Symantec Endpoint Encryption 6.2 Server Installation - Illustrated Step-by-step Guide

Article ID: 177430

Products

Endpoint Encryption

Resolution

Before continuing with the steps below, please consult the following knowledge base documents:
Overview

This document describes how to install an initial instance of the SEE Server on a member server. Using these steps, you create the necessary groups and user objects in Active Directory, run the ADAM installer, create objects in ADAM, extend the ADAM schema, and set access permissions on the ADAM objects.

Prerequisites
Installing the SEE Server initial instance requires the following:
  • A computer running Windows Server 2003 joined to the domain as a member server.
  • Two domain groups used as Windows security principals for authentication to the SEE Server: for example, ADAM Admins DG and ADAM Clients DG.
  • One domain group used for managing SEE Full Disk help desk functionality: for example, ADAM Read-Only DG.
  • Three local groups on the SEE Server: for example, ADAM Admins LG, ADAM Clients LG, and ADAM Read-Only LG. The three domain groups (ADAM Admins DG, ADAM Clients DG, and ADAM Read-Only DG) will be added as members of their respective local groups on the SEE Server.
  • Two Active Directory domain user accounts: for example, ADAM Admin and ADAM Client. The ADAM Admin domain user account will be added as a member of the domain group ADAM Admins DG, and the ADAM Client domain user account will be added as a member of the domain group ADAM Clients DG.
  • One or more domain user accounts: for example, ADAM Read-Only, that can be assigned a help desk role for assisting users with One-Time Password recovery. These domain accounts will be added as members of the domain group ADAM Read-Only DG.
  • The ADAM Setup folder containing the following three items: the ADAM installer (adamsetup.exe); a configuration file used by the ADAM installer (answer.txt); and the SEE schema (EASchema.ldf). These files could be located on a shared network directory, on the SEE Server(s), or in some other location. The person who provided you with this Guide should be able to direct you to this location.
  • A local administrator account on the SEE Server that possesses sufficient rights to be able to run the ADAM installer, create the local groups, and add the domain user accounts as members of the local groups.
  • The user names and passwords of the three domain user accounts mentioned previously. This Guide uses the names ADAM Admin, ADAM Client, and ADAM Read-Only.

Summary of Steps
This document will walk you through the remaining steps necessary to complete installation:
  1. Create the three local groups on the SEE Server.
  2. Download and install ADAM SP1.
  3. Launch the ADAM Setup Wizard and install the initial ADAM instance.
  4. Create the required OUs on the SEE Server using the ADAM ADSI Edit snap-in.
  5. Import the SEE schema to the SEE Server using the ldifde.exe utility.
  6. Set access permissions for two of the local groups using the dsacls.exe utility.
  7. Set ADAM object membership for one of the local groups using the ADAM ADSI Edit snap-in.
  8. Verify correct operation of the SEE Server using the dsdbutil.exe utility.
  9. Optionally install additional ADAM replica instances.


Local Group Creation

The SEE Server requires three local groups. This Guide uses the names ADAM Admins LG, ADAM Clients LG, and ADAM Read-Only LG. In this step, you will create the three local groups and add the domain groups, ADAM Admins DG, ADAM Clients DG, and ADAM Read-Only DG, as members of their respective groups.

1. On the SEE Server, click Start, and point to Run. Type compmgmt.msc, and click OK. The Computer Management snap-in will display.

2. In the left pane, expand Local Users and Groups, then click the object Groups. The list of local groups will display in the right pane. Right-click the Groups object and choose New Group.

3. The New Group window appears. In the Group name box, type the name of the new group; for example, ADAM Admins LG.

4. Click Add. The Select Users, Computers, or Groups window appears. To add the existing domain group ADAM Admins DG as a member of the local group ADAM Admins LG, specify this group in the Enter the object names to select box.
For example, if the NetBIOS name of your domain is YOUR-ORG, you would type YOUR-ORG\ADAM Admins DG. Click OK.


Select Domain Group “ADAM Admins DG”

5. If you are running under a local account which has local administrator rights, the Enter Network Password dialog will now prompt you to authenticate to the domain. If you are running under a domain account with local administrator rights, you will not be prompted to enter domain credentials, and you may skip ahead to step 7.


Authenticate to Add Domain Group to the Local Group

6. Type the domain credentials and click OK.


Add Group “ADAM Admins DG” to the Local Group “ADAM Admins LG”

7. Click Create. The entry boxes will clear, allowing you to create another new group. You will now repeat steps 3–6 again, this time creating the local group named ADAM Clients LG and adding the existing domain group ADAM Clients DG as a member of the local group ADAM Clients LG. If you are running under a local account which has local administrator rights, be prepared to once again type the domain credentials when prompted.

8. With the New Group window still open, type ADAM Clients LG in the Group name box.

9. Click Add. The Select Users, Computers, or Groups window appears. To add the existing domain group ADAM Clients DG as a member of the local group ADAM Clients LG, specify this group in the Enter the object names to select box.
For example, if the NetBIOS name of your domain is YOUR-ORG, you would type YOUR-ORG\ADAM Clients DG. Click OK.


Select Domain Group “ADAM Clients DG”

10. If you are running under a local account that has local administrator rights, the Enter Network Password dialog will now prompt you to authenticate to the domain. If you are running under a domain account with local administrator rights, you will not be prompted to enter domain credentials, and you may skip ahead to step 12.


Authenticate to Add Domain Group to the Local Group

11. Type the domain credentials and click OK.


Add Group “ADAM Clients DG” to the Local Group “ADAM Clients LG”

12. Click Create. The entry boxes will clear, allowing you to create another new group. You will now repeat steps 3–6 again, this time creating the local group named ADAM Read-Only LG and adding the existing domain group ADAM Read-Only DG as a member of the local group ADAM Read-Only LG. If you are running under a local account which has local administrator rights, be prepared to once again type the domain credentials when prompted.

13. With the New Group window still open, type ADAM Read-Only LG in the Group name box.

14. Click Add. The Select Users, Computers, or Groups window appears. To add the existing domain group ADAM Read-Only DG as a member of the local group ADAM Read-Only LG, specify this group in the Enter the object names to select box.
    For example, if the NetBIOS name of your domain is YOUR-ORG, you would type YOUR-ORG\ADAM Read-Only DG. Click OK.


Select Domain Group “ADAM Read-Only DG”

15. If you are running under a local account that has local administrator rights, the Enter Network Password dialog will now prompt you to authenticate to the domain. If you are running under a domain account with local administrator rights, you will not be prompted to enter domain credentials, and you may skip ahead to step 17.


Authenticate to Add Domain Group to the Local Group

16. Type the domain credentials and click OK.


Add Group “ADAM Read-Only DG” to the Local Group “ADAM Read-Only LG”

17. Click Create, then click Close.


Three Local Groups Created on the SEE Server

18. You should now see the ADAM Admins LG, ADAM Clients LG, and ADAM Read-Only LG groups in the Computer Management window, as in the screenshot above.


ADAM Installation & Instance Creation

Basics

Before installing the SEE Server, you must download and install ADAM SP1. The ADAM SP1 installer may be downloaded from the Microsoft website at the following URL:
http://www.microsoft.com/downloads/details.aspx?familyid=9688f8b9-1034-4ef6-a3e5-2a2a57b5c8e4&displaylang=en
Make sure that you download the 32-bit version of ADAM SP1 (ADAMSP1_x86_English.exe).

Installing ADAM SP1
If you have not done so already, copy the ADAM Setup folder to the computer that will host your SEE Server instance. Copy the ADAM SP1 installer application (ADAMSP1_x86_English.exe) to the ADAM Setup folder, and launch it. Click Next. The License Agreement page of the ADAM Setup Wizard appears. Select the option I Agree, then click Next. On the final installation screen, click Finish.

Creating the Initial ADAM Instance

1. Click Start, click Programs, click ADAM, then click Create an ADAM instance.

2. The Welcome page of the ADAM Setup Wizard appears. Click Next.


ADAM Setup Wizard, Setup Options

3. On the Setup Options page, accept the default option A unique instance. Click Next.


ADAM Setup Wizard, Instance Name

4. On the Instance Name page, type the name you will use for the first SEE Server instance, then click Next.

Tip: The examples shown throughout this Guide use the instance name EncryptionAnywhere. You can use an instance name of your choice.


ADAM Setup Wizard, Ports

5. The Ports page displays. If the default LDAP and LDAPS port numbers 389 and 636 are available, the LDAP port number and SSL port number boxes will be prefilled with these numbers. If the default ports are already in use, the port number boxes will automatically be prefilled with alternate port numbers starting at port 50000. You can also specify a different set of ports. Click Next.
    The ports you selected will be published as part of the Service Connection Point (SCP). The SCP is an object created in Active Directory as part of ADAM installation, and allows SEE Client Computers to locate the SEE Server instance.


ADAM Setup Wizard, Application Directory Partition

6. On the Application Directory Partition page, click Yes, create an application directory partition. While multiple distinct SEE Servers are supported in a single Active Directory Forest, each SEE Server instance and its replicas must use the same application partition name. Type a valid partition name into the box, for example: dc=EncryptionAnywhere,dc=com

Note: The application directory partition can be expressed in the form of either an X.500- or DNS-style distinguished name. You may not mix X.500- and DNS-style names. For X.500-style names, only the O (Organization) and C (Country/region) attributes are supported. For DNS-style names, only the OU (Organizational Unit) and DC (Domain Component) attributes can be used. Attribute values are limited to 256 characters with no spaces.

Valid forms of X.500-style names include:
  • O=AttributeValue,C=AttributeValue
  • O=AttributeValue,C=AttributeValue,C=AttributeValue
  • O=AttributeValue,O=AttributeValue
  • O=AttributeValue,O=AttributeValue,C=AttributeValue,C=AttributeValue

Valid forms of DNS-style names include:
  • OU=AttributeValue,DC=AttributeValue
  • OU=AttributeValue,DC=AttributeValue,DC=AttributeValue
  • OU=AttributeValue,OU=AttributeValue
  • OU=AttributeValue,OU=AttributeValue,DC=AttributeValue,DC=AttributeValue
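As an added check that is not part of the original guide, the following Python function applies the constraints stated in the Note above to a candidate partition name before you type it into the wizard: only O and C for X.500-style names, only OU and DC for DNS-style names, no mixing of the two styles, and attribute values of at most 256 characters with no spaces. It accepts names built from a single attribute type (such as the guide's own dc=EncryptionAnywhere,dc=com) because the listed forms are examples rather than an exhaustive grammar; that reading is an assumption.

```python
"""Validate an ADAM application directory partition name against the
constraints stated for the SEE Server install: X.500-style names use only
O and C, DNS-style names use only OU and DC, the two styles are never
mixed, and each attribute value is at most 256 characters with no spaces.
"""
import re
from typing import List, Tuple

X500_ATTRS = {"O", "C"}
DNS_ATTRS = {"OU", "DC"}
MAX_VALUE_LEN = 256

# One RDN: an alphabetic attribute type, '=', then the value (kept verbatim).
_RDN_RE = re.compile(r"^\s*([A-Za-z]+)=(.*)$")


def parse_rdns(dn: str) -> List[Tuple[str, str]]:
    """Split 'dc=EncryptionAnywhere,dc=com' into
    [('DC', 'EncryptionAnywhere'), ('DC', 'com')].
    Attribute types are normalised to upper case so dc= and DC= compare equal."""
    rdns = []
    for part in dn.split(","):
        m = _RDN_RE.match(part)
        if not m:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((m.group(1).upper(), m.group(2)))
    return rdns


def partition_style(dn: str) -> str:
    """Return 'x500' or 'dns', or raise ValueError explaining why the name is
    not acceptable as an ADAM application directory partition."""
    rdns = parse_rdns(dn)
    attrs = {attr for attr, _ in rdns}
    if attrs <= X500_ATTRS:
        style = "x500"
    elif attrs <= DNS_ATTRS:
        style = "dns"
    elif attrs <= X500_ATTRS | DNS_ATTRS:
        raise ValueError(
            "X.500-style (O, C) and DNS-style (OU, DC) attributes may not be mixed")
    else:
        bad = sorted(attrs - (X500_ATTRS | DNS_ATTRS))
        raise ValueError(f"unsupported attribute type(s): {', '.join(bad)}")
    # Per-value limits stated in the Note: non-empty, no spaces, <= 256 chars.
    for attr, value in rdns:
        if not value:
            raise ValueError(f"{attr} has an empty value")
        if " " in value:
            raise ValueError(f"{attr}={value!r} contains a space")
        if len(value) > MAX_VALUE_LEN:
            raise ValueError(f"{attr} value exceeds {MAX_VALUE_LEN} characters")
    return style


def is_valid_partition(dn: str) -> bool:
    """Boolean wrapper around partition_style for quick checks."""
    try:
        partition_style(dn)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ("dc=EncryptionAnywhere,dc=com",
                      "O=Example,C=US",
                      "OU=SEE,DC=example,DC=com",
                      "O=Example,DC=com"):          # mixed styles: rejected
        try:
            print(f"{candidate}: {partition_style(candidate)}")
        except ValueError as err:
            print(f"{candidate}: rejected ({err})")
```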


ADAM Setup Wizard, File Locations

7. Click Next.

8. On the File Locations page, you can view and change the installation directories of SEE Server data and recovery files. By default, SEE Server data and recovery files are installed in %ProgramFiles%\Microsoft ADAM\instancename\data, where instancename represents the name of the SEE Server instance you specified on the Instance Name page (see screenshot in step 4).
    The DIT data files are the contents of the SEE Server stored as individual files, while the LOG data recovery files are used for SEE Server troubleshooting. The ADAM installer places the ADAM program files and administration tools in the directory %windir%\ADAM.
    Specify alternate locations for these files, or accept the default values and click Next.


ADAM Setup Wizard, Service Account Selection

9. Use the Service Account Selection page to specify the user account under which the SEE Server instance will run. By default, the SEE Server instance runs using the default network service account.

10. Click Next to accept the default value.


ADAM Setup Wizard, ADAM Administrators

11. On the ADAM Administrators page, specify the user or group which will have administrative privileges for the SEE Server instance. Click Browse and type in the full name of the local group you created earlier; for example, EAS-01\ADAM Admins LG, where EAS-01 is the local computer name of the SEE Server on which you are installing ADAM. Click OK.
    In the example shown in the screenshot above, the full name of the local group ADAM Admins LG on the local computer EAS-01 is specified as EAS-01\ADAM Admins LG. Click Next to continue.


ADAM Setup Wizard, Importing LDIF Files

12. On the Importing LDIF Files page, accept the default choice of Do not import LDIF files for this instance of ADAM, then click Next.
    You will import the SEE LDIF schema from the command line in a later step.


ADAM Setup Wizard, Ready to Install

13. The Ready to Install page is displayed. Before continuing with the installation of ADAM, scroll through the Selections box and review the settings you specified in the previous wizard pages. Once you have verified these settings, click Next to begin installation.

14. The Installing ADAM page is displayed showing installation progress.


ADAM Setup Wizard, Installing ADAM

15. Once the installation process has finished, the completion page will be displayed.

16. Click Finish.


New Organizational Units

In the following steps, you will bind to the SEE Server instance and create the two new organizational units (OUs): EncryptionAnywhereComputers and AdminsStore.

Warning: The OU names must be EncryptionAnywhereComputers and AdminsStore, respectively. If you create the OUs using any other names, or change the OU names later on, the clients will be unable to communicate with the SEE Server.

1. Click Start, point to All Programs, point to ADAM, then click ADAM ADSI Edit. The ADAM ADSI Edit snap-in opens.

2. In the left pane, select the top-level node named ADAM ADSI Edit, right-click, and choose Connect to.


ADAM ADSI Edit, Bind to the ADAM Instance

3. In the Connection Settings window, use the following settings to bind to the SEE Server instance:
    In the Server name box, use the default value localhost.
    In the Port box, type 389 (or whatever LDAP port number you specified during ADAM installation).
    Click Distinguished name (DN) or naming context, and in the box type dc=EncryptionAnywhere,dc=com
    Click This account, select the domain user account of the ADAM Admin from the User name list, then type in the password for that account.

4. Click OK to bind to the SEE Server instance.

5. Once your credentials have been accepted, expand the My Connection object in the left navigation pane of the snap-in window. The navigation pane will populate with the SEE Server instance showing its default containers.
    Right-click the container named dc=EncryptionAnywhere,dc=com and point to New, then click Object. The Create Object window appears.


ADAM ADSI Edit, Create an OU Object in ADAM

6. Click organizationalUnit, and then click Next.


ADAM ADSI Edit, Name New OU Object “EncryptionAnywhereComputers”

7. In the Value box, type the name of the first OU you are creating, EncryptionAnywhereComputers, then click Next. Click Finish.

8. You will now repeat steps 5–6 to create a second OU named AdminsStore. With the My Connection object still expanded in the left navigation pane of the snap-in window, right-click the container named dc=EncryptionAnywhere,dc=com and point to New, then click Object. The Create Object window appears.


ADAM ADSI Edit, Create an OU Object in ADAM

9. Select organizationalUnit and click Next.


ADAM ADSI Edit, Name New OU Object “AdminsStore”

10. Type the name of the second OU you are creating in the Value box, AdminsStore, then click Next. Click Finish.
    With two new OUs added to the SEE Server, the container structure of the SEE Server instance should resemble the ADAM ADSI Edit window shown in the screenshot below.


ADAM ADSI Edit, Two New OU Objects Created in ADAM

You are now ready to extend the SEE Server with the SEE schema, allowing SEE Client Computers to store their data in the SEE Server.


SEE Schema Importation

In this step, you will copy the SEE schema file EASchema.ldf from the ADAM Setup folder to the folder in which the ADAM tools were installed. You will then import the schema into the SEE Server using the LDIF Data Exchange utility (ldifde.exe).

1. Right-click the ADAM Setup folder and choose Explore. An explorer window opens showing the ADAM Setup folder contents in the right pane.

2. Right-click My Computer and choose Explore. In the explorer window that opens, navigate to the C:\Windows\ADAM directory so that the directory contents are shown in the right pane.

3. Expand the ADAM Setup folder explorer window and locate the file EASchema.ldf in the right-hand pane.

4. Right-click the EASchema.ldf file, drag the file into the right pane of the C:\Windows\ADAM explorer window, then release the right mouse button and choose Copy Here.

5. Next, open a command prompt in the ADAM directory using one of the following two methods:
    • Click Start, then click Run. Type cmd, and click OK. In the command prompt window that opens, type CD C:\Windows\ADAM and press ENTER.
    • Click Start, and then point to All Programs, point to ADAM, and click ADAM Tools Command Prompt.

6. At the C:\WINDOWS\ADAM> command prompt, type the following command and press ENTER:
    ldifde.exe -i -f EASchema.ldf -t 389 -b adamadmin your-org * -s localhost -k -c "CN=Schema,CN=Configuration,DC=X" #schemaNamingContext

7. Type the password of the ADAM admin account when prompted.
    Be sure to replace the adamadmin and your-org entries shown in the ldifde.exe command line above with the account name and domain you specified for your own ADAM Admin domain user account. If you did not set the LDAP port to 389 but specified a different port during ADAM setup, replace the 389 shown in the command line above with the port number you specified.


Import the SEE Schema to ADAM


Access Permissions

In the following steps of the manual SEE Server install process, you will set the permissions on the two organizational units (OUs) you created on the SEE Server. You will do this by logging on to the SEE Server as an ADAM Administrator and executing the dsacls.exe utility four separate times with four different sets of parameters.

ADAM Clients Local Group Grant Access—ADAM OU

The first time you execute the dsacls.exe utility, you will grant any member of the local group ADAM Clients LG the ability to perform a wide range of operations when accessing the ADAM OU named EncryptionAnywhereComputers and its child objects.
The long permissions string (“GASDDTRCWDWOLCCCDCWSRPWPCALO”) in the following command line represents the list of granted operations. These operations include:
  • Generic read/write/execute,
  • Delete,
  • Delete an object and all of its children,
  • Read or change the security information,
  • Change the owner information,
  • List the children of an object,
  • Create and delete child objects,
  • Write to self,
  • Read and write properties,
  • Control access rights, and
  • List the object access.

If you have not already logged on to the SEE Server using the ADAM Admin domain user account, do so now.

1. At the C:\WINDOWS\ADAM> command prompt, type the following command, and press ENTER:
    dsacls.exe "\\localhost:389\OU=EncryptionAnywhereComputers,dc=EncryptionAnywhere,dc=com" /G "ADAM Clients LG":GASDDTRCWDWOLCCCDCWSRPWPCALO /domain:your-org /user:adamadmin /passwd:* /I:T
2. Type the password of the ADAM admin account when prompted.
    Be sure to replace the domain:your-org and user:adamadmin entries shown with the credentials you specified for your own ADAM Administrator domain user account. Replace the ADAM Clients LG entry with the name you specified for your own ADAM clients local group. If you specified a different LDAP port number during SEE Server setup, replace the 389 shown in the command line above with the port number you specified, and replace dc=EncryptionAnywhere,dc=com with the application partition name of the instance you are configuring.


Grant Local Group “ADAM Clients LG” Access to OU “EncryptionAnywhereComputers”

ADAM Clients Local Group Deny Access—AdminsStore OU

Run the dsacls.exe utility a second time to restrict any member of the local group ADAM Clients LG from performing a broad range of operations when accessing the AdminsStore OU in the SEE Server. The list of denied operations includes:
  • Generic read/write/execute,
  • Delete,
  • Delete an object and all of its children,
  • Read or change the security information,
  • Change the owner information,
  • List the children of an object,
  • Create and delete child objects,
  • Write to self,
  • Read and write properties,
  • Control access rights, and
  • List the object access.

1. At the C:\WINDOWS\ADAM> command prompt, type the following command and press ENTER:
    dsacls.exe "\\localhost:389\OU=AdminsStore,dc=EncryptionAnywhere,dc=com" /D "ADAM Clients LG":GASDDTRCWDWOLCCCDCWSRPWPCALO /domain:your-org /user:adamadmin /passwd:*
2. Type the password of the ADAM admin account when prompted.
    Be sure to replace the domain:your-org and user:adamadmin entries shown with the credentials you specified for your own ADAM Administrator domain user account. Replace the ADAM Clients LG entry with the name you specified for your own ADAM clients local group. If you specified a different LDAP port number during SEE Server setup, replace the 389 shown in the command line above with the port number you specified, and replace dc=EncryptionAnywhere,dc=com with the application partition name of the instance you are configuring.


Deny Local Group “ADAM Clients LG” Access to OU “AdminsStore”

ADAM Clients Local Group Read Access—All Objects

Run the dsacls.exe utility a third time to give any member of the local group ADAM Clients LG the ability to read and list the children of all other objects in the SEE Server besides those in the EncryptionAnywhereComputers and AdminsStore OUs.

1. At the C:\WINDOWS\ADAM> command prompt, type the following command and press ENTER:
    dsacls.exe "\\localhost:389\dc=EncryptionAnywhere,dc=com" /G "ADAM Clients LG":GRLC /domain:your-org /user:adamadmin /passwd:* /I:T
2. Type the password of the ADAM admin account when prompted.
    Be sure to replace the domain:your-org and user:adamadmin entries shown with the credentials you specified for your own ADAM Administrator domain user account. Replace the ADAM Clients LG entry with the name you specified for your own ADAM clients local group. If you specified a different LDAP port number during SEE Server setup, replace the 389 shown in the command line above with the port number you specified, and replace dc=EncryptionAnywhere,dc=com with the application partition name of the instance you are configuring.
    The screenshot below shows the output of the command prompt window after executing the dsacls.exe command.


Grant Local Group “ADAM Clients LG” Read Access


ADAM Clients Local Group Read & List—Configuration Partition

Run the dsacls.exe utility a fourth and final time to give any member of the local group ADAM Clients LG the ability to read and list the children of all objects in the configuration partition. This allows members of ADAM Clients LG the ability to read configuration information.
Since the dsacls.exe utility requires you to specify the configuration partition according to its GUID, you must first determine the GUID using the ADAM ADSI Edit snap-in.

1. Click Start, point to All Programs, point to ADAM, then click ADAM ADSI Edit. The ADAM ADSI Edit snap-in opens.

2. In the left pane, select the top-level node named ADAM ADSI Edit, right-click, and choose Connect to.

3. In the Connection Settings window, use the following settings to bind to the SEE Server instance:
    In the Server name box, type localhost.
    In the Port box, type 389 (or whatever LDAP port number you specified during ADAM installation).
    Click Well-known naming context, then select Configuration from the drop-down list.
    Click This account, select the domain user account of the ADAM Admin from the User name list, then type in the password for that account.

Connection Settings

4. Click OK to bind to the configuration partition of the SEE Server instance.

5. Once your credentials have been accepted, the left pane of the snap-in window will populate with the configuration partition of the SEE Server instance. The configuration partition container object will have a name similar to
    CN=Configuration,CN={5C8AFFC9-89D2-4ADF-B5E0-6A3AE3D31200}, where the lengthy number between the braces is the Globally Unique Identifier (GUID) of the configuration partition.

6. Select the configuration partition container object, then press CTRL-C to copy the GUID.

7. At the C:\WINDOWS\ADAM> command prompt, type the following command and replace the {GUID.EN_US} parameter with the GUID you captured in the previous step. Press ENTER:
    dsacls.exe "\\localhost:389\CN=Configuration,CN={GUID.EN_US}" /G "ADAM Clients LG":GRLC /domain:your-org /user:adamadmin /passwd:* /I:T
8. Type the password of the ADAM admin account when prompted.
    Be sure to replace the domain:your-org and user:adamadmin entries shown with the credentials you specified for your own ADAM Administrator domain user account. Replace the ADAM Clients LG entry with the name you specified for your own ADAM clients local group. If you specified a port other than 389, replace port 389 shown with your own value.
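The following Python helper, added here and not part of the original guide or of dsacls.exe itself, decodes the permission strings used in the four dsacls.exe commands above into their two-letter rights so you can review exactly what is granted to, or denied, ADAM Clients LG before running each command; it also checks that the deny on AdminsStore carries the same rights as the grant on EncryptionAnywhereComputers and that the GRLC read-only grant is a subset of the full grant. The right codes and their meanings follow the dsacls /G and /D syntax; treating GA as covering every other right is this example's own simplification.

```python
"""Decode the dsacls.exe permission strings used in the SEE Server install
(e.g. "GASDDTRCWDWOLCCCDCWSRPWPCALO" and "GRLC") into the individual rights
they grant or deny, so each ACE change can be reviewed before it is applied.
"""
from typing import Dict, List, Set

# Two-letter dsacls right codes (as used with /G and /D) and their meanings.
DSACLS_RIGHTS: Dict[str, str] = {
    "GR": "generic read",
    "GE": "generic execute",
    "GW": "generic write",
    "GA": "generic all",
    "SD": "delete",
    "DT": "delete an object and all of its children",
    "RC": "read security information",
    "WD": "change security information",
    "WO": "change owner information",
    "LC": "list the children of an object",
    "CC": "create child object",
    "DC": "delete child object",
    "WS": "write to self",
    "RP": "read property",
    "WP": "write property",
    "CA": "control access right",
    "LO": "list object access",
}

# The strings used in the four dsacls.exe commands of the guide.
CLIENTS_FULL = "GASDDTRCWDWOLCCCDCWSRPWPCALO"   # grant on EncryptionAnywhereComputers, deny on AdminsStore
CLIENTS_READ = "GRLC"                           # grant on the partition root and on the configuration partition


def decode_rights(perm: str) -> List[str]:
    """Split a dsacls permission string into its two-letter codes.
    Raises ValueError on odd length or an unknown code: the kind of typo that
    makes dsacls reject the command or apply something other than intended."""
    perm = perm.strip().upper()
    if len(perm) % 2:
        raise ValueError(f"permission string has odd length: {perm!r}")
    codes = [perm[i:i + 2] for i in range(0, len(perm), 2)]
    unknown = [c for c in codes if c not in DSACLS_RIGHTS]
    if unknown:
        raise ValueError(f"unknown dsacls right code(s): {', '.join(unknown)}")
    return codes


def describe(perm: str) -> List[str]:
    """Human-readable line per right, in the order they appear in the string."""
    return [f"{c}: {DSACLS_RIGHTS[c]}" for c in decode_rights(perm)]


def covers(granted: str, required: str) -> bool:
    """True if every right in `required` is present in `granted`.
    Simplification (this example's assumption): GA (generic all) is treated
    as covering every other right."""
    have: Set[str] = set(decode_rights(granted))
    need: Set[str] = set(decode_rights(required))
    if "GA" in have:
        return True
    return need <= have


def deny_mirrors_grant(grant: str, deny: str) -> bool:
    """The install denies ADAM Clients LG on AdminsStore exactly the rights it
    grants them on EncryptionAnywhereComputers; this confirms the two strings
    carry the same set of rights, regardless of order."""
    return set(decode_rights(grant)) == set(decode_rights(deny))


if __name__ == "__main__":
    for line in describe(CLIENTS_FULL):
        print(line)
    print("deny on AdminsStore mirrors grant:", deny_mirrors_grant(CLIENTS_FULL, CLIENTS_FULL))
    print("read-only grant is a subset of full grant:", covers(CLIENTS_FULL, CLIENTS_READ))
```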


Grant Local Group “ADAM Clients LG” Read Access to ADAM Config Partition


ADAM Object Membership

In this step, you will add the ADAM Read-Only Local Group as a member of the CN=Readers object in the Configuration Partition, and then add the CN=Readers object of the Configuration Partition to the CN=Readers object of the Application Partition.

Add ADAM Read-Only Local Group as Member of Configuration Readers

Run the ADAM ADSI Edit snap-in to add the local group ADAM Read-Only LG to the members attribute of the CN=Readers object in the Configuration Partition of ADAM.

1. Click Start, point to All Programs, point to ADAM, then click ADAM ADSI Edit. The ADAM ADSI Edit snap-in opens.

2. In the left pane, select the top-level node named ADAM ADSI Edit, right-click, and choose Connect to.

3. In the Connection Settings window, use the following settings to bind to the SEE Server instance:
    In the Server name box, type localhost.
    In the Port box, type 389 (or whatever LDAP port number you specified during ADAM installation).
    Click Well-known naming context, then select Configuration from the drop-down list.
    Click This account, select the domain user account of the ADAM Admin from the User name list, then type in the password for that account.


Connection Settings

4. Click OK to bind to the configuration partition of the SEE Server instance.

5. Once your credentials have been accepted, the left pane of the snap-in window will populate with the configuration partition of the SEE Server instance. Expand the configuration partition container object and click CN=Roles.

6. In the right pane, right-click on CN=Readers and choose Properties. The CN=Readers Properties window displays.


CN=Readers Properties

7. Browse the attributes list and locate the attribute named member, then double-click it. The Multi-valued Distinguished Name With Security Principal Editor window displays. This box allows you to add Windows or ADAM groups to the member attribute.


Add Local Group ADAM Read-Only LG as Member

8. Click Add Windows Account. The Select Users, Computers, or Groups window appears. To add the existing local group ADAM Read-Only LG as a member attribute, specify this group in the Enter the object names to select box.
    For example, if the name of your SEE Server is EAS-01, you would type EAS-01\ADAM Read-Only LG. Click OK.


ADAM Read-Only LG Added as Member

9. Click OK to close the Multi-valued Distinguished Name With Security Principal Editor window. Click OK to close the CN=Readers Properties window.

Add Configuration Partition Readers to Application Partition Readers

Run the ADAM ADSI Edit snap-in to add the CN=Readers object of the Configuration Partition to the CN=Readers object of the Application Partition.
Since this step requires you to specify the configuration partition according to its GUID, you must first determine the GUID using the ADAM ADSI Edit snap-in. See the section “ADAM Clients Local Group Read & List—Configuration Partition” for details on how to obtain the GUID of the configuration partition.

1. Click Start, point to All Programs, point to ADAM, then click ADAM ADSI Edit. The ADAM ADSI Edit snap-in opens.

2. In the left pane, select the top-level node named ADAM ADSI Edit, right-click, and choose Connect to.


Connection Settings

3. In the Connection Settings window, use the following settings to bind to the SEE Server instance:
    In the Server name box, use the default value localhost.
    In the Port box, type 389 (or whatever LDAP port number you specified during ADAM installation).
    Click Distinguished name (DN) or naming context, and in the box type dc=EncryptionAnywhere,dc=com
    Click This account, select the domain user account of the ADAM Admin from the User name list, then type in the password for that account.

4. Click OK to bind to the SEE Server instance.

5. Once your credentials have been accepted, the left pane of the snap-in window will populate with the application partition of the SEE Server instance. Expand the application partition container object and click CN=Roles.

6. In the right pane, right-click on CN=Readers and choose Properties. The CN=Readers Properties window displays.


CN=Readers Properties

7. Browse the attributes list and locate the attribute named member, then double-click it. The Multi-valued Distinguished Name With Security Principal Editor window displays. This box allows you to add Windows or ADAM groups to the member attribute.

8. Click Add ADAM Account. The Add ADAM Account window displays.
    To add the readers group object of the configuration partition to the readers group object of the application partition, you must specify the distinguished name of the object in the Add ADAM Account box.
    The CN=Readers object from the configuration partition will have a distinguished name similar to
    CN=Readers,CN=Roles,CN=Configuration,CN={5C8AFFC9-89D2-4ADF-B5E0-6A3AE3D31200}, where the lengthy number between the braces is the Globally Unique Identifier (GUID) of the configuration partition.

9. In the Add ADAM Account box, type the following path and replace the {GUID.EN_US} parameter with the GUID from the configuration partition of your own SEE Server:
    CN=Readers,CN=Roles,CN=Configuration,CN={GUID.EN_US}


Add Configuration Partition Readers Object

10. Click OK. The Multi-valued Distinguished Name With Security Principal Editor window shows that the CN=Readers configuration partition object has been added.


Readers Object Added to Application Partition

11. Click OK to close the Multi-valued Distinguished Name With Security Principal Editor window. Click OK to close the CN=Readers Properties window.
    The SEE Server instance is now fully installed. Next, verify that the SEE Server instance was correctly installed and is working.


Verification

1. At the C:\WINDOWS\ADAM> command prompt, type the following command:
    dsdbutil
    Press ENTER.

2. The dsdbutil utility opens showing the dsdbutil command prompt.
    At the dsdbutil command prompt, type the following command:
    list instances
    Press ENTER.

3. The command prompt window will display information about the SEE Server instances installed on the current computer as shown in the screenshot below.


List Instances with the Dsdbutil Utility

4. Verify that the output window contains the following entries:
    Instance Name: EncryptionAnywhere
    Service state: Running

5. Type quit and press ENTER.

Log File Location

Examine the SEE Server log files to help troubleshoot SEE Server installation issues. These log files are located on the SEE Server at C:\WINDOWS\Debug.
