Applying WPA2 via Group Policy in Windows Server 2003
[Updated 11/03/2010; fixed typos and clarified a few things]
[Updated 28/09/2012; yes, I've only just found out about the WPS problem - If you don't know about it yet, please read it as your wireless network might be completely insecure - link]
One of the things I get involved with at work is sorting auto-deployment of wireless profiles via Group Policy. In the past this has been great for configuring WPA/TKIP wireless profiles which are fine for most situations. However, most implementations of 802.11n require either no encryption or WPA2 before the advanced features of ‘n’ (eg. high speeds) are available.
Microsoft Server 2003 doesn’t support WPA2 in Group Policy, despite the fact it’s in XP Service Pack 3, and Windows Server 2008. It is also supported in Windows XP Service Pack 2 with update kb893357. After a lot of faffing around various forums it turns out there is a workaround to implement WPA2 in GPO on Server 2003.
WPA2 Option in Server 2003
Updating Active Directory for Group Policy Enhancements
Described in http://technet.microsoft.com/en-gb/library/bb727029.aspx.
This is just a howto so I won’t go into great detail, just how to quickly get it done.
Copy the file 802.11Schema.ldf onto the Active Directory server (the content of this file is listed at the end of this post in plaintext which you can cut n paste into a file if the link fails: KEEP THE ‘-’ AT THE END OF THE FILE, THIS IS IMPORTANT.
Open command prompt and run the following command on AD Server:
C:>ldifde -i -v -k -f 802.11Schema.ldf -c DC=X [Distinguished_Name_of_Domain]
I’ll paraphrase the M$ example at this point, if your domain is beans.com, the command you enter should be:
C:>ldifde -i -v -k -f 802.11Schema.ldf -c DC=X DC=beans,DC=com
It should respond that 6 items have been updated. It could probably benefit from a restart at this point, but other than that: That’s it for the Server!
Group Policy Update from Vista PC or Server 2008
Even though the Server 2003 box will support WPA2 now, you can’t set it up on the box itself. This needs to be done from either a Vista or Server 2008 machine (probably works with Windows 7 now – if anyone finds out can you pop me a comment please?). Join the PC to the domain if not already on it. Log onto the PC as Schema Administrator if possible – usually a Domain Admin account is fine.
Start, Run ‘gpmc.msc’ – If it’s not installed you need to install Microsoft Remote Server Administration Tools for Windows Vista (KB941314)
After the MRSAT have been installed you need to enable them. Go to:
Control Panel, Programs and Features, Turn Windows features on and off, Enable Tools.
From Group Policy Management you should now be able to select the Wireless Policy under:
Computer Config, Policies, Windows Settings, Security Settings, Wireless Network Policies, edit ‘XP’ policy, select Preferred Networks, and enter or edit the network profile. Change the authentication type to WPA2 and encryption to AES. Job done!
I’m always interested in feedback from this, if there’s anything I’ve missed or if things have moved on pop me a note and I’ll update.
The following is the content of the ldf file, you should just be able to download the file above though.
# -----------------------------------------------------------------------
# Copyright (c) 2006 Microsoft Corporation
#
# MODULE: 802.11Schema.ldf
# -----------------------------------------------------------------------# ———————————————————————–
# define schemas for these attributes:
#ms-net-ieee-80211-GP-PolicyGUID
#ms-net-ieee-80211-GP-PolicyData
#ms-net-ieee-80211-GP-PolicyReserved
# ———————————————————————–
dn: CN=ms-net-ieee-80211-GP-PolicyGUID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ms-net-ieee-80211-GP-PolicyGUID
adminDisplayName: ms-net-ieee-80211-GP-PolicyGUID
adminDescription: This attribute contains a GUID which identifies a specific 802.11 group policy object on the domain.
attributeId: 1.2.840.113556.1.4.1951
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 64
schemaIdGuid:: YnBpNa8ei0SsHjiOC+T97g==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-net-ieee-80211-GP-PolicyData,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ms-net-ieee-80211-GP-PolicyData
adminDisplayName: ms-net-ieee-80211-GP-PolicyData
adminDescription: This attribute contains all of the settings and data which comprise a group policy configuration for 802.11 wireless networks.
attributeId: 1.2.840.113556.1.4.1952
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 4194304
schemaIdGuid:: pZUUnHZNjkaZHhQzsKZ4VQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-net-ieee-80211-GP-PolicyReserved,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ms-net-ieee-80211-GP-PolicyReserved
adminDisplayName: ms-net-ieee-80211-GP-PolicyReserved
adminDescription: Reserved for future use
attributeId: 1.2.840.113556.1.4.1953
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 4194304
schemaIdGuid:: LsZpD44I9U+lOukjzsB8Cg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
# ———————————————————————–
# Reload the schema cache to pick up altered classes and attributes
# ———————————————————————–
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
# ———————————————————————–
# define schemas for the parent class:
#ms-net-ieee-80211-GroupPolicy
# ———————————————————————–
dn: CN=ms-net-ieee-80211-GroupPolicy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: ms-net-ieee-80211-GroupPolicy
adminDisplayName: ms-net-ieee-80211-GroupPolicy
adminDescription: This class represents an 802.11 wireless network group policy object. This class contains identifiers and configuration data relevant to an 802.11 wireless network.
governsId: 1.2.840.113556.1.5.251
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.1953
systemMayContain: 1.2.840.113556.1.4.1952
systemMayContain: 1.2.840.113556.1.4.1951
systemPossSuperiors: 1.2.840.113556.1.3.30
systemPossSuperiors: 1.2.840.113556.1.3.23
systemPossSuperiors: 2.5.6.6
schemaIdGuid:: Yxi4HCK4eUOeol/3vcY4bQ==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-net-ieee-80211-GroupPolicy,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
# ———————————————————————–
# Reload the schema cache to pick up altered classes and attributes
# ———————————————————————–
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
Have been getting this error:Entry DN: CN=ms-net-ieee-80211-GP-PolicyGUID,CN=Schema,CN=Configuration,DC=Firets0,DC=FIRENOW,DC=NET
14: Object does not exist, entry skipped
Entry DN: CN=ms-net-ieee-80211-GroupPolicy,CN=Schema,CN=Configuration,DC=FIRENOW,DC=NET
Add error on line 80: Unwilling To Perform
The server side error is “Schema update failed: attribute in may-contain does not exist.”
An error has occurred in the program
Thanks for your time, Michael
Hi Michael,
No idea, but the error you’re getting is mentioned at Microsoft under kb276382 with the following explanation. Give their suggestions a go, I can’t be any more help as I never encountered this error.
Hello Guest,
Your problem is that your file doesn’t end with “-” char. I thougt the same “what a stupid way to end a file” and deleted the dash… though it seems it should end in a dash
Thanks for the tip, I’ve updated the post to point out the “-” character is required.
I’ve apparently updated the Active Directory schema successfully on a Win 2K3 server, as I received the 6 separate “success” command line entries. But, I still do not see WPA2 as an option in the drop down box of the wireless group policy. Thoughts? Does the Win 2K3 domain controller require a restart after this?
mlc9 – I didn’t think it needed the restart, but it might be a good idea anyway, it’s quite a fundamental change. Post if that fixes things.
Hi there, I’m having the same issue! I did this yesterday afternoon and let everything propogate overnight and upon discovering I still couldn’t access wpa2 I gave the server a reboot but to no avail.
if anyone has any ideas they would be greatly appreciated! Thanks.
Hello there
I had the same issue. Booting the server did not help. The only solution was to install a Vista Domain machine and run the management of the Active Directory GPO from it. Now the WPA2 and AES config was there! Thanks a lot!!
I don’t know if I made it clear but the GPO updates do have to be made from either a Vista or Server 2008 machine. Glad the info helped anyway.
The item that tripped me up was that while I am an Enterprise Admin and Domain admin, etc, I was not a “Schema Admin.” Adding myself to that group (and logging back in) made things work much better.
Also, while you say “[Distinguished_Name_of_domain_controller]“, I believe you mean “[Distinguished_Name_of_domain]“. Pointing to a specific controller was not effective.
Lastly, it might be worth adding a sample of a distinguished name. I haven’t done AD stuff in a long time, and trying to dig this back out was more effort than I want to admit.
It’s a good point – I don’t tend to get involved in AD stuff unless absolutely necessary, I’ll update the article when I get a moment. You’d think that a Domain Admin would have permissions for schema updates!? Thanks for the feedback.
Thanks for the Schema Admin tip
[...] I believe you can do it by integrating an update into the 2003 schema. [...]
Very Poor Documentation of providing a solution. Sorry, Its not documented properly.
Updated with a few points, this should make things a bit clearer now.
Thanks for the info, I tried to edit the GPO from a Win XPSP3 workstation and found initialy that there was no wireless policy listed even though it’s definately on the DC – did a bit of digging around and found this excellent article by Daniel Petri – http://www.petri.co.il/working_with_wireless_gpo_settings_from_xp_sp2.htm
I junped through the hoops and the wireless policy appeared, but unfortunately still did not list WPA2 et al. i guess I’ll have to find a Vista box to try it from.
Nice tip. Just to confirm it does work with Windows 7 too.
A point you might want to add also for those working with multiple DCs is the need to run the ldifde schema extension on the DC that is acting as the schema master, otherwise it generates referral errors.
Great, thanks for letting me know. I’ll add it in.
You must be use the new Gpmc with in new windows,just like Vista or windows 2008。The old gpmc have no wpa2 options!You will learn from here :http://technet.microsoft.com/en-us/library/cc749533(WS.10).aspx
Nice guide, the first that clearly explained that the ldifde tweak should be added to the Win2003DC and then you should be able to access the win2003DC-GPO from fx. a win7 with installed Microsoft Remote Server Administration Tools for Windows 7
http://www.microsoft.com/downloads/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displaylang=en
Took a short while to figure out this “After the MRSAT have been installed you need to enable them. Go to:
Control Panel, Programs and Features, Turn Windows features on and off, Enable Tools.”
Then I could enable WPA2 to my existing “Wireless Network” policy on the win2003DC. Last thing, I had to export our GoDaddy certificate from the win2003DC, and the import it to the win 7 pc, to use within the existing wlanGPO
Great, thanks for the comment.
ran schema upgrade & 6 updates came through. Downloaded & installed 2008 remote server admin tools. Removed my old wireless policy & created new policy from win 7 computer.
I can not connect to wireless, showing reason code 66 in system logs? I am using radius box for 802.1x. Wireless has been running on wpa / tkip for about 2 -3 yrs. After the upgrade can not connect clients? Any ideas
thanks
1 – Check the policy has been pushed out to clients
2 – Check for errors in the event log on the server side
Hi guys
I’m getting this error
Add error on line 14: Insufficient Rights
The server side error is “Access is denied.”
0 entries modified successfully.
An error has occurred in the program
No log files were written. In order to generate a log file, please
specify the log file path via the -j option.
Sounds like you might be running from a restricted account – have you tried as Administrator?
I had tried with a user part of the schema admins and administrators group. logged off and logged back on.
Think you may need to be a domain admin for this, not certain though. Give it a try.