System Health Validator Point

This role is used to validate what we define as good or bad system health when working with Microsoft Network Access Protection. This is similar to the commonly known Network Access Control, where devices are initially hosted on a remediation network to update any software, such as antivirus or operating system patches, before they are allowed onto the production or corporate network. Generally speaking, this is seldom used in Configuration Manager implementations for various reasons; however, those that do have the role installed should know where to go when trouble ensues. There are a number of prerequisites required outside Configuration Manager to run this solution, so the first check is to make sure that the network switches are configured correctly and functioning, the DHCP options are configured and functioning, and that your Microsoft Network Policy Server and Active Directory forest are in good health. A good source of information for the prerequisites and installation of this role is this Microsoft blog post: http://blogs.technet.com/b/pauljones/archive/2013/06/02/network-access-protection-nap-with-system-center-2012-configuration-manager.aspx.

Troubleshooting in the console

There is actually nothing to configure within the site system role itself; however, there are a small number of settings available in the System Health Validator Point component properties, which can be found in the Configuration Manager console by browsing to the Administration workspace and looking at Overview | Site Configuration | Sites. Now select the relevant site from the list and select Configure Site Components | System Health Validator Point. Here, we can verify that the settings are as expected and check that the cross-forest health state accounts are present and correct.

As there is so much infrastructure outside Configuration Manager for this role, the only other place we can troubleshoot within the console is by using the status message queries. If we browse to Overview | System Status | Component Status and look up SMS_STATE_MIGRATION_POINT, we can use the health indicator and open up the status messages for more specific information. A status message 1016 will signify a failed installation of the role, at which point we should start to look at the relevant log files. It should be noted that this role must be installed on the same server as the Microsoft Network Policy Server, and an inability to configure this will result in a status message code 4965, which should be investigated further either in the log files or on the Network Policy Server itself.

It is also worth noting that there are thirteen reports available by default, which include information specific to Network Access Protection, including remediation failures, non-compliant computers, and computers where the NAP service could not be detected. These reports can be found through reporting in the Monitoring workspace by browsing to the category Network Access Protection (NAP).

Troubleshooting in the log files

As there are several moving parts to this role, there are a number of log files too. The default location for these is %ProgramFiles%\Microsoft Configuration Manager\Logs:

  • SmsSHVSetup.log
  • SmsSHV.log
  • SmsSHVADCacheClient.log
  • SmsSHVCacheStore.log
  • SmsSHVQuarValidator.log
  • SmsSHVRegistrySettings.log

On the client, we can find the following log file in %WINDIR%\CCM\Logs by default: Smssha.log.

The SmsshvSetup.log file, which is a small log file, details the installation and simply outputs a fairly descriptive installation code. For example, if the installation is performed on a server without the NPS Service installed, then the following will be shown in the log file:

Error - NPS Service is not installed on the Machine - SMSSHV Installation cannot continue.
Installation Failed. Error Code: 131

  • Smsshv.log: This file is considered to be the main log file for the daily activities of the system health validator point.
  • Smsshvadcacheclient.log: This file details the information received about health state references from Active Directory.
  • smsshvcachestore.log: This file holds information about the cache store and is used to store health state references that are sent from Active Directory.
  • SmsSHVQuarValidator.log: This file contains information about the state of health from clients and how these are processed.
  • smsshvregistrysettings.log: This file contains details of any changes that are made to the system health validator point while the service is actively running.

On the client, the log file to check is smssha.log, which contains lots of information, including the statement of health and exchanges with the Configuration Manager Health Agent and the Network Access Policy agent on the client operating system, as the two work together. Any failures to either validate or remediate a client's health can be checked here for errors and then investigated further in the applicable server-based log file.
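The server-side log check described above can be scripted as a first triage pass. The following is an added example, not code from the book or from Microsoft: the function name Get-ShvLogSummary and its parameter are hypothetical, the two search strings are taken from the setup failure output quoted above, and the sample log is constructed so the script can be tried without a site server.

```powershell
# Added example: summarise the six System Health Validator Point server logs.
# Get-ShvLogSummary and -LogDirectory are hypothetical names for illustration.
function Get-ShvLogSummary {
    param(
        # Default server log location given on this page.
        [string]$LogDirectory = (Join-Path $env:ProgramFiles 'Microsoft Configuration Manager\Logs')
    )
    $logNames = 'SmsSHVSetup.log', 'SmsSHV.log', 'SmsSHVADCacheClient.log',
                'SmsSHVCacheStore.log', 'SmsSHVQuarValidator.log', 'SmsSHVRegistrySettings.log'
    foreach ($name in $logNames) {
        $path    = Join-Path $LogDirectory $name
        $present = Test-Path -LiteralPath $path
        $errors  = @()
        $code    = $null
        if ($present) {
            # Lines in the style of the setup failure shown above ("Error - ...").
            $errors = @(Select-String -LiteralPath $path -Pattern 'Error - ' -SimpleMatch |
                        ForEach-Object { $_.Line.Trim() })
            # Most recent installation result code, if the log records a failure.
            $m = Select-String -LiteralPath $path -Pattern 'Installation Failed\. Error Code:\s*(\d+)' |
                 Select-Object -Last 1
            if ($m) { $code = [int]$m.Matches[0].Groups[1].Value }
        }
        [pscustomobject]@{
            Log            = $name
            Present        = $present      # a missing log is itself a finding
            ErrorLines     = $errors.Count
            SetupErrorCode = $code
            LastError      = $errors | Select-Object -Last 1
        }
    }
}

# Constructed sample input: a setup log holding the two lines quoted on this page.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'shv-sample-logs'
New-Item -ItemType Directory -Path $sample -Force | Out-Null
@'
Error - NPS Service is not installed on the Machine - SMSSHV Installation cannot continue.
Installation Failed. Error Code: 131
'@ | Set-Content -LiteralPath (Join-Path $sample 'SmsSHVSetup.log')

Get-ShvLogSummary -LogDirectory $sample | Format-Table -AutoSize
```

On a real site system, run Get-ShvLogSummary without arguments to read the default log directory; logs reported as not present point to a role that never finished installing.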
