Best Practice for SHV placement

System Health Validator Placement

I'm writing this post in response to some Configuration Manager 2007 Network Access Protection questions I received during the MMS 2008 conference.

"Where should the System Health Validator Point Role (SHV) be placed in the ConfigMgr 2007 hierarchy?" The quick, simple answer is at the Central Site in the hierarchy, or at the Site where your ConfigMgr administrators will perform their daily administrative duties. Some companies may have a Site or Reporting Site sitting on top of the Central Site of the hierarchy, as shown below.

[image: hierarchy diagram]

For the above design, you will want to install the System Health Validator Point Role (SHV) from the Central Site, just as you would if you did not have a Reporting Site sitting over the Central Site of the hierarchy.
Installing an SHV, and all subsequent additional SHVs, from the Central Site is recommended and provides centralized management of all SHV settings and configurations for the System Health Validator. Below is a list of reasons to install all SHVs from one Site, the Central Site server.
All SHV settings and configurations are set by modifying the System Health Validator Point Component from the Component Configuration node under Site Settings within the ConfigMgr Console. Settings and configurations made here apply to all SHVs that are installed from the same site.
Note: The SHV has no bi-directional communication with the Site server it is installed from. So the SHV can actually be installed on any Site within the hierarchy, but there is no benefit or additional functionality in doing so. Please don't make the mistake of thinking that you need an SHV per Site. One SHV can serve one hierarchy.
You can stage up to 4 NPS/SHV servers that clients can communicate with. Clients will use the first NPS/SHV server in the client's Trusted Server Group. Below are the configuration settings for the SHV/NPS URLs that clients will communicate with when sending NAP SOH requests.
To see this list on a client, run the following command in an elevated command prompt on a Vista system:
C:\> netsh nap client show group

Names have been changed to protect the innocent…


Trusted server group configuration:
----------------------------------------------------
Group            = MSIT
Require Https    = Enabled
URL              = https://NPSServer1.widget.contoso.com/domainHRA/hcsrvext.dll
Processing order = 1
Group            = MSIT
Require Https    = Enabled
URL              = https://NPSServer2.widget.contoso.com/domainHRA/hcsrvext.dll
Processing order = 2
Group            = MSIT
Require Https    = Enabled
URL              = https://NPSServer3.widget.contoso.com/domainHRA/hcsrvext.dll
Processing order = 3
Group            = MSIT
Require Https    = Enabled
URL              = https://NPSServer4.widget.contoso.com/domainHRA/hcsrvext.dll
Processing order = 4


The System Health Validator can be installed on a Windows Server 2008 running the Network Policy Server (NPS) service that is joined to any domain or forest, including one other than the domain the Site server is joined to. In the case where an NPS server is joined to a separate forest from the Site server, that NPS server will, by default, query for client health state references in the forest it is joined to.
This means that if you have a Site server joined to forest A, one NPS server joined to forest A, and another NPS server joined to forest B, each NPS/SHV server will query and validate client health state from the domain that NPS server is joined to. The picture below shows this.

[image: NPS/SHV servers in two forests]

This can cause your Windows NAP infrastructure to validate only a subset of your clients: each NPS/SHV server will only validate the compliance of clients in the same forest it is joined to. Previously I mentioned modifying SHV properties for the System Health Validator Point Component from the Component Configuration node under Site Settings. On the Health State Reference tab, you have the option to specify a domain suffix where you want the SHV/NPS servers to query for client health state references. When this option is set to a specific Active Directory forest FQDN (for example, corp.contoso.com), it tells all SHVs installed from the Site to publish to the same forest root domain.
This provides centralized management of all SHVs and their settings, and you will want all your SHVs configured with the same settings and configurations. Clients hit the first SHV/NPS server in the list when sending SOH (Statement of Health) requests and are validated by that SHV; they fail over to the next SHV/NPS in the list when the first NPS server hits its maximum connections, and you will want the next SHV/NPS to validate clients with the same validation settings and configurations.
If you set up an SHV at each Site in a hierarchy, you will actually be duplicating administrative work that is not required: you will have to go to each Site and configure the properties for the System Health Validator Point Component from the Component Configuration node under Site Settings.
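As an added example (not from the original post), the following Python parses the trusted server group listing printed by netsh nap client show group, as shown above, and checks it against the points made here: no more than 4 servers, a contiguous processing order so failover works as described, HTTPS required on every URL, and every NPS host sitting under the forest suffix you set on the Health State Reference tab. The sample text and the expected_suffix value are constructed, and the suffix check is my own heuristic for spotting an NPS server in another forest, not a ConfigMgr feature.

```python
import re
from urllib.parse import urlparse
# Constructed sample, modelled on the netsh listing above (not a live capture).
SAMPLE_OUTPUT = """\
Trusted server group configuration:
----------------------------------------------------
Group            = MSIT
Require Https    = Enabled
URL              = https://NPSServer1.widget.contoso.com/domainHRA/hcsrvext.dll
Processing order = 1
Group            = MSIT
Require Https    = Enabled
URL              = https://NPSServer2.widget.contoso.com/domainHRA/hcsrvext.dll
Processing order = 2
"""

FIELD_RE = re.compile(r"^\s*(Group|Require Https|URL|Processing order)\s*=\s*(.+?)\s*$")

def parse_trusted_servers(text):
    """Return one dict per NPS/SHV entry, in the order netsh lists them."""
    entries, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Group" and current:  # each Group line starts a new entry
            entries.append(current)
            current = {}
        current[key] = value
    if current:
        entries.append(current)
    return entries

def check_trusted_servers(entries, expected_suffix, max_servers=4):
    """List problems: too many servers, broken processing order, HTTPS not
    enforced, or an NPS host outside expected_suffix (assumed forest DNS name)."""
    problems = []
    if len(entries) > max_servers:
        problems.append(f"{len(entries)} servers listed; clients use at most {max_servers}")
    orders = sorted(int(e.get("Processing order", 0)) for e in entries)
    if orders != list(range(1, len(entries) + 1)):
        problems.append(f"processing order is not 1..{len(entries)}: {orders}")
    for e in entries:
        url = urlparse(e.get("URL", ""))
        if e.get("Require Https") != "Enabled" or url.scheme != "https":
            problems.append(f"{url.hostname}: HTTPS not enforced")
        if not (url.hostname or "").endswith("." + expected_suffix.lower()):
            problems.append(f"{url.hostname}: outside expected forest {expected_suffix}")
    return problems
```

An empty list from check_trusted_servers means the client's group matches the guidance; paste the real netsh output in place of SAMPLE_OUTPUT to check a live client.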
