I have been working with a client recently to uplift their Active Directory from Windows Server 2003 to Windows Server 2008R2.
As part of this project I have had to migrate various services onto new servers such as Certificate Services, Terminal Services Licensing and IAS. It was this final service that gave me a little problem that I thought I’d share with you.
I followed the excellent TechNet article at http://technet.microsoft.com/en-us/library/ee791819(v=ws.10).aspx which details exactly what to do:-
- Installed the NPS role
- Copied IASMigReader.exe to the 2003 IAS server
- Ran IASMigReader to generate the IAS.txt file
- Copied IAS.txt to the 2008R2 Server
- Ran netsh nps import ias.txt
- Registered Server in AD
This all went to plan. When I checked the Network Policies and Clients on the NPS server, they were all present and correct as they had been on the 2003 server.
But when we re-pointed one of the client devices to use the new server, authentication was denied.
On checking the event log on the NPS server I found some very helpful, detailed logs that showed that the correct policy had been triggered and the client was verified but the authentication had been discarded:-
Reason Code: 80
Reason: The authentication or accounting record could not be written to the log file location. Ensure that the log file location is accessible, has available space, can be written to, and that the directory or SQL server name is valid.
This seemed pretty clear – the log file couldn’t be written to, all I needed to do was work out where this option was set!
The settings are under the Accounting node in the NPS console.
I noticed straight away that the path was C:\WINNT\System32\Logfiles – this had obviously been imported from the old server and was never going to work!
Under Log File Properties, click Change Log File Properties and set the correct path.
The reason the connections were being denied was because of the option If logging fails, discard connection requests.
Once I had updated the Accounting Log File location we re-tried authentication and all was working as it had been using IAS on the 2003 server.
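A check that can be run on the new NPS server after the import and before any clients are re-pointed, given here as an added example and not part of the original procedure or the TechNet article. It assumes a local path typed in from the Accounting node, that NPS discard events are recorded in the Security log as event ID 6274, and a free-space threshold chosen for illustration.

```powershell
# Added example: verify the NPS accounting log folder after importing IAS settings.
param(
    # Path shown under Accounting > Log File Properties, supplied by the operator.
    [Parameter(Mandatory = $true)][string]$LogDirectory,
    [int]$MinFreeMB = 100   # assumed threshold, adjust as needed
)

function Test-NpsLogDirectory {
    param([string]$Path)
    $result = New-Object PSObject -Property @{
        Path = $Path; Exists = $false; Writable = $false; FreeMB = $null
    }
    # An imported path such as C:\WINNT\System32\Logfiles fails here.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $result }
    $result.Exists = $true

    # Write and delete a probe file. This runs as the current user, not as the
    # NPS service account, so review the folder ACL as well if this passes.
    $probe = Join-Path $Path ("nps-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        $result.Writable = $true
    } catch { $result.Writable = $false }

    # Free space on the volume that holds the folder (local drives only).
    $root = [IO.Path]::GetPathRoot((Resolve-Path -LiteralPath $Path).ProviderPath)
    $result.FreeMB = [math]::Floor((New-Object IO.DriveInfo $root).AvailableFreeSpace / 1MB)
    return $result
}

$check = Test-NpsLogDirectory -Path $LogDirectory
$check | Format-List Path, Exists, Writable, FreeMB
if (-not ($check.Exists -and $check.Writable) -or $check.FreeMB -lt $MinFreeMB) {
    Write-Warning "Accounting log folder is not usable. With 'If logging fails, discard connection requests' enabled, NPS will discard requests."
}

# Recent discarded requests carrying the reason code from the event shown above.
$discarded = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6274 } `
        -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Reason Code:\s+80\b' })
"{0} recent discard event(s) with Reason Code 80" -f $discarded.Count
$discarded | Select-Object -First 5 TimeCreated, Id | Format-Table -AutoSize
```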
Hopefully this may save you some time if you import settings from an old server.