Always On VPN Technology Overviews
When performing the steps in this blog series, the following technologies will be installed and configured in Windows Server 2016.
Following are brief overviews of these technologies and links to
In Windows Server 2016, the Remote Access server role is a
multifaceted gateway and router that provides centralized administration,
configuration, and monitoring of Virtual Private Network (VPN) remote access
You can manage Remote Access Service (RAS) Gateways by using
Windows PowerShell commands and the Remote Access Microsoft Management Console
For more information, see Remote Access.
Windows 10 VPN Clients
Remote client computers must be running the Windows 10
Anniversary Update (version 1803) or later operating system, and must be joined
to your Active Directory domain.
For detailed feature descriptions and a full list of the VPN
capabilities in Windows 10, see the Windows 10 VPN Technical
AD DS provides a distributed database that stores and manages
information about network resources and application-specific data from
directory-enabled applications. Administrators can use AD DS to organize
elements of a network, such as users, computers, and other devices, into a
hierarchical containment structure. The hierarchical containment structure
includes the Active Directory forest, domains in the forest, and Organizational
units (OUs) in each domain. A server that is running AD DS is called a domain
AD DS contains the user accounts, computer accounts, and account
properties that are required by Protected Extensible Authentication Protocol
(PEAP) to authenticate user credentials and to evaluate authorization for VPN
For information about deploying AD DS, see the Windows Server
2016 Core Network Document.
Users and Computers
Active Directory Users and Computers is a component of AD DS
that contains accounts that represent physical entities, such as a computer, a
person, or a security group. A security group is a collection of user or
computer accounts that administrators can manage as a single unit. User and
computer accounts that belong to a particular group are referred to as group
Group Policy Management enables directory-based change and
configuration management of user and computer settings, including security and
user information. You use Group Policy to define configurations for groups of
users and computers.
With Group Policy, you can specify settings for registry
entries, security, software installation, scripts, folder redirection, remote
installation services, and Internet Explorer maintenance. The Group Policy
settings that you create are contained in a Group Policy object (GPO). By
associating a GPO with selected Active Directory system containers — sites,
domains, and OUs — you can apply the GPO’s settings to the users and computers
in those Active Directory containers. To manage Group Policy objects across an
enterprise, you can use the Group Policy Management Editor Microsoft Management
DNS is a name resolution protocol for TCP/IP networks, such as the Internet or your network. A DNS server hosts the information that enables client computers and services to resolve easily recognized, alphanumeric DNS names to the IP addresses that computers use to communicate with each other.
For more information about DNS, see Domain Name System (DNS).
For information about deploying AD DS with DNS, see the Windows
Server 2016 Core Network Document.
AD CS in Windows Server 2016 provides customizable services for creating and managing the X.509 certificates that are used in software security systems that employ public key technologies. You can use AD CS to enhance security by binding the identity of a person, device, or service to a corresponding public key. AD CS also includes features that allow you to manage certificate enrollment and revocation in a variety of scalable environments.
Certificate templates can greatly simplify the task of
administering a certification authority (CA) by allowing you to issue
certificates that are preconfigured for selected tasks. The Certificate
Templates MMC snap-in allows you to perform the following tasks.
- View properties for each certificate template.
- Copy and modify certificate templates.
- Control which users and computers can read templates and enroll
- Perform other administrative tasks relating to certificate
Certificate templates are an integral part of an enterprise
certification authority (CA). They are an important element of the certificate
policy for an environment, which is the set of rules and formats for
certificate enrollment, use, and management.
For more information, see Certificate Templates.
This document provides instructions for using Active Directory Certificate Services (AD CS) to both enroll and automatically enroll certificates to Remote Access and NPS infrastructure servers. AD CS allows you to build public key infrastructure (PKI) and provide public key cryptography, digital certificates, and digital signature capabilities.
When you use digital server certificates for authentication
between computers on your network, the certificates provide:
- Confidentiality through
- Integrity through
- Authentication by
associating certificate keys with computer, user, or device accounts on a
For more information, see AD CS Step by Step
Document: Two Tier PKI Hierarchy Deployment.
NPS allows you to create and enforce organization-wide network
access policies for connection request authentication and authorization. When
you use NPS as a Remote Authentication Dial-In User Service (RADIUS) server,
you configure network access servers, such as VPN servers, as RADIUS clients in
You also configure network policies that NPS uses to authorize
connection requests, and you can configure RADIUS accounting so that NPS logs
accounting information to log files on the local hard disk or in a Microsoft
SQL Server database.
For more information, see Network Policy Server (NPS).
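As an added example (not code from the original post or from Microsoft's documentation), the following PowerShell registers the Always On VPN server as a RADIUS client on NPS, as described above, using a randomly generated shared secret. The client name, address and export path are assumed placeholders.

```powershell
# Added example (not from the original post): register an Always On VPN (RRAS)
# server as a RADIUS client on NPS with the NPS PowerShell module.
# Assumed placeholder values: client name 'VPN01' and address 10.0.0.5.

Import-Module NPS   # installed with the Network Policy Server role (NPAS)

$clientName = 'VPN01'
$clientIp   = '10.0.0.5'   # restrict the entry to the VPN server's own address

# Generate a long random shared secret rather than a hand-typed one; the
# secret is what proves to NPS that a RADIUS request came from the VPN server.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$sharedSecret = [Convert]::ToBase64String($bytes)   # 44 chars, within NPS's 128-char limit

# Create the RADIUS client entry (skip if an entry with this name already exists)
if (-not (Get-NpsRadiusClient | Where-Object Name -eq $clientName)) {
    New-NpsRadiusClient -Name $clientName -Address $clientIp -SharedSecret $sharedSecret | Out-Null
}

# Verify the entry. The same secret must be entered on the RRAS server's RADIUS
# authentication and accounting providers; keep it in a secrets vault, not in a script.
Get-NpsRadiusClient | Where-Object Name -eq $clientName | Select-Object Name, Address

# Export the NPS configuration so the server can be rebuilt or cloned.
# The export contains the shared secrets, so protect the file accordingly.
Export-NpsConfiguration -Path "$env:TEMP\nps-config.xml"
```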