Configure HRA Automatic Discovery

  • Article

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

The following procedures show how you can allow the discovery of HRA servers on a network using DNS service (SRV) records.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

Configure HRA automatic discovery

Perform the following procedures to configure HRA automatic discovery on NAP client computers.

Requirements for HRA automatic discovery

The following requirements must be met in order to configure trusted server groups on NAP client computers using HRA automatic discovery:

  • Client computers must be running Windows Vista® with Service Pack 1 (SP1) or Windows XP with Service Pack 3 (SP3).

  • The HRA server must be configured with a Secure Sockets Layer (SSL) certificate.

  • The EnableDiscovery registry key must be configured on NAP client computers.

  • DNS SRV records must be configured.

  • The trusted server group configuration in either local policy or Group Policy must be cleared.

The following steps describe these procedures in detail.

Configure the EnableDiscovery registry key

First, configure the registry on client computers to use the EnableDiscovery registry key.

To configure the EnableDiscovery registry key on a client computer

  1. On a client computer, click Start, click Run, type regedit, and then press ENTER.

  2. In Registry Editor, open HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\NetworkAccessProtection\ClientConfig\Enroll\HcsGroups.

  3. Right-click HcsGroups, point to New, and then click DWORD (32-bit) Value. For the new DWORD, type EnableDiscovery, and then press ENTER.

  4. Double-click EnableDiscovery, under Value data, type 1, and then click OK.

  5. Close the Registry Editor.

Note

If NAP client settings are enabled in local policy instead of Group Policy, the EnableDiscovery registry key must be configured under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\napagent\LocalConfig\Enroll\HcsGroups.

Configure DNS SRV records

Next, configure a DNS SRV record on a domain controller.

To configure DNS SRV records

  1. On a DNS server, click Start, click Run, type dnsmgmt.msc, and then press ENTER.

  2. In the console tree, open Forward Lookup Zones\contoso.com\_sites\Default-First-Site-Name\_tcp.

  3. Right-click _tcp, and then click Other New Records.

  4. In the Resource Record Type window, under Select a resource record type, click Service Location (SRV), and then click Create Record.

  5. In the New Resource Record window, next to Service, type _hra.

  6. Next to Protocol, type _tcp.

  7. Under Host offering this service, type nps1.contoso.com, and then click OK.

Note

The fully qualified domain name (FQDN) of the HRA server is required here to support SSL authentication. If more than one HRA SRV record is provisioned, next to Priority, you can type the processing order priority assigned to this HRA. Possible values are 0 through 65535, with lower numbers assigned a higher priority.

Clear the trusted server group configuration

If a trusted server group configuration is found in policy settings used by the client computer, then the client computer will not attempt to discover HRA servers automatically. To enable automatic discovery, you must clear the trusted server group configuration from Group Policy.

To clear the trusted server group configuration

  1. On a computer with the Group Policy Management feature installed, click Start, click Run, type gpme.msc, and then press ENTER.

  2. In the Browse for a Group Policy Object dialog box, click NAP client settings, and then click OK.

  3. The Group Policy Management Editor window will open. In the console tree, navigate to Computer Configuration/Policies/Windows Settings/Security Settings/Network Access Protection/NAP Client Configuration/Health Registration Settings/Trusted Server Groups.

  4. In the details pane, right-click Trusted HRA Server, and then click Delete.

  5. Verify that no groups are listed in the details pane under Trusted Server Groups.

  6. In the console tree, right-click NAP Client Configuration, and then click Apply.

  7. Close the Group Policy Management Editor window.

  8. If you are prompted to save settings, click Yes.

Note

To enable the new settings, refresh Group Policy on client computers, and then verify that no trusted server groups are configured.

Verify HRA automatic discovery

When Group Policy is refreshed, computers will dynamically discover HRA servers on the network and acquire a health certificate using SSL. You can use Event Viewer to verify that client computers automatically discovered HRA servers.

To verify that client computers automatically discovered HRA servers

  1. On a NAP client computer, click Start, click Run, type eventvwr.msc, and press ENTER.

  2. In the Event Viewer console tree, open Applications and Services Logs\Microsoft\Windows\Network Access Protection\Operational.

  3. In the details pane, click event 40. This event is related to the dynamic discovery of HRAs by the NAP Agent service.