Friday, January 13, 2017

Microsoft Direct Access Failed After Migration, V2V,P2V or changing nic adapter

To make long story short.
This happense because the Network Adapter (NIC) GUID in the GPO is not exist in the server.
Backup the DirectAccess Server GPO.
Edit the registry.pol (using 3rd party software)
Import it again to the server.
Enjoy your weekend

Full Story.
You are using MS DA (Microsoft Direct Access) and users are happy (as well as you hopefully).
But in some cases were you have to perform V2V or P2V or what ever kind of migration from one server to another, or from one hypervisor to anohter.
After the a successful VM migration, you start with the hypervisor tools install/upgrade.
Add the IP address to the nics and the server seems to be OK.
But DA failed and client are stucked in Connecting... state. 

So whats going on.
- DA Store its configuration as a GPO and link it with the top level domain, and use Security Filter to apply the settings to the DA Server.
All DA settings are stored in the GPO and so the IP Addresses and GUID for the network interface used.
As new drivers are presented to the server DA Server, a new Network Drivers are also presented with new GUID, which simply dont match the one in the GPO.
The Server will try to apply the GPO setting and will find a mismatch and will failed to apply the policy.
So if you open DA console > Operations Status

Click on DirectAccess and VPN

Click on Remote Access Server
You may find the configuration mismatching with the correct configuration and also you cannot change any option, its all grayed out.

Continuing the wizard and trying to apply the policy will failed.

How to Fix
As I mention earlier, the Network GUID stored in the GPO are for the old NIC which are no longer exist.
Open the DA GPO > Settings > Policies > Administrative Templates > Extra Registry Settings.
and write down the following 

This is the GUID for the old NIC and we need to update these value with GUID for the new NIC 
To Get the Current GUID that are assigned with each network interface, use the following powershell command

Get-WmiObject -Query "select * from win32_networkadapter" | select GUID,NetConnectionID | where {$_.GUID -notlike $null} | ft -AutoSize

The return result are something like:
GUID                                   NetConnectionID
----                                           ---------------
{3DD2D838-35A2-4E05-8A4A-364F8801FCA5} External (The External Interface)
{5D946A6A-63A5-4FFA-951D-A7421EA2068D} Internal (The Internal Interface)

These GUID should be updated in the GPO, and as I did not find a way to directly edit (Extra Registry Settings), I backup DA GPO, and save it some where.
To update these value we need to download and install the following application Registry Workshop
Run the application and open the location you stored the backup GUID\ Domainsysvol\GPO\Machine\Registry.pol
Expand the tree to the following directory

double click on InternalInterface and replace it with the new GUID you get from the powershell script, and same for the InternetInterface, save the file and close the application.
make sure that the replication is finished.
Run Gpupdate /force /target:computer
Open again Remote Access Management (DA Console) > DirectAccess and VPN > Remote Access Server and you will see the configuration are now correct
Click next and update with the correct values

happy working Direct Access
You may get a DNS Warning, just simple remove the DNS Servers from the Infrastructure Server and re-add them.

1 comment:

Anonymous said...

What's up, of course this paragraph is in fact nice and I have learned lot
of things from it on the topic of blogging.