Upgrading Secret Server with Web Clustering

Introduction

Secret Server has a built-in Web installer. The Web installer is a series of pages inside Secret Server that allow you to download and run updates. Secret Server is accessible by users for most of the upgrade process. You can bring down outside access to the site if you want to prevent users from making changes during the upgrade. Preventing user access makes restoring the database and site backups simpler if you decide to roll back the upgrade immediately afterward.

You do not need to download the installer or setup.exe.
Please see the Secret Server On-Premises Upgrade Checklist prior to upgrading.
Never overwrite or delete your encryption.config file.
Back up your Secret Server folder and database before performing the upgrade.
Upgrading to Secret Server version 10.7.000000 and above requires SQL Server 2012 or later as the database for Secret Server. For more information, see the Secret Server Release Notes.
Upgrading to Secret Server version 10.0.000000 and above requires configuring integrated pipeline mode on the Secret Server Application Pool. Please see Configuring IIS for installing or upgrading to Secret Server 10 (KBA) for details on configuring integrated pipeline mode in IIS. If using Integrated Windows Authentication, you will also need to update IIS authentication settings as detailed in Configuring Integrated Windows Authentication. If you are at version 9.1.000000 and below, you need to first upgrade to 9.1.000001 before you can upgrade to 10.0.000000 and above.
Upgrading to Secret Server version 8.9.000000 and above requires Windows Server 2008 R2 or later.
Upgrading to Secret Server version 8.5.000000 and above involves changes in the .NET Framework version that you need to be aware of, along with some additional steps in the upgrade process. For more information, see Secret Server Moving to .NET Framework 4.5.1.

Before Beginning

  1. Ensure that you have the account credentials and access for the server hosting Secret Server and the SQL Server instance hosting your Secret Server database.

  2. Have a recent backup of the application files and database available.

  3. If you use clustering, stop the application pools on all of the servers.

Upgrading a Clustered Environment

  1. Follow the instructions in Upgrading Secret Server or Upgrading Secret Server Without Outbound Access as applicable to upgrade one server.

  2. Once upgraded and working, copy the Web application folder (without the database.config or the encryption.config files) to all secondary servers, and replace the content of the existing Web application folder with the new.

  3. If Delinea Management Server (TMS) is installed and clustered, you need to copy the TMS directory to the secondary servers as well. The TMS directory is included by default for new installs of Secret Server 10.2 and above. TMS is used by advanced session recording and Privilege Manager. If the TMS folder and site do not exist in IIS, then no additional actions are needed beyond copying the Secret Server directory.

  4. Start secondary servers and confirm they still work.

EFS and DPAPI Encryption

When upgrading, after the initial cluster configuration, you do not need to copy the database.config or encryption.config files to the other servers. If you need to copy those files because the database configuration changed and you are using DPAPI, first disable DPAPI encryption in Secret Server: go to Admin > Configuration and, on the Security tab, click Decrypt Key to not use DPAPI. Then copy those files to the secondary servers.

EFS encryption is tied to the user account running the Secret Server application pool, so it is not machine specific. Copying EFS encrypted files between Secret Server instances will not result in errors, but is not needed.

Upgrading Database Mirroring

  1. If there is more than one Web server running Secret Server, ensure all instances are pointing to the same database.

  2. Stop all but one of the web servers.

  3. Perform the upgrade on that single instance.

  4. Once upgraded and working, copy the Web application folder to all secondary servers.

  5. Start the secondary servers, and confirm they work.

  6. Ensure all instances are properly activated.

  7. Ensure that the database changes have been replicated to the mirror database.

  8. If the secondary Web server was originally pointing to the secondary database, adjust it to point back to the secondary database.

Upgrading Remote DR Instances

  1. Perform the upgrade on one instance.

  2. Back up that instance.

  3. Copy the database backup to the remote DR instance.

  4. Restore the database.

  5. Once the instance is upgraded and working, copy the Web application folder (but not the database.config or encryption.config files) to the remote DR instance (overwriting the existing files).

  6. Restart IIS or recycle the application pool running Secret Server on the remote DR instance.

  7. Confirm that the remote DR instance is working correctly.

Error Conditions

Errors that may arise:

  • Version does not match: If a node is not properly updated from the source node after an upgrade, that node will not run because the application version does not match the database. The solution is to copy the application folder (minus the database.config or encryption.config files) to replace the files on the secondary server.
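
The folder copy used in the clustered and remote DR procedures above, and in the version-mismatch fix, as an added PowerShell example (not a Delinea script): it replaces the secondary node's Web application folder while leaving that node's database.config and encryption.config untouched, then checks that they did not change. The paths and the node name SS-NODE2 are assumptions; substitute your own.

```powershell
# Added example. Assumes the application pool on the secondary node is already
# stopped and that a backup of its application folder exists.
param(
    [string]$Source      = 'C:\inetpub\wwwroot\SecretServer',             # upgraded node (assumed path)
    [string]$Destination = '\\SS-NODE2\c$\inetpub\wwwroot\SecretServer',  # secondary node (assumed path)
    [string[]]$Protected = @('database.config', 'encryption.config')      # never overwritten
)
$ErrorActionPreference = 'Stop'

# Return a name -> SHA-256 map for the protected files under $Root ($null if absent).
function Get-ProtectedHashes([string]$Root, [string[]]$Names) {
    $result = @{}
    foreach ($n in $Names) {
        $p = Join-Path $Root $n
        $result[$n] = if (Test-Path -LiteralPath $p) {
            (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        } else { $null }
    }
    return $result
}

$before = Get-ProtectedHashes $Destination $Protected
foreach ($n in $Protected) {
    if ($null -eq $before[$n]) { Write-Warning "$n not found on $Destination before the copy" }
}

# /MIR replaces the destination tree with the source tree, removing stale files
# from the old version. /XF skips the protected files by name.
robocopy $Source $Destination /MIR /XF $Protected /R:2 /W:5 /NP
# robocopy exit codes 0-7 mean success (possibly with skipped or extra files);
# 8 and above mean at least one copy failed.
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# Confirm the node's own configuration and key files were not touched.
$after = Get-ProtectedHashes $Destination $Protected
foreach ($n in $Protected) {
    if ($before[$n] -ne $after[$n]) {
        throw "$n changed on $Destination; restore it from backup before starting the node"
    }
}
Write-Output "Copy complete; protected files unchanged on $Destination"
```

If TMS is installed and clustered, run the same copy for the TMS directory before starting the secondary node.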