Managing multiple IAS servers

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To prevent a single IAS server from becoming a single point of failure for authentication, authorization, and accounting, IAS servers are often deployed either in pairs (a primary and a backup) to provide fault tolerance, or in multiples to balance the load of large numbers of authentication and accounting requests.

When you deploy more than one IAS server computer to provide the same authentication, authorization, and accounting service to RADIUS clients and proxies, you must synchronize the configuration of the IAS server computers. You can do this through the following:

  • Internet Authentication Service snap-in

    You can use the Internet Authentication Service snap-in to manage both local and remote IAS server computers. If you make a configuration change to one IAS server, you must make the same configuration change to all of the IAS servers that provide the same service. For information about managing a remote IAS server computer, see Manage a remote IAS server. This method might be acceptable for a small number of servers and minor configuration changes.

  • Copying the configuration of one IAS server computer to another

    With this method, you use the netsh aaaa show config command to export the configuration of one IAS server to a Netsh script file. Next, you use the netsh exec command to import the IAS server configuration on another IAS server. For more information, see Copy the IAS configuration to another server. This method is recommended for a large number of configuration changes or a large number of servers. You can use this method to centrally manage RADIUS and remote access policy configuration in a large enterprise network.

When you run netsh aaaa show config, its output is a Netsh script file that is designed to be used with the netsh exec command. The output of the netsh aaaa show config command includes:

  • IAS settings

  • RADIUS clients

  • Remote access policies

  • Connection request policies

  • Remote access logging settings

For more information, see Netsh commands for AAAA.

The Routing and Remote Access service uses the same database as IAS. However, the Routing and Remote Access service has no settings for IAS, RADIUS clients, or connection request policies; if such settings are present in the database, it ignores them. Because of this, it is possible to copy the configuration of an IAS server computer to a Routing and Remote Access server. For example, you can update the remote access policies of a branch office demand-dial router computer.

Notes

  • The netsh aaaa show config and netsh exec commands can be run without stopping the Internet Authentication Service or the Routing and Remote Access service.

  • The version number of the IAS database from which the configuration was exported should be less than or equal to the version of the IAS database into which the configuration is being imported. To view the version of the IAS database from which the configuration was exported, view the Netsh command script file that is created with the netsh aaaa show config command. To view the version of the IAS database on the IAS server computer on which the Netsh script is being run, use the netsh aaaa show version command.

  • The netsh aaaa show config and netsh exec commands are used to export and import the entire database. You cannot specify which elements of the IAS database to export or import.

  • Do not copy the configuration from a Routing and Remote Access server to an IAS server. By default, the Routing and Remote Access service version of the IAS database does not contain all of the configuration items contained in the full IAS database.

  • You can configure IAS in Windows Server 2003, Standard Edition, with a maximum of 50 RADIUS clients and a maximum of 2 remote RADIUS server groups. You can define a RADIUS client using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the IAS server uses the first IP address returned in the DNS query. With IAS in Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure RADIUS clients by specifying an IP address range.
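The export and import procedure described above, with the version check from the Notes, as an added PowerShell example that is not part of the original page or of Windows itself: run it with -Export on the source IAS server, copy the file to the destination server, then run it with -Import there. The file path and the regular expression used to read the database version out of the netsh output are assumptions; adjust them to match what netsh aaaa show version prints on your servers.

```powershell
# Added example (not from the original page): copy one IAS server's configuration
# to another with netsh, refusing the import when the exported database version is
# newer than the destination's. File location and version regex are assumptions.
param(
    [switch]$Export,
    [switch]$Import,
    [string]$ConfigFile = 'C:\IAS\ias-config.txt'   # assumed location of the Netsh script file
)

# Returns the first dotted version number in the text (assumption: this is how the IAS
# database version appears both in the export header and in 'netsh aaaa show version').
function Get-IasVersion([string]$Text) {
    if ($Text -match '(\d+(\.\d+)+)') { return [version]$Matches[1] }
    return $null
}

if ($Export) {
    # Dump the entire IAS database as a Netsh script. ASCII is used deliberately:
    # PowerShell's '>' writes UTF-16, which netsh exec does not read reliably.
    # Neither IAS nor Routing and Remote Access needs to be stopped for this.
    netsh aaaa show config | Out-File -Encoding ASCII $ConfigFile
    Write-Host "Exported IAS configuration to $ConfigFile"
}
elseif ($Import) {
    # Version recorded in the export header (first 20 lines, to avoid matching
    # RADIUS client IP addresses further down the file).
    $exportVer = Get-IasVersion (Get-Content $ConfigFile -TotalCount 20 | Out-String)
    # Version of the database on this (destination) server.
    $localVer  = Get-IasVersion (netsh aaaa show version | Out-String)
    if ($null -eq $exportVer -or $null -eq $localVer) {
        throw "Could not determine the IAS database version; inspect $ConfigFile and 'netsh aaaa show version'."
    }
    # The exported version must be less than or equal to the destination's version.
    if ($exportVer -gt $localVer) {
        throw "Export is from IAS database version $exportVer but this server has $localVer; import refused."
    }
    # netsh exec replaces the whole database; individual elements cannot be selected.
    netsh exec $ConfigFile
    Write-Host "Imported IAS configuration from $ConfigFile"
}
else {
    Write-Host 'Specify -Export (on the source server) or -Import (on the destination server).'
}
```

Do not feed this script an export taken from a Routing and Remote Access server, since that database omits IAS settings, RADIUS clients, and connection request policies.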