Microsoft KB Archive/317589

= HOW TO: Configure a Secondary Internet Authentication Service Server on a Domain Controller =

Article ID: 317589

Article Last Modified on 9/14/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server

-



This article was previously published under Q317589





IN THIS TASK
SUMMARY
 * Install IAS
 * Enable IAS to Authenticate Users in Active Directory
 * Copy Primary IAS Configuration Settings to the Secondary IAS Server
 * Configure Remote Access Servers to Use the Secondary IAS Server

REFERENCES



SUMMARY
This step-by-step article describes how to install and configure a secondary Microsoft Internet Authentication Service (IAS) server in a domain.

IAS performs the function of a Remote Authentication Dial-In User Service (RADIUS) server. You can use IAS for centralized authentication and accounting of multiple Routing and Remote Access Service (RRAS) servers. You can use a secondary IAS server to provide fault-tolerance and load balancing in your domain.

back to the top

Install IAS
To install IAS:
 * 1) Click Start, point to Settings, and then click Control Panel.
 * 2) Double-click Add/Remove Programs, and then click Add/Remove Windows Components.
 * 3) In the Components list, click Networking Services (but do not select or clear its check box), and then click Details.
 * 4) Click to select the Internet Authentication Service check box, and then click OK.
 * 5) Click Next, and then click Finish.
 * 6) In the Add/Remove Programs dialog box, click Close.
 * 7) To start IAS, click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.

back to the top

Enable IAS to Authenticate Users in Active Directory
To register the IAS service in Active Directory:
 * 1) Start the IAS snap-in. To do this, click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.
 * 2) On the Action menu, click Register Service in Active Directory.
 * 3) Click OK to confirm the IAS registration in the local domain, and then click OK.

back to the top

Copy Primary IAS Configuration Settings to the Secondary IAS Server
You can copy the configuration settings, including registry settings from another IAS server by using the netsh command. To do this:

NOTE: Both IAS servers must be running the same versions of Microsoft Windows 2000.  Log on to the primary IAS server. Click Start, click Run, type cmd in the Open box, and then click OK. Type the following command, and then press ENTER

netsh aaaa show config > \ .txt

where  and   is the complete path and file name in which you want to save the policy settings. For example, type netsh aaaa show config > a:\policy.txt to save the policy settings on drive A with a file name of Policy.txt. Copy the text file that contains the configuration settings to the secondary IAS server. On the secondary IAS server, click Start, click Run, type cmd in the Open box, and then click OK. Type the following command, and then press ENTER

netsh exec \ .txt

where  and   are the path and file name of the configuration settings that you copied from the primary IAS server.

The following message appears:

aaaa server configuration successfully set.

</li> Quit the Internet Authentication Service snap-in, if it is running.</li> Start the IAS snap-in. To do this, click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.</li> Verify that the configuration settings have been imported. Configuration settings, including IAS server properties, clients, and policies should be listed in the corresponding containers of the Internet Authentication Service (Local) tree.</li></ol>

back to the top

Configure Remote Access Servers to Use the Secondary IAS Server
Configure each Routing and Remote Access Server (RRAS) with two RADIUS servers that correspond to the primary and secondary IAS servers. If one IAS server becomes unavailable, the RRAS server will automatically &quot;fail over&quot; to the other server.
 * 1) Log on to the RRAS computer as an administrator.
 * 2) Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
 * 3) Under Routing and Remote Access, right-click the server that you want, and then click Properties.
 * 4) Click the Security tab, and then click the Configure button that is next to the Authentication provider list. The primary IAS server should be displayed in the Server list.
 * 5) Click Add, type the Fully Qualified Domain Name (FQDN) name of the secondary IAS server in the Server name box, and then click Change.
 * 6) In the New secret box, type the &quot;shared secret&quot; password that you configured on the primary IAS server computer.
 * 7) Retype this password in the Confirm new secret box, and then click OK.
 * 8) Click OK, and then click OK.
 * 9) When you receive the notification message that states that you must restart the Routing and Remote Access service, click OK.
 * 10) Click the Configure button that is next to the Accounting provider list.
 * 11) Click Add, type the FQDN name of the secondary IAS server in the Server name box, and then click Change.
 * 12) In the New secret box, type the &quot;shared secret&quot; password that you configured on the primary IAS server computer.
 * 13) Retype this password in the Confirm new secret box, and then click OK.
 * 14) Click OK, click OK, click OK on the message that states that you must restart the Routing and Remote Access service, and then click OK.
 * 15) In the console tree, right-click the RRAS server that you want to restart, point to All Tasks, and then click Stop.
 * 16) Right-click the same server, point to All Tasks, and then click Start.
 * 17) Quit the Routing and Remote Access snap-in.

back to the top