HOW TO: Configure a Secondary Internet Authentication Service Server on a Domain Controller (317589)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server

This article was previously published under Q317589

SUMMARY

This step-by-step article describes how to install and configure a secondary Microsoft Internet Authentication Service (IAS) server in a domain.

IAS performs the function of a Remote Authentication Dial-In User Service (RADIUS) server. You can use IAS for centralized authentication and accounting of multiple Routing and Remote Access Service (RRAS) servers. You can use a secondary IAS server to provide fault tolerance and load balancing in your domain.


Install IAS

To install IAS:
  1. Click Start, point to Settings, and then click Control Panel.
  2. Double-click Add/Remove Programs, and then click Add/Remove Windows Components.
  3. In the Components list, click Networking Services (but do not select or clear its check box), and then click Details.
  4. Click to select the Internet Authentication Service check box, and then click OK.
  5. Click Next, and then click Finish.
  6. In the Add/Remove Programs dialog box, click Close.
  7. To start IAS, click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.

Enable IAS to Authenticate Users in Active Directory

To register the IAS service in Active Directory:
  1. Start the IAS snap-in. To do this, click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.
  2. On the Action menu, click Register Service in Active Directory.
  3. Click OK to confirm the IAS registration in the local domain, and then click OK.

Copy Primary IAS Configuration Settings to the Secondary IAS Server

You can copy the configuration settings, including registry settings, from another IAS server by using the netsh command. To do this:

NOTE: Both IAS servers must be running the same version of Microsoft Windows 2000.
  1. Log on to the primary IAS server.
  2. Click Start, click Run, type cmd in the Open box, and then click OK.
  3. Type the following command, and then press ENTER:

    netsh aaaa show config > path\file.txt

    where path and file are the complete path and file name in which you want to save the policy settings. For example, type netsh aaaa show config > a:\policy.txt to save the policy settings on drive A with a file name of Policy.txt.
  4. Copy the text file that contains the configuration settings to the secondary IAS server.
  5. On the secondary IAS server, click Start, click Run, type cmd in the Open box, and then click OK.
  6. Type the following command, and then press ENTER:

    netsh exec path\file.txt

    where path and file are the path and file name of the configuration settings that you copied from the primary IAS server.

    The following message appears:

    aaaa server configuration successfully set.

  7. Quit the Internet Authentication Service snap-in, if it is running.
  8. Start the IAS snap-in. To do this, click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.
  9. Verify that the configuration settings have been imported. Configuration settings, including IAS server properties, clients, and policies, should be listed in the corresponding containers of the Internet Authentication Service (Local) tree.

Configure Remote Access Servers to Use the Secondary IAS Server

Configure each Routing and Remote Access Server (RRAS) with two RADIUS servers that correspond to the primary and secondary IAS servers. If one IAS server becomes unavailable, the RRAS server will automatically "fail over" to the other server.
  1. Log on to the RRAS computer as an administrator.
  2. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
  3. Under Routing and Remote Access, right-click the server that you want, and then click Properties.
  4. Click the Security tab, and then click the Configure button that is next to the Authentication provider list. The primary IAS server should be displayed in the Server list.
  5. Click Add, type the fully qualified domain name (FQDN) of the secondary IAS server in the Server name box, and then click Change.
  6. In the New secret box, type the "shared secret" password that you configured on the primary IAS server computer.
  7. Retype this password in the Confirm new secret box, and then click OK.
  8. Click OK, and then click OK.
  9. When you receive the notification message that states that you must restart the Routing and Remote Access service, click OK.
  10. Click the Configure button that is next to the Accounting provider list.
  11. Click Add, type the FQDN of the secondary IAS server in the Server name box, and then click Change.
  12. In the New secret box, type the "shared secret" password that you configured on the primary IAS server computer.
  13. Retype this password in the Confirm new secret box, and then click OK.
  14. Click OK, click OK, click OK on the message that states that you must restart the Routing and Remote Access service, and then click OK.
  15. In the console tree, right-click the RRAS server that you want to restart, point to All Tasks, and then click Stop.
  16. Right-click the same server, point to All Tasks, and then click Start.
  17. Quit the Routing and Remote Access snap-in.
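
Why the secret typed in steps 6 and 12 must match the one the secondary IAS server holds for this RRAS client: under RFC 2138, the RADIUS client checks each reply's Response Authenticator, an MD5 digest that includes the shared secret, and silently discards replies that fail. The following is an added illustration, not Microsoft code; the host names, secrets, and function names are constructed placeholders.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2  # RADIUS packet code (RFC 2138, section 3)


def build_reply(code, ident, request_auth, attributes, secret):
    """Build a reply the way a RADIUS server does."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + auth + attributes


def reply_is_valid(packet, request_auth, secret):
    """Validate a reply the way the RADIUS client (here, RRAS) does."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    packet = packet[:length]  # octets beyond Length are padding
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def check_servers(rras_secrets, ias_secrets):
    """Map each server name to whether its reply would validate on RRAS."""
    attrs = bytes([18, 4]) + b"ok"  # constructed Reply-Message attribute
    results = {}
    for ident, name in enumerate(sorted(rras_secrets)):
        request_auth = os.urandom(16)  # fresh Request Authenticator
        reply = build_reply(ACCESS_ACCEPT, ident, request_auth, attrs,
                            ias_secrets[name])
        results[name] = reply_is_valid(reply, request_auth, rras_secrets[name])
    return results


# Constructed sample data: host names and secrets are placeholders.
IAS = {"ias1.example.com": b"S3cret-A", "ias2.example.com": b"S3cret-A"}
RRAS_GOOD = {"ias1.example.com": b"S3cret-A", "ias2.example.com": b"S3cret-A"}
RRAS_TYPO = {"ias1.example.com": b"S3cret-A", "ias2.example.com": b"S3cret-a"}

if __name__ == "__main__":
    print(check_servers(RRAS_GOOD, IAS))
    print(check_servers(RRAS_TYPO, IAS))
```

With the mistyped secret, the primary still validates, so the error stays hidden until the primary is unavailable and the secondary's replies are discarded.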

REFERENCES

For additional information about how to configure a primary IAS server, click the article number below to view the article in the Microsoft Knowledge Base:

317588 HOW TO: Configure a Primary Internet Authentication Service Server On a Domain Controller

For additional information about IAS, click Help on the Start menu, click the Search tab, type IAS, and then click List Topics.

For more information about IAS, view the following Microsoft Web site:

Additional information about RADIUS is contained in the following Request for Comment documents:

RFC 2138
RFC 2139

To view these documents, view the following Web sites:

Modification Type: Major
Last Reviewed: 10/30/2003
Keywords:kbenv kbhowto kbHOWTOmaster kbnetwork KB317589 kbAudITPro