Installation Notes for Softerra Adaxes 2012.1

This document contains requirements and instructions on how to install Softerra Adaxes 2012.1.

System Requirements

The tables below outline software and hardware requirements for installing and running the Softerra Adaxes components.

Supported Operating Systems

Adaxes Service* Service Administration Console
  • Windows Server 2003 R2 (x86)
  • Windows Server 2003, Standard (x86)
  • Windows Server 2003, Enterprise
  • Windows Server 2003, Datacenter
  • Windows XP Professional SP1 (x86)
  • Windows XP SP1 (x64)
  • Windows Vista SP2 Business
  • Windows Vista SP2 Ultimate
  • Windows Vista SP2 Enterprise
  • Windows Server 2008
  • Windows 7 Enterprise
  • Windows 7 Professional
  • Windows 7 Ultimate
  • Windows Server 2008 R2
  • Windows XP SP2
  • Windows Server 2003 SP1
  • Windows Vista
  • Windows Server 2008
  • Windows 7
  • Windows Server 2008 R2

* Prior to install Adaxes Service on Windows 7 or Windows Vista, you need to install Active Directory Lightweight Directory Services (AD LDS). For details, see How to install AD LDS on Windows 7 and Windows Vista.

Web Interface/SPML Web Service* PowerShell Module for AD
  • Windows XP SP2 (x86)
  • Windows XP (x64)
  • Windows Server 2003
  • Windows Vista
  • Windows Server 2008
  • Windows 7
  • Windows Server 2008 R2
  • Windows XP SP3
  • Windows Server 2003 SP2
  • Windows Vista SP1
  • Windows Server 2008 SP1
  • Windows 7
  • Windows Server 2008 R2

* It's highly recommended to install Web Interface and SPML Web Service on the server editions of Windows because when installed on workstations, IIS has a limitation on the number of simultaneous connections. In this case, the connection limit can be reached when, for example, only two or three persons are using the Web Interface at the same time.

Important: To install Softerra Adaxes, the target computer must be joined to an Active Directory domain.


Hardware Requirements

The minimum hardware required to install and run Softerra Adaxes components includes:

Adaxes Service Service Administration Console Web Interface SPML Web Service
  • CPU: 1.6 GHz or higher recommended
  • RAM: 256 MB or more recommended
  • HDD: 512 MB
  • CPU: 1.1 GHz or higher recommended
  • RAM: 256 MB or more recommended
  • Super VGA (800x600) or higher resolution monitor
  • CPU: 1.6 GHz or higher recommended
  • RAM: 256 MB or more recommended
  • CPU: 500 MHz or higher recommended
  • RAM: 256 MB or more recommended

Note: Hardware requirements depend on the total number of objects managed by your Adaxes service.


Installation Prerequisites

Softerra Adaxes components require Microsoft .NET Framework 3.5 SP1 to be installed on the target system.
To install the framework, see How to install Microsoft .NET Framework 3.5 SP1.

To install Adaxes Service on Windows 7 or Windows Vista, first you need to install Active Directory Lightweight Directory Services (AD LDS). For details, see How to install AD LDS on Windows 7 and Windows Vista.

To use cmdlets included in PowerShell Module for Active Directory, Windows PowerShell 2.0 is installed on the target computer. For details, see How to install Windows PowerShell 2.0.

top of page

Installation

Note: To install Softerra Adaxes, you must log on to your computer using an account that belongs to the local Administrators group.

All Adaxes components (Adaxes Service, Web Interface, Administration Console, PowerShell Module, etc.) are installed using a single installation package. It is not necessary to install all the components on a single computer. In case you need to install different components on different computers, install the Adaxes service first, because to install other components you will need to specify the network location of the Adaxes service.

Installation Instructions

To install Softerra Adaxes:

  1. Log on to the operating system under a user account that has local administrator permissions on the target computer and is a member of an Active Directory domain.
  2. Install Microsoft .NET Framework 3.5 SP1, if not installed. For details, see How to install Microsoft .NET Framework 3.5 SP1.
  3. Launch the Softerra Adaxes installation package (.msi) for the language and OS architecture you want.
    Note: All Softerra Adaxes components (Adaxes Service, Service Administration Console, Web Interface and SPML Web Service) are installed by a single MSI package.
  4. The Welcome screen appears. Read the information provided and click Next.
  5. Accept the license agreement and click Next.
  6. Select the Adaxes components you would like to install and click Next.
    Please note that different Adaxes components have different system and hardware requirements. For details, see System Requirements.
    If you select none of the Adaxes components, only the Softerra Adaxes ADSI provider is installed.
  7. If you have selected Adaxes Service, do the following:
    • On the Service Administrator page, specify the default administrator for the service. Service administrators have unrestricted access to the service configuration and can perfrom all service-related administrative tasks and all operations in the AD domains managed by the service. The account for the default service administrator also determines the security context, in which the Adaxes Service runs (the service will use this account to log on to the system).
      The default service administrator account should have enough privileges to publish and unpublish the Adaxes service in Active Directory (create/delete a service connection point). By default, domain administrators have the necessary permissions. For more information on how to grant these permissions to another user, see Grant Permissions to Publish Adaxes service.
      Note: Although the list of service administrators can be modified after the service installation, the default service administrator cannot be removed or changed.
      Note: The AD domain of the default service administrator will be automatically registered to be managed by Adaxes.
      Click Next.
    • On the Service Configuration page, you can set up the new Adaxes service to join an existing Adaxes configuration set. In this case the service will share its configuration with all the services contained in the configuration set.
      To join an existing configuration set, click Share configuration, specify the DNS host name of any Adaxes service from the configuration set, and select an account with administrative credentials for the service. Usually, all default administrators of the services contained in a configuration set have the necessary administrative permissions.
      Click Next.
  8. If you have selected Web Interface, do the following:
    • On the Web Interface Types page, select Web Interface types you want to install and configure IIS web site parameters for each Web Interface type.

      By default, each Web Interface type allows users to handle tasks that are typically assigned to their job role in the company:

      • Web Interface for Administrators
        Allows Active Directory administrators to perform practically any operation in Active Directory.
      • Web Interface for Help Desk
        Allows Help Desk operators to handle tasks related to user account management like password reset, unlock/enable/disable user accounts, modify general properties of AD objects, etc.
      • Web Interface for Self-Service
        Allows regular users to accomplish self-service tasks without any assistance from administrators or Help Desk staff. Users can update their private information, change passwords, perform basic searches in AD, etc.
      Note: After the installation, you will be able to configure the installed Web Interfaces to meet the specifics of your company.
      Click Next.
    • On the Service for Web Interface page, specify the DNS host name of the Adaxes service the Web Interface will connect to. If the specified Adaxes service shares its configuration with other Adaxes services, the Web Interface will connect to the nearest available Adaxes service contained in the configuration set.
      Note: This page is not available if you install Adaxes Service and Web Interface at the same time. In this case, the Web Interface will use the Adaxes service installed during this installation.
      Click Next.
  9. If you have selected SPML Web Service, do the following:
    • On the SPML Web Service Address page, configure IIS web site parameters of the SPML Provider and click Next.
    • On the AD Access for SPML Web Service page, specify how you want the Adaxes SPML Provider to access Active Directory. Adaxes SPML Provider can access Active Directory directly or via an Adaxes service. Provisioning Active Directory via the Adaxes service allows you to benefit from the Softerra Adaxes features such as Business Rules, Security Roles, Property Patterns. If the SPML Provider accesses Active Directory through an Adaxes service and this service shares its configuration with other Adaxes services, the SPML Provider will connect to the nearest available Adaxes service contained in the configuration set.
      Note: This page is not available if you install Adaxes Service and SPML Web Service at the same time. In this case, the SPML Web Service will use the Adaxes service installed during this installation.
      Click Next.
  10. On the Ready to Install page, click Install to begin the installation.
    Depending on the features you've selected, the setup program may install additional components on your system. For details, see Additional Components.
Note:
During the installation you might be prompted to provide the Windows installation files. It might be necessary to install Windows components used by Softerra Adaxes (e.g. Web Interface and SPML Web Service require Microsoft IIS that is a Windows component).
If the Insert Disk dialog box appears, use one of the following methods:
  • Insert your Windows CD-ROM into your CD-ROM or DVD-ROM drive, and then click OK.
  • Click OK to locate your Windows installation files. In the Files Needed dialog box, click Browse, locate your Windows installation files, and then click Open. For example, the installation files might be in the D:\I386 folder.

Rights Granted to Adaxes Service Logon Account

Since the Adaxes service uses the account of the default service administrator to log on to the system, the setup program grants the 'Log on as service' right to this account.

When the Adaxes service is installed on a workstation rather than on a domain controller, this right is granted locally on this workstation via the Local Policy settings. If there is a conflicting domain-based Group Policy object that grants the 'Log on as service' right to other users, the local right granted by the setup program will be removed during the Group Policy refresh, because the domain-based Group Policy settings override the Local Policy settings. If this happens, the Adaxes service will not start. In this case contact your domain administrator to grant the 'Log on as service' right to the account of the default service administrator in a precedent domain-based Group Policy.

Multi-Server Deployment for High Availability

For many configurations it is desirable to install Adaxes service on multiple computers in order to achieve fault tolerance and load balancing. In a multi-server environment there are multiple Adaxes services that share common configuration (managed AD domains, Security Roles, Business Rules, Scheduled Tasks, etc.). Clients connect to the nearest available Adaxes service. If an Adaxes service becomes unavailable, clients are automatically switched to another one.

Adaxes services sharing common configuration form a logical grouping called a configuration set. When the configuration of an Adaxes service is modified, the configuration of other services in the configuration set becomes inconsistent with the most up-to-date configuration. As the changes get replicated through the configuration set, all service configurations become identical once again. Adaxes uses a type of replication called multimaster replication.

In many circumstances it may be sufficient to use a single-server configuration. However, if you have a geographically distributed environment, or there is a heavy load on the Adaxes service, or you want to improve the availability of your Adaxes service, you may consider a multi-server approach.

To setup a multi-server configuration:

  1. Install the first instance of Adaxes service. This will create a configuration set with only one Adaxes service.
  2. During installation of subsequent instances of Adaxes service, join each new service to the configuration set. For this purpose, on the Service Configuration page of the installation wizard, select the Share configuration option and specify the DNS host name of any Adaxes service from the configuration set. To join a service to a configuration set you will need to provide the credentials of the default administrator of any Adaxes service contained in the configuration set.

Deploying Web Interface to a Web Farm

You can install Adaxes Web Interface in a web farm if you want to share the web-site traffic across multiple servers, improve site availability, and balance load among sites.

To install Adaxes Web Interface in a web farm:

  1. Install Adaxes Web Interface on the Primary Server in the web farm.
  2. Since the Web Interface requires Adaxes ADSI provider, install Adaxes ADSI provider on each Secondary Server in the web farm.

    To install Adaxes ADSI provider:

    • Launch the Adaxes installation wizard.
    • On the Select Features page, deselect all the features and click Next.

    • Finish installation by following the instructions in the wizard.

    Note: When you upgrade the Web Interface you will also need to upgrade the Adaxes ADSI provider on each Secondary Server in the web farm.

  3. Configure client affinity for the web farm. Since Adaxes Web Interface requires all client requests to be routed to the same web server during a client session, you need to configure load balancing to map a client to a Web Interface for the duration of a client session. The load balancing algorithm must be applied only for the very first request from the client. From that point on, all subsequent requests from the same client must be routed to the same Web Interface for the duration of the client session.

    To configure client affinity if you use the Application Request Routing module:

    1. Launch Internet Information Services (IIS) Manager.
    2. Select the server farm and double-click Server Affinity.
    3. Enable the Client affinity option and click Apply.

    To configure client affinity if you use F5 BIG-IP Local Traffic Manager (LTM):

    A similar load balancing model needs to be applied if you use F5 BIG-IP LTM. This is achieved by configuring Source Address Persistence.

    1. Go to the F5 BIG-IP LTM configuration page.
    2. Expand Local Traffic in the navigation panel and select Profiles.
    3. Open the Persistence tab and then click Create.
    4. In the General Properties section type the desired name of the profile you are creating.
    5. Select Source Address Affinity in the Persistence type drop-down list.
    6. Customize other settings of the profile according to your requirements and click Finished.
    7. Open the virtual server(s) that hosts Adaxes Web Interface and open its Resources tab.
    8. In the Default Persistence Profile drop-down list, select the name of the persistence profile you have created.

Installing Web Interface and Administration Console in DMZ

To make Adaxes Web Interface and Administration Console available from outside, they can be installed in the DMZ (also known as perimeter network or extranet). Web Interface can be exposed to the Internet to allow users to perform tasks like password reset and directory search when they are not on the internal network (e.g. users travelling, users working from home, or external users). If you install Adaxes Administration Console on a computer in the DMZ, Administrators will be able to connect to the computer using Remote Desktop and manage Adaxes and Active Directory from outside the internal network.

To deploy Adaxes clients in the DMZ:

top of page

Uninstallation

Note: Before uninstalling Adaxes Service you may want to backup its configuration. For this purpose, use the Softerra.Adaxes.BackupRestore.exe tool.

To uninstall Softerra Adaxes:

  1. If you want to uninstall the Adaxes Service, make sure that the service is running. It is necessary to correctly unregister the service from your system (remove the service connection points and clean up the configuration set metadata).
  2. Open Add or Remove Programs and select the Softerra Adaxes product.
  3. Click Remove and follow the steps provided.

top of page

Upgrade to New Version

To upgrade to a new version of Adaxes you need to perform the following steps:

  1. Back up the configuration of your Adaxes service using the Softerra.Adaxes.BackupRestore.exe tool. This tool is located in the folder where the Adaxes service is installed, which is C:\Program Files\Softerra\Adaxes 3\Service by default.
    Upgrade from Adaxes 2012.1 (build 3.3.8815.0) and earlier
    Adaxes 2012.1 (build 3.3.8815.0) and earlier versions did not include Approval Requests in backup files. To be able to restore Approval Requests after upgrading, you need to manually include Approval Requests to the backup file:
    • Download PowerShell script.
    • Unzip the script to the folder where your Adaxes service is installed (by default, C:\Program Files\Softerra\Adaxes 3\Service).
    • Launch Windows PowerShell.
    • Navigate to the directory where you unzipped the script. For example, if your Adaxes service is installed in C:\Program Files\Softerra\Adaxes 3\Service, type cd C:\Program Files\Softerra\Adaxes 3\Service
    • Run the script using the following command: .\BackupApprovalRequests.ps1 -backupFilePath "<backup_file_path>" -defaultServiceAdminName "<admin_username>" where
      • <backup_file_path> - the path to the backup file created on the 1st step.
      • <admin_username> - the username of the default service administrator. If you are logged on as the default service administrator, you can omit this parameter.
      Example: .\BackupApprovalRequests.ps1 -backupFilePath "C:\Backup.Adaxes.Service.srvcfg" -defaultServiceAdminName EXAMPLE\Administrator
    • The script will output a new backup file updated with the data required to restore Approval Requests. It will be placed in the same folder as the source backup file and will have the same file name with .fixed added to the end. Use this file to restore Adaxes service configuration.
  2. Back up the configuration of your Web Interface using the Softerra.Adaxes.Web.UI.Configuration.exe tool. This tool is located in the folder where the Adaxes Web Interface is installed, which is C:\Program Files\Softerra\Adaxes 3\Web Interface by default.
  3. Uninstall the old version of Adaxes.
  4. Install the new version.
  5. If you have custom Web Interface sites deployed manually, replace old files of these sites with new ones by copying them from the folder of an existing Web Interface. By default, Adaxes Web Interface sites are installed in C:\Program Files\Softerra\Adaxes N\Web Interface.
  6. Restore the configuration of the Adaxes service using the Softerra.Adaxes.BackupRestore.exe tool.
  7. Restore the configuration of the Adaxes Web Interface using the Softerra.Adaxes.Web.UI.Configuration.exe tool.
  8. If you have enabled automatic sign in to the Adaxes Web Interface (Sign In as Current User), you need to manually set the impersonate flag to true in the Web.config file of the Web Interface. By default, this file is located in C:\Program Files\Softerra\Adaxes 3\Web Interface\<Web UI Type>.
      <configuration>
    	<system.web>
    	  ...
    	  <identity impersonate="true"/>
    	</system.web>
      </configuration>

Upgrade a Multi-Server Configuration

If you have multiple Adaxes services sharing the same configuration, you need to reinstall them one after another. Perform the following steps for each Adaxes service in the configuration set:

Note: When upgrading from Adaxes 2012.1 (build 3.3.8815.0) and earlier, you need to perform additional steps to preserve Approval Requests.
Adaxes 2012.1 (build 3.3.8815.0) and earlier versions did not allow to restore Approval Requests after an upgrade. Perform the following steps before uninstalling the old version of Adaxes to preserve Approval Requests:
  • Download PowerShell script.
  • Unzip the script to the folder where the Adaxes Service is installed (by default, C:\Program Files\Softerra\Adaxes 3\Service).
  • Launch Windows PowerShell.
  • Navigate to the directory where you unzipped the script. For example, if your Adaxes service is installed in C:\Program Files\Softerra\Adaxes 3\Service, type cd C:\Program Files\Softerra\Adaxes 3\Service
  • Run the script using the following command: .\BackupApprovalRequests.ps1 -defaultServiceAdminName "<admin_username>"
    where <admin_username> is the username of the default service administrator. If you are logged on as the default service administrator, you can omit this parameter.

    Example: .\BackupApprovalRequests.ps1 -defaultServiceAdminName EXAMPLE\Administrator
  1. Uninstall the old version of Adaxes.
  2. If you are moving an Adaxes service that shares its configuration with other Adaxes services from one computer to another, you need to manually transfer the information on pending Approval Requests.
    How to transfer information on pending Approval Requests
    • On the computer, where the previous instance of Adaxes was installed, locate the file named AdaxesCommandQueueBackup.ldif. A typical path to the file:
      • on Windows XP: C:\Documents and Settings\All Users\Application Data\Softerra\Adaxes 3\,
      • on Windows Vista: C:\ProgramData\Softerra\Adaxes 3\,
      • on Windows 7/8: C:\Users\All Users\Softerra\Adaxes 3\,
    • Copy the file to a similar folder on the computer to which you are transferring Adaxes service.
  3. Install the new version. During the installation, join the new Adaxes service to your configuration set.
  4. Wait until the configuration is replicated. To make sure that the replication is complete, launch Adaxes Administration Console, connect to the newly installed Adaxes service and wait until the connection is established.

top of page

Additional Components

Some of the Softerra Adaxes components require additional software to be installed in your operating system. All the additional software is installed automatically by the setup program, however you can do it manually if the automatic installation fails (the instructions are provided below).
The software components, the setup program is going to install, are listed on the Ready to Install page that is shown right before the installation process starts.

Additional software components installed automatically by the Adaxes setup program include:

Adaxes Service Service Administration Console Web Interface SPML Web Service

Note: After Softerra Adaxes is uninstalled, the additional components installed automatically remain in the system.

top of page

How Do I

Install Microsoft .NET Framework 3.5 SP1

  1. Visit http://www.microsoft.com/downloads/details.aspx?FamilyID=ab99342f-5d1a-413d-8319-81da479ab0d7.
  2. Follow the instructions to download and install Microsoft .NET Framework Version 3.5 SP1.


Grant Permissions to Publish Adaxes Service

  1. Open Active Directory Users and Computers on a domain controller.
  2. Connect to the domain of the target computer (the computer on which you want to install Softerra Adaxes).
    • In the console tree, right-click Active Directory Users and Computers, and then click Connect to Domain.
    • Type the domain name and click OK.
  3. On the View menu, select Advanced Features.
  4. Right-click the computer object, on which you want to install Softerra Adaxes, and then click Properties.
  5. On the Security tab, click Add and type the name of the user whom you want to grant the permissions to and then click OK.
  6. Select the Allow check boxes for the Create All Child Objects and Delete All Child Objects permissions.
  7. Click OK.


Install Microsoft Active Directory Application Mode (ADAM) SP1

To install ADAM, you must log on to your computer using an account that belongs to the local Administrators group.

To install ADAM on Windows Server 2003 or Windows XP:

  1. Visit http://www.microsoft.com/downloads/details.aspx?familyid=9688f8b9-1034-4ef6-a3e5-2a2a57b5c8e4.
  2. Follow the instructions to download and install Microsoft Active Directory Application Mode (ADAM) SP1.

To install ADAM on Windows Server 2003 R2:

  1. Log on as an administrator, click Start, point to Control Panel, and then click Add or Remove Programs.
  2. Click Add/Remove Windows Components.
  3. In the Components list, select the check box next to Active Directory Services, and then click Details.
  4. Select the check box next to Active Directory Application Mode (ADAM), click OK, and then click Next.
  5. Review the message that appears. Based on the contents of message, do one of the following:
    • If the message "You have successfully completed the Windows Component Wizard" appears, click Finish.
    • If an error message appears, make a note of the error, click Finish, and then review the ADAM event messages in Event Viewer.


Install Microsoft Active Directory Lightweight Directory Services (LD LDS) Server Role

To install AD LDS, you must log on to your computer using an account that belongs to the local Administrators group.

To install the AD LDS server role on Windows Server 2008 and Windows Server 2008 R2:

  1. Log on as an administrator, click Start, and then click Server Manager.
  2. In the console tree, right-click Roles, and then click Add Roles.
  3. Review the information on the Before You Begin page of the Add Roles Wizard, and then click Next.
  4. On the Select Server Roles page, in the Roles list, select the Active Directory Lightweight Directory Services check box, and click Next.
  5. Finish adding the AD LDS server role by following the instructions in the wizard.


Install Microsoft Active Directory Lightweight Directory Services (AD LDS)

To install AD LDS on Windows Vista:

  1. Visit http://www.microsoft.com/downloads/details.aspx?FamilyID=E1B7F0A5-2131-44FD-9DDE-FA146154E13A.
  2. Follow the instructions to download and install Microsoft Active Directory Lightweight Directory Services.

To install AD LDS on Windows 7:

  1. Visit http://www.microsoft.com/downloads/details.aspx?familyid=A45059AF-47A8-4C96-AFE3-93DAB7B5B658.
  2. Follow the instructions to download and install Microsoft Active Directory Lightweight Directory Services.


Install Microsoft Core XML Services (MSXML) 6.0

  1. Visit http://www.microsoft.com/downloads/details.aspx?FamilyID=d21c292c-368b-4ce1-9dab-3e9827b70604.
  2. Follow the instructions to download and install Microsoft Core XML Services (MSXML) 6.0.


Install Microsoft Internet Information Services (IIS) Components

To install Microsoft IIS on Windows Server 2003:

  1. Log on as an administrator, click Start, point to Control Panel, and then click Add or Remove Programs.
  2. Click Add/Remove Windows Components.
  3. In the Components list, select the Application Server check box, and then click Details.
  4. Select the Internet Information Services (IIS) check box, and then click Details.
  5. Select World Wide Web Service, and then select the check box.
  6. Click OK two times to return to the Components list, and then click Next.
  7. Click Finish when the IIS service is installed.

To install Microsoft IIS on Windows XP:

  1. Log on as an administrator, click Start, point to Control Panel, and then click Add or Remove Programs.
  2. Click Add/Remove Windows Components.
  3. In the Components list, select the Internet Information Services (IIS) check box, and then click Details.
  4. Select World Wide Web Service, and then select the check box.
  5. Click OK two times to return to the Components list, and then click Next.
  6. Click Finish when the IIS service is installed.

To install Microsoft IIS on Windows Vista and Windows 7:

  1. Log on as an administrator, click Start, point to Control Panel.
  2. Click Programs and Features.
  3. Click Turn Windows features on or off to display the Windows Features dialog.
  4. Click to expand Internet Information Services, and select the World Wide Web Service check box.
  5. Click OK.

To install Microsoft IIS server role on Windows Server 2008 and Windows Server 2008 R2:

  1. Log on as an administrator, click Start, point to Administrative Tools, and then click Server Manager.
  2. In the console tree, right-click Roles, and then click Add Roles.
  3. Review the information on the Before You Begin page of the Add Roles Wizard, and then click Next.
  4. On the Select Server Roles page, in the Roles list, select the Web Server (IIS) check box, and then click Next.
  5. Review the information on the Web Server (IIS) page of the Add Roles Wizard, and then click Next.
  6. On the Select Role Services page, select the ASP.NET check box.
  7. Finish adding the Web Server role by following the instructions in the wizard.


Install Windows PowerShell 2.0

  1. Visit http://support.microsoft.com/kb/968929.
  2. Follow the instructions to download and install Windows PowerShell 2.0.

Note: Windows 7 and Windows Server 2008 R2 have PowerShell 2.0 installed by default.



top of page


Copyright © 2009-2012 Softerra, Ltd. All Rights Reserved