Complete the changes for the new MSA and DMSA accounts

Step 2 of 2 associated with the procedure to configure the required accounts in the new Windows domain.

Perform these sub-procedures in the order listed. Step-by-step instructions for each sub-procedure are provided below.

Procedure 

Sub-procedure 1 of 8 associated with completing the changes for the new MSA and DMSA accounts.

In this procedure, you must verify that the Watchdog application is not repeatedly restarting failing services. This procedure requires you to turn off the Watchdog application temporarily on every managed server Server that is managed by the Enterprise Manager application. in the enterprise.

You must perform this procedure on every managed server in the enterprise.

  1. From the Windows desktop on a managed server, use the System Tools to turn off the Watchdog application.

  2. Verify that none of the services monitored by the Watchdog application are failing. If any services are failing, you must correct the problem causing the services to fail.

  3. When you are sure that none of the services monitored by the Watchdog application are failing, use the System Tools to restart the Watchdog application.

  4. Repeat steps 1 through 3 on every server in the enterprise.

Sub-procedure 2 of 8 associated with completing the changes for the new MSA and DMSA accounts.

Before using Enterprise Manager to specify the change the Management Services Account and Database Management Account, you must resolve any active alarms in the enterprise.

If your environment includes a single server that hosts the Import Manager Server role in the Site zone that is used to import recorded content (audio and metadata) from external source systems into the recorder’s local call buffer for system use and processing. application and an active IP Recorder server role Entity that contains a logical, predefined set of components (system software or certified third-party software) deployed in the Data Center and Site Zones that provide specific functionality for the system. or IP Recorder Video role, changing the MSA account can cause this server to falsely trigger an alarm named “Disk Manager Detected Unarchived Files” (alarm number 39004).

If you see this alarm raised by such a server in the Alarm Dashboard, you can acknowledge the alarm without performing the corrective action for the alarm. The alarm is triggered falsely and the conditions that normally cause the alarm do not exist.

Procedure 

  1. Click System Monitoring > System Monitor > Alarm Dashboard.

  2. In the Installations tree (left pane), select the Enterprise node, and then click Filter at the bottom of the pane.

  3. All of the active alarms on all servers in the enterprise display in the Enterprise Alarms section on the right side of the page.

    For each alarm displayed in the Enterprise Alarms section, do the following:

    1. Click on the alarm.

    2. In the Details section, review the corrective action for the selected alarm.

    3. Perform the corrective action for the alarm.

  4. After you have performed the corrective actions for all of the alarms, acknowledge all of the alarms.

    1. In the Alarm Dashboard, click the Servers page (next to the Instances page).

    2. Click the icon under the Acknowledge column to acknowledge each alarm.

    3. Click Yes when prompted to acknowledge the alarm.

  5. Allow the system to stabilize by ensuring that all of the corrective actions you have performed have resolved all of the conditions that were causing the alarms. Do not continue to the next sub-procedure until you feel certain that none of the alarms will recur.

Sub-procedure 3 of 8 associated with completing the changes for the new MSA and DMSA accounts.

In this procedure, you run the Database Permissions Configuration Tool to automatically assign the new Management Service Account (MSA) and the new Database Management Account (DMSA) with the required database permissions.

To complete this procedure, you must complete these three tasks:

You can run the Database Permissions Configuration Tool from any server on which a database platform Predefined logical group of server roles installed together on a physical server. is installed.

In this procedure, do the following:

  • Identify the database platform server from which you will run the Database Permissions Configuration Tool.

    To verify the tool is present on the server, look for this directory: [Software Directory]/CommonDB/Utils/Database Permissions Configuration Tool.

  • Verify that you are defined as the following on the server from which you will run the Database Permissions Configuration Tool:

    • A local Windows administrator on the server on which the tool resides

    • A member of the SQL SysAdmin server role on each computer running an SQL Server

Perform this procedure on the server from which you will run the Database Permissions Configuration Tool.

Verify that the PowerShell execution policy on the server is Unrestricted.

  1. On the computer running SQL Server, run Start > Windows PowerShell.

  2. In the Administrator: Windows PowerShell console, run the Get-ExecutionPolicy command.

    If the result is:

    • Unrestricted: Servers with the Unrestricted, RemoteSigned, or AllSigned PowerShell functionality can run the PowerShell setup file (Setup_signed.ps1).

    • Restricted: Enable the machine for restricted functionality and then use the PowerShell setup file, as follows:

      1. In the console, run the Set-ExecutionPolicy AllSigned command.

      2. Enter Y to confirm the change.

        Use the Setup_signed.ps1 when running the tool.

Run the Database Permissions Configuration Tool once for each computer in the enterprise that runs an SQL Server. Update the server name and port for each instance.

  1. From the Database Permissions Configuration Tool folder run the relevant setup file.

  2. If prompted, confirm that you trust the publisher, enter [A] Always run or [R] run once.

  3. Enter the Details of the the computer running SQL Server:

    • SQL Server Name: The host name or IP address of the computer running SQL Server.

    • Port: The SQL Server listening port. The default port is 1433.

  4. Enter the Login Details of the computer running SQL Server:

    Parameter

    Description

    Database Management Account Name

    Enter the user name of the Windows domain account used as the Database Management Account (DMSA).

    Note: If your enterprise does not use the DMSA, enter the user name of the MSA.

    Database Management Password Name

    Enter the password of the Windows domain account used as the Database Management Account.

    Note: If your enterprise does not use the DMSA, enter the password of the MSA.

    Management Service Account Name

    Enter the user name of the Windows domain account used as the Management Service Account.

    Management Service Account Password

    Enter the password of the Windows domain account used as the Management Service Account.

  5. Click Apply. When the confirmation message appears, click Yes.

  6. A permissions validation message appears if the SQL public server role does not have the execute permission. Click Details to troubleshoot relevant scripts and refer to the SQL public server role permissions table.

  7. Result: When the database permissions are all successfully assigned to the service accounts, the success message All database permission scripts ran successfully appears.

    If the success message does not appear at the end of the text box, scroll through the SQL Server scripts the tool ran and search for Status: Failed. Troubleshoot the stored procedure script above this status. If not, scroll through the logs displayed to review which database permission was denied or failed.

  8. For multiple instances of computers running SQL Server, run the tool again for each instance from the same machine by changing the SQL Server Name and Port to the server name hosting the next instance.

Sub-procedure 4 of 8 associated with completing the changes for the new MSA and DMSA accounts.

In this procedure, you use Enterprise Manager to specify the new Management Services Account and Database Management Account in the Enterprise Settings page.

Follow the steps below:

  1. Select System Management Module that allows performing suite-wide system management activities from a single, Web-based application, the Enterprise Manager. > Enterprise Management > Settings.

  2. In the Installations tree (left-hand pane), select the Enterprise node.

  3. Select the Enterprise Settings page.

  4. Under the Access section, change the following settings:

    • Management Service Account Username - Enter the username associated with the new Management Service Account you created earlier in Step 1.

    • Management Service Account Password - Enter the password associated with the new Management Service Account you created earlier in Step 1.

    • Database Management Account Username - Enter the username associated with the new Database Management Account you created earlier in Step 2. If the enterprise does not use this account, enter the username associated with the MSA.

    • Database Management Account Password - Enter the password associated with the new Database Management Account you created earlier in Step 2. If the enterprise does not use this account, enter the password associated with the MSA.

  5. Click Save.

Sub-procedure 5 of 8 associated with completing the changes for the new MSA and DMSA accounts.

In this step, you do specify the new MSA account as the account that runs the report server service and the account used to connect to the Reporting Services Server role in the Data Center that provides reporting services for Workforce Management (WFM), Scorecards, eLearning, Coaching, Customer Feedback, Interactions and Speech Analytics products. database.

Perform this procedure from the server that hosts the Reporting Services server role.

Procedure 

  1. Launch the Reporting Services Configuration Manager.

    (Usually located at Start > All Programs > Microsoft SQL Server 2008 R2 > Configuration Tools.)

  2. In the Reporting Services Configuration Connection window:

    1. Ensure that the Server Name and Report Server Instance fields specify the values appropriate for the computer running SQL Server that hosts the Reporting Services database.

    2. Click Connect.

  3. In the left-pane, select Service Account.

  4. Select Use another account.

    • In the Account (Domain\user) field, enter the domain\username of the MSA account.

    • In the Password field, enter the password of the MSA account.

  5. Click Apply.

  6. In the SQL Server Connection Dialog, you must specify the credentials of an account that has permission to access the Reporting Services database. The MSA account has this permission. Complete the fields as noted below:

    • Server Name: - Specify the name of the computer running SQL Server that hosts the Reporting Services server role.

    • Credentials Type - Select one of the following from the drop-down box.

      • Current User - Integrated Security - Select this option if you are currently logged into Windows using an administrator account that has the permission to access the Reporting Services database. If you select this option, you do not need to enter a user name and password.

      • SQL Server Account - Select this option to specify the credentials of an account that has permission to access the Reporting Services database. If you select this option, enter the username and password for this account in the fields provided.

  7. Click OK.

Sub-procedure 6 of 8 associated with completing the changes for the new MSA and DMSA accounts.

In this step, you save the Reporting Services server role settings. This step ensures that SSRS will be redeployed after you break the trust with the old domain.

Perform this procedure from the server that hosts the Reporting Services server role.

Procedure 

  1. Select System Management > Enterprise Management > Settings.

  2. In the Installations tree (left-hand pane):

    1. Expand the Server node that hosts the Reporting Services server role.

    2. Click in the Reporting Services server role node.

  3. Click Save.

Sub-procedure 7 of 8 associated with completing the changes for the new MSA and DMSA accounts.

The changes you have made in previous sub-procedures will trigger alarms that indicate it is necessary to restart particular services.

In this procedure, repeat the procedure discussed in 2. Resolve any active alarms. Resolve the new alarms that were raised by restarting the services indicated by the alarms.

Sub-procedure 8 of 8 associated with completing the changes for the new MSA and DMSA accounts.

In this procedure, verify that the SQL services are running under the new MSA and DMSA (if applicable) accounts that you have created in the new domain.

You can verify the accounts under which the SQL services are running from the Windows Services window (select Start > Administrative Tools > Services from the Windows desktop).

What to do next 

Complete the SSO configuration for servers in the new domain