I recently experienced an issue with enabling Direct Access for child domains. I have a root domain with several child domains. My Direct Access servers are located in one child domain, for sake of simplicity let’s call it DomainA.root.local and my new clients were in a separate domain, let’s call that DomainB.root.local. I have clients in DomainA as well who have been working just fine for quite some time. I recently took on the endeavor of enabling clients in DomainB.root.local. Since both domains have transitive, two-way trusts I assumed authentication between domains would not be an issue. We were already accessing shared resources from both domains with no issues.
I deployed the updated Direct Access group policy objects for both DomainA and DomainB following the correct procedures on Microsoft TechNet. I issued client certificates from my enterprise PKI in DomainB to all of my new clients however, I received repeated errors on my Direct Access servers when my test client in DomainB attempted to connect and form an intranet tunnel. The infrastructure tunnel established as expected, but the Intranet tunnel refused to form. It appeared the certificate was being flagged as invalid. On further inspection of the Windows firewall on the client, it was obvious the client was either unable to authenticate against the domain controllers in DomainB.root.local or the certificate being used was not setup properly. I opened a support case with Microsoft and ultimately it was determined that “shortcut trusts” needed to be created between DomainA and DomainB. Once the new shortcut trusts were put in place, my Direct Access clients in DomainB were able to successfully authenticate. Perhaps else can shed some light on why the shortcut trusts were necessary, but this resolved our issues. Hope this saves someone else troubleshooting time and perhaps a Microsoft support call!