Migrate Health Registration Authority to Windows Server 2012
Updated: February 29, 2012
Applies To: Windows Server 2012
This document provides guidance for migrating the Health Registration Authority (HRA) role service from an x86-based or x64-based server running Windows Server® 2008, Windows Server® 2008 R2, or Windows Server® 2012 to a new Windows Server 2012 server.
This guide describes the steps for migrating existing HRA server settings to a server that is running Windows Server 2012. By using this documentation, you can simplify migration, reduce or eliminate server downtime, and help eliminate possible conflicts that might otherwise occur during HRA migration.
This guide is intended for information technology (IT) administrators, IT professionals, and other knowledge workers who are responsible for the operation and deployment of HRA servers in a managed environment.
This guide does not provide detailed steps to migrate the configuration of other services used with NAP, such as Network Policy Server (NPS) or Active Directory Certificate Services (AD CS). These procedures are found in the Migrate Network Policy Server to Windows Server 2012 and the Active Directory Certificate Services Migration Guide (http://go.microsoft.com/fwlink/p/?LinkID=156771). Instructions to perform specific procedures in these other guides are provided as necessary to complete migration of the HRA server.
This guide provides you with instructions for migrating an existing server that is running the HRA role service to a server that is running Windows Server 2012. This includes guidance for installing the prerequisite IIS server role and NPS role service. If your server is running additional services, it is recommended that you design a custom migration procedure specific to your server environment based on the information provided in other role migration guides. Migration guides for additional roles are available on the Windows Server 2008 R2 TechCenter (http://go.microsoft.com/fwlink/p/?LinkID=128554).
If your source server provides other roles and services in addition to HRA, migrating the computer name and IP configuration can cause these services to fail. You must verify the impact of these procedures before performing them during HRA migration.
The following table displays the minimum operating system requirements.

| Source server processor | Source server operating system | Destination server operating system | Destination server processor |
|---|---|---|---|
| x86- or x64-based | Windows Server 2008 | Windows Server 2012 | x64-based |
| x64-based | Windows Server 2008 R2 | Windows Server 2012 | x64-based |
| x64-based | Windows Server 2012 | Windows Server 2012 | x64-based |
The NPS and HRA role services are not available in Server Core installations. Foundation, Standard, Enterprise, and Datacenter editions of Windows Server are supported as either source or destination servers. However, if you have configured AD CS on the source server as an enterprise certification authority (CA), the destination CA server must be running Enterprise or Datacenter editions of Windows Server 2012.
Migration from a source server to a destination server that is running an operating system with a different installed language is not supported. For example, migration of server roles from a computer that is running Windows Server 2008 with a system language of French to a computer that is running Windows Server 2012 with a system language of German is not supported. The system language is the language of the localized installation package that was used to set up the Windows operating system.
Both x86- and x64-based migrations are supported for Windows Server 2008. All editions of Windows Server 2008 R2 and Windows Server 2012 are x64-based.
This guide provides procedures to migrate all HRA server settings, including any custom CA and request policy settings. This guide also provides instructions for configuring minimum IIS role requirements on the destination server.
HRA is a role service under the Network Policy and Access Services (NPAS) server role. To install HRA, you must also install NPS and IIS on the same computer. If these services are not already installed, they will be added automatically by the Add Roles and Features Wizard when you choose to install HRA.
HRA also requires a connection to one or more servers running AD CS that are configured to provide NAP health certificates. AD CS can be installed on the same computer with HRA, or it can be installed on another computer. If any HRA servers in your organization are configured to use AD CS on the source server for health certificate requests, you must install AD CS on the destination HRA server and configure it to provide health certificates, or you can change the CA configuration of your HRA servers.
Consider the following information about prerequisite roles and required services on the destination HRA server.
NPS. The NPS role service must be migrated before you can test and verify the functionality of HRA on the destination server. If NPS on the source server is only used with HRA, either as a standalone NAP IPsec health policy server or as a RADIUS proxy for another health policy server, this guide provides references to the specific procedures in Migrate Network Policy Server to Windows Server 2012 that are required to migrate the NPS policies and settings HRA depends on. If the NPS role on the source server is used for purposes other than IPsec NAP, or if the source server is a member of RADIUS clients or remote RADIUS server groups on other servers in your organization, consult Migrate Network Policy Server to Windows Server 2012 for detailed migration instructions prior to migrating HRA.
AD CS. During installation of HRA, you can choose to install AD CS on the same computer, to use an existing NAP CA on a different computer, or to select a CA later. You can also choose to install AD CS as an enterprise CA or a standalone CA.
After you install AD CS on the HRA server, you cannot change the name of the HRA server.
If you install AD CS on the same computer with HRA, you must configure AD CS on the destination HRA server to provide NAP health certificates.
If AD CS is installed as an enterprise CA, use procedures in this guide to configure permission settings for the NAP CA. See the Active Directory Certificate Services Migration Guide (http://go.microsoft.com/fwlink/p/?LinkID=156771) for procedures to migrate health certificate templates to the destination server.
If AD CS is installed as a standalone CA, this guide provides all permission setting procedures that are required to configure a NAP CA on the destination server. If you use the local CA for other purposes than issuing NAP health certificates, or you have a custom configuration, see the Active Directory Certificate Services Migration Guide (http://go.microsoft.com/fwlink/p/?LinkID=156771) for detailed instructions to migrate CA settings.
If you use an existing NAP CA on a different computer, you do not need to configure AD CS on the destination server.
If you choose to select a CA later, you do not need to configure AD CS on the destination server. If you choose to install AD CS on the destination HRA server later, see Deploying NAP Certification Authorities.
If AD CS on the source server is also used to issue certificates that are not health certificates, see the Active Directory Certificate Services Migration Guide (http://go.microsoft.com/fwlink/?LinkID=156771) for procedures to migrate AD CS.
IIS. If the prerequisite IIS server role is used for any purposes other than HRA, or is run with customized settings beyond adding an SSL certificate, follow the procedures in the Internet Information Services Migration Guide prior to migrating HRA. If the IIS server role is only used with HRA, use the procedures in this guide to migrate IIS.
To maintain HRA performance, the default IIS connection settings must be modified to increase the maximum number of concurrent connections. To perform this procedure, see the Configure IIS connection settings section in Configure an HRA server for NAP.
The following migration scenarios are not covered in this document:
Upgrade. Guidance is not provided for scenarios in which the new operating system is installed on existing server hardware by using the Upgrade option during setup.
Workgroup. Guidance is not provided for migration of HRA settings to or from a non-domain-joined server.
HRA server migration is divided into the following major sections:

Pre-migration. Establishing a storage location for migration data, collecting the information that will be used to perform the server migration, and installing the operating system on the destination server.

Migration. Using the Network Shell (netsh) utility from a command line on the source server to obtain the required HRA settings, and procedures on the destination server to install the required roles and migrate the HRA settings.

Verification. Testing the destination server to ensure that it works correctly.

Post-migration. Retiring or repurposing the source server.
If your migration plan involves configuring the destination server with a different host name from the source server, the trusted server group settings on NAP client computers that use the source HRA server must be updated to use the destination HRA server. This approach has the advantage that it allows the source and destination HRA servers to run simultaneously until testing and verification is complete.
If your migration plan involves configuring the destination server with the same name as the source server, then the source server must be decommissioned and taken offline prior to joining the destination server to the same domain with the same host name. To eliminate downtime in this scenario, NAP client computers must have access to a secondary HRA server in addition to the source and destination servers. To eliminate short term name resolution issues, use the same IP address configuration on the source and destination server.
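The following PowerShell script is an added example and is not part of the Microsoft guide. It strings together the four phases described above for the different-host-name scenario: recording the HRA, NPS and IIS state on the source server, installing the prerequisite roles on the destination, re-pointing HRA at the existing NAP CA, raising the IIS connection limit, and updating the trusted server group on a NAP client. The migration share \\MIGSTORE\hra, the destination name HRA02.corp.contoso.com, the CA name CA01.corp.contoso.com\Corp NAP CA, the trusted server group name and the connection limit value are all assumptions; take the real values from the source server's recorded settings and from the Configure IIS connection settings section referenced in this guide. The script assumes the NAP CA is on a different computer, so AD CS is not installed on the destination.

```powershell
# Added example, not from the Microsoft migration guide. All host names, paths and
# the connection limit below are hypothetical placeholders.
$MigrationStore = '\\MIGSTORE\hra'               # hypothetical UNC path for migration data
$NewHraHost     = 'HRA02.corp.contoso.com'       # hypothetical destination host name
$NapCa          = 'CA01.corp.contoso.com\Corp NAP CA'  # hypothetical existing NAP CA (server\CA name)
$TrustedGroup   = 'Corp HRA Servers'             # hypothetical trusted server group name

# ---- Phase 1 (source server, local administrator): record current state before any change. ----
function Export-SourceHraState {
    param([string]$Store)
    New-Item -ItemType Directory -Path $Store -Force | Out-Null
    # HRA settings and CA list from the netsh nap hra context.
    netsh nap hra show configuration | Out-File "$Store\hra-configuration.txt"
    netsh nap hra show cas           | Out-File "$Store\hra-cas.txt"
    # NPS policies and settings; the NPS migration guide's import step consumes this XML.
    # exportPSK=YES writes RADIUS shared secrets in clear text, so protect the share.
    netsh nps export filename="$Store\nps-config.xml" exportPSK=YES
    # IIS: the HTTPS binding and the certificate thumbprint NAP clients currently trust.
    Import-Module WebAdministration
    Get-WebBinding -Name 'Default Web Site' |
        Select-Object protocol, bindingInformation, certificateHash |
        Export-Csv "$Store\iis-bindings.csv" -NoTypeInformation
}

# ---- Phase 2 (destination server, local administrator): roles and HRA settings. ----
function Install-DestinationHra {
    # NPAS-Health is the HRA role service; the wizard-equivalent dependency resolution pulls
    # in NPAS-Policy-Server (NPS) and the Web Server (IIS) components HRA requires.
    Install-WindowsFeature -Name NPAS-Health -IncludeManagementTools
}

function Set-DestinationHraCa {
    param([string]$CaName)
    # Register the existing NAP CA recorded in hra-cas.txt. The url value is the CA name in
    # server\CA name form (assumption: confirm with "netsh nap hra add cas ?" on the destination).
    netsh nap hra add cas url="$CaName" processingorder=1
    netsh nap hra show cas
}

function Set-HraIisConnectionLimit {
    param([int]$MaxConnections)
    # Raise the per-site concurrent connection limit so HRA performance does not degrade
    # under load. The value is a placeholder; use the one from "Configure IIS connection settings".
    Import-Module WebAdministration
    Set-ItemProperty 'IIS:\Sites\Default Web Site' -Name limits.maxConnections -Value $MaxConnections
    (Get-ItemProperty 'IIS:\Sites\Default Web Site' -Name limits).maxConnections
}

# ---- Phase 3 (NAP client, domain administrator): point clients at the new HRA name. ----
function Update-NapClientTrustedServerGroup {
    param([string]$GroupName, [string]$HraHost)
    # Domain-joined clients use the domainhra path (Windows authentication); nondomainhra is
    # the anonymous path. In production this is set through the NAP client Group Policy
    # (Trusted Server Groups), which overrides the local netsh configuration shown here.
    netsh nap client add trustedservergroup name="$GroupName" requirehttps=enable
    netsh nap client add server group="$GroupName" url="https://$HraHost/domainhra/hcsrvext.dll" processingorder=1
    netsh nap client show trustedservergroup
}

# ---- Phase 4 (NAP client): verify that a health certificate was actually issued. ----
function Test-HealthCertificatePresent {
    # NAP health certificates carry the System Health Authentication EKU (1.3.6.1.4.1.311.47.1.1).
    $eku = '1.3.6.1.4.1.311.47.1.1'
    $certs = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $eku -and $_.NotAfter -gt (Get-Date) }
    return [bool]$certs
}

# Typical order of use; run each function on the machine named in its comment.
# Export-SourceHraState -Store $MigrationStore
# Install-DestinationHra
# Set-DestinationHraCa -CaName $NapCa
# Set-HraIisConnectionLimit -MaxConnections 1000
# Update-NapClientTrustedServerGroup -GroupName $TrustedGroup -HraHost $NewHraHost
# Test-HealthCertificatePresent
```

Because the destination has a different host name, the source HRA keeps serving clients until the Group Policy change has applied and Test-HealthCertificatePresent returns True on a client that is using the new URL; only then is the source server retired in the post-migration phase. In the same-host-name scenario the client step is unnecessary, but Phase 2 cannot start until the source server is offline, which is why that scenario needs a secondary HRA server to avoid downtime.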
If the NPS role on the source server is used for purposes other than IPsec NAP, client computers might fail to access the network during the server migration process. For example, if the source server is used for VPN client authentication, consult the Migrate Network Policy Server to Windows Server 2012 for detailed migration instructions prior to migrating HRA.
| Scenario | Impact on the source server | Impact on NAP clients |
|---|---|---|
| Destination server has a different host name | None. | The NAP client settings for all computers configured to use the HRA must be updated. There is little to no downtime in this scenario if the procedures in this guide are followed. |
| Destination server has the same host name | Must be decommissioned and taken offline before the destination server is joined to the domain. | Clients will be unable to obtain a health certificate for a short period after the source server is decommissioned, unless a secondary HRA server is deployed. |
The following permissions are required on the source server and the destination server:
Domain administrative rights are required to configure and authorize the HRA server, and configure group policy settings for NAP clients.
Local administrative rights are required to install or manage the server running HRA.
The migration can take two to three hours, including testing.