NPS Redundancy / Failover Windows Server 2012r2 with MS CA issued Certs

I have a small-ish network / server deployment in my home office that is primarily for lab testing and learning new technologies before using them in the real world. I have been trying to figure this one out, but I'm kinda stumped now. Most of the articles I read about this reference Windows Server 2008. I mean come on people, it's 2015! Anyway here is the crux of the matter:

MS AD with NPS running as RADIUS server. Works great for all network devices, 802.1X WiFi devices and even VPN authentication. But when I take it offline or I have to reboot it to make a change (it has several Hyper-V VMs running on it), I lose access to my WiFi, network devices, etc. I have a second Domain Controller (also 2012 R2) on a VM on vSphere 6.0. I added NPS to it, copied all the policies from the original NPS to it, and the only thing I changed was the certificates because it complained of the certs not being valid on the box. I added the 2nd entry to all the clients (except for the individual workstations which get their info from a Cisco 2504 WLC).

If the primary DC goes down and I am not wired in, within minutes I lose my WiFi as it cannot authenticate, and I cannot access any network devices or ASDM or VPN.

So, here are my possible solutions, in no particular order.....

1. Buy a cheap server that I can setup as the AD DC and put nothing but AD services and NPS on it.
2. Convert the existing AD DC to a secondary controller and remove NPS, then re-add NPS and use it strictly as a proxy, setting all the clients to point to it.
3. Remove the NPS from the current secondary controller and then re-add it strictly as an NPS server and use it as a proxy.

Seems very expensive for a lab, but I cannot affect people who are in online classes at the home office while I am "playing".

I have a (licensed) copy of Cisco ACS. But only 1 so I would be in the same situation.  Any thoughts? Help? Please?
Wyant Niswonger (President) asked:
kevinhsieh commented:
What you have should work. The wireless controllers need to be configured to use the second NPS server as well, and make sure that all your clients recognize its certificate as valid.
Craig Beck commented:
Kevin is right.

You should have 2 RADIUS servers configured in the WLC and your WLANs should be configured to use both.
Wyant Niswonger (President, author) commented:
OK, I am likely to accept this as multiple solutions. But I have the dumb "old" guy question... How do I get the certificate for each server onto the workstations? I think I can use a GPO, but when I run the GPO from the AD (let's call it JARVIS... yeah, I know, insert joke here) that certificate exists on Jarvis. But when I try to insert the cert from the BDC (I started Windows Server back in 3.5), and just for the sake of argument we'll call the BDC FRIDAY (OK, more eye rolls here!!!), I cannot see Friday's certificate on Jarvis so I can't add it to the GPO. Thoughts?
David Johnson, CD, MVP (Owner) commented:
There is no such thing as a BDC any more. What you need to do is only use the CA root certificate without the private key in your group policy.

If you trust the root CA then you trust everything issued by that CA and below.
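The three answers above boil down to three things to verify: each NPS server holds its own server-authentication certificate issued by the same enterprise CA, the clients trust that CA's root certificate (public part only, distributed by GPO), and both servers carry the same NPS policies. The PowerShell below is an added example, not code from any poster in this thread or from Microsoft. It assumes the thread's host names JARVIS (primary DC, where the root CA lives) and FRIDAY (second DC/NPS), a root CA whose subject CN is "Lab Root CA", and the temp paths shown; all of those are assumptions to replace with your own values.

```powershell
# Added example for the thread above; not code from any poster.
# Assumptions (replace with your own values): the enterprise root CA is on
# JARVIS, the second NPS server is FRIDAY, and the root CA's subject CN is
# "Lab Root CA".
$RootCaName = 'Lab Root CA'             # assumption: subject CN of the root CA
$CerPath    = 'C:\temp\lab-root-ca.cer' # assumption: where to write the public cert
$NpsServers = 'JARVIS', 'FRIDAY'        # assumption: both NPS hosts

# --- 1. Export the root CA certificate WITHOUT its private key --------------
# Export-Certificate writes only the public certificate (DER). This .cer file
# is what goes into the GPO under Computer Configuration > Policies >
# Windows Settings > Security Settings > Public Key Policies >
# Trusted Root Certification Authorities. The CA's private key never leaves the CA.
$rootCa = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=$RootCaName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $rootCa) { throw "Root CA '$RootCaName' not found in LocalMachine\Root" }

New-Item -ItemType Directory -Path (Split-Path $CerPath) -Force | Out-Null
Export-Certificate -Cert $rootCa -FilePath $CerPath -Type CERT | Out-Null

# Re-read the file and prove it carries no private key and is the right cert.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
if ($exported.HasPrivateKey) { throw "$CerPath contains a private key; do not distribute it" }
if ($exported.Thumbprint -ne $rootCa.Thumbprint) { throw 'Exported certificate does not match the root CA' }
Write-Host "Root CA exported to $CerPath (thumbprint $($exported.Thumbprint))"

# --- 2. Check that each NPS server's certificate chains to that root --------
# PEAP/EAP-TLS needs a Server Authentication cert (EKU 1.3.6.1.5.5.7.3.1) with a
# private key on EVERY NPS box, issued by the same CA the clients trust.
$rootThumb = $rootCa.Thumbprint
$report = foreach ($server in $NpsServers) {
    Invoke-Command -ComputerName $server -ArgumentList $rootThumb -ScriptBlock {
        param([string]$ExpectedRoot)
        $serverAuthOid = '1.3.6.1.5.5.7.3.1'
        $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.HasPrivateKey -and
                           ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid) } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
        if (-not $cert) {
            return [pscustomobject]@{ Server = $env:COMPUTERNAME; Subject = $null; NotAfter = $null
                                      ChainsToRoot = $false; Note = 'no Server Authentication cert with private key' }
        }
        # Build the chain on the server itself and compare its top element to the expected root.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $valid = $chain.Build($cert)
        $top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        [pscustomobject]@{
            Server       = $env:COMPUTERNAME
            Subject      = $cert.Subject
            NotAfter     = $cert.NotAfter
            ChainsToRoot = ($valid -and $top.Thumbprint -eq $ExpectedRoot)
            Note         = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        }
    }
}
$report | Format-Table Server, Subject, NotAfter, ChainsToRoot, Note -AutoSize

# --- 3. Copy the NPS policies from the primary to the secondary -------------
# Export-NpsConfiguration writes RADIUS client shared secrets in clear text,
# so keep the XML on an admin-only path and delete it when done.
# Import-NpsConfiguration replaces the target's whole configuration, and the
# EAP settings in the imported policies still point at the PRIMARY's
# certificate, so re-select FRIDAY's own certificate in each PEAP/EAP-TLS
# policy afterwards (this is the "certs not valid on the box" complaint).
$NpsXml = 'C:\temp\nps-config.xml'      # assumption: temp path on each server
Invoke-Command -ComputerName $NpsServers[0] -ArgumentList $NpsXml -ScriptBlock {
    param($p) Export-NpsConfiguration -Path $p }
Copy-Item -Path "\\$($NpsServers[0])\C$\temp\nps-config.xml" `
          -Destination "\\$($NpsServers[1])\C$\temp\nps-config.xml"
Invoke-Command -ComputerName $NpsServers[1] -ArgumentList $NpsXml -ScriptBlock {
    param($p) Import-NpsConfiguration -Path $p; Remove-Item $p -Force }
Invoke-Command -ComputerName $NpsServers[0] -ArgumentList $NpsXml -ScriptBlock {
    param($p) Remove-Item $p -Force }
```

Run it from a domain-admin session with PowerShell remoting enabled on both servers. Step 1 produces the only file that belongs in the GPO; if `ChainsToRoot` is false for a server in step 2, that server will fail PEAP even if the WLC lists it, so fix its certificate before adding it as a second RADIUS server on the controller. The controller side (two RADIUS servers per WLAN, as Craig Beck describes) is done in the WLC and is not covered here.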
