This section provides troubleshooting information to help you identify and resolve the reasons why computers that use Network Access Protection in Configuration Manager 2007 do not have full network access when they should.
The Configuration Manager Health State Reference Has Not Completed Active Directory Replication
Network Access Protection relies on Active Directory Domain Services to publish and retrieve health state references.
When installing a new Configuration Manager site, wait until replication for the Configuration Manager site is complete before configuring Configuration Manager Network Access Protection (NAP) policies.
Solution
Wait for Active Directory replication to complete.
The System Health Validator Point Cannot Retrieve the Configuration Manager Health State Reference
Network Access Protection uses Active Directory Domain Services to publish and retrieve health state references. If this is not configured and operational, compliant clients might have limited network access.
Solution
First, ensure that the Active Directory schema has been extended with the Configuration Manager 2007 schema extensions and that the Configuration Manager site is publishing to Active Directory. For more information, see the following:
- How to Extend the Active Directory Schema for Configuration Manager
- How to Publish Configuration Manager Site Information to Active Directory Domain Services
- How to Verify That Site Information Is Published to Active Directory Domain Services
Second, ensure that the Configuration Manager health state reference settings are configured appropriately for your environment. For more information, see the following:
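The following PowerShell script is an added check that is not part of the original Configuration Manager 2007 documentation. It covers both the "wait for replication" cause above and the "verify that the site is publishing" steps: it queries each listed domain controller for the System Management container, for the mSSMSSite object of the given site code, and for a populated health state reference, so that a reference that is present on one domain controller but missing on another shows up as pending replication. The site code, the domain controller names, and the use of the mSSMSSiteCode and mSSMSHealthState attributes of the mSSMSSite object are assumptions to adjust for your environment.

```powershell
# Added example, not from the Configuration Manager 2007 documentation.
# Assumptions: site code 'CM1', placeholder domain controller names, and the
# health state reference being stored in the mSSMSHealthState attribute of the
# site's mSSMSSite object in the System Management container.
param(
    [string]$SiteCode = 'CM1',                          # assumed site code
    [string[]]$DomainControllers = @('DC01', 'DC02')   # assumed DC names
)

# Domain naming context, e.g. DC=contoso,DC=com
$domainDN = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext

foreach ($dc in $DomainControllers) {
    $containerPath = "LDAP://$dc/CN=System Management,CN=System,$domainDN"

    # No container at all means publishing to AD DS has never been set up
    # (or the site server was never granted rights to create objects there).
    if (-not [ADSI]::Exists($containerPath)) {
        Write-Warning "$dc : System Management container not found; site publishing is not set up"
        continue
    }

    # Look for this site's mSSMSSite object; the class only exists if the
    # Configuration Manager schema extensions have been applied.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]$containerPath
    $searcher.Filter = "(&(objectClass=mSSMSSite)(mSSMSSiteCode=$SiteCode))"
    $searcher.PropertiesToLoad.AddRange([string[]]@('mSSMSSiteCode', 'mSSMSHealthState', 'whenChanged'))

    try {
        $result = $searcher.FindOne()
    } catch {
        # An unknown attribute or class in the filter means the schema is not extended.
        Write-Warning "$dc : query failed ($($_.Exception.Message)); check that the schema is extended"
        continue
    }

    if ($null -eq $result) {
        Write-Warning "$dc : no mSSMSSite object for site $SiteCode (not publishing, or replication still pending)"
        continue
    }

    # DirectorySearcher lower-cases property names in the result set.
    $healthState = $result.Properties['mssmshealthstate']
    if (-not $healthState -or $healthState.Count -eq 0) {
        Write-Warning "$dc : mSSMSSite object for $SiteCode is present but the health state reference is empty"
    } else {
        '{0} : site {1} health state reference present, object last changed {2}' -f `
            $dc, $SiteCode, $result.Properties['whenchanged'][0]
    }
}
```

Run the script from a domain-joined computer as a user with read access to the System Management container. If one domain controller reports the reference and another does not, the cause is replication and the fix is to wait; if no domain controller has the container or the mSSMSSite object, work through the schema extension and publishing topics listed above before configuring NAP policies.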
An Error Condition Occurred
By default, a client that experiences an error condition during the Network Access Protection process will be deemed non-compliant. However, error conditions can be reconfigured to give clients a compliant status, which can then result in full network access. For more information, see Network Access Protection Failure Categories and Error Codes.
Solution
Locate the error by referencing the Network Access Protection logs, and then correct the error. For more information about the log files, see Log Files for Network Access Protection.
Alternatively, you can reconfigure the failure category on the Network Policy Server so that it maps to a compliant status. For more information, see Configuring Failure Categories for Configuration Manager Network Access Protection.
Another System Health Agent (Not Configuration Manager) Is Responsible for a Non-Compliant Status
When the Network Policy Server is checking the health state of multiple System Health Agents and not just Configuration Manager, a Configuration Manager client that is compliant with the configured software updates can be non-compliant for a different System Health Agent, and as such, have limited network access.
Solution
None. Logging on the Network Policy Server will identify which System Health Agent returned a non-compliant health state.
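The following PowerShell script is an added example, not part of the original documentation, of how to read the Network Policy Server log to find which System Health Agent caused a client to be quarantined. It assumes NPS audit logging to the Security log is enabled and that, as on Windows Server 2008, a quarantined client is recorded as event 6276; the message field labels it matches ("System Health Validator Name" and "Quarantine System Health Validator Result") are assumed and should be compared against an actual event on your server.

```powershell
# Added example, not from the Configuration Manager 2007 documentation.
# Run on the Network Policy Server. Assumes Security event 6276 records each
# quarantined (limited access) client and that the message carries the fields
# matched by the regular expressions below.
param(
    [string]$ClientName,   # optional: only report events mentioning this computer
    [int]$Hours = 24       # how far back to look
)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6276
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

if (-not $events) {
    "No quarantine (6276) events in the last $Hours hours."
    return
}

foreach ($e in $events) {
    $msg = $e.Message
    if ($ClientName -and $msg -notmatch [regex]::Escape($ClientName)) { continue }

    # Assumed field labels: one SHV name and one result per quarantine block.
    $names   = [regex]::Matches($msg, 'System Health Validator Name:\s*(.+)') |
               ForEach-Object { $_.Groups[1].Value.Trim() }
    $results = [regex]::Matches($msg, 'Quarantine System Health Validator Result:\s*(.+)') |
               ForEach-Object { $_.Groups[1].Value.Trim() }

    for ($i = 0; $i -lt @($names).Count; $i++) {
        $shv    = @($names)[$i]
        $status = if ($i -lt @($results).Count) { @($results)[$i] } else { 'unknown' }

        # Anything other than the Configuration Manager SHV returning a
        # non-compliant result is the "other System Health Agent" case.
        $owner = if ($shv -match 'Configuration Manager') { 'ConfigMgr' } else { 'other SHA' }
        '{0:u}  {1,-12} {2,-45} {3}' -f $e.TimeCreated, $owner, $shv, $status
    }
}
```

A line tagged "other SHA" with a non-compliant result means the Configuration Manager client can be fully compliant with its software updates and still be quarantined; the fix lies with that agent's validator, not with Configuration Manager.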
The Network Policy Server Has Network Policies Configured Incorrectly for Configuration Manager
Network Access Protection in Configuration Manager relies on the correct configuration of policies on the Network Policy Server.
Solution
Ensure that the policies are configured correctly on the Network Policy Server. For more information, see the following:
The Computer Sends Its Statement Of Health to a System Health Validator Point Outside its Configuration Manager Hierarchy
This scenario results in the client having an unknown health state, which by default maps to the failure category SHA vendor specific error code received on the Configuration Manager System Health Validator on the Network Policy Server. By default, this failure category is configured as Non-compliant.
Solution
If this behavior is unwanted, reconfigure the failure category SHA vendor specific error code received on the Configuration Manager System Health Validator from Non-compliant to Compliant. For more information, see Configuring Failure Categories for Configuration Manager Network Access Protection.
The Network Access Protection Agent is Re-Enabled
If you enable Network Access Protection, create Configuration Manager NAP policies, and then disable Network Access Protection, the Configuration Manager NAP policies are not automatically deleted. Therefore, when you re-enable Network Access Protection on the same site, the old Configuration Manager NAP policies are also re-enabled.
For more information, see About Enabling and Disabling Network Access Protection.
Solution
Delete old Configuration Manager NAP policies you do not want. For more information, see How to Delete a Configuration Manager NAP Policy to Stop NAP Evaluation in Network Access Protection.