“DirectAccess server GPO settings cannot be retrieved” received from Remote Access Management Console

Here is the scenario:  You logon to your shiny new DirectAccess server, launch the Remote Access Management Console and click CONFIGURATION from the action pane.  A few seconds later you are greeted by the following message

 

DirectAccess server GPO settings cannot be retrieved.  Ensure you have edit permissions for the GPO.
GPO Remote Access Error

 

You frantically review your group policies and find that the DirectAccess Server Settings policy is available and applied to your DirectAccess server.

What the? (head banging start here)

The Root Problem
The message is misleading.  The real problem is the DirectAccess Client Settings policy!

What is really happening (probably)
If you have an Organizational Unit (OU) based active directory system, you have probably moved the DirectAccess Client Settings policy to the appropriate OUs so the appropriate workstations and laptops receive the policy.
I.E. something like this (where the policy applies to the HQ/Remote OU):
OU Layout

 

In doing so, you very likely removed the security filtering group the policy was associated to. 
It turns out this is a very bad thing in the world of DirectAccess.  The DirectAccess Client Settings policy must be available to the DirectAccess server… but should never be applied to the DirectAccess server .  In short, DirectAccess computers can only be identified via security filtering and *not* by assigning the policy directly to OUs.

UGH!

So, how do I fix this?

  1. Link the DirectAccess Client Settings policy to the top level of active directory OUs and not to individual OUs
    GPO OU Setting
  2. Filter where the DirectAccess Client Settings policy gets applied via a security group.
    (Remember, you don’t want to apply this policy to your DirectAccess server… or any other servers for that mater!)
    GPO Filtering

3 thoughts on ““DirectAccess server GPO settings cannot be retrieved” received from Remote Access Management Console

  1. Jordan Krause

    Hey, great to see others spreading the word on DirectAccess! I just wanted to let you know that you don’t necessarily have to link your GPOs to the top level of the domain. If you let the DirectAccess wizards handle the creation, linking and filtering of your GPOs (which makes things nice and easy for the Admin) – then yes, they will be linked to the top of the domain and you should not change them. But a lot of companies don’t like them being linked there, even if they are security filtered, and so you can absolutely make use of your own GPOs and link them wherever you want. If you do this, you are then responsible for creating the GPOs, linking them yourself, and filtering them yourself, and the DA wizard will simply populate those GPOs with information. Once created, all you have to do on the DA side is specify your own GPO names after you click the “Finish” button when you are finishing up the DA wizards. Thanks!

  2. ArmgaSys Post author

    Jordan,

    We agree, you can place the GPOs anywhere you want (with our without security filtering)… but only if you are willing to forgo having the ability to change the configuration via the DirectAccess management console. I.E. you must then manage your DirectAccess GPOs manually (no more wizards).

  3. Diego Rios

    I had to add the user I created for monitoring Direct Access to the GPO DirectAccess Client Settings and the DirectAccess Server Settings, after that I restarted the SCOM service on Direct Access, and started to monitoring fine.

    Greetings.,

    Diego RIos.

Leave a Reply

Your email address will not be published. Required fields are marked *