HRA Server Migration: Post-migration Tasks
Updated: February 29, 2012
Applies To: Windows Server 2012
After all migration steps are complete and you have verified the migration of the Health Registration Authority (HRA) role service, perform the following post-migration tasks.
To finish deploying the destination server, all NAP clients must be updated to obtain a health certificate from the destination server URL instead of the source server URL (if different). These settings are typically configured using Group Policy. If the source and destination URLs are different, each GPO in your NAP deployment that uses the new trusted server group settings must be modified. If your organization uses other methods to push NAP client settings to clients, then you might also need to modify those procedures.
If you have configured HRA automatic discovery on your network and the names of your source and destination HRA servers are different, you must modify DNS service (SRV) records to deploy the new trusted server group setting to client computers. For more information, see Configure HRA Automatic Discovery.
To configure final NAP client settings in group policy
1. On a domain controller or member server with the Group Policy Management feature installed, click Start, click Run, type gpmc.msc, and then press ENTER.
2. In the Group Policy Management console tree, open Group Policy Objects, right-click the name of the GPO you want to edit, and then click Edit. The Group Policy Management Editor opens.
3. In the console tree, open Computer Configuration/Policies/Windows Settings/Security Settings/Network Access Protection/NAP Client Configuration/Health Registration Settings/Trusted Server Groups.
4. Delete the secondary trusted server group that was added for testing purposes. To delete this group, right-click the name of the trusted server group, and click Delete.
5. Double-click the name of the primary trusted server group you wish to edit.
6. Click the URL of the source server in the list, and then click Edit.
7. Replace the source server URL with the destination server URL.
8. In the console tree, right-click NAP Client Configuration, and then click Apply.
9. Close the Group Policy Management Editor window.
10. If you are prompted to apply settings, click Yes.
Repeat the testing procedure as described in HRA Server Migration: Verifying the Migration to verify that deployment of the destination server is successful.
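A check that can be run on a NAP client after the GPO change, as an added example that is not part of the original topic: it lists the HRA URLs the client has received through Group Policy and flags any that still point at the source server. The host names, the -UseSample switch, the Get-HraUrlStatus function and the sample text are assumptions made for illustration, and the script assumes PowerShell 3.0 or later.

```powershell
# Added example: report which HRA URLs this NAP client has received from Group Policy.
# Run "gpupdate /target:computer /force" first so the edited GPO has been applied.
param(
    [string]$SourceHost      = 'hra-old.example.test',  # placeholder: source HRA host name
    [string]$DestinationHost = 'hra-new.example.test',  # placeholder: destination HRA host name
    [switch]$UseSample                                  # parse the constructed sample, not live output
)

# Constructed sample text so the parsing can be exercised offline.
# It is not captured output; real netsh output may be laid out differently.
$sample = @'
Group = Primary HRA Group
URL   = https://hra-old.example.test/domainhra/hcsrvext.dll
URL   = https://hra-new.example.test/domainhra/hcsrvext.dll
'@

function Get-HraUrlStatus {
    param([string]$Text, [string]$Source, [string]$Destination)
    # Extract every http/https URL regardless of the surrounding layout,
    # then classify each one by its host name (case-insensitive).
    foreach ($m in [regex]::Matches($Text, 'https?://[^\s"''<>]+')) {
        $uri = [uri]$m.Value
        if     ($uri.Host -ieq $Source)      { $status = 'source' }
        elseif ($uri.Host -ieq $Destination) { $status = 'destination' }
        else                                 { $status = 'other' }
        [pscustomobject]@{ Host = $uri.Host; Status = $status; Url = $uri.AbsoluteUri }
    }
}

if ($UseSample) {
    $text = $sample
} else {
    # Shows the NAP client configuration delivered by Group Policy.
    $text = (& netsh nap client show grouppolicy) -join "`n"
}

$results  = @(Get-HraUrlStatus -Text $text -Source $SourceHost -Destination $DestinationHost)
$statuses = @($results | ForEach-Object { $_.Status })
$results | Format-Table -AutoSize

if ($statuses -contains 'source') {
    Write-Warning "Source HRA URL is still configured; check every GPO that applies to this client."
} elseif ($statuses -notcontains 'destination') {
    Write-Warning "Destination HRA URL not found in the Group Policy NAP client settings."
}
```

A client that still reports the source URL usually means another GPO in the NAP deployment has not been edited yet, which matters before the source server's HRA role is retired.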
If the destination server is deployed simultaneously with the source server using a different host name, then the configuration prior to migration can be restored by changing the NAP client settings to use the URL of the source HRA server. To restore the previous configuration, perform the steps described in the Deploying final client settings section of the HRA Server Migration: Verifying the Migration topic, replacing the destination server URL with the source server URL.
If the destination server replaced the source server using the same host name, then the destination server will need to be renamed, unjoined from the domain, or otherwise decommissioned in order to bring the source server back online.
Once the destination HRA has been configured, tested, and verified, and the URL of the source HRA has been removed from group policy, then the HRA role on the source server may be retired.
The source server can be taken offline and physically retired or repurposed. Follow your organization’s policy regarding server decommissioning.
To retire only the HRA role on the source server, in the Server Manager console tree, click Network Policy and Access Services. In the details pane, click Remove Role Services, and then use the Remove Role Services wizard to select and remove the HRA role service.
If the source server was configured to use a certification authority on a different machine, consider removing permissions for the source server from the certification authority.