The configuration steps that must be taken when deploying Configuration Manager 2007 Network Access Protection (NAP) across multiple Active Directory forests depend on the forest topology, the existing configuration, and your decision on where to publish the Configuration Manager health state references. If you need help deciding where to publish the health state references, see Decide Which Forest Will Publish Health State References for Network Access Protection.

Use the following supported scenarios to select the appropriate configuration steps to deploy Network Access Protection in Configuration Manager across multiple Active Directory forests when site servers reside in one Active Directory forest, and all System Health Validator points reside in another Active Directory forest:

Deploying Configuration Manager Network Access Protection over two forests when the Configuration Manager health state references publish to the forest that contains the site servers

  1. If not already completed for other Configuration Manager features, complete the following steps:

  2. As part of the System Health Validator component configuration, complete the following steps:

    • Specify the option to Designate an Active Directory forest. For more information, see How to Specify the Location of the NAP Health State Reference.

    • Specify the fully qualified domain of the site server where you will create your NAP policies in the Domain suffix. This tells the System Health Validator points where they should retrieve Configuration Manager health state references. Because each domain writes the Configuration Manager health state references to the global catalog, the System Health Validator point queries the global catalog in the domain you specify, which means it can retrieve all the Configuration Manager health state references from all domains in that forest.

  3. If there is an outgoing trust relationship from the domain you have specified in the domain suffix to the domain(s) in which the System Health Validator points reside, no further configuration is required. The computer accounts of the System Health Validator points are used and authenticated across that trust.

  4. If there is no outgoing trust relationship from the domain you have specified in the domain suffix to the domain(s) in which the System Health Validator points reside, the following additional steps must be performed:

    • Create a Microsoft Windows user account in the forest that contains the site servers, and configure this account with a password that never expires.

    • Specify this Windows user account as the Health state reference querying account in the System Health Validator Point Component Properties under the Component Configuration node. For more information, see How to Specify the Health State Reference Querying Account.

Deploying Configuration Manager Network Access Protection over two forests when the Configuration Manager health state references publish to the forest that contains the System Health Validator points

  1. In the forest that contains the System Health Validator points, complete the following steps:

    • Extend the Active Directory schema with the Configuration Manager 2007 extensions. For more information, see How to Extend the Active Directory Schema for Configuration Manager.

    • Create a System Management container in one domain to store the Configuration Manager health state references.

    • Create a domain local group, and grant it Full Control permissions (to this object and all child objects) to the System Management container.

  2. As part of the System Health Validator component configuration, complete the following steps:

    • Select the option to Designate an Active Directory forest. For more information, see How to Specify the Location of the NAP Health State Reference.

    • Specify the fully qualified domain where you created the System Management container in the Domain suffix. This tells the System Health Validator points where they should retrieve Configuration Manager health state references.

  3. If there is an outgoing trust relationship from the domain you have specified in the domain suffix to the domain(s) in which the site servers reside, add the computer account of each site server to the domain local group you created.

  4. If there is no outgoing trust relationship from the domain you have specified in the domain suffix to the domain(s) in which the site servers reside, the following additional steps must be performed:

    • Create a Microsoft Windows user account in the forest that contains the System Health Validator points, and configure this account with a password that never expires.

    • Specify this Windows user account as the Health state reference publishing account in the System Health Validator Point Component Properties under the Component Configuration node. For more information, see How to Specify the Health State Reference Publishing Account.

    • Ensure name resolution is configured so that site servers can resolve the forest namespace of the System Health Validator points (for example, with DNS forwarding or root hints).

Deploying Configuration Manager Network Access Protection over two forests when the Configuration Manager health state references publish to a third forest that has trust relationships with the other two forests (either a forest trust or external domain trusts)

  1. In the third Active Directory forest, complete the following steps:

    • Extend the Active Directory schema with the Configuration Manager 2007 extensions. For more information, see How to Extend the Active Directory Schema for Configuration Manager.

    • Create a System Management container in one domain to store the Configuration Manager health state references.

    • Create a domain local group, and grant it Full Control permissions (to this object and all child objects) to the System Management container.

  2. As part of the System Health Validator component configuration, complete the following steps:

    • Specify the option to Designate an Active Directory forest. For more information, see How to Specify the Location of the NAP Health State Reference.

    • Specify the fully qualified domain where you created the System Management container in the Domain suffix. This tells the site servers where to write the Configuration Manager NAP health state references and the System Health Validator points where they should retrieve Configuration Manager NAP health state references.

  3. If it is not already configured, enable the option Publish this site in Active Directory Domain Services on each site that will be enabled for Network Access Protection. For more information, see How to Publish Configuration Manager Site Information to Active Directory Domain Services.

  4. Using the outgoing trust relationship from the domain you have specified in the domain suffix to the domain(s) in which the site servers reside, add the computer account of each site server to the domain local group you created.

  5. The computer accounts of the System Health Validator points are authenticated to retrieve the Configuration Manager health state references over the outgoing trust relationship from the domain you have specified in the domain suffix to the domain(s) in which the System Health Validator points reside; no further configuration is required.

Deploying Configuration Manager Network Access Protection over two forests when the Configuration Manager health state references publish to a third forest that has no trust relationships with the other two forests

  1. In the third Active Directory forest, complete the following steps:

    • Extend the Active Directory schema with the Configuration Manager 2007 extensions. For more information, see How to Extend the Active Directory Schema for Configuration Manager.

    • Create a System Management container in one domain to store the Configuration Manager health state references.

    • Create a domain local group, and grant it Full Control permissions (to this object and all child objects) to the System Management container.

    • Create a Microsoft Windows user account to publish the Configuration Manager health state references. Configure this account with a password that never expires, and make it a member of the domain local group you created.

    • Create a Windows user account to retrieve the Configuration Manager health state references. Configure this account with a password that never expires.

  2. Configure the System Health Validator Point Component Properties under the Component Configuration node as follows:

    • Specify the option to Designate an Active Directory forest. For more information, see How to Specify the Location of the NAP Health State Reference.

    • Specify the fully qualified domain where you created the System Management container in the Domain suffix. This tells the site servers where to write the Configuration Manager health state references, and it tells the System Health Validator points where they should retrieve Configuration Manager health state references.

    • Specify the Windows user account you created to publish the Configuration Manager health state references in the health state reference publishing account. For more information, see How to Specify the Health State Reference Publishing Account.

    • Specify the Windows user account you created to read the Configuration Manager health state references in the Health state reference querying account. For more information, see How to Specify the Health State Reference Querying Account.

  3. If it is not already configured, enable the option Publish this site in Active Directory Domain Services on each site that will be enabled for Network Access Protection. For more information, see How to Publish Configuration Manager Site Information to Active Directory Domain Services.

  4. Using the outgoing trust relationship from the domain you have specified in the domain suffix to the domain(s) in which the site servers reside, add the computer account of each site server to the domain local group you created.

  5. Ensure name resolution is configured such that site servers and System Health Validator points can resolve the forest namespace of the third Active Directory forest (for example, with DNS forwarding or root hints).
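The preparation steps shared by the last three scenarios (System Management container, domain local group with Full Control on the container and its child objects, publishing and querying accounts with non-expiring passwords, group membership) can be scripted in the forest that will hold the health state references. This is an added example written for this page, not a script from the Configuration Manager documentation; it assumes the ActiveDirectory PowerShell module is available and that the domain, group and account names below (all constructed placeholders) are replaced with your own.

```powershell
# Added example, not from the Configuration Manager documentation.
# Assumes the ActiveDirectory module and rights to create objects under CN=System
# in the domain that will be named in the "Domain suffix" setting.
Import-Module ActiveDirectory

$domainDN    = 'DC=refs,DC=example,DC=com'            # constructed placeholder domain
$containerDN = "CN=System Management,CN=System,$domainDN"
$groupName   = 'CM-NAP-HealthStateRef-Writers'        # constructed placeholder group name
$publishUser = 'svc-cm-nap-publish'                   # health state reference publishing account
$queryUser   = 'svc-cm-nap-query'                     # health state reference querying account

# 1. System Management container that stores the health state references.
if (-not (Get-ADObject -Filter "distinguishedName -eq '$containerDN'")) {
    New-ADObject -Name 'System Management' -Type container -Path "CN=System,$domainDN"
}

# 2. Domain local security group with Full Control (GenericAll) on the container,
#    inherited by all child objects ("this object and all child objects").
$group = New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security `
                     -Path "CN=Users,$domainDN" -PassThru
$acl  = Get-Acl -Path "AD:\$containerDN"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $group.SID,
            [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
            [System.Security.AccessControl.AccessControlType]::Allow,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$containerDN" -AclObject $acl

# 3. Publishing and querying accounts, password never expires. Only the publishing
#    account needs membership in the group (write access to the container).
$pwdPub = Read-Host -Prompt "Password for $publishUser" -AsSecureString
$pwdQry = Read-Host -Prompt "Password for $queryUser"   -AsSecureString
$pub = New-ADUser -Name $publishUser -AccountPassword $pwdPub -PasswordNeverExpires $true -Enabled $true -PassThru
New-ADUser -Name $queryUser -AccountPassword $pwdQry -PasswordNeverExpires $true -Enabled $true | Out-Null
Add-ADGroupMember -Identity $group -Members $pub

# In the trusted-forest scenarios, the site server computer accounts are added
# instead of a publishing account, for example (placeholder names):
#   Add-ADGroupMember -Identity $group -Members (Get-ADComputer 'SITESRV01' -Server 'corp.example.com')

# 4. Verify the ACE before configuring the System Health Validator point component.
(Get-Acl -Path "AD:\$containerDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType
```

The final listing should show the group with ActiveDirectoryRights of GenericAll and InheritanceType of All; anything else means the Full Control grant did not apply as the steps above require.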
