How to Configure DirectAccess on Windows Server 2012 R2

DirectAccess provides always-on, seamless remote access for domain-joined Windows clients without requiring user-initiated VPN connections. When a DirectAccess-configured client is outside the corporate network, it automatically establishes IPsec tunnels to the DirectAccess server over IPv6. Where the client only has IPv4 connectivity, the IPv6 traffic is carried by a transition technology, normally IP-HTTPS (IPv6 over HTTPS on TCP 443), or Teredo or 6to4 where they work; the confidentiality of the traffic comes from the IPsec tunnels, not from the transition technology. Users get transparent access to internal resources as if they were in the office. Unlike a traditional VPN, the first (infrastructure) tunnel is authenticated with the computer account and comes up before user logon, so Group Policy applies and IT can manage the device whenever it is online. This guide covers deploying DirectAccess on Windows Server 2012 R2 in the most common single-server configuration.

Prerequisites

DirectAccess requires specific infrastructure. The DirectAccess server must be domain-joined and run Windows Server 2012 R2 Standard or Datacenter. It can be deployed at the edge with two network interfaces (one on the internal network, one with a public IPv4 address) or behind a NAT device with one or two interfaces; behind NAT, IP-HTTPS is the only usable transition technology, so TCP 443 must be forwarded to the server. Clients must be domain-joined and run Windows 7 Enterprise or Ultimate, or Windows 8/8.1 Enterprise. A TLS server certificate is required for the IP-HTTPS listener; its subject or subject alternative name must match the public DNS name of the DirectAccess server, and its CRL must be reachable from the Internet. An internal PKI (AD CS) is required for computer certificate authentication, which is mandatory for Windows 7 clients, OTP, force tunneling, multisite and load-balanced deployments; for Windows 8 and later clients alone, Server 2012 R2 can instead use Kerberos proxy authentication, but computer certificates remain the stronger option. At least one domain controller must run Windows Server 2008 or later.

Planning the DirectAccess Deployment

Before installation, plan the key parameters:

# Infrastructure checklist:
# 1. Network topology: Edge (two NICs, public IP) or behind NAT (one NIC)
# 2. External DNS name: da.contoso.com (public DNS record)
# 3. SSL certificate for IP-HTTPS: CN=da.contoso.com
# 4. Network Location Server (NLS): Internal HTTPS URL used by clients to detect inside/outside
#    Recommended: https://directaccess-nls.contoso.com (on a highly available internal server)
# 5. Client security group: "DirectAccess Clients" in AD
# 6. IPv6 addressing: Server 2012 R2 handles this automatically with NAT64/DNS64

# Create the DirectAccess client security group in AD
Import-Module ActiveDirectory
New-ADGroup -Name "DirectAccess Clients" `
    -SamAccountName "DA-Clients" `
    -GroupScope Global `
    -GroupCategory Security `
    -Path "OU=Groups,DC=contoso,DC=com" `
    -Description "DirectAccess enabled client computers"

# Add client computers to the group. Computer SamAccountNames end in $,
# so use single quotes to keep PowerShell from treating it as a variable.
Add-ADGroupMember -Identity "DA-Clients" -Members 'Laptop01$','Laptop02$'

Installing the Remote Access Role

# Install the Remote Access role with the DirectAccess/VPN and Routing role services
Install-WindowsFeature RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools

# Verify installation
Get-WindowsFeature RemoteAccess, DirectAccess-VPN, Routing |
    Format-Table Name, InstallState

Obtaining the SSL Certificate for IP-HTTPS

The IP-HTTPS interface requires a TLS server certificate that the clients trust. Because every DirectAccess client is domain-joined, a certificate from the internal AD CS issuing CA is acceptable, provided the certificate's CRL distribution point is an HTTP URL that is reachable from the Internet: clients check revocation before the IP-HTTPS tunnel comes up, and an unreachable CRL fails the connection. A certificate from a commercial CA avoids the CRL publishing work. Use certreq with an INF file to request it on the DirectAccess server:

# Request a certificate for the public DA name. The INF is written with a
# single-quoted here-string so that "$Windows NT$" is not expanded by PowerShell.
$RequestDir = "C:\CertRequest"
New-Item -ItemType Directory -Path $RequestDir -Force | Out-Null

$RequestINF = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=da.contoso.com"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE             ; set FALSE unless the key must move to another node
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0               ; Digital Signature + Key Encipherment
HashAlgorithm = SHA256

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

[Extensions]
; Subject Alternative Name: TLS clients match the name against the SAN, not only the CN
2.5.29.17 = "{text}"
_continue_ = "dns=da.contoso.com&"
'@
$RequestINF | Out-File "$RequestDir\da-request.inf" -Encoding ASCII

# Generate the key pair and the CSR
certreq -new "$RequestDir\da-request.inf" "$RequestDir\da.csr"
# Submit da.csr to the CA, then install the issued certificate so it pairs with the key:
# certreq -accept "$RequestDir\da.cer"
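Before binding the certificate, it is worth checking the properties the IP-HTTPS listener and remote clients will actually depend on. The following is an added check, not part of the original guide; it assumes the public name da.contoso.com used above and that the issued certificate is already in the computer's Personal store. The error code named in the comments is the standard CRYPT_E_REVOCATION_OFFLINE HRESULT.

```powershell
# Added check (not from the original guide): validate the certificate intended for the
# IP-HTTPS listener. Assumes da.contoso.com and a certificate in Cert:\LocalMachine\My.
function Test-DAIpHttpsCertificate {
    param([string]$ConnectToAddress = 'da.contoso.com')

    # Newest certificate with a private key whose SAN/CN contains the public name
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $ConnectToAddress) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key for $ConnectToAddress in LocalMachine\My" }

    # Server Authentication EKU is mandatory for a TLS listener
    $hasServerAuth = [bool]($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' })

    # RSA key size read from the public key
    $keySize = $cert.PublicKey.Key.KeySize

    # CRL Distribution Points (OID 2.5.29.31). Clients validate revocation before IP-HTTPS
    # comes up, so at least one CDP must be an HTTP URL reachable from the Internet. An
    # LDAP-only CDP works inside the domain but fails for remote clients; the classic
    # symptom is IP-HTTPS error 0x80092013 (CRYPT_E_REVOCATION_OFFLINE).
    $cdpExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $cdpUrls = @()
    if ($cdpExt) {
        $cdpUrls = @([regex]::Matches($cdpExt.Format($true), 'URL=(http://\S+)') |
            ForEach-Object { $_.Groups[1].Value })
    }

    # Fetch each HTTP CDP. Run this from an Internet-connected machine as well as from the
    # DA server: the server's internal DNS view can hide a split-brain DNS problem.
    $cdpResults = foreach ($url in $cdpUrls) {
        try {
            $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
            [pscustomobject]@{ Url = $url; Reachable = ($resp.StatusCode -eq 200) }
        } catch {
            [pscustomobject]@{ Url = $url; Reachable = $false }
        }
    }
    $cdpOk = ($cdpUrls.Count -gt 0) -and -not ($cdpResults | Where-Object { -not $_.Reachable })
    $ok    = $hasServerAuth -and ($keySize -ge 2048) -and $cdpOk

    [pscustomobject]@{
        Subject         = $cert.Subject
        Thumbprint      = $cert.Thumbprint
        ServerAuthEKU   = $hasServerAuth
        KeySizeOk       = ($keySize -ge 2048)
        DaysUntilExpiry = ($cert.NotAfter - (Get-Date)).Days
        HttpCdpUrls     = ($cdpUrls -join ', ')
        CdpReachable    = $cdpOk
        Verdict         = @('FIX before binding', 'OK')[[int]$ok]
    }
}

Test-DAIpHttpsCertificate | Format-List
```

A Verdict of OK from inside the network is necessary but not sufficient; repeat the CDP fetch from a machine on the Internet, because an internally published CRL that is blocked at the firewall produces exactly the same certificate and a completely broken IP-HTTPS connection.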

Configuring DirectAccess with the Getting Started Wizard

The Remote Access Management Console (RaMgmtUI.exe, also under Server Manager > Tools > Remote Access Management) offers two wizards. The Getting Started Wizard is the quickest path, but it makes choices that are unsuitable for most production deployments: it uses Kerberos proxy instead of computer certificates, issues a self-signed IP-HTTPS certificate, and places the Network Location Server on the DirectAccess server itself. Prefer the full Remote Access Setup Wizard, which walks through four steps using the certificates, NLS and client group prepared above:

# Remote Access Management Console:
#   Server Manager > Tools > Remote Access Management
#   Configuration > "Run the Remote Access Setup Wizard"
#   Choose "Deploy DirectAccess only" unless client VPN is also needed
#   Step 1 (Remote Clients): select the DA-Clients group, "Enable DirectAccess for mobile computers only"
#   Step 2 (Remote Access Server): topology, external name da.contoso.com, IP-HTTPS certificate,
#          computer certificate authentication with the internal root CA
#   Step 3 (Infrastructure Servers): NLS URL, DNS suffixes, management servers
#   Step 4 (Application Servers): leave end-to-edge unless application-server authentication is required

# After the wizard completes, review the resulting server configuration
Get-DAServer | Format-List ConnectToAddress, InternetInterface, InternalInterface,
    InternalIPv6Prefix, ClientIPv6Prefix, UserAuthentication, ComputerCertAuthentication

For command-line deployment, use the RemoteAccess PowerShell module. The interface names, public name and group below are the values chosen in the planning step:

# Configure DirectAccess programmatically (run on the DirectAccess server)
Import-Module RemoteAccess

# Full DirectAccess install for the edge/two-NIC topology; add -DeployNat for a
# server that sits behind a NAT device. -Force suppresses the confirmation prompt.
Install-RemoteAccess -DAInstallType FullInstall `
    -InternetInterface "External" `
    -InternalInterface "Internal" `
    -ConnectToAddress "da.contoso.com" `
    -Force -PassThru

# Scope the client GPO to the planned security group only. Check what the install
# targeted first: applying DirectAccess client settings to Domain Computers pushes
# the NRPT and IPsec policy to every machine in the domain, servers included.
Get-DAClient | Format-List SecurityGroupNameList, GpoName, OnlyRemoteComputers
Add-DAClient -SecurityGroupNameList "contoso\DA-Clients"
# Remove-DAClient -SecurityGroupNameList "contoso\Domain Computers"   # if it was added by default

# Configure the Network Location Server URL
Set-DANetworkLocationServer -Url "https://directaccess-nls.contoso.com"

Configuring the Network Location Server

The Network Location Server (NLS) is an HTTPS website that DirectAccess clients probe to decide whether they are inside or outside the corporate network: if the NLS URL answers, the client is inside and its NRPT rules and DirectAccess IPsec policy are switched off. That makes the NLS a single point of failure for internal clients. If it is unreachable, every DirectAccess client on the LAN concludes it is remote, applies the NRPT and can no longer resolve internal names. Server 2012 R2 can host the NLS on the DirectAccess server (Set-DANetworkLocationServer -NlsOnDAServer), but in production put it on a highly available internal web server. The NLS name must resolve only on the internal DNS and must not be reachable from the Internet; its certificate must be trusted by the clients with a CRL reachable from inside the network. Only an HTTP 200 response over TLS is needed, no content is required.

# Install IIS on a separate internal server for NLS
Install-WindowsFeature Web-Server -IncludeManagementTools -ComputerName InternalServer01

# On that server, create an HTTPS site bound to a certificate whose subject or SAN
# matches the NLS URL, then confirm from a domain-joined client that it answers 200
Invoke-WebRequest -Uri "https://directaccess-nls.contoso.com" -UseBasicParsing -Method Head |
    Select-Object StatusCode

# Configure NLS on the DA server; the NLS name is also added to the NRPT as an exemption
Set-DANetworkLocationServer -Url "https://directaccess-nls.contoso.com"

# Verify NLS configuration
Get-DANetworkLocationServer
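The NLS site itself is a few lines of IIS configuration, and the two properties that matter (answers 200 over TLS internally, does not resolve externally) are easy to test. The block below is an added example, not code from the original guide. It assumes the NLS name directaccess-nls.contoso.com from this guide, a certificate for that name already enrolled into the IIS server's Personal store, and an arbitrary public resolver (1.1.1.1 is only a placeholder) for the external-resolution check.

```powershell
# Added example (not from the original guide): run on the internal IIS server that hosts
# the NLS. Assumes a certificate for $NlsName is already in Cert:\LocalMachine\My; an
# internal-CA certificate is fine because only domain members ever probe the NLS.
Import-Module WebAdministration

$NlsName  = 'directaccess-nls.contoso.com'
$SitePath = 'C:\inetpub\nls'

# Minimal static content: clients only need an HTTP 200 over TLS
New-Item -ItemType Directory -Path $SitePath -Force | Out-Null
Set-Content -Path (Join-Path $SitePath 'default.htm') -Value '<html><body>NLS</body></html>'

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $NlsName) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $NlsName in LocalMachine\My" }

# HTTPS-only site with a host header; deliberately no HTTP binding
if (-not (Get-Website -Name 'NLS' -ErrorAction SilentlyContinue)) {
    New-Website -Name 'NLS' -PhysicalPath $SitePath -Port 443 -Ssl -HostHeader $NlsName | Out-Null
}
(Get-WebBinding -Name 'NLS' -Protocol https).AddSslCertificate($cert.Thumbprint, 'my')

function Test-DANls {
    param(
        [string]$Name = $NlsName,
        [string]$PublicResolver = '1.1.1.1'   # placeholder: any resolver outside your network
    )
    # 1. Answers 200 over TLS with a certificate this machine trusts. A TLS trust or
    #    revocation failure throws, which is exactly what a client would experience.
    $inside = try {
        (Invoke-WebRequest -Uri "https://$Name" -UseBasicParsing -Method Head -TimeoutSec 10).StatusCode -eq 200
    } catch { $false }

    # 2. Must not resolve from the Internet. A client that can reach the NLS believes it is
    #    on the corporate network and turns DirectAccess off.
    $external = Resolve-DnsName -Name $Name -Server $PublicResolver -DnsOnly -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Name             = $Name
        Http200OverTls   = $inside
        ResolvesPublicly = [bool]$external
        Verdict          = if ($inside -and -not $external) { 'OK' } else { 'FIX' }
    }
}

Test-DANls | Format-List
```

The third property an NLS depends on, an NRPT exemption for its name so that the probe never travels through the tunnel, lives on the DirectAccess server and is checked there with Get-DAClientDnsConfiguration.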

Configuring Infrastructure Servers (DNS and Management)

DirectAccess clients reach infrastructure servers through the first tunnel (the infrastructure tunnel), which is authenticated with the computer account and is up before any user logs on. Configure which DNS suffixes are resolved through the tunnel and which management servers are reachable over it:

# Map internal DNS suffixes to internal DNS servers. DirectAccess publishes these as
# NRPT (Name Resolution Policy Table) rules: names under a listed suffix are sent to
# the listed servers through the tunnel, everything else goes to the client's local DNS.
# A suffix entry with no DNS server is an exemption: those names always use local DNS.
Add-DAClientDnsConfiguration -DnsSuffix ".contoso.com" `
    -DnsIPAddress "192.168.1.10","192.168.1.11"

# Management servers reachable through the infrastructure tunnel (SCCM, WSUS,
# antivirus update servers). Domain controllers are discovered automatically and
# should not be added by hand.
Add-DAMgmtServer -MgmtServer "192.168.1.20"

# View the Name Resolution Policy Table and the detected/added management servers
Get-DAClientDnsConfiguration | Format-Table DnsSuffix, DnsIPAddress
Get-DAMgmtServer -Type All
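Two NRPT entries must exist as exemptions or clients fail in confusing ways: the public DirectAccess name (otherwise a remote client tries to resolve da.contoso.com through the tunnel it has not built yet) and the NLS name (otherwise the inside/outside probe is sent to DNS64 and every internal client believes it is remote). The wizards add both, but they are easy to lose when suffixes are edited later. The audit below is an added example, not code from the original guide; it runs on the DirectAccess server, assumes the names used in this guide as defaults, and relies on the DnsSuffix and DnsIPAddress properties shown by Get-DAClientDnsConfiguration above.

```powershell
# Added example (not from the original guide): check that the DA public name and the NLS
# name are exempted from the NRPT the DA server pushes to clients. Default names are the
# ones used in this guide; pass your own.
function Test-DANrptExemptions {
    param(
        [string]$ConnectToAddress = 'da.contoso.com',
        [string]$NlsUrl           = 'https://directaccess-nls.contoso.com'
    )
    $entries = @(Get-DAClientDnsConfiguration)
    $nlsHost = ([uri]$NlsUrl).Host

    foreach ($name in @($ConnectToAddress, $nlsHost)) {
        $lname = $name.ToLower()

        # Suffix rules with DNS servers that would capture this name and send it through
        # the tunnel. For the DA public name that is a chicken-and-egg failure; for the
        # NLS name it breaks inside/outside detection.
        $covering = $entries | Where-Object {
            $_.DnsIPAddress -and $lname.EndsWith('.' + $_.DnsSuffix.TrimStart('.').ToLower())
        }
        # An exemption is an entry for the exact FQDN with no DNS server, meaning
        # "resolve this with the client's normal local DNS".
        $exempt = $entries | Where-Object {
            -not $_.DnsIPAddress -and $_.DnsSuffix.TrimStart('.').ToLower() -eq $lname
        }

        [pscustomobject]@{
            Name            = $name
            CoveredBySuffix = (($covering | ForEach-Object { $_.DnsSuffix }) -join ', ')
            HasExemption    = [bool]$exempt
            Verdict         = if ($covering -and -not $exempt) { 'FIX: add exemption' } else { 'OK' }
        }
    }
}

Test-DANrptExemptions | Format-Table -AutoSize

# Remediation: a suffix entry created without -DnsIPAddress is written as an exemption
# Add-DAClientDnsConfiguration -DnsSuffix "directaccess-nls.contoso.com"
```

The same logic applies to any other name that must be resolved outside the tunnel, such as a public CRL host that happens to live under the internal suffix; add it to the list passed to the function.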

Configuring OTP Authentication (Optional)

For higher assurance, require a second factor for the user tunnel with a RADIUS-based one-time-password server. OTP requires computer certificate authentication and an internal CA that issues short-lived logon certificates from a dedicated template; Windows 7 clients need the DirectAccess Connectivity Assistant to prompt for the code. Do not leave the RADIUS shared secret in a script or in the shell history:

# Enable OTP authentication (requires RSA SecurID or another RADIUS OTP server).
# Read the shared secret interactively instead of embedding it in the script.
$OtpSecret = Read-Host -Prompt "RADIUS shared secret"
Enable-DAOtpAuthentication -RadiusServer "otp-server.contoso.com" `
    -RadiusPort 1812 `
    -SharedSecret $OtpSecret `
    -UserSecurityGroupName "contoso\DA-OTP-Exempt" `
    -CAServer "ca.contoso.com\ContosoCA" `
    -CertificateTemplateName "DAOTPLogon"
# -UserSecurityGroupName names the group of users exempted from OTP (for example a
#  break-glass account); omit it to require OTP for everyone. -CAServer takes the
#  CA in "host\CA common name" form.

# Verify
Get-DAOtpAuthentication

Monitoring DirectAccess Connections

Monitor active DirectAccess client connections and the health of the server components:

# View currently connected DirectAccess and VPN clients
Get-RemoteAccessConnectionStatistics |
    Format-Table UserName, ClientExternalAddress, ClientIPAddress, ConnectionType, ConnectionDuration

# Aggregated totals (connection count, bytes in/out)
Get-RemoteAccessConnectionStatisticsSummary

# Health of each Remote Access component (IP-HTTPS, DNS64, NLS, IPsec, ...)
Get-RemoteAccessHealth | Format-Table Component, HealthState

# The Remote Access Management Console > Dashboard shows the same data in real time

Check client-side status on a DA client machine (Windows 8 or later; the cmdlets come from the NetworkConnectivityStatus and NetworkTransition modules):

# On the DA client machine
Get-DAConnectionStatus
# Expected when working from outside the network:
#   Status    : ConnectedRemotely
#   Substatus : NoSubstatus
# ConnectedLocally means the NLS answered and DirectAccess is intentionally inactive

# IP-HTTPS interface state and last error code
# (the same information as "netsh interface httpstunnel show interfaces")
Get-NetIPHttpsState

# Re-apply the DirectAccess client GPO if the NRPT or IPsec rules are missing
gpupdate /force

Verification

# Verify DirectAccess server configuration summary
Get-RemoteAccess | Format-List DAStatus, VpnStatus

# Verify the client is receiving the DA GPO settings (on the client machine)
gpresult /h C:\GPOReport.html /f
# Look for "DirectAccess Client Settings" under Applied GPOs, then confirm the NRPT
# rules it delivers are present on the client:
Get-DnsClientNrptPolicy

# Verify the IP-HTTPS listener is up on the server
Get-NetIPHttpsState
netsh interface httpstunnel show interfaces

# Verify IPsec tunnels are actually being established: with a remote client connected
# there should be main mode security associations to the client's IPv6 address
Get-NetIPsecMainModeSA | Format-Table LocalEndpoint, RemoteEndpoint, CipherAlgorithm
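When a client reports a problem, the individual checks above are usually run one at a time. The function below gathers them into a single object so that a user or helpdesk can paste one result; it is an added example, not code from the original guide. It assumes a Windows 8.1 client (Test-NetConnection is not present on Windows 8.0), an elevated PowerShell session outside the corporate network, the public name da.contoso.com from this guide, and the Status/Substatus property names shown by Get-DAConnectionStatus above.

```powershell
# Added example (not from the original guide): one-shot client-side DirectAccess
# diagnostics for a Windows 8.1 client. Run elevated, from outside the corporate network.
function Get-DAClientDiagnostics {
    param([string]$ConnectToAddress = 'da.contoso.com')   # public IP-HTTPS name

    $status = Get-DAConnectionStatus
    $nrpt   = @(Get-DnsClientNrptPolicy)                 # rules delivered by the DA client GPO
    $sas    = @(Get-NetIPsecMainModeSA)                  # main mode SAs to the DA server

    # Can the client even reach the IP-HTTPS listener? Rules out captive portals and
    # outbound 443 filtering before looking at certificates or IPsec.
    $tcp443 = (Test-NetConnection -ComputerName $ConnectToAddress -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded

    # Certificate-based tunnels need a computer certificate with the Client Authentication EKU
    $clientCert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2') } |
        Sort-Object NotAfter -Descending | Select-Object -First 1

    [pscustomobject]@{
        Status              = $status.Status             # ConnectedRemotely is the goal when remote
        Substatus           = $status.Substatus
        TcpToDaServer443    = $tcp443
        IpHttpsState        = (Get-NetIPHttpsState | Out-String).Trim()
        NrptRuleCount       = $nrpt.Count                # 0 means the DA client GPO has not applied
        IPsecMainModeSAs    = $sas.Count                 # expect at least 1 once the infrastructure tunnel is up
        ClientAuthCert      = if ($clientCert) { $clientCert.Subject } else { 'MISSING' }
        ClientAuthCertValid = [bool]($clientCert -and $clientCert.NotAfter -gt (Get-Date))
    }
}

Get-DAClientDiagnostics | Format-List
```

Read the result top down: no TCP 443 reachability is a network problem, a zero NRPT rule count is a Group Policy scoping problem, a missing or expired client authentication certificate is a PKI problem, and only when all three are fine is it worth looking at the IPsec and IP-HTTPS state on the server.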

Summary

DirectAccess on Windows Server 2012 R2 provides always-on, transparent remote connectivity for domain-joined Windows clients. The key components are: a domain-joined Remote Access server (at the edge with two network interfaces, or behind NAT), a TLS certificate for IP-HTTPS whose CRL is reachable from the Internet, a Network Location Server on a highly available internal web server whose name is exempted from the NRPT and not resolvable externally, an AD security group that scopes the client GPO to the intended computers, computer certificates from an internal CA for the IPsec tunnels, and NRPT entries that send internal suffixes to internal DNS servers. Once deployed, DirectAccess clients connect automatically when outside the corporate network, receive Group Policy and reach internal resources without user interaction. The security gain over a traditional VPN is that the device is always manageable and policy-enforced; the trade-off is that the DirectAccess server and the NLS become infrastructure that must be protected and monitored as carefully as a domain controller.