Score:1

Can I give DirectAccess clients IPv4 addresses instead of or along with IPv6?


I started a new company that is all remote. They have never had a true IT person, and I am coming to realize what a challenge full-remote is for things like GPOs, internal DNS, and basic management.

I set up DirectAccess and people are now at least getting GPOs, can actually update their passwords and authenticate against the domain.

But I cannot connect to them with my usual set of tools. They get an IPv6 address instead of an IPv4 address, which ping or nslookup don't like. Is there any way that I can give them an IPv4 address so their IP can be found in DNS and, no matter if they are on the VPN, Internet, or what few are in the office, I can connect to them via the standard tools?

Why did you select DirectAccess? Microsoft recommended many years ago to use the Always On VPN. DirectAccess always was complicated and quirky, and now there is almost no public body of knowledge except for the few large customers that did implement it. The recommendation to not use DirectAccess is even baked into the Windows 10 UI.
joeqwerty
Why did you choose to create an on-premises Active Directory domain for fully remote employees? Why not use a cloud-based solution like Intune?
alexander7567
@joeqwerty, we also have several Azure VMs that need to be on the domain. Also, the goal of the company is to not be locked into just Azure. I would assume Intune isn't meant to replace Active Directory for servers too, is it? I have personally never used it.
Score:2

Unfortunately, no. DirectAccess is IPv6-only. You deploy IPv6 on your internal network, but that's not exactly trivial. :) Another option would be to leverage an IPv6 transition technology like ISATAP. That would allow you to selectively use IPv6 internally for hosts that require outbound management.

Another option is to move to a mobility solution that uses IPv4 such as Always On VPN or any number of third-party providers.

alexander7567
Thank you. That does answer my question. But a note about Always On VPN... I tried working out device tunnels and there seems to be a big in Windows 11 for the last 7 months where the WMI command that installs device tunnels errors out. What would you recommend as the VPN server? RRAS seems like a horrible solution (and surprisingly not supported in Azure) and Cisco AnyConnect seems to be the only other real option, but it seems so convoluted for a company that has no Cisco equipment or experience.
alexander7567
**(Typo) there seems to be a BUG in Windows 11 for the last 7 months
Richard M. Hicks
Indeed, the WMI bug has been a problem with Windows 11 for a while now. Microsoft has fixed this and will be releasing it in February 2023. As for the VPN server, RRAS is an excellent choice and is quite popular. You'll need additional firewalls to provide security, so think of RRAS as just a router. :) RRAS does work well in Azure, also. Just not formally supported.
alexander7567
Woah... After talking with you, I went to Pluralsight and watched some VPN videos... You don't happen to be Richard Hicks from Pluralsight, do you? :) If so, those videos answered a lot of my questions! But thanks for letting me know it's supposed to be fixed in Feb 2023! I hadn't seen a date. Does this also affect Intune or just via PowerShell/WMI?
Richard M. Hicks
That's me. :) The WMI issue seems to be affecting Intune as well. You can still deploy Always On VPN to Windows 11 using Intune, but it seems to cause a problem that results in Intune removing and replacing the profiles on each device sync. This is quite disruptive for users who are connected at the time, obviously. Initial testing indicates the fix for WMI also seems to correct this issue too.