gopher_49
asked on
moving CA from Windows 2003 server to Windows 2012
I use a CA for 802.1x EAP TLS authentication.. I also used it to PEAP.. Can I just move my CA to a Windows 2012 server and then use NPS instead of IAS like I am now? If so.. Someone just give me an overview of the process...
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Jakob Digranes
and from this forum: https://www.experts-exchange.com/questions/28304968/Move-Certificate-Authority-from-2008-to-2012-R2.html
what about IAS, you are also planning to move IAS to NPS, right?
For that you do need to register all your access points (Wi-Fi devices) with new NPS server as radius clients and also you need to point these acces points to new NPS server
Also you need to configure network policies and connection policies in order to your wi-fi users get authenticated before they get valid IP address from DHCP
If you want to move IAS from 2003 to 2008 r2, follow teps in below article:
https://blogs.technet.microsoft.com/omers/2012/11/04/windows-2003-ias-radius-migration-to-windows-2008-r2-nps/
If you have 2008 server, then you already have NPS, its not IAS, IAS ends with 2003
If you want to migrate IAS or NPS from 2003 \ 2008 \ 2008 R2 to 2012 R2, follow steps in below article
https://technet.microsoft.com/en-us/library/hh831652(v=ws.11).aspx
The article written for 2012, but will be applicable to 2012 R2 as well
Only IASMigreader.exe location is changed on window 2012 R2 server, you can search 2012 R2 at "C:\windows\winsxs\some folder" for that file
Maheh.
For that you do need to register all your access points (Wi-Fi devices) with new NPS server as radius clients and also you need to point these acces points to new NPS server
Also you need to configure network policies and connection policies in order to your wi-fi users get authenticated before they get valid IP address from DHCP
If you want to move IAS from 2003 to 2008 r2, follow teps in below article:
https://blogs.technet.microsoft.com/omers/2012/11/04/windows-2003-ias-radius-migration-to-windows-2008-r2-nps/
If you have 2008 server, then you already have NPS, its not IAS, IAS ends with 2003
If you want to migrate IAS or NPS from 2003 \ 2008 \ 2008 R2 to 2012 R2, follow steps in below article
https://technet.microsoft.com/en-us/library/hh831652(v=ws.11).aspx
The article written for 2012, but will be applicable to 2012 R2 as well
Only IASMigreader.exe location is changed on window 2012 R2 server, you can search 2012 R2 at "C:\windows\winsxs\some folder" for that file
Maheh.
ASKER
Jakob Digranes,
I have a DirectAccess server that is not in a DMZ. It's on my LAN. I just port forward to it.. Is it okay to install DPS and CA on this same server? Or should my DPS/CA be on a dedicated server? I would imagine that's a much easier config...
I have a DirectAccess server that is not in a DMZ. It's on my LAN. I just port forward to it.. Is it okay to install DPS and CA on this same server? Or should my DPS/CA be on a dedicated server? I would imagine that's a much easier config...
I'd generally recommend separating roles, at least for CA services. I've billed many hours to customers collocating DC and PKIs
ASKER
Can I install DPS on my DirecAccess server and then have my CA on a dedicated VM? Currently my CA is on a DC.
When you talk aboud DPS, do you mean policy server (NPS)?
You could have CA and DPS collocated - I'd never collocate Direct Access with anything.
How many users?
You could have CA and DPS collocated - I'd never collocate Direct Access with anything.
How many users?
ASKER
Yes.. Sorry... I meant NPS.. So.. I can put CA and DPS on the same server.. Then I'll the freedom of putting DA in a DMZ one day... Correct?
yes :)
ASKER
Jakob,
I'll start the install this week and will update you ASAP.
I'll start the install this week and will update you ASAP.