Downloading and Installing a Distributed Engine

  1. Navigate to Admin > Distributed Engine and click Add Engine.

  2. Select Default for the Preconfigured Site and click Download Now.

  3. Open the Downloads directory on your machine and extract the Thycotic.DistributedEngine.Service.Default.x64 zip.

  4. Open the unzipped folder and run setup.exe.

  5. Open Services on the App Server and right-click the Thycotic Distributed Engine. Make sure that you use a service account with the least amount of privileges or level of access.

  6. Select Properties and click the Log On tab.

  7. Click This account and click Browse.

  8. Click Locations and select Entire Directory.

  9. Type the Service Account you would like to run in the Enter the object text box, check Names, then click Ok.

  10. Switch back to your browser and reload the page.

  11. Enter the Password for the Administrator and click Ok.

  12. Switch back to your browser and reload the page.

  13. Expand the Default site.

  14. Hover over the Engine that is now showing, click the three dots menu, select Activate and click OK in the pop-up.

  15. Green checkmarks should appear for Connection and Activation Status and your Engine has now been installed.

Facilitating Auto Upgrades of Your Distributed Engine

We have seen issues in the past getting engines auto-upgraded when the service is running as a domain account instead of the built-in account. Our Product Management team determined what is required to facilitate the auto upgrade for this scenario which is outlined below. From our research and testing, the important things that are needed to use an AD service account and to have successful, hands-free upgrades are the following:

  1. Service account should be in the local Administrators group (so the account can start/stop the service).

  2. Method 2 should be implemented in Group Policy editor from the Microsoft KB article

  3. Service account needs full permissions to the DE installation directory

  4. After setting the service account as the DE logon account, the service must be restarted to have the logon identity change take effect

After changing the service account, the DE will show up as a Pending engine. The old engine with the local logon identity should be deactivated and removed from the Site, and the new engine/identity instance added back to the Site upon activation.