HRA Server Migration: Migrating the HRA Server
Applies To: Windows Server 2012
This topic contains steps and procedures for migrating the Health Registration Authority (HRA) role service from a legacy source server to a new x64-based destination server running Windows Server® 2012.
The NPS role service must be installed before HRA can be configured on the destination server. If NPS on the destination server will only be used with HRA, you can use the Add Roles and Features Wizard in Server Manager to install both the HRA and NPS role services together. Following service installation, see the Migrate Network Policy Server to Windows Server 2012 guide for procedures to migrate NPS settings to the destination server. When you have completed migration of NPS, continue performing the procedures in this guide to complete HRA migration.
This topic includes sample Windows PowerShell cmdlets that you can use to automate some of the procedures described. For more information, see Using Cmdlets.
Migrating settings from the source server
Use the following procedures to export the HRA settings from your x86-based or x64-based source HRA server prior to migrating to an x64-based server running Windows Server 2012.
If your migration plan involves configuring the destination server with the same host name as the source server, then the source server must be decommissioned and taken offline prior to joining the destination server to the domain. To eliminate downtime in this scenario, a secondary HRA server should already be deployed before proceeding. For information about deploying a new HRA server, see Install HRA using the Add Roles and Features Wizard.
To export settings from the source server
On the source HRA server, type the following command at an elevated command prompt, and then press ENTER:
netsh nap hra export filename=c:\hra_export.xml
Copy the hra_export.xml file from the c:\ directory to the migration file storage location you have chosen.
Configuration settings for the NPS role service must also be exported from the source server. Use the procedures provided in the Migrating settings from the source server section of the NPS Server Migration: Migrating the NPS Server topic to export these settings, and copy the resulting NPS configuration file to the same migration file storage location.
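The export procedure above, as an added example that is not part of the original topic: it runs the netsh export from an elevated Windows PowerShell session on the source server, rejects an export that is not well-formed XML, records a SHA-256 hash so the copy can be checked on the destination, and copies both files to the migration store. The store path is an assumption; the hash is computed with .NET rather than Get-FileHash because Windows Server 2012 ships Windows PowerShell 3.0, which does not have that cmdlet.

```powershell
# Added example, not from the original topic. Run elevated on the source HRA server.
$ExportFile     = 'C:\hra_export.xml'
$MigrationStore = '\\fileserver\migration\hra'   # assumption: your migration file storage location

function Get-Sha256Hex {
    # Hex SHA-256 of a file; works on Windows PowerShell 3.0 (no Get-FileHash).
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try   { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Dispose(); $sha.Dispose() }
}

# netsh is the supported export tool; call it and check both the exit code and the file.
$output = & netsh.exe nap hra export "filename=$ExportFile" 2>&1 | Out-String
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $ExportFile)) {
    throw "HRA export failed: $output"
}

# A truncated or partial export would only surface at import time on the destination;
# refuse to ship anything that does not parse as XML.
try   { [xml](Get-Content -LiteralPath $ExportFile -Raw) | Out-Null }
catch { throw "Export file is not well-formed XML: $_" }

# Record the hash next to the export so the destination can verify the copy.
$hash = Get-Sha256Hex -Path $ExportFile
"$hash  $(Split-Path -Leaf $ExportFile)" | Set-Content -LiteralPath "$ExportFile.sha256"

# The export names the CAs the HRA will trust, so keep the store restricted to the
# migration account. Copy, then verify the copy before relying on it.
if (-not (Test-Path -LiteralPath $MigrationStore)) {
    New-Item -ItemType Directory -Path $MigrationStore | Out-Null
}
Copy-Item -LiteralPath $ExportFile, "$ExportFile.sha256" -Destination $MigrationStore
$copied = Join-Path $MigrationStore (Split-Path -Leaf $ExportFile)
if ((Get-Sha256Hex -Path $copied) -ne $hash) {
    throw "Copy in $MigrationStore does not match the source hash; do not proceed with this file"
}
"Exported HRA settings to $copied (SHA-256 $hash)"
```

Keep the .sha256 file with the export; the import step on the destination can recompute the hash with the same function before it touches the HRA configuration.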
Configuring the destination server
Use the following procedures to configure the destination server with the required identity, certificates, and services. If the destination server will have a different host name and IP address from the source server, then the source server can remain online and in service until testing and verification of the destination server is complete. When you have completed configuring the destination server’s identity, certificates, and services, you can begin migrating HRA settings from the source to the destination server.
Some services and settings on the destination server might already be migrated due to the migration of prerequisite roles. Before you configure the destination HRA server, consult the Migrating prerequisite roles topic in this guide to determine the configuration settings for NPS, AD CS, and IIS that must be migrated first.
To configure the destination server
Add the destination server to the domain of the source server. If the destination server will use the same name as the source server, you must ensure the source server is decommissioned as described in the Impact of migration topic.
Add the destination server to all security groups and organizational units (OUs) of which the source HRA server is a member. In most cases, the HRA server is a member of the IPsec boundary OU. Members of the boundary OU typically have IPsec policies applied that allow communication with both compliant and noncompliant computers. For more information on OUs and required IPsec policy settings, see Checklist: Deploy IPsec Policies for NAP (http://go.microsoft.com/fwlink/p/?linkid=229649).
To update Group Policy settings on the destination server, run gpupdate /force at an elevated command prompt.
To apply new security group membership settings, you must restart the destination server.
If client computers will use SSL to request health certificates from HRA, you must provision the destination server with an SSL certificate. For more information, see Configure an SSL Certificate for HRA (http://go.microsoft.com/fwlink/p/?LinkId=229650), or use the process defined within your organization for provisioning an SSL certificate.
Install the HRA role service on the destination server.
Install HRA using the Add Roles and Features Wizard
In Server Manager, click Manage and click Add Roles and Features.
On the Before you begin page, click Next.
On the Select installation type page, click Role-based or feature-based installation, and then click Next.
On the Select destination server page, click Select a server from the server pool, click the names of the servers where you want to install HRA and then click Next.
On the Select server roles page, click Network Policy and Access Services, and then click Next three times.
If the Network Policy Server role service is already installed, expand the NPAS node and select Health Registration Authority. Click Next five times and continue with the Certification Authority page step below.
On the Select Role Services page, click Health Registration Authority, and in the Add Roles and Features Wizard dialog box, verify that Include management tools (if applicable) is selected, click Add Features, and then click Next five times.
On the Certification Authority page, choose Select a CA later using the HRA console, and then click Next.
Certification Authority settings for HRA will be configured when you migrate settings from the source server.
On the Authentication Requirements page, choose No, allow anonymous requests for health certificates, if the destination HRA will provide health certificates to workgroup computers. If health certificates will be issued to domain-joined clients only, choose Yes, require requestors to be authenticated as members of a domain (recommended). Click Next to continue.
On the Server Authentication Certificate page, click Choose an existing certificate for SSL encryption (recommended), click the certificate displayed under this option, and then click Next. If multiple certificates are displayed, or you are not sure if the certificate displayed can be used for SSL encryption, see Install the HRA Role Service for more information.
Click Next, and then click Install.
On the Installation Results page, verify that installation was successful and then click Close.
The Install-WindowsFeature cmdlet performs the same function as the wizard. The HRA role service is named NPAS-Health, and the -IncludeManagementTools parameter installs the HRA console with it.
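The wizard steps above, as an added example that is not part of the original topic: it installs the NPAS-Health role service with the Server Manager cmdlets and then checks that the destination server already holds a certificate the Server Authentication Certificate page can use (private key present, Server Authentication EKU, currently valid, and naming the HRA host). The HRA FQDN is an assumption.

```powershell
# Added example, not from the original topic. Run elevated on the destination server.
Import-Module ServerManager
$HraFqdn = 'hra2.woodgrovebank.com'   # assumption: the name clients will use for HRA

# NPAS-Health is the Health Registration Authority role service; installing it also
# installs NPAS-Policy-Server (NPS) if that is not yet present.
$hra = Get-WindowsFeature -Name NPAS-Health
if (-not $hra.Installed) {
    $result = Install-WindowsFeature -Name NPAS-Health -IncludeManagementTools
    if (-not $result.Success) { throw "HRA installation failed with exit code $($result.ExitCode)" }
    if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'A restart is required before configuring HRA.' }
}
Get-WindowsFeature -Name NPAS-Policy-Server, NPAS-Health | Format-Table Name, Installed -AutoSize

function Get-HraSslCandidate {
    # Returns certificates in the machine store that satisfy what HRA needs for SSL:
    # a private key, the Server Authentication EKU, a valid period, and the HRA name
    # in the Subject or in the Subject Alternative Name extension.
    param([string]$HostName)
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $cert = $_
        if (-not $cert.HasPrivateKey) { return $false }
        if ($cert.NotBefore -gt $now -or $cert.NotAfter -le $now) { return $false }
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) { return $false }
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($san) { $san.Format($false) } else { '' }
        ($cert.Subject -match "CN=$([regex]::Escape($HostName))(,|$)") -or ($sanText -match [regex]::Escape($HostName))
    }
}

$candidates = @(Get-HraSslCandidate -HostName $HraFqdn)
if ($candidates.Count -eq 0) {
    Write-Warning "No usable SSL certificate for $HraFqdn in LocalMachine\My; provision one before configuring HRA."
} else {
    # Verify() builds the chain and checks revocation, so an untrusted issuer shows up here
    # rather than when the first client connects.
    $candidates | ForEach-Object {
        [pscustomobject]@{ Thumbprint = $_.Thumbprint; Subject = $_.Subject; NotAfter = $_.NotAfter; ChainValid = $_.Verify() }
    } | Format-Table -AutoSize
}
```

If more than one certificate is listed, choose the one whose ChainValid column is True and whose issuer the NAP clients trust; that is the certificate to select on the Server Authentication Certificate page.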
Migrating settings to the destination server
Follow the procedure below to migrate HRA settings from the source to destination server.
To migrate the settings to the destination server
On the destination server, type the following command at an elevated command prompt, and then press ENTER:
netsh nap hra import filename=c:\hra_export.xml
Replace c:\hra_export.xml with the path and file name of the HRA configuration file that you exported in the previous procedure, Migrating settings from the source server.
If you receive the error message “Cannot create a file when that file already exists,” the destination HRA already has a list of CA servers configured. Reset the HRA configuration and then perform this procedure again. To reset the HRA configuration, type the following command at an elevated command prompt, press ENTER, and confirm the deletion when prompted: reg delete HKLM\Software\Microsoft\HCS\CAServers
Verify that the settings have been imported successfully. To review HRA settings, type the following command at a command prompt and then press ENTER:
netsh nap hra show configuration
If the name of the certification authority will change as a result of the migration, type the following commands at an elevated command prompt to add the name of the correct CA and delete the name of the old CA. Replace \\srv1.woodgrovebank.com\woodgrovebank-srv1-CA and 1 with the name and processing order of the CA you wish to use.
netsh nap hra delete caserver name = "\\srv1.woodgrovebank.com\woodgrovebank-srv1-CA"
netsh nap hra add caserver name = "\\srv2.woodgrovebank.com\woodgrovebank-srv2-CA" processingorder = "1"
You can use the output of the netsh nap hra show configuration command to view the name and processing order format for the previous CA. For more information, see HRA Certification Authority Commands.
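The import, reset and CA replacement steps above, as an added example that is not part of the original topic: it imports the exported file on the destination server, recovers from the “already exists” condition by removing the CAServers key (the same reset as the reg delete command, done through the registry provider) and retrying, and then swaps the CA reference only if the old CA name is still present in the HRA configuration. The file path and the two CA names are the placeholders from the topic; replace them with your own.

```powershell
# Added example, not from the original topic. Run elevated on the destination HRA server.
$ImportFile   = 'C:\hra_export.xml'
$OldCa        = '\\srv1.woodgrovebank.com\woodgrovebank-srv1-CA'   # placeholder from the topic
$NewCa        = '\\srv2.woodgrovebank.com\woodgrovebank-srv2-CA'   # placeholder from the topic
$CaServersKey = 'HKLM:\SOFTWARE\Microsoft\HCS\CAServers'

function Invoke-Netsh {
    # Runs one netsh command and returns its text; throws unless the caller opts to inspect errors.
    param([string[]]$NetshArgs, [switch]$PassThruErrors)
    $text = (& netsh.exe @NetshArgs 2>&1 | Out-String)
    if ($LASTEXITCODE -ne 0 -and -not $PassThruErrors) {
        throw "netsh $($NetshArgs -join ' ') failed: $text"
    }
    return $text
}

if (-not (Test-Path -LiteralPath $ImportFile)) { throw "Import file $ImportFile not found" }

# First attempt; inspect the output rather than trusting the exit code alone, since the
# "already exists" condition is reported as text.
$result = Invoke-Netsh -NetshArgs 'nap','hra','import',"filename=$ImportFile" -PassThruErrors
if ($result -match 'already exists') {
    # HRA will not import over an existing CA server list. Clear it and import again.
    if (Test-Path -LiteralPath $CaServersKey) {
        Remove-Item -Path $CaServersKey -Recurse -Force
    }
    $result = Invoke-Netsh -NetshArgs 'nap','hra','import',"filename=$ImportFile"
} elseif ($LASTEXITCODE -ne 0) {
    throw "HRA import failed: $result"
}

# Review what was imported; the CA server list and processing order appear here.
$config = Invoke-Netsh -NetshArgs 'nap','hra','show','configuration'
$config

# Replace the CA reference only when the migration actually changed the CA name.
if ($config -match [regex]::Escape($OldCa)) {
    Invoke-Netsh -NetshArgs 'nap','hra','delete','caserver',"name=$OldCa" | Out-Null
    Invoke-Netsh -NetshArgs 'nap','hra','add','caserver',"name=$NewCa",'processingorder=1' | Out-Null
    "Replaced $OldCa with $NewCa at processing order 1"
    Invoke-Netsh -NetshArgs 'nap','hra','show','configuration'
} elseif ($config -notmatch [regex]::Escape($NewCa)) {
    Write-Warning "Neither the old nor the new CA name appears in the HRA configuration; check the import."
}
```

The script deletes the old CA entry before adding the new one, which is the order the topic's commands use; if you want the new CA in place before the old one is removed, add it at a higher processing order first and then delete the old entry.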
Configuring the Certification Authority
The computer account of the destination HRA server must be given security permissions on the CA to request, issue, and manage certificates. It must also be granted permission to manage the CA so that it can periodically clear expired certificates from the certificate store.
If the host name of the destination server is different from the source server, then the certification authority for the NAP deployment must be configured with permissions settings for the new HRA. If the destination HRA server is already a member of an OU or group that has permissions to manage the NAP CA, then this procedure is not required.
To configure the Certification Authority with permissions for the destination HRA
On the CA server, on the Start screen, type certsrv.msc, and then press ENTER.
In the Certification Authority console tree, right-click the CA name, and then click Properties.
Click the Security tab, and then click Add.
Click Object Types, click the Computers check box, and then click OK.
If the CA is located on a different computer than the destination HRA server, type the name of the destination HRA server under Enter the object names to select, and then click OK.
If the CA is installed on the same computer as the destination HRA server, type NETWORK SERVICE under Enter the object names to select, and then click OK.
Click the name of the destination server, or click NETWORK SERVICE, select Allow for the Issue and Manage Certificates, Manage CA, and Request Certificates check boxes, and then click OK.
Close the Certification Authority console.
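The permission check that the procedure above performs by hand, as an added example that is not part of the original topic: on the CA server it reads the CA's security descriptor from the CertSvc configuration registry key, resolves the destination HRA computer account to a SID, and reports whether that account's direct ACEs grant exactly Request Certificates, Issue and Manage Certificates, and Manage CA. The CA name and the HRA account are assumptions; the access-mask bit values are the CA_ACCESS_* constants from certadm.h and should be cross-checked against certutil -getreg CA\Security on your CA if in doubt. Rights inherited through a group or OU, as in the case the topic says needs no action, do not appear as direct ACEs and are reported as missing here.

```powershell
# Added example, not from the original topic. Run elevated on the CA server.
$CaName     = 'woodgrovebank-srv2-CA'      # assumption: the CA's common name
$HraAccount = 'WOODGROVEBANK\HRA2$'        # assumption: destination HRA computer account;
                                           # use 'NT AUTHORITY\NETWORK SERVICE' when CA and HRA share a host

# CA access-mask bits (CA_ACCESS_* in certadm.h); verify against your CA if in doubt.
$CA_ACCESS_ADMIN   = 0x001   # Manage CA
$CA_ACCESS_OFFICER = 0x002   # Issue and Manage Certificates
$CA_ACCESS_ENROLL  = 0x200   # Request Certificates
$Required = $CA_ACCESS_ADMIN -bor $CA_ACCESS_OFFICER -bor $CA_ACCESS_ENROLL

function Get-CaRightsForAccount {
    # Returns the effective direct CA rights mask (allow minus deny) for one account.
    param([string]$CaName, [string]$Account)
    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
    $sdBytes = (Get-ItemProperty -Path $regPath -Name Security).Security
    $sd  = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sdBytes, 0
    $sid = (New-Object System.Security.Principal.NTAccount $Account).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $allowed = 0; $denied = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.SecurityIdentifier.Value -ne $sid) { continue }
        switch ("$($ace.AceType)") {
            'AccessAllowed' { $allowed = $allowed -bor $ace.AccessMask }
            'AccessDenied'  { $denied  = $denied  -bor $ace.AccessMask }
        }
    }
    return ($allowed -band (-bnot $denied))
}

$effective = Get-CaRightsForAccount -CaName $CaName -Account $HraAccount
$missing   = $Required  -band (-bnot $effective)
$extra     = $effective -band (-bnot $Required)

"{0} on {1}: effective rights mask 0x{2:X}" -f $HraAccount, $CaName, $effective
if ($missing) {
    Write-Warning ("{0} lacks required CA rights (mask 0x{1:X}); grant them on the Security tab or via a group." -f $HraAccount, $missing)
}
if ($extra) {
    # HRA needs only the three rights above; anything more (auditor, operator, read) is worth a review.
    Write-Warning ("{0} holds CA rights beyond what HRA needs (mask 0x{1:X}); confirm they are intended." -f $HraAccount, $extra)
}
if (-not $missing -and -not $extra) { "$HraAccount holds exactly the rights HRA requires on $CaName" }
```

Run this after closing the Certification Authority console; if the account was granted rights through an OU or group rather than directly, check that group's ACE instead by passing its name as the account.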
Configuration tips for migrating the Certification Authority
If the HRA uses a CA that was recently migrated in parallel using the Active Directory Certificate Services Migration Guide (http://go.microsoft.com/fwlink/?LinkID=156771), consider the following:
If the HRA uses an Enterprise CA that was recently migrated, the template for the System Health Authentication certificate used by the HRA must be re-issued in Active Directory before it can be used. This procedure is described in the Restoring the certificate templates list section of the AD CS Migration: Migrating the Certification Authority topic and in the Backing up a CA templates list procedure of the AD CS Migration: Preparing to Migrate topic in the Active Directory Certificate Services Migration Guide (http://go.microsoft.com/fwlink/?LinkID=156771).
If the HRA uses a Root CA that was recently migrated, then all NAP IPsec policies configured in Group Policy need to be edited to use the correct Root CA. For more information, see Configure IPsec GPOs.
Migrate Health Registration Authority to Windows Server 2012
HRA Server Migration: Preparing to Migrate
HRA Server Migration: Verifying the Migration
HRA Server Migration: Post-migration Tasks
Network Access Protection Design Guide
Network Access Protection Deployment Guide