Things NOT TO DO on DirectAccess, and what the consequences are if you do… ;)

When using DirectAccess, it is best practice to harden your DirectAccess server.
You can find the hardening recommendations via this link.

Watch out when disabling transition techniques

One of them is to disable transition techniques that you are not using, for example 6to4 tunneling and Teredo tunneling.

However, I found out that you should do this only on your clients, not on your DirectAccess servers. This is because it will raise errors in the event log on the DA servers about disabled transition technologies and will show an error in the remote dashboard.

It is OK to disable unused transition technologies via a separate group policy, but not by altering the DirectAccess Client policy that was created during the installation of DirectAccess. This is because your adjustments are overwritten whenever you change your DirectAccess configuration via the Remote Access snap-in on one of your DirectAccess servers.

In the figure below you can see an error on one of my DirectAccess servers. The error states that the retrieved configuration for server <server name> could not be applied. It suggests that the DirectAccess policy cannot be applied. In my case, the policy actually did apply, but not fully. So there is no problem with ACL rights or anything else on the GPO.

The problem lies in the fact that the DirectAccess GPO tried to do something with a transition technique, like 6to4 or Teredo tunneling. But it couldn't do that, because I had disabled it via another policy, which produced this error.

In the following TechNet article you can find all the configuration statuses that are available.
If you look at the table, you can find the one that describes my problem.


 Configuration for server [server name] retrieved from the domain controller cannot be applied.

The configuration in the GPO reached the server but is not successfully applied, and more than 15 minutes have passed since the configuration was changed.

This could happen in one of the following scenarios:
1. The configuration is currently in the process of being applied. This is shown as an error because it may have taken a long time to retrieve the configuration from the GPO. To verify whether this is the reason, use Task Scheduler and navigate to Microsoft\Windows\RemoteAccess to verify that RAConfigTask is currently running.
2. If RAConfigTask is not currently running, it may have failed to apply the configuration on the server. Check for errors in Event Viewer under the Remote Access server operations channel, which is located at \Applications and Services Logs\Microsoft\Windows\RemoteAccess-RemoteAccessServer. Check for errors in OPERATIONS STATUS in the Remote Access Management Console. For more information, see Monitor the operations status of the Remote Access server and its components.


Looking at the task sequence as the TechNet article suggested, it is important to notice that the return code (check the figure below) is 0. That means no error was found and everything is hunky-dory.
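
The checks walked through above, collected into one PowerShell function to run on the DirectAccess server. This is an added example, not code from the original post or the TechNet article. The function name `Get-DAConfigApplyStatus`, the 24-hour look-back and the event channel wildcard (derived from the Event Viewer path quoted above) are assumptions.

```powershell
# Added example: run in an elevated PowerShell session on the DirectAccess server.
function Get-DAConfigApplyStatus {
    param([int]$HoursBack = 24)   # look-back window for events (assumed default)

    # 1. Transition technologies as the server currently has them configured.
    #    A Disabled state here, set by a separate GPO, is the situation the post describes.
    $sixToFour = Get-Net6to4Configuration
    $teredo    = Get-NetTeredoConfiguration

    # 2. RAConfigTask: is it running right now, and what did the last run return?
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\RemoteAccess\' -TaskName 'RAConfigTask'
    $info = $task | Get-ScheduledTaskInfo

    # 3. Error events (Level 2) from the Remote Access server channels.
    #    The channel names are discovered with a wildcard rather than hard-coded (assumption).
    $since = (Get-Date).AddHours(-$HoursBack)
    $logs  = Get-WinEvent -ListLog 'Microsoft-Windows-RemoteAccess-RemoteAccessServer*' -ErrorAction SilentlyContinue
    $errors = foreach ($log in $logs) {
        Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; Level = 2; StartTime = $since } `
            -ErrorAction SilentlyContinue   # no matching events is not a failure
    }

    [pscustomobject]@{
        SixToFourState = $sixToFour.State
        TeredoType     = $teredo.Type
        TaskState      = $task.State           # 'Running' means the configuration is still being applied
        LastRunTime    = $info.LastRunTime
        LastTaskResult = $info.LastTaskResult  # 0 = the task itself reported success
        ErrorEvents    = @($errors)
    }
}

$status = Get-DAConfigApplyStatus
$status | Format-List SixToFourState, TeredoType, TaskState, LastRunTime, LastTaskResult
$status.ErrorEvents | Select-Object TimeCreated, Id, LogName, Message | Format-Table -Wrap
```

A `LastTaskResult` of 0 together with error events about transition technologies matches the case described here: the task ran, but part of the DirectAccess policy could not be applied.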