Authentication and Privilege Elevation Services Deployment Checklist
The following checklist provides an overview of each of the main steps that are involved when you deploy the Authentication Service and Privilege Elevation Service. For any tasks related to Delinea software, there are links to more information and procedures.
For auditing deployment steps, please see the Audit & Monitoring Service deployment checklist.
Step# | Installation Step | Notes | Link to Details |
---|---|---|---|
PREPARATION AND PLANNING | | | |
1 | Analyze your network topology to determine where to install components and services, and which hardware or software updates are required. | | Planning a Deployment |
2 | Create a list of the computers where you plan to install the different components. | | Planning a Deployment |
3 | Determine how you plan to install the software onto your computers. | | Planning a Deployment |
PRE-INSTALL TASKS | | | |
4 | Prepare a domain account that has permissions to create Active Directory containers and child objects. | You'll need this account to create the OU using the Installation wizard. | |
5 | Prepare an Active Directory group to be zone administrators. | | |
6 | Create the Zone Provisioning Agent (ZPA) service account. | Requires Active Directory domain admin privileges. | |
7 | Apply group policy to allow the ZPA to run as a service. | Requires Active Directory domain admin privileges. | |
INSTALL TASKS | | | |
8 | Install the Access Manager console, the ZPA and the group policies, create the OU in Active Directory, and so forth. | | Installing Server Suite |
9 | (Optional) Configure the ZPA. This is only needed if you plan to provision users automatically. | | |
10 | Run adcheck on any UNIX computer that you want to manage and fix the reported issues until adcheck reports none. | | |
11 | Install the Agent for Windows on each Windows computer that you want to manage. | | Installing the Agent for Windows |
12 | Install the Agent for *NIX on each UNIX or Linux computer that you want to manage. | | |
13 | Install additional Access Manager consoles on any Windows computer that you want to use for the Authentication and Privilege Management services. | | Installing Additional Consoles |
14 | Verify that the agents are working correctly. Run adinfo on managed UNIX computers. | | Troubleshooting and Common Questions |
POST-INSTALL HOUSEKEEPING | | | |
15 | Identify UNIX users who do not have an Active Directory account. | Automatically done by adimport. | adimport man page |
16 | Identify service accounts. | | |
17 | Collect and analyze sudoers files. | | |
18 | Create a list of the roles in sudoers that will be migrated to the Privilege Elevation Service. | | |
19 | Create a list of the users and groups to be migrated to Active Directory. | | |
20 | Create the missing Active Directory user accounts. | | |
SETUP AND CONFIGURATION | | | |
21 | Create a list of the computers that will be joined to each zone. | | |
22 | Create parent and child zones. | | Creating a New Parent Zone; Creating Child Zones |
23 | Delegate control of zones. | | Delegating Control of Administrative Tasks |
24 | Import UNIX users and groups into Active Directory. | | |
25 | Create Zone Provisioning groups and add users and groups to them. | | |
26 | Pre-create computer objects in zones. | | |
27 | Create role groups. | | |
28 | Assign roles and users to role groups. | | |
29 | Create ComputerRoles and ComputerRole groups. | | Create a New Computer Role |
30 | Assign roles, users, and computers to ComputerRole groups. | | Add Role Assignments to the Computer Role |
31 | Use “Show Effective Users” to check that profiles and roles are correct. | | |
32 | Start the ZPA agent. | You configured the ZPA in a previous step. | |
33 | Configure the ZPA provisioning rules for the parent zone. | | |
34 | Join UNIX servers to zones. | | |
35 | Change the UID/GID of files owned by users who have been assigned a new UID/GID in the zone. Run adfixid on the servers. | Critical task that must be carefully coordinated with the users. Can be done at the time of the join to Active Directory with a script. | |
FINAL TASKS | | | |
36 | Check the status of the join and of the roles on the servers. | Run adflush, adinfo and dzinfo. | |
37 | Back up the passwd, shadow, and group files. | | |
38 | Remove the users and groups that have been migrated to Active Directory from the local files. | Run adrmlocal on the servers. | |
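Steps 17 and 18 ask you to collect the sudoers files and list the roles that will be migrated to the Privilege Elevation Service. The script below is an added example, not part of this checklist and not a Delinea tool: it parses a sudoers file into rules with every alias expanded, groups rules that grant the same thing into role candidates, and flags the rules a reviewer should look at before recreating them as roles (unrestricted ALL grants, NOPASSWD, wildcards in commands). The sudoers text in SAMPLE_SUDOERS is constructed for the example; the parser assumes the common sudoers constructs only (comments, backslash continuations, Defaults, the four *_Alias kinds, and user specifications of the form `who hosts = (runas) TAG: cmd, cmd`), reports include directives without following them, and does not expand negations or digest specifications.

```python
"""Added example (not Delinea tooling): parse a sudoers file into expanded
per-principal rules so the roles to migrate can be listed and reviewed."""
import re
from dataclasses import dataclass

# Constructed sample; not a real sudoers file.
SAMPLE_SUDOERS = """\
# constructed sample for the example
Defaults    env_reset
Defaults    secure_path="/usr/local/sbin:/usr/sbin:/sbin:/usr/bin:/bin"
User_Alias  DBA = alice, bob
Cmnd_Alias  DB_CMDS = /usr/bin/systemctl restart postgresql, \\
                      /usr/bin/systemctl status postgresql
Host_Alias  DBHOSTS = db01, db02
root        ALL=(ALL:ALL) ALL
%wheel      ALL=(ALL) ALL
DBA         DBHOSTS = (postgres) NOPASSWD: DB_CMDS
carol       ALL = (root) /usr/bin/less /var/log/*
#includedir /etc/sudoers.d
"""

ALIAS_RE = re.compile(r"^(User_Alias|Host_Alias|Runas_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.*)$")
RUNAS_RE = re.compile(r"^\s*(?:\(([^)]*)\))?\s*(.*)$")   # optional "(user:group)" prefix
TAGS_RE = re.compile(r"^((?:[A-Z_]+:\s*)*)(.*)$")        # leading NOPASSWD:, SETENV:, ...


@dataclass
class Rule:
    who: list       # users and %groups, aliases expanded
    hosts: list
    runas: str      # user (and optional :group) the commands run as
    tags: list
    commands: list


def logical_lines(text):
    """Join backslash continuations, drop comments and squeeze ', ' to ','."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = (buf + line).strip(), ""
        if not line or (line.startswith("#") and not line.startswith("#include")):
            continue
        out.append(re.sub(r",\s+", ",", line))
    return out


def expand(names, aliases, depth=0):
    """Replace alias names in a comma list with their members (aliases may nest)."""
    result = []
    for name in (n.strip() for n in names.split(",")):
        if name in aliases and depth < 8:
            result.extend(expand(",".join(aliases[name]), aliases, depth + 1))
        elif name:
            result.append(name)
    return result


def analyze(text):
    """Return {"rules": [Rule], "includes": [directive lines], "aliases": {name: members}}."""
    a = {"rules": [], "includes": [], "aliases": {}}
    for line in logical_lines(text):
        alias = ALIAS_RE.match(line)
        if line.startswith(("#include", "@include")):
            a["includes"].append(line)          # reported, never followed
        elif line.startswith("Defaults"):
            continue                            # options, not grants
        elif alias:
            a["aliases"][alias.group(2)] = expand(alias.group(3), a["aliases"])
        else:
            left, sep, right = line.partition("=")
            tokens = left.split()               # "who hosts" after the comma squeeze
            if not sep or len(tokens) < 2:
                continue                        # not a user specification this parser understands
            runas, rest = RUNAS_RE.match(right).groups()
            tagstr, cmds = TAGS_RE.match(rest).groups()
            a["rules"].append(Rule(
                who=expand(tokens[0], a["aliases"]),
                hosts=expand(tokens[-1], a["aliases"]),
                runas=runas or "root",          # sudo's default runas user
                tags=[t.strip() for t in tagstr.split(":") if t.strip()],
                commands=expand(cmds, a["aliases"])))
    return a


def review_findings(a):
    """Rules to look at before they become roles: broad grants, no re-auth, wildcards."""
    out = []
    for r in a["rules"]:
        who = ",".join(r.who)
        if "ALL" in r.commands:
            out.append(f"{who}: unrestricted (ALL) as {r.runas} on {','.join(r.hosts)}")
        if "NOPASSWD" in r.tags:
            out.append(f"{who}: NOPASSWD, elevation without re-authentication")
        if any("*" in c for c in r.commands):
            out.append(f"{who}: wildcard in a command, check argument handling")
    return out


def candidate_roles(a):
    """One role candidate per distinct grant (runas + tags + commands), with its principals."""
    roles = {}
    for r in a["rules"]:
        key = (r.runas, tuple(sorted(r.tags)), tuple(r.commands))
        role = roles.setdefault(key, {"runas": r.runas, "tags": sorted(r.tags),
                                      "commands": r.commands, "principals": set(), "hosts": set()})
        role["principals"].update(r.who)
        role["hosts"].update(r.hosts)
    return [dict(x, principals=sorted(x["principals"]), hosts=sorted(x["hosts"])) for x in roles.values()]


if __name__ == "__main__":
    result = analyze(SAMPLE_SUDOERS)
    for role in candidate_roles(result):
        print(role)
    for finding in review_findings(result):
        print("REVIEW:", finding)
    print("not followed:", result["includes"])
```

Run it once per collected sudoers file (and once per file under any reported includedir), then merge the role candidates across hosts: principals that receive the same runas, tags and command list on several hosts become one role in the zone, and the review findings are the grants to renegotiate with their owners rather than copy across unchanged.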
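Steps 37 and 38 back up the local account files and then remove the migrated users and groups from them. The script below is an added example, not adrmlocal or any other Delinea tool and not part of this checklist: it copies passwd, shadow and group into a timestamped owner-only backup directory and verifies each copy byte for byte, then computes a dry run of the removal that refuses to touch system accounts, refuses to drop a group that a surviving local user still has as its primary group, and strips the removed users from the member lists of the groups that remain. The file contents in PASSWD, SHADOW and GROUP are constructed (password hashes replaced by a locked placeholder), and MIN_ID = 1000 as the start of regular ids is an assumption that differs between distributions.

```python
"""Added example, not adrmlocal or any other Delinea tool: back up the local
account files, then preview what removing the migrated users and groups from
passwd/shadow/group would change, refusing anything that would break the host."""
import filecmp
import os
import shutil
import stat
import tempfile
import time

MIN_ID = 1000            # assumption: uids/gids below this are system accounts
FILES = ("passwd", "shadow", "group")

# Constructed sample files; hashes replaced by the locked placeholder "!!".
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
svc-backup:x:1003:1003:Backup service:/var/lib/backup:/usr/sbin/nologin
"""
SHADOW = """root:!!:19000:0:99999:7:::
daemon:!!:19000:0:99999:7:::
alice:!!:19000:0:99999:7:::
bob:!!:19000:0:99999:7:::
svc-backup:!!:19000:0:99999:7:::
"""
GROUP = """root:x:0:
sudo:x:27:alice,bob
alice:x:1001:
bob:x:1002:
dba:x:1010:alice,bob,svc-backup
svc-backup:x:1003:
"""


def backup_account_files(etc_dir, backup_root):
    """Copy the three files into a timestamped owner-only directory and verify each copy."""
    dest = os.path.join(backup_root, time.strftime("accounts-%Y%m%dT%H%M%S"))
    os.makedirs(dest, mode=0o700)
    for name in FILES:
        src, dst = os.path.join(etc_dir, name), os.path.join(dest, name)
        shutil.copy2(src, dst)            # copies mode and mtime as well as content
        if not filecmp.cmp(src, dst, shallow=False):
            raise RuntimeError(f"backup of {name} differs from its source")
    return dest


def plan_removal(passwd, shadow, group, migrated_users, migrated_groups):
    """Return the new file contents plus a report; raise ValueError instead of producing a broken host."""
    keep_pw, removed_users, primary_gids = [], [], set()
    for line in passwd.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[0] in migrated_users:
            if int(f[2]) < MIN_ID:
                raise ValueError(f"refusing to remove system account {f[0]} (uid {f[2]})")
            removed_users.append(f[0])
            continue
        if len(f) == 7:
            primary_gids.add(int(f[3]))   # groups that surviving users still depend on
        keep_pw.append(line)
    keep_sh = [ln for ln in shadow.splitlines() if ln.split(":")[0] not in removed_users]
    keep_gr, removed_groups = [], []
    for line in group.splitlines():
        f = line.split(":")
        if len(f) == 4 and f[0] in migrated_groups:
            if int(f[2]) < MIN_ID:
                raise ValueError(f"refusing to remove system group {f[0]} (gid {f[2]})")
            if int(f[2]) in primary_gids:
                raise ValueError(f"group {f[0]} is still the primary group of a local user")
            removed_groups.append(f[0])
            continue
        if len(f) == 4:   # surviving groups lose the removed users from their member lists
            f[3] = ",".join(m for m in f[3].split(",") if m and m not in removed_users)
        keep_gr.append(":".join(f))
    return {"passwd": "\n".join(keep_pw) + "\n", "shadow": "\n".join(keep_sh) + "\n",
            "group": "\n".join(keep_gr) + "\n", "removed_users": removed_users,
            "removed_groups": removed_groups,
            "not_found": sorted(set(migrated_users) - set(removed_users))}


def demo():
    """Run both steps against the constructed files in a scratch directory."""
    work = tempfile.mkdtemp(prefix="acct-demo-")
    try:
        etc = os.path.join(work, "etc")
        os.makedirs(etc)
        for name, text in zip(FILES, (PASSWD, SHADOW, GROUP)):
            with open(os.path.join(etc, name), "w") as fh:
                fh.write(text)
        os.chmod(os.path.join(etc, "shadow"), 0o600)
        dest = backup_account_files(etc, os.path.join(work, "backups"))
        shadow_mode = stat.S_IMODE(os.stat(os.path.join(dest, "shadow")).st_mode)
        plan = plan_removal(PASSWD, SHADOW, GROUP, ["alice", "bob"], ["alice", "bob", "dba"])
        return {"shadow_mode_kept": shadow_mode == 0o600, "plan": plan}
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    result = demo()
    print("removed users:", result["plan"]["removed_users"])
    print("removed groups:", result["plan"]["removed_groups"])
    print(result["plan"]["group"], end="")
```

Review the returned report (removed_users, removed_groups and not_found) against the migration lists from steps 19 and 24 before anything is written back; a non-empty not_found means the local file and the migration list disagree and the host should be looked at rather than edited.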