Step 1 Configure the Remote Access Infrastructure

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

Note: Windows Server 2012 combines DirectAccess and Routing and Remote Access Service (RRAS) into a single Remote Access role.

This topic describes how to configure the infrastructure that is required for an advanced Remote Access deployment using a single Remote Access server in a mixed IPv4 and IPv6 environment. Before beginning the deployment steps, ensure that you have completed the planning steps described in Step 1: Plan the Remote Access Infrastructure.

Task overview:

  • Configure server network settings: configure the server network settings on the Remote Access server.

  • Configure routing in the corporate network: configure routing in the corporate network to make sure traffic is appropriately routed.

  • Configure firewalls: configure additional firewalls, if required.

  • Configure CAs and certificates: configure a certification authority (CA), if required, and any other certificate templates required in the deployment.

  • Configure the DNS server: configure DNS settings for the Remote Access server.

  • Configure Active Directory: join client computers and the Remote Access server to the Active Directory domain.

  • Configure GPOs: configure Group Policy Objects (GPOs) for the deployment, if required.

  • Configure security groups: configure security groups that will contain DirectAccess client computers, and any other security groups that are required in the deployment.

  • Configure the network location server: configure the network location server, including installing the network location server website certificate.

Note

This topic includes sample Windows PowerShell cmdlets that you can use to automate some of the procedures described. For more information, see Using Cmdlets.

Configure server network settings

Depending on whether you place the Remote Access server at the edge or behind a Network Address Translation (NAT) device, a single-server deployment in an environment with IPv4 and IPv6 requires the following network interface address settings. All IP addresses are configured by using Change adapter settings in the Windows Network and Sharing Center.

Edge topology:

Requires the following:

  • Two Internet-facing consecutive public static IPv4 or IPv6 addresses.

    Note

    Two consecutive public IPv4 addresses are required for Teredo. If you are not using Teredo, you can configure a single public static IPv4 address.

  • A single internal static IPv4 or IPv6 address.

Behind a NAT device (two network adapters):

Requires a single internal network-facing static IPv4 or IPv6 address.

Behind a NAT device (one network adapter):

Requires a single static IPv4 or IPv6 address.

If the Remote Access server has two network adapters (one for the domain profile and the other for a public or private profile), but you are using a single network adapter topology, the recommendation is as follows:

  1. Ensure that the second network adapter is also classified in the domain profile.

  2. If the second network adapter cannot be configured for the domain profile for any reason, the DirectAccess IPsec policy must be manually scoped to all profiles by using the following Windows PowerShell commands:

    $gposession = Open-NetGPO -PolicyStore <Name of the server GPO>
    Set-NetIPsecRule -DisplayName <Name of the IPsec policy> -GPOSession $gposession -Profile Any
    Save-NetGPO -GPOSession $gposession

    The names of the IPsec policies to use in this command are DirectAccess-DaServerToInfra and DirectAccess-DaServerToCorp. The value for -PolicyStore is written as domain\GPO name (for example, corp.contoso.com\DirectAccess Server Settings).
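
The following script is an added example (it is not from the original page and not Microsoft's own code) that performs both recommendations above in one pass: it reports the firewall profile each connected adapter was classified into, and if any adapter is outside the domain profile it rescopes both DirectAccess server IPsec rules to all profiles in the server GPO and reads them back for verification. The domain name corp.contoso.com and the GPO name DirectAccess Server Settings are assumptions; substitute your own. Run it on a management computer with the NetSecurity module.

```powershell
# Added example, not part of the original page. Assumed values: domain and GPO name.
$Domain  = 'corp.contoso.com'                     # assumption
$GpoName = 'DirectAccess Server Settings'         # assumption: default wizard name
$Rules   = 'DirectAccess-DaServerToInfra', 'DirectAccess-DaServerToCorp'

function Get-AdapterProfileState {
    # One row per connected adapter with the firewall profile it was classified into.
    # Anything other than DomainAuthenticated means the DirectAccess IPsec rules
    # (scoped to the domain profile by default) will not apply on that adapter.
    Get-NetConnectionProfile |
        Select-Object InterfaceAlias, NetworkCategory, IPv4Connectivity, IPv6Connectivity
}

function Set-DaIpsecRuleScopeToAnyProfile {
    [CmdletBinding()]
    param([string]$PolicyStore, [string[]]$RuleNames)
    # Open the GPO once, change every listed rule, save once: each Save-NetGPO
    # bumps the GPO version, so batching keeps the change atomic for clients.
    $session = Open-NetGPO -PolicyStore $PolicyStore
    try {
        foreach ($name in $RuleNames) {
            $rule = Get-NetIPsecRule -DisplayName $name -GPOSession $session -ErrorAction Stop
            Write-Verbose ("{0}: profile before change = {1}" -f $name, $rule.Profile)
            Set-NetIPsecRule -DisplayName $name -GPOSession $session -Profile Any
        }
    }
    finally {
        Save-NetGPO -GPOSession $session
    }
}

$profiles = Get-AdapterProfileState
$profiles | Format-Table -AutoSize

$outside = $profiles | Where-Object { $_.NetworkCategory -ne 'DomainAuthenticated' }
if ($outside) {
    Write-Warning ("Adapter(s) outside the domain profile: {0}; scoping DirectAccess IPsec rules to Any." -f ($outside.InterfaceAlias -join ', '))
    Set-DaIpsecRuleScopeToAnyProfile -PolicyStore "$Domain\$GpoName" -RuleNames $Rules -Verbose
}

# Read the stored rules back: Profile must now show Any for both.
$check = Open-NetGPO -PolicyStore "$Domain\$GpoName"
Get-NetIPsecRule -GPOSession $check -DisplayName $Rules |
    Select-Object DisplayName, Profile, Enabled
```

If the rescoping step runs, allow for Group Policy refresh on the Remote Access server before testing client connections; the change is applied from the GPO, not to the live firewall store.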

Configure routing in the corporate network

Configure routing in the corporate network as follows:

  • When native IPv6 is deployed in the organization, add a route so that the routers on the internal network route IPv6 traffic back through the Remote Access server.

  • Manually configure the organization's IPv4 and IPv6 routes on the Remote Access server. Add a published route so that all traffic for the organization's (/48) IPv6 prefix is forwarded to the internal network. In addition, for IPv4 traffic, add explicit routes so that IPv4 traffic is forwarded to the internal network.
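
The following script is an added example (not from the original page) of the second bullet: it adds the published /48 IPv6 route and explicit IPv4 routes on the Remote Access server's internal adapter, asserts that IPv6 forwarding is enabled there, and lists the resulting routes. The adapter name Internal, the prefix 2001:db8:1::/48 with next hop fe80::1, and the IPv4 ranges 10.0.0.0/8 and 172.16.0.0/12 via 10.0.0.1 are assumptions. The first bullet (routes on the corporate routers themselves) is configured on those devices and is not covered here.

```powershell
# Added example, not part of the original page. All addresses and names are assumptions.
$InternalAlias = 'Internal'                                            # assumption
$Ipv6Routes    = @{ '2001:db8:1::/48' = 'fe80::1' }                    # assumption: org prefix -> internal router
$Ipv4Routes    = @{ '10.0.0.0/8' = '10.0.0.1'; '172.16.0.0/12' = '10.0.0.1' }   # assumption

function Add-DaOrganizationRoutes {
    [CmdletBinding()]
    param([string]$InterfaceAlias, [hashtable]$Ipv6, [hashtable]$Ipv4)

    # The server relays between the transition tunnels and the intranet, so forwarding
    # must be on for the internal interface. Remote Access setup enables it; assert anyway.
    $ifv6 = Get-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv6
    if ($ifv6.Forwarding -ne 'Enabled') {
        Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv6 -Forwarding Enabled
    }

    foreach ($prefix in $Ipv6.Keys) {
        if (-not (Get-NetRoute -DestinationPrefix $prefix -ErrorAction SilentlyContinue)) {
            # -Publish Yes advertises the prefix in the server's Router Advertisements,
            # which is what "published route" means in the text above.
            New-NetRoute -DestinationPrefix $prefix -InterfaceAlias $InterfaceAlias `
                -NextHop $Ipv6[$prefix] -Publish Yes | Out-Null
        }
    }

    foreach ($prefix in $Ipv4.Keys) {
        if (-not (Get-NetRoute -DestinationPrefix $prefix -ErrorAction SilentlyContinue)) {
            # Explicit IPv4 routes keep intranet-bound traffic off the Internet-facing default route.
            New-NetRoute -DestinationPrefix $prefix -InterfaceAlias $InterfaceAlias `
                -NextHop $Ipv4[$prefix] | Out-Null
        }
    }

    $wanted = @($Ipv6.Keys) + @($Ipv4.Keys)
    Get-NetRoute -InterfaceAlias $InterfaceAlias |
        Where-Object { $_.DestinationPrefix -in $wanted } |
        Select-Object DestinationPrefix, NextHop, Publish, RouteMetric
}

Add-DaOrganizationRoutes -InterfaceAlias $InternalAlias -Ipv6 $Ipv6Routes -Ipv4 $Ipv4Routes
```

A link-local next hop such as fe80::1 may need a zone index on multi-homed servers (for example fe80::1%12); check the interface index with Get-NetIPInterface if the route is rejected.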

Configure firewalls

Depending on the network settings you chose, when you use additional firewalls in your deployment, apply the following firewall exceptions for Remote Access traffic:

Remote Access server on the IPv4 Internet

Apply the following Internet-facing firewall exceptions for Remote Access traffic when the Remote Access server is on the IPv4 Internet:

  • Teredo traffic

    User Datagram Protocol (UDP) destination port 3544 inbound, and UDP source port 3544 outbound. Apply this exemption for both of the Internet-facing consecutive public IPv4 addresses on the Remote Access server.

  • 6to4 traffic

    IP Protocol 41 inbound and outbound. Apply this exemption for both of the Internet-facing consecutive public IPv4 addresses on the Remote Access server.

  • IP-HTTPS traffic

    Transmission Control Protocol (TCP) destination port 443 inbound, and TCP source port 443 outbound. When the Remote Access server has a single network adapter, and the network location server is on the Remote Access server, then TCP port 62000 is also required. Apply these exemptions only for the address to which the external name of the server resolves.

    Note

    This exemption is configured on the Remote Access server. All the other exemptions are configured on the edge firewall.

Remote Access server on the IPv6 Internet

Apply the following Internet-facing firewall exceptions for Remote Access traffic when the Remote Access server is on the IPv6 Internet:

  • IP Protocol 50 (IPsec Encapsulating Security Payload, ESP)

  • UDP destination port 500 inbound, and UDP source port 500 outbound (IKE)

  • Internet Control Message Protocol for IPv6 (ICMPv6) traffic inbound and outbound, for Teredo implementations only

Remote Access traffic

Apply the following internal network firewall exceptions for Remote Access traffic:

  • ISATAP: Protocol 41 inbound and outbound

  • TCP/UDP for all IPv4 or IPv6 traffic

  • ICMP for all IPv4 or IPv6 traffic
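
The following script is an added example (not from the original page) for the IPv4 Internet case: it creates host-firewall rules on the Remote Access server that mirror the Internet-facing exceptions listed above, bound to the public addresses only, then checks the transition technologies' state on the server and probes the IP-HTTPS listener from a client. The public addresses 203.0.113.10 and 203.0.113.11, the external name da.contoso.com and the single-adapter NLS-on-server layout (TCP 62000) are assumptions. The edge firewall still needs its own equivalent rules; this script does not configure it.

```powershell
# Added example, not part of the original page. Addresses and names are assumptions.
$PublicAddresses = '203.0.113.10', '203.0.113.11'   # assumption: two consecutive public IPv4 addresses
$ExternalName    = 'da.contoso.com'                 # assumption: IP-HTTPS ConnectTo name
$NlsOnServer     = $true                            # assumption: single adapter, NLS hosted on the server

function New-DaInternetExceptions {
    [CmdletBinding()]
    param([string[]]$Addresses, [string]$Fqdn, [switch]$IncludeNlsPort)
    $group = 'DirectAccess Internet exceptions'

    # Bind every rule to the public addresses so the same ports are not opened on the
    # internal side. Outbound (UDP source 3544, TCP source 443) is covered by the
    # default outbound-allow policy of Windows Firewall and needs no rule here.
    New-NetFirewallRule -DisplayName 'DA Teredo (UDP 3544 in)' -Group $group -Direction Inbound `
        -Protocol UDP -LocalPort 3544 -LocalAddress $Addresses -Action Allow -Profile Any | Out-Null
    New-NetFirewallRule -DisplayName 'DA 6to4 (IP protocol 41 in)' -Group $group -Direction Inbound `
        -Protocol 41 -LocalAddress $Addresses -Action Allow -Profile Any | Out-Null

    # IP-HTTPS (and the NLS port) only on the address the external name resolves to.
    $httpsAddress = (Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop).IPAddress | Select-Object -First 1
    if ($Addresses -notcontains $httpsAddress) {
        throw "$Fqdn resolves to $httpsAddress, which is not one of the server's public addresses"
    }
    New-NetFirewallRule -DisplayName 'DA IP-HTTPS (TCP 443 in)' -Group $group -Direction Inbound `
        -Protocol TCP -LocalPort 443 -LocalAddress $httpsAddress -Action Allow -Profile Any | Out-Null
    if ($IncludeNlsPort) {
        New-NetFirewallRule -DisplayName 'DA NLS on server (TCP 62000 in)' -Group $group -Direction Inbound `
            -Protocol TCP -LocalPort 62000 -LocalAddress $httpsAddress -Action Allow -Profile Any | Out-Null
    }
    Get-NetFirewallRule -Group $group | Select-Object DisplayName, Enabled, Direction, Action
}

function Get-DaTransitionState {
    # Server-side view: whether each transition technology is enabled and what state it reports.
    [pscustomobject]@{
        Teredo  = (Get-NetTeredoState).State
        SixToFour = (Get-Net6to4Configuration).State
        IpHttps = (Get-NetIPHttpsState).State
    }
}

function Test-DaIpHttpsListener {
    # Client-side view, run from a machine on the IPv4 Internet: is TCP 443 reachable?
    param([string]$Fqdn)
    $tcp = Test-NetConnection -ComputerName $Fqdn -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{ Target = $Fqdn; RemoteAddress = $tcp.RemoteAddress; IpHttpsTcpOpen = $tcp.TcpTestSucceeded }
}

New-DaInternetExceptions -Addresses $PublicAddresses -Fqdn $ExternalName -IncludeNlsPort:$NlsOnServer
Get-DaTransitionState
Test-DaIpHttpsListener -Fqdn $ExternalName
```

Run the first two functions on the Remote Access server and the last from an external client; a TcpTestSucceeded of False with the host rule present usually points at the edge firewall or NAT mapping rather than the server.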

Configure CAs and certificates

With Remote Access in Windows Server 2012, you can choose between using certificates for computer authentication or using built-in Kerberos authentication that uses user names and passwords. You must also configure an IP-HTTPS certificate on the Remote Access server. This section explains how to configure these certificates.

For information about setting up a public key infrastructure (PKI), see Active Directory Certificate Services.

Configure IPsec authentication

A certificate is required on the Remote Access server and all DirectAccess clients so that they can use IPsec authentication. The certificate must be issued by an internal certification authority (CA). Remote Access servers and DirectAccess clients must trust the CA that issues the root and intermediate certificates.

To configure IPsec authentication
  1. On the internal CA, decide if you will use the default computer certificate template, or if you will create a new certificate template as described in Creating Certificate Templates.

    Note

    If you create a new template, it must be configured for client authentication.

  2. Deploy the certificate template if required. For more information, see Deploying Certificate Templates.

  3. Configure the template for autoenrollment if required.

  4. Configure certificate autoenrollment if required. For more information, see Configure Certificate Autoenrollment.

Configure certificate templates

When you use an internal CA to issue certificates, you must configure certificate templates for the IP-HTTPS certificate and the network location server website certificate.

To configure a certificate template
  1. On the internal CA, create a certificate template as described in Creating Certificate Templates.

  2. Deploy the certificate template as described in Deploying Certificate Templates.

After you prepare your templates, you can use them to configure the certificates. See the following procedures for details:

Configure the IP-HTTPS certificate

Remote Access requires an IP-HTTPS certificate to authenticate IP-HTTPS connections to the Remote Access server. There are three certificate options for the IP-HTTPS certificate:

  • Public

    Supplied by a third party.

  • Private

    The certificate is based on the certificate template that you created in Configuring certificate templates. It requires a certificate revocation list (CRL) distribution point that is reachable from a publicly resolvable FQDN.

  • Self-signed

    This certificate requires a CRL distribution point that is reachable from a publicly resolvable FQDN.

    Note

    Self-signed certificates cannot be used in multisite deployments.

Make sure that the website certificate used for IP-HTTPS authentication meets the following requirements:

  • The certificate subject name should be the externally resolvable fully qualified domain name (FQDN) of the IP-HTTPS URL (the ConnectTo address) that is used only for the Remote Access server IP-HTTPS connections.

  • The common name of the certificate should match the name of the IP-HTTPS site.

  • In the subject field, specify the IPv4 address of the external-facing adapter of the Remote Access server or the FQDN of the IP-HTTPS URL.

  • For the Enhanced Key Usage field, use the Server Authentication object identifier (OID).

  • For the CRL Distribution Points field, specify a CRL distribution point that is accessible by DirectAccess clients that are connected to the Internet.

  • The IP-HTTPS certificate must have a private key.

  • The IP-HTTPS certificate must be imported directly into the personal store.

  • IP-HTTPS certificates can have wildcard characters in the name.

To install the IP-HTTPS certificate from an internal CA
  1. On the Remote Access server: On the Start screen, type mmc.exe, and then press ENTER.

  2. In the MMC console, on the File menu, click Add/Remove Snap-in.

  3. In the Add or Remove Snap-ins dialog box, click Certificates, click Add, click Computer account, click Next, click Local computer, click Finish, and then click OK.

  4. In the console tree of the Certificates snap-in, open Certificates (Local Computer)\Personal\Certificates.

  5. Right-click Certificates, point to All Tasks, click Request New Certificate, and then click Next twice.

  6. On the Request Certificates page, select the check box for the certificate template that you created in Configuring certificate templates, and if required, click More information is required to enroll for this certificate.

  7. In the Certificate Properties dialog box, on the Subject tab, in the Subject name area, in Type, select Common Name.

  8. In Value, specify the IPv4 address of the external-facing adapter of the Remote Access server, or the FQDN of the IP-HTTPS URL, and then click Add.

  9. In the Alternative name area, in Type, select DNS.

  10. In Value, specify the IPv4 address of the external-facing adapter of the Remote Access server, or the FQDN of the IP-HTTPS URL, and then click Add.

  11. On the General tab, in Friendly name, you can enter a name that will help you identify the certificate.

  12. On the Extensions tab, next to Extended Key Usage, click the arrow, and make sure that Server Authentication is in the Selected options list.

  13. Click OK, click Enroll, and then click Finish.

  14. In the details pane of the Certificates snap-in, verify that the new certificate was enrolled with the intended purpose of Server Authentication.
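
The following script is an added example (not from the original page and not Microsoft's own code) that covers two procedures in this section: enrolling the computer certificate for IPsec authentication (Configure IPsec authentication) and enrolling the IP-HTTPS certificate (the procedure above), both from the internal CA with the PKI module, followed by a check of each certificate against the requirements listed above (private key present, the right Enhanced Key Usage, a chain that validates including revocation, the ConnectTo name in the CN or SAN with wildcards allowed, and a CRL distribution point). The template names DirectAccessIPsec and DirectAccessIPHTTPS and the ConnectTo name da.contoso.com are assumptions; the IP-HTTPS template is assumed to allow the subject to be supplied in the request.

```powershell
# Added example, not part of the original page. Template names and the FQDN are assumptions.
$IpsecTemplate = 'DirectAccessIPsec'      # assumption: template with the Client Authentication EKU
$HttpsTemplate = 'DirectAccessIPHTTPS'    # assumption: template with the Server Authentication EKU
$ConnectToFqdn = 'da.contoso.com'         # assumption: externally resolvable IP-HTTPS name
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'      # id-kp-clientAuth
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'      # id-kp-serverAuth

function Request-DaCertificate {
    [CmdletBinding()]
    param([string]$Template, [string]$SubjectFqdn)
    # Enrolment writes straight into the machine Personal store, as the requirements demand.
    $params = @{ Template = $Template; CertStoreLocation = 'Cert:\LocalMachine\My' }
    if ($SubjectFqdn) { $params.SubjectName = "CN=$SubjectFqdn"; $params.DnsName = $SubjectFqdn }
    $result = Get-Certificate @params
    if ($result.Status -ne 'Issued') { throw "Enrolment for $Template returned status $($result.Status)" }
    $result.Certificate
}

function Test-DaCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$RequiredEkuOid,
        [string]$ExpectedDnsName,             # IP-HTTPS only
        [switch]$RequireCrlDistributionPoint  # IP-HTTPS only
    )
    $problems = @()
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }

    # EnhancedKeyUsageList is PowerShell's view of the EKU extension (2.5.29.37).
    if (@($Cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -notcontains $RequiredEkuOid) {
        $problems += "EKU $RequiredEkuOid missing"
    }

    # Verify() builds the chain against the machine trust stores with revocation checking,
    # so it fails for an untrusted issuer and for an unreachable CRL distribution point.
    if (-not $Cert.Verify()) { $problems += 'chain does not validate (untrusted issuer or revocation failure)' }

    if ($ExpectedDnsName) {
        $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san = if ($sanExt) { $sanExt.Format($false) } else { '' }
        # Wildcards are permitted in the name: "*.contoso.com" covers da.contoso.com.
        $cnOk  = ($cn -eq $ExpectedDnsName) -or ($cn.StartsWith('*.') -and ($ExpectedDnsName -like $cn))
        $sanOk = $san -match ('(^|[^A-Za-z0-9.-])' + [regex]::Escape($ExpectedDnsName) + '($|[^A-Za-z0-9.-])')
        if (-not ($cnOk -or $sanOk)) { $problems += "name does not match $ExpectedDnsName" }
    }

    if ($RequireCrlDistributionPoint -and -not ($Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' })) {
        $problems += 'no CRL distribution point (Internet clients cannot check revocation)'
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        Valid      = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

$ipsecCert = Request-DaCertificate -Template $IpsecTemplate
$httpsCert = Request-DaCertificate -Template $HttpsTemplate -SubjectFqdn $ConnectToFqdn

Test-DaCertificate -Cert $ipsecCert -RequiredEkuOid $ClientAuthOid
Test-DaCertificate -Cert $httpsCert -RequiredEkuOid $ServerAuthOid -ExpectedDnsName $ConnectToFqdn -RequireCrlDistributionPoint
```

Test-DaCertificate also works on a certificate you already hold (for example, a public IP-HTTPS certificate imported into Cert:\LocalMachine\My); pass it in with -Cert and skip the enrolment calls. Because Verify() performs a live revocation check, run it from a network position that can reach the CRL distribution point, which for the IP-HTTPS certificate means from the Internet side.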

Configure the DNS server

You must manually configure a DNS entry for the network location server website for the internal network in your deployment.

To add the network location server and web probe

  1. On the internal network DNS server: On the Start screen, type dnsmgmt.msc, and then press ENTER.

  2. In the left pane of the DNS Manager console, expand the forward lookup zone for your domain. Right-click the domain, and click New Host (A or AAAA).

  3. In the New Host dialog box, in the Name (uses parent domain name if blank) box, enter the DNS name for the network location server website (this is the name the DirectAccess clients use to connect to the network location server). In the IP address box, enter the IPv4 address of the network location server, click Add Host, and then click OK.

  4. In the New Host dialog box, in the Name (uses parent domain name if blank) box, enter the DNS name for the web probe (the name of the default web probe is directaccess-webprobehost). In the IP address box, enter the IPv4 address of the web probe, and then click Add Host.

  5. Repeat this process for directaccess-corpconnectivityhost and any manually created connectivity verifiers. In the DNS dialog box, click OK.

  6. Click Done.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

Add-DnsServerResourceRecordA -Name <network_location_server_name> -ZoneName <DNS_zone_name> -IPv4Address <network_location_server_IPv4_address>
Add-DnsServerResourceRecordAAAA -Name <network_location_server_name> -ZoneName <DNS_zone_name> -IPv6Address <network_location_server_IPv6_address>

You must also configure DNS entries for the following:

  • The IP-HTTPS server

    DirectAccess clients must be able to resolve the DNS name of the Remote Access server from the Internet.

  • CRL revocation checking

    DirectAccess uses certificate revocation checking for the IP-HTTPS connection between DirectAccess clients and the Remote Access server, and for the HTTPS-based connection between the DirectAccess client and the network location server. In both cases, DirectAccess clients must be able to resolve and access the CRL distribution point location.

  • ISATAP

    Intrasite Automatic Tunnel Addressing Protocol (ISATAP) encapsulates IPv6 packets in IPv4 headers to provide IPv6 connectivity to ISATAP hosts across an IPv4 intranet. It is not one of the transition technologies that DirectAccess clients use to reach the Remote Access server over the IPv4 Internet (6to4, Teredo and IP-HTTPS serve that purpose). In a non-native IPv6 network environment, the Remote Access server configures itself automatically as an ISATAP router. Resolution support for the ISATAP name is required. Note that the Windows DNS Server global query block list contains the name isatap by default and the server will not answer queries for it, even if the record exists, until isatap is removed from that list.
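
The following script is an added example (not from the original page) that creates the internal records from the procedure above with the DnsServer module, removes isatap from the global query block list so the ISATAP router name is answered, and checks that the network location server name resolves internally but not from a public resolver. The zone corp.contoso.com, the NLS host nls at 10.0.0.20, the web probe host at the Remote Access server's internal address 10.0.0.10, the corporate connectivity host at loopback (127.0.0.1 and ::1), the ISATAP router at 10.0.0.10 and the external resolver 1.1.1.1 are all assumptions; use the addresses the Remote Access wizard reports for your deployment.

```powershell
# Added example, not part of the original page. Zone, names, addresses and resolver are assumptions.
Import-Module DnsServer
$Zone = 'corp.contoso.com'                                   # assumption
$Records = @(
    @{ Name = 'nls';                               IPv4 = '10.0.0.20' }              # assumption: NLS host
    @{ Name = 'directaccess-webprobehost';         IPv4 = '10.0.0.10' }              # assumption: RA server internal IP
    @{ Name = 'directaccess-corpconnectivityhost'; IPv4 = '127.0.0.1'; IPv6 = '::1' } # assumption: loopback
    @{ Name = 'isatap';                            IPv4 = '10.0.0.10' }              # assumption: RA server is the ISATAP router
)
$ExternalResolver = '1.1.1.1'                                # assumption: any public resolver

function Add-DaDnsRecords {
    [CmdletBinding()]
    param([string]$ZoneName, [hashtable[]]$Entries)
    foreach ($e in $Entries) {
        # Idempotent: skip names that already have a record rather than duplicating them.
        $existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $e.Name -ErrorAction SilentlyContinue
        if ($existing) { continue }
        Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $e.Name -IPv4Address $e.IPv4
        if ($e.IPv6) { Add-DnsServerResourceRecordAAAA -ZoneName $ZoneName -Name $e.Name -IPv6Address $e.IPv6 }
    }
    Get-DnsServerResourceRecord -ZoneName $ZoneName | Where-Object { $_.HostName -in $Entries.Name } |
        Select-Object HostName, RecordType, @{ n = 'Data'; e = { $_.RecordData.IPv4Address, $_.RecordData.IPv6Address } }
}

function Enable-DaIsatapResolution {
    # Windows DNS Server refuses to answer for names on the global query block list
    # ("wpad" and "isatap" by default) even when the records exist. Remove isatap only;
    # wpad stays blocked because an attacker-controlled wpad record hijacks proxy settings.
    $gqbl = Get-DnsServerGlobalQueryBlockList
    if ($gqbl.Enable -and ($gqbl.List -contains 'isatap')) {
        Set-DnsServerGlobalQueryBlockList -List @($gqbl.List | Where-Object { $_ -ne 'isatap' })
    }
    (Get-DnsServerGlobalQueryBlockList).List
}

function Test-DaNameSplit {
    param([string]$ZoneName, [string]$NlsHost, [string]$PublicResolver)
    $fqdn = "$NlsHost.$ZoneName"
    $inside  = Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction SilentlyContinue
    $outside = Resolve-DnsName -Name $fqdn -Type A -DnsOnly -Server $PublicResolver -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name               = $fqdn
        ResolvesInternally = [bool]$inside    # must be True
        # Must be False: if a roaming client can resolve and reach the NLS name it concludes it is
        # on the intranet, disables the DirectAccess name resolution policy and never connects.
        ResolvesExternally = [bool]$outside
    }
}

Add-DaDnsRecords -ZoneName $Zone -Entries $Records
Enable-DaIsatapResolution
Test-DaNameSplit -ZoneName $Zone -NlsHost 'nls' -PublicResolver $ExternalResolver
```

Run the first two functions on the internal DNS server (or with -ComputerName added to each DnsServer cmdlet from a management host) and the third from a client on the internal network.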

Configure Active Directory

The Remote Access server and all DirectAccess client computers must be joined to an Active Directory domain. DirectAccess client computers must be members of one of the following domain types:

  • Domains that belong to the same forest as the Remote Access server.

  • Domains that belong to forests with a two-way trust with the Remote Access server forest.

  • Domains that have a two-way domain trust to the Remote Access server domain.
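
The following function is an added example (not from the original page) that applies the three membership rules above: it lists every domain in the Remote Access server's forest as eligible, then inspects each external trust and marks a target domain eligible only when the trust is two-way, distinguishing forest trusts from domain trusts. It assumes the ActiveDirectory module (RSAT) and is run from the Remote Access server's domain.

```powershell
# Added example, not part of the original page. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-DaClientDomainEligibility {
    [CmdletBinding()]
    param()
    $forest = Get-ADForest

    # Rule 1: every domain in the server's own forest qualifies without any trust.
    foreach ($d in $forest.Domains) {
        [pscustomobject]@{ Domain = $d; Eligible = $true; Reason = 'same forest' }
    }

    # Rules 2 and 3: external trusts must be two-way. Intra-forest (parent/child) trusts
    # are already covered above and are skipped so they do not appear twice.
    foreach ($t in (Get-ADTrust -Filter * | Where-Object { -not $_.IntraForest })) {
        $twoWay = ($t.Direction -eq 'BiDirectional')
        $reason = if (-not $twoWay)       { "one-way trust ($($t.Direction)); clients there cannot be DirectAccess clients" }
                  elseif ($t.ForestTransitive) { 'two-way forest trust' }
                  else                     { 'two-way domain trust' }
        [pscustomobject]@{ Domain = $t.Target; Eligible = $twoWay; Reason = $reason }
    }
}

Get-DaClientDomainEligibility | Sort-Object Eligible -Descending | Format-Table -AutoSize
```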

To join the Remote Access server to a domain

  1. In Server Manager, click Local Server. In the details pane, click the link next to Computer name.

  2. In the System Properties dialog box, click the Computer Name tab, and then click Change.

  3. In the Computer Name box, type the name of the computer if you are also changing the computer name when joining the server to the domain. Under Member of, click Domain, type the name of the domain to which you want to join the server (for example, corp.contoso.com), and then click OK.

  4. When you are prompted for a user name and password, enter the user name and password of a user with permissions to join computers to the domain, and then click OK.

  5. When you see a dialog box welcoming you to the domain, click OK.

  6. When you are prompted that you must restart the computer, click OK.

  7. In the System Properties dialog box, click Close.

  8. When you are prompted to restart the computer, click Restart Now.

To join client computers to the domain

  1. On the Start screen, type explorer.exe, and then press ENTER.

  2. Right-click the Computer icon, and then click Properties.

  3. On the System page, click Advanced system settings.

  4. In the System Properties dialog box, on the Computer Name tab, click Change.

  5. In the Computer name box, type the name of the computer if you are also changing the computer name when joining the client to the domain. Under Member of, click Domain, type the name of the domain to which you want to join the computer (for example, corp.contoso.com), and then click OK.

  6. When you are prompted for a user name and password, enter the user name and password of a user with permissions to join computers to the domain, and then click OK.

  7. When you see a dialog box welcoming you to the domain, click OK.

  8. When you are prompted that you must restart the computer, click OK.

  9. In the System Properties dialog box, click Close.

  10. Click Restart Now when prompted.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

Note

You must supply domain credentials after you enter the following command.

Add-Computer -DomainName <domain_name>
Restart-Computer

Configure GPOs

To deploy Remote Access, you require a minimum of two Group Policy Objects. One Group Policy Object contains settings for the Remote Access server, and one contains settings for DirectAccess client computers. When you configure Remote Access, the wizard automatically creates the required Group Policy Objects. However, if your organization enforces a naming convention, or you do not have the required permissions to create or edit Group Policy Objects, they must be created prior to configuring Remote Access.

To create Group Policy Objects, see Create and Edit a Group Policy Object.

An administrator can manually link the DirectAccess Group Policy Objects to an organizational unit (OU). Consider the following:

  1. Link the created GPOs to the respective OUs before you configure DirectAccess.

  2. When you configure DirectAccess, specify a security group for the client computers.

  3. The GPOs are configured automatically, regardless of whether the administrator has permissions to link the GPOs to the domain.

  4. If the GPOs are already linked to an OU, the links will not be removed, but they are not linked to the domain.

  5. For server GPOs, the OU must contain the server computer object; otherwise, the GPO will be linked to the root of the domain.

  6. If the OU has not been linked previously by running the DirectAccess Setup Wizard, after the configuration is complete, the administrator can link the DirectAccess GPOs to the required OUs, and remove the link to the domain.

    For more information, see Link a Group Policy Object.

Note

If a Group Policy Object was created manually, it is possible that the Group Policy Object will not be available during the DirectAccess configuration. The Group Policy Object may not have been replicated to the domain controller closest to the management computer. The administrator can wait for replication to complete or force the replication.
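
The following script is an added example (not from the original page) of pre-creating the two GPOs under a naming convention, linking each to its OU rather than to the domain root, forcing replication, and confirming that every domain controller already holds the new objects before the Remote Access Setup Wizard is run. The domain corp.contoso.com, the GPO names CORP-DA-ServerSettings and CORP-DA-ClientSettings, and the two OU distinguished names are assumptions. It requires the GroupPolicy and ActiveDirectory modules and the repadmin tool.

```powershell
# Added example, not part of the original page. Domain, GPO names and OU paths are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory
$Domain   = 'corp.contoso.com'                                              # assumption
$ServerOu = 'OU=DirectAccess Servers,DC=corp,DC=contoso,DC=com'             # assumption: contains the RA server object
$ClientOu = 'OU=DirectAccess Clients,DC=corp,DC=contoso,DC=com'             # assumption
$GpoNames = @{ Server = 'CORP-DA-ServerSettings'; Client = 'CORP-DA-ClientSettings' }   # assumption

function New-DaGpoLinked {
    [CmdletBinding()]
    param([string]$Name, [string]$TargetOu)
    $gpo = Get-GPO -Name $Name -Domain $Domain -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Domain $Domain }
    # Link to the OU, not the domain root, so only the intended computers process the
    # policy (for the server GPO the OU must contain the server's computer object).
    $links = (Get-GPInheritance -Target $TargetOu -Domain $Domain).GpoLinks
    if ($links.DisplayName -notcontains $Name) {
        New-GPLink -Name $Name -Target $TargetOu -Domain $Domain | Out-Null
    }
    $gpo
}

function Test-DaGpoReplicated {
    [CmdletBinding()]
    param([string]$Name)
    # The wizard reads GPOs from the DC nearest the management computer; ask every DC
    # in the domain whether it already has the object instead of trusting the one you created it on.
    Get-ADDomainController -Filter * | ForEach-Object {
        $found = Get-GPO -Name $Name -Domain $Domain -Server $_.HostName -ErrorAction SilentlyContinue
        [pscustomobject]@{ Gpo = $Name; DomainController = $_.HostName; Present = [bool]$found }
    }
}

$serverGpo = New-DaGpoLinked -Name $GpoNames.Server -TargetOu $ServerOu
$clientGpo = New-DaGpoLinked -Name $GpoNames.Client -TargetOu $ClientOu

# Force replication of the new GPO objects instead of waiting for the schedule
# (/A all partitions, /e all sites, /P push from this DC's view).
repadmin /syncall /AeP | Out-Null

$GpoNames.Values | ForEach-Object { Test-DaGpoReplicated -Name $_ } | Format-Table -AutoSize
```

Do not run the wizard until Present is True on every domain controller listed; a GPO that is missing on the DC the management computer uses is exactly the situation the note above describes.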

Configure security groups

The DirectAccess settings that are contained in the client computer Group Policy Object are applied only to computers that are members of the security groups that you specify when configuring Remote Access.

To create a security group for DirectAccess clients

  1. On the Start screen, type dsa.msc, and then press ENTER.

  2. In the Active Directory Users and Computers console, in the left pane, expand the domain that will contain the security group, right-click Users, point to New, and then click Group.

  3. In the New Object - Group dialog box, under Group name, enter the name for the security group.

  4. Under Group scope, click Global, and under Group type, click Security, and then click OK.

  5. Double-click the DirectAccess client computers security group, and in the Properties dialog box, click the Members tab.

  6. On the Members tab, click Add.

  7. In the Select Users, Contacts, Computers, or Service Accounts dialog box, select the client computers that you want to enable for DirectAccess, and then click OK.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

New-ADGroup -GroupScope Global -GroupCategory Security -Name <DirectAccess_clients_group_name>
Add-ADGroupMember -Identity <DirectAccess_clients_group_name> -Members <computer_name>$

Computer accounts are identified to Add-ADGroupMember by their sAMAccountName, which ends in a dollar sign (for example, CLIENT1$).

Configure the network location server

The network location server should be on a server with high availability, and it needs a valid Secure Sockets Layer (SSL) certificate that is trusted by the DirectAccess clients.

Note

If the network location server website is located on the Remote Access server, a website will be created automatically when you configure Remote Access and it is bound to the server certificate that you provide.

There are two certificate options for the network location server certificate:

  • Private

    Note

    The certificate is based on the certificate template that you created in Configuring certificate templates.

  • Self-signed

    Note

    Self-signed certificates cannot be used in multisite deployments.

Whether you use a private certificate or a self-signed certificate, they require the following:

  • A website certificate that is used for the network location server. The certificate subject should be the URL of the network location server.

  • A CRL distribution point that has high availability on the internal network.

To install the network location server certificate from an internal CA

  1. On the server that will host the network location server website: On the Start screen, type mmc.exe, and then press ENTER.

  2. In the MMC console, on the File menu, click Add/Remove Snap-in.

  3. In the Add or Remove Snap-ins dialog box, click Certificates, click Add, click Computer account, click Next, click Local computer, click Finish, and then click OK.

  4. In the console tree of the Certificates snap-in, open Certificates (Local Computer)\Personal\Certificates.

  5. Right-click Certificates, point to All Tasks, click Request New Certificate, and then click Next twice.

  6. On the Request Certificates page, select the check box for the certificate template that you created in Configuring certificate templates, and if required, click More information is required to enroll for this certificate.

  7. In the Certificate Properties dialog box, on the Subject tab, in the Subject name area, in Type, select Common Name.

  8. In Value, enter the FQDN of the network location server website, and then click Add.

  9. In the Alternative name area, in Type, select DNS.

  10. In Value, enter the FQDN of the network location server website, and then click Add.

  11. On the General tab, in Friendly name, you can enter a name that will help you identify the certificate.

  12. Click OK, click Enroll, and then click Finish.

  13. In the details pane of the Certificates snap-in, verify that the new certificate was enrolled with the intended purpose of Server Authentication.

To configure the network location server

  1. Set up a website on a high availability server. The website does not require any content, but when you test it, you might define a default page that provides a message when clients connect.

    This step is not required if the network location server website is hosted on the Remote Access server.

  2. Bind an HTTPS server certificate to the website. The common name of the certificate should match the name of the network location server site. Ensure that DirectAccess clients trust the issuing CA.

    This step is not required if the network location server website is hosted on the Remote Access server.

  3. Set up a CRL site that has high availability on the internal network.

    CRL distribution points can be accessed through:

    • Web servers that use an HTTP-based URL, such as: http://crl.corp.contoso.com/crld/corp-APP1-CA.crl. Publish the CRL over plain HTTP: an HTTPS URL for the CRL would itself require a revocation check to validate.

    • File servers that are accessed through a universal naming convention (UNC) path, such as \\crl.corp.contoso.com\crld\corp-APP1-CA.crl

    If the internal CRL distribution point is reachable only over IPv6, you must configure a Windows Firewall with Advanced Security connection security rule. This rule exempts traffic from the IPv6 address space of your intranet to the IPv6 addresses of your CRL distribution points from IPsec protection, so that the CRL needed to validate the IPsec certificates can be retrieved before IPsec is established.

  4. Ensure that DirectAccess clients on the internal network can resolve the name of the network location server, and that DirectAccess clients on the Internet cannot resolve the name.
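
The following script is an added example (not from the original page) for steps 1 to 3 when the network location server is on a separate IIS host: it creates the HTTPS-only site, binds the certificate enrolled in the procedure above, and then checks that the site answers over HTTPS with a certificate the client trusts and that the CRL distribution point named in that certificate is reachable over plain HTTP from the intranet. The name nls.corp.contoso.com, a certificate with subject CN=nls.corp.contoso.com already present in Cert:\LocalMachine\My, and the site root C:\inetpub\nls are assumptions. Skip the site creation when the NLS is hosted on the Remote Access server, where the wizard creates it.

```powershell
# Added example, not part of the original page. Name, certificate subject and site root are assumptions.
Import-Module WebAdministration
$NlsFqdn  = 'nls.corp.contoso.com'   # assumption
$SiteRoot = 'C:\inetpub\nls'         # assumption

function New-DaNlsSite {
    [CmdletBinding()]
    param([string]$Fqdn, [string]$Root)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject CN=$Fqdn and a private key in the machine store" }

    New-Item -ItemType Directory -Path $Root -Force | Out-Null
    # Content is optional; a marker page makes a manual browser test unambiguous.
    Set-Content -Path (Join-Path $Root 'default.htm') -Value "<html><body>Network location server: $Fqdn</body></html>"

    if (-not (Get-Website -Name 'NLS' -ErrorAction SilentlyContinue)) {
        # HTTPS only: a client decides "inside" on a successful TLS probe of this name,
        # so an http: binding adds nothing and is not an equivalent.
        New-Website -Name 'NLS' -PhysicalPath $Root -Port 443 -Ssl -HostHeader $Fqdn | Out-Null
    }
    (Get-WebBinding -Name 'NLS' -Protocol https).AddSslCertificate($cert.Thumbprint, 'My')
    $cert
}

function Test-DaNlsSite {
    [CmdletBinding()]
    param([string]$Fqdn, [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $httpsOk = $false
    try {
        # Fails on an untrusted issuer as well as on a connection error, which is the point:
        # clients apply the same trust check before believing they are on the intranet.
        $resp = Invoke-WebRequest -Uri "https://$Fqdn/" -UseBasicParsing -TimeoutSec 10
        $httpsOk = ($resp.StatusCode -eq 200)
    } catch { }

    # Pull the HTTP URL(s) out of the CRL Distribution Points extension (2.5.29.31) and fetch
    # each: a client that cannot download this CRL rejects the NLS certificate and treats
    # itself as outside the network.
    $cdp = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $crlUrls = @()
    if ($cdp) {
        $crlUrls = @([regex]::Matches($cdp.Format($false), 'URL=(http://[^\s,]+)') | ForEach-Object { $_.Groups[1].Value })
    }
    $crlResults = @($crlUrls | ForEach-Object {
        try { (Invoke-WebRequest -Uri $_ -UseBasicParsing -TimeoutSec 10).StatusCode -eq 200 } catch { $false }
    })

    [pscustomobject]@{
        Name             = $Fqdn
        AnswersOverHttps = $httpsOk
        CrlUrls          = ($crlUrls -join ', ')
        CrlReachable     = ($crlResults.Count -gt 0 -and ($crlResults -notcontains $false))
    }
}

$nlsCert = New-DaNlsSite -Fqdn $NlsFqdn -Root $SiteRoot
Test-DaNlsSite -Fqdn $NlsFqdn -Cert $nlsCert
```

Run Test-DaNlsSite again from an ordinary domain-joined client on the intranet; both AnswersOverHttps and CrlReachable must be True there, since that is the position from which DirectAccess clients make the inside/outside decision.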

See also