Authentication and Privilege Elevation services deployment checklist

The following checklist provides an overview of each of the main steps that are involved when you deploy Centrify Authentication Service and Centrify Privilege Elevation Service. For any tasks related to Centrify software, there are links to more information and procedures.

For auditing deployment steps, please see the Audit & Monitoring Service deployment checklist.

Each numbered step gives the task, any notes, and the topic (Link to Details) that describes it.

PREPARATION AND PLANNING

1. Analyze your network topology to determine where to install components and services and any hardware or software updates required.
   Details: Planning a deployment

2. Create a list of the computers where you plan to install different components.
   Details: Planning a deployment

3. Determine how you plan to install the software onto your computers.
   Details: Planning a deployment

PRE-INSTALL TASKS

4. Prepare a domain account that has permissions to create Active Directory containers and child objects.
   Notes: You'll need this account to create the OU using the Installation wizard.

5. Prepare an Active Directory group to be zone administrators.

6. Create the Zone Provisioning Agent (ZPA) service account.
   Notes: Requires Active Directory domain admin privileges.

7. Apply group policy to allow the ZPA to run as a service.
   Notes: Requires Active Directory domain admin privileges.

INSTALL TASKS

8. Install the Access Manager console, ZPA, group policies, create the OU in Active Directory, and so forth.
   Details: Installing Centrify Authentication Service, Privilege Elevation Service, and Audit & Monitoring Service; Installing Zone Provisioning Agent

9. (Optional) Configure ZPA. This is only needed if you plan on automatically provisioning users.
   Details: Configure the Zone Provisioning Agent

10. Run adcheck on any UNIX computer that you want to manage and fix any issues until adcheck reports no issues.
    Details: Perform administrative tasks using commands

11. Install a Centrify agent for Windows on each Windows computer that you want to manage.
    Details: Installing the Centrify Agent for Windows

12. Install a Centrify agent for UNIX on each UNIX or Linux computer that you want to manage.
    Details: Installing agents on computers to be managed

13. Install additional Access Manager consoles on any Windows computer that you want to use for the Authentication and Privilege Management services.
    Details: Installing additional consoles

14. Verify that agents are working correctly. Run adinfo on managed UNIX computers.
    Details: Troubleshooting and common questions; Perform administrative tasks using commands

POST-INSTALL HOUSEKEEPING

15. Identify UNIX users who do not have an Active Directory account.
    Notes: Automatically done by adimport.
    Details: adimport man page

16. Identify service accounts.
    Details: Identifying service accounts to migrate to Active Directory

17. Collect and analyze sudoers files.
    Details: Converting sudoers aliases and user specifications

18. Create a list of Roles in sudoers that will be migrated to Centrify Privilege Elevation Service.
    Details: Identifying accounts that should not be migrated

19. Create a list of users and groups to be migrated to Active Directory.
    Details: Migrating existing users to hierarchical zones

20. Create missing Active Directory user accounts.

SETUP AND CONFIGURATION

21. Create a list of computers that will be joined to each Zone.

22. Create parent and child zones.
    Details: Creating a new parent zone; Creating child zones

23. Delegate control to zones.
    Details: Delegating control of administrative tasks

24. Import UNIX users and groups into Active Directory.
    Details: Migrating existing users to hierarchical zones

25. Create Zone Provisioning groups and add users and groups to them.
    Details: Adding new users to a provisioning group and a role group

26. Pre-create computer objects in zones.
    Details: Prepare a computer object before joining

27. Create Role Groups.
    Details: Create role groups for child zones

28. Assign roles and users to role groups.
    Details: Adding new users to a provisioning group and a role group

29. Create ComputerRoles and ComputerRole groups.
    Details: Create a new computer role; Working with computer roles

30. Assign roles, users, and computers to ComputerRole groups.
    Details: Add role assignments to the computer role

31. Use “Show Effective Users” to check that profiles and roles are correct.
    Details: Verifying effective users on each zone

32. Start the ZPA agent.
    Notes: You configured ZPA in a previous step.
    Details: Configure the Zone Provisioning Agent

33. Configure the ZPA provisioning rules for the parent zone.
    Details: Configure the Zone Provisioning Agent

34. Join UNIX servers to Zones.
    Details: Joining a domain

35. Change the UID/GID of files for those users who have been assigned a new UID/GID in the Zone. Run adfixid on servers.
    Notes: Critical task that must be carefully coordinated with the users. Can be done at time of join to Active Directory with a script.
    Details: Perform administrative tasks using commands

FINAL TASKS

36. Check the status of the join and roles on the servers.
    Notes: Run adflush, adinfo and dzinfo.
    Details: Perform administrative tasks using commands; Migrating existing users to hierarchical zones

37. Back up passwd, shadow, and group files.

38. Remove the users and groups (that have been migrated to Active Directory) from the local files.
    Notes: Run adrmlocal on servers.
    Details: Perform administrative tasks using commands
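Steps 37 and 38 are the point of no return for local accounts, so here is an added example (not Centrify code and not part of this checklist) that takes a checksum-verified backup of the three files and sorts a migration list into what adrmlocal may remove and what must stay, keeping root and service accounts out of the removal set as steps 16 and 18 require. The sample passwd content, account names and the 999 system-UID cutoff are constructed assumptions.

```python
"""Pre-flight review for the last checklist steps: back up passwd, shadow and
group, then decide which local entries are safe to hand to adrmlocal.
Constructed example, not Centrify code; assumes plain 7-field passwd lines."""
import hashlib
import shutil
from datetime import datetime
from pathlib import Path

LOCAL_FILES = ("passwd", "shadow", "group")
# Constructed sample of a local passwd file; every value is made up.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
oracle:x:501:501:Oracle service:/opt/oracle:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/sh
"""

def backup_local_files(etc_dir, backup_root):
    """Copy passwd/shadow/group to a timestamped directory and verify each copy
    by SHA-256, so a known-good roll-back point exists before adrmlocal runs."""
    dest = Path(backup_root) / datetime.now().strftime("pre-adrmlocal-%Y%m%d-%H%M%S")
    dest.mkdir(parents=True, exist_ok=False)
    for name in LOCAL_FILES:
        src, copy = Path(etc_dir) / name, dest / name
        shutil.copy2(src, copy)  # copy2 keeps mode bits and timestamps
        src_sum, copy_sum = (hashlib.sha256(p.read_bytes()).hexdigest() for p in (src, copy))
        if src_sum != copy_sum:
            raise RuntimeError(f"backup of {src} does not match its source")
    return dest

def plan_removal(passwd_text, migrated, protect=("root",), system_uid_max=999):
    """Sort the migration list into 'remove' (ordinary users now in AD, safe for
    adrmlocal), 'protected' (root or service/system accounts, steps 16 and 18)
    and 'missing' (names with no local entry: a typo or already removed)."""
    local_uid = {}
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        local_uid[fields[0]] = int(fields[2])
    plan = {"remove": [], "protected": [], "missing": []}
    for name in migrated:
        if name not in local_uid:
            plan["missing"].append(name)
        elif name in protect or local_uid[name] <= system_uid_max:
            plan["protected"].append(name)
        else:
            plan["remove"].append(name)
    return {k: sorted(v) for k, v in plan.items()}
```

Review the "protected" and "missing" lists with the owners before running adrmlocal; only the "remove" list should go to it.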