
Get-DAPolicyChange



This is the built-in help made by Microsoft for the command 'Get-DAPolicyChange', in PowerShell version 5 - as retrieved from Windows version 'Microsoft Windows Server 2012 R2 Standard' PowerShell help files on 2016-06-23.

For PowerShell version 3 and up, where you have Update-Help, this command was run just before creating the web pages from the help files.

SYNOPSIS

Gets a list of IP addresses that need to be added to or deleted from an IPsec rule, based on the differences detected between the IP addresses for the existing rule and the IP addresses derived from the input parameters, and creates a Windows PowerShell® script (.ps1) that updates the IPsec rule in the appropriate policy stores.

SYNTAX


Get-DAPolicyChange [[-Servers] <String[]>] [[-Domains] <String[]>] [-DisplayName] <String> [[-PolicyStore] <String>] [-PSLocation] <String> [-EndpointType] <String> [[-DnsServers] <String[]>] [<CommonParameters>]




DESCRIPTION


The Get-DAPolicyChange cmdlet returns the detected differences between the IP addresses (remote and local addresses) of an existing IPsec rule and the IP addresses derived
from the input parameters. This cmdlet also creates a Windows PowerShell® script (.ps1) that updates the IPsec rule end points with the retrieved IP addresses. The created
script contains instances of the Update-NetIPsecRule cmdlet, which add IP addresses to or delete them from IPsec rules.


This cmdlet is used to keep the IPsec policies for client and server refreshed in DirectAccess (DA) deployments in a double tunnel model. The DA first tunnel policy is
defined by IP addresses that are derived from domain names and servers. A list of IP addresses is retrieved based on the derived values from the Domains or Servers
parameter. This cmdlet outputs DeltaCollection objects that contain the following: the actual list of address changes detected, whether to add or delete the change in IP
addresses, and a list of fully qualified domain names (FQDNs) that did not resolve. If there are multiple rules that match the same name, then this cmdlet fails with an
error.


Running the output script for this cmdlet (located at PSLocation) resolves the IP addresses for the DA first tunnel and updates the Group Policy Objects (GPOs)
appropriately. The DNS server specified in the DnsServers parameter is used to resolve the domain names and server names.


By generating a Windows PowerShell script, this cmdlet allows administrators to have greater control over policy synchronization. The Sync-NetIPsecRule cmdlet also detects
the IP address changes, but immediately updates the rules instead of returning the deviations and a .ps1 script.
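
One way to review the generated script before running it, as an added example that is not part of Microsoft's help text. The function name Get-DAPolicyScriptReview and the sample script text are hypothetical, and the check assumes, per the description above, that the generated script should invoke only Update-NetIPsecRule.

```powershell
function Get-DAPolicyScriptReview {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ScriptText,
        # Assumption: the description says the script holds Update-NetIPsecRule calls only.
        [string[]] $AllowedCommands = @('Update-NetIPsecRule')
    )
    $tokens = $null
    $parseErrors = $null
    # Parse without executing anything in the script.
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref] $tokens, [ref] $parseErrors)
    if ($parseErrors.Count -gt 0) {
        throw "Script does not parse: $($parseErrors[0].Message)"
    }
    # Collect every command invocation, including ones nested in script blocks.
    $commands = $ast.FindAll(
        { param($node) $node -is [System.Management.Automation.Language.CommandAst] }, $true)
    foreach ($cmd in $commands) {
        $name = $cmd.GetCommandName()   # $null when the name is computed at run time
        [pscustomobject]@{
            Line     = $cmd.Extent.StartLineNumber
            Command  = if ($name) { $name } else { '<dynamic>' }
            Expected = [bool]($name -and ($AllowedCommands -contains $name))
            Text     = $cmd.Extent.Text
        }
    }
}

# Constructed sample with an assumed parameter layout, not real Get-DAPolicyChange output.
# Line 2 is deliberately out of place so the review has something to flag.
$sample = @'
Update-NetIPsecRule -IPsecRuleName "TunnelPolicy1" -Action Add -EndpointType Endpoint1 -IPv6Addresses "2001:4829:3243::100:1" -PolicyStore "contoso\DAClientPolicy"
Remove-NetIPsecRule -DisplayName "TunnelPolicy1"
'@
# For a real file: -ScriptText (Get-Content -Raw 'C:\Update.ps1')
$review = Get-DAPolicyScriptReview -ScriptText $sample
$review | Format-Table Line, Command, Expected -AutoSize
$unexpected = @($review | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) unexpected command(s); review them before running the script."
}
```

A flagged command is a prompt for manual review of the script and of who can write to the PSLocation path, not proof of tampering.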




RELATED LINKS

Online Version: http://go.microsoft.com/fwlink/?LinkId=232917
Sync-NetIPsecRule
Update-NetIPsecRule

REMARKS


Examples


EXAMPLE 1

PS C:\>Get-DAPolicyChange -DisplayName "TunnelPolicy1" -EndpointType Endpoint1 -PSLocation "C:\Update.ps1" -Servers "server1.corp.contoso.com", "server2.corp.contoso.com", "server3.corp.contoso.com"
IPsec Rule name : TunnelPolicy1
Action : Add
IPv6addresses : 2001:4829:3243::100:1
: 2001:4829:3243::100:1
GPO : contoso\DAClientPolicy

IPsec Rule name : TunnelPolicy1
Action : Delete
IPv6addresses : 2001:4829:3243::100:3
: 2001:4829:3243::100:4
GPO : contoso\DAClientPolicy

FQDN’s that did not resolve into IP address:
server1.corp.contoso.com
server3.corp.contoso.com



This example gets the list of IP addresses that need to be added to or deleted from an IPsec rule, based on the differences detected between the existing rule IP addresses and
the IP addresses derived from the input parameters, and returns a .ps1 file that updates the local end point for the rule.




EXAMPLE 2

PS C:\>$serverPolicyStore = "domain.contoso.com/server_GPO"

PS C:\>$serverRuleDisplayName = "Any-Traffic-Win8DA-Rule"

PS C:\>$domains = "corp.contoso.com", "corp.contoso2.com"

PS C:\>$servers = "server2.corp.contoso.com"

PS C:\>$primaryDns64 = "1.2.2.1"

PS C:\>Get-DAPolicyChange -PolicyStore $serverPolicyStore -DisplayName $serverRuleDisplayName -EndpointType Endpoint1 -Domains $domains -Servers $servers -DNSServers $primaryDns64 -AddressType IPv6 -PSLocation C:\Users\Administrator\Documents\PSscripts\dapolicychange.ps1



This example gets the list of IP addresses that need to be added to or deleted from an IPsec rule, based on the differences detected between the existing rule IP addresses and
the IP addresses derived from the input parameters, and returns a .ps1 file that updates the end points.