Deploying Multiple NPS Servers

Even though your CA is AD-integrated and auto-enrollment works, DC2 must explicitly trust the issuing CA and have access to the full certificate chain. Here's what to check:

DC2 must have the CA certificate in its Trusted Root Certification Authorities store

• Open certlm.msc on DC2.
• Navigate to Trusted Root Certification Authorities > Certificates.
• Ensure your internal CA certificate is present.
• If missing, export it from DC1 and import it manually.

DC2 must have the Intermediate CA (if applicable)

• If your CA uses an intermediate certificate, make sure DC2 has it in Intermediate Certification Authorities.

DC2 must have a valid server certificate for EAP-TLS

• NPS uses a server certificate to identify itself during the TLS handshake.
• Confirm that DC2 has a certificate with:
• Server Authentication EKU
• Subject Name or SAN matching the server's name
• Issued by your internal CA
• You can use auto-enrollment or manually request it via MMC > Certificates (Computer) > Personal > Request New Certificate.

Check NPS Policy Conditions

Even if you exported the NPS config, double-check:

• Connection Request Policies and Network Policies on DC2.
• Ensure the NAS IP Address or NAS Identifier conditions match what the Cisco AP sends.
• If DC1 had a policy scoped to its own IP or hostname, DC2 might be rejecting requests.

Test with NPS Logging

Enable logging on DC2:

• Open NPS console > Accounting > Log File Properties
• Enable Log authentication requests
• Check logs under %SystemRoot%\System32\LogFiles

This will show whether DC2 is receiving requests and why it's rejecting them.