HRA Server Migration: Migrating the HRA Server
Updated: November 11, 2009
Applies To: Windows Server 2008, Windows Server 2008 R2
This topic contains steps and procedures for migrating the Health Registration Authority (HRA) role service from a legacy source server to a new x64-based destination server running Windows Server® 2008 R2.
Important
The NPS role service must be installed before HRA can be configured on the destination server. If NPS on the destination server will only be used with HRA, you can use the Add Roles Wizard in Server Manager to install both HRA and NPS role services together. Following service installation, see the NPS Migration Guide for procedures to migrate NPS settings to the destination server. When you have completed migration of NPS, continue performing the procedures in this guide to complete HRA migration.
Migrating settings from the source server
Use the following procedures to export the HRA settings from your x86-based or x64-based source HRA server prior to migrating to an x64-based server running Windows Server 2008 R2.
Important
If your migration plan involves configuring the destination server with the same host name as the source server, then the source server must be decommissioned and taken offline prior to joining the destination server to the domain. To eliminate downtime in this scenario, a secondary HRA server should already be deployed before proceeding. For information about deploying a new HRA server, see Install HRA using the Add Roles Wizard or Install HRA using Add Role Services.
To export settings from the source server
On the source HRA server, type the following command at an elevated command prompt, and then press ENTER:
netsh nap hra export filename=c:\hra_export.xml
Copy the hra_export.xml file from the c:\ directory to the migration file storage location you have chosen.
Configuration settings for the NPS role service must also be exported from the source server. Use the procedures provided in the Migrating settings from the source server section of the NPS Server Migration: Migrating the NPS Server topic to export these settings.
Copy the exported NPS configuration files to the same migration file storage location. The NPS export can contain RADIUS shared secrets in clear text, so restrict access to the storage location to the accounts performing the migration and delete the files once the import has been verified.
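The export steps above, collected into one script as an added example (this is not code from the original guide). It exports the HRA settings with the same netsh command as the procedure, exports the NPS settings with the netsh nps export command from the NPS Migration Guide, records a SHA-1 hash of each file so the copies can be checked on the destination before import, and copies everything to the storage location. The export directory C:\hra_migration and the share \\fileserver\migration\hra are assumptions; replace them with the paths you chose.

```powershell
# Added example (not part of the original guide): export HRA and NPS settings on
# the source server, record file hashes, and copy the exports to the migration
# file storage location. Run from an elevated PowerShell prompt on the source
# HRA server (PowerShell 2.0 on Windows Server 2008 / 2008 R2 is sufficient).

$ExportDir   = 'C:\hra_migration'                  # assumption
$StoragePath = '\\fileserver\migration\hra'         # assumption: migration file storage location
$HraFile     = Join-Path $ExportDir 'hra_export.xml'
$NpsFile     = Join-Path $ExportDir 'nps_export.xml'
$Manifest    = Join-Path $ExportDir 'hashes.txt'

if (-not (Test-Path $ExportDir)) { New-Item -Path $ExportDir -ItemType Directory | Out-Null }

# Export HRA settings (same command as in the procedure above).
& netsh nap hra export "filename=$HraFile"
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $HraFile)) {
    throw "HRA export failed (netsh exit code $LASTEXITCODE)."
}

# Export NPS settings. exportPSK=YES writes RADIUS shared secrets into the XML in
# clear text, so the file must be protected in transit and at rest and removed
# from the storage location once the import has been verified.
& netsh nps export "filename=$NpsFile" exportPSK=YES
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $NpsFile)) {
    throw "NPS export failed (netsh exit code $LASTEXITCODE)."
}

# Record a SHA-1 hash of each export so the destination can verify the copies.
# certutil -hashfile is available on Windows Server 2008; Get-FileHash is not.
# Output line 1 is a caption, line 2 is the hash (byte pairs separated by spaces).
if (Test-Path $Manifest) { Remove-Item $Manifest }
foreach ($f in $HraFile, $NpsFile) {
    $hash = (& certutil -hashfile $f | Select-Object -Skip 1 -First 1) -replace ' ', ''
    "$hash  $(Split-Path $f -Leaf)" | Add-Content -Path $Manifest
}

# Copy the exports and the hash manifest to the storage location. The share
# should be ACL'd to the migration account only, because the NPS export
# contains secrets.
Copy-Item -Path $HraFile, $NpsFile, $Manifest -Destination $StoragePath -Force
Get-ChildItem -Path $StoragePath
```

On the destination, run certutil -hashfile against the copied files and compare the output with hashes.txt before importing; a mismatch means the file was altered or truncated in transit and must not be imported.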
Configuring the destination server
Use the following procedures to configure the destination server with the required identity, certificates, and services. If the destination server will have a different host name and IP address from the source server, then the source server can remain online and in service until testing and verification of the destination server is complete. When you have finished configuring the destination server's identity, certificates, and services, you can begin migrating HRA settings from the source server to the destination server.
Important
Some services and settings on the destination server might already be migrated due to the migration of prerequisite roles. Before you configure the destination HRA server, consult the Migrating prerequisite roles topic in this guide to determine the configuration settings for NPS, AD CS, and IIS that must be migrated first.
To configure the destination server
Add the destination server to the domain of the source server. If the destination server will use the same name as the source server, you must ensure the source server is decommissioned as described in the Impact of migration topic.
Add the destination server to all security groups and organizational units (OUs) of which the source HRA server is a member. In most cases, the HRA server is a member of the IPsec boundary OU. Members of the boundary OU typically have IPsec policies applied that allow communication with both compliant and noncompliant computers. For more information on OUs and required IPsec policy settings, see Checklist: Deploy IPsec Policies for NAP.
To update Group Policy settings on the destination server, run the following command at an elevated command prompt:
gpupdate /force
Note
To apply new security group membership settings, you must restart the destination server.
If client computers will use SSL to request health certificates from HRA, you must provision the destination server with an SSL certificate. For more information, see Configure an SSL Certificate for HRA, or use the process defined within your organization for provisioning an SSL certificate.
Install the HRA role service on the destination server. If the Network Policy and Access Services (NPAS) role has not been installed on the destination server, you can Install HRA using the Add Roles Wizard. If NPS or another NPAS role service has already been installed on the destination server, you must Install HRA using Add Role Services.
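The group and OU requirements in the steps above are easy to get wrong when the destination has a new host name, and a missing membership only shows up later as an IPsec policy that is not applied. The following added example (not code from the original guide) reads both computer accounts from Active Directory through ADSI and reports the OU and security groups in which the source HRA is a member but the destination is not, so that they can be added before running gpupdate /force and restarting the destination. HRA1 and HRA2 are assumed host names; replace them with the names of your source and destination servers.

```powershell
# Added example (not part of the original guide): compare the OU and security
# group membership of the source and destination HRA computer accounts. Run
# from a domain-joined PowerShell prompt (PowerShell 2.0 is sufficient).

$SourceHost      = 'HRA1'   # assumption: source HRA host name
$DestinationHost = 'HRA2'   # assumption: destination HRA host name

function Get-ComputerAccount {
    param([string]$Name)
    # The sAMAccountName of a computer account is the host name followed by '$'.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$Name`$))"
    $null = $searcher.PropertiesToLoad.Add('distinguishedName')
    $null = $searcher.PropertiesToLoad.Add('memberOf')
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Computer account '$Name' was not found in the domain." }

    $dn = [string]$result.Properties['distinguishedname'][0]
    New-Object PSObject -Property @{
        Name     = $Name
        DN       = $dn
        # Parent container of the object; host names cannot contain commas, so the
        # first comma separates the CN from the OU path.
        OU       = $dn.Substring($dn.IndexOf(',') + 1)
        MemberOf = @($result.Properties['memberof'] | ForEach-Object { [string]$_ })
    }
}

$src = Get-ComputerAccount -Name $SourceHost
$dst = Get-ComputerAccount -Name $DestinationHost

if ($src.OU -ne $dst.OU) {
    Write-Warning "OU differs. Source: $($src.OU)"
    Write-Warning "            Destination: $($dst.OU)"
    Write-Warning "Move $DestinationHost into the source OU (typically the IPsec boundary OU) so the same GPOs apply."
} else {
    "Both servers are in $($src.OU)."
}

# Groups the source is in but the destination is not: these must be added.
$missing = @($src.MemberOf | Where-Object { $dst.MemberOf -notcontains $_ })
if ($missing.Count -gt 0) {
    "Add $DestinationHost to the following groups, then restart it so the new group membership is in its token:"
    $missing
} else {
    "$DestinationHost is a member of every group that $SourceHost is a member of."
}

# Groups the destination has that the source lacks: review them, since they widen
# what the destination can reach compared with the server it replaces.
$extra = @($dst.MemberOf | Where-Object { $src.MemberOf -notcontains $_ })
if ($extra.Count -gt 0) {
    "Groups present on $DestinationHost but not on $SourceHost (review):"
    $extra
}
```

memberOf does not include the account's primary group (normally Domain Computers), which is the same for both accounts; direct group memberships, which is what the IPsec boundary policy and any HRA-specific GPO filtering depend on, are compared in full.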
Install HRA using the Add Roles Wizard
In the Server Manager console tree, right-click Roles, click Add Roles, and then click Next.
On the Select Server Roles page, select the Network Policy and Access Services check box, and then click Next twice.
On the Select Role Services page, select the Health Registration Authority check box. Click Add Required Role Services in the popup window that appears, and then click Next.
On the Choose the Certification Authority to use with the Health Registration Authority page, choose Select a CA later using the HRA console, and then click Next.
Note
Certification authority settings for HRA will be configured when you migrate settings from the source server.
On the Choose Authentication Requirements for the Health Registration Authority page, choose No, allow anonymous requests for health certificates if the destination HRA will provide health certificates to workgroup computers. Anonymous requests allow any computer that can reach the HRA to request a health certificate, so if health certificates will be issued to domain-joined clients only, choose Yes, require requestors to be authenticated as members of a domain (recommended). Click Next to continue.
On the Choose a Server Authentication Certificate for SSL Encryption page, choose Choose an existing certificate for SSL encryption (recommended), click the certificate displayed under this option, and then click Next. If multiple certificates are displayed, or you are not sure whether the certificate displayed can be used for SSL encryption, see Install the HRA Role Service (https://go.microsoft.com/fwlink/?linkid=164269) for more information.
Click Next three times, and then click Install.
On the Installation Results page, verify that installation was successful, and then click Close.
Install HRA using Add Role Services
In the Server Manager console tree, right-click Network Policy and Access Services, and then click Add Role Services.
On the Select Role Services page, select the Health Registration Authority check box. Click Add Required Role Services in the popup window that appears, and then click Next.
On the Choose the Certification Authority to use with the Health Registration Authority page, choose Select a CA later using the HRA console, and then click Next.
Note
Certification authority settings for HRA will be configured when you migrate settings from the source server.
On the Choose Authentication Requirements for the Health Registration Authority page, choose No, allow anonymous requests for health certificates if the destination HRA will provide health certificates to workgroup computers. Anonymous requests allow any computer that can reach the HRA to request a health certificate, so if health certificates will be issued to domain-joined clients only, choose Yes, require requestors to be authenticated as members of a domain (recommended). Click Next to continue.
On the Choose a Server Authentication Certificate for SSL Encryption page, choose Choose an existing certificate for SSL encryption (recommended), click the certificate displayed under this option, and then click Next. If multiple certificates are displayed, or you are not sure whether the certificate displayed can be used for SSL encryption, see Install the HRA Role Service (https://go.microsoft.com/fwlink/?linkid=164269) for more information.
Click Next three times, and then click Install.
On the Installation Results page, verify that installation was successful, and then click Close.
Migrating settings to the destination server
Follow the procedure below to migrate HRA settings from the source to destination server.
To migrate the settings to the destination server
On the destination server, type the following command at an elevated command prompt, and then press ENTER:
netsh nap hra import filename=c:\hra_export.xml
Replace c:\hra_export.xml with the path and file name of the HRA configuration file that you exported in the previous procedure, Migrating settings from the source server, and copied from the migration file storage location to the destination server.
Note
If you receive the error message “Cannot create a file when that file already exists,” the destination HRA already has certification authority entries configured, and the import cannot overwrite them. Reset the HRA configuration and then perform this procedure again. Resetting removes every CA entry currently configured on the destination HRA, which is acceptable here because the import supplies the CA list from the source server. To reset the HRA configuration, type the following command at an elevated command prompt, and then press ENTER:
reg delete HKLM\Software\Microsoft\HCS\CAServers
Verify that the settings have been imported successfully. To review HRA settings, type the following command at a command prompt and then press ENTER:
netsh nap hra show configuration
If the name of the certification authority will change as a result of the migration, type the following commands at an elevated command prompt to add the name of the correct CA and then delete the name of the old CA. Adding the new CA before deleting the old one ensures that HRA is never configured without a CA. Replace \\srv2.woodgrovebank.com\woodgrovebank-srv2-CA and 1 with the name and processing order of the CA you wish to use, and \\srv1.woodgrovebank.com\woodgrovebank-srv1-CA with the name of the CA being retired.
netsh nap hra add caserver name = "\\srv2.woodgrovebank.com\woodgrovebank-srv2-CA" processingorder = "1"
netsh nap hra delete caserver name = "\\srv1.woodgrovebank.com\woodgrovebank-srv1-CA"
You can use the output of the netsh nap hra show configuration command to view the name and processing order format used for the previous CA. For more information, see HRA Certification Authority Commands.
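The import, the “file already exists” recovery, the verification and the CA replacement above, as one script for the destination server. This is an added example, not code from the original guide. It runs the import, detects the error message quoted in the note and retries after resetting the CAServers key, prints the configuration, optionally swaps the CA (adding the new one before deleting the old one), and finally uses certutil -ping against every CA that appears in the HRA configuration to confirm the destination can reach it. The import path, the new CA name and the $CaChanged switch are assumptions to be set for your environment; the old CA name is the one used in the procedure above.

```powershell
# Added example (not part of the original guide): import HRA settings on the
# destination server with recovery for the "Cannot create a file when that file
# already exists" error, verify the result, optionally replace the CA, and test
# connectivity to each configured CA. Run from an elevated PowerShell prompt on
# the destination HRA server.

$ImportFile = 'C:\hra_export.xml'                               # assumption: copied export file
$OldCa      = '\\srv1.woodgrovebank.com\woodgrovebank-srv1-CA'  # CA name from the procedure above
$NewCa      = '\\srv2.woodgrovebank.com\woodgrovebank-srv2-CA'  # assumption: replacement CA
$CaChanged  = $false   # set to $true only if the CA name changes as part of the migration

function Import-HraConfig {
    param([string]$Path)
    if (-not (Test-Path $Path)) { throw "Export file '$Path' not found." }

    $text = (& netsh nap hra import "filename=$Path" 2>&1 | Out-String)
    if ($text -match 'Cannot create a file when that file already exists') {
        # The destination already has CA entries; clear them and import again.
        Write-Warning 'HRA already has CA entries configured; resetting HKLM\Software\Microsoft\HCS\CAServers and retrying.'
        & reg delete HKLM\Software\Microsoft\HCS\CAServers /f | Out-Null
        $text = (& netsh nap hra import "filename=$Path" 2>&1 | Out-String)
    }
    if ($LASTEXITCODE -ne 0) { throw "HRA import failed:`n$text" }
    $text
}

Import-HraConfig -Path $ImportFile

# Show the imported settings; the CA section shows the name and processing order
# format to use when adding or deleting CA entries.
$config = (& netsh nap hra show configuration | Out-String)
$config

if ($CaChanged) {
    # Add the new CA first so that HRA is never left without a CA, then remove the old one.
    & netsh nap hra add caserver "name=$NewCa" processingorder=1
    if ($LASTEXITCODE -ne 0) { throw "Failed to add CA $NewCa" }
    & netsh nap hra delete caserver "name=$OldCa"
    if ($LASTEXITCODE -ne 0) { throw "Failed to delete CA $OldCa" }
    $config = (& netsh nap hra show configuration | Out-String)
    $config
}

# Every CA in the HRA configuration must be reachable from this server; the
# destination's computer account also needs the CA permissions described under
# "Configuring the certification authority". CA names appear as \\host\CAName.
$caNames = [regex]::Matches($config, '\\\\[^\s"]+\\[^\s"]+') |
    ForEach-Object { $_.Value } | Select-Object -Unique

foreach ($ca in $caNames) {
    # certutil -config expects host\CAName without the leading backslashes.
    & certutil -config $ca.TrimStart('\') -ping | Out-Null
    if ($LASTEXITCODE -eq 0) { "CA reachable: $ca" } else { Write-Warning "CA NOT reachable: $ca" }
}
```

certutil -ping only proves that the CA's RPC interface answers; whether the destination HRA may actually request and manage certificates is decided by the CA security permissions granted in the next section, so a successful ping with a failed health-certificate enrollment during verification points at those permissions rather than at connectivity.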
Configuring the certification authority
The destination HRA server's computer account must be granted permissions on the certification authority to request, issue, and manage certificates. It must also be granted the Manage CA permission so that HRA can periodically remove expired health certificates from the CA database. These are privileged rights on the CA, so grant them to the HRA computer account (or to a group containing only HRA servers), not to a broad group.
If the host name of the destination server is different from the source server, then the certification authority for the NAP deployment must be configured with permissions for the new HRA computer account. If the destination HRA server is already a member of an OU or group that has permissions to manage the NAP CA, then this procedure is not required.
To configure the certification authority with permissions for the destination HRA
On the CA server, click Start, click Run, type certsrv.msc, and then press ENTER.
In the certification authority console tree, right-click the CA name, and then click Properties.
Click the Security tab, and then click Add.
Click Object Types, click the Computers check box, and then click OK.
If the CA is located on a different computer than the destination HRA server, type the name of the destination HRA server under Enter the object names to select, and then click OK.
Note
If the CA is installed on the same computer as the destination HRA server, type NETWORK SERVICE under Enter the object names to select, and then click OK.
Click the name of the destination server, or click NETWORK SERVICE, select Allow for the Issue and Manage Certificates, Manage CA, and Request Certificates check boxes, and then click OK.
Close the Certification Authority console.
Configuration tips for migrating the certification authority
If the HRA uses a CA that was recently migrated in parallel using the Active Directory Certificate Services Migration Guide (https://go.microsoft.com/fwlink/?LinkID=156771), consider the following:
If the HRA uses an Enterprise CA that was recently migrated, the System Health Authentication certificate template used by the HRA must be restored to the migrated CA's list of issued templates in Active Directory before it can be used. This procedure is described in the Restoring the certificate templates list section of the AD CS Migration: Migrating the Certification Authority topic and in the Backing up a CA templates list procedure of the AD CS Migration: Preparing to Migrate topic in the Active Directory Certificate Services Migration Guide (https://go.microsoft.com/fwlink/?LinkID=156771).
If the HRA uses a Root CA that was recently migrated, then all NAP IPsec policies configured in Group Policy need to be edited to use the correct Root CA. For more information, see Configure IPsec GPOs.
See Also
Concepts
HRA Migration Guide
HRA Server Migration: Preparing to Migrate
HRA Server Migration: Verifying the Migration
HRA Server Migration: Post-migration Tasks
Network Access Protection Design Guide
Network Access Protection Deployment Guide