IAS to NPS Migration Problems

    Question

  • I have a Windows 2000 domain controller that is running IAS. I'm preparing to upgrade our domain to Windows 2008 R2. We have policies on the IAS server configured for VPN users and WiFi authentication. I know the iasmigreader.exe utility can be used to migrate settings from a Windows 2003 IAS server to Windows 2008 R2, but it doesn't mention whether or not it can be used on a Windows 2000 server. I thought I'd give it a try anyways, and the tool did successfully export the Ias.txt file. When I imported the Ias.txt file on a 2008 R2 server running NPS, it gave me an error that I don't recall what it said. However, I looked at the settings of the Radius Clients and Network Policies in NPS, and they all matched up with the 2000 IAS server.

    I had our network engineer reconfigure the VPN router to point to the NPS server, but clients could not authenticate. When I looked through the logs, it mentioned that there were no Connection Request Policies configured. I confirmed that there were no such policies configured, even though I thought one was supposed to have been created by default.

    IAS doesn't have Connection Request Policies, so I'm not really sure what I need to configure to get my imported settings to work. Does anyone have any suggestions as to what kind of Connection Request Policies I need to configure in order for authentication to work properly?

    Thanks.

    Tuesday, April 5, 2011 19:36

Answers

  • Hi Marks70,

    Thanks for posting here.

    I’m afraid that the iasmigreader.exe utility is not applicable to Windows 2000 Server.

    Consider that requirement right now, you may follow the migration roadmap from “Windows 2000 -> Windows Server 2003 -> Windows Server 2008” to achieve the goal.

    How to import and to export IAS configuration information from one Windows 2000 Server-based computer to another Windows 2000 Server-based computer or to another Windows 2003 Server-based computer

    http://support.microsoft.com/kb/883619

    NPS Migration Guide

    http://technet.microsoft.com/en-us/library/ee791849(WS.10).aspx

    Tool for migrating IAS configuration settings to NPS is now available!

    http://blogs.technet.com/b/nap/archive/2009/01/15/tool-for-migrating-ias-configuration-settings-to-nps-is-now-available.aspx

    Thanks.

    Tiger Li

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by Tiger Li Friday, April 8, 2011 09:36
    Wednesday, April 6, 2011 02:16
  • Hi.

    I see two ways for you to go:

    1.  Restart with a clean NPS service
        • Stop the service
        • Remove the %systemroot%\system32\ias\ias.xml file
        • Start the service
    2.  Recreate the "Use Windows authentication for all users" Connection request policy
        • Create a new Connection request policy
        • Name it something smart
        • Add Day and Time restrictions
        • Click Permit, so everything becomes selected
        • Then Next yourself through
        • If you really want it to get the same processing order also, you need to edit the ias.xml file, and edit "msNPSequence" for that policy.

    Oscar Virot
    • Marked as answer by Tiger Li Friday, April 8, 2011 09:36
    Wednesday, April 6, 2011 06:57
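
    The first option in the reply above, as an added example that is not part of the original thread: it moves ias.xml aside instead of deleting it, restarts NPS, and then checks that a connection request policy exists. It assumes an elevated PowerShell session on the NPS server; the backup file name is an assumption.

```powershell
# Added example, not code from the thread. Run elevated on the NPS server.
$ErrorActionPreference = 'Stop'

$iasDir = Join-Path $env:SystemRoot 'System32\ias'
$iasXml = Join-Path $iasDir 'ias.xml'
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $iasDir "ias.xml.$stamp.bak"   # assumed backup name

# "IAS" is the service name of Network Policy Server.
Stop-Service -Name IAS

# Move the file aside rather than deleting it, so the imported RADIUS clients
# and network policies can still be recovered. Treat the copy as sensitive:
# NPS configuration includes RADIUS shared secrets, so keep it on the server
# under the directory's existing ACL.
if (Test-Path $iasXml) {
    Move-Item -Path $iasXml -Destination $backup
}

# Per the reply above, NPS then starts with a clean configuration.
Start-Service -Name IAS

# List the connection request policies. The question's logs reported that
# none were configured, and clients could not authenticate in that state.
$crp = netsh nps show crp
$crp

$defaultName = 'Use Windows authentication for all users'
if (-not ($crp | Select-String -SimpleMatch $defaultName)) {
    Write-Warning "Connection request policy '$defaultName' not found; recreate it before pointing RADIUS clients at this server."
}
```

    RADIUS clients and network policies have to be re-imported afterwards, because the clean start removes them along with the rest of the old configuration.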

All replies

  • Thank you both. I will look into both of your suggestions and get back to you.
    Wednesday, April 6, 2011 19:26
  • Hi Marks70,

    If there is any update on this issue, please feel free to let us know.

    We are looking forward to your reply.

    Tiger Li

    Thursday, April 7, 2011 12:43
  • Hello,

    I went with both of your suggestions. I first wiped out the existing ias.xml file. I then set up IAS on a Windows 2003 machine, exported the IAS config from the 2000 box, imported to the 2003 box, ran the Iasmigreader.exe utility to export it again, and finally imported it on the 2008 R2 machine. This time I didn't get the error that I got when I tried it previously directly from the 2000 machine.

    I won't have a chance to see if the NPS server is now able to accept connections from clients until next week, when our network engineer comes back onsite.

    I still have a question regarding Connection Request Policies. Our NPS server now has the default Connection Request Policy. This server will be the one providing the authentication (won't be a proxy). Is this default Connection Request Policy sufficient for this, or do I need to create a new one? The configuration options for these policies seem similar to the other policies, and I'm not really sure what I might need to change.

    Thanks.

    Friday, April 8, 2011 16:23