Migrating the Privilege Manager Server

If you are moving/migrating Privilege Manager to a new machine and have installed IIS and the .NET Framework on the new machine as described in the Installation Guide, you do not need to run the installer; simply follow the steps below:

  1. Copy the folder that holds your Privilege Manager instance to the new computer.

  2. Shut down the old web site and recycle its application pool, because it runs background threads that are still accessing the database.

  3. Set up the new folder in Internet Information Services (IIS) as a virtual directory/application under the Default Web Site, or as a separate web site (refer to the Advanced Installation section of the Installation Guide for detailed instructions).

  4. Browse to the TMS database connection page, e.g. https://<YOUR_URL_INSTANCE>/TMS/setup/database/connectdatabase (for Arellia the URL differs slightly, e.g. https://<YOUR_URL_INSTANCE>/ams/setup/database/connectdatabase), and enter your database connection details on the page that appears.

  5. Activate the licenses for the new server by going to the Licenses page.

  6. If you are using certificates, remember to bind them on the new IIS server, then browse to Privilege Manager over HTTPS and re-enable Force HTTPS if it was set on the original machine.

  7. Re-enable DPAPI if it was disabled on the original server before the files were copied. (DPAPI-protected settings can only be decrypted on the machine that encrypted them, so a DPAPI-protected configuration copied to a new host is not readable there.)

If you're migrating the Privilege Manager web application from Windows Server 2008 to 2012 or newer AND your Privilege Manager version is below 8.5, make sure that you:

  • Add the .NET Extensibility 3.5 and ASP.NET 3.5 role services when adding the IIS role on the new server.
  • Change the Privilege Manager application pool's .NET CLR version to 2.0 and recycle the application pool after running the installer.
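The migration steps above and the pre-8.5 note, as one added PowerShell example (this is not code from the Privilege Manager documentation). It assumes placeholder names: the Privilege Manager folder was copied to C:\inetpub\wwwroot\TMS, it is published as /TMS under the Default Web Site, and its application pool is named TMS; the IIS management tools (WebAdministration module) are installed on both servers.

```powershell
# Added example; not code from the Privilege Manager documentation.
# Placeholders: C:\inetpub\wwwroot\TMS, application /TMS under the Default
# Web Site, application pool "TMS". Run in an elevated PowerShell session.
Import-Module WebAdministration   # IIS cmdlets (IIS management tools feature)

# OLD server: stop the application pool (and the site, but only when that site
# hosts nothing else) so the background threads release the database before
# the new node connects to it.
function Stop-OldPrivilegeManager {
    param(
        [string]$AppPool  = 'TMS',
        [string]$SiteName = $null   # pass a site name only if it is dedicated to Privilege Manager
    )
    if ($SiteName -and (Get-Website -Name $SiteName)) { Stop-Website -Name $SiteName }
    if ((Get-WebAppPoolState -Name $AppPool).Value -ne 'Stopped') {
        Stop-WebAppPool -Name $AppPool
    }
}

# NEW server: publish the copied folder as an application under the site.
function New-PrivilegeManagerApp {
    param(
        [string]$PhysicalPath = 'C:\inetpub\wwwroot\TMS',
        [string]$SiteName     = 'Default Web Site',
        [string]$AppName      = 'TMS',
        [string]$AppPool      = 'TMS',
        [switch]$LegacyNet35   # Privilege Manager < 8.5 on Server 2012 or newer
    )
    if ($LegacyNet35) {
        # ".NET Extensibility 3.5" and "ASP.NET 3.5" role services (ServerManager module)
        Install-WindowsFeature -Name Web-Net-Ext, Web-Asp-Net | Out-Null
    }
    if (-not (Test-Path "IIS:\AppPools\$AppPool")) {
        New-WebAppPool -Name $AppPool | Out-Null
    }
    if ($LegacyNet35) {
        # pre-8.5 builds run on the CLR 2.0 runtime
        Set-ItemProperty "IIS:\AppPools\$AppPool" -Name managedRuntimeVersion -Value 'v2.0'
    }
    if (-not (Get-WebApplication -Site $SiteName -Name $AppName)) {
        New-WebApplication -Site $SiteName -Name $AppName -PhysicalPath $PhysicalPath `
            -ApplicationPool $AppPool | Out-Null
    }
    Restart-WebAppPool -Name $AppPool

    # Report what was configured and where to finish the setup in the browser.
    [pscustomobject]@{
        Application = (Get-WebApplication -Site $SiteName -Name $AppName).path
        Runtime     = (Get-ItemProperty "IIS:\AppPools\$AppPool").managedRuntimeVersion
        NextStep    = "https://$env:COMPUTERNAME/$AppName/setup/database/connectdatabase"
    }
}

# Usage (old server first, then the new server):
# Stop-OldPrivilegeManager -AppPool 'TMS'
# New-PrivilegeManagerApp -LegacyNet35   # omit the switch for 8.5 and later
```

Stopping only the application pool is deliberate: if Privilege Manager is a virtual application under the Default Web Site, stopping the whole site would also take down anything else hosted there. After the database connection page and the Licenses page have been completed in the browser, bind the certificate and re-enable Force HTTPS and DPAPI as described in steps 6 and 7.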

Steps to Set Up a Secondary Node with both Secret Server & Privilege Manager

If you are migrating a combined install environment, also perform these steps:

  1. Check web-auth.config and web-cookie.config (in the Secret Server web folder) to make sure forceSSL = 'false'.

  2. Confirm the app pool account and IIS settings (confirm whether Secret Server and TMS are virtual directories, and confirm the IIS authentication settings).

  3. Disable DPAPI, since DPAPI-protected settings cannot be read on a different machine.

  4. Disable Force SSL.

  5. Decrypt connectionStrings.config on the primary web server (append -site "<site name>" if TMS is not under the Default Web Site):

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pd "connectionStrings" -app "/Tms"

  6. Copy files to secondary.

  7. Download current installer to secondary server.

  8. Run installer to confirm and fix pre-requisites only. DO NOT install the application with the installer.

  9. Make sure Secret Server and TMS web folders from primary are in C:\inetpub\wwwroot (or a similar location).

  10. Create 4 app pools: SecretServer, TMS, TMSAgent, and TMSWorker (the same as set for the primary node).

  11. Assign the service account to all 4 app pools (the same as set for the primary node).

  12. If the Secret Server and TMS directories do not appear in IIS Manager, add the virtual directories (the same as set for the primary).

  13. Convert to Applications

    1. Right-click on Secret Server > Convert to Application, make sure SecretServer app pool is assigned.
    2. Right-click on TMS > Convert to Application, make sure TMS app pool is used.
    3. Under TMS, right-click on Agent > Convert to Application, make sure TMSAgent app pool is used.
    4. Under TMS, right-click on ServiceBus > Convert to Application, make sure TMSWorker app pool is used.
    5. Under TMS, right-click on Services > Convert to Application, make sure TMS app pool is used.
    6. Under TMS, right-click on Setup > Convert to Application, make sure TMS app pool is used.
    7. Under TMS, right-click on Worker > Convert to Application, make sure TMSWorker app pool is used.
  14. Run the ASP.NET IIS Registration Tool:

    1. Change directory to your .NET Framework installation directory using the "cd" command (e.g. C:\Windows\Microsoft.NET\Framework\v4.0.30319 or C:\Windows\Microsoft.NET\Framework64\v4.0.30319).
    2. Type .\aspnet_regiis -ga <domain name>\<user name> and press Enter.
  15. Assign folder permissions:

    1. Give your service account "modify" access to C:\Windows\TEMP.
    2. Give your service account "modify" access to the Secret Server web folder.
    3. Give your service account "modify" access to the TMS web folder.
  16. Set IIS authentication (the same as on the primary, depending on IWA and other settings); a typical example:

    • Secret Server: Anonymous & Forms, except winauthwebservices = Forms & Windows (see TMS notes)
  17. Install the certificate on the new server, if not already done.

  18. Give the 3 TMS app pools read access to the private key of the certificate.

    1. MMC snap-in > Certificates (Local Computer).
    2. Find the certificate (most likely in the Personal store).
    3. Right-click > All Tasks > Manage Private Keys.
    4. When adding the identities, set the location to the local computer name and enter them as IIS AppPool\TMS, IIS AppPool\TMSAgent and IIS AppPool\TMSWorker.
  19. Log in to Secret Server.

  20. Activate licenses.

  21. Re-enable Force SSL.

  22. Re-enable DPAPI on all web nodes.

  23. Re-encrypt connectionStrings.config on all web nodes (append -site "<site name>" if TMS is not under the Default Web Site):

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pe "connectionStrings" -app "/Tms"
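The IIS-side steps of the secondary-node procedure (app pools, application layout, ASP.NET registration, folder permissions, private-key access, and the connectionStrings protection of steps 5 and 23) as one added PowerShell example. This is not code from the Secret Server or Privilege Manager documentation. Placeholders you must replace: the service account CONTOSO\svc-ss, the web folders under C:\inetpub\wwwroot, the Default Web Site, and the thumbprint of the HTTPS certificate already installed in the local machine Personal store. The key-file locations used for the private-key ACL are the standard Windows machine-key folders for CAPI and CNG keys.

```powershell
# Added example; not code from the Secret Server / Privilege Manager docs.
# Placeholders: CONTOSO\svc-ss, C:\inetpub\wwwroot, Default Web Site, <THUMBPRINT>.
# Run elevated on the secondary node after the files were copied (steps 6-9).
Import-Module WebAdministration

$SiteName   = 'Default Web Site'
$Root       = 'C:\inetpub\wwwroot'
$Svc        = 'CONTOSO\svc-ss'
$Thumbprint = '<THUMBPRINT>'
$Regiis     = "$env:windir\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"

# Steps 10-11: the four application pools, all running as the service account.
function New-NodeAppPools {
    param([string]$Account, [System.Security.SecureString]$Password)
    # The plaintext is needed only for the IIS configuration write below.
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
             [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password))
    foreach ($pool in 'SecretServer', 'TMS', 'TMSAgent', 'TMSWorker') {
        if (-not (Test-Path "IIS:\AppPools\$pool")) { New-WebAppPool -Name $pool | Out-Null }
        Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel `
            -Value @{ identityType = 3; userName = $Account; password = $plain }   # 3 = SpecificUser
    }
}

# Steps 12-13: application layout and pool assignment mirrored from the primary.
function Set-NodeApplications {
    $layout = @(
        @{ Name = 'SecretServer';   Pool = 'SecretServer' },
        @{ Name = 'TMS';            Pool = 'TMS'          },
        @{ Name = 'TMS/Agent';      Pool = 'TMSAgent'     },
        @{ Name = 'TMS/ServiceBus'; Pool = 'TMSWorker'    },
        @{ Name = 'TMS/Services';   Pool = 'TMS'          },
        @{ Name = 'TMS/Setup';      Pool = 'TMS'          },
        @{ Name = 'TMS/Worker';     Pool = 'TMSWorker'    }
    )
    foreach ($app in $layout) {
        $rel = $app.Name.Replace('/', '\')
        if (Get-WebApplication -Site $SiteName -Name $app.Name) {
            Set-ItemProperty "IIS:\Sites\$SiteName\$rel" -Name applicationPool -Value $app.Pool
        } else {
            New-WebApplication -Site $SiteName -Name $app.Name -PhysicalPath (Join-Path $Root $rel) `
                -ApplicationPool $app.Pool | Out-Null
        }
    }
}

# Steps 14-15: ASP.NET registration for the account, then "modify" on the folders.
function Grant-NodeFolderAccess {
    param([string]$Account)
    & $Regiis -ga $Account | Out-Null
    foreach ($dir in "$env:windir\TEMP", "$Root\SecretServer", "$Root\TMS") {
        & icacls $dir /grant "${Account}:(OI)(CI)M" /T /Q | Out-Null
    }
}

# Step 18: read access on the certificate's private key for the three TMS pools.
# Handles CAPI (RSACryptoServiceProvider) and CNG (RSACng) storage; needs .NET 4.6+.
function Grant-PrivateKeyRead {
    param([string]$CertThumbprint, [string[]]$Identities)
    $cert = Get-Item "Cert:\LocalMachine\My\$CertThumbprint"
    $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
    } else {
        $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
                             $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    foreach ($id in $Identities) { & icacls $keyFile /grant "${id}:R" | Out-Null }
}

# Steps 5 and 23: protect or unprotect <connectionStrings>. -site is what makes
# this work when the application is not under the Default Web Site.
function Set-ConnectionStringsProtection {
    param([ValidateSet('Encrypt', 'Decrypt')][string]$Mode, [string]$AppPath = '/Tms')
    $flag = if ($Mode -eq 'Encrypt') { '-pe' } else { '-pd' }
    & $Regiis $flag 'connectionStrings' -app $AppPath -site $SiteName
}

# Usage on the secondary node:
New-NodeAppPools -Account $Svc -Password (Read-Host -AsSecureString 'Service account password')
Set-NodeApplications
Grant-NodeFolderAccess -Account $Svc
Grant-PrivateKeyRead -CertThumbprint $Thumbprint `
    -Identities 'IIS AppPool\TMS', 'IIS AppPool\TMSAgent', 'IIS AppPool\TMSWorker'
# ... log in, activate licences, re-enable Force SSL and DPAPI (steps 19-22), then on every node:
Set-ConnectionStringsProtection -Mode Encrypt
```

Set the IIS authentication modes (step 16) in IIS Manager or with Set-WebConfigurationProperty to match the primary before logging in; they are intentionally not scripted here because they depend on whether IWA is in use. Run Set-ConnectionStringsProtection -Mode Decrypt on the primary before copying the files (step 5) and -Mode Encrypt on every node at the end (step 23), so that no node is left serving a plaintext connection string.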