The mystery about the failing DirectAccess wizard

Some weeks ago, I visted a new customer to perform a deployment of a very simple Microsoft DirectAccess deployment. Everything seemed fine before I started the deployment. The PKI was in place and I though that it would only take a couple of hours to perform the deploy and do some testing. I was so wrong….. 🙁

I completed the DirectAccess configuration using the Remote Access Management console for Windows 2012 (MMC) and kicked off the deployment. The deployment keeps failing with the description:

“Security Group domain\SecurityGroup cannot be found”

“The operation failled. All of the specified security groups are invalid”

After a lot of troubleshooting, I found that the FRS didn’t replicated the newly created Group Policy. When the wizard got to the section where it should add the security Group with the computer objects, It couldn’t add the security group to the GPO. For that reason it seems to be performing a rollback. I just spend a lot of time on troubleshooting this issue, so I though I would share it my finding here.

The GPO may appear in the Group Policy Management console for a short time before it disappears again due to the rollback

Check the FRS:

http://support.microsoft.com/kb/272279

Another thing that might be causing this issue is possible name lookup issue.

Recovering from a deleted GPO

You will find a similar error description when some have deleted the GPO.

Remote Access Management will display the following error message: GPO <GPO name> cannot be found. To remove the configuration settings, take the following steps

Source: http://technet.microsoft.com/en-us/library/jj134148.aspx#bkmk_1_7_GPOs