Installation Guide s1

Installation Guide Published By Imanami Corporation 2301 Armstrong St. Suite 211 Livermore, CA 94551, United States

All rights reserved. No part of this document may be reproduced or transmitted in any form or by means without the written permission of Imanami Corporation. Imanami made every effort in the preparation of this document to ensure the accuracy of the information. However, the information contained in this document comes without warranty, either expressed or implied. Imanami is not liable for any damage, cost or alleged cost either directly or indirectly by this document.

Other product and company names mentioned herein may be the trademarks of their respective owners.

Prepared By Imanami Technical Communications Team

Document Information Document Version: 5.10.6.0 First Edition Release Date: November 06, 2009 This Release: April 20, 2011

Supported GroupID Version: 5.5

Feedback and Support For feedback on this document, please write to: [email protected]

For complaints or technical support, please contact: [email protected] Table of Contents

1. Notational Conventions...... vii

2. Introduction...... 1 GroupID...... 1

3. System Requirements...... 3 Hardware Requirements...... 3 Operating Systems...... 3 Active Directory and Exchange Servers...... 3 Software Requirements...... 3 Additional Requirements...... 4 Configuration Requirements for Different IIS and Windows Platforms...... 4

4. Installing and Removing GroupID...... 7 Before you Install...... 7 Backing up your Groups...... 7 Group Expiration Policy...... 8 Creating a Service Account for Active Directory and Exchange...... 8 Active Directory Only Environments...... 11 Active Directory Objects Required by GroupID...... 11 Installing GroupID...... 12 GroupID Setup Components...... 12 Steps to Install...... 14 Licensing...... 20 Types of Licenses...... 20 Licensing GroupID...... 21 Upgrading from an Evaluation License to a Full License...... 22 Installing Components Individually using Custom Setup Type...... 22 Installing GroupID Lotus Notes Web Service...... 22 Installing Group Usage Service...... 26 Removing GroupID...... 30

5. Upgrading to GroupID 5.5...... 33 GroupID Upgrade Wizard...... 33

6. Troubleshooting...... 41 Installing and removing GroupID...... 41 Licensing Problems...... 42 Launching Problems...... 42

7. Appendices...... 45 Appendix A - Screenshots...... 45

iii Installation Guide

Appendix B - Installing Windows PowerShell 1.0 on Windows Server 2008...... 48 Appendix C - GroupID Attributes saved in extensionData...... 49

iv Notational Conventions

To help you locate and interpret information easily, this guide follows consistent structure and standard conventions in each topic. These conventions are explained below:

Notation Meaning bold Name of user interface elements and commands. The word that requires emphasis is also presented as bold.

Placeholders that should be replaced with appropriate values.

Courier New Command syntax and examples.

Gill Sans MT Notes and tips.

v Introduction

GroupID

GroupID is a suite of applications that provide Group and Identity Management solutions for your enterprise needs. Built upon the foundation of Imanami's best selling products WebDir, SmartDL, SmartR and DTM, GroupID takes the concept of automation and flexible management one step further. GroupID extends the capabilities and features of these products with the next generation of upgrades by integrating all the previous applications into a single unified user interface.

Synchronize

GroupID Synchronize enables you to transfer data in a flexible, convenient and secure manner between directories, databases or files. Manipulate data by applying simple transformations to join fields, to add or remove characters; or to perform complex conversions by writing your own script for transforming data before getting saved at the target destination. Create a script and run to preview the results before actually committing changes. Save and schedule your jobs to run unattended at a later time.

Self-Service

Reduce the overhead on your network administrators and empower your users to carryout common tasks, such as updating their own information within Active Directory. Assign responsibilities at various levels by authorizing specific users to manage Groups, Contacts or Users. Define Workflows to route User requests through assigned authorities for approval. Create groups with a limited life span, setting them to renew, expire and automatically be deleted from the source directory keeping your directory clean and preventing group glut .

Automate

GroupID Automate offers enhanced administration and automation features for Active Directory Groups. Use Automate to create and update Group memberships dynamically when changes occur within your organization. Share your administrative responsibilities with others by assigning multiple owners to groups while you are out of office. Create Private, Semi-Private, Semi-Public and Public Groups depending on the level of access you require.

Reporting

GroupID Reporting lets you analyze and monitor your Active Directory and Exchange Server activities and collect statistical information about critical objects, thus enabling you to have an up- to-date picture of GroupID progress.

1 System Requirements

Hardware Requirements

 Intel® Pentium® IV (2.4GHz or Higher)

 4GB of RAM

 500MB or more of hard drive space available for execution

Operating Systems

Client Operating Systems

 Windows® XP

 Windows® Vista

 Windows® 7

Server Operating Systems

 Windows® Server 2003

 Windows® Server 2008

 Windows® Server 2008 R2

Active Directory and Exchange Servers

Active Directory

 Active Directory® 2003

 Active Directory® 2008

Exchange Server

 Exchange Server 2003

 Exchange Server 2007 SP2

 Exchange Server 2010 SP1

Software Requirements

 Microsoft® .NET Framework 3.5 with Service Pack 1

 Microsoft® Management Console 3.0

 Windows® PowerShell 1.0 (PowerShell 1.0 is included as a standard feature with Windows Server 2008, although it is not installed by default. See Appendix B for instructions on installing this.)

 Microsoft® Distributed Transaction Coordinator (This service should be, by default, installed on machines running Microsoft Windows 2000 and higher operating systems. The DTC is essential for configuring the Exchange Service Component and hence must be running on the computer where you plan to install GroupID.)

Additional Requirements

For Exchange Server 2007

 Microsoft® Exchange 2007 Management Tools

 Windows® PowerShell 2.0 (This is by default installed with Windows Server 2008 R2)

 Windows® Remote Management (WinRM) 2.0

For Security Groups Expiration feature

 Microsoft SQL Server 2005 Native Client

 Microsoft SQL Server 2005 Command Line Query Utility

For GroupID Self-Service

 Internet Information Server (Install this before installing Microsoft .NET framework.)

Configuration Requirements for Different IIS and Windows Platforms

GroupID Self-Service requires Microsoft Internet Information Server (IIS) 6.0 or higher for its working. The table below shows the IIS configuration required on different Windows platforms for running Self-Service:

Platform Requirement Should How to check Figure be

IIS 7.5 - ASP.NET Installed  Launch Windows 7 Programs and Features.  Click Turn Windows features on or off.

 On the Windows

3 Installation Guide

Features dialog, expand Internet Information Services. IIS 7 - Windows Enabled  Launch the See Windows Authentication Appendix Internet Server 2008, A, Figure Information A-1 IIS 7.5 - Services (IIS) Windows Manager from Server 2008 Administrative R2 Tools.  On the Connections pane, click the server node.  On the Features View, double-click Authentication.

 In the Authentication pane, see status for the Windows Authentication. Application Installed  Launch the See Development Appendix Server A, Figure Manager from A-2 Administrative Tools.  Expand the Roles node and click Web Server (IIS).

 In the Summary section, see the Role Services list. IIS 7 - ASP.NET Installed  Launch See Windows Appendix Programs and Vista A, Figure Features. A-3  Click Turn Windows

features on or off.

 On the Windows Features dialog, expand Internet Information Services. IIS 6 - ASP.NET 2.0 Installed,  Launch the See Windows Allowed Appendix Internet Server 2003 A, Figure Information A-4 Services (IIS) Manager from Administrative Tools.

 Expand the server node and then click Web Service Extensions.

5 Installing and Removing GroupID

Before you Install

Backing up your Groups

Before installing GroupID 5.5, Imanami recommends performing a backup of your groups information that are either created using SmartDL or GroupID 5.0. The following unsupported script is provided as a guide for performing this task.

Please contact Microsoft should you have any questions about ways for backing up or restoring your entire Group information in Active Directory.

Backup script for SmartDL groups

From the domain controller, execute the following command: ldifde -f c:\groupinfobeforeGroupID.ldf -r "(&(objectClass=group) (objectCategory=group)(|(extensionData=SD4=*)(&(!extensionData=*)(| (extensionAttribute13=*)(extensionAttribute14=*)))))" -p Subtree -l extensiondata,extensionAttribute13,extensionAttribute14

Backup script for GroupID 5.0

From the domain controller, execute the following command: ldifde -f c:\groupinfobeforeGroupID.ldf -r "(&(objectClass=group) (objectCategory=group)(|(extensionData=*)))" -p Subtree -l extensiondata

Restoring group information

To restore the group information, use the above file and modify as per the following instructions:

1. Replace changetype: add with changetype: modify.

2. Add replace: extensiondata before the first extensiondata for each record.

3. In the end of each object record, type a hyphen (-) followed by a blank line. For example:

6 Installing and Removing GroupID dn: CN=sSDL,OU=test,DC=w2k8-64,DC=com changetype: modify replace: extensiondata extensionData:: U0Q0PTE7MTslQU5ZU0VSVkVSJTtEQz13Mms4LTY0LERDPWNvbTs3OzsyOyo7Kjs7Ozs7Ozs KCgoKCg o2MzM1OTMwOTgwNzMzODgzMzg7UUFYUDQ1OzE= - dn: CN=ssd,OU=test,DC=w2k8-64,DC=com changetype: modify replace: extensiondata extensionData:: U0Q0PTE7MTslQU5ZU0VSVkVSJTtHQz1kYy53Mms4LTY0LmNvbTs3OzsyOyo7Kjs7Ozs7Oz sKCgoKCg o2MzM1OTMyMjQ1MDE3NjAxOTk7UUFYUDQ1OzE= -

4. Type and run the following command from the domain controller: ldifde -i -f c:\groupinfobeforeGroupID.ldf

Group Expiration Policy

When you launch GroupID for the first time; it applies a default global expiration policy that is, Never Expire to all the existing groups in the Active Directory irrespective of whether they are created using GroupID or not. The group expiration function is only executed when the Self- Service module is licensed to run. The expiration date set for these groups is calculated as:

Expiration Date = GroupID Installation Date + Global Expiration Policy

Expiring a group performs the following actions on the group:

1. Mail-disables the group, if it is mail-enabled.

2. Adds the Expired_ prefix to the group name.

3. Moves the group in a separate node named Expired Groups.

4. If the group being expired is a security group and the Security Groups Expiration component is installed and configured, then its members are cleared and stored in the configured SQL Server database.

Renewing a group performs the following actions on the group:

1. Mail-enables the group, if it is mail-disabled.

2. Removes the Expired_ prefix from the group name.

3. Moves the group from the Expired Groups node to the node where it was created.

4. If the group being renewed is a security group and the Security Groups Expiration component is installed and configured, then its members are restored from the configured SQL Server database.

5. Sets the expiration date of the group, calculated as:

Expiration Date = Group Renewal Date + Group Last Expiration Policy

If you do not want certain groups to be affected by the global expiration policy, you can place those groups in certain containers and add those containers in the GLM exclusion list. If you want to prevent all groups from being affected by the global expiration policy, you can disable the Group Management Service. Refer to the GroupID Help and the GroupID User Manual for more information.

Creating a Service Account for Active Directory and Exchange

Prior to launching GroupID, it is recommended that you add a new service account that has sufficient permissions to Active Directory and Exchange Server (if deployed on the server) objects. Use this service account to connect GroupID to the domain. If you plan to install GroupID on a member server or computer, you will need to add this service account to the membership of the local Administrators group on that machine.

The instructions below guide you on how you can create a service account in Active Directory:

1. Open Active Directory Users and Computers.

 For Windows Servers, click Windows Start button, click Programs (or All Programs), point to Administrative Tools, and then click Active Directory Users and Computer.

 For Windows XP, click Windows XP Start button, click Control Panel, click Performance and Maintenance, click Administrative Tools and then double-click Active Directory Users and Computer. (The given instructions are for the default Windows XP views. Please refer to Windows Help for instructions on the Classic views.)

 For Windows Vista, click Windows Vista Start button , click Control Panel, click System and Maintenance, click Administrative Tools and then double-click Active Directory Users and Computer. (The given instructions are for the default Windows Vista views. Please refer to Windows Help for instructions on the Classic views.)

 For Windows 7, click Windows 7 Start button , click Control Panel, click Administrative Tools and then double-click Active Directory Users and Computer.

2. In the directory tree, right-click the Users container, point to New, and then click User. This will start the wizard for creating a new user.

3. Enter in all required information for the user as you walk through the wizard.

4. As the wizard completes, click the Users container and you will see the newly created user in the Users list.

To grant permissions to this service account, you can do one of the following:

 Make it a member of one of the following groups:

Recommend Domain Admins ed

Minimum Account Operators

 Delegate it permissions at object level using the Delegation of Control Wizard in Active Directory Users and Computers. This method can be used to set the least level of permissions for the service account.

The above steps will create a user account and grant privileges to it for the Active Directory objects. To set permissions on Exchange Server objects for this user, follow the instructions below:

1. In the Windows Programs menu, point to Microsoft Exchange, and then click System Manager.

2. Right-click the organization where you want to delegate permissions, and then click Delegate control. This starts the Exchange Administration Delegation wizard.

3. On the welcome page of the Exchange Administration Delegation wizard, click Next.

4. On the Users or Groups page, click Add. This displays the Delegate Control dialog box.

5. On the Delegate Control dialog box:

 Click Browse and on the Select Users, Computers, or Group dialog box:

o In the Enter the object name to select box, type the name of the user you have just created and press Enter. This displays the name of the user in the box.

o Click OK to close the dialog box.

 The minimum permissions required for the service account is Exchange View Only Administrator role, so from the Role list, select a role accordingly.

 Click OK to close the dialog box. The user or the group that you added appears in the Users and groups list.

6. Click Next and then click Finish.

1. In the Windows Programs menu, point to Microsoft Exchange Server 2007 and then click Exchange Management Console.

2. In the console tree, right-click Organization Configuration and then click Add Exchange Administrator. This starts the Add Exchange Administrator wizard.

3. On the Add Exchange Administrator wizard, click Browse and on the Select User or Group to Delegate dialog box:

 From the list, select the user you have just created.

 Click OK to close the dialog box.

4. The minimum permissions required for the service account is Exchange Recipient Administrator role, so from the Select the role and scope of this Exchange administrator area, select a role accordingly. 5. Click Add. 6. On the Completion page; review the summary, and then click Finish to close the Add Exchange Administrator wizard.

1. Launch the Exchange Management Shell and type the following command:

Add-RoleGroupMember "Recipient Management" -Member domain name\user

Active Directory Only Environments

Environments running Active Directory only, without Exchange, will require extending their schema for GroupID to work properly. GroupID uses the extensionData Exchange attribute to store many configurations (like group life cycle information, security type, additional owners, query information, Dynasty level, Dynasty display name, Dynasty inheritance information and similar. To learn more about the attributes that GroupID stores in the extensionData attribute, see Appendix C). This process does not require a complete Exchange deployment in your environment. To learn more about the attributes that are added or modified during this process, please download the document Active Directory Schema Changes Reference from Microsoft Download Center (http://www.microsoft.com/downloads/en/details.aspx? FamilyID=3d44de93-3f21-44d0-a0a1-35ff5dbabd0b).

The following instructions list the procedure for extending the schema.

1. Launch the Windows Command Prompt.

2. Move to the directory containing Microsoft Exchange setup.

3. Type and then run the following command depending on the version of your Exchange server:

 For Exchange 2003

setup.com /schemaprep

 For Exchange 2007

setup.com /prepareschema

setup /PrepareAD

For Exchange 2007, the schema extensions require the domain functional level to be set to Windows 2000 native or higher.

Active Directory Objects Required by GroupID

During the GroupID installation and at its first launch in a new domain, it creates two objects in Active Directory that are required for its modules to work. These objects are:

1. GroupIDSSUser account

This user account is created by the GroupID Setup wizard if the installation is being performed in a domain running Exchange Server 2007 or higher. The account is used by Imanami Exchange COM+ application service which runs in its context on the host machine. GroupID uses this application service to run commands on Exchange server for actions carried out by users on a Self-Service Portal. For example, creating mail-enabled groups, expiring groups, and renewing groups. In the absence of this account, Self-Service Portals will not work with Exchange 2007 and above.

The GroupIDSSUser account is created as a local account on member servers and computers. On domain controllers, it will be created in the Users organizational unit.

2. GroupIDGlobalConfigurationSettings group

This group is created when GroupID is connected to a domain for the first time and is used to store global configuration settings related to the domain. The group is created in the Users organizational unit for every domain within a single Active Directory forest. GroupIDGlobalConfigurationSettings should not be deleted otherwise it will cause the Automate and Self-Service modules to dysfunction. The process of creating the group requires the use of a user account having read and write permissions on the Users organizational unit. See Creating a Service Account for Active Directory and Exchange for instructions on creating the account with the right permissions for this task. If you need to create the group in an organizational unit other than Users, you will need to create it interactively using GroupID Management Shell as explained later in this section.

If due to improper permissions, GroupID fails to create the group or the group is mistakenly deleted from Active Directory, you can create the group using the instructions below:

On the GroupID Management Shell, execute the following command:

New-ConfigurationGroup

By default, GroupID creates the configuration group in the Users organizational unit. You can specify a different organizational unit by providing its distinguished name (DN) in the command, as:

New-ConfigurationGroup -OrganizationalUnit "OU=Configurations,DC=HR,DC=imanami,DC=US"

Installing GroupID

GroupID Setup Components

This section provides a brief overview of each featuring component in GroupID Setup. The components that are installed on your computer are determined by the setup type you select. The available setup types and their detail is given in the following table:

Setup Components installed Description Type

Typical  GroupID Use this to install the core product components. Management Console  GroupID Management Shell  Security Group Expiration Plugin

 GroupID Management Service Complete All Use this to install the core and additional product components.

Custom Only those selected by the Use this to install only the required user components. This option is recommended for advance users.

The setup consists of the following components:

 GroupID Management Console

This is a custom Microsoft Management Console with GroupID snap-in added. Refer to GroupID Help for detailed information about the console.

 GroupID Lotus Notes Web Service

This service works with Synchronize module (on 32-bits platforms only) and is responsible for creating user ID files and mail files on the Lotus Notes server when a synchronize job is set to be executed from some data source to a Lotus Notes destination. The service is not installed by default in the typical setup type. If you are installing GroupID on a machine where Lotus Notes server is already installed, the service can be installed using the complete or custom setup types. The GroupID setup wizard also places the setup file for the Lotus Notes Web service in the GroupID installation directory which you can use to install the Web service on the required Lotus Notes server in your environment.

 GroupID Management Shell

This is a command-line interface that works under the Automate license and is responsible for managing groups and performing other administrative tasks. Built on Microsoft Windows PowerShell technology, GroupID Management Shell provides a platform to perform many of the tasks that are supported by GroupID Management Console in addition to those not supported by it. GroupID Management Shell is installed by default in the typical and complete setup types. You will need to choose the custom setup type, if you do not want to install this feature.

 Security Group Expiration Plug-in

Security Group Expiration plug-in works under the Self-Service license and is required for expiring security groups and prevent their members from accessing the network resources assigned to them. This plug-in is installed by default in the typical and complete setup types. You will need to choose the custom setup type, if you do not want to install this feature. Security Group Expiration depends on Microsoft SQL Server for its functioning. The supported versions are Microsoft SQL Server 2005 or higher. Other client tools for SQL Server, requiring installation on the GroupID machine, are given in the Software Requirements section.

This feature is disabled by default and will need to be enabled from within GroupID once you have it installed. If you have GroupID installed on more than one computer in your organization, Security Group Expiration will have to be enabled and configured on all computers running GroupID. Failing to do so will result in inconsistent behavior of security group memberships and may even disturb their settings in Active Directory.

 GroupID Usage Service

The Group Usage Service is an added feature of Imanami GroupID and does not automatically install. Working under the Automate license, this service is used for monitoring and creating a time stamp for each group when an Exchange expansion event occurs. This event occurs when an Exchange server expands a distribution list for sending message. The event is recorded in the Exchange server's message tracking log from where the Group Usage Service parses and records the time stamp the distribution list was last used. Then using Imanami Reporting module, you can review the information in a nicely formatted report named "Distribution groups and the time they were last used". The Group Usage Service is not installed with GroupID using the typical setup type. To install the service, you need to select either the complete or custom setup type.

Before installing the Group Usage Service, please verify that message tracking is enabled on all Exchange servers in the Active Directory forest and the Domain administrators group have Read permissions to the Exchange tracking log directory.

For performance reasons, it is recommended not having more than one installation running in a single Exchange organization at any given time. However, if you choose to use multiple instances of the Group Usage Service, please set up each installation to manage a different Exchange server in the organization otherwise you will end up with redundant data.

 GroupID Management Service

Group Management Service works under the Self-Service license and is responsible for expiring and logically deleting groups depending on their expiration policy. The service is also liable to send notifications to designated authorities for different group activities. The detailed functionality of the service is covered in GroupID Help.

Steps to Install

To install GroupID, please follow the instructions given below.

1. Run the GroupID Setup file to begin the installation. Setup will start extracting files required to install GroupID into a temporary location on your C drive (see figure below).

To run the setup file, you should be a member of the local Administrators group on the member server or client where GroupID is being installed.

Figure - GroupID installer copying the setup files to a temporary location

2. The Welcome page of GroupID setup wizard will appear once the setup has extracted all the required files. Click Next to continue.

Figure - The Welcome page

3. On the License Agreement page, review and accept the Licensing Agreement by selecting I accept the terms in the License Agreement. Click Next.

Figure - The License Agreement page

4. On the Customer Information page:

i. In the User Name box, type the name under which you want to install the program.

ii. In the Organization box, type the name of your organization.

iii. From the Install this application for section, select one of the following:

a. Everyone who uses this computer (all users), to install and make GroupID available for all users using this computer.

b. Just for me [User Name], to install and make GroupID available only for the current Windows logged on user (this is the user account you are logged on with).

iv. Click Next.

Figure - The Customer Information page

5. On the Choose Setup Type page, choose one of the installation types:

 Typical, to install the most common program features.

 Complete, to install the complete program features.

 Custom, to select features yourself and change the installation directory.

Figure - The Choose Setup Type page

6. Selecting Custom will present you with an additional page for selecting which features you want to install. For the detailed description of each feature, see the topic GroupID Setup Components. Clicking the icon next to the feature will display the list of options from which you can select the action for it. Use the Browse button to change the installation directory.

Figure - Custom Setup page

7. Click Next to proceed.

8. On the Ready to Install the Program page, click Install to begin the installation.

Figure - The Ready to Install the Program page

9. The Install Wizard Completed page will appear when the installation has finished. On this page, click Finish to complete and close the installation window. If you want to launch GroupID just after the wizard ends, select the Launch GroupID check box before clicking Finish.

Figure - The Install Wizard Completed page

Launching GroupID

You can launch GroupID from the Windows Programs menu by clicking Imanami, GroupID 5.5, GroupID Management Console.

Licensing

Types of Licenses

Evaluation License

An evaluation license is intended to allow customers to evaluate all modules of GroupID in their test environment for a period of 30 days.

Module License

A module license allows you to use a particular module without any restrictions. You can obtain a module license for Synchronize, Automate or Self-Service.

GroupID Reporting is a license free module.

Full License

A full license provides you unrestricted access and allows you to use the product to its full potential.

Licensing GroupID

To use GroupID with all its features, you need to have a license number and a license key. If you want to evaluate GroupID before purchasing it, you can obtain a 30 days evaluation license for it. The evaluation license provides unrestricted access to all GroupID modules; Self-Service, Automate and Reporting. For Synchronize, the access is limited to transferring only first 100 records for all Synchronize Jobs. The instructions for entering license information are given in the following. You can also contact Imanami support for assistance. When you purchase GroupID, you simply need to enter your new license number and license key and all your existing work done with the evaluation license will continue to work.

Entering the license information for GroupID

1. From GroupID Management Console, click the Configuration node and then click Modify User Options.

2. On the Options dialog box, click Licensing and then click Add.

3. On the Edit License dialog box:

i. In the License number box, type the license number for your copy of GroupID.

ii. In the License key box, type the key provided by Imanami for your copy of GroupID.

4. Click OK and restart GroupID.

The license or licenses entered will show in the Licenses list. This list will provide the following information about every license provided:

 Status - The expiry date of the license.

 Number - This is the license number that you entered.

 Key - This is the license key that you entered.

 Licenses - The number of computers this license is valid for.

 Module - The name of the module this license applies to. If a complete license was purchased, this will show All. Otherwise the name of the particular module will be displayed here.

The Options dialog box

Upgrading from an Evaluation License to a Full License

To upgrade evaluation license version of Imanami GroupID or any of its modules to full license version, please contact Imanami Sales. You will be provided with a new license number and a license key. You are just required to replace the evaluation license number and key with the new one and all your existing work done with the evaluation license will continue to work. A full license provides you unrestricted access to the product.

For instructions on how to provide new license details for GroupID or its different modules, please see the topic, Licensing GroupID.

Installing Components Individually using Custom Setup Type

Installing GroupID Lotus Notes Web Service

Follow the instructions below to install Lotus Notes Web Service manually on a Lotus Notes Server:

1. Open the installation directory for GroupID. The default installation location is, X:\Program Files\Imanami\GroupID - where X is the drive where the installation directory is located.

2. Double-click the Synchronize directory and then double-click the LotusNotes directory to open it.

3. Copy the GroupIDLotusNotesWebService.exe file to the machine running Lotus Notes server.

4. Run GroupIDLotusNotesWebService.exe on the Lotus Notes server to begin the installation. This will start the setup wizard.

5. The Welcome page of Web Service setup wizard will appear once the setup has extracted all the required files. Click Next to continue.

Figure - The Welcome page

3. On the License Agreement page, review and accept the Licensing Agreement by selecting the I accept the terms in the License Agreement option. Click Next.

Figure - The License Agreement page

4. On the Customer Information page:

i. In the User Name box, type the name under which you want to install the program.

ii. In the Organization box, type the name of your organization.

iii. From the Install this application for section, select one of the following:

a. Everyone who uses this computer (all users), to install and make GroupID available for all users using this computer.

b. Just for me [User Name], to install and make GroupID available only for the current Windows logged on user (this is the user account you are logged on with).

iv. Click Next.

Figure - The Customer Information page

5. On the Ready to Install the Program page, click Install to begin the installation.

Figure - The Ready to Install the Program page

6. When the installation completes, the Install Wizard Completed page will appear. On this page, click Finish to complete the installation.

Figure - The Install Wizard completed page

Exposing the Lotus Notes Web Service

When the Lotus Notes Web Service is installed on the server, it creates a database file named UserManagementService.nsf in the data folder in the Lotus Notes installation directory. This database file is required to be signed with an administrator ID. Without signing, the Lotus Notes Web Service will not be exposed on the Lotus Notes server.

To sign the database:

1. From the Windows Programs menu, point to Lotus Applications and click Lotus Domino Administrator.

2. On the Lotus Notes dialog box:

i. In the User name box, type the user name of the administrator account.

ii. In the Password box, type the password of the user name you entered.

iii. From the At Location list, select a location of your choice.

iv. Click Log In.

3. Click the domain tab where the Lotus Notes Web Service is installed.

4. On the Files tab, make sure that the root node is selected in the left pane showing the path to the data folder.

 Right-click the database with the title GroupID User Provisioning for Synchronize and click Sign.

5. On the Sign dialog box:

i. In the Which ID do you want to use? section, click Active User's ID.

ii. In the What do you want to sign? section, click All design documents.

iii. Select the Update existing signatures only (faster) check box.

iv. Click OK.

Once you have signed the database file, you can test the Web Service using the following address: http://machine name/UserManagementService.nsf/DotNetWebService

This address calls the Web Service which if returns an XML string, shows that the service has been exposed successfully. If not, an HTTP 404 error will be received.

Installing Group Usage Service

You can install the Group Usage Service separately, if you have not installed it with GroupID. The following instructions guide you on how to perform a separate installation of the Group Usage Service:

To install the Group Usage Service on Windows® Vista, Windows® Server 2008, Windows® 7:

1. Click the Windows® Start button, and then click Control Panel.

2. On the Control Panel window, click Programs and then click Programs & Features.

3. From the Uninstall or Change a program list, locate and select Imanami GroupID 5.5 and click Change.

4. On the welcome page of the wizard, click Next.

Figure - Welcome page

5. On the Modify, Repair or Remove installation page, select Modify and click Next.

Figure - Program Maintenance page

6. On the Custom Setup page, click next to the Group Usage Service option and select Will be installed on local hard drive.

Figure - The Custom Setup page

7. Click Next.

8. On the Ready to Install page, click Install and then on the completion page, click Finish to complete the installation.

Figure - The Completion page

To install the Group Usage Service on Windows® XP:

1. Click the Windows® XP Start button, click Control Panel, and then click Add or Remove Programs.

2. From the Currently installed Programs list, locate and select Imanami GroupID 5.5 and click Change.

3. Follow the steps 4 through 8 given in the section To install the Group Usage Service on Windows® Vista, Windows® Server 2008, Windows® 7 to complete the installation.

Removing GroupID

To remove GroupID on Windows® XP, Windows® Server 2003:

1. Click the Windows® Start button, click Control Panel, and then click Add or Remove Programs.

2. From the Currently installed Programs list, locate and select Imanami GroupID 5.5.

3. Click Remove and then click Yes on the confirmation dialog box.

To remove GroupID on Windows® Vista, Windows® Server 2008, Windows® 7:

1. Click the Windows® Start button, and then click Control Panel.

2. On the Control Panel window, click Programs and then click Programs & Features.

3. From the Uninstall or Change a program list, locate and select Imanami GroupID 5.5.

4. Click Uninstall and then click Yes on the confirmation dialog box.

Following the above instructions will remove Imanami GroupID from your computer. However, it will leave the registry keys, GroupID directory and the files for Self-Service Portals. You will need to remove them manually using the following instructions:

To remove registry keys:

 Open the Registry Editor by typing regedit in the Windows Run dialog box.

 Delete the following registry keys:

o HKEY_LOCAL_MACHINE\software\imanami\GroupID\Version 5.5

o HKEY_CURRENT_USER\software\imanami\GroupID\Version 5.5

To remove the GroupID installation directory:

 Go the location X:\Program Files\Imanami (where X represents the GroupID installation drive).

 Delete the directory named GroupID.

To remove the Self-Service Portals files:

 Open Internet Information Service console by typing inetmgr in the Windows Run dialog box.

 Under the Web Sites node in the console tree, locate the Portals that you have created using the GroupID's Self-Service module.

 Delete each Portal one-by-one by right-clicking the Portal and clicking Remove in the shortcut menu.

 Next, go to the following location depending on the version of your operating system:

o 32-bit - C:\Windows\microsoft.net\framework\v2.0.50727\Temporary ASP.NET Files

o 64-bit - C:\Windows\microsoft.net\framework64\v2.0.50727\Temporary ASP.NET Files

 Delete each Portal file one-by-one.

32 Upgrading to GroupID 5.5

If you are using a previous version of GroupID (5.0) or any of the previous Imanami products: DTM, WebDir and SmartDL; it is necessary for you to upgrade your existing data in order to be able to manage it using GroupID 5.5. This upgrade updates all your existing data and most configurations to GroupID 5.5 format. Without upgrading, you will not be able to manage previous products data in GroupID 5.5.

Imanami products versions from which you can upgrade to GroupID 5.5 are given in the following list. Versions older than those given in the list cannot be upgraded. Please contact [email protected] for further assistance.

 GroupID 5.0  DTM 3.0  WebDir 4.0  SmartDL 4.0

For GroupID 5.0, DTM 3.0 and WebDir 4.0, you need to install GroupID 5.5 on the same computer where these products are installed. For SmartDL 4.0 this is not necessary since the data for SmartDL groups are stored in Active Directory and not on the local machine except for any scheduled tasks. As the scheduled tasks are local to a computer, you will need to recreate them after the upgrade. When upgraded, you may remove the previous Imanami products from your computer as you cannot run them side-by-side with GroupID 5.5.

Upgrading to GroupID 5.5 is an irreversible process and you will not be able to undo it. It is therefore recommended to take a backup of your Active Directory before doing the upgrade. See Backing up Group Information from Active Directory at the beginning of this guide for more information about this process.

GroupID Upgrade Wizard

The following section assumes that you have installed GroupID 5.5 and are launching it for the first time.

Upgrading to GroupID 5.5 requires you to run the GroupID Upgrade Wizard. The upgrade wizard provides a simplified step-by-step procedure for upgrading to GroupID 5.5. The number of steps involved depends on the modules purchased with GroupID 5.5.

The following steps list the procedure for upgrading to GroupID 5.5. Before proceeding with the following steps, please close any programs that may be running on your computer.

The steps given in the instructions below are for a full licensed copy of GroupID 5.5. These steps may vary depending on the modules that you have purchased.

1. On GroupID Management Console, click the Configurations node, and then click Upgrade Wizard. This launches the GroupID Upgrade Wizard.

Figure - The Welcome page.

2. The Welcome page provides you information on what tasks the wizard will perform to upgrade the existing products (if any) to the new format and make them compatible with their counterparts in GroupID 5.5. Once you have read the instructions, click Next to continue.

3. On the Synchronize page, the wizard shows the number of DTM 3.0 or GroupID Synchronize 5.0 Jobs found on your computer. These Jobs will be upgraded to GroupID Synchronize 5.5 format to enable them to be managed through it.

Figure - The Synchronize page.

4. Click Next.

5. The Automate page shows the target domain name where it will search for the SmartDL 4.0 or GroupID Automate 5.0 data to upgrade to the latest format. This data will either be related to an extension attribute or extensiondata attribute.

Figure - The Automate page.

The Advanced Settings section is available by clicking the button. This section is about where the previous query information (SmartDL 4.0) and group permissions (WebDir 4.0) are stored so that they are brought forward into the new modules: Automate and Self- Service.

In the Advance Settings section:

 From the SmartDL 4.0 section:

i. From the Attribute list select the extension data attribute configured for SmartDL 4.0.

ii. The Prefix box is read-only and shows the characters used as prefix when storing and reading data in the specified extension data attribute. The prefix is used to distinguish the version of SmartDL groups so the correct groups are converted during this process.

iii. From the SDGUS Attribute list, select the extension data attribute configured for SmartDL 4.0 Group Usage Service.

 From the WebDir 4.0 section:

i. From the Attribute list, select the name of the extension data attribute configured for WebDir 4.0. The default is extensionAttribute13.

ii. The Prefix box shows the default prefix WD= used by WebDir when storing and reading data in the specified extension data attribute. The prefix is used to distinguish the version of WebDir groups so the correct groups are converted during this process.

SmartDL 4.0 lets you change where the query is stored. If you have selected extensiondata or extension attributes for different groups, they will not be recognized in Automate until the appropriate attribute is selected. For this reason, you may need to run the wizard multiple times in order to have all your groups upgraded to GroupID 5.5 so they can be managed using the GroupID Management Console.

6. Click Next.

6. The Automate Backup page provides you instructions on how to backup and restore your Active Directory data. Read the instructions on this page carefully before proceeding.

Figure - The Automate Backup page.

8. Click Next.

9. On the Self-Service page, the wizard displays the list of WebDir 4.0 virtual servers and GroupID Self-Service 5.0 Portals it found. The Self-Service 5.0 Portals are selected by default. However, you can also select WebDir 4.0 virtual servers that you want to upgrade to GroupID Self-Service 5.5.

 The upgrade wizard also suggests a name for each WebDir 4.0 virtual server with which it will upgrade it to the Self-Service 5.5 Portal. You can change the name by double-clicking the Portal Name box for the required virtual server.

Figure - The Self-Service page.

10. Click Next.

11. The Upgrading page starts the upgrade process and shows the overall progress. You can also view the progress for each individual task by expanding the Tasks section by

clicking .

Figure - The Upgrading page.

12. The last page of the wizard displays the status of the upgrade process. It will also report any errors, if encountered, during the upgrade process.

40 Troubleshooting

Installing and removing GroupID

Problem Solution

Error 1001 encountered while This problem occurs if you are installing GroupID on a installing GroupID. The setup computer which previously had SmartDL installed. To resolve rolls back and GroupID is not this problem remove SmartDL from your computer. installed. To remove the program from your computer:

 In the Windows Run dialog box, type appwiz.cpl.  Click OK.  From the Add or Remove Programs utility, select Imanami SmartDL 4.0 and then click Remove.  Restart your Windows.

After the restart, launch the Windows Service Manager and check for the following services:

 Imanami Group Usage Service  Imanami Group Management Service

If both these services, or any one of them exists you need to remove them first before installing GroupID. If these services do not exist, you are good to go with the installation.

To remove a service from your computer:

Before trying any of the following methods, make sure that the service to remove is not running. I running, stop the service first.

Method 1:

Use the Windows command-line tool sc.exe.

To delete a service using sc on your computer, type: sc delete [service name]

C:> sc delete "Imanami Group Management Service"

Method 2:

Only use this method if you are not able to remove the service using Method 1.

1. Open the Windows Run dialog box, and type regedit.

Problem Solution

2. Click OK. 3. Go to the location, HKEY_LOCAL_MACHINE/SYSTEM/CurrentCo ntrolSet/Services

4. Locate the required service and delete its key. Error while Creating a Global This problem occurs if GroupID fails to create the global Configuration Group configuration group due to improper permissions or the group is mistakenly deleted from Active Directory. To create the group manually, see the topic Active Directory Objects Required by GroupID.

Error 26402 - Failed to create See the article, Error: 26402 during GroupID user due to invalid password, is installation encountered for Self-Service (http://community.imanami.com/forums/thread/1017.aspx) on while installing GroupID. Imanami Knowledge Base.

Error 1306 - Another application This problem occurs if you are removing GroupID or Lotus has exclusive access to the file Notes Web Service on a machine running Lotus Notes server. 'C:\Lotus\Domino\Data\UserProv To resolve this problem: ision.nsf'. Please shut down all other applications, then click 1. Open the Windows Run dialog box, and type Retry. services.msc. 2. Click OK. 3. From the Services list, locate Lotus Domino Server (LotusDominoData).

4. Right-click the service and click Restart. This prompts the Service Control dialog box showing the progress. The dialog box automatically gets closed as the service restarts.

Licensing Problems

Problem Solution

OK button is not enabled on Providing valid license information after a new installation of entering license information. GroupID, sometimes, does not enable the OK button on the Licensing window. This problem can be resolved by closing GroupID Management Console and then launching it again.

42 Troubleshooting

Launching Problems

Proble Solution m

"Some or This problem may be experienced when launching GroupID. The error is related to all Self-Service and is caused because GroupID cannot find ASPNET\ identities account. This account is required to execute ASP.NET worker process that allows referenc ASP.NET to run on your local web server. e could not be To resolve this problem: translate d" error Method 1: occurs on 1. Remove IIS by following the instructions below: launchin g i. Click the Windows® button, click and then GroupID. Start Control Panel click Add or Remove Programs. ii. Click Add/Remove Windows Components. iii. On the Windows Component page of the wizard, clear the Internet Information Services (IIS) check box in the Components list. iv. Click Next. v. Follow the instructions on the wizard to complete the process. When the wizard completes, click Finish.

2. Now, re-install IIS by following the instructions below: i. Repeat step 1(i) and 1(ii). ii. On the Windows Component page of the wizard, select the Internet Information Services (IIS) check box in the Components list and click Next. iii. Follow the instructions on the wizard to complete the installation. As the wizard completes, click Finish.

Method 2:

1. Launch the Windows Command Prompt. 2. Type and run the following command:

"%windir %\Microsoft.NET\Framework\version\aspnet_regiis.exe" -i

In the above command, version represents the version number of .Net Framework installed on your computer.

Method 3:

1. In the Windows Run dialog box, type regedit and click OK. 2. Expand HKEY_LOCAL_MACHINE, SOFTWARE, Microsoft, Windows NT, CurrentVersion, Winlogon, SpecialAccounts,

Proble Solution m

UserList.

3. On the Edit menu, point to New, click DWORD Value and type ASPNET.

44 Appendices

Appendix A - Screenshots

The screenshots shown in this appendix are being referenced in the topic Configuration Requirements for Different IIS and Windows Platforms. Please see the original topic for more information.

Figure A-1, IIS Manager for Windows Server 2008

Figure A-2, Server Manager for Windows Server 2008

46 Appendices

Figure A-3, Windows Features dialog

Figure A-4, IIS Manager for Windows Server 2003

Appendix B - Installing Windows PowerShell 1.0 on Windows Server 2008

Follow the instructions below to install Windows PowerShell 1.0 on Windows Server 2008:

1. Launch the Server Manager from Administrative Tools.

2. Expand the Roles node and click Features.

3. In the Features Summary section, click Add Features. This displays the Add Features Wizard.

4. On the Select Features page, select the Windows PowerShell check box and click Next.

48 Appendices

Figure - The Select Features page

5. On the Confirmation page, click Install to begin the installation.

6. When the installation completes, click Close to close the wizard.

Appendix C - GroupID Attributes saved in extensionData

The table below lists the pseudo attributes that GroupID stores in the extensionData attribute for different types of groups.

Attribute Name Unman SmartG Pass Dyna Query GlobalConfig aged roup word sty based uration Group Expiry distrib Settings Group ution group Group

IMGAdditionalOwners    

IMGExpirationPolicy    

IMGExpiresOn    

IMGFirstUsed     

IMSGGroupIDVersion     

IMGHasAdditionalOwn      ers

IMGIsDeleted    

IMGIsExpired    

IMGLastSentNotificati     onDate

IMGLastUsed     

IMGLastRenewed    

IMGSecurityType     

IMGUsedCount     

IMSGGroupIdConnecti    onString

IMSGCriteria   

IMSGExcludes   

GLMDeleteExpiredGro    up

GLMGroupDeletionInt    erval

IMSGGroupIDVersion   

IMSGGroupUpdateSta     tus

IMSGIncludes   

IMSGGroupEnabled   

IMSGManagedGroupT     ype

IMSGObjectTypes    

IMSGSearchScope    

IMSGSearchServerNa     me

50 Appendices

IMSGServerFilter    

IMSGStartPath    

IMSGGroupIdStateme    nt

IMSGStoreFilter    

IMSGPasswordExpiry  Criteria

IMSGDynastyAliasTe  mplate

IMSGDynastyChildPat  h

IMSGDynastyDisplay  NameTemplate

IMSGDynastyExclude  NestedLists

IMSGDynastyInheritan  ce

IMSGDynastyLegacyC  riteria

IMSGDynastyLevelsS  erializedData

IMSGDynastyParentK  ey

IMSGDynastyTopLeve  l

IMSGDynastyTopMan  ager

ServiceURL 

IMG.ConfiguredExcha  nge