Hello,
Once again I would love to benefit from your knowledge.
I inherited an old 2008R2 DC with a CA and NPS running on it, which serves as a RADIUS server for a firewall/wifi management. All NPS settings are a bit messy as there are old, unused settings in it as well, and on top no one knows the private key passphrase for the CA.
This is my last 2008R2 DC and I want to get rid of it and use the opportunity to clean up the mess.
My plan is to build up a new server whose only purpose shall be to be an NPS/RADIUS server, as I like to have my DCs clean of any other services. That server will be a domain member.
The NPS part is actually straightforward for me and I watched your 2012 videos about it, which look like they transfer pretty well to 2016. But one question bugs me...
At "Policies - Connection Request Policies - Use Windows authentication for all users - Properties - Settings - Authentication" it says "Authenticate requests on this server"... Does this mean that all authentication requests are only checked against the local user information or, as it is a domain member server, requests are checked against the domain user database? Or does this mean there always has to be an NPS on a domain controller? I am a bit confused by this…
In addition I have a question about the CA stuff.
I plan to build a new, local CA on the new server. So when users authenticate against the NPS they do need the cert of that NPS server, right? That is the cert I have to deploy so that no one gets an error message?!
Thanks!