Provides a step by step of how to migrate Windows NPS to a new server
Background
Migrating NPS from one Windows server to another is not a difficult process, but it is one that potentially needs to be performed once every few years - and it has some key points that can make your life easier. NPS is commonly used as the RADIUS server for any product in the environment that requires RADIUS.
Target audience
This article is aimed at admins who want to migrate a single NPS server. NPS is often co-located on Domain Controllers - and as part of a DC upgrade process - NPS must be migrated. This does not cover NPS with custom templates - these are pretty rare IMO.
Concepts
IP Swap - where you swap the IP addresses of an "old" and a "new" server, so the new server "takes over" the IP address of the old server. This is commonly done where it makes life easier for the new server to keep the same IP address - such as when DNS records point to it.
Device configuration - it is common that devices allow an IP address only, a DNS name only, or both. Before starting this work, it is wise to have a quick look at each device and determine whether it accepts an IP or a name, or whether it must be configured with an IP only.
NPS Migration
Logon to your source NPS server
Open the NPS admin console
Clean up the existing NPS server. Over time, things tend to drift and it is likely you will have old, unused policies etc. Remove these now so you are not bringing across extra rubbish that you don't need
Right click the NPS server and select "export configuration"
Tick "I am aware that I am exporting all shared secrets"
Enter a filename to export to - e.g. NPSExport.xml
Logon to the destination NPS server
Copy the NPSExport.xml file you created in the export step above to the local server
Right click the NPS server and select "import configuration"
Select the exported file - e.g. NPSExport.xml
Right click the NPS server and select "Register Server in Active Directory"
This does not migrate SQL logging settings. If you are using SQL for NPS logging, at this stage you should manually copy the settings across from your source server to the destination server
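The export, copy, import and register steps above, driven from PowerShell instead of the NPS console. This is an added example, not code from the article. It assumes the NPS PowerShell module (Windows Server 2012 and later), a local administrator session on each server, and the placeholder server names OLD-NPS and NEW-NPS and the path C:\NPSExport.xml, all of which are constructed for the example. The "source" part is run on the old server and the "destination" part on the new one.

```powershell
# Added example (not the article's own code). Placeholders: OLD-NPS, NEW-NPS, C:\NPSExport.xml
$SourceServer = 'OLD-NPS'          # placeholder: existing NPS server
$TargetServer = 'NEW-NPS'          # placeholder: server being migrated to
$ExportFile   = 'C:\NPSExport.xml' # placeholder path for the exported configuration

# ---- Run on the SOURCE server ----
# Review what will be carried across; remove stale clients/policies in the console first.
Get-NpsRadiusClient | Format-Table Name, Address, Enabled -AutoSize

# Export the whole configuration. The XML contains every RADIUS shared secret in clear
# text (this is what the console's "I am aware that I am exporting all shared secrets"
# tick box refers to), so it is kept on the two servers only and deleted after import.
Export-NpsConfiguration -Path $ExportFile

# netsh equivalent if the module is not available on an older server:
#   netsh nps export filename="C:\NPSExport.xml" exportPSK=YES

# Copy the file to the destination over the administrative share
Copy-Item -Path $ExportFile -Destination "\\$TargetServer\C$\NPSExport.xml"

# ---- Run on the DESTINATION server ----
Import-NpsConfiguration -Path $ExportFile
# netsh equivalent:
#   netsh nps import filename="C:\NPSExport.xml"

# "Register Server in Active Directory" from the console; this adds the computer
# account to the "RAS and IAS Servers" group so NPS can read users' dial-in properties.
netsh ras add registeredserver

# Verify the import: the client list should match the source, and the NPS service
# should be listening on the RADIUS authentication/accounting ports.
Get-NpsRadiusClient | Format-Table Name, Address, Enabled -AutoSize
Get-NetUDPEndpoint -LocalPort 1812, 1813 |
    Format-Table LocalAddress, LocalPort, OwningProcess -AutoSize

# SQL accounting settings are not part of the export; re-enter them in the console
# under Accounting on the destination server.

# Remove the clear-text export from both servers once the import is verified
Remove-Item -Path $ExportFile -Force
Remove-Item -Path "\\$SourceServer\C$\NPSExport.xml" -Force
```

The two Get-NpsRadiusClient listings give a before/after comparison that is quicker than eyeballing the console, and the Get-NetUDPEndpoint check confirms the service is actually bound on the new server before any device is re-pointed at it.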
When you are ready to migrate
If you are migrating to a completely new NPS server that will permanently be on a different IP address:
Update one client device to use the new name or IP (depending on what the device allows - some will allow either, some won't)
Test
Once the first one is successful - migrate all remaining clients - use the "RADIUS client" tab as a reference for devices that you need to reconfigure
Once complete and verified working, stop and disable the NPS service on the "old" server
If you are performing an "IP Swap" - so the new NPS server will be on the same IP as the old one originally had:
Update one client device to use the new name - if you only have devices that use IP, you can skip this step
Test - if you only have devices that use IP, then these devices will start using the "new" NPS server as soon as the IPs are swapped
Once the first one is successful - migrate all remaining clients - use the "RADIUS client" tab as a reference
Once complete and verified working, stop and disable the NPS service on the "old" server
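The cutover checks for either path above, as an added example that is not part of the article: list the RADIUS clients still to be re-pointed, confirm that the first re-pointed device is now being authenticated by the new server, check that the old server has gone quiet, and finally stop and disable NPS on it. It is run on the new NPS server and assumes the placeholder old server name OLD-NPS and a first client address of 10.0.0.50, both constructed for the example; the Get-RecentNpsAuthEvents helper is also hypothetical.

```powershell
# Added example (not the article's own code). Placeholders: OLD-NPS, 10.0.0.50
$OldServer   = 'OLD-NPS'    # placeholder: server being retired
$FirstClient = '10.0.0.50'  # placeholder: the one device re-pointed first

# Reference list of every device that has to be reconfigured (the "RADIUS Clients" tab)
Get-NpsRadiusClient | Sort-Object Name | Format-Table Name, Address, Enabled -AutoSize

# "Test": NPS records each request it handled in the Security log of the server that
# handled it: event 6272 = access granted, 6273 = access denied. Either event for the
# re-pointed device on the NEW server shows the device now talks to this server.
function Get-RecentNpsAuthEvents {
    param(
        [Parameter(Mandatory)][string]$ClientAddress,
        [int]$Minutes = 15
    )
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 6272, 6273
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue   # no events at all is not an error here

    # The RADIUS client's address appears in the event text as "Client IP Address:"
    $events |
        Where-Object { $_.Message -match [regex]::Escape($ClientAddress) } |
        Select-Object TimeCreated, Id,
            @{ n = 'Result'; e = { if ($_.Id -eq 6272) { 'Granted' } else { 'Denied' } } }
}

Get-RecentNpsAuthEvents -ClientAddress $FirstClient

# Once every device has been moved, the OLD server should produce no new 6272/6273
# events at all; a non-zero count means something still points at it.
(Get-WinEvent -ComputerName $OldServer -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6272, 6273
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue | Measure-Object).Count

# Final step: stop and disable NPS (service name IAS) on the old server
Invoke-Command -ComputerName $OldServer -ScriptBlock {
    Stop-Service -Name IAS
    Set-Service  -Name IAS -StartupType Disabled
    Get-Service  -Name IAS | Select-Object Name, Status, StartType
}
```

Checking the old server's Security log for a zero count before disabling the service is the cheap way to catch a device that was missed on the RADIUS Clients list; it is more reliable than assuming the list in the console was complete.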
Comments (7)
Commented:
Thanks Hayes, much appreciated, this is very helpful. As the new servers are DCs, yes, changing IPs would not be an ideal option as you mentioned. I guess there is nothing to configure on the CA servers, as that section does not need to be touched? Am I correct to say that? Or maybe I should ask whether I should check anything regarding the CA servers and cert deployment?
thanks
Mess
Commented:
https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-verify
This link does not talk about how to update clients. Really stuck with it. Thanks for your time and input.
Author commented:
Hey - it's hard to know for sure without seeing your environment... but if they are issued from an internal CA, that internal CA will likely (assuming it's an enterprise CA) still be trusted on the new NPS servers and therefore the new certs should work... however, I'm making a number of assumptions there. It sounds like you may need some external help - so I would suggest engaging a local consultant if you have one you trust to help you check this stuff - and maybe pick up a few things along the way.
Commented:
Nice article, thank you! My predecessor configured an NPS server at a DC for 802.1X. I exported and imported it to another DC to have two NPS servers. In case one fails, I can ask the network folks to switch to the other NPS. After the import, I do not see any reference to the old DC in the new DC in the RADIUS client. Will the new NPS work?