Configure HRA Automatic Discovery

Updated: February 29, 2012

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

The following procedures show how you can allow the discovery of HRA servers on a network using DNS service (SRV) records.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (

Perform the following procedures to configure HRA automatic discovery on NAP client computers.

The following requirements must be met in order to configure trusted server groups on NAP client computers using HRA automatic discovery:

  • Client computers must be running Windows Vista® with Service Pack 1 (SP1) or Windows XP with Service Pack 3 (SP3).

  • The HRA server must be configured with a Secure Sockets Layer (SSL) certificate.

  • The EnableDiscovery registry key must be configured on NAP client computers.

  • DNS SRV records must be configured.

  • The trusted server group configuration in either local policy or Group Policy must be cleared.

The following steps describe these procedures in detail.

First, configure the registry on client computers to use the EnableDiscovery registry key.

  1. On a client computer, click Start, click Run, type regedit, and then press ENTER.

  2. In Registry Editor, open HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\NetworkAccessProtection\ClientConfig\Enroll\HcsGroups.

  3. Right-click HcsGroups, point to New, and then click DWORD (32-bit) Value. For the new DWORD, type EnableDiscovery, and then press ENTER.

  4. Double-click EnableDiscovery, under Value data, type 1, and then click OK.

  5. Close the Registry Editor.

If NAP client settings are enabled in local policy instead of Group Policy, the EnableDiscovery registry key must be configured under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\napagent\LocalConfig\Enroll\HcsGroups.

Next, configure a DNS SRV record on a domain controller.

  1. On a DNS server, click Start, click Run, type dnsmgmt.msc, and then press ENTER.

  2. In the console tree, open Forward Lookup Zones\\_sites\Default-First-Site-Name\_tcp.

  3. Right-click _tcp, and then click Other New Records.

  4. In the Resource Record Type window, under Select a resource record type, click Service Location (SRV), and then click Create Record.

  5. In the New Resource Record window, next to Service, type _hra.

  6. Next to Protocol, type _tcp.

  7. Under Host offering this service, type, and then click OK.

The fully qualified domain name (FQDN) of the HRA server is required here to support SSL authentication. If more than one HRA SRV record is provisioned, next to Priority, you can type the processing order priority assigned to this HRA. Possible values are 0 through 65535, with lower numbers assigned a higher priority.

If a trusted server group configuration is found in policy settings used by the client computer, then the client computer will not attempt to discover HRA servers automatically. To enable automatic discovery, you must clear the trusted server group configuration from Group Policy.

  1. On a computer with the Group Policy Management feature installed, click Start, click Run, type gpme.msc, and then press ENTER.

  2. In the Browse for a Group Policy Object dialog box, click NAP client settings, and then click OK.

  3. The Group Policy Management Editor window will open. In the console tree, navigate to Computer Configuration/Policies/Windows Settings/Security Settings/Network Access Protection/NAP Client Configuration/Health Registration Settings/Trusted Server Groups.

  4. In the details pane, right-click Trusted HRA Server, and then click Delete.

  5. Verify that no groups are listed in the details pane under Trusted Server Groups.

  6. In the console tree, right-click NAP Client Configuration, and then click Apply.

  7. Close the Group Policy Management Editor window.

  8. If you are prompted to save settings, click Yes.

    To enable the new settings, refresh Group Policy on client computers, and then verify that no trusted server groups are configured.

When Group Policy is refreshed, computers will dynamically discover HRA servers on the network and acquire a health certificate using SSL. You can use Event Viewer to verify that client computers automatically discovered HRA servers.

  1. On a NAP client computer, click Start, click Run, type eventvwr.msc, and press ENTER.

  2. In the Event Viewer console tree, open Applications and Services Logs\Microsoft\Windows\Network Access Protection\Operational.

  3. In the details pane, click event 40. This event is related to the dynamic discovery of HRAs by the NAP Agent service.

Community Additions