Your network contains an Active Directory domain named contoso.com. The domain contains a Web server
named www.contoso.com. The Web server is available on the Internet.
You implement DirectAccess by using the default configuration.
You need to ensure that users never attempt to connect to www.contoso.com by using DirectAccess. The
solution must not prevent the users from using DirectAccess to access other resources in contoso.com.
Which settings should you configure in a Group Policy object (GPO)?
A. DirectAccess Client Experience Settings
B. DNS Client
C. Name Resolution Policy
D. Network Connections
Explanation:
For DirectAccess, the NRPT must be configured with the namespaces of your intranet with a leading dot (for
example, .internal.contoso.com or .corp.contoso.com). For a DirectAccess client, any name request that
matches one of these namespaces will be sent to the specified intranet Domain Name System (DNS) servers.
Include all intranet DNS namespaces that you want DirectAccess client computers to access.
There are no command line methods for configuring NRPT rules. You must use Group Policy settings. To
configure the NRPT through Group Policy, use the Group Policy add-in at Computer Configuration
\Policies\Windows Settings\Name Resolution Policy in the Group Policy object for DirectAccess clients. You can
create a new NRPT rule and edit or delete existing rules. For more information, see Configure the NRPT with
Group Policy.
I would go for Network Connections where you can config Force Tunneling.
http://blogs.technet.com/b/tomshinder/archive/2010/03/30/more-on-directaccess-split-tunneling-and-force-tunneling.aspx
“The solution must not prevent the users from using DirectAccess to access other resources in contoso.com”
Force Tunneling is an all or nothing solution; instead, you have to use Name Resolution Policies to force specific DNS servers with specific suffixes.
We are trying to understand what traffic is directed to DirectAccess servers and what is not.
DirectAccess clients are configured through GPOs. The configuration is automatically created through the DirectAccess setup process. In step 3 of the Remote Access wizard you include the DNS suffix that DirectAccess clients access before connecting to the internal network.
It isn't force tunneling, as all clients connect through the remote access server for Internet and internal.
But the specific Group Policy that holds the DA setting is DirectAccess Client Settings.
Massimo is spot on here. In step 3 of the DirectAccess setup, you can enter suffixes and DNS servers. DirectAccess client queries that match a suffix use the specified DNS server. Where no DNS server is given, the DNS settings on the client computer are used, which would effectively bypass the DirectAccess server.
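The rule matching described in the explanation and in the last comment, as an added example that is not part of the original page or any of the comments: a simplified Python model of NRPT lookup showing why an FQDN rule with no DNS server keeps www.contoso.com off the DirectAccess path while the .contoso.com suffix rule still covers everything else. The DNS server address is a constructed documentation value, the suffix-only rule set is an assumed default configuration, and the model covers only suffix and FQDN rules, with the FQDN rule taking precedence.

```python
from typing import NamedTuple


class NrptRule(NamedTuple):
    name: str                # ".contoso.com" is a suffix rule, "www.contoso.com" an FQDN rule
    dns_servers: tuple = ()  # empty tuple marks an exemption rule (no DNS server given)


def match_rule(rules, query):
    """Return the most specific NRPT rule that applies to query, or None."""
    q = query.lower().rstrip(".")
    best, best_score = None, (-1, -1)
    for rule in rules:
        n = rule.name.lower()
        if n.startswith(".") and q.endswith(n):
            score = (0, len(n))  # suffix rule: a longer suffix is more specific
        elif not n.startswith(".") and q == n:
            score = (1, len(n))  # exact FQDN rule outranks every suffix rule
        else:
            continue
        if score > best_score:
            best, best_score = rule, score
    return best


def resolve_path(rules, query):
    """Say which DNS servers answer the query: intranet ones or the client's own."""
    rule = match_rule(rules, query)
    if rule is None or not rule.dns_servers:
        # No matching rule, or an exemption rule: the client's normal DNS is used,
        # so the name resolves to its Internet address and skips DirectAccess.
        return ("client-dns", ())
    return ("intranet-dns", rule.dns_servers)


INTRANET_DNS = ("2001:db8::53",)  # constructed address, not from the page
# Assumed default: only the domain suffix rule exists.
SUFFIX_ONLY = [NrptRule(".contoso.com", INTRANET_DNS)]
# Same table plus an exemption rule for the public Web server.
WITH_EXEMPTION = SUFFIX_ONLY + [NrptRule("www.contoso.com")]

if __name__ == "__main__":
    for label, table in (("suffix only", SUFFIX_ONLY), ("with exemption", WITH_EXEMPTION)):
        for name in ("www.contoso.com", "files.contoso.com", "example.org"):
            print(f"{label:15} {name:20} -> {resolve_path(table, name)}")
```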