NAP on Domain Controller

  • Question

  • Is it possible to have one server running as a Domain Controller, DNS, etc., along with providing NAP services for clients?

     

    I would prefer this server to also issue certificates, etc., but I guess this server would have to be exempted from having this certificate due to NAP restrictions? This is a test environment so any thoughts on this would be great.

     

    Thanks

    Thursday, March 13, 2008 5:28 PM

Answers

  • Hi,

     

    Yes, you can run everything on one server.

     

    When you exempt a server, you enroll it with a long-lived health certificate, called an "exemption certificate." This will allow the server to participate in IPsec. If the server is functioning as an HRA, then it will need to be in the boundary zone with a policy to request (not require) authentication. Since boundary servers are accessible by noncompliant and non-NAP capable devices, if the server is a domain controller you should make it read-only.

     

    -Greg

    Friday, March 14, 2008 5:42 AM