If you want redundancy, you need a second server running NPS with all the settings required to handle requests from your RADIUS clients. Network devices typically allow you to specify multiple RADIUS servers in their configuration, using either a shell or a web interface. If you have two servers, you have to define one as the "Master Radius Server": all configuration changes are made on that server and then imported into the second one. You can sync your NPS configuration manually via the GUI, or with a PowerShell script that runs as a scheduled task. The picture below shows this process.
The following script can be used to sync your NPS configuration between two servers. The path C:\admin\NPS\Backup\ must exist on both servers; either create it by hand or add that step to the script.
# Get date (used to keep a dated copy of every export on the master)
$date = Get-Date -Format yyyy_MM_dd
# Export NPS config: one dated archive copy and one fixed-name copy for transfer
Export-NpsConfiguration -Path C:\admin\NPS\Backup\NPSConfig_$date.xml
Export-NpsConfiguration -Path C:\admin\NPS\Backup\NPSConfig.xml
# Destination server (change to the hostname of your second NPS server)
$NPSDestServer = "SecondRadius"
# Copy config to destination server via the administrative share
Copy-Item -Path C:\admin\NPS\Backup\NPSConfig.xml -Destination \\$NPSDestServer\C$\admin\NPS\NPSConfig.xml
# Export the destination's current config first, so it can be restored if the import goes wrong
Invoke-Command -ComputerName $NPSDestServer -ScriptBlock {Export-NpsConfiguration -Path C:\admin\NPS\Backup\NPSConfig.xml}
# Import new config on the destination server
Invoke-Command -ComputerName $NPSDestServer -ScriptBlock {Import-NpsConfiguration -Path C:\admin\NPS\NPSConfig.xml}
Just copy this script to your Master Radius server, change $NPSDestServer = "SecondRadius" to match the name of your second NPS server, and create a scheduled task that executes the script.
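A hardened variant of the same sync, added here as an example and not part of the original post's script: it restricts the backup folder's ACL so exports (which contain RADIUS shared secrets in clear text) are readable only by SYSTEM and local Administrators, moves the file over a WinRM session instead of the C$ share, verifies the import by comparing the RADIUS client list on both servers, and removes the transfer copy from the second server. Server name, folder path and the verification scope are assumptions.

```powershell
# Added example, not the original post's script. Assumes the same folder on both servers
# and a hypothetical destination name "SecondRadius"; requires PowerShell 5+ for -ToSession.
param(
    [string]$NPSDestServer = "SecondRadius",
    [string]$BackupDir     = "C:\admin\NPS\Backup"
)
$ErrorActionPreference = 'Stop'

# Restrict the backup folder once: drop inherited ACEs, allow only SYSTEM and Administrators.
# New exports inherit this ACL, so no window exists where the XML is world-readable.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$acl = Get-Acl $BackupDir
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
}
Set-Acl -Path $BackupDir -AclObject $acl

# Dated export on the master (kept as the archive copy) and a fixed-name transfer copy.
$date     = Get-Date -Format yyyy_MM_dd
$transfer = Join-Path $BackupDir "NPSConfig.xml"
Export-NpsConfiguration -Path (Join-Path $BackupDir "NPSConfig_$date.xml")
Export-NpsConfiguration -Path $transfer
$masterClients = (Get-NpsRadiusClient).Name | Sort-Object

$session = New-PSSession -ComputerName $NPSDestServer
try {
    # Copy over the WinRM session (encrypted by default) rather than the admin share.
    Copy-Item -Path $transfer -Destination $transfer -ToSession $session
    $destClients = Invoke-Command -Session $session -ArgumentList $transfer, $BackupDir -ScriptBlock {
        param($file, $dir)
        # Rollback copy of the destination's current config, then import.
        Export-NpsConfiguration -Path (Join-Path $dir "PreImport_$(Get-Date -Format yyyy_MM_dd_HHmm).xml")
        Import-NpsConfiguration -Path $file
        # Do not leave the plaintext secrets on the second server.
        Remove-Item $file -Force
        (Get-NpsRadiusClient).Name | Sort-Object
    }
    # Verify: the RADIUS client list must now match the master's.
    if (Compare-Object $masterClients $destClients) {
        throw "RADIUS client list on $NPSDestServer does not match the master after import"
    }
} finally {
    Remove-PSSession $session
    Remove-Item $transfer -Force   # transfer copy is not needed on the master either
}
```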
Worked great on 2 new 2019 servers! A couple of notes - you do need to quote the second Radius in the script. Also, if using this as a scheduled task, I had to use this as the command to get it to work: powershell.exe -NoProfile -NoLogo -NonInteractive -ExecutionPolicy Bypass -File \\path\to\script.ps1. Credit to: https://stackoverflow.com/questions/13015245/powershell-script-wont-execute-as-a-windows-scheduled-task
Another helpful article to get an existing scheduled task to run under a gMSA: https://anotheritguy.com/index.php/2018/04/running-scheduled-task-with-group-managed-service-account/
Thanks for the interesting article! One additional thing: in some Microsoft articles about exporting the NPS settings (just one of which is here: https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-export), Microsoft warns that the resulting XML export file might, and likely does, contain sensitive data (passwords or encryption keys, etc.). If so, admins will want to be sure that the network share they create for this purpose is only accessible by other admins, or perhaps the script could be extended to automatically delete the XML file when done? Of course, that XML file deletion could always be done manually too. Then again, the article warns that just sending the XML file across the network in an unencrypted form could be a risk... just FYI. Thanks again for the article!