2 DA access server in 1 domain

Forum: [Forefront Unified Access Gateway 2010] >> DirectAccess


salb -> 2 DA access server in 1 domain (16.Mar.2011 12:35:03 PM)


Here is my scenario.  I have 1 domain, but we have 2 global headquarters, 1 in the US and 1 in the UK.  The problem is we want a DA server in both locations, not clustered, but want the US employees to connect to the US DA server and the UK employees to connect to the UK DA server.  With what I have read so far I cannot see how this can be done, as I would need to create 2 DNS entries, 1 for ISATAP and 1 for NLS, but they can only point to 1 location.  Also, when DA is implemented it creates the GP on the default domain policy, which is shared between the sites just like DNS.  The US and UK sites are connected via an ISA 2006 VPN, so we can get to each other.

What can I do to resolve this issue?

Gabe E -> RE: 2 DA access server in 1 domain (22.Mar.2011 12:26:02 AM)

With UAG SP1, you have the flexibility to use pre-created GPOs. If your OUs are designed based on location, you can have a US DA GPO targeting the US OU and a UK DA GPO targeting the UK OU. This is doable with SP1.


salb -> RE: 2 DA access server in 1 domain (22.Mar.2011 8:57:02 AM)

Gabe, thanks for the reply.  I understand the separate GPOs, but what about the DNS entries for ISATAP and NLS?  Since the ISATAP entry has to point at the UAG server and there can only be 1 entry, how do I resolve this?  Keep in mind we have 1 domain and 1 forest for the company, such as contoso.com, and not us.contoso.com and uk.contoso.com.

Gabe E -> RE: 2 DA access server in 1 domain (22.Mar.2011 11:11:58 PM)

NLS is not an issue. You can either use the same highly available site for NLS (if both locations route to each other) OR you can use separate highly available sites for each location with a different NLS DNS entry.

ISATAP is trickier and has more to do with manage-out capabilities. But if you read Tom's post at (http://blogs.technet.com/b/tomshinder/archive/2011/02/21/clearing-the-air-on-isatap.aspx), you can see there are workarounds using local hosts files for those few machines that need to have manage-out access.

I don't think it's a show stopper.
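The hosts-file workaround mentioned above, as an added example that is not part of the original thread or of Tom's post: a script for the few manage-out machines that picks the ISATAP router for the machine's own AD site and writes it to the local hosts file, so the two DA servers never compete for one domain-wide ISATAP record. The site names (US-HQ, UK-HQ), the DA servers' internal IPv4 addresses, the domain suffix contoso.com and the marker comment are all hypothetical placeholders.

```powershell
# Added example (not from the thread or from UAG). Run elevated on a manage-out host.
# Hypothetical mapping: AD site name -> internal IPv4 of that site's UAG DA server (ISATAP router).
$SiteToIsatapRouter = @{
    'US-HQ' = '10.1.0.10'   # hypothetical US DA server internal address
    'UK-HQ' = '10.2.0.10'   # hypothetical UK DA server internal address
}
$DnsSuffix = 'contoso.com'                                   # assumption from the thread
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Marker    = '# DA-manage-out'                               # hypothetical tag for lines we own

# Writing to the hosts file needs administrative rights; fail early rather than half-apply.
$principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# Netlogon caches the site the machine last located itself in.
$site = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction Stop).DynamicSiteName
if (-not $SiteToIsatapRouter.ContainsKey($site)) {
    # Refuse to guess: a wrong ISATAP router silently breaks manage-out for this host.
    throw "No ISATAP router is defined for AD site '$site'."
}
$router = $SiteToIsatapRouter[$site]

# Replace any earlier tagged entry, keep everything else in the hosts file untouched,
# and map both the short name and the FQDN that the ISATAP client may query.
$kept = Get-Content -Path $HostsPath | Where-Object { $_ -notlike "*$Marker*" }
$kept += "$router`tisatap.$DnsSuffix`tisatap`t$Marker"
Set-Content -Path $HostsPath -Value $kept -Encoding ASCII

# Drop cached lookups so the new entry is used on the next ISATAP router resolution,
# then show the router the ISATAP interface will use.
ipconfig /flushdns | Out-Null
netsh interface isatap show router
Write-Host "ISATAP router for site '$site' set to $router via $HostsPath"
```

Only machines that run this script (or receive the same hosts entry by other means) become ISATAP hosts, which is the point of the workaround: every other machine in the domain keeps failing the ISATAP lookup and stays IPv4-only. Keep the script in a per-site startup or configuration-management job so the entry follows the machine if it is moved between the US and UK sites; a stale entry pointing at the other region's DA server is the failure mode to watch for.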


Gabe E -> RE: 2 DA access server in 1 domain (23.Mar.2011 9:33:25 AM)

In my earlier reply, I neglected to mention that multi-site ISATAP configuration has been addressed by Tom at http://blogs.technet.com/b/tomshinder/archive/2011/02/08/why-you-need-an-external-isatap-router-for-a-multi-site-uag-directaccess-deployment.aspx

