Cannot create NAP policies on child site
** cross posting from NAP forum **
Is it a requirement to enable NAP from top down in configmgr hierarchy or is it a recommendation? We have no need whatsoever for NAP on the parent site, but I need it on the child site. I cannot create NAP policies on my child server that has NAP enabled. I have installed the System Health Validation role in my configmgr infrastructure and am now trying to make the configmgr remediation part work. It is a primary child site. The parent site is not NAP enabled. When I right click on an update in an update list, I can see that the NAP Evaluation tab is available, but all options on this tab are disabled, including the "Enable NAP Evaluation" checkbox. When I try to run a New Policies Wizard, the wizard fails with "The New Policies Wizard completed with errors. For more information about the tasks that were not completed, see Details." In the Details box, all I have is "Error: Security Update for Windows Server 2003 (KBxxxxxx)". I looked around the logs to see any errors but didn't find any leads.
Mayur
September 24th, 2009 2:07am

Thanks Carol. I checked the permissions on NAP and Policies nodes, I do have full rights on them, so that does not seem like the cause. It is very unlikely that NAP was enabled on the parent site since it requires significant planning and could not go unnoticed. But I still don't want to rule this point out. We have had issues with orphaned child site and data corruption between the sites. What will be the best way to test if the child site thinks NAP is enabled on the parent?
Mayur
September 24th, 2009 4:38pm

Normally, you wouldn't have to check the Active Directory attributes, but we do have the following documentation for how to verify that Active Directory has been provisioned for NAP in Configuration Manager: http://technet.microsoft.com/en-us/library/bb681047.aspx
In the meantime I'll try to find out some more about this scenario from one of our NAP experts.
- Carol
This posting is provided AS IS with no warranties and confers no rights
October 1st, 2009 1:57am

I came across that documentation while trying to troubleshoot the issue. From my research, I have established that the schema has been extended for NAP and msSMSHealthState attribute has also been defined in the site objects. However, this attribute is defined for both the child and the parent sites' objects. I don't know how that happened since NAP was never enabled on the parent site. I think this is what is confusing the child site to think that NAP is enabled on the parent site and that's the reason why it's not letting me create new policies. If my theory is true, I need to find out how to resolve the issue. I can go ahead and delete the msSMSHealthState attribute defined on the parent site's object, but I am not sure if that's enough or what the implications are. Your help will be very much appreciated. Thanks.
Mayur
October 1st, 2009 2:36am

It's looking like my hunch is right - the logs show that NAP was enabled on the parent site 2008-06-04 18:59:03.000 and when this replicates down to the child site it then prevents the admin on the child site from selecting software updates for NAP, even if NAP is now disabled on the parent site. Because NAP was designed to be enabled top-down, this is uncharted territory which is why there is no set procedure to resolve this scenario. But I quite see why a change of mind (or mistake) shouldn't be terminal. We're looking into it, but if it's urgent I suggest you open a case with CSS.
- Carol
This posting is provided “AS IS” with no warranties and confers no rights
October 3rd, 2009 1:58am

Update: I have a case open with MS. We have tried deleting the parent site's object from SM container and also editing the parent site's control file to remove references to the SHV role with no success. Something writes back a value for mSSMSHealthState attribute after the site is restarted or automatically after some time has passed. I don't know where it is coming from. I have stopped working on this project for now since there is no documentation on how to correct this issue at all.
Mayur
October 7th, 2009 12:30am
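
Added example, not part of the original thread or of Microsoft's documentation: a read-only PowerShell check that lists each published site object with whether `mSSMSHealthState` is set, and uses replication metadata to show when the attribute was last written and on which domain controller, which helps narrow down what keeps writing the value back. It assumes the ActiveDirectory module with `Get-ADReplicationAttributeMetadata` (Windows Server 2012 or later tools), the default `CN=System Management,CN=System` container, and site objects of class `mSSMSSite` with a `mSSMSSiteCode` attribute.

```powershell
# Added example: read-only inspection, no directory object is modified.
Import-Module ActiveDirectory

# Assumption: sites publish to the default System Management container.
$domain    = Get-ADDomain
$container = "CN=System Management,CN=System,$($domain.DistinguishedName)"

# Assumption: query one fixed DC (the PDC emulator) so repeated runs
# compare the same replica.
$server = $domain.PDCEmulator

$sites = Get-ADObject -Server $server -SearchBase $container `
    -LDAPFilter '(objectClass=mSSMSSite)' `
    -Properties mSSMSSiteCode, mSSMSHealthState, whenChanged

$report = foreach ($site in $sites) {
    # Replication metadata records the version, time and originating DC
    # of the last write to this one attribute.
    $meta = Get-ADReplicationAttributeMetadata `
        -Object $site.DistinguishedName -Server $server `
        -Properties mSSMSHealthState

    [pscustomobject]@{
        SiteCode          = $site.mSSMSSiteCode
        HealthStateSet    = ($null -ne $site.mSSMSHealthState)
        AttributeVersion  = if ($meta) { $meta.Version } else { $null }
        LastWritten       = if ($meta) { $meta.LastOriginatingChangeTime } else { $null }
        OriginatingServer = if ($meta) { $meta.LastOriginatingChangeDirectoryServerIdentity } else { $null }
        ObjectChanged     = $site.whenChanged
    }
}

# A rising AttributeVersion on the parent site's row after a site restart
# shows that the attribute was rewritten and when.
$report | Sort-Object SiteCode | Format-Table -AutoSize
```

Running it before and after a site restart and comparing `AttributeVersion` and `LastWritten` for the parent site's row shows whether the value was republished in between.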

This topic is archived. No further replies will be accepted.
