Authenticating Additional Servers
Multiple servers can provide a higher level of service for your BigFix installation.
If you choose to add Disaster Server Architecture (DSA) to your installation, you will be able to recover from network and systems failures automatically while continuing to provide local service. To take advantage of this function, you must have one or more additional servers with a capability at least equal to your primary server. Because of the extra expense and installation involved, you should carefully think through your needs before committing to DSA.
You must first decide how you want your servers to communicate with each other. There are three inter-server authentication options: the first two are variants of NT Authentication and the third is SQL Authentication. Because it is more secure, NT Authentication is recommended. You cannot mix and match; all servers must use the same authentication method.
Using NT Authentication with domain users and user groups
With this method, each server uses the specified domain user or a member of the specified user group to access all the other servers in the deployment.
- Create a service account user or user group in your domain. For a user group, add authorized domain users to your servers. You might need to have domain administration privileges to do this.
- On the Master Server, use SQL Server Management Studio to create a login for the domain service account user or user group, with a default database of BFEnterprise, and give this login System Admin (sa) authority or the DBO (DataBase Owner) role on the BFEnterprise and master databases.
- On the Master Server, change the LogOn settings for the FillDB, BES Root, and Web Reports services to the domain user or member of the user group created in step 2, and restart the services.
Using NT Authentication with domain computer groups
With this method, each server is added to a specified domain computer group and each server accepts logins from members of that domain group.
- Create a Global Security Group in your domain containing your chosen servers. You might need to have domain administration privileges to do this.
- After creating the group, each server must be rebooted to update its domain credentials.
- On the Master Server, use SQL Server Management Studio to create a login for the domain group, with a default database of BFEnterprise, and give this login System Admin (sa) authority or the DBO (DataBase Owner) role on the BFEnterprise and master databases.
Using SQL Authentication
With this method, each server is given a login name and password, and is configured to accept the login names and passwords of all other servers in the deployment.
The password for this account is typed in clear text and is obfuscated under the HKLM branch of the registry on each server after the FillDB service is restarted.
- Choose a single login name (for example, besserverlogin), and a single password to be used by all servers in your deployment for inter-server authentication.
- On the Master server, use SQL Server Management Studio to create a SQL Server login with this name. Choose SQL Server Authentication as the authentication option and specify the password. Change the default database to BFEnterprise and assign the sysadmin server role to the new user, or map it to the role of db_owner on the BFEnterprise and master databases.
- On the master server, add the following string values under the HKLM\Software\Wow6432Node\BigFix\Enterprise Server\FillDB key:
  ReplicationUser = <login name>
  ReplicationPassword = <password>
  ReplicationPort = <SQL_port>
- Restart the FillDB service.
- This choice must be made on a deployment-wide basis; you cannot mix domain-authenticated servers with SQL-authenticated servers.
- ReplicationUser, ReplicationPassword, and ReplicationPort must be uniquely defined in all the server registries of your DSA environment.
- All BigFix servers in your deployment must be running the same version of SQL Server.
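The deployment-wide constraints above can be checked from `reg query` output collected from each server's FillDB key. The following is an added example, not BigFix code: the server names and sample output are constructed, and treating a server with no Replication values as NT-authenticated is an assumption.

```python
import re

# Value names the page lists under the FillDB key for SQL authentication.
REQUIRED = ("ReplicationUser", "ReplicationPassword", "ReplicationPort")
VALUE_LINE = re.compile(r"^\s{4}(\S+)\s{4}(REG_\w+)\s{4}(.*)$")
KEY = r"HKEY_LOCAL_MACHINE\Software\Wow6432Node\BigFix\Enterprise Server\FillDB"

def parse_reg_query(text):
    """Return {value name: data} from `reg query <FillDB key>` output."""
    values = {}
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            values[match.group(1)] = match.group(3).strip()
    return values

def audit(outputs):
    """outputs maps server name -> reg query text; returns a list of findings."""
    findings, modes, users = [], {}, {}
    for server, text in sorted(outputs.items()):
        values = parse_reg_query(text)
        present = [name for name in REQUIRED if values.get(name)]
        if len(present) == len(REQUIRED):
            modes[server], users[server] = "sql", values["ReplicationUser"]
            if not values["ReplicationPort"].isdigit():
                findings.append(f"{server}: ReplicationPort is not numeric")
        elif present:
            missing = [name for name in REQUIRED if name not in present]
            modes[server] = "sql"
            findings.append(f"{server}: missing {', '.join(missing)}")
        else:
            modes[server] = "nt"  # assumption: no Replication* values means NT auth
    if len(set(modes.values())) > 1:
        findings.append("deployment mixes SQL-authenticated and NT-authenticated servers")
    if len(set(users.values())) > 1:
        findings.append("ReplicationUser differs between servers")
    return findings

def sample(**values):
    return "\n".join(["", KEY] + [f"    {k}    REG_SZ    {v}" for k, v in values.items()])

# Constructed sample data: reg query output for three hypothetical servers.
SAMPLE = {
    "bes-a": sample(ReplicationUser="besserverlogin", ReplicationPassword="<obfuscated>", ReplicationPort="1433"),
    "bes-b": sample(ReplicationUser="besserverlogin", ReplicationPort="1433"),
    "bes-c": sample(),
}
for finding in audit(SAMPLE):
    print(finding)
```

The check reports value names only and never prints the ReplicationPassword data.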