Connected® Backup for PC 8.2

Converting a Community to Use Enterprise Directory


Version(s): Connected DataProtector/PC 7.x - 8.x, Connected DataProtector/SV 2.5
Component(s): Data Center Server
Last Updated: July 2, 2008
Document number: 567

In Support Center, you can create a new community and associate an Enterprise Directory with that community. However, Support Center does not allow you to associate an Enterprise Directory with a community that already has user accounts and technicians. This document describes how to manually associate Enterprise Directory with an existing Support Center community.

Concepts

To complete the procedures in this document, you must run SQL queries directly on the Data Center server. If you have manually added a password to associate with your Connected Backup 7.x Accounts, you must remove the passwords from the Data Center Server. Your Connected Backup 8.x Accounts require passwords and therefore you do not need to remove them. 

Note: Do not use the procedures described in this document to convert the Root community in Support Center. The community you convert must be an existing sub-community. Configuring LDAP at the root level of the Data Center server is not supported.

This article contains six procedures. You must perform these procedures in the order they are presented, unless otherwise noted.

1: Check for Connected Backup/PC Account Passwords (7.x Accounts only)

2: Update Logon Information

3: Remove existing Connected Backup passwords (7.x Accounts only)

4: Configure Enterprise Directory in Support Center

5: Create LDAP Technicians in Support Center

6: Verify LDAP Changes

Before You Begin

Before you begin, you must consider the following items:

  • If your 7.x Accounts have Connected Backup passwords, you must download three files to each account in the community. This process can take several days to perform because it is not complete until all accounts in the community complete a successful backup to the Data Center.

  • You must repeat each procedure for each community with existing accounts and technicians that you want to associate with Enterprise Directory.

  • When you perform the procedures in this article on a community, its subcommunities inherit the settings that you specify. To give a subcommunity different settings, use Support Center.

  • In Step 3: Remove existing Connected Backup passwords, some executables have to run in the user context of the BackupServer service account (CNTD_DCServices). To gain the level of permission required to access the database, use the RunAs command. To view the syntax and usage of this command, enter RunAs at the command line.

You must have the following files only for Connected Backup 7.x Accounts with a Password:

Step 1: Check for Connected Backup/PC Account Passwords (7.x Accounts only)

Perform this procedure only if you use 7.x Accounts. If you use 8.x Accounts, continue to Step 2: Update Logon Information.

To check for Account passwords, complete the following steps:

  1. Use SQL Query Analyzer or SQL Server Management Studio to run UpdateAccountPasswordSetup.sql to create a temporary table called TempAccountPassword and a trigger on the DownloadTrail table.

The UpdateAccountPasswordSetup.sql script populates the TempAccountPassword table with a list of accounts that need to have their password updated.

IMPORTANT: If you run a mirrored data center, you must run the UpdateAccountPasswordSetup.sql script on both servers.

  2. Use Query Analyzer or SQL Server Management Studio to run the following SQL script:

Use registry
select * from TempAccountPassword

  3. Do one of the following tasks:

Step 2: Update Logon Information

To update your logon information for Accounts without passwords, complete the following steps: 

  1. Use Support Center to disable new account registration for the community.

  2. Use SQL Query Analyzer or SQL Server Management Studio to run the following script for each account in the community and any subcommunities.

This script updates the Customer table with correct logon ID information for each account. You must repeat this step for every account in the community and subcommunities.

Note: The accounts in the community you are updating may experience problems with backups until you complete this procedure.

Use registry
UPDATE Customer
SET LoginID = '<login id>'
where Account = <account number>

where:

  • <login id> is the appropriate logon ID for each account in the community

  • <account number> is the appropriate account number for each account in the community

After the query completes, continue to Create LDAP Technicians in Support Center.
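Running the UPDATE above once per account by hand does not scale and leaves no record of which accounts were missed. As an added example that is not part of the Iron Mountain procedure, the following T-SQL performs the same LoginID update for a whole community in one set-based statement, refuses to run on ambiguous input, and rolls back if any account in the community would be left without a logon ID. It assumes a staging table AccountLoginMap (Account, LoginID) that you populate with the account-number/logon-ID pairs, and a Customer.CommunityId column linking each account to its community; both are assumptions, so check them against your schema before use.

```sql
-- Added example (not from the original procedure). Assumptions:
--   dbo.AccountLoginMap (Account INT, LoginID NVARCHAR(256)): staging table you populate
--   Customer.CommunityId: assumed column linking an account to its community
USE Registry
SET NOCOUNT ON
DECLARE @communityname NVARCHAR(64)
DECLARE @communityid INT
SET @communityname = '<community name>'
SELECT @communityid = CommunityId FROM Community WHERE CommunityName = @communityname
IF @communityid IS NULL
BEGIN
    PRINT 'Community name entered was not found'
    RETURN
END

-- Refuse to run if the staging data is ambiguous or incomplete.
IF EXISTS (SELECT Account FROM AccountLoginMap GROUP BY Account HAVING COUNT(*) > 1)
   OR EXISTS (SELECT * FROM AccountLoginMap WHERE LoginID IS NULL OR LTRIM(RTRIM(LoginID)) = '')
BEGIN
    PRINT 'Staging table has duplicate account numbers or blank logon IDs; fix it first'
    RETURN
END

BEGIN TRANSACTION
UPDATE c
SET c.LoginID = m.LoginID
FROM Customer AS c
INNER JOIN AccountLoginMap AS m ON m.Account = c.Account
WHERE c.CommunityId = @communityid            -- assumed column
PRINT CAST(@@ROWCOUNT AS VARCHAR(10)) + ' account(s) updated'

-- List accounts in the community that still have no logon ID; if any remain, undo the change.
SELECT c.Account
FROM Customer AS c
WHERE c.CommunityId = @communityid
  AND (c.LoginID IS NULL OR c.LoginID = '')
IF @@ROWCOUNT > 0
BEGIN
    PRINT 'Some accounts still have no logon ID; rolling back'
    ROLLBACK TRANSACTION
END
ELSE
    COMMIT TRANSACTION
```

The filter covers only the named community, so run the batch once for each subcommunity as well, just as the procedure requires.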

Step 3: Remove existing Connected Backup passwords (7.x Accounts only)

Before you can remove any passwords associated with your Connected Backup 7.x Accounts, you must first confirm that any exist.

To confirm whether an account has an LDAP password, run the following script against your 7.x Accounts:

IMPORTANT: The following script is for 7.x accounts only. Do not run on 8.x accounts. 

Use registry
UPDATE Customer
SET LoginID = '<login id>',
Ldappassword=1,
Modified=1
where Account = <account number>

where:

  • <login id> is the appropriate logon ID for each account in the community

  • <account number> is the appropriate account number for each account in the community

To remove the Connected Backup password associated with your 7.x Accounts, complete the following procedure:

  1. To find the CommunityId of the community that you want to associate with Enterprise Directory, run the following query:

    SELECT CommunityId FROM Community
    WHERE CommunityName = 'name'

where 'name' is the name of the community

  2. You must run LDAPMigrate.exe in the context of the BackupServer service account. Use the RunAs command with the /user switch for this purpose. LDAPMigrate /? lists the usage for the LDAPMigrate executable.

At a command prompt, run LDAPMigrate.exe. Use the CommunityID obtained in step 1 as the input parameter in the command. Use the following syntax:

LDAPMigrate /user domain\CNTD_DCSERVICES <community_id>

The following example shows how to specify a community with an ID of 3:

LDAPMigrate /user domain\CNTD_DCSERVICES 3

LDAPMigrate.exe generates the following results:

  • Creates the OldAccount.txt file. This file contains a list of all accounts using a pre-6.1 version of the Agent. You must upgrade these accounts to the most current version of the Agent in use on your Data Center before proceeding.

  • Creates the TempAccountPassword table in the Registry database. This table records all accounts with account passwords enabled and their new passwords.

  • Creates the AccountPassword.ini file. The customer downloads this file later in the procedure.

  • Creates one entry per account in the DownloadFileSetAccount table. This table lists which accounts need updates to their account password.

  3. In the DataCenter\Configuration$ folder, create a Download folder.

  4. Use the Compress tool located in the DataCenter folder to compress the AccountPassword.ini and UpdateAccountPassword.exe files.

These two files are located in the same folder as the LDAPMigrate.exe file that you downloaded in step two of this procedure. The AccountPassword.ini file generates when you run LDAPMigrate.exe. The compressed files must have the same name as the uncompressed versions.

  5. Do one of the following tasks:

  • If you run a mirrored Data Center, copy the compressed files to the same location on the mirrored server (the DataCenter\Configuration$ folder).

  • If you run a clustered Data Center, copy the compressed files to the same location on both Registry Master servers.

  6. To enable the Data Center to download two files to all accounts in the given community, insert two records into the DownloadFile table.

To run the following two scripts for this task, use SQL Query Analyzer or SQL Server Management Studio (for the purpose of this task, Iron Mountain Digital assumes that you created a download folder in the Datacenter\Configuration$ folder for the two compressed files):

IMPORTANT: Do not run the following queries more than once.

Use registry
INSERT INTO DownloadFile(Cdate, gid, Type, Disposition, Billing, Audit, FileName, TargetName, Description, Truename, Version)
VALUES (GETDATE(), -70062, 0, 0, 0, 1, 'RegistrationMaster-Configuration$\download\AccountPassword.ini', NULL, '', NULL, NULL)
waitfor delay '00:00:01'

Use registry
INSERT INTO DownloadFile(Cdate, gid, Type, Disposition, Billing, Audit, FileName, TargetName, Description, Truename, Version)
VALUES (GETDATE(), -70062, 1, 0, 0, 1, 'RegistrationMaster-Configuration$\download\UpdateAccountPassword.exe', NULL, '', NULL, NULL)

When an Account from the community connects to the Data Center for backup, the Data Center downloads the two files. The UpdateAccountPassword.exe file updates the account password and triggers the same change in the Customer table on the Data Center.

Security Issue: The AccountPassword.ini file contains the hashed values of the encryption key for the accounts that need passwords updated. This might be a security issue if there is a problem running UpdateAccountPassword.exe on the Agent. UpdateAccountPassword.exe deletes this file as soon as it has run.
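Because the procedure warns that the two DownloadFile inserts must never be run twice, a practitioner usually wants a version that is safe to re-run. As an added example that is not part of the original procedure, the following batch inserts each record only if it is not already present and then reports the record count per file. It reuses the page's column list, the gid value -70062 and the download folder path; nothing else is assumed.

```sql
USE Registry
-- Added example, not part of the original procedure: idempotent versions of the two
-- DownloadFile inserts. Values and paths are those given in the procedure above.
IF NOT EXISTS (SELECT * FROM DownloadFile
               WHERE gid = -70062 AND Type = 0
                 AND FileName = 'RegistrationMaster-Configuration$\download\AccountPassword.ini')
    INSERT INTO DownloadFile (Cdate, gid, Type, Disposition, Billing, Audit, FileName, TargetName, Description, Truename, Version)
    VALUES (GETDATE(), -70062, 0, 0, 0, 1, 'RegistrationMaster-Configuration$\download\AccountPassword.ini', NULL, '', NULL, NULL)
ELSE
    PRINT 'Download record for AccountPassword.ini already exists; skipping'

-- The original procedure pauses one second between the two inserts; keep that ordering.
WAITFOR DELAY '00:00:01'

IF NOT EXISTS (SELECT * FROM DownloadFile
               WHERE gid = -70062 AND Type = 1
                 AND FileName = 'RegistrationMaster-Configuration$\download\UpdateAccountPassword.exe')
    INSERT INTO DownloadFile (Cdate, gid, Type, Disposition, Billing, Audit, FileName, TargetName, Description, Truename, Version)
    VALUES (GETDATE(), -70062, 1, 0, 0, 1, 'RegistrationMaster-Configuration$\download\UpdateAccountPassword.exe', NULL, '', NULL, NULL)
ELSE
    PRINT 'Download record for UpdateAccountPassword.exe already exists; skipping'

-- Verification: expect exactly two rows, one per file, each with Records = 1.
-- A Records value above 1 means the original inserts were already run more than once.
SELECT Type, FileName, COUNT(*) AS Records
FROM DownloadFile
WHERE gid = -70062
GROUP BY Type, FileName
```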

  7. To check the number of accounts that have not connected to the Data Center and downloaded the AccountPassword.ini and UpdateAccountPassword.exe files, enter the following script:

Use Registry
SELECT COUNT(*) FROM TempAccountPassword

Do not continue with the procedure until you complete this step and the table is empty. When the result equals zero, all accounts have connected to the Data Center to receive the download. This step can take several days depending on the frequency of backups.

  8. To delete the TempAccountPassword table and temporary trigger, enter the following query:

Use Registry
DROP TABLE TempAccountPassword
IF EXISTS (SELECT * FROM sysobjects WHERE id = object_id(N'[dbo].[tr_TempDownLoadTrail]') AND
OBJECTPROPERTY(id, N'IsTrigger') = 1)
DROP TRIGGER [dbo].[tr_TempDownLoadTrail]

The UpdateAccountPassword.exe file changes the hashes in the keys.dat file for the passwords and sets the password value to 0 (pwd=0). The password information comes from the AccountPassword.ini file that the account downloads.

Note: Complete the following step only if you use an Enterprise Directory password value for your accounts.

To change the LDAP password value, change the value of the ldap password in the Config.ini file for the account by running the Config.ini Change Tool once.

This action allows the account to use its network password after the community is associated with an Enterprise Directory. To perform this step for a community, complete the following steps:

  1. Use Notepad to create a file named input.txt.

  2. Add the following text to the file:

    [Internal]
    LDAPPassword=1

  3. Open a Command Prompt and navigate to the Data Center folder.

  4. To compress the file and rename it to input.ini, enter the following commands:

Compress /f "Configuration$\input.txt" "Configuration$\download\input.ini"

Compress /f "Configuration$\ConfigIniChange.exe" "Configuration$\download\ConfigIniChange.exe"

  5. If you use a mirrored or clustered configuration, copy the ConfigIniChange.exe and input.ini files to the DataCenter\Configuration$\download folder on all servers in the Data Center. You might need to create the \download folder if one does not exist.

  6. Open SQL Query Analyzer or SQL Server Management Studio and connect to the Data Center server. If you use a clustered configuration, connect to one of the Registration Master servers and run the following scripts:

use registry
insert downloadfile
values (dateadd(mi,1,getdate()),1337,1,0,0,1,
'RegistrationMaster-Configuration$\download\ConfigIniChange.exe',NULL,'Update Config.ini utility', NULL,NULL)
waitfor delay '00:00:01'

use registry
insert downloadfile
values (dateadd(mi,1,getdate()),1337,1,0,0,1,
'RegistrationMaster-Configuration$\download\input.ini',NULL,'Input file for config.ini update', NULL,NULL)

  7. Download the revised config.ini file to the community you are converting to use an Enterprise Directory.

  8. Use SQL Query Analyzer or SQL Server Management Studio to run the following script:

/*Start query for download to entire community*/
use registry
DECLARE @communityname nvarchar(64)
DECLARE @communityid INT
SET @communityname = '<community name>'
SET @communityid = (select communityid from community where communityname = @communityname)
IF Exists (select * from community where communityid = @communityid)

/**Insert into downloadfilesetcommunity**/
Insert INTO Downloadfilesetcommunity
(Cdate,gid,OfferId,Name,Description)
Values (getdate(),1337,@communityid,'all','Update config.ini file')
/**print if communityname not found*/
IF NOT Exists (select * from community where communityid = @communityid)
print 'Community name entered was not found'
/*end query*/

If you use a mirrored or clustered configuration, the information the script inserts into the database automatically replicates to the mirrored server.

Step 4: Configure Enterprise Directory in Support Center

The following procedure inserts your Enterprise Directory information into the Registry database. To complete this procedure, you need the following information:

  • The URL for your Enterprise Directory server.

  • The LoginId and password established for Support Center in your Enterprise Directory.

  • Whether the SSL setting needs to be on or off.

  • Whether the user authentication needs to be on or off.

  • The default action for accounts that cannot be located in Enterprise Directory. Accounts that cannot be located can either be changed to an account status of on hold or canceled.

  • The User Class, UniqueID, and LoginID information for your Enterprise Directory.

  1. Do one of the following:

For Version 7.x Data Centers: Use SQL Query Analyzer or SQL Server Management Studio and the information gathered above to run the following script:

Use Registry
INSERT INTO LDAPServer (CDate, CommunityID, URL, UseSSL, SCLoginID, Password,
Authenticate, AccountStatusOnAuthenticateFail, ObjectClass, Status, UserLoginId, UniqueLDAPId)
Values(GetDate(), 15, 'ldap://airius.com/o=airius.com', 1, 'uid=scenter, ou=applications, o=airius.com',
0x0, 1, 'C', 'inetOrgPerson', 1, 'cn', 'uid')

For Version 8.x Data Centers: Use SQL Query Analyzer and the information gathered above to run the following script (the mail value is required for 8.x Data Centers):

Use Registry
INSERT INTO LDAPServer (CDate, CommunityID, URL, UseSSL,
SCLoginID,
Password,
Authenticate, AccountStatusOnAuthenticateFail,
ObjectClass, Status,
UserLoginId, UniqueLDAPId,email)
Values
(GetDate(), 15, 'ldap://airius.com/o=airius.com', 1
,'user@airius.com',
0x0, 1,'C', 'inetOrgPerson', 1,
'SamAccountName','SamAccountName','mail')

Note: The value for CommunityID (15 in the above SQL script) comes from step 1 of Step 3: Remove existing Connected Backup passwords. The URL value and other fields must be entered according to your Enterprise Directory specification. The password value must be 0x0. UserLoginId must be mapped to the field with which the technician is logged on. In this case, UserLoginId maps to SamAccountName. The technician must be logged on to Support Center with the same ID as the SamAccountName in Enterprise Directory.

  2. In Support Center, refresh the database by clicking the refresh button at the top-left side of the browser and then navigate to the Enterprise Directory screen.

Note: The database refresh must be done in order to see the information on the Enterprise Directory screen. Logging out and logging in again will not cause the database to refresh.

  3. Change the password to a valid one for the Login DN (Distinguished Name, or UniqueLDAPId) you entered in the step above.

  4. Use the Enterprise Directory screen to add or change the mapping entries, if necessary, and click Save. For version 8.x Data Centers, mapping the Mail field is required.

  5. If you have connection problems, verify that the Enterprise Directory server is running properly. If it is, verify that the parameters used in the queries above are correct.

  6. Use SQL Query Analyzer or SQL Server Management Studio to run the following script:

    Use registry
    INSERT INTO LDAPTechnician (CDate, TechID, RootCommunityID)
    values (GetDate(), '<loginid>', <communityid>)

where:

  • <loginid> is the Technician ID you used to log on to Support Center

  • <communityid> is the root community ID

Step 5: Create LDAP Technicians in Support Center

  1. In Support Center, navigate to the converted community and create a technician ID with the same ID that exists on Enterprise Directory server.

  2. Give this technician access to all permissions.

  3. Log out of Support Center and use this technician ID to log on again.

Step 6: Verify LDAP Changes

Before you verify the LDAP changes for 7.x accounts, you need the following file:

  • LDAPSyncher.exe (located in the Data Center install directory)

To verify the changes that you have made to the LDAP, complete the following steps:

  1. Run LDAP synchronization on the primary Data Center server. The LDAPSyncher.exe file is located in the Data Center installation directory. To verify which Data Center server is the primary, run the following SQL script against the Registry database:

Use Registry
SELECT Servername FROM Registry.DBO.Server WHERE IsPrimary=1

The primary Data Center server has a value equal to 1 in the IsPrimary column.

To run LDAP synchronization, select Control Panel > Scheduled Tasks from the Start menu. Right-click LDAPSyncher and select Run to run the executable.

  2. To verify that there are no errors reported in the Application and DC Maint logs, use DCMC.

  3. In Support Center, click the refresh button in the top-left area of the browser.

  4. Log out of Support Center and use the new logon password to log back onto Support Center.

The community is now associated with an Enterprise Directory server and is ready to authenticate new accounts and technicians against it.
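Before handing the community back to technicians, it helps to pull together the records the earlier steps created and confirm nothing was missed. The following queries are an added verification example, not part of the original procedure. Table and column names are the ones used in the scripts above; the Customer.CommunityId column is an assumption, so check it against your schema. The Password column of LDAPServer is deliberately not selected, since there is no need to display a stored credential to confirm the configuration.

```sql
USE Registry
-- Added verification example, not part of the original procedure.
-- Assumes Customer.CommunityId links accounts to their community (check your schema).
DECLARE @communityid INT
SET @communityid = <community id>    -- the CommunityId found in Step 3, step 1

-- 1. Enterprise Directory record for the converted community: expect exactly one row.
--    Compare URL, UseSSL, Authenticate, ObjectClass, UserLoginId and UniqueLDAPId with the
--    values you gathered for Step 4; Status should be 1. Password is intentionally omitted.
SELECT CommunityID, URL, UseSSL, SCLoginID, Authenticate, AccountStatusOnAuthenticateFail,
       ObjectClass, Status, UserLoginId, UniqueLDAPId
FROM LDAPServer
WHERE CommunityID = @communityid

-- 2. Technicians bound to Enterprise Directory (RootCommunityID holds the root community ID,
--    as entered in Step 4): expect the technician ID you used to log on to Support Center.
SELECT TechID, RootCommunityID, CDate
FROM LDAPTechnician

-- 3. Accounts in the community that would still fail directory logon: expect no rows.
SELECT Account, LoginID
FROM Customer
WHERE CommunityId = @communityid
  AND (LoginID IS NULL OR LoginID = '')

-- 4. (7.x Accounts only) accounts still waiting for the password download: expect zero,
--    or no table at all once Step 3, step 8 has dropped it.
IF OBJECT_ID(N'[dbo].[TempAccountPassword]') IS NOT NULL
    SELECT COUNT(*) AS PendingPasswordUpdates FROM TempAccountPassword
ELSE
    PRINT 'TempAccountPassword table not present (already dropped, or 8.x Data Center)'
```

Run the batch on the primary Data Center server identified by the IsPrimary query above; on a mirrored configuration, the results on the mirror should match.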