
I started a new company that is all remote. They have never had a true IT person, and I am coming to realize what a challenge full-remote is for things like GPOs, internal DNS, and basic management.

I set up DirectAccess and people are now at least getting GPOs, can actually update their passwords and authenticate against the domain.

But I cannot connect to them with my usual set of tools. They get an IPv6 address instead of an IPv4 address, which ping or nslookup don't like. Is there any way that I can give them an IPv4 address so their IP can be found in DNS and, no matter if they are on the VPN, the Internet, or (for the few) in the office, I can connect to them via the standard tools?

alexander7567
  • Why did you select DirectAccess? Microsoft recommended many years ago to use the Always On VPN. DirectAccess always was complicated and quirky, and now there is almost no public body of knowledge except for the few large customers that did implement it. The recommendation to not use DirectAccess is even baked into the Windows 10 UI. – Greg Askew Dec 16 '22 at 21:39
  • Why did you choose to create an on premises Active Directory domain for fully remote employees? Why not use a cloud based solution like Intune? – joeqwerty Dec 17 '22 at 02:52
  • @joeqwerty, we also have several Azure VMs that need to be on the domain. Also, the goal of the company is to not be locked into just Azure. I would assume Intune isn't meant to replace Active Directory for servers too, is it? I have personally never used it. – alexander7567 Dec 17 '22 at 22:24

1 Answer


Unfortunately, no. DirectAccess is IPv6-only. You could deploy IPv6 on your internal network, but that's not exactly trivial. :) Another option would be to leverage an IPv6 transition technology like ISATAP. That would allow you to selectively use IPv6 internally for hosts that require outbound management.

Another option is to move to a mobility solution that uses IPv4 such as Always On VPN or any number of third-party providers.
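Since the answer's point is that DirectAccess clients are only reachable over IPv6, the practical management question becomes "can my admin host resolve and reach them over IPv6 at all?" The script below is an added example written for this thread; it is not code from the answer or from the author. It assumes the clients register AAAA records in the AD-integrated DNS zone (a DirectAccess default, but verify it in your environment), uses constructed placeholder hostnames, and only reports the ISATAP state of the management host rather than changing it.

```powershell
# Added example (not from the Server Fault thread): check whether DirectAccess clients
# are reachable over IPv6 from a management host, and report that host's ISATAP state.
# The hostnames below are constructed placeholders; replace them with real client FQDNs.

$Clients = @('laptop01.corp.example', 'laptop02.corp.example')   # assumption: clients register AAAA records
$ManagementPorts = [ordered]@{ RDP = 3389; WinRM = 5985 }           # ports an admin typically needs

function Test-DaClientReachability {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [System.Collections.IDictionary]$Ports = $ManagementPorts
    )

    # DirectAccess clients publish an IPv6 (transition) address, so query AAAA explicitly
    # instead of relying on an A lookup, which comes back empty for these hosts.
    $aaaa = Resolve-DnsName -Name $ComputerName -Type AAAA -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'AAAA' }

    $row = [ordered]@{ Computer = $ComputerName; IPv6 = $null; Note = '' }
    foreach ($name in $Ports.Keys) { $row[$name] = $false }

    if (-not $aaaa) {
        $row.Note = 'no AAAA record'            # client never registered, or DNS scavenged it
        return [pscustomobject]$row
    }

    $row.IPv6 = $aaaa[0].IPAddress
    foreach ($name in $Ports.Keys) {
        # Test-NetConnection uses IPv6 when handed an IPv6 literal.
        $tnc = Test-NetConnection -ComputerName $row.IPv6 -Port $Ports[$name] -WarningAction SilentlyContinue
        $row[$name] = [bool]$tnc.TcpTestSucceeded
    }
    [pscustomobject]$row
}

# ISATAP is the transition technology the answer suggests for management hosts that need
# IPv6 reachability to clients. This only reports the state; enabling it
# (Set-NetIsatapConfiguration -State Enabled -Router <isatap-router>) is an infrastructure decision.
function Get-IsatapSummary {
    $cfg = Get-NetIsatapConfiguration
    [pscustomobject]@{
        State           = $cfg.State
        Router          = $cfg.Router
        ResolutionState = $cfg.ResolutionState
    }
}

Get-IsatapSummary | Format-List
$Clients | ForEach-Object { Test-DaClientReachability -ComputerName $_ } | Format-Table -AutoSize
```

Run this from the admin workstation (or the server you plan to manage from), not from the DirectAccess server. A client that resolves but fails both port checks usually means the management host itself has no IPv6 path to the DirectAccess client prefix, which is exactly the gap ISATAP or native IPv6 would close; a client with no AAAA record points at a DNS registration or scavenging problem instead.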

  • Thank you. That does answer my question. But a note about Always On VPN: I tried working out device tunnels and there seems to be a bug in Windows 11 for the last 7 months where the WMI command that installs device tunnels errors out. What would you recommend as the VPN server? RRAS seems like a horrible solution (and surprisingly not supported in Azure) and Cisco AnyConnect seems to be the only other real option, but it seems so convoluted for a company that has no Cisco equipment or experience. – alexander7567 Dec 17 '22 at 22:26
  • **(Typo) there seems to be a BUG in windows 11 for the last 7 month – alexander7567 Dec 18 '22 at 01:30
  • Indeed, the WMI bug has been a problem with Windows 11 for a while now. Microsoft has fixed this and will be releasing it in February 2023. As for the VPN server, RRAS is an excellent choice and is quite popular. You'll need additional firewalls to provide security, so think of RRAS as just a router. :) RRAS does work well in Azure, also. Just not formally supported. – Richard M. Hicks Dec 18 '22 at 23:49
  • Woah.. After talking with you, I went to Pluralsight and watched some VPN videos.. You don't happen to be Richard Hicks from Pluralsight, do you? :) If so, those videos answered a lot of my questions! But thanks for letting me know it's supposed to be fixed in Feb 2023! I hadn't seen a date. Does this also affect Intune, or just via PowerShell/WMI? – alexander7567 Dec 19 '22 at 14:07
  • That's me. :) The WMI issue seems to be affecting Intune as well. You can still deploy Always On VPN to Windows 11 using Intune, but it seems to cause a problem that results in Intune removing and replacing the profiles on each device sync. This is quite disruptive for users who are connected at the time, obviously. Initial testing indicates the fix for WMI also seems to correct this issue. – Richard M. Hicks Dec 20 '22 at 20:44