
Install and configure Direct Access on a Windows Server 2016 Essentials for hassle-free remote access

Did you ever troubleshoot VPN problems between Windows 10 and a Windows Server 2016 deployment? Get disconnects every now and then but you have no idea why that happens? Do you get 'error 720 a connection to the remote computer could not be established'? Use Direct Access instead of the old VPN solution.

One of the many advantages over ‘ordinary’ VPN is that Direct Access is fully transparent to the end user. Direct Access connects automatically when the client finds it is ‘outside’ of your corporate network, making resources available as if you were connected inside it. Mapped drives and local applications hosted on your server act as if you are inside your corporate LAN, and the connection from your client to your server is secure. Clients without a proper certificate from your own PKI, which runs by default on a Windows Server 2016 Essentials, cannot connect to Direct Access.

Deploying Direct Access on a server that runs the ‘Essentials Experience’ role on a Windows Server 2016 Standard/Datacenter or on a Windows Server Essentials 2016 SKU requires more 'tuning' than when it is installed on a separate member server in your domain. This simplified deployment is meant for SMBs who only have one server, and that server will be configured as a Direct Access server using the same certificate that is used for Anywhere Access. Deploying Direct Access on a Domain Controller (supported by Microsoft) is not considered ‘the most secure way’, but most of the SMBs I know come from a Small Business Server, and as we know that had everything on one box. In another guide, I will write about deploying Direct Access and the NLS (Network Location Server) on separate servers, but for now we focus on the smallest business.

For DirectAccess to work you need a Windows 10 Enterprise license.

The ‘Numinous Travel Company’ has such a server in their office. It is a Windows Server 2016 Standard with the Essentials Experience role and DHCP installed. It is the only server they have because ‘Numinous Travel Company’ has only 7 employees. They already configured Anywhere Access through the Windows Server Essentials Dashboard with a free Let’s Encrypt certificate. More information on this can be found in the guide ‘Get a free Let’s Encrypt SSL certificate for Access Anywhere and automatically renew it’. This is a prerequisite for installing Direct Access, so if you have not yet configured Anywhere Access on your server, now is the time to do that.

  1. Open Server Manager
  2. Choose to add roles and features.
  3. Click Next
  4. Click Next
  5. Click Next
  6. Click Next
  7. Check Remote Access GUI and Command Line tools
  8. Click Add Features.
  9. Click Next
  10. Click Install
  11. Click Close.

  1. From Server Manager click your Network Adapter
  2. Right-click and choose properties
  3. Highlight IPv4 and click properties
  4. Set Preferred DNS to the IP address of your server. In my case that is

  1. Open Active Directory Users and Computers
  2. Right-click and choose New –> Group
  3. Give it a name and click OK

  1. Open Certification Authority from Server Manager
  2. Right-click Certificate Template and choose Manage
  3. Right-click Web Server and choose Properties
  4. Highlight Authenticated Users and set to allow Full Control, click OK and close the Certification Authority.
  5. From an elevated PowerShell prompt type Restart-Service certsvc to restart Active Directory Certificate Services.

  1. Type ‘certi’ and choose Manage computer certificates from the Start Menu
  2. Right-click Certificates in Personal and choose Request New Certificate
  3. Click Next
  4. Click Next
  5. Click ‘More information is required’ and check ‘Web Server’.
  6. From the dropdown choose Common Name and in value type ‘DirectAccess-NLS.domain.local’ and click Add.
  7. Common name should now be listed on the right side and click OK
  8. Click Enroll
  9. Click Finish
  10. Our new certificate is listed.
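
The template step above gives Authenticated Users Full Control over the Web Server template, which includes the right to change the template and not only to enroll. The following is an added example, not part of the original guide: a read-only PowerShell check that lists who can enroll in or modify that template, so the grant can be reviewed once the certificate has been issued. It assumes the ActiveDirectory module is available and that the template's directory name is WebServer; the function name Get-TemplateAccess is made up for this example.

```powershell
# Added example: list accounts that can enroll in or modify the Web Server template.
# Run on the domain controller; needs the ActiveDirectory module for the AD: drive.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$EnrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AdRights    = [System.DirectoryServices.ActiveDirectoryRights]
# Bits that allow changing the template itself; Full Control (GenericAll) contains all three.
$ModifyMask  = [int]($AdRights::WriteDacl -bor $AdRights::WriteOwner -bor $AdRights::WriteProperty)
$ExtendedBit = [int]($AdRights::ExtendedRight)
# Principals that cover most or all accounts in the domain
$BroadNames  = 'Authenticated Users', 'Everyone', 'Domain Users', 'Domain Computers'

function Get-TemplateAccess {
    param([Parameter(Mandatory)][string]$TemplateCn)
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=$TemplateCn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights    = [int]$ace.ActiveDirectoryRights
        $canModify = ($rights -band $ModifyMask) -ne 0
        # Enroll is an extended right: granted by its own GUID or by "all extended rights"
        $canEnroll = (($rights -band $ExtendedBit) -ne 0) -and
                     ($ace.ObjectType -in @($EnrollRight, [guid]::Empty))
        if (-not ($canModify -or $canEnroll)) { continue }
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            CanEnroll = $canEnroll
            CanModify = $canModify
            Broad     = $name -in $BroadNames
        }
    }
}

# 'WebServer' is the directory name (CN) of the template displayed as "Web Server"
Get-TemplateAccess -TemplateCn 'WebServer' |
    Sort-Object Broad, CanModify -Descending |
    Format-Table -AutoSize
```

A row with both Broad and CanModify set to True is a grant worth narrowing to Read and Enroll for the accounts that actually request certificates.
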
  1. Open DNS Manager from Server Manager
  2. Right-click your local domain and choose New Host A
  3. In name type DirectAccess-NLS and the IP address of your server. Click Add Host
  4. Click OK and close DNS Manager

  1. Open Remote Access Management
  2. If you open Operations Status you will see an error. This can be ignored and do not try to start or restart Rasman.
  3. On the configuration tab choose ‘Enable DirectAccess’.
  4. Click Next
  5. Click Add
  6. Click Advanced
  7. Click Find Now
  8. Highlight the Direct Access Computers group and click OK
  9. Click OK
  10. Check ‘Enable DirectAccess for mobile computers only’.
  11. Choose ‘Behind an edge device (with a single network adapter)’ and click Next.
  12. Click Next
  13. Click Next
  14. Click Finish
  15. Click on Dashboard and monitor Configuration Status. It is normal that it takes a while to become active.
  16. Hit refresh and check again. After some time all but one should be green. Again, ignore the red warning.

  1. Click Edit in step 2
  2. Click Next
  3. Click Next
  4. Check Use Computer certificates and browse
  5. Click OK and if that does not work hit enter. I had some trouble with this window acting weird if you click OK
  6. Click Next
  7. Click New
  8. Fill in the range and click OK
  9. Click Finish

  1. Click Edit in Step 3
  2. Click Browse
  3. Sometimes this acts really weird. You cannot click anything in that window, but if you hit enter it works. Make sure the certificate that ends with CA is chosen
  4. Click Next
  5. Click Next
  6. Click Next
  7. Click Finish
  8. Click Finish
  9. Click Apply
  10. Click Close

  1. Open Registry editor from the Start Menu
  2. Open the key HKLM:\SYSTEM\CurrentControlSet\Services\IKEEXT\Parameters
  3. Add a new Dword value
  4. Name it ikeflags
  5. Right-click Modify
  6. Set the hexadecimal value to 8000

  1. From an elevated PowerShell prompt, run:
    (Get-NetIPInterface -InterfaceAlias IPHTTPSInterface | Get-NetIPAddress -PrefixLength 128)[1].IPAddress
  2. Open Group Policy Management from the Start Menu
  3. Right-click the DirectAccess Client settings policy and choose edit
  4. Click Edit rule
  5. Choose the tab DNS settings for Direct and click Add
  6. Enter the IP address that you got in step 1 and click Add
  7. Click Update
  8. Click Apply
  9. Close DirectAccess Client Settings

  1. From within Group Policy Manager right-click DirectAccess Server Settings and choose Edit
  2. Double-click Domain Name Server (TCP-In)
  3. Choose the tab Scope and add the IPv6 address you got from the previous step
  4. Enter the IPv6 address and click OK
  5. Do the same for Domain Name Server (UDP-In) and close Group Policy Manager

  1. From an elevated PowerShell prompt, run:
    Set-NetDnsTransitionConfiguration -AcceptInterface IPHTTPSInterface
  2. From the same prompt, run the following command, placing the IP address of your own server before the comma:
    Set-NetNatTransitionConfiguration -IPv4AddressPortPool @(", 10000-47000")
  3. Type Restart-Computer to reboot your server

One of the problems I saw during testing this deployment is that Windows 10 is actually connected to the server through DirectAccess but the status kept saying ‘Connecting’. It seems that this really is a quirk in the way the default has been set up on a typical Windows Server 2016 + Essentials Experience role. The DirectAccess-WebProbeHost is just a switch that tells the client ‘if you can resolve this DNS record I will set my status to Connected’. I decided to add the IPv6 address to the DirectAccess-WebProbeHost Host A Record and immediately all clients flipped to ‘Connected’.

  1. Open a Command Prompt and type ipconfig. Copy the IPv6 address as in the screenshot
  2. From DNS Manager right-click your local domain name and choose New Host (A or AAAA)…
  3. Type in the name of your Network Connectivity Assistant host ‘directaccess-WebProbeHost’, fill in the IPv6 address from earlier and click Add Host.
  4. Click OK and close DNS Manager.
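
An added example, not part of the original guide: a read-only PowerShell check of the server-side settings made in the steps above (NLS certificate, DNS records, ikeflags, DNS64 and NAT64 configuration). The helper name Test-Setting is made up for this example, and the domain name is read from the server in place of the guide's domain.local.

```powershell
# Added example: read-only checks for the settings made in the steps above.
# Run from an elevated PowerShell prompt on the DirectAccess server.
$domain    = (Get-CimInstance Win32_ComputerSystem).Domain
$nlsFqdn   = "DirectAccess-NLS.$domain"
$probeFqdn = "directaccess-WebProbeHost.$domain"
$ikeKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\IKEEXT\Parameters'

function Test-Setting {
    # Runs one check; any error or empty result counts as a failure.
    param([string]$Name, [scriptblock]$Check)
    try   { $ok = [bool](& $Check) }
    catch { $ok = $false }
    [pscustomobject]@{ Check = $Name; Passed = $ok }
}

$results = @(
    Test-Setting 'NLS certificate present and not expired' {
        Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -eq "CN=$nlsFqdn" -and $_.NotAfter -gt (Get-Date) }
    }
    Test-Setting 'NLS host (A) record resolves' {
        Resolve-DnsName -Name $nlsFqdn -Type A -ErrorAction Stop
    }
    Test-Setting 'WebProbeHost AAAA record resolves' {
        Resolve-DnsName -Name $probeFqdn -Type AAAA -ErrorAction Stop
    }
    Test-Setting 'ikeflags is 0x8000' {
        (Get-ItemProperty -Path $ikeKey -Name ikeflags -ErrorAction Stop).ikeflags -eq 0x8000
    }
    Test-Setting 'DNS64 accepts IPHTTPSInterface' {
        (Get-NetDnsTransitionConfiguration).AcceptInterface -contains 'IPHTTPSInterface'
    }
    Test-Setting 'NAT64 IPv4 address/port pool is set' {
        (Get-NetNatTransitionConfiguration).IPv4AddressPortPool
    }
)
$results | Format-Table -AutoSize
```
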

Remember that we checked ‘Enable DirectAccess for mobile computers only’ when we ran the Direct Access setup wizard? What this means is that Computer accounts that are in the Direct Access Computers security group AND have a Mobile Processor will be able to connect to DirectAccess, all others will not be able to connect.

When you configure DirectAccess clients in the Getting Started Wizard, you can choose to allow only mobile computers in the specified security groups to connect using DirectAccess. If you restrict access to mobile computers, DirectAccess automatically configures a WMI filter to ensure that the DirectAccess client GPO is applied only to mobile computers in the specified security groups.

For testing purposes, it is a good idea to turn that off because you possibly want to test this from a Desktop computer or Virtual Machine.

Now that we have changed the setting above, we can start testing the configuration with client computers connected inside your LAN. We do this to make sure the configuration is correct. Start a Windows 10 client computer that is joined to the domain and is a member of the Direct Access Client computers security group.

Test from inside your LAN

  1. From within ‘Settings’ we see that the computer is connected Locally or through LAN. This is the result of unchecking ‘Enable DirectAccess for mobile computers only’. In production this will obviously not be the case, but it is good to check that your policies are applied correctly.
  2. Type Get-DaConnectionStatus and see that the result is that we are connected Locally.
  3. Open Windows Defender Firewall with Advanced Security and check if you see the Connection Security rules as in the screenshot. If you do not see them, the policies are not applied. Maybe you forgot to add the computer account to the Direct Access Computers group; otherwise, check the Event log for policy-related errors.

Test from a remote location

  1. Check Connectivity from a location outside your Lan. I do that with my phone. I set it up with Connection sharing so I can hook up my laptop to the 4G connection.
  2. Type Get-DaConnectionStatus. It should now tell you ‘ConnectedRemotely’.
  3. In the Windows Firewall check that we have a security association with the server. This means we are connected to the server.
  4. But the easiest way to see if you are connected is to type \\wse2016\sysvol into the explorer address bar. If that resolves it works.

About www.server-essentials.com 

www.server-essentials.com is founded by Mariette Knap, a Dutch Microsoft MVP. www.server-essentials.com is a community for IT Consultants and Business Owners who, themselves, take care of the IT infrastructure and Employees who do that little extra in the company to keep things running. Our forum is for discussing all things ‘IT’ and more.  Our documentation is top notch and written by and for the community.
