Install the HRA Role Service
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
The Health Registration Authority (HRA) server is a NAP enforcement server for the IPsec enforcement method and the no enforcement method. To deploy an HRA server for NAP, you must install the HRA role service. For more information about HRA, see IPsec Enforcement Configuration.
Note
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
This topic includes sample Windows PowerShell cmdlets that you can use to automate some of the procedures described. For more information, see How to Run a Windows PowerShell Cmdlet.
Installing the HRA role service
Use one of the following procedures to install the HRA role service:
To install the HRA role service in Windows Server 8 Beta by using Windows PowerShell
To install the HRA role service in Windows Server 8 Beta by using Server Manager
To install the HRA role service on Windows Server 2008 or Windows Server 2008 R2
To install the HRA role service in Windows Server 8 Beta by using Windows PowerShell
- Open a Windows PowerShell session with elevated rights. To do this, right-click the Windows PowerShell or Command Prompt Start menu object that you are using to start your Windows PowerShell sessions, and then click Run as administrator.
Note
Because of security restrictions imposed by User Account Control, you must use a Windows PowerShell session with elevated rights when adding server roles and role services.
Load the Server Manager module into the Windows PowerShell session before working with Server Manager cmdlets. Type the following, and then press Enter.
Import-Module Servermanager
Note
Windows PowerShell cmdlets are not case-sensitive.
Type the following to install the HRA role service:
Install-windowsfeature -name NPAS-Health -IncludeManagementTools
Note
The –IncludeManagementTools parameter installs the management console on the target server.
- Verify via the Windows PowerShell console that the installation succeeded. Under Success, the result should be True.
To install the HRA role service in Windows Server 8 Beta by using Server Manager
In Server Manager, click Manage and click Add Roles and Features.
On the Before you begin page, click Next.
On the Select installation type page, click Role/Feature Based Install and then click Next.
On the Select destination server page, click Select a server from the server pool, click the names of the servers where you want to install NPS and then click Next.
On the Select server roles page, click Network Policy and Access Services, and then click Next three times.
Note
If the Network Policy Server role service is already installed, expand the NPAS node and select Health Registration Authority. Click Next three times and continue with step 7 below.
- On the Select role services page, click Health Registration Authority, and in the Add Roles and Features Wizard dialog box, verify that Include management tools (if applicable) is selected, click Add Features, and then click Next.
Note
If not already installed, the Network Policy Services role service is automatically installed with HRA.
On the Certification Authority page, select one of the following based on your deployment, and then click Next.
If you want to install a NAP certification authority (CA) now on the local computer, choose Use the local CA to issue health certificates for this HRA server.
If you have already installed Active Directory Certificate Services (AD CS) on this computer and you will use it as a NAP CA, choose Use the local CA to issue health certificates for this HRA server.
If you have already installed a NAP CA on another computer, choose Use an existing remote CA.
If you will install a NAP CA later on this computer or another computer, choose Select a CA later using the HRA console.
Note
This procedure assumes a choice of Select a CA later using the HRA console. For more information about installing a NAP CA for use with HRA, see Deploying NAP Certification Authorities.
On the Authentication Requirements page, select one of the following based on your deployment, and then click Next.
If this HRA will supply health certificates to domain member computers only, choose Yes, require requestors to be authenticated as members of a domain.
If this HRA will supply health certificates to non-domain member computers, choose No, allow anonymous requests for health certificates.
On the Server Authentication Certificate page, select one of the following based on your deployment, and then click Next.
If you have already installed a certificate for Secure Sockets Layer (SSL) encryption on this server, choose Choose an existing certificate for SSL encryption.
If you will not use SSL with HRA, or if you will provision an SSL certificate later, choose Don't use SSL or choose a certificate for SSL encryption later.
Note
This procedure assumes a choice of Choose an existing certificate for SSL encryption. For more information about installing an SSL certificate for use with HRA, see Configure an SSL Certificate for HRA.
Under Choose an existing certificate for SSL encryption, click the certificate that you will use for SSL encryption, and then click Properties.
In the Certificate window, click the Details tab. Verify the following values, and then click OK.
The Issuer field has a value corresponding to a trusted CA in your domain.
The Valid to field has a value greater than the current date.
The Subject field has a value equal to the fully qualified domain name (FQDN) of the HRA server.
The Enhanced Key Usage field has a value that includes Server Authentication (1.3.6.1.5.5.7.3.1).
Click Next three times, and then click Install.
On the Results page, verify that all roles and features were installed successfully, and then click Close.
To install the HRA role service on Windows Server 2008 or Windows Server 2008 R2
In Server Manager, under Roles Summary, click Add Roles, and then click Next.
On the Select Server Roles page, select the Network Policy and Access Services check box, and then click Next twice.
On the Select Role Services page, select the Health Registration Authority check box. If you are prompted to install additional role services and features, click Add Required Role Services, and then click Next.
On the Choose the Certification Authority to use with the Health Registration Authority page, select one of the following based on your deployment, and then click Next.
If you want to install a NAP certification authority (CA) now on the local computer, choose Install a local CA to issue health certificates for this HRA server.
If you have already installed Active Directory Certificate Services (AD CS) on this computer and you will use it as a NAP CA, choose Use the local CA to issue health certificates for this HRA server.
If you have already installed a NAP CA on another computer, choose Use an existing remote CA.
If you will install a NAP CA later on this computer or another computer, choose Select a CA later using the HRA console.
Note
This procedure assumes a choice of Select a CA later using the HRA console. For more information about installing a NAP CA for use with HRA, see Deploying NAP Certification Authorities.
On the Choose Authentication Requirements for the Heatlh Registration Authority page, select one of the following based on your deployment, and then click Next.
If this HRA will supply health certificates to domain member computers only, choose Yes, require requestors to be authenticated as members of a domain.
If this HRA will supply health certificates to non-domain member computers, choose No, allow anonymous requests for health certificates.
On the Choose a Server Authentication Certificate for SSL Encryption page, select one of the following based on your deployment, and then click Next.
If you have already installed a certificate for Secure Sockets Layer (SSL) encryption on this server, choose Choose an existing certificate for SSL encryption.
If you want to create a self-signed certificate for SSL encryption, choose Create a self-signed certificate for SSL encryption.
If you will not use SSL with HRA, or if you will provision an SSL certificate later, choose Don't use SSL or choose a certificate for SSL encryption later.
Note
This procedure assumes a choice of Choose a Server Authentication Certificate for SSL Encryption. For more information about installing an SSL certificate for use with HRA, see Configure an SSL Certificate for HRA.
Under Choose a Server Authentication Certificate for SSL Encryption, click the certificate that you will use for SSL encryption, and then click Properties.
In the Certificate window, click the Details tab. Verify the following values, and then click OK.
The Issuer field has a value corresponding to a trusted CA in your domain.
The Valid to field has a value greater than the current date.
The Subject field has a value equal to the fully qualified domain name (FQDN) of the HRA server.
The Enhanced Key Usage field has a value that includes Server Authentication (1.3.6.1.5.5.7.3.1).
Click Next three times, and then click Install.
On the Installation Results page, verify that all roles and features were installed successfully, and then click Close.