Guide to Setting Up a RADIUS Authentication Server for Unifi Wireless Network

Overview

This guide will walk you through setting up a RADIUS authentication server on your Windows Active Directory domain to allow staff to log in to your Unifi wireless network using their AD credentials. Additionally, we will configure certificate-based authentication for staff laptops to enable automatic WiFi logins. We will also configure VLAN assignments so that students using RADIUS authentication are assigned a different VLAN than staff.

Step 1: Install and Configure Network Policy Server (NPS) on Windows Server

1. Install NPS
   • Open Server Manager on your Windows Server.
   • Click Manage > Add Roles and Features.
   • Select Network Policy and Access Services and then Network Policy Server (NPS).
   • Complete the installation.
2. Register NPS with Active Directory
   • Open NPS via Server Manager > Tools > Network Policy Server.
   • Right-click NPS (Local) and select Register Server in Active Directory.
   • Confirm the registration.
3. Add a RADIUS Client (Unifi Controller)
   • Expand RADIUS Clients and Servers in NPS.
   • Right-click RADIUS Clients, select New.
   • Set a Friendly Name (e.g., “Unifi Controller”).
   • Enter the IP address of your Unifi AP Range. (e.g, 10.66.4.1/22)
   • Set a Shared Secret (you’ll need this later in Unifi settings).
   • Click OK.

Step 2: Configure Network Policy for Staff and Student Authentication with VLAN Assignments

1. Create a New Network Policy for Staff
   • Expand Policies, right-click Network Policies, and select New.
   • Name the policy (e.g., “Staff WiFi Authentication”).
   • Click Next.
2. Specify Conditions
   • Click Add and select User Groups.
   • Choose Domain Users or a specific AD security group (e.g., “Employees”).
   • Click Next.
3. Configure Authentication Methods
   • Select Microsoft: Protected EAP (PEAP).
   • Click Edit and select a valid certificate (see Step 3 for issuing a certificate).
   • Ensure EAP-MSCHAPv2 is checked.
   • Check Wireless – IEEE 802.11 in the NAS Port Type

• • Click Next.

1. Configure VLAN Assignment for Staff
   • Under Settings > Standard RADIUS Attributes, add:
     • Tunnel-Medium-Type: Set to 802 (Wireless).
     • Tunnel-Pvt-Group-ID: Enter the VLAN ID for staff (e.g., “50”).
     • Tunnel-Tupe: Set to Virtual LANs (VLAN)
   • Click Next and Finish.
2. Create a New Network Policy for Students
   • Follow the same above but changing the AD group and VLAN.

Step 3: Set Up a Certificate Authority for Device Authentication

1. Install Certificate Services on Windows Server
   • Open Server Manager > Add Roles and Features.
   • Select Active Directory Certificate Services.
   • Install Certificate Authority (CA) and Network Device Enrollment Service (NDES).
2. Create a Server Certificate for NPS
   • Open Certification Authority.
   • Right-click Certificate Templates, select Manage.
   • Duplicate the RAS and IAS Server template.
   • Name it “NPS Certificate”, enable Server Authentication.
   • Issue the certificate for the NPS server.
3. Enroll Certificates for Staff Laptops
   • Open Group Policy Management.
   • Create a new GPO (e.g., “WiFi Cert Deployment”).
   • Navigate to Computer Configuration > Policies > Windows Settings > Public Key Policies > Automatic Certificate Request Settings.
   • Add Computer Certificate Enrollment Policy and apply it to staff laptops.

Step 4: Configure Unifi Controller for RADIUS Authentication

1. Access Unifi Network Controller
   • Open the Unifi Controller.
   • Navigate to Settings > Profiles > RADIUS.
   • Click Create New RADIUS Profile.
2. Add RADIUS Server Details
   • Set Authentication Server to your NPS server’s IP.
     • Set Port 1812 and enter the Shared Secret
   • Set Authentication Server to your NPS server’s IP.
     • Set Port 1813 and enter the Shared Secret
   • Set Accounting Server to your NPS server’s IP.
     • Set Port 1645 and enter the Shared Secret
   • Set Accounting Server to your NPS server’s IP.
     • Set Port 1646 and enter the Shared Secret
   • Click Save.
3. Assign RADIUS Authentication to WiFi
   • Go to Settings > WiFi.
   • Create a new WiFi network.
   • Set Security to WPA2-Enterprise.
   • Choose the RADIUS Profile created earlier.
   • Save and apply settings.
   • The clients will now connect with their AD Username and Password to the VLAN specified in the NPS Policy.

Step 5: Test and Deploy

1. Test AD Authentication
   • Connect a device to the WiFi.
   • Enter an AD username and password. (try staff or student)
   • Check NPS logs for authentication success and correct VLAN assignment.
2. Test Certificate Authentication
   • Ensure a staff laptop with a certificate automatically connects.
   • Verify in the Unifi Controller that authentication was seamless.
3. Monitor and Troubleshoot
   • Check Event Viewer > NPS Logs for errors.
   • Verify RADIUS settings in Unifi.
   • Ensure Group Policy is applied correctly.

Conclusion

You have successfully configured a RADIUS authentication server with Active Directory integration and certificate-based authentication for staff laptops. Additionally, VLAN assignments allow staff and students to be placed on separate networks automatically based on their authentication group.

<![CDATA[
As IT professionals we know that server backups are our sole responsibility.  There is no one else in the building worrying about it (until they lose stuff) and no one is looking over your shoulder.  But when the crypto-virus hits, when a catastrophic power event kills your servers, when your boss deletes the same folder for the tenth time…can you get it back?
All the training in the world will not prevent every user from clicking on that download.  I do training, I tell users not to click on unexpected attachments, but it happens.  Are you ready?  FYI, not selling anything.
Backups are easy.  In fact, with Server 2016, they are easier than easy.  In each of my VMWare machines there exists and “extra” 6TB drive.  On this drive I added an extra drive to each virtual server and setup automatic daily backups.  In general, this has been a flawless technique.  I can restore files in minutes.  Users do not have access (so the crytovirus doesn’t touch them) and they can be archived.  I use a daily batch to copy these backups weeks to another backup server, giving me redundancy.  I also have a copy in the vault that I remake every once in while.
“The cloud is better!”  I have heard that alot, but I don’t think so.  If all our user documents are on Google we are a slave to the internet.  Yes, an IT guy just said that!  Our internet goes down every single year!  There has not been a single year since I became Technology Coordinator that it hasn’t happened!  Does teaching stop when the internet goes down?  It might, if everything a teacher uses is in the cloud.  Instead, we keep most things internal.  Our LMS (Moodle,)  file servers, web servers, you name it.  If the internet goes down, we lose the internet.  Most teachers can continue without it.  Maybe a lesson is altered for the day, maybe not.  But teaching still happens.  In districts where everything is in the cloud, it comes to a standstill.
Consider monthly or weekly archival moves to the cloud, not all.  With the low cost of 6-8TB drives these days I would far rather have all these files local, and save my bandwidth for what isn’t our content.]]>

<![CDATA[Is this a strange question?  Some would think so.  I have known  a local IT shop that had only one.  They lost it in a storm, had no backup, and paid $35K to have an IT company make a new one.  After that, they still only had one!  Later the local IT company was hired to augment the IT shop, and they immediately put in a BDC.  Theirs actually became the PDC (yes those term still exist in FSMO) and then it was later removed when their contract ended, leaving not PDC.  So, is it a bad question?  I think not.
Now the most basic answer, for a single location situation, is 2.  Just not 1!   If you have multiple locations I would have 1 at each location.  For a school district (or business) with multiple complexes, a Domain Controller at each complex location would be optimal.  Each DC should handle DHCP and DNS as well.  This allows for local logons to be optimal, with little or no delay.  Additionally I would recommend file servers per complex so that the user files are as local as possible.  A single VMWare (or Hyper-V) machine can handle these various servers (I still make separate role servers) easily.

Server 2016 lets you split DHCP ranges.  As I have different VLANs and ranges per building, I can give the building primary (the close one) most of the range.  I do this by making the VLAN on the machine at the location have no delay, and then put in a delay in that VLAN for the other DCs.  Even in a single location situation I would recommend a delay on the BDC.  This allow one machine to handle normal logons, and allows you a way to gauge your network.  I have a 1ms delay on the BDC and it gets about 5% of the logons.  This is excellent feedback that the network is running well, and is healthy.  If I had a 1ms delay and 40-60% of the logons were on the BDC, I could have an issue.
I have a 10G network with all workstations on 1G connections, including the wireless APs.  The APs are AC and can handle 200 clients, with an AP in every room.  I also have a single location situation with 1200 devices (plus student and staff BYOD connecting as well.)
Back to logon delay.  I would highly recommend playing with this to find your network sweet spot.  Find the __ms setting that results in a 10% or lower fallback to the DC that is secondary (or tertiary).  If every DC is primary on a different VLAN (the primary VLAN for the physical location) then you have fallback for heavy logon times while maintaining the fastest speeds.
With network bandwidth becoming more an issue every day, it is our responsibility as IT professionals to make the user experience and fast and flawless as possible.  We impact the business at hand, and possible loss of production, more than some realize.  Finding the sweet spot for network logons, file access, and internet access, is one the primary ways we can make the things we do in the background obvious to those we support.]]>

<![CDATA[
Let me start this post by ensuring you that I am on a limited budget trying to effectively manage a 1:1.  I am sure there are paid alternatives, and possibly better free ones, that accomplishes this in other ways.  But it works!
Students lose laptops, forget where they put them, have them stolen, leave them on the bus for a 3rd grader to find (kept it for 2 weeks before his parents found it) and so forth.  They usually come crying to us a few days (sometimes weeks) later and don’t have a clue where it is.  How can we find it?
I have taken a tracking approach to simply let the laptop tell me where its is, who is using it, and what wifi it is on.  I do this through a logon batch script that simply sends a email to a tracking email account on each logon.  Yep, that is a lot of emails, but it is going to an account I only logon to when I need to find one.  I use gmail filters to put them in nice little folders by class, staff…
I use SendEmail (written by Brandon Zehm http://caspian.dotconf.net/)  This is in a folder on the C drive of my student laptops, and I added a logon script to execute logon.bat each logon.  I could do it on power on, timed, whenever.  Obviously task scheduler is used to execute the task as system.  All the information on how to use his code is in a text file in his download.
To make my batch file work simply replace:

1. gmailsmtp@gmail.com with your gmail account it is coming from in SMTP
2. gmpassword with the password for the account above.  Assuming GMAIL SMTP
3. trackingemail@gmail.com with the email you want to be receiving these notices.
4. @yourdomain.com with your actual domain.  It will then be sending the email from the user email address (in the from field.)

I am using netsh wlan show interface > c:\users\%username%\profile.txt to dump information to attach.  You could do ipconfig /all > profile.txt in the section for non-wifi users to try and find where it is plugged in as well.  I found this to not be very useful, but you might.
The end result.  If a student leaves his laptop lying around.  Someone else could pick it up and take it home.  But it will be of no use since they have no logon account on that laptop.  They would have to logon to it, at school, to accomplish that.  Then they are the last logon to the laptop.  I have had a student drive in at midnight, sit in the parking lot, and logon.  Yes, that has happened.  The point is that to make it usable, they have to logon.  And  I instantly know who did it.  If I am tracking a particular laptop I can have a gmail forwarded to me the instant it is used.
I have also had a student clean one all up and sell it to another student (like I didn’t have the motherboard serial numbers) and think I wouldn’t notice.  Is this worth the time?  It certainly is to the student that doesn’t want to pay for the lost laptop!

ECHO OFF
REM Who is logging on?
set str=%username%
REM What class is the user (for GMail filtering into folders)
set str=%str:~0,2%
REM Dump the current WIFI SSID information into a file
netsh wlan show interface > c:\users\%username%\profile.txt
REM Student account start with the grad year (last 2) and if this is true…it is a student
If %str% LSS 100 goto studentlogons
REM If a non-student account is logging on, it is an “other” logon.
:otherlogons
C:\sendmail\sendEmail.exe -f %username%@yourdomain.com -t trackingemail@gmail.com -u %username% just logged to %computername% -m %computername% was logged on by User:%username% at %time% on %date% -a c:\users\%username%\profile.txt -s smtp.gmail.com:587 -xu gmailsmtp@gmail.com -xp gmpassword -o tls=yes
REM  It sent, goto end
If %errorlevel% == 0 goto end
REM If the laptop is not on WIFI, it errors, so send it without WIFI SSID Info
C:\sendmail\sendEmail.exe -f %username%@yourdomain.com -t trackingemail@gmail.com -u %username% just logged to %computername% -m %computername% was logged on by User:%username% at %time% on %date% -s smtp.gmail.com:587 -xu gmailsmtp@gmail.com -xp gmpassword -o tls=yes
goto end
:studentlogons
C:\sendmail\sendEmail.exe -f %username%@yourdomain.com -t trackingemail@gmail.com -u %username% just logged to %computername% Class:%str% -m %computername% was logged on by User:%username% at %time% on %date% -a c:\users\%username%\profile.txt -s smtp.gmail.com:587 -xu gmailsmtp@gmail.com -xp gmpassword -o tls=yes
REM  It sent, goto end
If %errorlevel% == 0 goto end
REM If the laptop is not on WIFI, it errors, so send it without WIFI SSID Info
C:\sendmail\sendEmail.exe -f %username%@yourdomain.com -t trackingemail@gmail.com -u %username% just logged to %computername% Class:%str% -m %computername% was logged on by User:%username% at %time% on %date% -s smtp.gmail.com:587 -xu gmailsmtp@gmail.com -xp gmpassword -o tls=yes
goto end
:end]]>

<![CDATA[Okay, so you are a 1:1 school like us.  You get all the laptops back every summer, update and clean them, and reissue them the first week of school…in August.  2 weeks later, ODE finally releases the updated version of the Ohio Secure Browser for state Air testing.  Yes, we curse and swear and wish they had given it to us in June.  How do they think we are going to get all those devices back?  Oh, they gave us an MSI to GPO install it?  Great!  Sarcasm abounds here although it is difficult to hear.
The problem with a GPO/MSI install is that the thing will take forever, and possibly fail when users simply shut the laptop off, via wifi with hundreds of devices.  Oh, it works fine on the wired devices, especially if you roll out the GPO a container at a time.  WIFI MSI installs, not so much.
So we get to why am I writing this post at all.  No not to complain (well maybe a little) but to share how I get the new software out to laptops without a ridiculous delay.  I use a shutdown script that has it copy the software in pieces.  In this case, 5 pieces.  If you have a slow network, or experience issues, you could break it down to 20, realizing that it will take 20 shutdowns to complete.  The setup is predicated on making a network share with the contents of the OHSecureBrowser folder broken into distinct parts for the install steps.  You can break this batch file down even further if needed.  I have commented the basic stages of the process as much as possible.  Below is a screenshot of my folders and the contents of stage3.

Each text file is copied into OHSecureBrowser after that step is complete.  Stage0.txt denotes that it is complete.  The batch file (below) must be in the GPO (not linked) or it will not execute since it is making administrative level changes to the file system.  Also \\server\share in the code denotes where you are sharing the OH10 folder which includes the stage files above.
Why go to all this trouble?  Network installs can really slow you down, irritate users, and obviously fail.  Breaking an install like this into little parts makes it manageable, if you have the time to do it (assume a few weeks for all the parts.)  By copying the text file last it will simply keep doing that stage until it finally finished it.  This process has worked like a charm for me and I apply this frequently with items I want to happen seamlessly in the background.

IF EXIST “c:\Program Files\OHSecureBrowser\stage0.txt” (
goto end
)
IF EXIST “c:\Program Files (x86)\OHSecureBrowser\stage0.txt” (
goto end
)
IF EXIST “c:\Program Files\OHSecureBrowser\stage5.txt” (
C:
cd \Program Files\OHSecureBrowser
copy \\server\share\OH10\stage0.txt
goto end
)
IF EXIST “c:\Program Files (x86)\OHSecureBrowser\stage5.txt” (
c:
cd “\Program Files (x86)\OHSecureBrowser”
copy \\server\share\OH10\stage0.txt
goto end
)
IF NOT EXIST “C:\Users\Public\Desktop\OHSecureBrowser.lnk” (
goto Stage1
)
:Check86
IF EXIST “C:\Program Files\OHSecureBrowser\api-ms-win-core-console-l1-1-0.dll” (
c:
cd \Program Files\OHSecureBrowser
copy \\server\share\OH10\stage0.txt
copy \\server\share\OH10\stage5.txt
goto end
)
:Check64
IF EXIST “C:\Program Files (x86)\OHSecureBrowser\api-ms-win-core-console-l1-1-0.dll” (
c:
cd “\Program Files (x86)\OHSecureBrowser”
copy \\server\share\OH10\stage0.txt
copy \\server\share\OH10\stage5.txt
goto end
)
:Stage1
del “C:\Users\Public\Desktop\OHSecureBrowser.lnk”
IF NOT EXIST “c:\Program Files\OHSecureBrowser\stage1.txt” (
C:
cd \Program Files
md OHSecureBrowser
cd OHSecureBrowser
copy \\server\share\OH10\stage1\*.*
copy \\server\share\OH10\stage1.txt
goto end
)
:Stage2
IF NOT EXIST “c:\Program Files\OHSecureBrowser\stage2.txt” (
C:
cd \Program Files\OHSecureBrowser
copy \\server\share\OH10\stage2\*.*
copy \\server\share\OH10\stage2.txt
goto end
)
:Stage3
IF NOT EXIST “c:\Program Files\OHSecureBrowser\stage3.txt” (
C:
cd \Program Files\OHSecureBrowser
md defaults
cd defaults
md pref
cd pref
copy \\server\share\OH10\stage3\defaults\pref\*.*
cd \Program Files\OHSecureBrowser
md dictionaries
cd dictionaries
copy \\server\share\OH10\stage3\dictionaries\*.*
cd \Program Files\OHSecureBrowser
md fonts
cd fonts
copy \\server\share\OH10\stage3\fonts\*.*
cd \Program Files\OHSecureBrowser
md gmp-clearkey
cd gmp-clearkey
md 0.1
cd 0.1
copy \\server\share\OH10\stage3\gmp-clearkey\0.1\*.*
cd \Program Files\OHSecureBrowser
copy \\server\share\OH10\stage3.txt
goto end
)
:Stage4
IF NOT EXIST “c:\Program Files\OHSecureBrowser\stage4.txt” (
C:
cd \Program Files\OHSecureBrowser
md securebrowser
cd securebrowser
copy \\server\share\OH10\stage4\securebrowser\*.*
cd \Program Files\OHSecureBrowser\securebrowser
md components
cd components
copy \\server\share\OH10\stage4\securebrowser\components\*.*
cd \Program Files\OHSecureBrowser\securebrowser
md extensions
cd extensions
copy \\server\share\OH10\stage4\securebrowser\extensions\*.*
cd \Program Files\OHSecureBrowser\securebrowser
md features
cd features
copy \\server\share\OH10\stage4\securebrowser\features\*.*
cd \Program Files\OHSecureBrowser\securebrowser
md VisualElements
cd VisualElements
copy \\server\share\OH10\stage4\securebrowser\VisualElements\*.*
cd \Program Files\OHSecureBrowser
md uninstall
cd uninstall
copy \\server\share\OH10\stage4\uninstall\*.*
cd \Program Files\OHSecureBrowser
copy \\server\share\OH10\stage4.txt
goto end
)
:Stage5
IF NOT EXIST “c:\Program Files\OHSecureBrowser\stage5.txt” (
xcopy “\\server\share\OH10\stage5\*.*” “C:\Users\Public\Desktop\*.*” /d /y
C:
cd \Program Files\OHSecureBrowser
copy \\server\share\OH10\stage5.txt
copy \\server\share\OH10\stage0.txt
goto end
)
:end
 ]]>

<![CDATA[Okay, I am am a rogue.  My instructions are for those admins that want to use Ubuntu 16.04 as a server, but want to be able to use root when I want and the GUI when I want.  Both of these are not recommended, but in the first sentence I did say I was a rogue.  For the following, italics items are command line commands that can be copied directly into the terminal.

1.  Install Ubuntu 16.04 desktop.
2. Logon as your admin user.
3. Open a Terminal.
4. Enable root access.
   • sudo -i passwd root
   • sudo passwd -u root
5. Enable command line login.
   • gpedit /etc/default/grub
   • Change appropriate lines to
     • GRUB_CMDLINE_LINUX_DEFAULT=”text”
     • GRUB_CMDLINE_LINUX=”text”
     • GRUB_TERMINAL=console
   • sudo update-grub
   • sudo systemctl set-default multi-user.target
   • shutdown -r now
6. You will now be starting into command line like a normal server.  This minimizes background processes and maximizes server utilizaiton.  But you might want to use the GUI.  So logon and…
   • startx
   • You will need a new terminal window to start unity by right clicking and starting a terminal, then.
   • setsid unity
   • To log out you can use the collowing command.
   • gnome-session-quit

]]>

<![CDATA[You can do a GPO to force default applications for computers in a given AD container.
The GPO is in Computer Configuration->Policies->Administrative Templates->Windows Components->File Explorer.
Turn on "Set a default associations configuration file" and point it to the xml file containing your default setting.
To create the XML file the easiest way is to simply set your defaults on a system and then export them.  Use the exported file (delete what you don't want to force) to set the new GPO defaults.  Open an elevated command prompt and run

dism /online /Export-DefaultAppAssociations:"c:\DefaultAppAssociations.xml"

This will make the file you will then point to in your GPO.  Make sure to put it in a location your users can access.
Examples for Chrome and Firefox.
Forcing Google Chrome
<?xml version=”1.0″ encoding=”UTF-8″?>
<DefaultAssociations>
<Association Identifier=”.3gp2″ ProgId=”WMP11.AssocFile.3G2″ ApplicationName=”Windows Media Player” />
<Association Identifier=”.htm” ProgId=”ChromeHTML” ApplicationName=”Google Chrome” />
<Association Identifier=”.html” ProgId=”ChromeHTML” ApplicationName=”Google Chrome” />
<Association Identifier=”.MP2″ ProgId=”WMP11.AssocFile.MP3″ ApplicationName=”Windows Media Player” />
<Association Identifier=”.mpeg” ProgId=”WMP11.AssocFile.mpeg” ApplicationName=”Windows Media Player” />
<Association Identifier=”.oxps” ProgId=”Windows.XPSReachViewer” ApplicationName=”XPS Viewer” />
<Association Identifier=”.tif” ProgId=”PhotoViewer.FileAssoc.Tiff” ApplicationName=”Windows Photo Viewer” />
<Association Identifier=”.tiff” ProgId=”PhotoViewer.FileAssoc.Tiff” ApplicationName=”Windows Photo Viewer” />
<Association Identifier=”.txt” ProgId=”txtfile” ApplicationName=”Notepad” />
<Association Identifier=”.url” ProgId=”IE.AssocFile.URL” ApplicationName=”Internet Browser” />
<Association Identifier=”.website” ProgId=”IE.AssocFile.WEBSITE” ApplicationName=”Internet Explorer” />
<Association Identifier=”.xps” ProgId=”Windows.XPSReachViewer” ApplicationName=”XPS Viewer” />
<Association Identifier=”.htm” ProgId=”ChromeHTML” ApplicationName=”Google Chrome” />
<Association Identifier=”.html” ProgId=”ChromeHTML” ApplicationName=”Google Chrome” />
<Association Identifier=”http” ProgId=”ChromeHTML” ApplicationName=”Google Chrome” />
<Association Identifier=”https” ProgId=”ChromeHTML” ApplicationName=”Google Chrome” />
</DefaultAssociations>
Forcing Mozilla Firefox
<?xml version=”1.0″ encoding=”UTF-8″?>
<DefaultAssociations>
<Association Identifier=”.3gp2″ ProgId=”WMP11.AssocFile.3G2″ ApplicationName=”Windows Media Player” />
<Association Identifier=”.MP2″ ProgId=”WMP11.AssocFile.MP3″ ApplicationName=”Windows Media Player” />
<Association Identifier=”.mpeg” ProgId=”WMP11.AssocFile.mpeg” ApplicationName=”Windows Media Player” />
<Association Identifier=”.oxps” ProgId=”Windows.XPSReachViewer” ApplicationName=”XPS Viewer” />
<Association Identifier=”.tif” ProgId=”PhotoViewer.FileAssoc.Tiff” ApplicationName=”Windows Photo Viewer” />
<Association Identifier=”.tiff” ProgId=”PhotoViewer.FileAssoc.Tiff” ApplicationName=”Windows Photo Viewer” />
<Association Identifier=”.txt” ProgId=”txtfile” ApplicationName=”Notepad” />
<Association Identifier=”.url” ProgId=”IE.AssocFile.URL” ApplicationName=”Internet Browser” />
<Association Identifier=”.website” ProgId=”IE.AssocFile.WEBSITE” ApplicationName=”Internet Explorer” />
<Association Identifier=”.xps” ProgId=”Windows.XPSReachViewer” ApplicationName=”XPS Viewer” />
<Association Identifier=”.htm” ProgId=”FirefoxURL” ApplicationName=”Firefox” />
<Association Identifier=”.html” ProgId=”FirefoxURL” ApplicationName=”Firefox” />
<Association Identifier=”.htm” ProgId=”FirefoxURL” ApplicationName=”Firefox” />
<Association Identifier=”.html” ProgId=”FirefoxURL” ApplicationName=”Firefox” />
<Association Identifier=”http” ProgId=”FirefoxURL” ApplicationName=”Firefox” />
<Association Identifier=”https” ProgId=”FirefoxURL” ApplicationName=”Firefox” />
</DefaultAssociations>]]>

<![CDATA[There are a lot of reasons to consider virtualizing your servers.  Here is a short list.

1. A virtualized server is easier to backup.
   • You can export, snapshort, image, or use a vendor provided backup option.
2. A virtualized server is easier to move to new hardware when needed.
   • Easier hardware upgrades!
   • Backup and restore to the new machine with increased capability.
   • Add virtual drives, NICs, on the fly and they just appear on the server.
3. You can separate server roles so that if you are upgrading a single role, only one server is affected.
   • I can’t oversell separating roles!  If you have an AD, DNS, DHCP, File Server, Print server…you need to separate some things!  While AD, DNS, DHCP may go together, print and file servers do not, they belong on their own servers.
4. You maximize your computing resources.
   • You can afford a better machine if it is running 5 VMs on it, and when it needs power, it is there.  Sharing 8 cores and 32Gb of RAM is cheap and runs 4 VMs easy.
5. It is more energy efficient (Go Green!)
   • One PSU running those 4 VMs is 1/4 the power, enough said.
6. You can extend the life of old applications.  If you have a piece of software that only works on an old OS, you can move that machine to a VM and have it rock on the new hardware.  I hate keeping 2003 around, but the software only works on that OS, so we stripped everything else off of the server, virtualized, and can keep it running until the new software comes out.
7. Fast deployment.
   • When I was asked if we could make a 2012R2 system for the new video surveillance system in a meeting I had the new server up before the meeting was over.  (I have a 2012R2, 208R2, 2016 Sysprep and can make a server in 6 minutes)
   • Did that impress my administrative team and the vendor?  You bet.  Be a IT superhero!  🙂
   • I have a separate VM with no active machines on it for these fast requests and immediate needs.  I move them later to the “right” place.
8. It is FREE!  While there are obviously versions that do cost.  VMWare ESXi is free and HyperV comes with your copy of Windows Server.

Our current VMWare servers are 20 core i7s with128Gb of DDR4 RAM.  We use a 2Tb M2 SSD as well as additional 2Tb 850 Pros as needed.  The server can maintain 10+ servers without seeming to be running more than 1.  The cost per server are around 4000.  We reuse the server cases but include new gold rated PSUs with a new build.]]>