Step 4: Configuring The Secondary IAS Server (If Applicable) - Extreme Networks Summit WM Technical Reference Manual

Version 5.1

Creating the Windows Security Infrastructure
Step 4: Configuring the secondary IAS server (if applicable)
To configure the secondary IAS server on another computer, do the following:
1 If you are using computer certificate autoenrollment and Windows 2000 IAS, force a refresh of
computer Group Policy by typing secedit /refreshpolicy machine_policy from a command prompt.
If you are using computer certificate autoenrollment and Windows Server 2003 IAS, force a refresh of
computer Group Policy by typing gpupdate /target:computer from a command prompt.
2 If you are using PEAP-MS-CHAP v2 authentication and have obtained a computer certificate from a
commercial CA, use the Certificates snap-in to import it into the Certificates (Local Computer)\
Personal\Certificates folder.
3 Install IAS as an optional networking component.
4 If you are using Windows 2000 IAS, install Windows 2000 SP4.
5 The secondary IAS server computer must be able to access account properties in the appropriate
domains. If IAS is being installed on a domain controller, no additional configuration is required in
order for IAS to access account properties in the domain of the domain controller.
If IAS is not installed on a domain controller, you must configure the secondary IAS server computer
to read the properties of user accounts in the domain. For more information, see the "Enable the IAS
server to read user accounts in Active Directory" procedure previously described.
If the secondary IAS server authenticates and authorizes connection attempts for user accounts in
other domains, verify that the other domains have a two-way trust with the domain in which the
secondary IAS server computer is a member. Next, configure the secondary IAS server computer to
read the properties of user accounts in other domains. For more information, see the "Enable the IAS
server to read user objects in Active Directory" procedure previously described.
If the secondary IAS server authenticates and authorizes connection attempts for user
accounts in other domains, and those domains do not have a two-way trust with the domain in
which the secondary IAS server computer is a member, you must configure a RADIUS proxy
between the two untrusted domains. If there are accounts in other Active Directory forests, you must
configure a RADIUS proxy between the forests. For more information, see "Cross-Forest
Authentication" in this article.
6 To copy the configuration of the primary IAS server to the secondary IAS server, type netsh aaaa
show config > path\file.txt at a command prompt on the primary IAS server. This stores the
configuration settings, including registry settings, in a text file. The path can be relative, absolute, or
a network path.
7 Copy the file created in step 6 to the secondary IAS server. At a command prompt on the secondary
IAS server, type netsh exec path\file.txt. This command imports all the settings configured on the
primary IAS server to the secondary IAS server.
NOTE
You cannot copy the IAS settings from an IAS server running Windows Server 2003 to an IAS server running
Windows 2000 Server.
Best Practice
If you change the IAS server configuration in any way, use the Internet Authentication Service snap-in
to change the configuration of the primary IAS server and then use steps 6 and 7 above to synchronize
those changes on the secondary IAS server.
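
The export and import steps (6 and 7 in the list above) as one command script, added here as an example and not taken from the manual; the script name iassync.cmd and the paths in the usage comments are assumed placeholders. It stops on a failed or empty export and deletes the dump after a successful import, because the file reproduces the primary's full configuration.

```batch
@echo off
rem Added example, not part of the Summit WM manual.
rem On the primary:   iassync.cmd export \\ias2\iascfg$\ias.txt   (placeholder path)
rem On the secondary: iassync.cmd import C:\iascfg\ias.txt        (placeholder path)
setlocal
if "%~2"=="" goto usage
if /i "%~1"=="export" goto export
if /i "%~1"=="import" goto import
goto usage

:export
rem Dump the primary's configuration, registry settings included.
netsh aaaa show config > "%~2"
if errorlevel 1 goto failed
rem An empty dump means nothing was exported; do not hand it to the secondary.
for %%F in ("%~2") do if %%~zF EQU 0 goto failed
echo Exported IAS configuration to %~2
goto :eof

:import
rem Replay the dump on the secondary IAS server.
if not exist "%~2" goto failed
netsh exec "%~2"
if errorlevel 1 goto failed
rem The dump is a complete copy of the primary's settings; remove it once applied.
del "%~2"
echo Imported IAS configuration and deleted %~2
goto :eof

:usage
echo Usage: %~nx0 export^|import path\file.txt
exit /b 1

:failed
echo IAS configuration %~1 failed for %~2
exit /b 1
```

Run the export on the primary after every change made in the Internet Authentication Service snap-in, then run the import on the secondary. Keep the destination folder readable by administrators only.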
46
Summit WM Technical Reference Guide, Software Version 5.1
