Upgrading Secret Server with Web Clustering
Introduction
Secret Server has a built-in Web installer. The Web installer is a series of pages inside Secret Server that allow you to download and run updates. Secret Server is accessible by users for most of the upgrade process. You can bring down outside access to the site if you want to prevent users from making changes during the upgrade. Preventing user access makes restoring the database and site backups simpler if you decide to roll back the upgrade immediately afterward.
setup.exe
.encryption.config
file.Before Beginning
-
Ensure that you have account credentials information and access for the server hosting Secret Serverand the SQL Server instance hosting your Secret Server database.
-
Have a recent backup of the application files and database available.
-
If you use clustering, stop the application pools on all of the servers.
Upgrading a Clustered Environment
-
Follow the instructions in Upgrading Secret Server or Upgrading Secret Server Without Outbound Access as applicable to upgrade one server.
-
Once upgraded and working, copy the Web application folder (without the
database.config
or theencryption.config
files) to all secondary servers, and replace the content of the existing Web application folder with the new. -
If Delinea Management Server (TMS) is installed and clustered, you need to copy the TMS directory to the secondary servers as well. The TMS directory is included by default for new installs of Secret Server 10.2 and above. TMS is used by advanced session recording and Privilege Manager. If the TMS folder and site does not exist in IIS, then no additional actions are needed beyond copying the Secret Server directory.
-
Start secondary servers and confirm they still work.
EFS and DPAPI Encryption
When upgrading, after the initial cluster configuration, you do not need to copy the database.config
or encryption.config
files to the other servers. If you need to copy those files because the database configuration changed and are using DPAPI, disable DPAPI encryption in Secret Server by going to Admin > Configuration and click Decrypt Key to not use DPAPI on the Security tab before copying those files to secondary servers.
Upgrading Database Mirroring
-
If there is more than one Web server running Secret Server, ensure all instances are pointing to the same database.
-
Stop all but one of the web servers.
-
Perform the upgrade on that single instance.
-
Once upgraded and working, copy the Web application folder to all secondary servers.
-
Start the secondary servers, and confirm they work.
-
Ensure all instances are properly activated.
-
Ensure that the database changes have been replicated to the mirror database.
-
If the secondary Web server was pointing originally to the secondary database, adjust it to point back to the secondary database.
Upgrading Remote DR Instances
-
Perform the upgrade on one instance.
-
Backup that instance.
-
Copy the database backup to the remote DR instance.
-
Restore the database.
-
Once the instance is upgraded and working, copy the Web application folder (but not the
database.config
orencryption.config
files) to the remote DR instance (overwriting the existing files). -
Restart IIS or recycle the application pool running Secret Server on the remote DR instance.
-
Confirm that the remote DR instance is working correctly.
Error Conditions
Error that may arise:
- Version does not match: If a node is not properly updated from the source node after an upgrade, that node will not run because the application version does not match the database. The solution is to copy the application folder (minus the
database.config
orencryption.config
files) to replace the files on the secondary server.