none
Configuring Radius in a new forest

    Question

  • Hello,

    At the moment, I'm working on cross forest migration for some users and computers to a new forest with External trust. However, the source forest has a Radius for authentication. That's why when I migrate a computer to the other forest, the users cannot logon their machines.

    As a result, I got to build a new Radius in the new forest and a CA. The new forest should have a computers running Windows7/8/10, so I wonder if I can done the compatibility settings for Windows 7 and it would work for Windows 8/10 or I've to create another templates for every Windows version.

    Thanks in advance.

    Wednesday, April 18, 2018 11:50 AM

All replies

  • Hi,

    Thanks for your question.

    Joining the a new domain which is already trusted by the old domain has no effect on the functionality of the NPS server, as long as you are authenticating the correct sec groups from AD in your old and new domains, clients are still authenticated.

    You may export the templates which are applicable to windows versions from original Radius in to the new Radius.  

    Please follow the article to see if it helps.

    https://araihan.wordpress.com/2015/01/07/migrate-network-policy-server-nps-from-windows-server-2008-r2-to-windows-server-2012-r2/

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Hope above information can help you.

    Highly appreciate your effort and time. If you have any questions and concerns, please feel free to let me know.

    Best regards, 

    Michael


    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, April 19, 2018 7:31 AM
  • Thank you for your response, but I got to build a new Radius at the new domain because the new forest is going to be fully isolated from the old one. That's why I need to know about the certificates.
    Thursday, April 19, 2018 8:06 AM
  • Hi Mohamed,

    Thanks for your update.

    The Cert template properties’ Compatibility tab helps to configure the options that are available in the certificate template. The options available in the certificate template properties change depending upon the operating system versions that are selected for the certification authority (CA) and certificate recipient.

    The settings that you configure on the Compatibility tab and in the certificate template properties determine the certificate template schema version that is created when the template is saved. The logic for determining the certificate template schema version that is created is as follows:

    1)If the CA operating system is Windows Server 2012 and the certificate recipient operating system is Windows 8, then a version 4 certificate template schema version is created.

    2)If the CA operating system is earlier than Windows Server 2012 or the certificate recipient is earlier than Windows 8, then a certificate template schema version 4 template is not created. The type of template created depends upon the cryptographic provider that is selected:

    If a cryptographic service provider (CSP) is selected, then a certificate template schema version 2 is created

    If a key storage provider (KSP) is selected, then a certificate template schema version 3 is created.

    In addition, if the configured CA is Windows Server 2008 R2 and the configured certificate recipient is Windows 7 / Server 2008 R2, the option to Renew with the same key would be unavailable.

    Please follow the thread for detailed information:

    https://social.technet.microsoft.com/wiki/contents/articles/13303.windows-server-2012-certificate-template-versions-and-options.aspx

    Certificate Template Versions

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725838(v=ws.11)

    Hope above information can help you.

    Highly appreciate your effort and time. If you have any questions and concerns, please feel free to let me know.

    Best regards, 

    Michael


    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    Thursday, April 19, 2018 9:05 AM
  • Hi,

    How are things going on? Was your issue resolved?

    Please let me know if you would like further assistance.

    Wish you have a nice day!

    Best regards,

    Michael


    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, April 23, 2018 12:30 PM
  • Hi,

    How are things going on? Was your issue resolved?

    Please let me know if you would like further assistance.

    Wish you have a nice day!

    Best regards,

    Michael


    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, April 26, 2018 12:42 PM