Updated: Can I Migrate My Windows DirectAccess Configuration to UAG DirectAccess?

(Updated Oct 5, 2010)

I’ve seen a number of questions asking if there was a method you could use to migrate your Windows DirectAccess configuration to a UAG DirectAccess deployment.

The answer to this question is that there is no automated method to do this. However, the manual steps aren’t very difficult. Here’s what you need to do:

  • Open the Windows DirectAccess console and turn off the DirectAccess configuration. This will disable the DirectAccess server side configuration on the Windows DirectAccess server.
  • Open the Group Policy Management console and delete the two or three Group Policy Objects created by the Windows DirectAccess wizard. If you didn’t create any end-to-end security connections, then there will be two. If you did configure some end-to-end security connections, then there will be three.
  • Change the ISATAP DNS record if you are going to use a different IP address for the internal interface of the UAG DirectAccess server.
  • UPDATE: If you set up Active Directory subnets corresponding to your ISATAP prefix, you might want to consider removing them to keep things well organized.
  • UPDATE: If you are not going to reuse the certificates you used for the IP-HTTPS listener and the machine certificate for the former DirectAccess server’s computer account, you might want to revoke those.

That’s all there is to it!
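
A read-only PowerShell inventory of the leftovers the steps above deal with, as an added example that is not from the original post. It assumes the GroupPolicy and ActiveDirectory modules are installed, that the wizard-created GPOs can be found with a display-name pattern (`*DirectAccess*` is a guess to adjust), and that any IPv6 subnet in AD is a candidate ISATAP subnet.

```powershell
# Added example: lists what is still in place; it changes nothing.
Import-Module GroupPolicy, ActiveDirectory

# ASSUMPTION: display-name pattern for the wizard-created GPOs. Adjust to your names.
$gpoPattern = '*DirectAccess*'

# 1. GPOs: the post expects two or three before deletion, so zero afterwards.
$gpos = @(Get-GPO -All | Where-Object { $_.DisplayName -like $gpoPattern })
"GPOs matching '$gpoPattern': $($gpos.Count)"
$gpos | Format-Table DisplayName, Id, CreationTime -AutoSize

# 2. ISATAP DNS record: compare the answer with the internal address
#    planned for the UAG DirectAccess server.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses('isatap')
    "isatap resolves to: $($addrs -join ', ')"
} catch {
    "isatap does not resolve from this host"
}

# 3. AD subnets: subnet objects are named after their prefix, so a ':' in the
#    name marks an IPv6 subnet (ASSUMPTION: those were created for ISATAP).
$cfg = (Get-ADRootDSE).configurationNamingContext
$subnets = @(Get-ADObject -SearchBase "CN=Subnets,CN=Sites,$cfg" `
        -LDAPFilter '(objectClass=subnet)' -Properties siteObject |
    Where-Object { $_.Name -like '*:*' })
"IPv6 subnets in AD: $($subnets.Count)"
$subnets | Format-Table Name, siteObject -AutoSize

# 4. Certificates: run this part on the former DirectAccess server. It lists the
#    computer store so the IP-HTTPS and machine certificates can be identified
#    by subject and serial number; revocation itself is done on the issuing CA.
Get-ChildItem Cert:\LocalMachine\My |
    Format-Table Subject, SerialNumber, NotAfter, Thumbprint -AutoSize
```

Run it once before the cleanup to record what exists and again afterwards to confirm nothing is left pointing at the old server.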

Now you can install UAG on the server that you had configured as the Windows DirectAccess server, or you can install UAG on a completely different server.

Let me know if you run into any issues with your migration from Windows DirectAccess to UAG DirectAccess. If this scenario is popular enough, I’ll put together a Test Lab Guide that demonstrates the process!

(Thanks to Yaniv Naor for the heads up on this)

(Thanks to Pat Telford for the information included in the update)

HTH,

Tom

Tom Shinder
tomsh@microsoft.com
Microsoft DAIP iX/SCD iX
UAG Direct Access/Anywhere Access Group (AAG)
The “Edge Man” blog (DA all the time):
https://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter: https://twitter.com/tshinder
Facebook: https://www.facebook.com/tshinder

Comments

  • Anonymous
    October 05, 2010
    ...and if you went far enough along in your Windows DirectAccess deployment that you set up Active Directory subnets corresponding to your previous ISATAP prefix, you should probably remove those IPv6 subnets from AD in the name of tidiness. If you are not going to re-use them, you might want to revoke the certificates on the server you used for IP-HTTPS and IPsec too.