Move a VM 3.0 with AD Integration to a new server.

Creation date: 17/06/2008
Last Review: 26/06/2008
Revision number: 1
Document type: How To
Security status: EXTERNAL

Summary

This document describes how to move a VACMAN Middleware (VM) 3.0 installation with AD Integration to a new server.

Details

We will describe step by step how to move an existing installation of VM 3.0 with AD Integration to a new machine with a different IP address.

In our example we will refer to:

- The existing installation as the old server. The IP address of this machine is 10.10.5.91.
- The server where the VM has to be moved to as the new server. The IP address of this machine is 10.10.1.92.

In summary, the process to move the installation consists of the following steps:

1. On the old server, create an Authentication Server Component for the new server.
2. On the old server, license the new component, created in step 1.
3. On the old server, back up the configuration files.
4. On the new server, install the VM 3.0 from scratch.
5. On the new server, restore the configuration file(s).
6. On the new server, restart the VM Service and check that the VM started up correctly.
7. On the new server, remove the Authentication Server Component of the old server.
8. Optionally, if there are OWA or Citrix filters, let these filters point to the new server.

Compared to moving a VM 3.0 installation with an embedded PostgreSQL database, there are a few steps fewer: we do not have to back up and restore the database. In an installation with AD integration, AD is used as the database. The database resides centrally on the domain controller and is accessible to both the old and the new server.

For more details, check KB 120055: Move a VM 3.0 with embedded PostgreSQL installation to a new server.

1. On the old server, create an Authentication Server Component for the new server.

Create an Authentication Server Component with the IP address of the new server, as shown in the screenshots below:

Be sure to specify the IP address of the new server as the Location.

Select the same Policy as the policy that is used for the Authentication Server Component of the old server:

The result is 2 Authentication Server Components, one for the old server and one for the new server:

2. On the old server, license the new component, created in step 1.

If you need guidance with the licensing of the Authentication Server Component, please check KB article 120051: How to (re-)license VACMAN Middleware 3.0?

3. On the old server, back up the configuration files.

The configuration files are located in the Bin subdirectory of the VM installation directory. The default location is: C:\Program Files\VASCO\VACMAN Middleware 3\Bin.

The files to back up are:

- dpauthserver.xml
- dpadmincmd.xml (optionally, if the command-line administration is used)
- mdcconfig.xml (optionally, if the message delivery component for Virtual Digipasses is used)

4. On the new server, install the VM 3.0 from scratch.

You do not have to do an AD schema extension. This has already been done during the installation of the VM 3.0 on the old server.

Be sure to select the option Server Install using Active Directory during the installation:

Be sure to check the checkbox "This is not the first Authentication Server to be installed":

You can skip the licensing part of the installation procedure. We licensed the new component in step 2.

5. On the new server, restore the configuration file(s).

Copy the file dpauthserver.xml from step 3 into the Bin subdirectory of the VM installation directory. This configuration file contains references to the IP address of the old server. To change them to the IP address of the new server, we have to change the address in the Authentication Server Configuration.

Open the Authentication Server Configuration from the Windows Start Menu:

Change the IP address in the Component Location field from the old server IP address to the IP address of the new server:

Change here to the IP address of the new server, 10.10.5.92 in our example.

You will be requested to restart the Authentication Service. Press the Yes button to do so:

Copy the file dpadmincmd.xml from step 3 into the Bin subdirectory of the VM installation directory. This configuration file contains references to the IP address of the old server. To change them to the IP address of the new server, we have to edit the file. Open the file in WordPad and change the IP address to the IP address of the new server in the 2 lines indicated in the screenshot below:

Copy the file mdcconfig.xml from step 3 into the Bin subdirectory of the VM installation directory.

6. Restart the Authentication Service and check the VM started up correctly.

Restart the Digipass Authentication Server service manually from the Microsoft Services MMC, or from the Computer Management MMC:

Check the Windows Event Viewer, application log. If anything went wrong, you will find error messages in there.

Check the VM audit log. The audit log can be found in the Log subdirectory of the VM installation directory. By default this is: C:\Program Files\VASCO\VACMAN Middleware 3\Log

The filename is in the format dpauthserv200806.audit, where 2008 is the year and 06 is the month. (By default, there will be a new audit file every month.)

Look for the following 2 lines, indicating that the VM started up correctly:

2008/06/26 14:26:46, Info, 0x8D6F0777D5A0E7F36C74891DAD3A58BA, Initialization, VACMAN Middleware 3, I-002004, "The RADIUS protocol handler has been initialized successfully.", Version ["3.0.14.154"], Configuration Details ["Request-Cache:{max_age: 5, max_size: 0, clean_threshold: 200, min_clean_interval: 30, max_references: 0}, Proxy-Cache:{max_age: 99999999, max_size: 0, clean_threshold: 200, min_clean_interval: 30, max_references: 2}, IP-Address:10.10.5.92, Authentication-Port:1812, Accounting-Port:1813"]

and

2008/06/26 14:26:46, Info, 0xA1054F85CAAD8F35DE61C53E2B15860E, Initialization, VACMAN Middleware 3, I-001002, "The Authentication Server has started up successfully.", Configuration Details ["Trace-File:C:\\Program Files\\VASCO\\VACMAN Middleware 3\\Log\\dpauthserv.trace, Trace-Mask:0x3FFFFFFF, AAL3-Library-Path:C:\\Program Files\\VASCO\\VACMAN Middleware 3\\Bin\\aal3ad30.dll, Component-Location:10.10.5.92, Component-Cache:{max_age: 900, max_size: 1000, clean_threshold: 800, min_clean_interval: 60}, Require-Client-Component:false, Max-Concurrent-Sessions:10, Max-Session-Time:86400, Session-Timeout:28800, Communicators:{C:\\Program Files\\VASCO\\VACMAN Middleware 3\\Bin\\dpauthseal.dll, C:\\Program Files\\VASCO\\VACMAN Middleware 3\\Bin\\dpauthradius.dll}"], Source Location ["10.10.5.92"], Version ["3.0.14.154"], Data Source ["File"], Data Source Location ["C:\\Program Files\\VASCO\\VACMAN Middleware 3\\Bin\\dpauthserver.xml"]

2008/06/26 14:18:32, Success, 0x9865136F635371A9D0A4C032244D7318, Database, VACMAN Middleware 3, S-001001, "A query for a single [Component] record was successful.", Object ["Component"], Input Details ["Component Type:Authentication Server, Location:10.10.5.92"], Output Details ["Component Type:Authentication Server, Location:10.10.5.92, Policy ID:VM3 ADMINISTRATION LOGON, Created Time:2008/06/17 17:35:33, Modified Time:2008/06/17 17:35:33"]

7. On the new server, remove the Authentication Server Component of the old server.

Open the VM administration MMC from the Windows Start menu. Select the components from the tree in the left pane. Right-click the Authentication Server component of the old server and delete it.

Applies to: VACMAN Middleware 3.0
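
For the audit-log check in step 6, the following added example (not part of the original article and not VASCO tooling) parses audit lines in the format shown there and reports whether the most recent I-002004 and I-001002 events carry the new server's address, so that a start logged before the Component Location was changed is not mistaken for success. The sample lines are constructed and shortened, and the names parse_line and check_startup are this example's own.

```python
import re

# Fixed leading columns: time, severity, id, category, source, code, "message"
HEAD = re.compile(r'^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), (\w+), (0x[0-9A-F]+), '
                  r'([^,]+), ([^,]+), ([A-Z]-\d{6}), "([^"]*)"')
# Trailing named fields, Name ["value"]; values may hold commas and \\ escapes
FIELD = re.compile(r', ([A-Za-z][A-Za-z ]*) \["((?:[^"\\]|\\.)*)"\]')
STARTUP = {"I-002004": "IP-Address", "I-001002": "Component-Location"}  # code -> address key

# Constructed, shortened sample: a start with the old address, then a restart
SAMPLE = r'''
2008/06/26 14:02:10, Info, 0x01, Initialization, VACMAN Middleware 3, I-002004, "The RADIUS protocol handler has been initialized successfully.", Version ["3.0.14.154"], Configuration Details ["IP-Address:10.10.5.91, Authentication-Port:1812, Accounting-Port:1813"]
2008/06/26 14:02:10, Info, 0x02, Initialization, VACMAN Middleware 3, I-001002, "The Authentication Server has started up successfully.", Configuration Details ["Component-Location:10.10.5.91, Max-Concurrent-Sessions:10"], Source Location ["10.10.5.91"]
2008/06/26 14:26:46, Info, 0x03, Initialization, VACMAN Middleware 3, I-002004, "The RADIUS protocol handler has been initialized successfully.", Version ["3.0.14.154"], Configuration Details ["IP-Address:10.10.5.92, Authentication-Port:1812, Accounting-Port:1813"]
2008/06/26 14:26:46, Info, 0x04, Initialization, VACMAN Middleware 3, I-001002, "The Authentication Server has started up successfully.", Configuration Details ["Trace-File:C:\\Program Files\\VASCO\\VACMAN Middleware 3\\Log\\dpauthserv.trace, Component-Location:10.10.5.92, Max-Concurrent-Sessions:10"], Source Location ["10.10.5.92"], Version ["3.0.14.154"]
'''.strip().splitlines()

def parse_line(line):
    line = line.strip()
    m = HEAD.match(line)
    if not m:
        return None  # not an audit line in the expected format
    keys = ("time", "severity", "id", "category", "source", "code", "message")
    event = dict(zip(keys, m.groups()))
    event["fields"] = dict(FIELD.findall(line[m.end():]))
    return event

def check_startup(lines, expected_ip):
    """Return a list of problems; empty means both startup events report expected_ip."""
    latest = {}
    for line in lines:
        ev = parse_line(line)
        if ev and ev["code"] in STARTUP:
            latest[ev["code"]] = ev  # later lines overwrite earlier restarts
    problems = []
    for code, key in STARTUP.items():
        ev = latest.get(code)
        if ev is None:
            problems.append(f"{code}: startup event not found")
            continue
        details = ev["fields"].get("Configuration Details", "")
        m = re.search(re.escape(key) + r":([0-9.]+)", details)
        found = m.group(1) if m else None
        if found != expected_ip:
            problems.append(f"{code}: {key} is {found}, expected {expected_ip}")
    return problems

if __name__ == "__main__":
    print(check_startup(SAMPLE, "10.10.5.92") or "startup OK")
```

To run it against a real log, pass the lines of the current month's dpauthserv audit file in place of SAMPLE.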