Configure a Secondary Internet Authentication Service Server on a Domain Controller

Install IAS

To install IAS:

1. Click Start, point to Settings, and then click Control Panel.
2. Double-click Add/Remove Programs, and then click Add/Remove Windows Components.
3. In the Components list, click Networking Services (but do not select or clear its check box), and then click Details.
4. Click to select the Internet Authentication Service check box, and then click OK.
5. Click Next, and then click Finish.
6. In the Add/Remove Programs dialog box, click Close.

To start IAS, click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.

Enable IAS to Authenticate Users in Active Directory To register the IAS service in Active Directory:

1. Start the IAS snap-in. To do this, click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.
2. On the Action menu, click Register Service in Active Directory.
3. Click OK to confirm the IAS registration in the local domain, and then click OK.

 

Copy Primary IAS Configuration Settings to the Secondary IAS Server

You can copy the configuration settings, including registry settings from another IAS server by using the netsh command. To do this:

NOTE: Both IAS servers must be running the same versions of Microsoft Windows 2000.

1. Log on to the primary IAS server.
2. Click Start, click Run, type cmd in the Open box, and then click OK.
3. Type the following command, and then press ENTER
   netsh aaaa show config > path\file.txt
   where path and file is the complete path and file name in which you want to save the policy settings. For example, type netsh aaaa show config > a:\policy.txt to save the policy settings on drive A with a file name of Policy.txt.
4. Copy the text file that contains the configuration settings to the secondary IAS server.
5. On the secondary IAS server, click Start, click Run, type cmd in the Open box, and then click OK.
6. Type the following command, and then press ENTER
   netsh exec path\file.txt
   where path and file are the path and file name of the configuration settings that you copied from the primary IAS server.
   
   The following message appears:
   aaaa server configuration successfully set.
7. Quit the Internet Authentication Service snap-in, if it is running.
8. Start the IAS snap-in. To do this, click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.
9. Verify that the configuration settings have been imported. Configuration settings, including IAS server properties, clients, and policies should be listed in the corresponding containers of the Internet Authentication Service (Local) tree.

Configure Remote Access Servers to Use the Secondary IAS Server

Configure each Routing and Remote Access Server (RRAS) with two RADIUS servers that correspond to the primary and secondary IAS servers. If one IAS server becomes unavailable, the RRAS server will automatically "fail over" to the other server.

1. Log on to the RRAS computer as an administrator.
2. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
3. Under Routing and Remote Access, right-click the server that you want, and then click Properties.
4. Click the Security tab, and then click the Configure button that is next to the Authentication provider list. The primary IAS server should be displayed in the Server list.
5. Click Add, type the Fully Qualified Domain Name (FQDN) name of the secondary IAS server in the Server name box, and then click Change.
6. In the New secret box, type the "shared secret" password that you configured on the primary IAS server computer.
7. Retype this password in the Confirm new secret box, and then click OK.
8. Click OK, and then click OK.
9. When you receive the notification message that states that you must restart the Routing and Remote Access service, click OK.
10. Click the Configure button that is next to the Accounting provider list.
11. Click Add, type the FQDN name of the secondary IAS server in the Server name box, and then click Change.
12. In the New secret box, type the "shared secret" password that you configured on the primary IAS server computer.
13. Retype this password in the Confirm new secret box, and then click OK.
14. Click OK, click OK, click OK on the message that states that you must restart the Routing and Remote Access service, and then click OK.
15. In the console tree, right-click the RRAS server that you want to restart, point to All Tasks, and then click Stop.
16. Right-click the same server, point to All Tasks, and then click Start.
17. Quit the Routing and Remote Access snap-in.