HRA Server Migration: Verifying the Migration
Applies To: Windows Server 2012
After the migration of your Health Registration Authority (HRA) server is complete, you can perform some tasks to verify that the migration was successful.
Verifying HRA Functionality
In order to verify the HRA functionality, the URL of the destination server must be configured in the NAP client trusted server group settings. This is typically done using Group Policy.
To test the destination server with minimal impact to your current NAP deployment, you can add a secondary trusted server group to NAP client settings. The new trusted server group can contain the URL of the newly migrated destination server. When a secondary trusted server group is configured, compliant client computers will receive a health certificate from both the source HRA and the destination HRA. Once you have verified that client computers are successfully receiving health certificates from the destination server, the new trusted server group can be removed, and the original trusted server group can be updated to use the destination server instead of the source server.
Adding a new trusted server group for testing
To add a new trusted server group in group policy that will be used to test the destination HRA, see Configure Trusted Server Groups in Group Policy.
The new trusted server group should be ordered below any other groups configured, and only the URL of the destination server (for example: https://destination.contoso.com/domainhra/hcsrvext.dll) should be added.
If there are multiple GPOs for NAP clients in your organization, you can make these changes to one GPO that applies to a group of clients you wish to test.
Testing the HRA with a NAP client
Use the following procedure to test the functionality of the destination server using a domain-joined NAP client in your deployment.
To test the HRA functionality using a NAP client
On the client computer, On the Start screen, type gpupdate /force, and then press ENTER. This updates the Group Policy configuration for the client.
On the Start screen, type cmd, type netsh nap client show grouppolicy, and then press ENTER.
In the command output, under Enforcement clients, verify that the Admin status of the IPSec Relying Party is Enabled.
In the command output, under Trusted server group configuration, verify that the trusted server group and destination server URL you configured previously are displayed.
Next, the NAP Agent service will be restarted to verify that the client computer successfully receives a health certificate from the new destination HRA.
To restart the NAP Agent service, at the command prompt, type net stop napagent && net start napagent, and then press ENTER. Verify that the commands completed successfully.
At the command prompt, type eventvwr.msc, and then press ENTER. This launches the Event Viewer.
In Event Viewer, browse to Windows Logs /Application and Services Logs/Microsoft/Windows/Network Access Protection/Operational.
In the details pane, under Event ID, locate the most recent occurrences of event 22. Event 22 is displayed each time a client computer acquires a health certificate from HRA. Double-click these events to review detailed information about the certificate acquisition. Verify that the URL of the destination server is displayed in at least one event as the source of the certificate.
Close Event Viewer.
Migrate Health Registration Authority to Windows Server 2012
HRA Server Migration: Preparing to Migrate
HRA Server Migration: Migrating the HRA Server
HRA Server Migration: Post-migration Tasks
Network Access Protection Design Guide
Network Access Protection Deployment Guide