Windows Server 2008 NAP (Part 2)

by Marin Franković on 17 December, 2008

Configuring DHCP NAP enforcement

In this article I will describe how to configure DHCP NAP enforcement for DHCP clients. There are a couple of prerequisites that I will presume you have already implemented:

  • One domain controller (Windows Server 2008), in text referred to as DC
  • One member server (Windows Server 2008), in text referred to as SRV
  • One client computer (Windows Vista), in text referred to as CL


First we must install the NPS and DHCP server roles on the SRV member server.

  • Start Server Manager Console on SRV
  • Add NPS and DHCP roles


Configure DHCP as follows:

  • “Parent domain” is your domain name, e.g. yourdomainname.local
  • Enter the preferred DNS server IP address, e.g. the IP address of DC, as it will probably be configured as the DNS server
  • Add a new DHCP scope and activate it
  • Select “Disable DHCPv6 stateless mode for this server”
  • Authorize the DHCP server with enterprise admin credentials


At the end select “Install” and that is it.

On the SRV computer start the Network Policy Server administration tool:

  • Expand Network Access Protection, select System Health Validators (SHV)
  • Configure the SHV; on the Windows Vista tab remove the checkmark from everything except “A firewall is enabled for all network connections”
  • Right click on “Remediation Server Groups” and select New
  • Name the group Rem1 and add the IP address of DC



Now we will configure Health policies:

  • Expand Policies
  • Right click Health policies and select New
  • Create a policy named Compliant, select “Client passes all SHV checks” and use “Windows Security Health Validator”
  • Create another policy, name it NonCompliant, select “Client fails one or more SHV checks” and use “Windows Security Health Validator”


Let's create a new Network Policy for compliant computers:

  • Under Policies select Network policies
  • Disable the two default policies (right click on them and select Disable)
  • Create a new policy and name it “Compliant Full Access”
  • Add a new Condition, double click Health Policies and select Compliant
  • Select the option “Access is granted”
  • On Authentication Methods remove all checks and select “Perform machine health check only”
  • In the Configure settings select NAP Enforcement and verify that “Allow full network access” is selected


To create the policy for Non Compliant computers, follow the procedure above with these changes:


  • Name the policy “Non Compliant Restricted Access”
  • Select NonCompliant when adding Conditions
  • In the Configure settings select NAP Enforcement and verify that “Enable auto-remediation of client computers” is selected
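The steps above are all done by clicking through Server Manager, the DHCP console and the NPS console, so it is easy to miss one and not notice until clients stop getting addresses. The following PowerShell script is an added verification aid, not part of the original article: run it in an elevated prompt on SRV and it reports whether each server-side piece configured above is actually in place. It uses only tools that ship with Windows Server 2008 (netsh and WMI), and it assumes that the role names in Win32_ServerFeature are "Network Policy Server" and "DHCP Server", that the policy and remediation group names from the article appear verbatim (with spaces or underscores) in the XML produced by netsh nps export, and that this machine's name appears in the list of DHCP servers authorized in Active Directory. Keep in mind that DHCP enforcement only constrains clients that actually obtain their configuration from this DHCP server, so these checks validate the server setup described here, not the strength of the enforcement itself.

```powershell
# Added verification script (not from the original article). Run elevated on SRV.
# Checks that the roles, NPS objects and DHCP settings from the walkthrough exist.
$ErrorActionPreference = "Stop"

# Names exactly as created in the article's steps
$expectedNpsObjects = @(
    "Compliant",                       # health policy
    "NonCompliant",                    # health policy
    "Compliant Full Access",           # network policy
    "Non Compliant Restricted Access", # network policy
    "Rem1"                             # remediation server group
)

function Test-InstalledRole([string]$roleName) {
    # Win32_ServerFeature lists installed roles and role services on Server 2008.
    # Role name strings are an assumption; adjust if your locale differs.
    $features = Get-WmiObject -Class Win32_ServerFeature
    return [bool]($features | Where-Object { $_.Name -eq $roleName })
}

function Get-NpsExportText {
    # Export the whole NPS configuration to XML without shared secrets and
    # return it as one string. Object names appear in the export as element
    # names (spaces turned into underscores) and as name attributes.
    $file = Join-Path $env:SystemRoot "Temp\nps-check.xml"   # path without spaces
    netsh nps export filename=$file exportPSK=NO | Out-Null
    $text = [System.IO.File]::ReadAllText($file)
    Remove-Item $file
    return $text
}

function Test-NpsObjectExists([string]$exportText, [string]$name) {
    # Match the name with either spaces or underscores between the words
    $pattern = ($name -split " " | ForEach-Object { [regex]::Escape($_) }) -join "[ _]"
    return [bool]($exportText -match $pattern)
}

function Test-NapDhcpServerConfig {
    $results = @{}

    # 1. Roles added through Server Manager
    $results["NPS role installed"]  = Test-InstalledRole "Network Policy Server"
    $results["DHCP role installed"] = Test-InstalledRole "DHCP Server"

    # 2. Health policies, network policies and remediation group from the NPS console
    $nps = Get-NpsExportText
    foreach ($name in $expectedNpsObjects) {
        $results["NPS object '$name' exists"] = Test-NpsObjectExists $nps $name
    }

    # 3. At least one scope exists and is active on this server.
    #    \bActive\b deliberately does not match "Inactive".
    $scopes = netsh dhcp server show scope | Out-String
    $results["Active DHCP scope present"] = [bool]($scopes -match "\bActive\b")

    # 4. This server is authorized in Active Directory: the list of authorized
    #    DHCP servers must contain this machine's name (FQDN contains it)
    $authorized = netsh dhcp show server | Out-String
    $results["DHCP server authorized in AD"] = [bool]($authorized -match [regex]::Escape($env:COMPUTERNAME))

    return $results
}

# Print one OK/FAIL line per check
$check = Test-NapDhcpServerConfig
$check.GetEnumerator() | Sort-Object Name | ForEach-Object {
    $state = if ($_.Value) { "OK  " } else { "FAIL" }
    "{0} {1}" -f $state, $_.Name
}
```

A FAIL on the "Non Compliant Restricted Access" or "Rem1" line is the one to look at first: without the restricted policy and the remediation group, a non-compliant client is either handled by a default policy (which the steps above disable) or left with no way to reach DC to fix its firewall state.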


… to be continued
