In Place Upgrade of Window Server

 In Place Upgrade KB ID 0001895

Problem

An in-place upgrade of a Windows Server, where you update an existing server installation to a newer version without reinstalling from scratch, can be a powerful way to bring older infrastructure up to date without the lengthy process of rebuilding a system and restoring data. The allure of this method lies in its simplicity and time efficiency; theoretically, you can go from, say, Windows Server 2016 to Windows Server 2022 with much less downtime, keeping configurations, applications, and user data intact. This can be especially appealing in scenarios where budget or time constraints make a full migration impractical, or for environments where a server holds critical roles that are complex to reconfigure from scratch.

However, while in-place upgrades have their perks, they aren’t without pitfalls. For starters, there’s always a risk of compatibility issues, especially if the server runs legacy software that might not play nicely with the new OS version. Performance problems can also arise, as remnants of old files and configurations may lead to a less than optimised system, compared to a clean installation. Additionally, any existing issues on the server, such as misconfigurations, registry bloat, or malware, can carry over to the new version, potentially causing instability. Therefore, before deciding on an in-place upgrade, it’s essential to weigh these pros and cons carefully, considering both the potential gains and risks based on your environment and long-term plans.

As I’ve previously stated, I prefer to do in place upgrades, If you have less than 50 servers and an IT support team, you may want to plan a clean install and data migration, but there comes a point where that’s simply not practical. My firm looks after more than 10 thousand Windows servers, and when a ‘wave’ of them goes outside of supportability – We either stop supporting them or offer and in-place upgrade.

Windows Server In Place Upgrade Paths

Current OS Upgrade Path to Windows Server 2022 Upgrade Path to Windows Server 2025
Windows Server 2008 Upgrade to Windows Server 2008 R2 → Upgrade to Windows Server 2012 R2 → Upgrade to Windows Server 2019 → Upgrade to Windows Server 2022 Upgrade to Windows Server 2008 R2 → Upgrade to Windows Server 2012 R2 → Upgrade to Windows Server 2019 → Upgrade to Windows Server 2025
Windows Server 2008 R2 Upgrade to Windows Server 2012 R2 → Upgrade to Windows Server 2019 → Upgrade to Windows Server 2022 Upgrade to Windows Server 2012 R2 → Upgrade to Windows Server 2019 → Upgrade to Windows Server 2025
Windows Server 2012 Upgrade to Windows Server 2012 R2 → Upgrade to Windows Server 2019 → Upgrade to Windows Server 2022 Upgrade to Windows Server 2012 R2 → Upgrade to Windows Server 2019 → Upgrade to Windows Server 2025
Windows Server 2012 R2 Upgrade to Windows Server 2019 → Upgrade to Windows Server 2022 Upgrade to Windows Server 2019 → Upgrade to Windows Server 2025
Windows Server 2016 Direct upgrade to Windows Server 2022 Direct upgrade to Windows Server 2025
Windows Server 2019 Direct upgrade to Windows Server 2022 Direct upgrade to Windows Server 2025
Windows Server 2022 NA Direct upgrade to Windows Server 2025

Note: Server 2025 information is not official at time of writing, information was provided my Microsoft Copilot.

Solution : In Place Upgrade

In Place Upgrade Planning and Pre Upgrade Steps

As well as making sure you have the compute and storage requirements (of the OS that you are upgrading to), make sure your hardware and/or Hypervisor supports the target OS. Then you have things to consider.

  • Roles And Features.
  • Microsoft Applications.
  • Third Party Applications.

Roles and Features: these are add-on components to the OS that you can enable (add) or disable (remove). Some common ones like DNS server or DHCP server, we just accept and don’t even worry about, but what about roles like certificate services? or a feature like NDES? What if the server is a domain controller? I’ll attempt to answer SOME of those questions below, but this is another reason why you should check, research, and test before upgrading

Show all Roles and Features With PowerShell

[box]

Get-WindowsFeature

[/box]

Microsoft Applications: Here I’m talking about things like Microsoft Exchange, Microsoft SQL, Microsoft Teams etc. Each one of those have their own dependancies OS requirements an upgrade paths that you may need to take into consideration. My personal preference is to migrate these applications onto new clean servers rather than in-place upgrade. I’ve done two in place upgrades of Exchange on the test bench and both of those were 100% successful, I’d be less happy doing them in production, and I’ve got a lot of articles showing you how to upgrade and migrate Exchange, I suggest you look there first! 

Third Party Applications: This will vary from use case to use case, but consider your AV and security products, do they support the new OS? Does you backup and replication software support the new OS. That’s before you look at you line of business or back office applications like print management software, or the software that controls your building access for example.

Show all Installed Software With PowerShell

[box]

Get-WmiObject -Class Win32_Product

[/box]

In Place Upgrade ‘Pre-flight checks’

Most servers these days are virtualised, and time spent on reconnaissance is seldom wasted, If you are considering in place upgrading anything, I would urge you to clone those machines, sandbox them, and perform the in place upgrade in isolation, this will give you a change to do some functional (post upgrade) testing of both the server OS, its installed roles and any third pert applications.

As with all things infrastructure, you’re only as good as your last backup, before doing anything MAKE SURE you have a reliable (tested!) backup. Not just for the server you intend to upgrade but for any server that has a service or software dependency on the server you intend to upgrade.

Ensure the upgrade server is FULLY UPDATED before proceeding.

If the server is virtual, we also have the advantage, to take a snapshot prior to upgrade. (You can even clone a copy and keep it on standby) .

In Place Upgrade Process

Well it’s 95& preparation and 5% execution, the actual upgrade process is alarmingly simple. Present the installation media ISO to the source server, (or copy the files to the server and run setup.exe)

At the welcome screen > Next > At this point the system may take some down getting update’s > Enter the Windows activation code for the new server OS > Next > Select the version you want to install, remember if you want a server with a GUI interface, select the Desktop Experience option > Next.

At the EULA screen > Accept > Select “Keep files settings and apps” > Next > Install.

At this point the upgrade will take place, the server may reboot, but the upgrade process will continue.

When complete, you will be looking at a login screen, simply authenticate with the same credentials as before.

In Place Upgrade of Domain Controllers

Yes it’s possible, yes I’ve done it multiple times, if all the server is doing is performing Active Directory domain services and other common roles like DNS and DHCP, then I would not bother in place upgrading a domain controller, I’d simply build a fresh one, then decommission the old one (possibly needing to migrate FSMO roles)

But I’ve said its possible, just beware you may come across this error during the upgrade.

Active Directory on this domain controller does not contain Windows Server {version} ADPREP / FORESTPREP updates

This one is pretty much self-explanatory, and makes complete sense if you’ve spent any time deploying domains controllers! Well of course it doesn’t! Think about it if this is the first domain controller with the new OS in the domain, the schema has not been updated for that version of domain controller, which would happen if you were installing a DC from scratch. Here there’s only one server in the domain, and I’m on it. DON’T CLOSE THE UPGRADE WINDOW.

Open a administrative command window and change to the D:\Support\Adprep directory, run adprep.exe /forestprep and when prompted press C {Enter} to continue.

I prefer to also perform a adprep.exe /domainprep  also, but you can progress in the upgrade without doing this, below I’m performing the command within PowerShell so I’m using ./adprep.exe /domainprep.

In Place Upgrade of Servers Running Certificate Services

Can you do this? Yes – Even if you have a multi-tier PKI deployment. see here I’ve personally done this twice (Server 2016 > Server 2022 and Server 2019 > Server 2022) and both were 100% successful. You can of course perform a traditional migration of Certificate Services to another server.

In Place Upgrade of Servers Running DHCP

I would not even worry about this, if you wanted to migrate a DHCP scope to another server it’s easy as peas. But in place upgrade of a DHCP server is not a concern. Even if they are performing DHCP HA

In Place Upgrade of Servers Running NPS (Network Policy Server)

I’ve done this successfully, if you wanted to migrate this role manually then simply see the following article Migrate NPS Server.

In Place Upgrade of Servers Running RDS (Remote Desktop  Services)

Whilst supported be aware that if you upgrade you RDS licensing server, ensure you have CALs/Licenses (or SALS if you’re SPLA licensed) that support the new version of Windows. e.g. 2016 RDS CALs will work with Server 2019 but will not with Server 2022. If you have problems ‘post upgrade‘ delete the following folder “\windows\system32\lserver ” then relicense correctly with new CALs/SALs.

Invitation

If you’re reading this and considering an in place upgrade there may be a role or feature, or piece of software your server is running I’ve not covered. If so please bookmark this article, and return later, then post below what OS you upgraded from and to, and what Role/Feature/Software you were running. Was it a seamless procedure, or did you encounter a problem, error message, of complete failure? Please post your follow ups below to help the next person.

Related Articles, References, Credits, or External Links

In Place Upgrade Windows 2016 to Windows 2019

Upgrade Server 2012 (In Place)

Migrate NPS Server

Migrate NPS Server KB ID 0001841

Problem

If you have deployed an NPS Server on your network, there may be a time when you want to replace that server – if all its doing is NPS and its 2012 or newer I’d be tempted to simply in-place upgrade it, but some people are rigid in their beliefs that that is not a good idea. So in that case you need to migrate to a new server.

Solution : Migrate NPS Server

Locate NPS Server

Just in case you know you have an NPS server, but you don’t know what server it’s on, (or how many you have!) The simplest way to find out is to look in the RAS and IAS Servers group in AD.

You can use the following procedure on Server 2012 (and newer) If your source server is Server 2008 then you need to use the netsh method I’ll outline below.

Migrate NPS Server : Export NPS Settings PowerShell

On the OLD (source) server,

 

[box]

Export-NpsConfiguration -Path C:\NPS-PS-Exported.xml

[/box]

Then simply copy that exported XML file to the new NPS server.

Migrate NPS Server : Import NPS Settings PowerShell

At this point I’ll assume that your target server is built, updated and domain joined. So we have three tasks, install NPS, authorise the NPS server in AD, then import the settings from the file you exported above. Note: There is no direct PowerShell command to authorise the new server in AD (at time of writing) So we need to use the netsh command to do that.

[box]

Install-WindowsFeature NPAS -IncludeManagementTools

netsh ras add registeredserver

Import-NpsConfiguration -Path C:\NPS-PS-Exported.xml

[/box]

Then at this point I’d stop and disable NPS services on the old server and give everything a test. REMEMBER if you have RADIUS clients you may need to change the IP address that THEY are set to to the new NPS Server.

WARNING: If you are using authentication protocols that need certification like PEAPMS-CHAP v2, PEAPTLS, or EAPTLSAND your client are set to check the server’s identification (this is optional usually). Then check the new server has the correct certificates.

Migrate NPS Server (Server 2008)

On older OSs you don’t have the Export-NpsConfiguration and Import-NpsConfiguration PowerShell commandlets to use, so you have to use the netsh command instead.

Export NPS with Netsh

[box]

netsh

nps

export filename="C:\NPS-Exported-NETSH.xml" exportPSK=YES

[/box]

Import NPS with Netsh

[box]

netsh

nps

import filename="C:\NPS-Exported-NETSH.xml"

[/box]

Remove NPS

Once you’ve waited long enough to be sure you no longer need the old NPS server you can remove it with the following commands.

[box]

netsh ras delete registeredserver

Uninstall-WindowsFeature NPAS

Restart-Computer

[/box]

Note: If you are removing from Server 2008 you may need to use Remove-WindowsFeature NPAS instead!

Related Articles, References, Credits, or External Links

NA

Use Azure MFA With Microsoft NPS (RADIUS) Server

 

KB ID 0001759

Problem

I was in a forum last week and someone asked, “Can I enable Azure MFA, on my RADIUS server, to secure access to my switches and routers etc”. It turns out if you want to enable Azure MFA with Microsoft NPS it’s actually quite  simple.

So, I’m using RADIUS auth (above) on my NPS server, and it’s simply checking the authenticating user is a member of a domain security group. Once it has satisfied that requirement, it will authenticate against my Azure AD, which will trigger an MFA event, (in my case send a request to the Microsoft Authenticator Application on my Android Phone).

Azure MFA With Microsoft NPS Pre-Requisites

The remote user needs EITHER an Azure P1 License, or a Microsoft 365 license. 

“But I can use the Authenticator App with my Office 365 subscription?”

Well yes you can, but we are not authenticating to office 365 are we?

Below you can prove the licence is allocated in Office 365

And the same in Azure AD.

Now your user needs to have MFA enabled, (this should be pretty obvious), to use the Microsoft authenticator application the USER chooses that method of authentication, when you enable MFA for them (the first time they login). You can re-force that, from the following screen if you wish.

Azure MFA With Microsoft NPS: Deploying NPS

So I’ve pretty much covered this half a dozen times before, but for completeness I’ll quickly run though setting up NPS / NPAS. The quickest simplest method is to use PowerShell.

[box]

Install-WindowsFeature NPAS -IncludeManagmentTools

[/box]

From administrative tools open > Network Policy Server >Right click (Top Level) > Register Server in Active Directory  > OK > OK

Execute the following PowerShell command to create a registry key

[box]

New-Item 'HKLM:\SOFTWARE\Microsoft\AzureMfa' -Force | New-ItemProperty -Name REQUIRE_USER_MATCH -Value TRUE -Force | Out-Null

[/box]

Enable NPS RADIUS on Windows Firewall

Now for some reason installing NPS does not open the correct ports on the Windows Firewall? So issue the following command;

[box]

Get-NetFirewallRule -DisplayGroup "Network Policy Server" | where DisplayName -like "*RADIUS*" | Set-NetFirewallRule -Service Any

[/box]

Azure MFA With Microsoft NPS: Domain (on Premises and Azure AD)

You will need to know what your Azure Tenant ID is, keep a copy of this handy either in notepad or on the clipboard because you will need it in a minute.

Below you can see I’ve got my domain user, their remote access (Dial In Tab) is set to control access though policy, and I’ve placed them in a security group called SG-Azure-MFA.

Configure NPS for RADIUS Access

Note: You may already have this configured, if so please skip to the next section.

The first task is to define the RADIUS CLIENT, in my case it will be a Cisco firewall, yours could be any device that requires RADIUS authentication. Locate REDIUS Clients  > New > Provide a ‘Friendly Name’ (REMEMBER WHAT IT IS) > Enter its IP address > Then provide and confirm a shared secret (think of it like a password, you will need to add this to the radius clients config) > OK

Policies > Network Policies > New > Give it a sensible name > Next.

Add in a ‘Condition‘ for User Group, then add in the user group you created/used above.

Add in another ‘Condition‘ > Set the friendly name to the one you used when you created your RADIUS client.

Accepts all the defaults until you get to Configure Authentication Methods > Tick ‘Unencrypted Authentication (PAP, SPAP)’> Click yes if you want to read the warning > Next > Accept all the defaults from this point forward.

Enable Azure MFA With Microsoft NPS

Download the ‘NPS Extension For Azure MFA‘ software form Microsoft, and install it on your NPS server.

To actually enable it against your Azure AD, Execute the following PowerShell commands;

[box]

cd "c:\Program Files\Microsoft\AzureMfa\Config"
.\AzureMfaNpsExtnConfigSetup.ps1

[/box]

Eventually you will be asked to authenticate to Azure, do so with an administrative account.

You will be asked to provide your Azure Tennant ID.

When complete REBOOT THE NPS SERVER!

Testing Azure MFA With NPS

Again for Cisco ASA I’ve already blogged about this, but for completeness here’s me making sure it works;

Remember to RAISE the RADIUS timeout, by default its 10 seconds, I raised it to 30 seconds.

And on my phone I get prompted to allow

 

Authentication successful!

Troubleshooting (NPS Azure MFA Not Working)

Event ID 6274: The Request Was Discarded by a third-party extension DLL file. 

This happens when the user you are authenticating does not have the correct license in Azure (or you have just allocated the license and have not waited for a while).

Full Error

[box]

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          15/07/2021 16:42:58
Event ID:      6274
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      PKI-02.pnl.com
Description:
Network Policy Server discarded the request for a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			PNL\tanya.long
	Account Name:			tanya.long
	Account Domain:			PNL
	Fully Qualified Account Name:	pnl.com/PNL/Users/Tanya Long

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	Called Station Identifier:		-
	Calling Station Identifier:		-

NAS:
	NAS IPv4 Address:		192.168.254.254
	NAS IPv6 Address:		-
	NAS Identifier:			-
	NAS Port-Type:			Virtual
	NAS Port:			6

RADIUS Client:
	Client Friendly Name:		Firewall
	Client IP Address:			192.168.254.254

Authentication Details:
	Connection Request Policy Name:	Use Windows authentication for all users
	Network Policy Name:		NP-Azure-MFA
	Authentication Provider:		Windows
	Authentication Server:		PKI-02.pnl.com
	Authentication Type:		PAP
	EAP Type:			-
	Account Session Identifier:		-
	Reason Code:			9
	Reason:				The request was discarded by a third-party extension DLL file.

[/box]

Event ID 6273: An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection

In my case I had re-install the NPS Azure extension.

Full Error

[box]

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          15/07/2021 17:24:39
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      PKI-02.pnl.com
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			NULL SID
	Account Name:			tanya.long
	Account Domain:			PNL
	Fully Qualified Account Name:	PNL\tanya.long

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	Called Station Identifier:		-
	Calling Station Identifier:		-

NAS:
	NAS IPv4 Address:		192.168.254.254
	NAS IPv6 Address:		-
	NAS Identifier:			-
	NAS Port-Type:			Virtual
	NAS Port:			10

RADIUS Client:
	Client Friendly Name:		Firewall
	Client IP Address:			192.168.254.254

Authentication Details:
	Connection Request Policy Name:	Use Windows authentication for all users
	Network Policy Name:		-
	Authentication Provider:		Windows
	Authentication Server:		PKI-02.pnl.com
	Authentication Type:		Extension
	EAP Type:			-
	Account Session Identifier:		-
	Logging Results:			Accounting information was written to the local log file.
	Reason Code:			21
	Reason:				An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.

[/box]

 

Related Articles, References, Credits, or External Links

NA

Windows ‘Always On’ VPN Part 2 (NPS, RAS, and Clients)

KB ID 0001403

Problem

Back in Part One, we setup the AD (Groups,) and the Certificate services that will knit everything together. Now we need to configure an NPS server that acts as a RADIUS server for our remote clients, And a RAS Server that our remote clients will connect to.

Step1: Network Setup

Microsoft have an alarming habit of telling you to connect DMZ assets to the LAN. In their defence I’ve seen some documentation where theres is a firewall in front and behind their RAS/VPN server, but then you keep reading and they refer to the NIC on the LAN and the NIC in the DMZ. As you can tell I’m not a fan, I prefer to have an un-authenticated and an authenticated DMZ, and neither of them are connected to the LAN, So then I can control what can, and cannot flow between the DMZs and the LAN.

My way means I have to allow more ports for domain membership etc, but, if you have a Cisco ASA I’ve covered that in the following article,

Cisco ASA – Allowing Domain Trusts, and Authentication

As for the VPNs and RADIUS you need to allow the following;

From Outside to the RAS Server

  • UDP 500 (ISAKMP)
  • UDP 4500 (NAT Traversal)

From the RAS Server to the NPS/NAP Server

  • UDP 1812 (RADIUS Authentication)
  • UDP 1813 (RADIUS Accounting)
  • UDP 1645 (RADIUS Authentication)
  • UDP 1646 (RADIUS Accounting)

Quite why it needs both pairs or RADIUS ports I’m unsure, I’ve not scanned or packet captured the traffic, but I’m wiling to bet it really only needs 1812/1813 or 1645/1646.

Step2: Install NPS

Server Manager > Manage > Add Roles and Features > Network Policy and Access Services > Complete the wizard accepting the defaults.

Administrative tools > Network Policy Server > Right click NPS (Local) > Register in Active Directory > OK.

Even though its not setup yet, we need to create our RAS server as a RADIUS client > RADIUS Clients > New.

Friendly Name: A sensible name that identifies the RAS server

IP: IP of the RAS server (On the LAN segment)

Shared Secret: Generate a new one and copy it to the clipboard, (you will need it in a minute.)

On the main page, ensure ‘RADIUS server for Dial-Up or VPN Connections’ is selected‘ > Configure VPN or Dial-Up.

Select ‘Virtual Private Network (NPS) Connections > Next > Ensure the RADIUS server you have just created is listed > Next > Ensure ONLY ‘Extensible Authentication protocol’ is ticked > Change its value to Microsoft Protected EAP (PEAP) > Configure.

EAP Types: Remove the one that is listed by default > Add in ‘Smart card or other certificate’ > OK > Under Groups make sure sure you have ONLY added the group you created back in part one > Next > Next.

Next > Next > Finish.

Your connection request policies should look like this.

Your network policies should look like this.

Step 3: Setup RAS

Server Manager > Manage > Add roles and Features > Next > Next > Next > Remote Access > Next.

Select DirectAccess and RAS > Finish the wizard accepting the defaults.

Open the Getting Started Wizard > Select VPN Only.

Administrative Tools > Routing and Remote Access > Right click {server-name} > Configure and enable Routing and Remote Access > Next  > Custom configuration.

VPN Access > Next > Finish > Start service.

Once again right click {server-name} > Properties > IPv4 > Note: If you are not going to use your internal DHCP server/scope, then you can set one up manually (as shown) > Ensure ‘Enable broadcast name resolution’ is selected, and the RAS servers internal/LAN interface is selected > Apply.

Security Tab:  Authentication provider  = RADIUS Authentication  > Configure > Add > Enter the IP of the NPS server > Change > Paste in the shared secret you copied, (above) > OK > OK. 

Repeat the same procedure for Accounting provider, (below).

Drill down to ‘Ports’ > Right Click  > Properties > Select SSTP > Configure > Remove the tick from ‘Remote access connections (inbound only) > OK. Repeat this procedure for ALL the protocols EXCEPT IKEv2, (So when finished, only IKEv2 is set to accept incoming requests).

Step 4: Configure Reference Windows 10 Machine

On a Windows 10 machine* Launch the ‘Change virtual private networks.

*Note: Your logged on user, must have a certificate issued to them, and be a member of the AD group we created earlier. 

Add a VPN Connector.

  • VPN Provider: Windows (Built-in).
  • Connection Name: Connection-Template.
  • Server Name or address: (The ‘public’ name we put on the certificate on the RAS server).

Change Adapter options.

Right click the VPN connection > Properties.

Security Tab:

  • Type of VPN: IKEv2
  • Data Encryption: Maximum
  • Use Extensible Authentication Protocol (EAP)
  • Properties > Enter the name on the certificate on your NAP Server, (I know that does not make sense trust me!)
  • Tick your Root CA Cert for the domain.
  • Select ‘Don’t prompt user to authorise new servers or new authorities’.

Connect your VPN to test it.

Make sure everything works.

Note: I had some DNS resolution problems, see the post below to find out how I fixed them;

Windows 10: Remote VPN Client Cannot Resolve Domain DNS

Now you need to ‘capture’ all those settings so you can give them to your other clients. To do that you need a copy of the PowerShell script MakeProfile.ps1 You will need to edit the script a little, see the example below. Running the script will output two files to the desktop, an PowerShell Script and an XML file

Step 5: Deploying the Settings

At the time of writing you can deploy these settings via three methods, PowerShell Script, SCCM, or Microsoft Intune. I’m simply going to run the PowerShell Script, there are a few restrictions though, you have to be logged on as the particular user. They need administrative rights to run the script, which is a bit of a pain, you can use restricted groups and set the powershell to run at logon with group policy, then remove the policy when configured, but it’s still a bit of a drama. Below I’m simply running the VPN_Profile.ps1 file I generated above.

Now once the user logs in, (and has a valid remote internet connection.) The remote client will auto-connect.


That covers USER tunnels, you can also, (Post 1709 Windows 10 Builds,) have DEVICE tunnels. Which I would write a part three about, but I simply cannot get them to work, so I’m waiting for the bugs to be ironed out, and I will revisit it at some point in the future.

Related Articles, References, Credits, or External Links

NA

Windows ‘Always On’ VPN Part 1 (Domain and PKI)

KB ID 0001399

Problem

Always On VPN was a bit of a misnomer when it was released, as it was only really ‘on’ when a user logged on. So when comparing it with ‘Direct Access‘ it didn’t have the capacity to ‘Manage Out’. With the release of Windows 10 (1709) this has been rectified with ‘Device Tunnels’, (more on that later).

The solution uses RAS, NAP (NPS), and PKI (Certificate Services). Obviously Active Directory is a requirement, and in addition I’ve also got a file server setup just for ‘testing’ access to domain resources.

Note: The VPN setup, (on everything, apart from the Windows 10 clients), is just the same as it ever was. This technology is for copying VPN settings from a Windows 10 client, and then being able to put those settings on other Windows 10 clients, so that when a user logs on, the VPN connects (User Tunnels), or when a machine gets a network connection it connects (Device tunnels).

Step 1: Active Directory Work

You will need to setup some security groups in AD, I’m going to use;

  • VPN-NPS-Servers
  • VPN-RAS-Servers
  • VPN-Users

Note: You can of course use ‘domain users’ if you are rolling this out domain wide.

Add your NAP/NPS server(s) to the VPN-NPS-Servers group, (remember you need to add computers to the search criteria, or you wont find them).

Add your RAS server(s) to the VPN-RAS-Servers group.

Add your domain users(s) to the VPN-Users group.

Step 2: PKI (Certificate Services)

PLEASE: Don’t just race forward and install Certificate Services. Every domain certificate problem I’ve ever had to worked on has been the result of someone ‘just lashing it in’. Take the time to do it properly, and think about your domain PKI design, consider things like, Offline Root CA’s, Multi-Tier Sub CA’s, CRL, and OCSP.

Luckily, I’ve spent a ton of time already on Certificate services, look though the following article;

Microsoft PKI Planning and Deploying Certificate Services

If you are simply setting this up on the test bench, or for a POC, (in a non-production domain). Then add the role from Server Manager.

These are the roles I deploy, but for this solution you only really need the Certification Authority, role.

Note: If you are interested what the other roles do, then search for them above, (I’ve blogged about NDES, and the Enrollment Web Services before).

Step 3: Certificate Templates

You will need to create and publish three certificate templates;

  • VPN-User (Based on the User Template)
  • NPS-Servers (Based on the RAS and IAS Template)
  • VPN-Servers (Based on the RAS and IAS Template)

VPN-User Certificate: Open the certificate services management console > Certificate Teplates > Manage > User > Duplicate Template.

General Tab

  • Template Display Name: VPN-User
  • Publish certificate in Active Directory UNTICK.

Compatibility Tab:

  • Certification Authority: Windows Server 2016 (Though 2012 R2 will work)
  • Certificate Recipient: Windows 10 (Though Windows 8.1 will work)

Request Handling Tab:

Allow private key to be exported: UNTICK

Cryptography Tab:

  • Provider Category: Key Storage Provider
  • Providers: First: Microsoft Platform Crypto Provider, Second: Microsoft Software Key Storage Provider.

Note: Theres two because the first one requires a TPM chip, if the client machine does not have one the procedure fails. By allowing ‘Microsoft Software Key Storage Provider’ if will ‘fall-back’ to that option, if there is not TPM chip.

Security Tab:

  • ADD: VPN-users: GRANT: Read, Enrol, and Autoenroll.
  • DELETE: Domain Users

Note: In a test environment, you may also want to UNTICK the option ‘Include e-mail name in subject name‘ on the Subject Name tab or you may see this problem.

Issue the certificate template.

Repeat the procedure but this time make a duplicate of the RAS and IAS template.

General Tab:

  • Template Display Name: NPS-Servers.

Compatibility Tab:

  • Certification Authority: Windows Server 2016 (Though 2012 R2 will work).
  • Certificate Recipient: Windows 10 (Though Windows 8.1 will work).

Security Tab:

  • ADD: VPN-NPS-Servers: GRANT: Read, Enrol, and Autoenroll.
  • DELETE: RAS and IAS Servers.

Apply > OK > Now make a second duplicate of the RAS and IAS certificate template.

General Tab:

  • Template Display Name: VPN-Servers.

Extensions Tab:

  • Edit > Add > IP Security IKE Intermediate > OK > OK.

Security Tab:

  • ADD: VPN-RAS-Servers: GRANT: Read and Enrol ONLY.
  • DELETE: RAS and IAS Servers.

Subject Name Tab:

Supply In the Request: TICK (Accept the warning).

Compatibility Tab:

  • Certification Authority: Windows Server 2016 (Though 2012 R2 will work).
  • Certificate Recipient: Windows 10 (Though Windows 8.1 will work).

Issue Both of the server certificate templates.

Step 4: Group Policies Auto-Enrolment

Again, I’ve written about this before, so for some extra reading on the subject, see the following article;

Deploying Certificates via ‘Auto Enrollment’

In the’ Group Policy Management Console’ create a new GPO, I’m simply linking it to the root of the domain, you can of course link it to the OUs that your RAS and NPS servers live in.

Edit the policy.

Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrolment > Properties.

  1. Configuration Model: Enabled.
  2. Renew expired certificates, update pending certificates, and remove revoked certificates: TICK.
  3. Update certificates that use certificate templates: TICK.

Close and exit the policy editor.

Now Im creating another policy for my USER auto enrolment, (I could have used the same policy above, that’s linked to the root of the domain, but I like to keep them separate, it’s your choice). Anyway just ensure the policy is linked to your USERS.

Edit the policy.

Navigate to: User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrolment > Properties.

  1. Configuration Model: Enabled.
  2. Renew expired certificates, update pending certificates, and remove revoked certificates: TICK.
  3. Update certificates that use certificate templates: TICK.

Step 5: Testing CertificateDeployment

Remember we are deploying two computer certificates and one user certificate, and they are all based on group membership, so your servers need to be rebooted before they will get their group membership, and your user(s) need to log off and log on. Also bear in mind you might want to force group policy, see the following article;

Windows – Forcing Domain Group Policy

NPS-Servers Certificate: Windows Key+R > certlm.msc > Personal > Certificates > You should have a certificate based on the NPS-Server template.

VPN-Server Certificate: Windows Key+R > certlm.msc > Personal > Certificates > All Tasks > Request New Certificate > Next.

Note: You are doing this one manually, because this certificate does not auto-enrol, that’s because the certificate will need a different common name on it, (the public DNS name of the RAS server).

Next > Click the ‘More information…’ link > In the Subject Name Section, Set the Common name to the private DNS name of the RAS server. In the Alternative name section set the DNS value to the public name  the server > Apply > OK.

 

Enroll > Finish.

You now have a certificate based on the VPN-Server template.

 

VPN-User Certificate: Just a quick note, on the Windows 10 client, run certlm.msc again but this time ensure you have your domain CA server certificate listed in the ‘Trusted Root Certification Authorities’ folder.

Now this console lists computer certificates, and we need to look at user certificates (I could just run certmgr.msc instead), but old habits die hard, so I’ll launch an mmc console > and add a snap-in.

And add ‘certificates’ (Note: If I were an administrator I would be prompted to choose computer or user certificates, as I’m just a user, then current user is selected by default). > OK.

And there’s my certificate based on the VPN-User template.

If you’re struggling, and the user certificate refuses to appear, read my note (above) about e-mail addresses (that’s a very common error that causes auto-enrollment to fail). For troubleshooting look in the Event logs and in the ‘Failed Requests’ Section on your CA server. For all certificates, if something isn’t working then either somethings in the wrong group, the wrong group has been given permissions on the certificate template, or the GPO is linked to the wrong location.

That’s it for Part One, in Part Two I will look at deploying my RAS/VPN server into my DMZ, and having a rant/sneer at Microsofts continuing policy of trying  to bypass my firewall. 

Related Articles, References, Credits, or External Links

A massive thank you to Joseph Moody, and Kevin Kaminski, fellow MVP’s who took the time to reply to my Always On VPN queries.

Windows Server 2008 R2 – Configure RADIUS for Cisco ASA 5500 Authentication

KB ID 0000688

Problem

Last week I was configuring some 2008 R2 RADIUS authentication, for authenticating remote VPN clients to a Cisco ASA Firewall.

I will say that Kerberos Authentication is a LOT easier to configure, so you might want to check that first.

Solution

Step 1 Configure the ASA for AAA RADIUS Authentication

1. Connect to your ASDM, > Configuration > Remote Access VPN. > AAA Local Users > AAA Server Groups.

2. In the Server group section > Add.

3. Give the group a name and accept the defaults > OK.

4. Now (with the group selected) > In the bottom (Server) section > Add.

5. Specify the IP address, and a shared secret that the ASA will use with the 2008 R2 Server performing RADIUS > OK.

6. Apply.

Configure AAA RADIUS from command line;

[box]

aaa-server PNL-RADIUS protocol radius
aaa-server PNL-RADIUS (inside) host 172.16.254.223
  key 123456
  radius-common-pw 123456
  exit

[/box]

Step 2 Configure Windows 2012 Server to allow RADIUS

7. On the Windows 2008 Server > Launch Server Manager > Roles > Add Role.

8. If you get a welcome page > Next > Select Network Policy and Access Server > Next >Next.

9. Select ‘Network Policy Server’ > Next > Install.

10. Close, when complete.

11. Whilst still in Server Manager > Network Policy and Access Server > NPS (Local).

12. Register Server in Active Directory >OK > OK.

13. Expand RADIUS Clients and Servers > Right click RADIUS Clients > New.

14. Give the firewall a friendly name, (take note of what this is, you will need it again) > Specify its IP > Enter the shared secret you setup above (number 5) > OK.

15. Expand policies > right click ‘Connection Request Policies’ > New > Give the policy a name > Next.

16. Add a condition > Set the condition to ‘Client Friendly Name’ > Add.

17. Specify the name you set up above (number 14) > OK > Next > Next > Next.

18. Change the attribute to User-Name > Next > Finish.

19. Now right click ‘Network Policies’ > New > Give the policy a name> Next.

20. Add a condition > User Groups > Add.

21. Add in the AD security group you want to allow access to > OK > Next > Next.

22. Select ‘Unencrypted Authentication PAP SPAP” > Next > No > Next > Next > Finish.

Step 3 Test RADIUS Authentication

23. Back at the ASDM, in the same page you were in previously, select your server and then click ‘Test’.

24. Change the selection to Authentication > Enter your domain credentials > OK.

25. You are looking for a successful outcome.

Note: if it fails check there is physical connectivity between the two devices, the shared secrets match. Also ensure UDP ports 1645 and 1646 are not being blocked.

To Test AAA RADIUS Authentication from Command Line

[box]

test aaa-server authentication PNL-RADIUS host 172.16.254.223 username petelong password password123

[/box]

26. Finally, save the firewall changes > File > Save running configuration to flash.

Related Articles, References, Credits, or External Links

Windows Server 2003 – Configure RADIUS for Cisco ASA 5500 Authentication

Windows Server 2012 – Configure RADIUS for Cisco ASA 5500 Authentication