Distributed Server Architecture (DSA)
Summary
BES has a very sophisticated built-in ability to install multiple BES Servers that replicate information from each other. In the event of a failure of one BES Server, the other BES Servers will automatically take over as fully functional BES Servers (they will receive data from the BES Relays and BES Clients and accept BES Console connections). When the failed BES Server is restored, it will automatically receive updated information.
DSA Installation Instructions
Please see the BigFix Administrator's Guide at http://support.bigfix.com/resources.html for more information about DSA.
DSA Requirements
- You must choose an authentication mechanism (either NT Authenticated Domain Users/Groups or SQL Authentication). All servers need to use the same authentication mechanism.
- The DSA servers should have roughly similar performance characteristics in terms of CPU, memory, disk, and overall system performance (otherwise your performance will suffer in the event of a failure).
- The DSA servers must all have the same version of SQL Server installed (either SQL Server 2000 or SQL Server 2005).
Authenticating Additional Servers (DSA)
Multiple servers can provide a higher level of service for your BES installation. If you choose to add Distributed Server Architecture (DSA) to your BES installation, you will be able to recover from network and systems failures automatically while continuing to provide local service. To take advantage of this functionality, you will need one or more additional servers with a capability at least equal to your primary server. Because of the extra expense and installation involved, you should carefully think through your needs before committing to DSA.
First, you must decide how you want your BES Servers to communicate with each other. There are three inter-server authentication options: the first two are flavors of NT and the third is SQL. Because it is more secure, BigFix recommends NT Authentication. You can't mix and match; all BES Servers must use the same authorization. Here are the instructions for each option:
Using NT Authentication with Domain Users/User Groups
With this technique, each BES Server uses the specified domain user or a member of the specified user group to access all other BES Servers in the deployment. To authenticate your BES Servers using Domain Users/User Groups, follow these steps:
- Create a service account user or user group in your domain. For a user group, add authorized domain users to your BES Servers. You may need to have domain administration privileges to do this.
- On the Master BES Server, use SQL Enterprise Manager (or the SQL 2005 Management Studio) to create a login for the domain service account user or user group, with a default database of BFEnterprise, and give this login System Admin (sa) authority. System Admin authority is required in order for operator accounts to be replicated due to SQL Server requirements.
- On the Master BES Server, change the LogOn settings for the BES FillDB service to the domain user or member of the user group created above, and restart the service.
Using NT Authentication with Domain Computer Groups
With this technique, each BES Server is added to a specified domain computer group and each server accepts logins from members of that domain group. To authenticate your BES Servers using Domain Computer Groups, follow these steps:
- Create a Global Security Group in your domain containing each desired BES Server. You may need to have domain administration privileges to do this.
- After creating the group, each server will need to be rebooted in order to update its domain credentials.
- On the Master BES Server, use SQL Enterprise Manager (or the SQL 2005 Management Studio) to create a login for the domain group, with a default database of BFEnterprise, and give this login System Admin (sa) authority. System Admin authority is required in order for operator accounts to be replicated due to SQL Server requirements.
Using SQL Authentication
With this technique, each BES Server is given a login name and password, and is configured to accept the login names and passwords of all other BES Servers in the deployment. Be aware that the password for this account is stored in clear-text under the HKLM branch of the registry on each BES Server. To authenticate your BES Servers using SQL Authentication, follow these steps:
- Choose a single login name (for example, 'besserverlogin'), and a single password to be used by all servers in your deployment for inter-server authentication.
- On the Master BES Server, use SQL Enterprise Manager (or SQL 2005 Management Studio) to create a SQL Server login with this name. Choose SQL Server Authentication as the authentication option and specify the password. Change the default database to BFEnterprise and grant it System Admin (sa) authority. System Admin authority is required in order for operator accounts to be replicated due to SQL Server requirements.
- On the Master BES Server, add the following String values under the key HKLM\Software\BigFix\Enterprise Server\FillDB:
ReplicationUser = [login name]
ReplicationPassword = [password]
- Restart the BES FillDB service.
NOTE: This choice must be made on a deployment-wide basis; you cannot mix domain-authenticated servers with SQL-authenticated servers. Also, all BES servers in your deployment must be running the same version of SQL Server.
Installing Additional Servers (DSA)
NOTE: Before proceeding with this section, determine your authentication method and complete the appropriate steps in the Authenticating Additional Servers (DSA) section above.
For each additional BES Server you wish to add to your deployment, make sure they are communicating with each other, and then follow these steps:
- Install the same SQL Server version being used by the Master BES Server.
- Run the BES Server installer on each machine that you wish to configure as an additional BES Server. You should use the same administrative account that you used for the local SQL Server install (so you have sa authority).
- If you're extracting the server installer from the BES Installation Generator, select Production Deployment, and I want to install with an existing masthead. Specify the masthead.afxm file from the Master BES Server. Otherwise, use the Server install package from the BESInstallers folder on the Master BES Server.
- On the Select Database Replication page of the server installer, select Replicated Database.
- On the Select Database page, select Local Database to host the database on the server (typical for most applications).
- Proceed through the installer screens as usual until the installer gets to Configuring your new installation and prompts you with a Database Connection dialog box. Enter the hostname of your master server, and the credentials for an account that can log into the master server with DBO permissions on the BFEnterprise database.
- The Replication Servers window shows you the BES Server configuration for your current deployment. By default, your newly installed BES Server should be configured to replicate directly from the master server every 5 minutes. You can adjust this as necessary.
- Use SQL Enterprise Manager (or SQL 2005 Management Studio) to create the same SQL Server login you created earlier on the Master BES Server with BFEnterprise as the default database and System Admin (sa) authority or the DBO role on the BFEnterprise and master databases.
- For NT Authentication via Domain User/User Group, change the LogOn settings for the BES FillDB service to the domain user or member of the user group created above, and restart the service.
- For SQL Authentication, add the following string values to the FillDB registry keys, and restart the BES FillDB Service. HKLM\Software\BigFix\Enterprise Server\FillDB:
ReplicationUser = [login name]
ReplicationPassword = [password]
- On the newly-installed server, run the BES Administration Tool and select the Replication tab to see the current list of servers and their replication periods. Select the newly installed server from the pull-down menu, and verify in the list below that it is successfully connected to the master server. Then select the master server in the server dropdown, and verify that it is properly connected to the new server. You may need to wait for the next replication period before both servers show a successful connection.
NOTE: The initial replication could take several hours depending on the size of your database. Wait for the replication to complete before taking any actions from a Console connected to the replica BES Server.
- You can see a graph of the servers and their connections by clicking the Edit Replication Graph button. You can change the connections between servers by simply dragging the connecting arrows around.
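The SQL Authentication steps above, for both the Master BES Server and each additional server, leave ReplicationPassword in clear text under the FillDB registry key. The following read-only PowerShell check is an added example, not BigFix tooling: run on each BES Server, it reports which authentication mode is configured, which SIDs other than SYSTEM and Administrators can read that key, and which account the FillDB service logs on as. The function name and the service display-name match are assumptions.

```powershell
# Added example: audit how this BES Server authenticates to its DSA peers.
# Read-only; run elevated on each BES Server. Never prints the password itself.
$FillDbKey = 'HKLM:\Software\BigFix\Enterprise Server\FillDB'   # key named on this page

function Get-DsaReplicationAuthReport {          # hypothetical helper name
    param([string]$Path = $FillDbKey)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Registry key not found: $Path"
    }

    # Presence of the two values indicates SQL Authentication is configured.
    $props   = Get-ItemProperty -LiteralPath $Path
    $hasUser = $null -ne $props.PSObject.Properties['ReplicationUser']
    $hasPass = $null -ne $props.PSObject.Properties['ReplicationPassword']

    # Allow ACEs granting QueryValues to anyone other than SYSTEM (S-1-5-18)
    # or BUILTIN\Administrators (S-1-5-32-544). SIDs avoid localized names.
    $expectedSids = 'S-1-5-18', 'S-1-5-32-544'
    $queryValues  = [System.Security.AccessControl.RegistryRights]::QueryValues
    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $extraReaders = @($rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.RegistryRights -band $queryValues) -and
            ($expectedSids -notcontains $_.IdentityReference.Value)
        } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

    # Assumption: the service display name contains "FillDB"
    # (the page refers to it as the "BES FillDB" service).
    $svc = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DisplayName -like '*FillDB*' } |
        Select-Object -First 1

    $mode = if ($hasUser -or $hasPass) { 'SQL Authentication' } else { 'NT Authentication (no SQL values set)' }

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        AuthMode            = $mode
        ReplicationUserSet  = $hasUser
        ClearTextPassword   = $hasPass           # True means a password is stored in the key
        ExtraKeyReaderSids  = $extraReaders      # should be empty when a password is stored
        FillDbLogonAccount  = if ($svc) { $svc.StartName } else { $null }
    }
}

Get-DsaReplicationAuthReport | Format-List
```

Because the page requires one mechanism deployment-wide, the AuthMode value should be identical on every BES Server; a server that shows ClearTextPassword together with a non-empty ExtraKeyReaderSids list is the one to review first.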
©2008 BigFix