NPS enhancements in Windows Server 2008 R2

As you are already aware, the beta version of Windows Server 2008 R2 is now available to the public for beta testing. See for more information and the link to download the beta.

Here is the section from the Windows Server 2008 R2 Reviewer's Guide that describes the changes to the Network Policy Server (NPS) service in the beta release of Windows Server 2008 R2:

Improved Protection of Intranet Resources

The Network Policy Server (NPS) is a Remote Authentication Dial-In User Service (RADIUS) server and proxy and Network Access Protection (NAP) health policy server. NPS evaluates system health for NAP clients, provides RADIUS authentication, authorization, and accounting (AAA), and provides RADIUS proxy functionality.

NAP is a platform that includes both client and server components to enable fully extensible system health evaluation and authorization for a number of network access and communication technologies, including:

· Internet Protocol security (IPsec)-protected communication

· 802.1X-authenticated access for wireless and wired connections

· Remote access virtual private network (VPN) connections

· Dynamic Host Configuration Protocol (DHCP) address allocation

· Terminal Services (TS) Gateway access

The improvements to NPS in Windows Server 2008 R2 include:

· Automated NPS SQL logging setup. This new feature automatically configures a SQL database, required tables, and stored procedure for NPS accounting data, which significantly reduces the NPS deployment effort.

· NPS logging improvements. The logging improvements enable NPS to simultaneously log accounting data to both a file and a SQL database, support failover from SQL database logging to file logging, and support logging with an additional file format that is structured similarly to SQL logging.

· NAP multiple configurations of a system health validator (SHV). When you configure a health policy, you can select an SHV in a specific configuration. This allows you to specify different sets of health requirements based on a specific configuration of the SHV. For example, you can create a network policy that specifies that intranet-connected computers must have their anti-virus software enabled and a different network policy that specifies that VPN-connected computers must have their anti-virus software enabled and anti-malware installed.

· NPS templates. NPS templates separate common RADIUS configuration elements such as RADIUS shared secrets, IP filters, RADIUS clients, and others from the configuration that is running on the server. When referenced, the NPS setting inherits the values configured in the specified template. A change in the template changes the corresponding value in all of the places in which the template is referenced. For example, a single RADIUS shared secret template can be referenced for multiple RADIUS clients and servers. When you change the RADIUS shared secret template, the change is inherited by all of the RADIUS clients and servers in which that RADIUS shared secret template is referenced. NPS template settings can easily be synchronized across multiple NPS servers running Windows Server 2008 R2.

· Migration of Windows Server 2003 Internet Authentication Service (IAS) servers. This feature allows you to migrate the configuration settings of an IAS server running on Windows Server 2003 to an NPS server running on Windows Server 2008 R2.


The last bullet item is the same Iasmigreader.exe tool that I described in a previous NAP blog entry. I will publish more detailed descriptions of these features in future NAP blog posts.

Check out these new features. For ongoing beta support for NPS, post your question in the Windows Server 2008 R2 Networking TechNet forum.

Let the beta games begin!


Joe Davies
Senior Program Manager