Network Access Protection

[luke.mccormick]

Hello all, I'm trying to grasp this whole NAP thing for Server 2008, and I'm starting to kinda get the hang of it and I can get clients denied, and computers with static IPs are fine. My question is, if my network has a DC, a file server, a web server, an RODC, and say a Novell Zenworks ZCM server for OS deployment, and WSUS.

I put the RODC and WSUS in the remediation network group, I'm using DHCP NAP. well if my clients aren't already in AD, they can't get the NAP policy. If they can't get the nap policy, they're denied network access. how then do I join the machines to the domain without setting a static IP on each one. Especially, if, say I sysprepped an image, and want to push it out to 30 workstations using ZENworks, even if I temporarily set a static IP on the image..those 30 workstations being deployed are going to attempt to join to the domain at the same time using the same IP?

Just looking for a bit of insight, and maybe I'm just too much of a n00b and am completely missing something?

[luke.mccormick]

bump

[fizban2]

Luke,

You are right, if the client is not in AD, then no GPO to turn on the NAP agents. If that is the case then the machine with be quarantined. The servers that are part of your remediation group will allow those machines to be joined to the domain (you have a RODC there) your DHCP server will still server the client an address, just will only allow routes to the servers in the remediation group. Once there you can join the machine to the domain and it can recieve the GPO. For future use, i would suggest turning on the NAP agents during an unattended build process, that way the GPO is only a fail back incase someone tries to turn of the agents.