Use the following information to understand the implications of implementing Network Access Protection (NAP) in Configuration Manager 2007 when your Configuration Manager hierarchy spans more than one Active Directory forest, and identify the supported scenarios for this environment.

Why Multiple Forests Affect Network Access Protection in Configuration Manager

When you are using Network Access Protection (NAP) in Configuration Manager 2007 and your Configuration Manager hierarchy spans more than one Active Directory forest, there are additional configuration requirements. This is because Network Access Protection in Configuration Manager stores health state references in Active Directory: when you create or modify a Configuration Manager NAP policy, the site server publishes its Configuration Manager health state reference to Active Directory, or updates the reference it has already published.

When a child site inherits Configuration Manager NAP policies from a parent site, that child site's site server also publishes its health state reference to Active Directory. These health state references are then retrieved from Active Directory by the System Health Validator points querying a global catalog server.

By default, site servers publish to their own Active Directory forest and System Health Validator points retrieve the health state references from their own Active Directory forest. So if your site servers and System Health Validator points are not in the same Active Directory forest, you must designate the Active Directory forest and domain that will store the health state references. This designation can even be a completely different forest than both the site servers and System Health Validator points.

The Active Directory forest that stores the Configuration Manager health state references must have been extended with the Configuration Manager 2007 schema extensions; site servers must be configured to publish identity data to Active Directory if their site is enabled for Network Access Protection; and there must be a System Management container in the designated forest that has the appropriate permissions needed by the site servers and System Health Validator points.

Note
For information about how to extend the schema and enable publishing for Configuration Manager 2007, see How to Extend the Active Directory Schema for Configuration Manager and How to Publish Configuration Manager Site Information to Active Directory Domain Services.
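As an added check (not part of the original article), the following PowerShell script verifies the three prerequisites above against a designated forest from an administrator workstation. It assumes a constructed forest name, that credentials are supplied when the script runs from a different forest, and that the Configuration Manager schema extension can be recognised by the presence of the mSSMSSite schema class.

```powershell
# Added prerequisite check for the designated forest; not from the original article.
# Assumptions: $DesignatedForest is a constructed placeholder, and the Configuration Manager
# schema extension is detected by the presence of the mSSMSSite class (ldapDisplayName).
param(
    [string]$DesignatedForest = "designated.example.com",
    [System.Management.Automation.PSCredential]$Credential   # needed when run from another forest
)

function New-DirEntry([string]$Path) {
    if ($Credential) {
        $nc = $Credential.GetNetworkCredential()
        return New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList $Path, $nc.UserName, $nc.Password
    }
    New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList $Path
}

# RootDSE of the designated forest supplies the schema and default (domain) naming contexts
$rootDse  = New-DirEntry "LDAP://$DesignatedForest/RootDSE"
$schemaNc = [string]$rootDse.Properties["schemaNamingContext"].Value
$domainNc = [string]$rootDse.Properties["defaultNamingContext"].Value

# 1. Schema extended? Look for a class created by the Configuration Manager schema extension.
$schemaSearch = New-Object -TypeName System.DirectoryServices.DirectorySearcher -ArgumentList `
    (New-DirEntry "LDAP://$DesignatedForest/$schemaNc"), "(lDAPDisplayName=mSSMSSite)"
$schemaExtended = $null -ne $schemaSearch.FindOne()

# 2. System Management container present under CN=System of the designated domain?
$sysSearch = New-Object -TypeName System.DirectoryServices.DirectorySearcher -ArgumentList `
    (New-DirEntry "LDAP://$DesignatedForest/CN=System,$domainNc"), "(&(objectClass=container)(cn=System Management))"
$sysSearch.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
$containerResult = $sysSearch.FindOne()

# 3. Who holds rights on the container? Review this list for the site server computer accounts
#    (which must write the health state references) and the System Health Validator point accounts.
$acl = @()
if ($containerResult) {
    $container = New-DirEntry $containerResult.Path
    $acl = $container.ObjectSecurity.Access |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
}

[pscustomobject]@{
    DesignatedForest        = $DesignatedForest
    SchemaExtended          = $schemaExtended
    SystemManagementPresent = [bool]$containerResult
    ContainerAccessEntries  = $acl
} | Format-List
```

Run it once per forest you are considering as the publishing target; a missing class or container means the forest is not yet ready to hold the health state references.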

Supported Scenarios for Multiple Forests

The configuration steps that must be taken for multiple Active Directory forests depend on the topology, the existing configuration, and the decision about where to publish the Configuration Manager 2007 health state references. The following list gives four basic scenarios that are supported in Configuration Manager when site servers reside in one Active Directory forest and all System Health Validator points reside in another Active Directory forest:

  • The Configuration Manager health state references are published to the forest that contains the site servers.

  • The Configuration Manager health state references are published to the forest that contains the System Health Validator points.

  • The Configuration Manager health state references are published to a third Active Directory forest that has trust relationships with the other two forests (either a forest trust or external domain trusts).

  • The Configuration Manager health state references are published to a third Active Directory forest that has no trust relationships with the other two forests (neither a forest trust nor external domain trusts).

To help you decide which forest will publish the health state references, see Decide Which Forest Will Publish Health State References for Network Access Protection.

For procedural steps on how to provision Active Directory and the additional configuration steps required in Configuration Manager when using Network Access Protection across multiple forests, see How to Deploy Network Access Protection Across Multiple Forests.
