Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

[Labs] How to upgrade Centrify Privilege Service On Premises with Windows Failover Clustering HA

11 April,19 at 11:50 AM

Starting with version 17.7 of Centrify Privilege Service (customer managed/on premises), the standalone option has been removed and only highly-available configurations leveraging Windows Server Failover Clustering are supported.

 

This blog covers the process of upgrading Centrify Privilege Service while maintaining high-availability.

 

The Upgrade Process

 

upg-pro.png Cluster Upgrade Requirements

  • As of this writing, CPS On-Premises runs on Windows Server 2012 R2.
  • The upgrade requires at least 2 nodes, and ideally 3 nodes (to have at least a 2-node cluster when an upgrade is in progress).
  • Access and administrative rights to the Windows Cluster.
  • Centrify Privilege Service software (the version to upgrade to).
  • Administrative rights in the cluster nodes to perform the upgrade.

 Connector Upgrade Requirements

  • Connectors can run on Windows Server 2012R2 and up.
  • Since connectors are highly-available by default, all you have to worry about is having multiple systems servicing important sites or identify any subnets, systems, databases or domains that are serviced by an individual connector. 
    For those, a maintenance window is required.
  • Another consideration for the upgrade is current sessions when SSH or RDP and other dedicated connectors like for AD or LDAP Proxying and RADIUS.

 Steps Overview

 A. Cluster Node Maintenance Mode

  1. Log in to your Windows Server Failover Cluster console system.
  2. Open Failover Cluster Manager and connect to your cluster.
  3. Review the current Role owner.
    verif.png
  4. Review any issues with the cluster.
    Check the cluster events (or your SIEM console).  It's not a good idea to ride unhealthy clusters.
  5. Set your passive node in maintenance.  Nodes > [nodename] > Pause > Drain Roles
    drain.PNG

B. Running Privilege Service Upgrade (or System Patching)

  1. Log in to your cluster node (the one that was put on maintenance).
  2. Run the Centrify Privilege Service setup program (or other maintenance like Windows or hardware patching).
    For CPS upgrade, expect to do this process at least twice.  During upgrade, the setup program will attempt to talk to the active node.
  3. For CPS upgrade: Answer the PowerShell prompt.
    prompt.png
    Note:  There are really only two options:  Y or N.  The default is N because you have to repeat the upgrade for all nodes until you reach the last one.

C. Reviewing IIS Application Pool Status  (only if using early access or prerelease)

  1. Open IIS Manager
  2. Navigate to Application pools and verify that the Centrify app pool is running.
    pool.png
  3. If it's stopped, start it.  If all of them are stopped and you get a Windows Process Activation error, you may have to reboot due to Windows Update dependency issue.

D. Getting the node system back in service

  1. Log in to your Windows Server Failover Cluster console system.
  2. Open Failover Cluster Manager and connect to your cluster
  3. Resume your recently upgraded node  (Cluster > Nodes > [node] > Resume > Do not Fail Roles Back)
    failback.PNG
  4. Transfer the CPS Role ownership to the recently-upgraded node.
    move.png
  5. Monitor the Cluster transfer, IIS Service and Database Service (for example, the database service on node1).
    Get-Service cisdb-pgsql -ComputerName node1.example.vms
    

F. Verifying functionality

  1. Log on to privilege service
  2. In the upper right corner icon (your name is displayed), select About.
    m4.png
    This should reflect the new upgrade version.
  3. If this was the first node, repeat the same process from A to F until  you are done with all nodes.

 

Upgrading the Centrify Connector Infrastructure
Connectors provide CPS with the ability to reach systems, domains, databases, public/private clouds and offer an array of services including session and audit capture.  Connectors can be upgraded manually or automatically.  The options are outlined below:

 conn-upgrd.png

 

Connector Planning Topics

  • What are the capabilities of the existing connectors, what AD or LDAP domains do they serve, are they at the same version level?
  • Are there any subnets, systems, databases or domains that are only being serviced by only one connector?
    subnetmap.PNG
    Based on the screen shot above, looks like this subnet is under-served (only one connector).  Time to plan for a maintenance window, or add another connector to provide high-availability.
  • For IaaS (like Azure, AWS or Google Cloud):  Are there any Centrify connectors that may not have persistent connectivity to the server nodes?

 

Video - Upgrading a 3-Node Cluster and 2 Connectors
(17 min)

Privilege Service On Premises -  High Availablility - Where to next?

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.