1
00:00:01,540 --> 00:00:03,470
All right, let's get on to the first demonstration,

2
00:00:03,470 --> 00:00:08,040
and we'll configure our first NPS server.

3
00:00:08,040 --> 00:00:11,940
So here we are in our virtual machine that we've provisioned to support NPS.

4
00:00:11,940 --> 00:00:14,180
This server has been joined to the domain.

5
00:00:14,180 --> 00:00:15,650
It's been named accordingly.

6
00:00:15,650 --> 00:00:17,580
It's all configured and ready to go.

7
00:00:17,580 --> 00:00:19,460
And as I mentioned before,

8
00:00:19,460 --> 00:00:22,770
the first thing we need to do before we start doing any configuration here is

9
00:00:22,770 --> 00:00:24,860
just make sure that our certificates came over correctly.

10
00:00:24,860 --> 00:00:28,990
To do that, I'm going to open up the Local Computer Certificates store,

11
00:00:28,990 --> 00:00:31,060
and the best way to do that, honestly,

12
00:00:31,060 --> 00:00:34,460
is by just clicking on the Start button or even entering in

13
00:00:34,460 --> 00:00:43,760
the search field the phrase certlm.msc, and that will bring us to this shortcut.

14
00:00:43,760 --> 00:00:48,810
And there we have it.

15
00:00:48,810 --> 00:00:52,020
We are in the Local Computer Certificates store.

16
00:00:52,020 --> 00:00:54,790
We didn't have to do all of the add, remove, snap‑in stuff.

17
00:00:54,790 --> 00:00:58,410
So we're going to expand our Certificates,

18
00:00:58,410 --> 00:01:02,450
Personal, and here you'll notice that we do not have any certificates configured.

19
00:01:02,450 --> 00:01:05,220
Now, if you'll remember back to one of the previous modules,

20
00:01:05,220 --> 00:01:07,850
we did all the certificate template configuration.

21
00:01:07,850 --> 00:01:10,710
We defined our auto enrollment policy.

22
00:01:10,710 --> 00:01:12,480
This is a domain‑joined server.

23
00:01:12,480 --> 00:01:14,420
It should be here, but it is not,

24
00:01:14,420 --> 00:01:17,840
so let's do a quick bit of troubleshooting and find out what's up.

25
00:01:17,840 --> 00:01:20,560
First thing I'm going to do is I'm going to run a gpresult,

26
00:01:20,560 --> 00:01:23,210
so I'm going to open an elevated PowerShell command window,

27
00:01:23,210 --> 00:01:25,420
and you can do this from the command window as well.

28
00:01:25,420 --> 00:01:27,650
I prefer to do everything from PowerShell though.

29
00:01:27,650 --> 00:01:31,480
So I'm going to right‑click on the Start menu and then choose

30
00:01:31,480 --> 00:01:35,140
PowerShell (Admin) as it needs to be elevated.

31
00:01:35,140 --> 00:01:39,010
And the first thing I want to do here is run gpresult, and

32
00:01:39,010 --> 00:01:47,140
let's see what group policies we have.

33
00:01:47,140 --> 00:01:47,830
And once again,

34
00:01:47,830 --> 00:01:53,340
the command here is gpresult /r and then /scope computer because I'm not

35
00:01:53,340 --> 00:01:59,040
interested in any of the user Group Policy settings.

36
00:01:59,040 --> 00:01:59,740
So once that's done,

37
00:01:59,740 --> 00:02:03,340
I'm going to scroll up, and the first thing I'm looking for is my

38
00:02:03,340 --> 00:02:08,440
Certificate Auto Enrollment Group Policy has been applied. Interesting

39
00:02:08,440 --> 00:02:11,740
because I still don't have a certificate.

40
00:02:11,740 --> 00:02:15,790
If I look here in the computer is a part of the following security

41
00:02:15,790 --> 00:02:20,940
groups, what I am not seeing here is this NPS server being a member

42
00:02:20,940 --> 00:02:25,240
of the NPS Servers security group, which if you recall,

43
00:02:25,240 --> 00:02:28,880
is what we defined for the security ACL on the template

44
00:02:28,880 --> 00:02:31,630
for that certificate for NPS servers.

45
00:02:31,630 --> 00:02:36,020
So I'm going to run over to my domain controller, I'm

46
00:02:36,020 --> 00:02:38,900
going to add this server to the group, and then we'll

47
00:02:38,900 --> 00:02:40,830
reboot this server because, again,

48
00:02:40,830 --> 00:02:43,840
its security group membership changed, so it has to restart.

49
00:02:43,840 --> 00:02:45,380
Once I've rebooted the server,

50
00:02:45,380 --> 00:02:48,100
I'm going to come back in here and look at this and make sure that my

51
00:02:48,100 --> 00:02:56,950
certificate gets installed correctly. And just like that, we're back.

52
00:02:56,950 --> 00:03:00,930
So I've added this server to the NPS Servers security group in

53
00:03:00,930 --> 00:03:04,020
Active Directory and restarted, so now let's take a look at our

54
00:03:04,020 --> 00:03:06,030
settings and see if we've got this certificate.

55
00:03:06,030 --> 00:03:13,740
So once again, I'm going to open up the PowerShell command window.

56
00:03:13,740 --> 00:03:27,840
So I'm going to run gpresult again, and let's see what the output is.

57
00:03:27,840 --> 00:03:31,900
And here you'll see that the NPS server is now a member of the NPS

58
00:03:31,900 --> 00:03:34,190
Servers group, so I should have a certificate.

59
00:03:34,190 --> 00:03:37,200
Let's open up the Local Computer Certificates store again, and you can just run

60
00:03:37,200 --> 00:03:44,940
this command right from the command window if you'd like.

61
00:03:44,940 --> 00:03:49,990
We'll expand our Personal store, and lo and behold we have a certificate.

62
00:03:49,990 --> 00:03:53,540
Let's take a quick look at it.

63
00:03:53,540 --> 00:03:58,040
So here's our certificate, correct hostname, private key.

64
00:03:58,040 --> 00:04:00,300
No issues with the certification path.

65
00:04:00,300 --> 00:04:08,000
Everything looks fantastic. We are now good to go, and we can start to install the NPS role