HRA Server Migration: Migrating the HRA Server

Published: November 11, 2009

Updated: November 11, 2009

Applies To: Windows Server 2008, Windows Server 2008 R2

This topic contains steps and procedures for migrating the Health Registration Authority (HRA) role service from a legacy source server to a new x64-based destination server running Windows Server® 2008 R2.

Important
The NPS role service must be installed before HRA can be configured on the destination server. If NPS on the destination server will only be used with HRA, you can use the Add Roles Wizard in Server Manager to install both HRA and NPS role services together. Following service installation, see the NPS Migration Guide for procedures to migrate NPS settings to the destination server. When you have completed migration of NPS, continue performing the procedures in this guide to complete HRA migration.

Use the following procedures to export the HRA settings from your x86-based or x64-based source HRA server prior to migrating to an x64-based server running Windows Server 2008 R2.

Important
If your migration plan involves configuring the destination server with the same host name as the source server, then the source server must be decommissioned and taken offline prior to joining the destination server to the domain. To eliminate downtime in this scenario, a secondary HRA server should already be deployed before proceeding. For information about deploying a new HRA server, see Install HRA using the Add Roles Wizard or Install HRA using Add Role Services.

  1. On the source HRA server, type the following command at an elevated command prompt, and then press ENTER:

    netsh nap hra export filename=c:\hra_export.xml
    
  2. Copy the hra_export.xml file from the c:\ directory to the migration file storage location you have chosen.

  3. Configuration settings for the NPS role service must also be exported from the source server. Use the procedures provided in the Migrating settings from the source server section of the NPS Server Migration: Migrating the NPS Server topic to export these settings.

  4. Copy the exported HRA configuration file to the migration file storage location you have chosen.

Use the following procedures to configure the destination server with the required identity, certificates, and services. If the destination server will have a different host name and IP address from the source server, then the source server can remain online and in service until testing and verification of the destination server is complete. When you have completed configuring the destination server’s identity, certificates, and services, you can begin migrating HRA settings from the source server to the destination server.

Important
Some services and settings on the destination server might already be migrated due to the migration of prerequisite roles. Before you configure the destination HRA server, consult the Migrating prerequisite roles topic in this guide to determine the configuration settings for NPS, AD CS, and IIS that must be migrated first.

  1. Add the destination server to the domain of the source server. If the destination server will use the same name as the source server, you must ensure the source server is decommissioned as described in the Impact of migration topic.

  2. Add the destination server to all security groups and organizational units (OUs) of which the source HRA server is a member. In most cases, the HRA server is a member of the IPsec boundary OU. Members of the boundary OU typically have IPsec policies applied that allow communication with both compliant and noncompliant computers. For more information on OUs and required IPsec policy settings, see Checklist: Deploy IPsec Policies for NAP.

  3. To update Group Policy settings on the destination server, run the following command at an elevated command prompt:

    gpupdate /force
    
    Note
    To apply new security group membership settings, you must restart the destination server.

  4. If client computers will use SSL to request health certificates from HRA, you must provision the destination server with an SSL certificate. For more information, see Configure an SSL Certificate for HRA, or use the process defined within your organization for provisioning an SSL certificate.

  5. Install the HRA role service on the destination server. If the Network Policy and Access Services (NPAS) role has not been installed on the destination server, you can Install HRA using the Add Roles Wizard. If NPS or another NPAS role service has already been installed on the destination server, you must Install HRA using Add Role Services.

    To install HRA using the Add Roles Wizard:

    1. In the Server Manager console tree, right-click Roles, click Add Roles, and then click Next.

    2. On the Select Server Roles page, select the Network Policy and Access Services check box, and then click Next twice.

    3. On the Select Role Services page, select the Health Registration Authority check box. Click Add Required Role Services in the popup window that appears, and then click Next.

    4. On the Choose the Certification Authority to use with the Health Registration Authority page, choose Select a CA later using the HRA console, and then click Next.

      Note
      Certification authority settings for HRA will be configured when you migrate settings from the source server.

    5. On the Choose Authentication Requirements for the Health Registration Authority page, choose No, allow anonymous requests for health certificates, if the destination HRA will provide health certificates to workgroup computers. If health certificates will be issued to domain-joined clients only, choose Yes, require requestors to be authenticated as members of a domain (recommended). Click Next to continue.

    6. On the Choose a Server Authentication Certificate for SSL Encryption page, choose Choose an existing certificate for SSL encryption (recommended), click the certificate displayed under this option, and then click Next. If multiple certificates are displayed, or you are not sure if the certificate displayed can be used for SSL encryption, see Install the HRA Role Service for more information.

    7. Click Next three times, and then click Install.

    8. On the Installation Results page, verify that installation was successful and then click Close.

    To install HRA using Add Role Services:

    1. In the Server Manager console tree, right-click Network Policy and Access Services and then click Add Role Services.

    2. On the Select Role Services page, select the Health Registration Authority check box. Click Add Required Role Services in the popup window that appears, and then click Next.

    3. On the Choose the Certification Authority to use with the Health Registration Authority page, choose Select a CA later using the HRA console, and then click Next.

      Note
      Certification authority settings for HRA will be configured when you migrate settings from the source server.

    4. On the Choose Authentication Requirements for the Health Registration Authority page, choose No, allow anonymous requests for health certificates, if the destination HRA will provide health certificates to workgroup computers. If health certificates will be issued to domain-joined clients only, choose Yes, require requestors to be authenticated as members of a domain (recommended). Click Next to continue.

    5. On the Choose a Server Authentication Certificate for SSL Encryption page, choose Choose an existing certificate for SSL encryption (recommended), click the certificate displayed under this option, and then click Next. If multiple certificates are displayed, or you are not sure if the certificate displayed can be used for SSL encryption, see Install the HRA Role Service for more information.

    6. Click Next three times, and then click Install.

    7. On the Installation Results page, verify that installation was successful and then click Close.

Follow the procedure below to migrate HRA settings from the source to destination server.

  1. On the destination server, type the following command at an elevated command prompt, and then press ENTER:

    netsh nap hra import filename = c:\hra_export.xml
    

    Replace c:\hra_export.xml with the path and file name of the HRA configuration file that you exported in the previous procedure, Migrating settings from the source server.

    Note
    If you receive the error message “Cannot create a file when that file already exists,” reset the HRA configuration and then perform this procedure again. To reset the HRA configuration, type the following command at an elevated command prompt and then press ENTER: reg delete HKLM\Software\Microsoft\HCS\CAServers.

  2. Verify that the settings have been imported successfully. To review HRA settings, type the following command at a command prompt and then press ENTER:

    netsh nap hra show configuration
    
  3. If the name of the certification authority will change as a result of the migration, type the following commands at an elevated command prompt to delete the name of the old CA and add the name of the correct CA. Replace \\srv1.woodgrovebank.com\woodgrovebank-srv1-CA with the name of the old CA, and replace \\srv2.woodgrovebank.com\woodgrovebank-srv2-CA and 1 with the name and processing order of the CA you wish to use.

    netsh nap hra delete caserver name = "\\srv1.woodgrovebank.com\woodgrovebank-srv1-CA"
    
    netsh nap hra add caserver name = "\\srv2.woodgrovebank.com\woodgrovebank-srv2-CA" processingorder = "1"
    

    You can use the output of the netsh nap hra show configuration command to view the name and processing order format for the previous CA. For more information, see HRA Certification Authority Commands.
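The following PowerShell script is an added example and is not part of the original topic or of any Microsoft tool. It wraps the export procedure (Migrating settings from the source server, steps 1 through 4) and the import procedure above (steps 1 through 3) in one script: run it with -Action Export on the source server and with -Action Import on the destination server. It uses the topic's own netsh and reg commands, and adds two things a practitioner would want: a SHA-256 hash of hra_export.xml recorded at export time and checked before import, and an automatic retry after the documented "Cannot create a file when that file already exists" reset. The migration share path, the companion .sha256 file, the /f switch on reg delete (which suppresses the confirmation prompt), and the CA names (taken from the topic's woodgrovebank examples) are assumptions; change them to match your deployment.

```powershell
# Added example, not from the original topic. Run on the source server with
# -Action Export and on the destination server with -Action Import.
param(
    [Parameter(Mandatory=$true)][ValidateSet('Export','Import')] [string]$Action,
    [string]$ExportFile   = 'C:\hra_export.xml',                               # topic's example path
    [string]$MigrationDir = '\\fileserver\migration\HRA',                      # assumed storage location
    [string]$OldCA        = '\\srv1.woodgrovebank.com\woodgrovebank-srv1-CA',  # topic's example old CA
    [string]$NewCA        = '\\srv2.woodgrovebank.com\woodgrovebank-srv2-CA',  # topic's example new CA
    [string]$Order        = '1'                                                # processing order for new CA
)

# SHA-256 of a file via .NET; works on the PowerShell 2.0 that ships with Windows Server 2008 R2.
function Get-Sha256Hex([string]$Path) {
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

# The netsh nap hra commands require an elevated prompt, as the topic states.
$id      = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
               [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this script from an elevated PowerShell prompt.' }

switch ($Action) {
  'Export' {
    # Export step 1: the topic's netsh export command.
    & netsh nap hra export "filename=$ExportFile"
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $ExportFile)) {
        throw "netsh nap hra export failed (exit code $LASTEXITCODE)."
    }
    # Record the hash beside the export so the copy can be verified before import.
    $hash = Get-Sha256Hex $ExportFile
    Set-Content -Path "$ExportFile.sha256" -Value $hash
    # Export step 2: copy the export and its hash to the migration storage location.
    if (-not (Test-Path $MigrationDir)) { New-Item -ItemType Directory -Path $MigrationDir | Out-Null }
    Copy-Item -Path $ExportFile, "$ExportFile.sha256" -Destination $MigrationDir -Force
    Write-Host "Exported HRA settings to $MigrationDir (SHA-256 $hash)."
  }
  'Import' {
    # Fetch the export and its hash from the migration store, then verify integrity.
    $leaf = Split-Path $ExportFile -Leaf
    Copy-Item -Path (Join-Path $MigrationDir $leaf), (Join-Path $MigrationDir "$leaf.sha256") `
              -Destination (Split-Path $ExportFile -Parent) -Force
    $expected = (Get-Content "$ExportFile.sha256").Trim()
    $actual   = Get-Sha256Hex $ExportFile
    if ($actual -ne $expected) { throw "Hash mismatch for $ExportFile; refusing to import it." }

    # Import step 1: on the documented "already exists" error, reset the CA list and retry once.
    $out = & netsh nap hra import "filename=$ExportFile" 2>&1
    if (($out | Out-String) -match 'Cannot create a file when that file already exists') {
        & reg delete HKLM\Software\Microsoft\HCS\CAServers /f | Out-Null
        $out = & netsh nap hra import "filename=$ExportFile" 2>&1
    }
    if ($LASTEXITCODE -ne 0) { throw "netsh nap hra import failed: $($out | Out-String)" }

    # Import step 3: swap the CA entry if the CA name changed with the migration.
    if ($OldCA -ne $NewCA) {
        & netsh nap hra delete caserver "name=$OldCA"
        & netsh nap hra add caserver "name=$NewCA" "processingorder=$Order"
    }

    # Import step 2 (verification): the new CA must be listed and the old one gone.
    $config = & netsh nap hra show configuration | Out-String
    if ($config -notmatch [regex]::Escape($NewCA)) { throw "CA $NewCA not found in HRA configuration." }
    if ($OldCA -ne $NewCA -and $config -match [regex]::Escape($OldCA)) {
        Write-Warning "Old CA $OldCA is still listed in the HRA configuration."
    }
    $config
  }
}
```

The hash check is deliberately strict: hra_export.xml carries the CA list the HRA will trust, so a truncated or altered copy should stop the import rather than be applied and discovered later in show configuration output. Keep the migration share restricted to the accounts performing the migration for the same reason.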

The destination HRA server name must be given security permissions to request, issue, and manage certificates. It must also be granted permission to manage the CA so that it can periodically clear expired certificates from the certificate store.

If the host name of the destination server is different from the source server, then the certification authority for the NAP deployment must be configured with permissions settings for the new HRA. If the destination HRA server is already a member of an OU or group that has permissions to manage the NAP CA, then this procedure is not required.

  1. On the CA server, click Start, click Run, type certsrv.msc, and then press ENTER.

  2. In the certification authority console tree, right-click the CA name, and then click Properties.

  3. Click the Security tab, and then click Add.

  4. Click Object Types, click the Computers check box, and then click OK.

  5. If the CA is located on a different computer than the destination HRA server, type the name of the destination HRA server under Enter the object names to select, and then click OK.

    Note
    If the CA is installed on the same computer as the destination HRA server, type NETWORK SERVICE under Enter the object names to select, and then click OK.

  6. Click the name of the destination server, or click NETWORK SERVICE, select Allow for the Issue and Manage Certificates, Manage CA, and Request Certificates check boxes, and then click OK.

  7. Close the Certification Authority console.

If the HRA uses a CA that was recently migrated in parallel using the Active Directory Certificate Services Migration Guide (http://go.microsoft.com/fwlink/?LinkID=156771), consider the following:

  1. If the HRA uses an Enterprise CA that was recently migrated, the template for the System Health Authentication certificate used by the HRA must be re-issued in Active Directory before it can be used. This procedure is described in the Restoring the certificate templates list section of the AD CS Migration: Migrating the Certification Authority topic and in the Backing up a CA templates list procedure of the AD CS Migration: Preparing to Migrate topic in the Active Directory Certificate Services Migration Guide (http://go.microsoft.com/fwlink/?LinkID=156771).

  2. If the HRA uses a Root CA that was recently migrated, then all NAP IPsec policies configured in Group Policy need to be edited to use the correct Root CA. For more information, see Configure IPsec GPOs.
