Embed Size (px)
Citation preview
Datastore Replication with XenApp 5.0 using SQL 2005 SP2 with Windows Authentication This document walks the user through configuration of XenApp 5.0 and SQL 2005 SP2 IMA Datastore Replication from start to finish.
2008
James Richards - Platinum Test TeamContributions by Jeff Reed, Rene Alfonso & Tim Card
Citrix Systems Inc. 8/1/2008
Platinum Tested
2 | P a g e
Table of Contents SQL Install Guidelines: Installation guidelines for SQL 2005 .......................................................................................................................................................... 3 Single Windows service account................................................................................................................................................................ 4 SQL Configured for Windows Auth mode only .......................................................................................................................................... 4 Kerberos Delegation: Configuration of Kerberos Delegation for SQL systems............................................................................................................................. 5 Using the SETSPN command...................................................................................................................................................................... 5 Kerberos Delegation .................................................................................................................................................................................. 6 Specify the user account for Kerberos Delegation .................................................................................................................................... 7 Add and check the name to be used for Kerberos Delegation .................................................................................................................. 7 Verify that the MSSQLSvc info is reported properly .................................................................................................................................. 7 Set the user delegation settings properly.................................................................................................................................................. 8 Configure MSDTC on both SQL DB systems............................................................................................................................................... 9 Configure Replication: Accounts used and create the replica DB and specify dbo rights ............................................................................................................ 10 Check the Security/Logins is set properly ...........................................................................................................................................10‐11 Begin to configure Distribution................................................................................................................................................................ 12 Distributor and Complete the configuration of the Distribution wizard ................................................................................................ 13 Publisher Properties................................................................................................................................................................................. 14 Specify the Publication Database to be used........................................................................................................................................... 15 Begin the New Publication wizard ........................................................................................................................................................... 16 Publication Database and Publication Type............................................................................................................................................. 17 Articles ..................................................................................................................................................................................................... 18 Snapshot Agent and Agent Security......................................................................................................................................................... 19 Snapshot Agent Security details .............................................................................................................................................................. 20 Agent Security – Queue Reader Agent .................................................................................................................................................... 20 Queue Reader Agent Security.................................................................................................................................................................. 21 Publication Name..................................................................................................................................................................................... 21 Publisher Properties and Publication Access List..................................................................................................................................... 22 Configure a New Linked Server................................................................................................................................................................ 23 Linked Server, Security and Options to be used ..................................................................................................................................... 24 Begin the New Subscription wizard ......................................................................................................................................................... 25 Publication ............................................................................................................................................................................................... 26 Distribution Agent Location ..................................................................................................................................................................... 26 Subscribers............................................................................................................................................................................................... 27 Windows Auth for credentials to Subscriber ........................................................................................................................................... 27 Subscribers Subscription Database.......................................................................................................................................................... 28 Distribution Agent Security...................................................................................................................................................................... 28 Specify the Windows account to be used................................................................................................................................................ 29 Verify the Distribution Agent Security ..................................................................................................................................................... 30 Synchronization Schedule........................................................................................................................................................................ 30 Updatable Subscriptions.......................................................................................................................................................................... 31 Login for Updatable Subscriptions........................................................................................................................................................... 31 Initialize Subscriptions ............................................................................................................................................................................. 32 Complete the Wizard ............................................................................................................................................................................... 32 Creating Subscriptions Success ................................................................................................................................................................ 33 Confirming the replicated tables are listed.............................................................................................................................................. 33 View Synchronization Status.................................................................................................................................................................... 34 Monitor the Synchronization Status ........................................................................................................................................................ 34 Replication Monitor ................................................................................................................................................................................. 35 Verification Scenario...........................................................................................................................................................................35‐39 MISC Info.................................................................................................................................................................................................. 40 Blank page for Notes................................................................................................................................................................................ 41
Platinum Tested
3 | P a g e
This guide was originally based on http://support.citrix.com/article/CTX101739 which used SQL 2000 and Mixed Mode Authentication using the default SA account. This guide is by no means the only method in which you can configure replication. The intention is to provide a more secure replication environment using Windows Authentication Only mode. However it should be noted that you can always use Mixed Mode Authentication and the SA account and the default wizards to set up replication.
For information about Datastore replication with SQL 2008, refer to http://support.citrix.com/article/CTX118849
Without having to install SQL servers, these procedures should take one to two hours for the initial setup.
Within this document there are three separate accounts used: 1-svc_IMA – Domain User account is used during the installation of XenApp also has (dbo) owner rights and the Default database is set to use the IMA DB. 2-svc_SQL – Domain User account is used for the SQL Replication procedures. 3-adm_SQL - Domain user account with local Administrator privileges on the SQL systems using the SQL Management Studio.
The screen shot below shows the Domain User accounts created in a ServiceAct OU that was used throughout this document:
Installation guidelines for SQL 2005: There are a number of components that may be installed during the SQL Server 2005 setup. The “SQL Server Database Services” component is required for hosting the Citrix XenApp databases. All other components are optional with regard to Citrix XenApp. The SQL components selection screen is seen below:
The SQL 2005 Books Online makes the following security recommendations:
• Run separate SQL Server services under separate Windows accounts. • Run SQL Server services with the lowest possible privileges. • Associate SQL Server services with Windows accounts. • Require Windows Authentication for connections to SQL Server
(See http://msdn.microsoft.com/en-us/library/ms144228.aspx for more information).
Platinum Tested
4 | P a g e
For the purposes of this document, a single Windows service account was used for all SQL services – “svc_SQL”. However, Microsoft recommends that each service account have separate user accounts as a security best practice.
The SQL 2005 authentication mode was configured for “Windows Authentication Mode”, per Microsoft security best practice. It is possible to set up replication using Mixed Mode, however this is not covered in this document.
For the purposes of this document, the defaults were then chosen for the remainder of the install. After installation, Microsoft SQL Server 2005 Service Pack 2 (SP2) must be installed on both SQL Servers. The specific version used throughout this guide for testing was: Microsoft SQL Server 2005 - 9.00.3068.00 Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
You can use the following SQL Queries to see what version you are running: select @@version OR EXEC xp_msver
Platinum Tested
5 | P a g e
Configuration of Kerberos and Delegation for the SQL systems: SETSPN Kerberos Authentication information: http://support.microsoft.com/kb/319723/ http://poseidom.wordpress.com/2007/12/16/set-spn-for-sql-2005-sccm-remote-sql-fix/
http://msdn.microsoft.com/en-us/library/ms189585.aspx The following commands can either be run on the Domain Controller that the SQL 2005 systems have joined or on each SQL system logged on as the Domain Admin as you need to be the Domain Admin to register SPNs. On Windows Server 2003 systems you will need to obtain the utility from Microsoft, on Windows Server 2008 systems this is already included in the OS. http://support.microsoft.com/kb/892777 SETSPN -A MSSQLSvc/MySQLServer.MyDomain.com:1433 MyDomain\svc_SQL
Examples:
C:\>SETSPN ‐A MSSQLSvc/C3SQL1.c3.sys3lab.com:1433 svc_Sql Registering ServicePrincipalNames for CN=svc_SQL,OU=Service Accounts,OU=System3, DC=c3,DC=sys3lab,DC=com MSSQLSvc/C3SQL1.c3.sys3lab.com:1433 Updated object C:\>SETSPN ‐A MSSQLSvc/C3SQL2.c3.sys3lab.com:1433 svc_Sql Registering ServicePrincipalNames for CN=svc_SQL,OU=Service Accounts,OU=System3, DC=c3,DC=sys3lab,DC=com MSSQLSvc/C3SQL2.c3.sys3lab.com:1433 Updated object ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ C:\>SETSPN ‐L C3SQL1 Registered ServicePrincipalNames for CN=C3SQL1,OU=SQL,OU=Servers,OU=Altiris Mana ged,DC=c3,DC=sys3lab,DC=com: HOST/C3SQL1 HOST/c3sql1.c3.sys3lab.com C:\>SETSPN ‐L C3SQL2 Registered ServicePrincipalNames for CN=C3SQL2,OU=SQL,OU=Servers,OU=Altiris Mana ged,DC=c3,DC=sys3lab,DC=com: HOST/C3SQL2 HOST/c3sql2.c3.sys3lab.com ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ C:\>SETSPN ‐Q MSSQLSvc/C3SQL1.c3.sys3lab.com:1433 CN=svc_SQL,OU=Service Accounts,OU=System3,DC=c3,DC=sys3lab,DC=com MSSQLSvc/C3SQL2.c3.sys3lab.com:1433 MSSQLSvc/c3sql1.c3.sys3lab.com:1433
Platinum Tested
6 | P a g e
Logged on as a Domain Admin, within your Active Directory Users and Computers setup you will need to set up the Delegation to use Kerberos and reference the “svc_SQL” user account and then point to each SQL DB system to be used. 1. For each SQL DB system you will need to select the Properties and then Delegation as seen below, then select the Add button:
2. Select the Users and Computers… button:
Platinum Tested
7 | P a g e
3. Add the “svc_SQL” user account to be used for all Windows Authentication.
4. You should then see both SQL DB systems, provided that you have set the SETSPN information correctly. Make sure to “Select All” in the UI or use the button and then click OK to continue.
The end result for both C3SQL1 and C3SQL2 should show the following, click OK to continue.
Now you will need to set the delegation setting for the “svc_SQL” Domain user account to the following:
Platinum Tested
8 | P a g e
At this point you no longer need Domain Admin access. After the SETSPN and Kerberos settings have been set up and verified from each SQL DB System using the SQL Management Studio run the following SQL Query and ensure it returns NTLM or Kerberos: select auth_scheme from sys.dm_exec_connections where session_id=@@spid
Note: If you run this command directly on each SQL DB System, it returns NTLM, if you run this command from a remote connection to a SQL DB System, it should return Kerberos.
Platinum Tested
9 | P a g e
Verify the MSDTC Security Configuration 1. On each SQL server being used for replication, perform the following steps from Start/Run dcomcnfg 2. Expand the “Component Services” node, then the “My Computer” node, then right-Click and select “Properties” 3. Select the MSDTC Tab, and select the “Security configuration…” button. 4. Select Network DTC Access, Allow Remote Administration, Allow Inbound, Allow Outbound, Mutual Authentication Required 5. Reboot your systems if changes have been made, otherwise click OK to continue and close dcomcnfg.
Platinum Tested
10 | P a g e
At this point you will install/create the first server in the farm using the Publisher/SQL DB system. Before configuring replication, the database that acts as the IMA Datastore must exist on the SQL server acting as the Publisher and the IMA database on the Publisher must contain the tables created by the IMA service. Make sure to check the Security/Logins and verify that the “svc_IMA” account exists on the SQL DB systems and the properties are set accordingly using the below examples:
Platinum Tested
11 | P a g e
1. Create a new (EMPTY) database on the SQL server (Subscriber) that will be used for the replica. The name should reflect the same name already used. In the below example it is “IMA”. Make sure that the database user is the same on the publisher database server as on the replica server and is given database owner rights (dbo). In this case, it is the “svc_IMA” user account. Follow the Security/Logons listed on page 9 for further details.
Platinum Tested
12 | P a g e
2. In the SQL Server Management Studio on the server that is to be used for the master database, right-click the replication folder and click the Configure Distribution option.
Platinum Tested
13 | P a g e
3. Select the current server to be the distributor on the Select Distributor page, then click Next to continue.
4. Keep the default Snapshot folder and leave the default “distribution” database name and locations, then click Next to continue. Keep the Publishers as the Default and click Next to continue. Leave the Wizard Actions as the default set for Configure Distribution and click Next to continue. 5. Click Finish to complete the wizard.
Platinum Tested
14 | P a g e
6. Right-click the Replication Folder, and select the Publisher properties.
Platinum Tested
15 | P a g e
7. Select the Publication Databases and enable the Transactional check box adjacent to the database to be replicated, and click OK to continue.
At this point the Administrator has the option to run the existing DSMAINT command that automatically creates the Publication. However, this command is not covered or used at this point in time and manual steps are used. EXAMPLE ONLY! Execute the dsmaint publishsqlds command on the first server in the farm. This step executes the necessary SQL statements to create the published articles on the current Microsoft SQL Server (Publisher). C:\>dsmaint PUBLISHSQLDS /user:c3\svc_Ima /pwd:******** /joblogin:c3\svc_SQL /jobpwd:********
Platinum Tested
16 | P a g e
8. Select the Replication folder then Right‐click the Local Publications folder. Select New Publication which starts the New Publication wizard.
Platinum Tested
17 | P a g e
9. The next screen is the Choose Publication Database screen. Highlight the database to replicate and click Next.
10. Select the Transactional publication with updatable subscriptions option as the publication type and click Next.
Platinum Tested
18 | P a g e
11. The Specify Articles screen is one of the most important screens of the process. Select the “Tables” check box and click Next, to continue.
You may see the following Article Issues dialog. This issue is ok . Click Next and Next to continue.
Platinum Tested
19 | P a g e
12. Select the option below, create a snapshot immediately, and click Next to continue.
13. Select the Security Settings button to identify the specific account to use for the SQL Server Agent.
Note: If you do not see the option for “Use the security settings from the Snapshot Agent” check box, chances are you ran the DSMAINT PUBLISHSQLDS command as stated on page 14. Otherwise you must Disable Publishing and Distribution and begin again.
Platinum Tested
20 | P a g e
14. Specify the SQL Server Agent account to use.
Once specified, click OK to continue.
15. In the Agent Security screen you must specify the security settings for the Queue Reader Agent, then click the Security Settings button.
Platinum Tested
21 | P a g e
16. Once specified click OK, then Next and Next.
17. The Publication name can be anything, in previous replication documents or administrator’s guides it was called MFXPDS, however, for this document it was changed to something more current - “IMADS”.
18. Click Finish on the final screen of the wizard.
Platinum Tested
22 | P a g e
19. Verify the Publisher Properties and verify the PAL – Publication Access List. Start by Right clicking on the publication and selecting Properties.
20. Ensure that you have the “svc_IMA” account listed here. You may also see the “SA” account. This can be removed for security concerns.
Platinum Tested
23 | P a g e
21. Configuring a Linked Server: Also refer to the MS SQL 2005 Online help for further info. Set up and Configure the Linked Server and Authentication: Create a Linked Server from C3SQL2(Subscriber) to C3SQL1(Publisher)
22. Specify the SQL Server to use:
Platinum Tested
24 | P a g e
23. Within the Security options you will need to specify the option for “Be made using the login’s current security context”
24. For the Server Options, make sure to change the options as seen below:
Platinum Tested
25 | P a g e
25. Right-click the local publications in the Local Publications folder and select New Subscription. This starts the new subscription wizard.
Platinum Tested
26 | P a g e
26. Confirm the correct publisher and publication to use and click Next to continue.
27. Select the option for (Push Subscriptions), if not already selected and click Next to continue.
Platinum Tested
27 | P a g e
28. Select the button to Add SQL Server Subscriber and a security dialog appears asking for the credentials of the Subscriber system. Click Connect to continue.
Platinum Tested
28 | P a g e
29. Ensure that the check box is selected for the subscriber from the list on the next screen, then select the correct empty database to use and click Next to continue.
30. On the Distribution Agent Security page choose the “….”, button.
Platinum Tested
29 | P a g e
31. Select the correct Windows account to use that runs the Distribution Agent process. In this case we are using the main SQL Server service account used during installation. Leave all other fields set to default and click OK to continue.
Platinum Tested
30 | P a g e
32. Confirm that the Windows account used is set correctly for the Distributor and the Subscriber, then click Next.
33. Set the Distribution Agent Schedule to Run Continuously, then click Next.
Platinum Tested
31 | P a g e
34. Set the Commit at Publisher to Simultaneously commit changes, then click Next to continue.
35. Specify the linked server or remote server option to be used and click Next to continue.
Platinum Tested
32 | P a g e
36. Verify that the Initialize Subscriptions is set for Immediately, then click Next and Next to continue.
37. Confirm that the Subscription wizard process has been set correctly and click Finish.
Platinum Tested
33 | P a g e
Upon the completion of the wizard you should see the following Success. Click Close to continue. If you get any Error or Warnings please review that the above procedures have been properly configured.
38. Make sure that the following tables are on the replicated database listed under the System Tables: • dbo.MSreplication_objects • dbo.MSreplication_subscriptions • dbo.MSsnapshotdeliveryprogress • dbo.MSsubscription_agents If the tables are not all there, you must delete the replication setup and start again.
Platinum Tested
34 | P a g e
You can now move on to verifying that Replication is working properly. Start by checking the Replication monitor. Following the below steps:
39. Select the original subscription, right click and select the View Sync Status.
You should see the following Status bar which you can use to monitor when transactions are replicated.
Platinum Tested
35 | P a g e
40. If you then click on the Monitor button, you can view success and errors of the replication process in greater detail.
Scenario for verifying Replication is setup properly:
1. Log on to the second XenApp system as a local Administrator and add the following to the local Admin Group: “svc_IMA”. Llog off and then back on as this new local admin (the “svc_IMA” account) and then proceed to install just the SQL Management Studio. You will then Connect to the C3SQL2 system using Windows Authentication as “svc_IMA”. If Windows Authentication fails, verify that the “svc_IMA” account has been added to the Security Logins and the default DB has been set to the IMA DB. Run the DSRepCheck against the IMA DB. You can download the DS RepCheck Citrix utility to help verify that Replication is also set up correctly. http://support.citrix.com/article/CTX111656 Run the stored procedure on the Subscriber against the IMA DB, then run the following SQL Query: DSRepCheck C3SQL1,IMA
Platinum Tested
36 | P a g e
If all the above is successful, you can proceed to install XenApp and join the farm, use the “svc_IMA” account during the install for the ODBC connection and the Citrix credentials, and point to the Subscriber/replicated SQL DB – C3SQL2.
Platinum Tested
37 | P a g e
2. Make sure that when selecting which SQL DB to use and join, you select the Subscriber system. In the above steps this would be the C3SQL2 DB system.
Platinum Tested
38 | P a g e
Platinum Tested
39 | P a g e
After the installation has completed you must reboot your system. 3. Launch the Access Management Console from the first server in the farm and add an Administrator to the farm for the “svc_IMA” account. 4. Once this second system has been installed and rebooted, launch the Access Management Console on this newly installed server and proceed to publish any application. 5. If replication is working correctly, launch the Access Management Console on the first server in the farm and you should then see the newly added published application. You should also be able to modify the properties of the application as well.
Platinum Tested
40 | P a g e
MISCELLANEOUS INFORMATION
Caution: Do not use merged replication. Using merged replication corrupts the data store. SQL versions and there patch level: http://www.sqlsecurity.com/FAQs/SQLServerVersionDatabase/tabid/63/Default.aspx SQL2K5 Encryption Info: http://www.microsoft.com/technet/prodtechnol/sql/2005/sqlencryption.mspx Existing SPN found for servers in a different farm that are going to be put in the current one. Run chfarm and select the server with the replicated database. If there will be a fresh installation of XenApp, select the replicated database server when prompted. For a server in the current farm that will be configured to use the new database, create a new dsn file on the server which points to the replicated SQL server. Then use the dsmaint config command from a command prompt to re-point the IMA Service to the new data store. http://msdn2.microsoft.com/en-us/library/ms144228.aspx Run separate SQL Server services under separate Windows accounts. Run SQL Server services with the lowest possible privileges. Associate SQL Server services with Windows accounts. Require Windows Authentication for connections to SQL Server sp_link_publication info: http://technet.microsoft.com/en-us/library/ms174991.aspx @security_mode = 2 Database corruption. If a subscriber database becomes corrupted, will it corrupt all the replica databases. Resolution, database backup and restore db: http://msdn.microsoft.com/en-us/library/ms151152.aspx? Currently SQL doesn’t support both mirroring and transactional replication with immediate updating. http://msdn.microsoft.com/en-us/library/ms151799.aspx
Transactional replication with immediate updating will allow changes to occur on the subscriber or publisher. From an application stand point these changes are transparent and SQL is responsible for synchronizing all changes.
The way SQL does this is by using to different mechanisms:
1. Changes on the publisher are recorded to the distribution database using the log reader agent then pushed out by the distribution agent (there may be a slight delay depending on network and SQL performance).
2. Changes on the subscriber are intercepted by triggers that use the Distributed Transaction Coordinator to insure the changes are written in both Database bases (2 Phase commit). Any additional subscribers will be updated by the distribution agent.
Replication supports mirroring the publication database for merge replication and for transactional replication with read-only Subscribers or queued updating Subscribers. Immediate updating Subscribers, Oracle Publishers, Publishers in a peer-to-peer topology, and republishing are not supported.
