What is going to happen to our DirectAccess clients if NLB will be disabled?

Two DirectAccess servers (Windows 2012 R2) have been set up with load balancing in a cluster using Windows NLB. Everything works perfectly. All our remote client computers are always connected.

This is probably a noob question, but I need to know what is going to happen to our remote clients if I disable NLB (within the DirectAccess management console). I am guessing that all current active connections will be terminated. Would remote clients reconnect again? Or do we need to ask our clients to bring their laptops back to the office so they can get the new AD group policy?
Olevo asked:
btan (Exec Consultant) commented:
No HA, obviously, and it should fall back to normal DNS resolution if the NLB does not respond or the DNS query fails. This is largely to do with the Network Location Awareness (NLA) service configured in the DirectAccess setup. The article has the details; see the part on NLA: https://technet.microsoft.com/en-us/library/ff576612.aspx

In short, there is DNS round robin, but that is below par compared to NLB. Eventually, if everything falls out, the client will still need some form of resolution to a live DirectAccess server and to have NLA.

An additional element of planning for network location detection is to ensure that DirectAccess clients can operate when failures occur through the following:

• Configure an appropriate fall back setting

The fall back setting is a balance between confidentiality and availability. Setting fall back to happen more easily can result in name resolution queries being leaked to a public subnet. However, blocking fall back or relying on the user to choose the Private profile for the intranet network can result in loss of intranet connectivity.

• Deploy the DirectAccess Connectivity Assistant (DCA)

The DCA is a Windows notification area status indicator for DirectAccess that allows you to enable local name resolution when network location detection fails. If the DCA indicates that there is a DirectAccess connectivity problem, right-click the DCA icon and click Prefer Local DNS Names. This removes the DirectAccess NRPT rules and the DirectAccess client performs normal name resolution.

Also see "When Good Network Location Servers Go Bad – Preparing Against NLS Failure" (see also the additional measures you can take to make sure that an NLS failure causes as little disruption as possible):
http://blogs.technet.com/b/tomshinder/archive/2010/04/06/when-good-network-location-servers-go-bad-preparing-against-nls-failure.aspx

Rightfully, NLB has automatic recovery that is supposed to occur within 5 seconds; there is still a short period of non-availability, though.
Chris (Senior Technical Architect) commented:
You would only cut them off if any of the external details change, i.e. DNS name, probe addresses, etc.

If you disable the external NLB, then it will disconnect clients, as there is nothing to respond to the load-balanced address.
If you disable the internal NLB, then clients will be able to partly connect, but the service monitors will fail, as DA can't connect to DNS and the other internal services it relies on.

If it comes back up, then they should reconnect when they detect it's available.

If you make a change to the service that means a change in group policy, then they would need to connect to the network internally to pick up the change.
Olevo (author) commented:
After removing NLB (within the DirectAccess management console), only one DirectAccess server became available to the remote clients. All current active connections stayed connected!!! Basically, do we need to ask our clients to bring their laptops back to the office so they can get the new AD group policy?
btan (Exec Consultant) commented:
Indeed, the latest GPO needs to be pushed down; verify this:

• Deploy the DirectAccess Group Policy Objects and settings only to computers that will act as DirectAccess clients. This is a critical point of distinction and worth repeating early and often. This means that you need to create custom groups to apply these Group Policy settings, or at least create custom OUs for the settings. Don't apply the DA GPO settings to any of the default groups, and don't apply them to machines that will never act as DA clients, such as servers and domain controllers.

• Train your users on what to do in the event that a DA failure occurs. The DirectAccess Connectivity Assistant (DCA), which you can download at http://www.microsoft.com/downloads/details.aspx?FamilyID=9A87EFE8-E254-4473-8A26-678ADEA6D9E9&displaylang=en, will inform users when there is a problem with the DA connection. Users can then right-click the DCA icon in the system tray (notification area) and click Prefer Local DNS Names. When the users select this option, the DA-related entries in the NRPT are removed, and the DA client will then be able to resolve names using the DNS server address configured on the DA client's NIC, and will connect to resources using their IPv4 address. Note that when there's a connectivity change (network status change) the normal DA client behavior will start again, and if the DCA continues to show connectivity issues, the user will need to enable the Prefer Local Names option again.
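As an added diagnostic example (not part of the thread, and not code from Microsoft or the articles quoted above), the following PowerShell reports, from a DirectAccess client, the things the comments above say the client depends on after a server-side NLB change: the connection status, whether the client GPO still permits the "Prefer Local DNS Names" escape hatch, which DirectAccess NRPT rules are active, and how the public entry-point name resolves (one address for a single VIP/host, several for DNS round robin). It assumes a Windows 8 or later client (the built-in DnsClient and DirectAccessClientComponents modules) and uses `da.example.com` as a placeholder for the entry-point name; replace it with your own.

```powershell
<#
  Added diagnostic example, not from the thread.
  Run on a Windows 8+ DirectAccess client (requires the DnsClient and
  DirectAccessClientComponents modules that ship with the OS).
  $DaPublicName is a placeholder; it must be replaced with the real
  public name of your DirectAccess entry point.
#>
param(
    [string]$DaPublicName = 'da.example.com'   # placeholder, not from the thread
)

# 1. Overall DirectAccess state as the client sees it
$status = Get-DAConnectionStatus
"DirectAccess status        : $($status.Status) (substatus: $($status.Substatus))"

# 2. Client-side settings delivered by the DA client GPO. A stale GPO shows
#    up here, e.g. old tunnel endpoints or the escape hatch being disallowed.
$exp = Get-DAClientExperienceConfiguration
"Prefer Local Names allowed : $($exp.PreferLocalNamesAllowed)"
"IPsec tunnel endpoints     : $($exp.IPsecTunnelEndpoints -join ', ')"

# 3. NRPT rules that send intranet names to the DA DNS64 address. If none
#    are active, the client is doing ordinary local name resolution (the
#    state the connectivity assistant's 'Prefer Local DNS Names' produces).
$nrpt = Get-DnsClientNrptPolicy | Where-Object { $_.DirectAccessEnabled }
if (-not $nrpt) {
    'No DirectAccess NRPT rules active (local name resolution in effect).'
} else {
    $nrpt | ForEach-Object {
        "NRPT rule {0,-30} -> DNS {1}" -f $_.Namespace, ($_.DirectAccessDnsServers -join ', ')
    }
}

# 4. How the public entry-point name resolves from the current network.
#    A single address means the client depends on that one VIP/host;
#    several addresses mean DNS round robin, which the thread describes
#    as a weaker substitute for NLB.
$answers = Resolve-DnsName -Name $DaPublicName -Type A -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'A' }
if (-not $answers) {
    "Could not resolve $DaPublicName from this network."
} else {
    "$DaPublicName resolves to $(@($answers).Count) address(es): $($answers.IPAddress -join ', ')"
}
```

Run it once while a laptop is on the internal network and once while it is remote: the first run confirms the GPO-delivered settings and tunnel endpoints are current, the second shows whether the client can still reach a live entry point and whether the NRPT rules survived the network change the last comment describes.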
