Windows 7 DirectAccess overview May 31, 2009
Posted by Steve in Networking, Windows 2008. Tags: network, Windows 2008 R2, Windows 7
Windows 7 clients can gain remote access to network resources using a feature called DirectAccess. Microsoft sees this as a game-changing technology that will change the way we work remotely. A Windows 2008 R2 server acts as a gateway for DirectAccess clients, providing access to servers on the internal LAN.
DirectAccess does away with the need for third-party VPN clients or access gateways on client devices and simplifies data access for the end user. The end user experience is seamless and simple: the user simply turns the device on and connects to the internet, with no additional user action required. DirectAccess will automatically reconnect if the internet connection is dropped for any reason.
DirectAccess removes some of the more frustrating issues end users have when working remotely. Connections are made over port 443 (a standard port), removing connection issues caused by firewall rules on remote networks and routing issues caused by subnet clashes. Intelligent routing means users can access internet services at the same time as company resources.
For network administrators, the ability to manage computers outside the firewall will be a key driver for adopting this technology. NAP can be used to audit clients before allowing network access, and Group Policy can be applied over the DirectAccess connection before the user gains full network access.
One of the biggest differences between DirectAccess and traditional VPN solutions is that the DirectAccess connection can be initiated from either end, whereas VPNs are initiated from the client only. The connection is established when the client device starts up and doesn't require the end user to log in and initiate a connection.
DirectAccess Requirements:
- Windows 2008R2 Server Active Directory Domain Controller Role
- Windows 2008R2 Server DirectAccess Role
- 2 Network cards configured
- 2 consecutive public static IPv4 addresses with public DNS names
- Digital Certificates with CRL attributes
- Windows 7 client joined to the domain
Firewall configuration details can be found on TechNet in the DirectAccess requirements article.
DirectAccess really is, in my opinion, one of the best reasons to move to Windows 7 when it is released later this year. End users will love seamless access to company resources, while network administrators will see real value in the management capabilities. Download the RCs now and give it a go!
DNS Aliasing April 30, 2009
Posted by Steve in Networking. Tags: DNS, network, SQL, TCP/IP
How many times have you had to upgrade a server and run around making changes to login scripts and group policies? How about migrating users to a new terminal server or migrating applications to a new SQL server? DNS aliases can be used to simplify these tasks and, with a little thought, remove the need to ever make those changes again.
File Server example
In this example we have an existing file server FS-1 and a new file server FS-2. We will create an alias called FILESERVER.
Disable strict name checking on both file servers (needed so clients can connect to SMB shares using the alias):
- Edit HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
- Add a REG_DWORD DisableStrictNameChecking = 1
- Restart the server so the setting takes effect
In DNS create a CNAME record called FILESERVER and point the CNAME at the DNS A record for FS-1.
You can now change login scripts and GPOs to connect to FS-1 in either of two ways. Note this works for file shares and shared printers too:
- \\FS-1\share
- \\FILESERVER\share
Now let's assume you want to replace FS-1 with a new server FS-2. Simply move the data and create the shares on FS-2, and when you're ready to swap servers, change the FILESERVER CNAME to point to FS-2. No changes to login scripts or GPOs are needed.
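The registry, CNAME and cutover steps above, scripted as an added example (not part of the original post) in PowerShell calling the command-line tools available on Windows Server 2008 R2 (reg.exe, dnscmd.exe, setspn.exe). The domain contoso.local, DNS server DC-1 and share name are assumptions; the script also adds the HOST SPN registration that Microsoft documents alongside DisableStrictNameChecking, which the post does not mention.

```powershell
# Added example, not from the original post. All names are constructed for illustration:
# domain contoso.local, DNS server DC-1, old file server FS-1, new file server FS-2.
$Zone      = "contoso.local"
$DnsServer = "DC-1"
$Alias     = "FILESERVER"
$OldServer = "FS-1"
$NewServer = "FS-2"

# 1. Relax the server-side check that rejects SMB requests addressed to a name the server
#    does not recognise (run for both file servers). Remote Registry must be running on the
#    targets, and each server needs a restart before the setting takes effect.
foreach ($fs in $OldServer, $NewServer) {
    reg add "\\$fs\HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters" `
        /v DisableStrictNameChecking /t REG_DWORD /d 1 /f
}

# 2. Register HOST SPNs for the alias on the server it currently points to, so the KDC can
#    issue Kerberos tickets for the alias name rather than the client failing or falling
#    back to NTLM. -S refuses to create a duplicate SPN elsewhere in the domain.
function Set-AliasSpn([string]$Server) {
    setspn -S "host/$Alias" $Server
    setspn -S "host/$Alias.$Zone" $Server
}
Set-AliasSpn $OldServer

# 3. Create the CNAME with a short TTL (300 s) so a later cutover propagates quickly.
dnscmd $DnsServer /RecordAdd $Zone $Alias 300 CNAME "$OldServer.$Zone."

# Either UNC path now works in login scripts and GPOs.
Test-Path "\\$OldServer\share"
Test-Path "\\$Alias\share"

# 4. Cutover: once the data and shares exist on FS-2, move the SPNs (an SPN may live on only
#    one account, so remove it from FS-1 first) and repoint the CNAME.
setspn -D "host/$Alias" $OldServer
setspn -D "host/$Alias.$Zone" $OldServer
Set-AliasSpn $NewServer
dnscmd $DnsServer /RecordDelete $Zone $Alias CNAME "$OldServer.$Zone." /f
dnscmd $DnsServer /RecordAdd    $Zone $Alias 300 CNAME "$NewServer.$Zone."

# 5. Verify from a client once the old TTL has expired (or after flushing its cache).
ipconfig /flushdns | Out-Null
nslookup "$Alias.$Zone" $DnsServer
Test-Path "\\$Alias\share"
```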
Tips:
Before cutting over to FS-2, you can add a hosts file entry on a test PC so that the alias resolves to FS-2 and test the shares from there.
The same concept can be used in many places, including aliases for SQL databases, SharePoint, mail servers, web servers and many other applications that use TCP/IP to communicate.
This is a good way to present “friendly” server names to users while maintaining names that are meaningful to the IT team.
You can have multiple CNAME records pointing to the same server. This is useful for application-specific DNS aliases, e.g. a SQL server running several databases could have a CNAME for each database, so that if one is moved to another server in the future the CNAME can follow it.