As explained earlier in our DirectAccess tutorial, this technology allows you to securely connect to your company's network from outside (Internet) and access its resources as if you were there.
In a previous article, we also talked about Microsoft's Windows To Go (WTG) technology, which allows you to create a portable Windows 8 environment on a special USB 3.0 key (it must be certified as compatible with Windows To Go).
Because Windows To Go is a Windows 8 Enterprise environment, and the Enterprise edition is required for DirectAccess clients, it is possible to use this environment as a DirectAccess client.
If you are using your Windows To Go workspace in your organization's network, simply join it to your domain and then add the WTG computer account to the previously created group of DirectAccess clients.
However, if you want to configure a Windows To Go workspace as a DirectAccess client without once connecting it to your organization's network (for example, over the Internet), then you will need to join it to the domain in offline mode (Offline Domain Join).
To join this Windows To Go workspace to the domain in offline mode and configure it as a DirectAccess client, you will need several pieces of information:
In the English version of Windows Server 2012/2012 R2, the group policy created for DirectAccess clients is called: DirectAccess Client Settings.
For the certificate template to use for client-server authentication, in our case it's called "ClientServerAuthentication".
Note that the name you need is the template name (so without spaces) and not the template display name.
Once you have all the necessary information, use the djoin command on the Active Directory server like this:
Djoin /provision /domain corp.informatiweb-tuto.net /machine win-to-go-pc /policynames "DirectAccess Client Settings" /certtemplate "ClientServerAuthentication" /savefile c:\WTG-blob.txt
Note: as stated by Microsoft, the policynames and certtemplate options are intended in particular for joining and configuring DirectAccess clients that have never contacted the company network beforehand.
Executing the above command will have created a computer account in the Active Directory.
However, for this client to be allowed to automatically connect to the corporate network via DirectAccess, you will need to add this computer account to the group that you authorized in DirectAccess.
In our case, this group is named "DAclients".
Now, to join your Windows To Go PC to your domain, you will need to transfer the generated blob file to the PC that is to be linked to the Active Directory.
As you can see, our Windows To Go PC is not connected to the network at this time.
To join it to the domain in offline mode, you will need to use the djoin command again like this:
Djoin /requestODJ /loadfile c:\WTG-blob.txt /windowspath %systemroot% /localos
Restart the computer as required by the djoin command.
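The two djoin steps above, with the group-membership step and a post-reboot check, as an added PowerShell example that is not part of the original article. It assumes the server part runs as a domain admin on a 2012/2012 R2 domain controller with the ActiveDirectory module, the client part runs as a local admin inside the Windows To Go workspace, and that the cmdlet Get-DAConnectionStatus (Windows 8 and later) is available on the client; the domain, machine, group, GPO and template names are the article's values.

```powershell
# Added example (not from the original article). Values below are the article's; change them
# for your environment. Assumes a domain admin session on the DC for the server part and a
# local admin session inside the Windows To Go workspace for the client part.

# --- Server side: provision the account, bind the DA GPO and cert template, add to DAclients ---
function New-DAOfflineJoinBlob {
    param(
        [string]$Domain   = 'corp.informatiweb-tuto.net',
        [string]$Machine  = 'win-to-go-pc',
        [string]$DAGroup  = 'DAclients',
        [string]$BlobPath = 'C:\WTG-blob.txt'
    )
    # /policynames and /certtemplate let a client that has never been on the LAN receive the
    # DirectAccess GPO and a client-authentication certificate on its first boot.
    djoin.exe /provision /domain $Domain /machine $Machine `
        /policynames 'DirectAccess Client Settings' /certtemplate 'ClientServerAuthentication' `
        /savefile $BlobPath
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

    # Without this step the account exists but is not authorized to use DirectAccess.
    Import-Module ActiveDirectory
    $computer = Get-ADComputer -Identity $Machine
    Add-ADGroupMember -Identity $DAGroup -Members $computer

    # Confirm the membership before handing the blob over.
    $isMember = (Get-ADGroupMember -Identity $DAGroup | Where-Object SID -eq $computer.SID) -ne $null
    if (-not $isMember) { throw "$Machine is not a member of $DAGroup" }
    Write-Host "Blob written to $BlobPath; $Machine is in $DAGroup. Copy the blob to the WTG workspace."
}

# --- Client side (inside the Windows To Go workspace, no network connection needed) ---
function Invoke-DAOfflineJoin {
    param([string]$BlobPath = 'C:\WTG-blob.txt')
    djoin.exe /requestODJ /loadfile $BlobPath /windowspath $env:SystemRoot /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed with exit code $LASTEXITCODE" }
    # The blob carries the machine account credentials: treat it as a secret and remove it once applied.
    Remove-Item $BlobPath -Force
    Restart-Computer -Confirm
}

# After the reboot, check the tunnel from the client before trying an intranet site.
function Test-DAConnection {
    # Expect 'ConnectedRemotely' when the workspace reaches the DA server from outside.
    (Get-DAConnectionStatus).Status
}
```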
When you restart, log on with a domain account.
If the connection to the DirectAccess server was established in the background by Windows, you will be able to connect with an Active Directory account.
If this is not the case, refer to the "Verify Windows client configuration" section of our DirectAccess tutorial.
Once you arrive on the desktop, click the network icon in the taskbar.
As you can see, our Windows To Go workspace is connected :
If you view the properties of the workspace connection, you will see that you are connected remotely.
Try to access a local site in your company's network.
If this client computer and the server are configured correctly, you can access your company's resources from the outside.
On the server, you will see that there is currently an active DirectAccess client.
Click the "Remote Client Status page" link.
As you can see, our Windows To Go PC is connected to the DirectAccess server with the "CORP\Administrateur" Active Directory account.
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2020 - © Lionel Eppe - All rights reserved.