Workaround for the DirectAccess "The adapter configured as external-facing is connected to a domain" Problem

When configuring DirectAccess, the external interface of the DirectAccess server must not be able to contact a domain controller. If the external interface is able to contact a domain controller, the administrator will receive an error similar to the following:

The UAG DirectAccess configuration cannot be activated.
The adapter configured as external-facing is connected to a domain. This interface cannot be used with UAG DirectAccess.

This might happen if there is a domain controller on the same link as the external interface of the DirectAccess server, as is the case when a read-only domain controller sits in a DMZ segment. It might also happen if the external interface is not isolated from every segment through which it could reach a domain controller located behind the DirectAccess server.

However, in some circumstances that are not yet fully characterized, the external interface appears to have no direct access to any link behind the DirectAccess server, yet it can still establish a connection to a domain controller located behind the server. Until we can define the situation better and determine a root cause, you can use the following procedure to configure packet filtering on the DirectAccess server so that these communications are blocked:

To add packet filters to prevent access to domain controllers from the Internet interface

  1. On the DirectAccess server, click Start, click Run, type wf.msc, and then press ENTER.

  2. In the console tree, right-click Outbound Rules, and then click New Rule.

  3. On the Rule Type page, click Custom, and then click Next.

  4. On the Program page, click Next.

  5. On the Protocol and Ports page, click Next.

  6. On the Scope page, in Which local IP addresses does this rule apply to?, click These IP addresses, and then click Add. In IP Address, specify the Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) addresses of the Internet interface of the DirectAccess server, and then click OK.

  7. In Which remote IP addresses does this rule apply to?, click These IP addresses, and then click Add. In IP Address, specify the IPv4 or IPv6 addresses of the domain controllers that are reachable from the Internet interface of the DirectAccess server, and then click OK.

  8. Click Next.

  9. On the Action page, click Next.

  10. On the Profile page, clear Domain, and then click Next.

  11. On the Name page, specify a name for the rule, and then click Finish.
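The same outbound block rule, built from the wizard steps above, as an added PowerShell example. This is not code from the original page or from Microsoft; it assumes a Windows Server 2012 or later host where the NetSecurity cmdlets (`Get-NetIPAddress`, `New-NetFirewallRule`) are available, and the interface alias `External` and the domain controller addresses are constructed placeholder values that must be replaced with the server's own. On a Windows Server 2008 R2 / UAG host the equivalent `netsh advfirewall` command shown at the end of the block applies instead.

```powershell
# Added example (not part of the original page): create the outbound rule from the
# procedure above with PowerShell, then print its scope so it can be checked
# against steps 6, 7 and 10. Run from an elevated prompt on the DirectAccess server.
#Requires -RunAsAdministrator

param(
    # Hypothetical interface alias of the Internet-facing adapter; adjust to match the server.
    [string]   $ExternalInterfaceAlias = 'External',

    # Constructed sample values: the IPv4/IPv6 addresses of the domain controllers
    # that are reachable from the Internet interface (step 7).
    [string[]] $DomainControllerAddresses = @('192.0.2.10', '2001:db8::10'),

    [string]   $RuleName = 'DirectAccess - Block DC access from Internet interface'
)

# Step 6: collect the IPv4 and IPv6 addresses bound to the external interface.
# IPv6 link-local addresses are skipped; they are not routable past the local link.
$localAddresses = Get-NetIPAddress -InterfaceAlias $ExternalInterfaceAlias |
    Where-Object { $_.IPAddress -notlike 'fe80:*' } |
    Select-Object -ExpandProperty IPAddress

if (-not $localAddresses) {
    throw "No IP addresses found on interface '$ExternalInterfaceAlias'."
}

# Remove any earlier copy of the rule so the script can be re-run safely.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Steps 2-11 as a single cmdlet call:
#   outbound custom rule (steps 2-3), any program and any protocol/port are the
#   cmdlet defaults (steps 4-5), scoped to the external addresses and the DC
#   addresses (steps 6-7), Block action (step 9), Domain profile cleared so only
#   Private and Public remain (step 10), and the rule name (step 11).
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Outbound `
    -Action Block `
    -LocalAddress $localAddresses `
    -RemoteAddress $DomainControllerAddresses `
    -Profile Private, Public `
    -Enabled True | Out-Null

# Verification: show direction, action, profiles and the address scope that was applied.
$rule = Get-NetFirewallRule -DisplayName $RuleName
$rule | Format-List DisplayName, Direction, Action, Profile, Enabled
$rule | Get-NetFirewallAddressFilter | Format-List LocalAddress, RemoteAddress

# Equivalent on Windows Server 2008 R2 (UAG), which has no NetSecurity module:
#   netsh advfirewall firewall add rule name="<rule name>" dir=out action=block `
#       profile=private,public localip=<external IPv4,IPv6> remoteip=<DC IPv4,IPv6>
```

The rule is scoped by local address rather than by interface so that it follows step 6 literally; if the external adapter's addresses change, re-run the script so the scope is rebuilt. Clearing the Domain profile matters because the rule is meant to act only when the external adapter is classified as Private or Public, which is exactly the state DirectAccess requires of that adapter.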


For the original TechNet page listing this procedure, please see:

http://technet.microsoft.com/en-us/library/ee649272(WS.10).aspx