Migrating the NPS Server
Applies To: Windows Server 2012 R2
This topic contains steps and procedures for migrating the Network Policy Server (NPS) role service from a legacy source server to a new x64-based destination server running Windows Server 2012 R2.
This topic includes sample Windows PowerShell cmdlets that you can use to automate some of the procedures described. For more information, see Using Cmdlets.
Known issues
If you previously created conditional attributes for your remote access policy using Called Station ID and Calling Station ID, the comparison of these attributes in Windows Server 2012 R2 uses a regular expression instead of matching the exact string. For a description of these attributes, see Remote Access Policy Conditions in the IAS Authorization section.
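The difference between exact-string and regular-expression comparison, shown as an added example that is not part of the original topic. It uses .NET regular expressions as a stand-in for the NPS comparison (an assumption), and the function name and station ID values are constructed for illustration.

```powershell
# Added example, not from the original topic. Assumption: .NET regular expressions
# (PowerShell -match) stand in for the pattern matching that NPS applies.
function Test-StationIdCondition {
    param(
        [Parameter(Mandatory)] [string]   $ConditionValue,  # value stored in the migrated policy
        [Parameter(Mandatory)] [string[]] $StationId        # IDs a RADIUS client might send
    )
    # Escaping the metacharacters and anchoring both ends restores exact-string behavior.
    $anchored = '^' + [regex]::Escape($ConditionValue) + '$'
    foreach ($id in $StationId) {
        [pscustomobject]@{
            StationId     = $id
            ExactString   = ($id -eq $ConditionValue)     # legacy comparison
            AsRegex       = ($id -match $ConditionValue)  # same value read as a pattern
            AnchoredRegex = ($id -match $anchored)        # corrected pattern
        }
    }
}

# Constructed sample values.
# '.' matches any character and the pattern is unanchored, so more IDs are accepted.
Test-StationIdCondition -ConditionValue '10.0.0.1' `
    -StationId '10.0.0.1', '10.0.0.10', '110.0.0.1', '10a0b0c1' | Format-Table -AutoSize

# '+' becomes a quantifier, so the original ID itself no longer matches.
Test-StationIdCondition -ConditionValue '00-1A-2B-3C-4D-5E:Corp+Guest' `
    -StationId '00-1A-2B-3C-4D-5E:Corp+Guest', '00-1A-2B-3C-4D-5E:CorppGuest' | Format-Table -AutoSize
```

Rows where ExactString and AsRegex disagree are the policy conditions to review after migration.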
Exporting settings from the source server
Use the following procedures to export the NPS settings from your x86-based or x64-based source server prior to migrating to an x64-based server running Windows Server 2012. Follow the steps in the appropriate section based on the version of Windows Server that is running on the source server:
Warning
When you use the following procedures to export configuration settings, apply appropriate precautions when moving these files from the source server to destination servers. NPS server configurations are not encrypted in the exported XML file, and contain shared secrets for RADIUS clients and members of remote RADIUS server groups. Therefore, sending these files over a network connection might pose a security risk. You can add the file to an encrypted, password protected archive file before moving the file to provide greater security. In addition, store the file in a secure location to prevent access by unauthorized users.
Exporting settings from Windows Server 2003
Configuration settings for Internet Authentication Service (IAS) in Windows Server 2003 are stored in .MDB files. Configuration settings for Network Policy Server (NPS) in Windows Server 2012 are stored in .XML files. Iasmigreader.exe is a command-line tool that exports the configuration settings of IAS on a computer running Windows Server 2003 to a text file. You can obtain the iasmigreader.exe command line migration tool for migrating Windows Server 2003 IAS settings to Windows Server 2012 from the following locations:
Windows Server 2012 installation media provides a copy of the migration tool in the \sources\dlmanifests\microsoft-windows-iasserver-migplugin\ directory.
The migration tool is available in the %windir%\syswow64\ directory on a server running Windows Server 2012.
To export settings from a source server running Windows Server 2003
Copy iasmigreader.exe to the source server into a directory configured in the %path% environment variable.
Tip
To review the source server’s %path% configuration, type echo %path% at a command prompt and press Enter.
At an elevated command prompt, type iasmigreader.exe, and then press Enter. The migration tool will automatically export settings to a text file.
Important
Configuration changes made to IAS will take at least one minute to be available for export.
IAS settings are stored in the file ias.txt located in the %windir%\system32\ias directory on the source server. If you are running a 64-bit version of Windows Server 2003, the ias.txt file is located in the %windir%\syswow64\ias directory.
You must manually copy SQL log configuration settings on the source server to a file (example: sql.txt).
To record these settings:
At an elevated command prompt, type ias.msc, and then press Enter.
In the IAS console tree, click Remote Access Logging, right-click SQL Server, and then click Properties.
Record the configuration settings on the Settings tab, and then click Configure.
Manually record all configuration settings from the Connection and Advanced tabs by copying them into the sql.txt file. Alternatively, you can click the All tab and enter Name and Value settings displayed on each line into the sql.txt file. For a list of text logging and SQL configuration settings that you need to record manually, see Appendix A - Data Collection Worksheet.
Copy the ias.txt and sql.txt files to the migration store file location.
Warning
Store the ias.txt and sql.txt files in a secure location. These files contain shared secret information and SQL connection strings.
Important
When you migrate the configuration settings of the IAS role service that is running on a 32-bit or a 64-bit Windows Server 2003–based source server to the NPS role service that is running on a Windows Server 2012 R2–based destination server, the import procedure seems to complete successfully. However, the Extensible Authentication Protocol (EAP) method is misconfigured. This occurs because the migration tool generates a faulty parameter that is stored in the configuration text file (ias.txt). For more information about this issue and for a workaround, see The EAP method is configured incorrectly during the migration process from Windows Server 2003 32-bit or a 64-bit to Windows Server 2008 R2 (https://go.microsoft.com/fwlink/?LinkID=181982).
Exporting settings from Windows Server 2008
Configuration settings for NPS in Windows Server 2008 are stored in .XML files that can be directly imported to the destination server. The Network Shell (NetSh) command line utility can be used to export and import these settings. You can also use the Windows interface to import and export these settings.
Warning
You cannot use the Windows interface or a command line to export or import detailed SQL configuration settings. For a list of text logging and SQL configuration settings that you need to record manually, see Appendix A - Data Collection Worksheet.
To export settings from a source server running Windows Server 2008 using a command line
On the source NPS server, open an elevated command prompt, type the following command and then press Enter:
netsh nps export filename="path\file.xml" exportPSK=YES
Replace path with the directory location where you want to save the source server configuration file, and replace file with the name of the .XML file that you want to save.
Confirm that a message appears indicating that the export to file was successful.
On the source server, type the following command and then press Enter:
netsh nps show sqllog > path\sql.txt
Replace path with the directory location where you want to save the source server SQL configuration file, and replace sql with the name of the .TXT file that you want to save. This file contains the basic configuration for SQL logging that is found on the Settings tab in SQL logging properties. For a list of text logging and SQL configuration settings that you need to record manually, see Appendix A - Data Collection Worksheet.
Copy the file.xml and sql.txt files to the migration store file location. This information will be required for configuration of the destination server.
To export settings from a source server running Windows Server 2008 using the Windows interface
On the source server, open Server Manager.
In the Server Manager console tree, open Roles\Network Policy and Access Services\NPS.
Right-click NPS, and then click Export Configuration.
In the dialog box that appears, select the check box next to I am aware that I am exporting all shared secrets, and then click OK.
Next to File name, type file.xml, navigate to the migration store file location, and then click Save.
If you have configured SQL logging, you must manually record detailed SQL configuration settings.
To record these settings:
In the NPS console tree, click Accounting and then click Change SQL Server Logging Properties.
Record the configuration settings on the Settings tab, and then click Configure.
Manually record all configuration settings from the Connection and Advanced tabs by copying them into the sql.txt file. Alternatively, you can click the All tab and enter Name and Value settings displayed on each line into the sql.txt file. For a list of text logging and SQL configuration settings that you need to record manually, see Appendix A - Data Collection Worksheet.
Copy the ias.txt and sql.txt files to the migration store file location.
Exporting settings from Windows Server 2008 R2
Configuration settings for NPS in Windows Server 2008 R2 are stored in .XML files that can be directly imported to the destination server. The Network Shell (NetSh) command line utility can be used to export and import these settings. You can also use the Windows interface to import and export settings.
Warning
You cannot use the Windows interface or a command line to export or import detailed SQL configuration settings. For a list of text logging and SQL configuration settings that you need to record manually, see Appendix A - Data Collection Worksheet.
Important
The netsh utility does not support migration of template configuration settings. To migrate these settings, you must use the Windows interface.
To export settings from a source server running Windows Server 2008 R2 using a command line
On the source NPS server, open an elevated command prompt, type the following command and then press Enter:
netsh nps export filename="path\file.xml" exportPSK=YES
Replace path with the directory location where you want to save the source server configuration file, and replace file with the name of the .XML file that you want to save.
Confirm that a message appears indicating that the export to file was successful.
On the source server, type the following command and then press Enter:
netsh nps show sqllog > path\sql.txt
Replace path with the directory location where you want to save the source server SQL configuration file, and replace sql with the name of the .TXT file that you want to save. This file contains the basic configuration for SQL logging that is found on the Settings tab in SQL logging properties. For a list of text logging and SQL configuration settings that you need to record manually, see Appendix A - Data Collection Worksheet.
Copy the file.xml and sql.txt files to the migration store file location. This information will be required for configuration of the destination server.
To export settings from a source server running Windows Server 2008 R2 using the Windows interface
On the source server, open Server Manager.
In the Server Manager console tree, open Roles\Network Policy and Access Services\NPS.
Right-click NPS, and then click Export Configuration.
In the dialog box that appears, select the check box next to I am aware that I am exporting all shared secrets, and then click OK.
Next to File name, type file.xml, navigate to the migration store file location, and then click Save.
In the console tree, right-click Templates Management and then click Export Templates to a file.
Next to File name, type iastemplates.xml, navigate to the migration store file location, and then click Save.
If you have configured SQL logging, you must manually record detailed SQL configuration settings.
To record these settings:
In the NPS console tree, click Accounting and then click Change SQL Server Logging Properties.
Record the configuration settings on the Settings tab, and then click Configure.
Manually record all configuration settings from the Connection and Advanced tabs by copying them into the sql.txt file. Alternatively, you can click the All tab and enter Name and Value settings displayed on each line into the sql.txt file. For a list of text logging and SQL configuration settings that you need to record manually, see Appendix A - Data Collection Worksheet.
Copy the file.xml, iastemplates.xml, and sql.txt files to the migration store file location. This information will be required for configuration of the destination server.
Exporting settings from Windows Server 2012 or Windows Server 2012 R2
Configuration settings for NPS in Windows Server 2012 R2 are stored in .XML files that can be directly imported to the destination server. You can use the following methods to export and import these settings:
The Network Shell (NetSh) command line utility
The Windows interface
Windows PowerShell cmdlets
Warning
You cannot use Windows PowerShell, the Windows interface or a command line to export or import detailed SQL configuration settings. For a list of text logging and SQL configuration settings that you need to record manually, see Appendix A - Data Collection Worksheet.
Important
The netsh utility and Windows PowerShell do not support migration of template configuration settings. To migrate these settings, you must use the Windows interface.
To export settings from a source server using Windows PowerShell
On the source server, create a new folder for your settings (for example: C:\ConfigSettings).
Export your configuration settings to an .xml file in that folder, by following these steps.
On the Start screen, type PowerShell, and then press Enter.
To switch to the NPS context, enter the following Windows PowerShell command and then press Enter:
Import-Module NPS
To export the configuration file to an .xml file, enter the following Windows PowerShell command, using the -path parameter to identify the name of the .xml file to be created and the folder into which it should be placed:
Export-NpsConfiguration [-Path] <String>
Tip
For example: Export-NpsConfiguration -Path C:\ConfigSettings\nps01.xml
Warning
The exported file contains unencrypted shared secrets for RADIUS clients and members of remote RADIUS server groups. Because of this, you should ensure that the file is stored in a secure location to prevent malicious users from accessing the file.
Confirm that no errors were reported by Windows PowerShell.
If you have configured SQL logging, you must manually record detailed SQL configuration settings.
To record these settings:
In the NPS console tree, click Accounting and then click Change SQL Server Logging Properties.
Record the configuration settings on the Settings tab, and then click Configure.
Manually record all configuration settings from the Connection and Advanced tabs by copying them into the sql.txt file. Alternatively, you can click the All tab and enter Name and Value settings displayed on each line into the sql.txt file. For a list of text logging and SQL configuration settings that you need to record manually, see Appendix A - Data Collection Worksheet.
Copy the file.xml, iastemplates.xml, and sql.txt files to the migration store file location. This information will be required for configuration of the destination server.
To export settings from a source server using the Netsh utility
On the source NPS server, open an elevated command prompt, type the following command and then press Enter:
netsh nps export filename="path\file.xml" exportPSK=YES
Replace path with the directory location where you want to save the source server configuration file, and replace file with the name of the .XML file that you want to save.
Confirm that a message appears indicating that the export to file was successful.
On the source server, type the following command and then press Enter:
netsh nps show sqllog > path\sql.txt
Replace path with the directory location where you want to save the source server SQL configuration file, and replace sql with the name of the .TXT file that you want to save. This file contains the basic configuration for SQL logging that is found on the Settings tab in SQL logging properties. For a list of text logging and SQL configuration settings that you need to record manually, see Appendix A - Data Collection Worksheet.
Copy the file.xml and sql.txt files to the migration store file location. This information will be required for configuration of the destination server.
To export settings from a source server using the Windows interface
On the source server, open Server Manager.
In the Server Manager console tree, click ALL SERVERS, then from the list of servers in the right pane, right-click the relevant server and select Network Policy Server.
Right-click the root node NPS, and then click Export Configuration.
In the dialog box that appears, select the check box next to I am aware that I am exporting all shared secrets, and then click OK.
Next to File name, type file.xml, navigate to the migration store file location, and then click Save.
In the console tree, right-click Templates Management and then click Export Templates to a file.
Next to File name, type iastemplates.xml, navigate to the migration store file location, and then click Save.
If you have configured SQL logging, you must manually record detailed SQL configuration settings.
To record these settings:
In the NPS console tree, click Accounting and then click Change SQL Server Logging Properties.
Record the configuration settings on the Settings tab, and then click Configure.
Manually record all configuration settings from the Connection and Advanced tabs by copying them into the sql.txt file. Alternatively, you can click the All tab and enter Name and Value settings displayed on each line into the sql.txt file. For a list of text logging and SQL configuration settings that you need to record manually, see Appendix A - Data Collection Worksheet.
Copy the file.xml, iastemplates.xml, and sql.txt files to the migration store file location. This information will be required for configuration of the destination server.
Importing settings to the destination server
Use the following procedures to import the NPS settings from your x86-based or x64-based source server to an x64-based destination server running Windows Server 2012 R2.
Importing settings from Windows Server 2003
The configuration file ias.txt that was exported from the source server is in a format that can be imported to a destination server running Windows Server 2012 or Windows Server 2012 R2. If SQL accounting settings were saved, these settings are recorded manually in the sql.txt file.
Important
When you migrate the configuration settings of the IAS role service that is running on a 32-bit or a 64-bit Windows Server 2003–based source server to the NPS role service that is running on a Windows Server 2012 R2–based destination server, the import procedure seems to complete successfully. However, the Extensible Authentication Protocol (EAP) method is misconfigured. This occurs because the migration tool generates a faulty parameter that is stored in the configuration text file (ias.txt). For more information about this issue and for a workaround, see The EAP method is configured incorrectly during the migration process from Windows Server 2003 32-bit or a 64-bit to Windows Server 2008 R2 (https://go.microsoft.com/fwlink/?LinkID=181982).
To import settings from a source server running Windows Server 2003
Copy the configuration file ias.txt that was exported to the migration store file location to the destination NPS server. Alternatively you can import configuration settings directly from the migration store file location by supplying the appropriate path to the file in the import command.
On the destination server, use either netsh or Windows PowerShell to import the configuration.
To use netsh, do the following:
Open an elevated command prompt, type the following command and then press Enter:
netsh nps import filename="path\ias.txt"
Replace path with the directory where the ias.txt file is located. Verify that a message appears indicating that the import process was successful.
Tip
If the configuration file is located on a network share, provide the full path to the file. For example: netsh nps import filename="\\fileserver1\Data\ias.txt".
To use Windows PowerShell, do the following:
On the Start screen, type PowerShell, and then press Enter.
To switch to the NPS context, enter the following Windows PowerShell command:
Import-Module NPS
To import the configuration, enter the following:
Import-NpsConfiguration [-Path] <String>
Replace String with the directory where the ias.txt file is located. Verify that a message appears indicating that the import process was successful.
Tip
For example: Import-NpsConfiguration -Path c:\temp\ias.txt
If required, configure SQL accounting. To configure SQL accounting:
In the Server Manager console tree, click ALL SERVERS, then from the list of servers in the right pane, right-click the relevant server and select Network Policy Server.
Click Accounting and then click Change SQL Server Logging Properties.
Manually enter SQL settings from the sql.txt file that you created.
Importing settings from Windows Server 2008 or Windows Server 2008 R2
The configuration file file.xml that was exported from the source server is in a format that can be imported to a destination server running Windows Server 2012. SQL accounting settings are saved in the sql.txt file.
Note
For source servers running Windows Server 2008 R2: If you saved a templates configuration file, iastemplates.xml, you must use the Windows interface to import these settings.
To import settings from a source server running Windows Server 2008 or Windows Server 2008 R2
Copy the configuration files file.xml and sql.txt that were exported to the migration store file location to the destination NPS server. Alternatively you can import configuration settings directly from the migration store file location by supplying the appropriate path to the file in the import command.
On the destination server, use either netsh or Windows PowerShell to import the configuration.
To use netsh, do the following:
Open an elevated command prompt, type the following command and then press Enter:
netsh nps import filename="path\file.xml"
Replace path with the directory where the file.xml file is located. Verify that a message appears indicating that the import process was successful.
Tip
If the configuration file is located on a network share, provide the full path to the file. For example: netsh nps import filename="\\fileserver1\Data\file.xml".
To use Windows PowerShell, do the following:
On the Start screen, type PowerShell, and then press Enter.
To switch to the NPS context, enter the following Windows PowerShell command:
Import-Module NPS
To import the configuration, enter the following:
Import-NpsConfiguration [-Path] <String>
Replace <String> with the directory where the file.xml file is located.
Tip
For example: Import-NpsConfiguration -Path c:\temp\file.xml
Confirm that no errors were reported by Windows PowerShell.
If required, configure SQL accounting. To configure SQL accounting:
In the Server Manager console tree, click ALL SERVERS, then from the list of servers in the right pane, right-click the relevant server and select Network Policy Server.
Click Accounting and then click Change SQL Server Logging Properties.
Manually enter SQL settings from the sql.txt file.
Importing settings from Windows Server 2012 or Windows Server 2012 R2
The configuration file file.xml that was exported from the source server is in a format that can be imported to a destination server running Windows Server 2012 or Windows Server 2012 R2. SQL accounting settings are saved in the sql.txt file. If you saved a templates configuration file, iastemplates.xml, you must use the Windows interface to import these settings.
To import settings from a source server
Copy the configuration files file.xml and sql.txt that were exported to the migration store file location to the destination NPS server. Alternatively you can import configuration settings directly from the migration store file location by supplying the appropriate path to the file in the import command.
On the destination server, open an elevated command prompt, type the following command and then press Enter:
netsh nps import filename="path\file.xml"
Replace path with the directory where the file.xml file is located. Verify that a message appears indicating that the import process was successful.
Tip
If the configuration file is located on a network share, provide the full path to the file. For example: netsh nps import filename="\\fileserver1\Data\file.xml".
The following Windows PowerShell command performs the same function:
Import-NpsConfiguration -Path c:\temp\file.xml
If required, configure SQL accounting. To configure SQL accounting:
In the Server Manager console tree, click ALL SERVERS, then from the list of servers in the right pane, right-click the relevant server and select Network Policy Server.
Click Accounting and then click Change SQL Server Logging Properties.
Manually enter SQL settings from the sql.txt file.
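One way to script the Windows PowerShell export and import procedures above so that the file holding the unencrypted shared secrets is access-restricted and integrity-checked before import. This is an added example, not part of the original topic: the function names, folder and file name are hypothetical, and it assumes Windows PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example, not from the original topic. Function names, folder and file
# name are hypothetical. Get-FileHash requires Windows PowerShell 4.0 or later.
Import-Module NPS

function Export-NpsSettingsProtected {
    param(
        [string] $Folder   = 'C:\ConfigSettings',
        [string] $FileName = 'nps01.xml'
    )
    if (-not (Test-Path -LiteralPath $Folder)) {
        New-Item -ItemType Directory -Path $Folder | Out-Null
    }

    # Build a DACL with inheritance disabled that grants access only to
    # BUILTIN\Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18).
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($sid in 'S-1-5-32-544', 'S-1-5-18') {
        $identity = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    # Apply the DACL before the secrets are written into the folder.
    Set-Acl -LiteralPath $Folder -AclObject $acl

    $file = Join-Path $Folder $FileName
    Export-NpsConfiguration -Path $file -ErrorAction Stop

    # Return the SHA-256 hash so it can be passed to the destination
    # separately from the file itself.
    [pscustomobject]@{
        Path   = $file
        Sha256 = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
    }
}

function Import-NpsSettingsVerified {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )
    # Refuse to import a file that changed after it was exported.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.Trim()) {
        throw "SHA-256 mismatch for $Path. The configuration was not imported."
    }
    Import-NpsConfiguration -Path $Path -ErrorAction Stop
}

# Source server (elevated session):
#   $export = Export-NpsSettingsProtected
#   $export.Sha256
# Destination server (elevated session), after copying the file:
#   Import-NpsSettingsVerified -Path 'C:\temp\nps01.xml' -ExpectedSha256 '<hash from source>'
```

The access restriction applies only while the file stays in that folder; a copy placed elsewhere takes the permissions of its new location.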
Using the NPS console to migrate NPS settings
You can also use the Windows interface on the destination server to import configuration settings.
To import settings from a source server using the Windows interface
Copy the configuration files file.xml, iastemplates.xml, and sql.txt that were exported to the migration store file location to the destination NPS server. Alternatively you can import configuration settings directly from the migration store file location by supplying the appropriate path to the file in the import command. If you have custom settings that were recorded using the Appendix A - Data Collection Worksheet, these must be configured manually on the destination server.
On the destination server, open Server Manager.
In the Server Manager console tree, click ALL SERVERS, and then from the list of servers in the right pane, right-click the relevant server and select Network Policy Server.
To import template configuration settings, follow steps 5 to 13. If you do not have template settings, skip to step 7.
In the console tree, right-click Templates Management and then click Import Templates from a file.
Select the template configuration file iastemplates.xml that you copied from the source server and then click Open.
In the console tree, right-click NPS and then click Import Configuration.
Select the configuration file file.xml or ias.txt that you copied from the source server and then click Open.
Verify that a message appears indicating the import was successful.
Configure SQL accounting if required using the sql.txt file and the data collection worksheet. To configure SQL accounting, follow steps 11 to 13.
In the NPS console tree, click Accounting and then click Change SQL Server Logging Properties in the details pane.
Modify the properties on the Settings tab if required, and then click Configure to enter detailed settings.
Using information recorded in the sql.txt file, enter the required settings on the Connection and Advanced tabs, and then click OK.