Installing RSCD agents in a replicated domain controller environment
To install RSCD agents in a Windows replicated domain controller environment, you set Domain Controller Security Policies on one domain controller and then install RSCD agents in the correct sequence on all domain controllers.
Overview of the process
The RSCD installer will create a user named BladeLogicRSCDDC instead of the default BladeLogicRSCD when installing on a domain controller. This is to avoid the possibility that member servers could cause a lockout of the Domain level BladeLogicRSCD account. This is a known issue with certain utilities that run through the RSCD agent, as the utility first tries to authenticate to the domain with the credentials of the user that is running the utility, which in this case is the member server's BladeLogicRSCD account.
The password for the BladeLogicRSCD user or an alternate user on non-domain controller machines is generated at run time. However, in the case of a domain controller, the BladeLogicRSCD user or alternate user is assigned a password from a fixed set of passwords. BMC recommends that you change the default password as per your company's password policies. For steps on changing the password, see Changing the BladeLogicRSCDDC account password on domain controllers.
If you want to create a single account for each domain controller (instead of the default single account for all domain controllers), or if you want to use an alternate account name that differs from the default BladeLogicRSCDDC, you can perform the procedure described in this topic.
Before you begin
During RSCD agent upgrade, you map a client user to a local user on the target server. Make sure that the local user to which you are mapping is a direct member of the Builtin\Administrators group and that you do not map to the BladeLogicRSCD account.
Preparing an alternate user name for the agents in the Windows system
If using an alternate user name for the RSCD agent, limit the length of the user name to a maximum of 20 characters. By design, the agent fails to create the account if you use more than 20 characters. The account will be created during the RSCD service startup.
Installing RSCD agents in a replicated domain controller environment with the default, alternate, or per-server account name
On a domain controller, perform the following steps to set Domain Controller Security Policies for the BladeLogicRSCDDC user account (or any other equivalent account that you use for running the agent in the domain):
- Start the Group Policy Management Console (GPMC).
- In the GPMC console tree, right-click Default Domain Controllers Policy, and then click Edit.
- In the Group Policy Management Editor window, in the console tree, go to Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/User Rights Assignment.
- In the details pane, double-click Deny log on locally.
- Ensure that the Define these policy settings check box is selected, and then click Add User or Group.
- Type the name of the account that you want to deny the ability to log on locally (BladeLogicRSCDDC or any other equivalent account that you use for running the agent in the domain). As an alternative, click Browse to locate the account with the Select Users, Computers, or Groups dialog box, and then click OK.
- After you have the account name entered, click OK in the Add User or Group dialog box, and then click OK in the Deny Log on Locally Properties dialog box.
- Repeat these steps for the Log on as a batch job user right.
- If you use a unique account name per domain controller, each account name must be present in the above policies.
- Continue with the relevant task:
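A check for the policy steps above, as an added example that is not part of the BMC documentation: it exports the effective user rights on a domain controller and reports whether the agent account appears under both Deny log on locally and Log on as a batch job. It assumes an elevated PowerShell session, that Group Policy has already refreshed on the machine, and that the account already exists in the domain; the temporary file name is arbitrary.

```powershell
# Added example (not BMC code): check that the agent account holds both user
# rights on this domain controller. Run elevated after Group Policy refreshes.
param(
    [string]$AccountName = 'BladeLogicRSCDDC'   # default name from this topic
)

# Privilege constants behind the two policies set in the steps above.
$rights = [ordered]@{
    SeDenyInteractiveLogonRight = 'Deny log on locally'
    SeBatchLogonRight           = 'Log on as a batch job'
}

# secedit writes resolvable accounts as *<SID>, so compare on the SID.
$sid = ([System.Security.Principal.NTAccount]$AccountName).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user rights area of the effective security policy.
$cfg = Join-Path $env:TEMP 'rscd-user-rights.inf'
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$lines = Get-Content -Path $cfg
Remove-Item -Path $cfg

$missing = 0
foreach ($right in $rights.Keys) {
    # Each right is one line: <constant> = <member>,<member>,...
    $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $members = @()
    if ($line) {
        $members = @(($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() })
    }
    $held = ($members -contains "*$sid") -or ($members -contains $AccountName)
    if (-not $held) { $missing++ }
    '{0,-24} {1,-28} {2}' -f $rights[$right], $right, $(if ($held) { 'present' } else { 'MISSING' })
}

# Non-zero exit code lets a wrapper script stop before installing the agent.
if ($missing) { exit 1 }
```

With a unique account name per domain controller, run it once per account name, since each name must be present in both policies.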
Installing with the default account
Install the RSCD agent on the PDC emulator.
Step 1
- Extract the TSSA<version>-RSCDAgents.zip file that you downloaded from EPD to obtain the rscd folder. The folder contains separate installers for 32-bit and 64-bit Windows systems.
- Navigate to the windows_64 folder, which is inside the rscd folder, and run the following command:
  RSCD<version>-WIN64.msi
  New in 23.4: Otherwise, if you want to use SYSTEM User Only mapping, run the following command:
  RSCD<version>-WIN64.msi MAP_TO_SYSTEM_USER_ONLY=1
  For more information on SYSTEM User Only mapping, see Impersonation and privilege mapping.
- Click Run. The installation wizard is displayed.
- Click Next.
Step 2
- Accept the license agreement, and click Next.
- Configure the following Smart Agent parameters to connect to the Smart Hub for sending work requests, and click Next.
  - Enable Smart Agent: Specify whether you want to enable the Smart Agent service. The service is enabled by default, which indicates that the Smart Agent is started automatically after installation.
  - Smart Hub hostname: The name of the host where the Smart Hub is installed.
  - Smart Hub port: The listener port of the Smart Hub. The default port is 443.
  - Enroll as: The server is enrolled in the Application Server using this value. Specify one of the following identifiers to be used for the enrollment:
    - <HOSTNAME>: Indicates the server host name. This is the default identifier.
    - <SMARTHUB_PEER_IP>: Indicates the IP address of the server. A server might have multiple IP addresses. The IP address that is used for connecting to the Smart Hub is represented by this field.
    - <SMARTHUB_PEER_FQDN>: Indicates the fully qualified domain name for the <SMARTHUB_PEER_IP>.
    - <UUID>: Indicates a random UUID value. Use it to enroll the target server in the AWS public cloud data center.
  - Enroll interval time (mins): The interval at which the server enrollment request is sent to the Smart Hub. The default interval is 15 minutes. Specify the interval in the range 1 - 360 minutes.
  - Heartbeat interval time (mins): The interval at which the agent sends heartbeats to the Smart Hub for status updates. The default interval is 5 minutes. Specify the interval in the range 1 - 360 minutes.
  - Access key: The access key that is configured for the Smart Hub. This key is used for authenticating with the Smart Hub. To obtain the access key, see Configuring the Smart Hub.
  - Smart Hub polling interval time (sec): The interval (in seconds) at which the Smart Hub is polled for work requests. The default is 300 seconds.
  - Tunnel feature: Specify whether you want to enable or disable (default) the Tunnel feature.
Step 3
Select one of the following options, and click Next:
- Typical: Installs the agent with the default settings.
- Custom: Allows you to customize the default settings.
Step 4
Click Install to begin the RSCD agent installation.
Step 5
The installer checks whether Microsoft Visual C++ 2015 Redistributable is installed on the server. If this is not installed, the installation program aborts installation with an error message.
Step 6
Create a password for the BladeLogicRSCDDC user, and click Next.
You can change the password later by using the command or agentctl utility. For more information, see Changing the BladeLogicRSCDDC account password on domain controllers.
Step 7
You can select the Show the Windows Installer log option to view a detailed report of the installation process.
Click Finish to exit the wizard.
- The account will be created on agent startup. After the default account is created, force replication from Active Directory Sites and Services to the other domain controllers.
- Install the RSCD agent on the other domain controllers.
Installing or modifying an existing installation with an alternate or per-server account
- If the RSCD agent is already installed and running on the target domain controller(s), stop the RSCD service (see Starting and stopping the RSCD agent).
- On the PDC emulator in the domain, add (if this is a fresh installation) or modify (pre-existing installation) the registry value HKEY_LOCAL_MACHINE\SOFTWARE\BladeLogic\RSCD Agent\BladelogicRSCDUser. The registry value should be of type REG_SZ (string value), and be set to the desired account name.
- If you will be using the same account name on other domain controllers in the domain, complete the following steps:
- On the other domain controllers in the domain, add or modify the same registry value and use the same account name as on the PDC emulator.
- Install the RSCD agent or start the RSCD service on the PDC emulator.
- After the service has started and the service account exists, force replication to the other domain controllers from the Active Directory Sites and Services menu.
- Install or start the RSCD agent on the other domain controllers.
- If you will use a unique account name for each domain controller, complete the following steps:
- On the other domain controllers in the domain, add or modify the same registry value and use the unique account name.
- Install or start the RSCD agent on each domain controller after making the registry change (there is no concern about replication or order here as each system gets its own account).
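The registry step of this procedure, as an added example that is not part of the BMC documentation: it enforces the 20-character limit on the alternate user name, writes the BladelogicRSCDUser value as REG_SZ, and reads it back to confirm the data and type. It assumes an elevated PowerShell session on the domain controller with the RSCD service already stopped; the $AccountName parameter is a name chosen for this example.

```powershell
# Added example (not BMC code): set the alternate agent account name.
# Run elevated with the RSCD service stopped, as the procedure requires.
param(
    [Parameter(Mandatory)][string]$AccountName   # alternate or per-server name
)

# The agent fails to create an account whose name exceeds 20 characters.
if ($AccountName.Length -gt 20) {
    throw "'$AccountName' is $($AccountName.Length) characters; the limit is 20."
}

$key       = 'HKLM:\SOFTWARE\BladeLogic\RSCD Agent'
$valueName = 'BladelogicRSCDUser'

# Fresh installation: the key may not exist yet, so create it if needed.
if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }

# -Force replaces an existing value, covering the pre-existing installation case.
New-ItemProperty -Path $key -Name $valueName -PropertyType String `
    -Value $AccountName -Force | Out-Null

# Read back and confirm both the data and the REG_SZ type.
$regKey = Get-Item -Path $key
$kind   = $regKey.GetValueKind($valueName)
$stored = $regKey.GetValue($valueName)
if ($kind -ne [Microsoft.Win32.RegistryValueKind]::String -or $stored -ne $AccountName) {
    throw "Unexpected value: '$stored' of type $kind."
}

# One line per machine makes it easy to compare names across domain controllers.
"$valueName = $stored ($kind) on $env:COMPUTERNAME"
```

When the same account name is shared across domain controllers, the output line from each machine should show an identical name before the agent is installed or started on the PDC emulator.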