Scenario:
- Migrate to a new server with a new NetBIOS name and a new IP address
- Migrate to a new server retaining the NetBIOS name and IP address
Step 1: Back up the NPS server, NPS policy and certificate
- Open the Network Policy Server console from Server Manager > right-click NPS (Local) > Export Configuration.
- Tick "I am aware that I am exporting all shared secrets", click OK and save the configuration as an XML file to a UNC path the new server can reach. The XML contains every RADIUS client shared secret in clear text, so restrict the share's ACL to the account doing the migration and delete the file once the import has been verified.
- Right-click Templates Management > Export Templates to a File and save the templates as an XML file to the same UNC path.
- Open MMC > add the Certificates snap-in for the Computer account > Personal > Certificates > export the NPS server certificate with its private key (PFX). Protect the PFX with a strong password; it is the key the server uses to authenticate itself to wireless and VPN clients.
- Use Windows Server Backup to back up the NPS server. If the NPS server is virtualized, instead right-click the virtual machine in Hyper-V Manager, rename it so it cannot be confused with the new server, and power it off.
Step 2: Build a new server.
- Build a new server, activate Windows, assign TCP/IP settings and join it to the domain. For scenario 2 give it the old server's NetBIOS name and IP address; the old server must already be powered off.
- Open MMC > add the Certificates snap-in for the Computer account > Personal > Certificates > import the PFX exported in Step 1 together with its private key.
- From the Add Roles and Features Wizard, add the Network Policy and Access Services role and select Network Policy Server (plus the NAP and Health Registration Authority role services if the old server used them), click Next, select the certification authority and the certificate when prompted, and finish the installation.
Step 3: Register NPS in Active Directory.
- If you retained the NetBIOS name and IP address (scenario 2) and the old computer account was reused rather than deleted and recreated, the server is already registered: its computer account is still a member of the "RAS and IAS Servers" group.
- If the NetBIOS name and IP address are new, right-click NPS (Local) > Register server in Active Directory. This adds the computer account to the "RAS and IAS Servers" group, which is what gives NPS read access to users' dial-in properties; the account you use needs Domain Admin rights or delegated rights on that group.
Step 4: Import NPS policies
- Open the Network Policy Server console > right-click NPS (Local) > Import Configuration, point to the configuration XML file exported in Step 1 and import it. The import replaces the new server's current configuration, including RADIUS clients and their shared secrets.
- Right-click Templates Management > Import Templates from a File, point to the templates XML file exported in Step 1 and import it.
- Afterwards open the PEAP/EAP settings of each network policy and confirm that the certificate imported in Step 2 is the one selected.
Step 5: Test with a client
- Connect a client over Wi-Fi or VPN, whichever NPS was configured for.
- On the NPS server, open Event Viewer and check the Security log: event ID 6272 means NPS granted access and 6273 means it denied access (the event includes the reason and the matched policy). The same events are collected under Custom Views > Server Roles > Network Policy and Access Services. If nothing is logged at all, confirm the "Network Policy Server" audit subcategory is enabled before suspecting the policies.
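The same migration, scripted in PowerShell as an added example (this is not code from the original post). It assumes the NPS module cmdlets Export-NpsConfiguration and Import-NpsConfiguration (Windows Server 2012 and later), the PKI module's Export-PfxCertificate and Import-PfxCertificate, the RSAT ActiveDirectory module, and the placeholder share path, server names and certificate thumbprint shown at the top, all of which are assumptions. Templates are still exported and imported from the console as described above; the script does not handle them.

```powershell
# Added example (not from the original post): the migration above as PowerShell.
# Assumptions: NPS module (Export-/Import-NpsConfiguration), PKI module (Export-/Import-PfxCertificate),
# RSAT ActiveDirectory module, and the placeholder values below.
$Share      = '\\fileserver\migrate'      # UNC path reachable from old and new server (placeholder)
$ConfigXml  = Join-Path $Share 'nps-config.xml'
$PfxFile    = Join-Path $Share 'nps-cert.pfx'
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # thumbprint of the NPS server cert (placeholder)
$PfxPass    = Read-Host -AsSecureString -Prompt 'PFX password'

# Step 1 (run on the OLD server): export configuration and certificate, then lock both files down.
function Export-OldNps {
    Import-Module NPS
    # The XML holds every RADIUS shared secret in clear text, exactly like the console export.
    Export-NpsConfiguration -Path $ConfigXml
    Export-PfxCertificate -Cert "Cert:\LocalMachine\My\$Thumbprint" -FilePath $PfxFile -Password $PfxPass | Out-Null
    # Drop inherited ACEs and leave only the migrating account with access to the secrets.
    $operator = "$env:USERDOMAIN\$env:USERNAME"
    foreach ($f in $ConfigXml, $PfxFile) { icacls $f /inheritance:r /grant:r "${operator}:F" | Out-Null }
    # Templates: export from the console (Templates Management > Export Templates to a File).
}

# Steps 2-4 (run on the NEW server after it has joined the domain).
function Import-NewNps {
    Install-WindowsFeature NPAS -IncludeManagementTools | Out-Null   # Network Policy and Access Services
    Import-PfxCertificate -FilePath $PfxFile -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPass | Out-Null
    Import-Module NPS
    Import-NpsConfiguration -Path $ConfigXml
    # Step 3: "Register server in Active Directory" is membership of the computer account in
    # "RAS and IAS Servers". A rebuilt server with a new name must be added (Domain Admin rights needed);
    # a server that kept its name and computer account is normally still a member.
    Import-Module ActiveDirectory
    $me      = Get-ADComputer $env:COMPUTERNAME
    $members = Get-ADGroupMember 'RAS and IAS Servers' | Select-Object -ExpandProperty DistinguishedName
    if ($members -notcontains $me.DistinguishedName) {
        Add-ADGroupMember -Identity 'RAS and IAS Servers' -Members $me
        Write-Warning 'Added to RAS and IAS Servers; reboot so the computer account picks up the new group.'
    }
    Restart-Service IAS      # IAS is the service name of Network Policy Server
    # The secrets now live in the NPS configuration; remove the clear-text exports from the share.
    Remove-Item $ConfigXml, $PfxFile -Force
}

# Step 5 (run on the NEW server): list recent NPS authentication results from the Security log.
function Test-NpsAuth {
    param([int]$Minutes = 15)
    # Without this audit subcategory NPS writes nothing to the Security log.
    auditpol /get /subcategory:"Network Policy Server"
    # 6272 = access granted, 6273 = access denied (with Reason). Both carry client IP and matched policy.
    $filter = @{ LogName = 'Security'; Id = 6272, 6273; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        $result = if ($_.Id -eq 6272) { 'granted' } else { 'denied' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Result = $result
            User   = $data.SubjectUserName
            Client = $data.ClientIPAddress
            Policy = $data.NetworkPolicyName
            Reason = $data.Reason
        }
    } | Format-Table -AutoSize
}
```

Run Export-OldNps on the old server, then Import-NewNps and Test-NpsAuth on the new one after a client has tried to connect. Test-NpsAuth is also a quick way to spot the wrong certificate or a missing group membership: a denied event carries the reason text in the Reason column.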
Comments:
Hi Raihan, just wondering if you have come across this issue on an NPS server which does wireless authentication via certs.
The problem I'm having is:
On the NPS server, the computer certificate container has three certificates (RAS certificate, computer and Domain Controller Authentication cert). When we open the NPS policy and drill down to the list of available certificates, it picks up all the certificates from the computer store and selects the certificate with the longest lifetime (regardless of the cert type). I wanted to know how we can set the NPS server to pick up only the "RAS certificate" with subject information. The NPS server role is running on the same server as the RODC on Windows 2012 R2.
Even though NPS can be configured on an RODC, I would recommend isolating the two roles on two servers. By default the RODC is locked down for authentication purposes. What you are experiencing is real. My suggestion would be to remove all certificates installed on the NPS server, then re-issue and reinstall the certificate on the NPS server. Test again to see how it behaves.