This checklist provides the tasks needed to ensure that your internal network meets the requirements for a DirectAccess deployment.

Task Reference

Deploy an Active Directory Domain Services (AD DS) domain on your internal network and ensure that at least one domain controller in the domain containing user accounts is running Windows Server 2008 or later.

Active Directory Domain Services Home page on Microsoft Technet (

Deploy a public key infrastructure (PKI) with Active Directory Certificate Services (AD CS) and configure autoenrollment for computer certificates.

Active Directory Certificate Services Home page on Microsoft Technet (

Configure a certificate revocation list (CRL) distribution point that is reachable from the Internet.

Specify CRL Distribution Points (

Install Windows 7 on your DirectAccess clients and join them to your AD DS domain.

Understanding DirectAccess Components

Create AD DS security groups that contain the computer accounts of your DirectAccess clients.

Create a New Group (

Configure your Internet firewall to allow DirectAccess traffic.

Understanding DirectAccess Components

Configure and deploy Windows Firewall settings for Teredo traffic.

Understanding DirectAccess Components

If your DirectAccess server is not acting as the network location server, determine or create an HTTPS-based uniform resource locator (URL) on a highly available Web server on your internal network. DirectAccess clients use this URL to determine whether they are located on the Internet or the internal network.

Identify Infrastructure Servers for DirectAccess

For each of your Domain Name System (DNS) servers that are running Windows Server 2008 or later, remove the ISATAP name from the global query block list.

Update the Global Query Block List (