How to Set Up Windows Server 2016 DirectAccess

DirectAccess is a seamless always-on VPN-like technology built into Windows Server 2016 that allows domain-joined Windows clients to connect to the corporate network automatically whenever they have internet access, without requiring users to manually initiate a VPN connection. Unlike traditional VPN, DirectAccess uses IPv6 and IPsec tunnels, making remote clients feel as though they are physically on the corporate LAN. This guide covers the complete deployment of DirectAccess on Windows Server 2016, including role installation, configuration wizard, and client verification.

Prerequisites

DirectAccess has specific infrastructure requirements. Your environment needs an Active Directory domain with at least Windows Server 2008 R2 domain functional level, a public IPv4 address (or two consecutive public IPs for full edge deployment), a valid SSL certificate for the network location server, and domain-joined Windows 10 Enterprise or Professional clients. The DirectAccess server must have two network adapters — one external and one internal.

Check current network adapter configuration before proceeding:

Get-NetAdapter | Select Name, InterfaceDescription, Status, MacAddress
Get-NetIPAddress | Where-Object { $_.AddressFamily -eq "IPv4" } | Select InterfaceAlias, IPAddress, PrefixLength
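The two commands above only list adapters and addresses; the following function, an added example that is not part of the original guide, turns the prerequisites paragraph into a pre-flight check run on the prospective DirectAccess server. The adapter names "External" and "Internal" are assumptions.

```powershell
# Added example, not part of the original guide: pre-flight check of the
# DirectAccess server prerequisites. Adapter names are assumptions.

function Test-PrivateIPv4 {
    # True for RFC 1918 and APIPA (169.254/16) addresses, i.e. not publicly routable.
    param([Parameter(Mandatory)][string]$Address)
    $o = $Address.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168) -or
           ($o[0] -eq 169 -and $o[1] -eq 254)
}

function Test-DAPrerequisites {
    param(
        [string]$ExternalAdapterName = "External",
        [string]$InternalAdapterName = "Internal"
    )
    $r = [ordered]@{}

    # Domain membership: DirectAccess only works on a domain-joined server.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $r["DomainJoined"] = [bool]$cs.PartOfDomain
    $r["Domain"]       = $cs.Domain

    # Two adapters, both up, with the expected names.
    $up  = Get-NetAdapter | Where-Object { $_.Status -eq "Up" }
    $ext = $up | Where-Object { $_.Name -eq $ExternalAdapterName }
    $int = $up | Where-Object { $_.Name -eq $InternalAdapterName }
    $r["ExternalAdapterUp"] = $null -ne $ext
    $r["InternalAdapterUp"] = $null -ne $int

    # The external adapter must carry a public IPv4 address (edge deployment).
    $public = @()
    if ($ext) {
        $public = @(Get-NetIPAddress -InterfaceIndex $ext.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
                    Where-Object { -not (Test-PrivateIPv4 $_.IPAddress) })
    }
    $r["ExternalPublicIPv4"]    = ($public | ForEach-Object { $_.IPAddress }) -join ", "
    $r["ExternalHasPublicIPv4"] = $public.Count -gt 0

    # A still-valid machine certificate with a private key, needed for IP-HTTPS and the NLS.
    $certs = @(Get-ChildItem Cert:\LocalMachine\My |
               Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) })
    $r["ValidMachineCerts"] = $certs.Count

    [pscustomobject]$r
}

Test-DAPrerequisites | Format-List
```

Any $false value or a zero certificate count should be resolved before running the wizard; the check does not cover the "two consecutive public IPs" requirement for Teredo, which still has to be confirmed with your ISP allocation.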

Step 1: Install the DirectAccess and VPN Role

Install the Remote Access role with DirectAccess-VPN and the required management tools:

Install-WindowsFeature -Name DirectAccess-VPN -IncludeAllSubFeature -IncludeManagementTools
Install-WindowsFeature -Name Routing -IncludeManagementTools

Verify the installation:

Get-WindowsFeature DirectAccess-VPN | Select Name, InstallState, DisplayName

Step 2: Configure DirectAccess Using the Getting Started Wizard

For a simplified deployment in a single-site environment with no existing PKI, use the Getting Started Wizard. Launch the Remote Access Management console and click “Run the Getting Started Wizard”. For scripted deployment, use PowerShell:

Install-RemoteAccess -VpnType DirectAccess -DAInstallType GettingStarted -ConnectToAddress "vpn.yourdomain.com"

The Getting Started Wizard uses self-signed certificates and the Kerberos proxy for client authentication, eliminating the need for a PKI during initial setup. This is suitable for lab or small business scenarios.

Step 3: Advanced Configuration — Define Client and Server Settings

For production deployments, use the full Remote Access Setup Wizard. Configure the DirectAccess server with specific client groups and server topology. First, create an Active Directory security group to contain DirectAccess client computers:

New-ADGroup -Name "DirectAccess-Clients" -GroupScope Global -GroupCategory Security -Path "OU=Groups,DC=corp,DC=local"
Add-ADGroupMember -Identity "DirectAccess-Clients" -Members (Get-ADComputer -Filter {OperatingSystem -like "*Windows 10*"} | Select -ExpandProperty SamAccountName)

Configure DirectAccess with the advanced setup, naming the external and internal adapters and the public address that clients connect to:

$ExternalAdapter = (Get-NetAdapter -Name "External").Name
$InternalAdapter = (Get-NetAdapter -Name "Internal").Name

# Pass the adapters to the installer; without -InternetInterface/-InternalInterface
# the variables above would go unused.
Install-RemoteAccess -VpnType DirectAccess `
    -DAInstallType FullInstall `
    -ConnectToAddress "da.yourdomain.com" `
    -InternetInterface $ExternalAdapter `
    -InternalInterface $InternalAdapter `
    -DeployNat:$false
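The AD group created at the start of this step is not attached to DirectAccess by Install-RemoteAccess itself. The following function, an added example rather than code from the original guide, attaches it with Add-DAClient and narrows the scope so the DA client GPO is not applied to every domain computer. The "domain\group" form follows the Add-DAClient documentation; the domain "corp.local" and the removal of "Domain Computers" are assumptions about your environment.

```powershell
# Added example, not part of the original guide: scope DirectAccess client
# settings to the dedicated AD group. Domain name and the groups to drop are assumptions.
function Set-DAClientScope {
    param(
        [string]$ClientGroup   = "corp.local\DirectAccess-Clients",
        [string[]]$BroadGroups = @("corp.local\Domain Computers")
    )

    $before = Get-DAClient

    # Attach the dedicated client group if it is not already listed.
    if ($before.SecurityGroupNameList -notcontains $ClientGroup) {
        Add-DAClient -SecurityGroupNameList $ClientGroup
    }

    # Remove broad groups so the DA client GPO is not applied to every domain computer.
    foreach ($g in $BroadGroups) {
        if ($before.SecurityGroupNameList -contains $g) {
            Remove-DAClient -SecurityGroupNameList $g
        }
    }

    # Apply DA client settings to mobile computers only (adds the laptop WMI filter).
    Set-DAClient -OnlyRemoteComputers Enabled

    $after = Get-DAClient
    [pscustomobject]@{
        SecurityGroups      = $after.SecurityGroupNameList -join ", "
        OnlyRemoteComputers = $after.OnlyRemoteComputers
        ForceTunnel         = $after.ForceTunnel
    }
}

Set-DAClientScope | Format-List
```

Keeping the client scope to one dedicated group means a machine only receives the DirectAccess GPO (and the IPsec policy that comes with it) when an administrator deliberately adds it, which is easier to audit than a filter on operating system version.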

Step 4: Configure Network Location Server

The Network Location Server (NLS) is a web server that DirectAccess clients probe to determine whether they are inside or outside the corporate network. If the NLS is reachable, clients know they are on the internal network and do not use DirectAccess. Configure the NLS URL:

Set-DAServer -NlsUrl "https://nls.corp.local/"

The NLS must use HTTPS with a certificate trusted by all domain clients. It should only be accessible from inside the corporate network — never from the internet.
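The following function, an added example that is not part of the original guide, reproduces the probe a client performs against the NLS and reports at which stage it fails. Run it from an internal client (it must succeed) and from an external network (it must fail at the DNS or TCP stage). The URL follows the guide; treating any non-200 response or untrusted certificate as "not inside" mirrors client behaviour, but the exact client logic is an assumption.

```powershell
# Added example, not part of the original guide: reproduce the NLS probe and
# explain why a client would consider itself inside or outside.
function Test-NlsProbe {
    param([string]$NlsUrl = "https://nls.corp.local/")

    $uri = [uri]$NlsUrl
    $result = [ordered]@{
        NlsHost      = $uri.Host
        DnsResolves  = $false
        TcpReachable = $false
        HttpsOk      = $false
        StatusCode   = $null
        Error        = $null
        Verdict      = "Outside (DirectAccess would be used)"
    }

    # 1. Name resolution. Outside the network this should fail: the NLS name
    #    must not exist in public DNS and is exempted from the DA NRPT.
    try {
        [void][System.Net.Dns]::GetHostAddresses($uri.Host)
        $result["DnsResolves"] = $true
    } catch {
        $result["Error"] = "DNS: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # 2. TCP 443 reachability.
    $tcp = Test-NetConnection -ComputerName $uri.Host -Port 443 -WarningAction SilentlyContinue
    $result["TcpReachable"] = $tcp.TcpTestSucceeded
    if (-not $tcp.TcpTestSucceeded) {
        $result["Error"] = "TCP 443 not reachable"
        return [pscustomobject]$result
    }

    # 3. HTTPS GET with normal certificate validation. An untrusted, expired or
    #    revoked certificate fails here, and the client then believes it is
    #    outside even on the LAN (symptom: DirectAccess tunnels on internal clients).
    try {
        $resp = Invoke-WebRequest -Uri $NlsUrl -UseBasicParsing -TimeoutSec 5
        $result["StatusCode"] = $resp.StatusCode
        if ($resp.StatusCode -eq 200) {
            $result["HttpsOk"] = $true
            $result["Verdict"] = "Inside (DirectAccess not used)"
        }
    } catch {
        $result["Error"] = "HTTPS: $($_.Exception.Message)"
    }

    [pscustomobject]$result
}

Test-NlsProbe | Format-List
```

Because clients also check the certificate's revocation information, the CRL distribution point of the NLS certificate must be reachable from inside the network as well; an HTTPS failure with a trusted issuer usually points there.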

Step 5: Configure DNS for DirectAccess

DirectAccess uses the Name Resolution Policy Table (NRPT) to direct DNS queries. Internal domain names are resolved using internal DNS servers, while other names go through external DNS. Review and configure the NRPT:

Get-DnsClientNrptPolicy
Add-DnsClientNrptRule -Namespace ".corp.local" -NameServers "10.0.0.1" -Comment "Internal domain" -DisplayName "Corp Internal"

View the current DirectAccess DNS configuration:

Get-DAClientDnsConfiguration

Step 6: Configure Group Policy for DirectAccess Clients

DirectAccess automatically creates Group Policy Objects (GPOs) during setup. Verify the GPOs were created and are linked correctly:

Get-GPO -All | Where-Object { $_.DisplayName -like "*DirectAccess*" } | Select DisplayName, GpoStatus, CreationTime

Force a Group Policy update on client machines to apply DirectAccess settings:

Invoke-GPUpdate -Computer "CLIENT01" -Force -RandomDelayInMinutes 0
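Verifying that the GPOs exist is only half of the check; the security filtering decides which computers actually receive them. The function below, an added example and not part of the original guide, lists the GpoApply trustees of each DirectAccess GPO and flags overly broad ones. Which trustees count as "broad" is an assumption you should adjust to your domain.

```powershell
# Added example, not part of the original guide: show who the DirectAccess
# GPOs apply to. The list of "broad" trustees is an assumption.
function Get-DAGpoApplyScope {
    param([string[]]$BroadTrustees = @("Authenticated Users", "Domain Computers"))

    $gpos = Get-GPO -All | Where-Object { $_.DisplayName -like "*DirectAccess*" }
    foreach ($gpo in $gpos) {
        # Only GpoApply permissions decide who receives the policy; GpoRead alone does not.
        $apply = @(Get-GPPermission -Name $gpo.DisplayName -All |
                   Where-Object { $_.Permission -eq "GpoApply" })
        $names = @($apply | ForEach-Object { $_.Trustee.Name })

        [pscustomobject]@{
            Gpo       = $gpo.DisplayName
            Status    = $gpo.GpoStatus
            AppliesTo = $names -join ", "
            TooBroad  = [bool]($names | Where-Object { $BroadTrustees -contains $_ })
        }
    }
}

Get-DAGpoApplyScope | Format-Table -AutoSize
```

The expected result is that the client GPO applies to the DirectAccess client group only and the server GPO to the DirectAccess server; a TooBroad value of True means IPsec and NRPT settings reach machines that were never meant to be DirectAccess clients.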

Step 7: Verify DirectAccess Status on the Server

After configuration, verify the DirectAccess server is operational:

Get-RemoteAccess
Get-DAServer
netsh advfirewall monitor show mmsa
Get-RemoteAccessConnectionStatistics

Check the operational status of all DirectAccess components:

Get-RemoteAccessHealth
Get-DAMultiSite

Step 8: Test DirectAccess from a Client

On a domain-joined Windows 10 client outside the corporate network, verify DirectAccess connectivity using the built-in client cmdlets and netsh:

Get-DAConnectionStatus
Get-NetIPHttpsState
netsh interface httpstunnel show interfaces

Check which transition technology is being used (6to4, Teredo, or IP-HTTPS):

netsh interface 6to4 show state
netsh interface teredo show state
Get-NetIPHttpsConfiguration
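The commands in Step 8 each show one piece of the picture. The function below, an added example that is not part of the original guide, gathers them into a single client-side report and also audits the effective NRPT from Step 5: the internal suffix must route to the DirectAccess DNS servers and the NLS name must be an exemption. The suffix ".corp.local" and NLS host "nls.corp.local" follow the guide; the property name State on Get-NetTeredoState and the expected shape of the wizard-generated NRPT are assumptions.

```powershell
# Added example, not part of the original guide: client-side DirectAccess
# diagnostics covering connection state, transition technology, IPsec SAs and
# the effective NRPT. Suffix and NLS host follow the guide.
function Get-DAClientDiagnostics {
    param(
        [string]$InternalSuffix = ".corp.local",
        [string]$NlsHost        = "nls.corp.local"
    )

    # Overall DirectAccess state as the client sees it (Status/Substatus).
    $da = Get-DAConnectionStatus

    # Transition technology state. IP-HTTPS (TCP 443) works behind almost any
    # NAT or firewall; Teredo needs outbound UDP 3544 and two public IPs on the server.
    $ipHttps = Get-NetIPHttpsState -ErrorAction SilentlyContinue
    $teredo  = Get-NetTeredoState  -ErrorAction SilentlyContinue
    $ipHttpsStatus = if ($ipHttps) { $ipHttps.InterfaceStatus } else { "n/a" }
    $teredoState   = if ($teredo)  { $teredo.State } else { "n/a" }   # property name assumed

    # IPsec main mode SAs to the DA server show that the tunnels are up.
    $mmSa = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue)

    # Effective NRPT audit (Step 5). If the NLS name were resolved through the
    # tunnel, a remote client could reach the NLS, conclude it is "inside" and
    # drop DirectAccess, so the NLS entry must have no DA DNS servers.
    $nrpt       = @(Get-DnsClientNrptPolicy -Effective -ErrorAction SilentlyContinue)
    $suffixRule = $nrpt | Where-Object { $_.Namespace -eq $InternalSuffix }
    $nlsRule    = $nrpt | Where-Object { $_.Namespace -eq $NlsHost }

    [pscustomobject]@{
        Status           = $da.Status
        Substatus        = $da.Substatus
        IPHttpsInterface = $ipHttpsStatus
        TeredoState      = $teredoState
        MainModeSACount  = $mmSa.Count
        InternalSuffixOk = ($null -ne $suffixRule) -and [bool]$suffixRule.DirectAccessDnsServers
        NlsExemptionOk   = ($null -ne $nlsRule) -and (-not $nlsRule.DirectAccessDnsServers)
    }
}

Get-DAClientDiagnostics | Format-List
```

A healthy remote client reports Status ConnectedRemotely, at least one main mode SA and both NRPT checks True; a client that shows the NRPT checks True but zero SAs is usually blocked on the transition technology, which is where the netsh commands above give the detail.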

Monitoring Active Connections

The Remote Access Management console provides a real-time dashboard of connected clients. Via PowerShell:

Get-RemoteAccessConnectionStatistics
# -ComputerName on this cmdlet is the Remote Access server, not the client; query by
# the client's computer account, which is the "user" of the machine tunnel.
Get-RemoteAccessUserActivity -UserName "corp\CLIENT01$"

DirectAccess transforms the remote access experience by eliminating the need for manual VPN connections while maintaining full domain management capabilities. Administrators can push policies, run software deployments, and manage remote machines as if they were on the LAN, making it a powerful tool for organizations with a mobile or remote workforce.