Migrate Network Policy Server (NPS) to a new server

Hayes Jupe, IT Director
CERTIFIED EXPERT
Microsoft infrastructure nerd with 20+ years experience. Australian based, but works worldwide.
Provides a step by step of how to migrate Windows NPS to a new server
Background
Migrating NPS from one Windows server to another is not a difficult process, but it is one that typically needs to be performed once every few years, and there are some key points that can make your life easier. NPS is commonly used as the RADIUS server for whatever products in the environment require RADIUS authentication, so a migration done badly means those products stop authenticating.

Target audience
This article is aimed at admins who want to migrate a single NPS server. NPS is often co-located on Domain Controllers, so as part of a DC upgrade process NPS must be migrated. This does not cover NPS with custom templates; these are pretty rare IMO.

Concepts
IP Swap - Where you swap the IP addresses of an "old" and a "new" server, so the new server "takes over" the IP address of the old one. This is commonly done where life is easier if the new server has the same IP address, such as when clients reference the server by IP rather than by DNS name.

Device configuration - Devices (switches, wireless controllers, VPN appliances and so on) vary: some allow a RADIUS server to be configured by IP address only, some by DNS name only, and some allow either. Prior to starting this work, it is wise to have a quick look at each device and determine whether it accepts an IP/name or must be configured with an IP only, because that decides whether an IP swap is needed at all.

NPS Migration 
  1. Log on to your source NPS server
  2. Open the NPS admin console
  3. Clean up the existing NPS server. Over time, things tend to drift and it is likely you will have old, unused policies and RADIUS clients. Remove these now so you are not bringing across extra rubbish that you don't need
  4. Right-click the NPS server and select "Export Configuration"
    1. Tick "I am aware that I am exporting all shared secrets"
    2. Enter a filename to export to - e.g. NPSExport.xml
    3. Note that the exported file contains every RADIUS client shared secret in clear text. Keep it somewhere only admins can read, copy it to the new server over a secure channel (not email), and delete it from both servers once the import is done
  5. Log on to the destination NPS server
  6. Copy the NPSExport.xml file you created in step 4.2 to the local server
    1. Right-click the NPS server and select "Import Configuration"
    2. Select the exported file - e.g. NPSExport.xml
  7. Right-click the NPS server and select "Register server in Active Directory". This adds the computer account to the "RAS and IAS Servers" group so NPS can read the dial-in properties of user accounts; without it, authentications against the new server will fail
  8. The export does not migrate SQL logging settings. If you are using SQL for NPS logging, at this stage you should manually copy over the settings from your source to destination server
  9. The export also does not carry over the server certificate or its private key. If any network policy uses PEAP or EAP-TLS, the destination server needs its own certificate (Server Authentication EKU, issued by a CA that your wireless/VPN clients already trust, typically the same internal CA). After the import, open each policy's EAP settings and confirm the new server's certificate is selected
  10. When you are ready to migrate
    1. If you are migrating to a completely new NPS server that will permanently be on a different IP address
      1. Update one client device to use the new name or IP (depending on what the device allows - some will allow either, some won't)
      2. Test an authentication through that device and confirm it appears in the new server's Security event log (NPS event ID 6272 = granted access, 6273 = denied access)
      3. Once the first one is successful, migrate all remaining clients - use the "RADIUS Clients" node as the reference list of devices you need to reconfigure
      4. Once complete and verified working, stop and disable the NPS service on the "old" server
    2. If you are performing an "IP Swap" - so the new NPS server will end up on the same IP as the old one
      1. Update one client device to use the new name - if you only have devices that use an IP, you can skip this step
      2. Test - if you only have devices that use an IP, then these devices will start using the "new" NPS server as soon as the IPs are swapped, so test immediately after the swap
      3. Once the first one is successful, migrate all remaining clients - use the "RADIUS Clients" node as a reference
      4. Once complete and verified working, stop and disable the NPS service on the "old" server
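The same procedure as a PowerShell runbook, added here as an example and not taken from the original article. It uses the netsh nps export/import commands that the console's "Export Configuration"/"Import Configuration" menu items wrap, plus the NPS PowerShell module (Windows Server 2012 and later). The export path C:\Temp\NPSExport.xml is assumed; run each section on the server named in its comment, not the whole file at once.

```powershell
# ---------- On the SOURCE NPS server ----------
# Export the full configuration including shared secrets. exportPSK=YES is the
# command-line equivalent of ticking "I am aware that I am exporting all shared secrets".
$Export = 'C:\Temp\NPSExport.xml'   # assumed path
netsh nps export filename="$Export" exportPSK=YES

# The XML holds every RADIUS client secret in clear text: restrict it to Administrators
# and SYSTEM before it goes anywhere.
icacls $Export /inheritance:r /grant:r 'BUILTIN\Administrators:F' 'SYSTEM:F' | Out-Null

# Reference list of the devices you will have to repoint later (the "RADIUS Clients" node).
Get-NpsRadiusClient | Select-Object Name, Address, Enabled | Format-Table -AutoSize

# ---------- On the DESTINATION NPS server ----------
# (copy the file over SMB or a PowerShell remoting session, then:)
$Import = 'C:\Temp\NPSExport.xml'
netsh nps import filename="$Import"

# Register in AD: adds this computer to "RAS and IAS Servers". Needs Domain Admin rights
# or delegated membership rights on that group.
netsh ras add registeredserver

# The export does not bring the old server's certificate. For PEAP/EAP-TLS policies this
# server needs its own: Server Authentication EKU, private key present, not expired.
$ServerCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication'
    }
if (-not $ServerCerts) {
    Write-Warning 'No Server Authentication certificate with a private key found; PEAP/EAP-TLS policies will fail until one is enrolled and selected in each policy.'
} else {
    $ServerCerts | Select-Object Subject, Thumbprint, NotAfter
}

# Make sure NPS auditing is on, otherwise the verification step below has nothing to show.
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

# The secrets are now in the NPS database; remove the clear-text copy.
Remove-Item $Import -Force

# ---------- Verification, after repointing the first client ----------
# 6272 = NPS granted access, 6273 = NPS denied access. Either event on the NEW server proves
# the device is talking to it; a 6273 means the client reached us but policy or certificate
# work remains (the event's Reason Code says which).
Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 6272, 6273
        StartTime = (Get-Date).AddMinutes(-15)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# ---------- On the OLD server, only once every client has been moved and verified ----------
# The NPS service is named IAS (a leftover from Internet Authentication Service).
Stop-Service IAS
Set-Service IAS -StartupType Disabled
```

If you prefer cmdlets to netsh, Export-NpsConfiguration -Path and Import-NpsConfiguration -Path from the NPS module do the same job; the clear-text-secret and certificate caveats apply equally to both.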

References
https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-export

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831346(v=ws.11)

Comments (7)

Thanks Hayes, much appreciated, this is very helpful. As the new servers are DCs, yes, changing IPs would not be an ideal option as you mentioned.
I guess there is nothing to configure on CA servers, as that section does not need to be touched? Am I correct to say that? Or maybe I should ask if I should check anything regarding CA servers and cert deployment?

thanks
Mess
Hi Hayes, I have little understanding of my environment and see wireless access points use a cert. In order to point them to new servers, do I need to generate a new cert?
https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-verify

This link does not talk about how to update clients. Really stuck with it. Thanks for your time and input.
Hayes Jupe, IT Director
CERTIFIED EXPERT
Distinguished Expert 2021

Author

Commented:
Hey - it's hard to know for sure without seeing your environment... but if they are issued from an internal CA, that internal CA will likely (assuming it's an enterprise CA) still be trusted on the new NPS servers and therefore the new certs should work... however, I'm making a number of assumptions there.
It sounds like you may need some external help, so I would suggest engaging a local consultant if you have one you trust to help you check this stuff, and maybe pick up a few things along the way.

Commented:
Nice article, Thank you!
My predecessor configured an NPS server on a DC for 802.1X. I exported and imported it to another DC to have two NPS servers. In case one fails, I can ask the network folks to switch to the other NPS. After the import, I do not see any reference to the old DC in the new DC's RADIUS clients. Will the new NPS work?
Hayes Jupe, IT Director
CERTIFIED EXPERT
Distinguished Expert 2021

Author

Commented:
Hi Sara... that's correct, you won't see any reference to the "old" or "new" DC as a RADIUS client... as it's not a RADIUS client.
