Date: May 17, 2016
When upgrading from any version of ERPM prior to 5.4, it will be necessary to reinstall the zone processors at the 5.4 or later version. A simple file copy cannot be used to go from 5.0.1 and earlier to 5.4 and later. This is due to the massive change in registry requirements. The only alternative to a reinstall is a full recreation of all of the required registry elements.
With the release of ERPM 5.4, multiple zone processors can be installed on the same target host. However, the standalone zone processor installer cannot perform these installations. For version 5.5.0, the standalone installer can install multiple zones on the same host.
A need has been defined to make use of zone processors for Enterprise Random Password Manager. ERPM can push a zone processor automatically to a target host; however, that presumes there is proper network connectivity to the target zone processor host.
In the event that network connectivity does not properly exist, the following are options to perform an installation:
- Use the standalone installer (available in v4.83.8 and later) to create a custom MSI package for each unique zone. The CreateZoneInstaller program is found in the supplementalInstallers folder of the ERPM installation directory.
- A management console could be installed locally to perform the local zone processor installation. Also, installing the management console requires a proper Windows GUI be running. This of course does not exist on Core installations of Windows.
- Perform a manual installation - this is outlined below
Zone processors are supported on core installations of Windows using the standalone installer or a push from the console or manual steps outlined below.
Without network connectivity, the zone processor installation cannot be automatically pushed to the target zone processor host. Without a GUI, a local console cannot be installed to perform a local installation of the zone processor service. Also, the standalone zone processor installer cannot perform multiple zone installations on the same host.
To perform a manual installation of a zone processor, perform the following steps:
- On the zone processor host, create a folder called LiebermanZoneProcessor at the root of drive C.
- From the ERPM installation directory, copy the following files:
- ipworkssmime9.dll (if exists)
- ipworksssl9.dll (if exists)
- Create the following registry Key(s): HKLM\Software\WoW6432Node\Lieberman\PWC\PWCZoneProcessor\ZONE_NAME_GOES_HERE
- Create the following registry entries at: HKLM\Software\WoW6432Node\Lieberman\PWC\PWCZoneProcessor\ZONE_NAME_GOES_HERE
- Dword = m_bProcessAllJobs
Value = 0
- Dword = m_dwJobAffinity
Value (HEX) = 3f
- String = m_sLocalLogFilePath
Value = complete path to preferred log file location
- String = m_sLocalPathToService
Value = c:\LiebermanZoneProcessor
- String = m_sProcessorID
Value = ZONE_NAME_GOES_HERE (leave blank for all management sets)
- String = m_sServiceLogonName
Value = <NULL>
- Binary = m_sServiceLogonPassword
Value = <NULL>
- String = m_sSystemName
Value = zone processor host server name
- String = m_sZoneName
Value = name of the zone (management set) to manage
- String = Version
Value = 5.4.0 (use the actual version of ERPM here)
- On the E/RPM host, open regedit and export the following registry keys:
- HKLM\Software\Wow6432Node\Lieberman\PWC\DataStoreConfig
- HKLM\Software\Wow6432Node\Lieberman\PWC\ProgramOptions\EncryptionSettings
- Edit the two registry files, changing each registry path to be as follows:
- HKLM\Software\WoW6432Node\Lieberman\PWC\PWCZoneProcessor\ZONE_NAME_GOES_HERE\DataStoreConfig
- HKLM\Software\WoW6432Node\Lieberman\PWC\PWCZoneProcessor\ZONE_NAME_GOES_HERE\DataStoreConfig\AppOperationMetrics
- HKLM\Software\WoW6432Node\Lieberman\PWC\PWCZoneProcessor\ZONE_NAME_GOES_HERE\ProgramOptions
- HKLM\Software\WoW6432Node\Lieberman\PWC\PWCZoneProcessor\ZONE_NAME_GOES_HERE\ProgramOptions\EncryptionSettings
- Import the registry keys exported from step 6 on the new zone processor host. If you are working on a core server, copy the registry files over to the core server and run REG IMPORT NameOfRegistryFile.
- At the command prompt of the new zone processor server type the following commands:
- On the core server run the following command: sc create "RouletteSked$ZONE_NAME_GOES_HERE" binpath= c:\LiebermanZoneProcessor\RouletteSked.exe "-zone:ZONE_NAME_GOES_HERE" obj= DOMAINNAME\SvcAccountName password= PASSWORD
- sc config RouletteSked$ZONE_NAME_GOES_HERE start= auto
- sc start RouletteSked$ZONE_NAME_GOES_HERE
- Repeat steps 3-8 for additional zones on the same host.
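The registry, import and service steps above as one PowerShell script. This is an added example, not vendor code: it uses New-Service with Get-Credential in place of the page's sc create ... password= so the service account password is prompted for instead of typed on a command line. The zone name, log path, export folder and .reg file names are placeholders, and treating <NULL> as an empty value and m_sSystemName as the local computer name are assumptions.

```powershell
# Added example, not vendor code. Run elevated on the zone processor host after the file copy.
# $ZoneName, $LogPath, $ExportDir and the .reg file names are placeholders (assumptions).
$ZoneName  = 'ZONE_NAME_GOES_HERE'            # assumed to contain no spaces
$LogPath   = 'C:\LiebermanZoneProcessor\ZoneProcessor.log'
$ExportDir = 'C:\Temp\erpm-export'            # holds the two .reg files exported on the ERPM host
$ZoneKey   = "HKLM:\Software\WoW6432Node\Lieberman\PWC\PWCZoneProcessor\$ZoneName"

# Zone key and the values listed in the steps ('' and an empty byte array stand in for <NULL>).
if (-not (Test-Path $ZoneKey)) { New-Item -Path $ZoneKey -Force | Out-Null }
$values = @(
    @{ N = 'm_bProcessAllJobs';       T = 'DWord';  V = 0 }
    @{ N = 'm_dwJobAffinity';         T = 'DWord';  V = 0x3f }
    @{ N = 'm_sLocalLogFilePath';     T = 'String'; V = $LogPath }
    @{ N = 'm_sLocalPathToService';   T = 'String'; V = 'c:\LiebermanZoneProcessor' }
    @{ N = 'm_sProcessorID';          T = 'String'; V = $ZoneName }
    @{ N = 'm_sServiceLogonName';     T = 'String'; V = '' }
    @{ N = 'm_sServiceLogonPassword'; T = 'Binary'; V = [byte[]]@() }
    @{ N = 'm_sSystemName';           T = 'String'; V = $env:COMPUTERNAME }
    @{ N = 'm_sZoneName';             T = 'String'; V = $ZoneName }
    @{ N = 'Version';                 T = 'String'; V = '5.4.0' }   # use the actual ERPM version
)
foreach ($v in $values) {
    New-ItemProperty -Path $ZoneKey -Name $v.N -PropertyType $v.T -Value $v.V -Force | Out-Null
}

# Re-root the exported keys under the zone key: header lines only, case-insensitive match.
$from = '(?m)^' + [regex]::Escape('[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Lieberman\PWC\')
$to   = "[HKEY_LOCAL_MACHINE\SOFTWARE\WoW6432Node\Lieberman\PWC\PWCZoneProcessor\$ZoneName\"
$to   = $to.Replace('$', '$$')                # keep a literal '$' out of regex substitution
foreach ($name in 'DataStoreConfig.reg', 'EncryptionSettings.reg') {
    $src = Join-Path $ExportDir $name
    $dst = Join-Path $ExportDir "zone-$name"  # write a copy so a rerun never rewrites twice
    (Get-Content -Path $src -Raw) -replace $from, $to |
        Set-Content -Path $dst -Encoding Unicode -NoNewline
    reg.exe import $dst
    if ($LASTEXITCODE -ne 0) { throw "reg import failed for $dst" }
    Remove-Item -Path $src, $dst              # the exports carry data store and encryption settings
}

# Service. Single quotes keep PowerShell from expanding the literal '$' in the service name.
$svcName = 'RouletteSked$' + $ZoneName
$cred    = Get-Credential -Message 'Zone processor service account (DOMAINNAME\SvcAccountName)'
New-Service -Name $svcName -Credential $cred -StartupType Automatic `
    -BinaryPathName "c:\LiebermanZoneProcessor\RouletteSked.exe -zone:$ZoneName" | Out-Null
Start-Service -Name $svcName
```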
NOTE! If the zone processor will be unable to use the same type of database authentication as the main console (e.g. the console uses integrated auth but the zone processor is untrusted), then configure the main console to use the preferred database authentication settings prior to exporting the HKLM\Software\Wow6432Node\Lieberman\PWC\DataStoreConfig registry key. After this key has been exported, you may change the database authentication back to the preferred settings.
NOTE! The registry value of m_dwJobAffinity controls what types of jobs the zone processor will be willing to run. The following items identify possible values for the jobs the zone processor will run (values given in HEX):
- All job types = 3f
- Password Change = 1
- Refresh Jobs = 2
- Dynamic Group Updates = 4
- Report Jobs = 8
- Password Test = 10
- Account Elevation Jobs = 20
Job types are combined by adding their values. All values are given in HEX:
- Password Change Job (1) + Password Tests (10) = 11
- Dynamic Group Updates (4) + Report Jobs (8) = C
- Dynamic Group Updates (4) + Report Jobs (8) + Password Tests (10) = 1C
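To check which job types each installed zone is actually allowed to run, the m_dwJobAffinity value can be read back and decoded. This is an added example, not vendor code: the bit values come from the list above, while the enum and function names are hypothetical.

```powershell
# Added example: bit values are those listed on this page; names are hypothetical.
[Flags()] enum ZoneJobAffinity {
    PasswordChange      = 0x01
    RefreshJobs         = 0x02
    DynamicGroupUpdates = 0x04
    ReportJobs          = 0x08
    PasswordTest        = 0x10
    AccountElevation    = 0x20
}

function Get-ZoneJobAffinity {
    # Decode m_dwJobAffinity for every zone configured on this host.
    $root = 'HKLM:\Software\WoW6432Node\Lieberman\PWC\PWCZoneProcessor'
    foreach ($zone in Get-ChildItem -Path $root -ErrorAction Stop) {
        $raw = $zone.GetValue('m_dwJobAffinity', $null)
        if ($null -eq $raw) {
            Write-Warning "$($zone.PSChildName): m_dwJobAffinity is not set"
            continue
        }
        $raw = [int]$raw
        [pscustomobject]@{
            Zone          = $zone.PSChildName
            Hex           = '{0:x}' -f $raw
            Jobs          = [ZoneJobAffinity]($raw -band 0x3f)
            # Bits outside 3f are not documented on this page; surface them for review.
            UnknownBits   = '{0:x}' -f ($raw -band (-bnot 0x3f))
            RunsElevation = [bool]($raw -band [int][ZoneJobAffinity]::AccountElevation)
        }
    }
}

function ConvertTo-ZoneJobAffinityHex {
    # Build the HEX value to enter in the registry from a list of job type names.
    param([Parameter(Mandatory)][ZoneJobAffinity[]]$JobType)
    $mask = 0
    foreach ($j in $JobType) { $mask = $mask -bor [int]$j }
    '{0:x}' -f $mask
}

Get-ZoneJobAffinity | Format-Table -AutoSize
ConvertTo-ZoneJobAffinityHex -JobType PasswordChange, PasswordTest
```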