Date: May 17, 2016
Zone processors are often needed with Enterprise Random Password Manager (ERPM). ERPM can push a zone processor automatically to a target host, but that presumes proper network connectivity to the target zone processor host.
When that network connectivity does not exist, the following options are available to perform an installation:
- Use the standalone installer (available in v4.83.8 and later) to create a custom MSI package for each unique zone. The CreateZoneInstaller program is found in the supplementalInstallers folder of the ERPM installation directory.
- A management console could be installed locally to perform the local zone processor installation. However, in versions prior to 4.83.9 this requires a license for each console. Installing the management console also requires a working Windows GUI, which does not exist on Core installations of Windows.
- Perform a manual installation, as outlined below.
Zone processors are supported on core installations of Windows.
Without network connectivity, the zone processor installation cannot be automatically pushed to the target zone processor host. Without a GUI, a local console cannot be installed to perform a local installation of the zone processor service. Also, the standalone zone processor installer cannot perform multiple zone installations on the same host.
To install a zone processor manually, perform the following steps:
- On the zone processor host, create a folder called LiebermanZoneProcessor at the root of drive C.
- From the ERPM installation directory, copy the following files:
- ipworksssh9.dll (if it exists; older versions did not have this DLL)
- Create the following registry key: HKLM\Software\WOW6432Node\Lieberman\PWC\PWCZoneProcessor\ZONE_NAME_GOES_HERE
- Create the following registry entries at: HKLM\Software\WOW6432Node\Lieberman\PWC\PWCZoneProcessor\ZONE_NAME_GOES_HERE
- Dword = m_bProcessAllJobs
  Value = 0
- Dword = m_dwJobAffinity
  Value (HEX) = 3f
- String = m_sLocalLogFilePath
  Value = complete path to preferred log file location
- String = m_sLocalPathToService
  Value = c:\LiebermanZoneProcessor
- String = m_sProcessorID
  Value = ZONE_NAME_GOES_HERE
- String = m_sServiceLogonName
- Binary = m_sServiceLogonPassword
- String = m_sSystemName
  Value = zone processor host server name
- String = m_sZoneName
  Value = name of the zone (management set) to manage
- Create the following registry entry at: HKLM\Software\WOW6432Node\Lieberman\PWC\
- String = Version
  Value = 5.0.1
  Use the actual version of ERPM here.
- On the E/RPM host, open regedit and export the following registry keys:
- HKLM\Software\Wow6432Node\Lieberman\PWC\DataStoreConfig
- HKLM\Software\Wow6432Node\Lieberman\PWC\ProgramOptions\EncryptionSettings
- HKLM\Software\Wow6432Node\Lieberman\PWC\RetryOptions
- Import the registry keys exported in the previous step on the new zone processor host. If you are working on a core server, copy the registry files over to the core server and run REG IMPORT NameOfRegistryFile.
- At the command prompt of the new zone processor server (this also works on a core server), type the following commands:
- sc create "RouletteSked$ZONE_NAME_GOES_HERE" binpath= "c:\LiebermanZoneProcessor\RouletteSked.exe -zone:ZONE_NAME_GOES_HERE" obj= DOMAINNAME\SvcAccountName password= PASSWORD
- sc config "RouletteSked$ZONE_NAME_GOES_HERE" start= auto
- sc start "RouletteSked$ZONE_NAME_GOES_HERE"
NOTE! If the zone processor will be unable to use the same type of database authentication as the main console (e.g. the console uses integrated auth but the zone processor is untrusted), then configure the main console to use the database authentication settings the zone processor needs prior to exporting the HKLM\Software\Wow6432Node\Lieberman\PWC\DataStoreConfig registry key. After this key has been exported, you may change the console's database authentication back to its own settings.
NOTE! The registry value m_dwJobAffinity controls which types of jobs the zone processor is willing to run. The following items identify the possible values for the jobs the zone processor will run (values given in HEX):
- All job types = 3f
- Password Change = 1
- Refresh Jobs = 2
- Dynamic Group Updates = 4
- Report Jobs = 8
- Password Test = 10
- Account Elevation Jobs = 20
All values are given in HEX and can be added together to allow several job types, for example:
- Password Change Job (1) + Password Tests (10) = 11
- Dynamic Group Updates (4) + Report Jobs (8) = C
- Dynamic Group Updates (4) + Report Jobs (8) + Password Tests (10) = 1C
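The manual steps above, scripted end to end for one zone (an added example, not Lieberman's own tooling): it computes m_dwJobAffinity from the job types listed in the note, writes the registry entries, and registers the RouletteSked$ZONE service. It assumes the program files are already copied to C:\LiebermanZoneProcessor and the three exported keys have been imported; the default log path, the $JobTypes names and using $env:COMPUTERNAME for m_sSystemName are assumptions of this script.

```powershell
<#
  Added example, not Lieberman's own tooling: creates the zone processor registry entries
  and the RouletteSked$ZONE service for one zone, following the manual steps above.
  Assumes the files are already in C:\LiebermanZoneProcessor and the exported keys are
  imported. Run from an elevated PowerShell prompt on the zone processor host.
#>
param(
    [Parameter(Mandatory)][string]$ZoneName,                  # management set to manage
    [Parameter(Mandatory)][pscredential]$ServiceAccount,      # e.g. DOMAINNAME\SvcAccountName
    [string]$ErpmVersion = '5.0.1',                           # use the actual ERPM version
    [string]$LogFile = 'C:\LiebermanZoneProcessor\zone.log',  # assumed log location
    [string[]]$JobTypes = @('All')                            # keys of $JobBits below
)

# m_dwJobAffinity bit values from the note above; distinct bits are combined with -bor.
$JobBits = @{ All = 0x3f; PasswordChange = 0x01; Refresh = 0x02; DynamicGroup = 0x04
              Report = 0x08; PasswordTest = 0x10; AccountElevation = 0x20 }
$affinity = 0
foreach ($j in $JobTypes) { $affinity = $affinity -bor $JobBits[$j] }
Write-Host ("m_dwJobAffinity = 0x{0:x}" -f $affinity)

$pwc     = 'HKLM:\SOFTWARE\WOW6432Node\Lieberman\PWC'
$zoneKey = "$pwc\PWCZoneProcessor\$ZoneName"
New-Item -Path $zoneKey -Force | Out-Null

$values = @(
    @{ Name = 'm_bProcessAllJobs';     Type = 'DWord';  Value = 0 },
    @{ Name = 'm_dwJobAffinity';       Type = 'DWord';  Value = $affinity },
    @{ Name = 'm_sLocalLogFilePath';   Type = 'String'; Value = $LogFile },
    @{ Name = 'm_sLocalPathToService'; Type = 'String'; Value = 'C:\LiebermanZoneProcessor' },
    @{ Name = 'm_sProcessorID';        Type = 'String'; Value = $ZoneName },
    @{ Name = 'm_sServiceLogonName';   Type = 'String'; Value = $ServiceAccount.UserName },
    @{ Name = 'm_sSystemName';         Type = 'String'; Value = $env:COMPUTERNAME },
    @{ Name = 'm_sZoneName';           Type = 'String'; Value = $ZoneName }
)
foreach ($v in $values) {
    New-ItemProperty -Path $zoneKey -Name $v.Name -PropertyType $v.Type -Value $v.Value -Force | Out-Null
}
# m_sServiceLogonPassword is a Binary value whose encoding the article does not document,
# so it is not written here; the service itself receives the credential via New-Service.
New-ItemProperty -Path $pwc -Name 'Version' -PropertyType String -Value $ErpmVersion -Force | Out-Null

# Register and start the per-zone service (same as the sc create / config / start steps).
$svcName = "RouletteSked`$$ZoneName"
New-Service -Name $svcName `
    -BinaryPathName "C:\LiebermanZoneProcessor\RouletteSked.exe -zone:$ZoneName" `
    -Credential $ServiceAccount -StartupType Automatic | Out-Null
Start-Service -Name $svcName
Get-Service -Name $svcName | Select-Object Name, Status, StartType
```

Passing the service account as a PSCredential (prompted via Get-Credential) keeps the password out of the command line and shell history, unlike the sc create form above.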