

How to Deploy Network Access Protection For a Single Forest

When all your site servers that are enabled for Network Access Protection (NAP) and System Health Validator points reside in the same Active Directory forest, no additional Network Access Protection configuration is required to support Network Access Protection in Configuration Manager 2007. However, Active Directory Domain Services must be extended with the Configuration Manager 2007 schema extensions and the site servers must be publishing to Active Directory Domain Services.

Network Access Protection is one of many Configuration Manager features that integrate with Active Directory Domain Services, so these configuration procedures might have already been performed.

Note

If your Network Access Protection implementation in Configuration Manager spans multiple forests, you will have additional configuration steps to perform for Configuration Manager and Active Directory Domain Services. See the following for more information: About Network Access Protection and Multiple Active Directory Forests.

When your Configuration Manager hierarchy is entirely in one Active Directory forest, there are fewer configuration tasks you must perform to support Network Access Protection in Configuration Manager, and the following default values will be used:

  • The site server computer account is used to install the System Health Validator Point.

  • The site server computer account is used to publish the Configuration Manager health state reference to Active Directory.

  • The site server will publish the Configuration Manager health state reference to its Active Directory forest.

  • The System Health Validator point will query its Active Directory forest for the Configuration Manager health state references.

  • The computer account of the System Health Validator point will be used to query Active Directory for the Configuration Manager health state references.

However, if you have not already done so for other Configuration Manager features, you must provision Active Directory and configure Configuration Manager to publish to Active Directory Domain Services.

To deploy Network Access Protection in Configuration Manager for a single forest, the following steps must be completed:

  1. The Active Directory schema must be extended with the Configuration Manager 2007 schema extensions.

  2. A System Management container must be created in each domain for each primary site that will be enabled for Network Access Protection.

  3. Permissions must be set appropriately on the System Management container for each site server.

  4. Each primary site in Configuration Manager enabled for Network Access Protection must be configured to publish to Active Directory Domain Services.

For procedural information on completing steps 1 through 3, see How to Extend the Active Directory Schema for Configuration Manager.

For procedural information on completing step 4, see How to Publish Configuration Manager Site Information to Active Directory Domain Services.
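
A quick check that steps 2 and 3 are in place for one domain, as an added example that is not part of the original documentation. It assumes the ActiveDirectory PowerShell module is available, that the container sits at its standard location CN=System Management,CN=System,<domain>, and that the site server computer account holds Full Control on the container and all descendant objects; `CM-SITE01` and the function name are hypothetical.

```powershell
# Added example (not from the original documentation).
Import-Module ActiveDirectory

function Test-SystemManagementContainer {
    param(
        [Parameter(Mandatory)][string]$SiteServer   # computer name, without the trailing $
    )

    $domain      = Get-ADDomain
    $containerDn = "CN=System Management,CN=System,$($domain.DistinguishedName)"
    $account     = "$($domain.NetBIOSName)\$SiteServer`$"

    # Step 2: the container must exist in this domain.
    try {
        Get-ADObject -Identity $containerDn -ErrorAction Stop | Out-Null
    } catch {
        Write-Warning "Container not found: $containerDn"
        return $false
    }

    # Step 3: look for an Allow ACE that gives the site server computer account
    # Full Control (GenericAll) on this object and all descendant objects.
    $fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $acl  = Get-Acl -Path "AD:\$containerDn"
    $aces = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $account -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $fullControl) -eq $fullControl -and
        $_.InheritanceType -eq 'All'
    })

    if ($aces.Count -eq 0) {
        # Rights granted through a group the account belongs to are not detected here.
        Write-Warning "$account has no direct Full Control ACE on $containerDn"
        return $false
    }
    return $true
}

Test-SystemManagementContainer -SiteServer 'CM-SITE01'   # hypothetical site server name
```

Run it once per domain that hosts a NAP-enabled primary site; reviewing the remaining entries in `$acl.Access` also shows which other principals can write to the container.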

See Also

Concepts

How to Deploy Network Access Protection Across Multiple Forests
About Network Access Protection and Multiple Active Directory Forests
About System Health Validator Points in Network Access Protection
About NAP Health State References in Network Access Protection

Other Resources

Configuring Network Access Protection