/IP.

  Internal interface: connected to a perimeter or DMZ network or the LAN using private IPv4 addressing.
  To configure the Internal network interface, right-click the Internal network connection and choose Properties. Highlight Internet Protocol Version 4 (TCP/IPv4) and then click Properties. Provide an IPv4 address and a subnet mask. DO NOT specify a default gateway! Provide the IP addresses of the DNS servers on the corporate LAN as necessary.

  2. Static Routes
  Because the Internal network interface has no default gateway, static routes must be configured to every remote internal subnet that needs to be reachable from the DirectAccess server and by DirectAccess clients. For example, if the DirectAccess server is on the 192.168.3.0/24 subnet but there are systems on the 192.168.10.0/24 subnet that must be accessible from the DirectAccess server, a static route is defined by entering the following command in an elevated PowerShell window:
  New-NetRoute -InterfaceAlias <Interface_Name> -DestinationPrefix <SubnetID/Mask> -NextHop <Gateway_Address>
  Using the preceding example, the command to create the static route would look like this:
  New-NetRoute -InterfaceAlias Internal -DestinationPrefix 192.168.10.0/24 -NextHop 192.168.3.254
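The interface settings from section 1 and the static route from section 2 can also be applied and verified from an elevated PowerShell window. The following script is an added example, not part of the original post; the adapter aliases, the public address, the DNS server and the route are assumed values built around the post's 192.168.3.0/24 example.

```powershell
# Added example (not from the original post): scripts the interface and static
# route settings described in sections 1 and 2. Adapter aliases, addresses and the
# DNS server are assumed values built around the post's 192.168.3.0/24 example.
$External = 'External'
$Internal = 'Internal'

# External interface: public IPv4 address, mask and default gateway; no DNS servers.
New-NetIPAddress -InterfaceAlias $External -IPAddress '203.0.113.10' `
    -PrefixLength 24 -DefaultGateway '203.0.113.1' | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $External -ResetServerAddresses
# Equivalent of unchecking "Register this connection's addresses in DNS".
Set-DnsClient -InterfaceAlias $External -RegisterThisConnectionsAddress $false

# Internal interface: private IPv4 address and mask, corporate DNS, NO default gateway.
New-NetIPAddress -InterfaceAlias $Internal -IPAddress '192.168.3.10' `
    -PrefixLength 24 | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $Internal -ServerAddresses '192.168.3.5'

# Disable NetBIOS over TCP/IP on the external adapter (TcpipNetbiosOptions 2 = disable)
# and turn off LMHOSTS lookup, matching the WINS tab settings in the post.
$ifIndex = (Get-NetAdapter -Name $External).ifIndex
$cfg = Get-CimInstance Win32_NetworkAdapterConfiguration | Where-Object InterfaceIndex -eq $ifIndex
Invoke-CimMethod -InputObject $cfg -MethodName SetTcpipNetbios `
    -Arguments @{ TcpipNetbiosOptions = [uint32]2 } | Out-Null
Invoke-CimMethod -ClassName Win32_NetworkAdapterConfiguration -MethodName EnableWINS `
    -Arguments @{ DNSEnabledForWINSResolution = $false; WINSEnableLMHostsLookup = $false } | Out-Null

# Static route to a remote internal subnet via the internal router (the post's example).
New-NetRoute -InterfaceAlias $Internal -DestinationPrefix '192.168.10.0/24' `
    -NextHop '192.168.3.254' | Out-Null

# Verify: only the external interface may carry a default route, and only the
# internal interface should know the corporate DNS servers.
$defaultRoutes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
if ($defaultRoutes.InterfaceAlias -contains $Internal) {
    Write-Warning "Internal interface has a default gateway; DirectAccess expects none."
}
Get-NetIPConfiguration | Where-Object InterfaceAlias -in @($External, $Internal) |
    Select-Object InterfaceAlias, IPv4Address, IPv4DefaultGateway, DNSServer
```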
  3. Join Domain and Apply Updates
  Using the Add-Computer PowerShell cmdlet, it is possible to rename the computer, join it to the domain, and place the server in a specific Organizational Unit (OU) with a single command:
  Add-Computer -NewName <new_computer_name> -OUPath <OU_Path> -DomainName <domain_name>
  For example:
  Add-Computer -NewName SEN-DAS -OUPath "OU=DAS,DC=sen,DC=hi,DC=cn" -DomainName sen.hi.cn -Restart

  Once the DirectAccess server has been joined to the domain, proceed with installing Windows updates as necessary using Windows Update (Windows Key + I → Update & Security → Check for Updates).
  4. Certificates
  DirectAccess requires two different types of certificates: a computer (machine) certificate and an SSL certificate.
  Computer certificates are used for IPsec authentication and encryption. They must be issued to the DirectAccess server by an internal PKI. The certificate must include the Client Authentication Enhanced Key Usage (EKU).
  To create a certificate template, open the Certificate Services management console on the Active Directory Certificate Services (AD CS) server. In the navigation tree, expand the server, then right-click Certificate Templates and choose Manage. Optionally, you can press Windows Key + R and enter certtmpl.msc.
  Right-click the Workstation Authentication template and choose Duplicate Template.
  Select the General tab and provide a descriptive name (for example, DirectAccess IPsec) for the new template. Specify an appropriate validity and renewal period based on your organization's security policy.
  Select the Subject Name tab and choose DNS name for the Subject name format.
  Select the Security tab and click Add. Specify the names of the DirectAccess client security group and the name of each DirectAccess server. Optionally, a security group can be created for DirectAccess servers, and that group can be specified here.
  For the DirectAccess client group and the DirectAccess servers (or DirectAccess server group), check the Allow box for both Enroll and Autoenroll. Once complete, click OK.
  In the Certification Authority management console, right-click Certificate Templates and choose New and Certificate Template to Issue. Highlight the DirectAccess IPsec certificate template and choose OK.

  Computer certificates can be requested and installed manually on the DirectAccess server using the Certificates management console snap-in.
  To request a computer certificate, press Windows Key + R on the DirectAccess server to bring up the Run command box and enter certlm.msc.
  Expand Certificates (Local Computer), right-click Personal, and choose All Tasks and Request New Certificate. Click Next twice, select the DirectAccess IPsec certificate template, and click Enroll.
  Automatic Enrollment
  To simplify the provisioning of certificates for DirectAccess servers and clients, and to ensure that certificates are automatically renewed before they expire, it is recommended that certificate auto-enrollment be configured. This is accomplished by creating and deploying a Group Policy Object (GPO) in Active Directory.
  To create and deploy a computer certificate auto-enrollment GPO, open the Group Policy Management console (run gpmc.msc). Expand the Forest, Domains, and the domain where the DirectAccess server and clients are joined. Right-click Group Policy Objects and click New. Provide a descriptive name for the new GPO and click OK.
  Right-click the newly created GPO and choose Edit. Expand Computer Configuration, Policies, Windows Settings, and Security Settings, and highlight Public Key Policies. Double-click Certificate Services Client - Auto-Enrollment and select Enabled for the Configuration Model. Select the options Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates, and click OK.
  In the Group Policy Management Console, select the GPO and click Add under Security Filtering. Remove Authenticated Users and specify the DirectAccess client security group and all DirectAccess servers (or the DirectAccess servers security group).
  Finally, link the GPO to the domain. Optionally, the GPO can be linked directly to the OU that contains the DirectAccess servers and clients, if necessary.
  SSL Certificate

  An SSL certificate is required for the IP-HTTPS IPv6 transition protocol. It is recommended that the SSL certificate be obtained from a public certificate authority (CA). The first step in requesting a public SSL certificate is to generate a Certificate Signing Request (CSR). This can be accomplished in a variety of ways, including the Microsoft Management Console (MMC) Certificates snap-in, the certutil.exe command-line tool, and even the Internet Information Services (IIS) management tool. The steps below use the Certificates snap-in and the CA's Web Server template:

  To obtain an additional certificate for IP-HTTPS:

  •   On the DirectAccess server, click Start, click Run, type mmc, and then press ENTER. Click Yes at the User Account Control prompt.
  •   Click File, and then click Add/Remove Snap-ins.
  •   Click Certificates, click Add, click Computer account, click Next, select Local computer, click Finish, and then click OK.
  •   In the console tree of the Certificates snap-in, open Certificates (Local Computer)\Personal\Certificates.
  •   Right-click Certificates, point to All Tasks, and then click Request New Certificate.
  •   Click Next twice.
  •   On the Request Certificates page, click the Web Server certificate template, and then click More information is required to enroll for this certificate.

      If the Web Server certificate template does not appear, ensure that the DirectAccess server computer account has enroll permissions for the Web Server certificate template, as described next.

      To configure permissions for the Web Server certificate template:

    •   On the CA computer, click Start, click Run, type certtmpl.msc, and then press ENTER.
    •   In the contents pane, right-click the Web Server template, and then click Properties.
    •   Click the Security tab, and then click Add.
    •   In Enter the object names to select, type the name of the security group that contains the computers that are allowed to request customized certificates, and then click OK.
        This security group should contain, at least temporarily while custom certificates are being requested, the computer accounts of the DirectAccess server and the network location server. As a security best practice, do not use the Authenticated Users group.
    •   In Permissions, click Enroll under Allow, and then click OK.

  •   On the Subject tab of the Certificate Properties dialog box, in Subject name, for Type, select Common name.
  •   In Value, type the fully qualified domain name (FQDN) of the Internet name of the DirectAccess server (for example, da.sen.hi.cn), and then click Add.
  •   Click OK, click Enroll, and then click Finish.
  •   In the details pane of the Certificates snap-in, verify that a new certificate with the FQDN was enrolled with Intended Purposes of Server Authentication.
  •   Right-click the certificate, and then click Properties.
  •   In Friendly Name, type IP-HTTPS Certificate, and then click OK.
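Before moving on to the role installation, it is worth confirming from PowerShell that the local machine store holds both certificates section 4 calls for: a computer certificate with the Client Authentication EKU and a Server Authentication certificate for the public FQDN. The script below is an added example, not from the original post; the FQDN da.sen.hi.cn is the post's example value and the 30-day renewal threshold is an assumption.

```powershell
# Added example (not from the original post): verifies on the DirectAccess server that
# both certificates described in section 4 are present and valid. The FQDN is the
# post's example value; the renewal threshold is an assumed policy value.
$Fqdn            = 'da.sen.hi.cn'
$ClientAuthOid   = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU (IPsec computer cert)
$ServerAuthOid   = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (IP-HTTPS SSL cert)
$RenewWithinDays = 30

# Apply the auto-enrollment GPO and trigger enrollment now, so a newly issued
# certificate does not have to wait for the next scheduled policy refresh.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null

function Get-DirectAccessCertificates {
    $now   = Get-Date
    $store = Get-ChildItem Cert:\LocalMachine\My

    # IPsec computer certificate: Client Authentication EKU and not yet expired.
    $ipsec = $store | Where-Object {
        $_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid -and $_.NotAfter -gt $now
    }
    # IP-HTTPS certificate: Server Authentication EKU and a CN or SAN equal to the FQDN.
    $https = $store | Where-Object {
        $_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid -and
        ($_.GetNameInfo('DnsName', $false) -eq $Fqdn -or $_.DnsNameList.Unicode -contains $Fqdn) -and
        $_.NotAfter -gt $now
    }
    if (-not $ipsec) { Write-Warning 'No valid computer certificate with the Client Authentication EKU.' }
    if (-not $https) { Write-Warning "No valid Server Authentication certificate for $Fqdn." }

    foreach ($c in @($ipsec) + @($https)) {
        if ($null -eq $c) { continue }
        $daysLeft = ($c.NotAfter - $now).Days
        [pscustomobject]@{
            Role         = if ($c.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid) { 'IP-HTTPS' } else { 'IPsec' }
            Subject      = $c.Subject
            FriendlyName = $c.FriendlyName
            Issuer       = $c.Issuer
            Thumbprint   = $c.Thumbprint
            DaysLeft     = $daysLeft
            RenewSoon    = $daysLeft -lt $RenewWithinDays
        }
    }
}

Get-DirectAccessCertificates | Format-Table -AutoSize
```

A certificate flagged RenewSoon without auto-enrollment in place is the usual cause of IPsec or IP-HTTPS failures that appear weeks after a working deployment.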

  5. Installing the DirectAccess-VPN Role
  Install the DirectAccess-VPN role using PowerShell:
  Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools
  6. Configure DirectAccess with the Getting Started Wizard
  To launch the Getting Started Wizard, open the Remote Access Management Console on the DirectAccess server.
  The Remote Access Management Console can be found by clicking the Start menu and navigating to All Apps → Windows Administrative Tools → Remote Access Management Console. Expand Configuration, highlight DirectAccess and VPN, and then click Run the Getting Started Wizard.
  Step 1: Remote Clients
  NCA settings apply only to Windows 8.x and Windows 10 clients. These settings are not used by Windows 7 clients.
  The Resources that validate connectivity to the internal network field is initially blank. Intuitively, information should be supplied here. However, it is not necessary (or recommended) to do so at this time. Resource validation is performed by Windows 8.x and Windows 10 clients by checking connectivity to this URL after the DirectAccess connection is made. During initial configuration, the DirectAccess deployment wizard automatically populates this field with the URL http://DirectAccess-WebProbeHost.sen.hi.cn, which is hosted on the DirectAccess server (a corresponding host record in DNS resolving to the internal IPv4 address of the DirectAccess server is also configured). This setting can be changed later, after the initial configuration has been completed.
  The corresponding host record is added to the DNS server automatically.

  Step 2: Remote Access Server

  Step 3: Infrastructure Servers

  Step 4: Application Servers (Optional)
  Step 4 of the Remote Access Setup Wizard is optional. By default, DirectAccess client communication is authenticated and encrypted only between the DirectAccess client and the DirectAccess server. Communication between the DirectAccess server and hosts on the internal network is not authenticated or encrypted.
  If full end-to-end authentication (and, optionally, encryption) from the DirectAccess server to specific application servers is required, click Edit under Application Servers on Step 4.
  Select the option Extend authentication to selected application servers, click Add, and specify an Active Directory security group that includes the servers requiring end-to-end authentication.

  7. Client Configuration and Test
  Join the client to the domain, placing it in the DirectAccess clients OU:
  Add-Computer -NewName DA-Win10 -OUPath "OU=DAClients,OU=DAS,DC=sen,DC=hi,DC=cn" -DomainName sen.hi.cn -Restart
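Once the client has rebooted, received the DirectAccess group policy, and been moved outside the corporate network, the tunnel can be checked from PowerShell on the client. The script below is an added example, not from the original post; the probe URL and DNS suffix are the post's values (DirectAccess-WebProbeHost.sen.hi.cn), and it assumes a Windows 8.x/10 client, since the NCA cmdlets are not available on Windows 7.

```powershell
# Added example (not from the original post): run on a domain-joined Windows 10
# DirectAccess client from outside the corporate network to confirm the tunnel,
# the IP-HTTPS transport and name resolution. Values are the post's example names.
$ProbeUrl  = 'http://DirectAccess-WebProbeHost.sen.hi.cn'
$DnsSuffix = '.sen.hi.cn'

# Overall DirectAccess state as reported by the Network Connectivity Assistant (NCA).
$status = Get-DAConnectionStatus
"DirectAccess status: $($status.Status) ($($status.Substatus))"

# IP-HTTPS is the transition technology served by the IP-HTTPS certificate from
# section 4; its state shows whether the IPv6-over-HTTPS tunnel came up.
$ipHttps = Get-NetIPHttpsState
"IP-HTTPS state: $($ipHttps.State), last error $($ipHttps.LastErrorCode)"

# The wizard deploys an NRPT rule so corporate names resolve through the
# DirectAccess DNS server instead of the client's local ISP resolver.
$nrpt = Get-DnsClientNrptPolicy | Where-Object Namespace -eq $DnsSuffix
if (-not $nrpt) {
    Write-Warning "No NRPT rule for $DnsSuffix; the DirectAccess client GPO may not have applied."
} else {
    "NRPT: $($nrpt.Namespace) -> $($nrpt.DirectAccessDnsServers -join ', ')"
}

# Reach the web probe host the wizard configured for connectivity validation.
try {
    $resp = Invoke-WebRequest -Uri $ProbeUrl -UseBasicParsing -TimeoutSec 10
    "Probe $ProbeUrl returned HTTP $($resp.StatusCode)"
} catch {
    Write-Warning "Probe $ProbeUrl failed: $($_.Exception.Message)"
}
```

If the status is ConnectedLocally the client still believes it is inside the corporate network (it can reach the network location server), so the tunnel will not be built; test from a genuinely external network.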

Post URL: https://www.iyunv.com/thread-524926-1-1.html