Make sure to read System Requirements prior to proceeding
In some rare cases you might want to install the Server with just Domain Admins privileges. While doing so, some tasks might fail and you would need to adjust failed components once you have or can delegate the necessary privileges. To start the installer without requiring the Enterprise Admins group membership, starting with version 2.8, fire up an elevated command prompt and start the installer from that console, providing the parameter
After copying the binaries, the installer performs configuration changes to the domain environment by ether creating new entities or updating the exiting ones, depending on the state of the environment. Here is the list of the changes made.
The installer adds the following containers to your directory structure under the
Program Data container:
These containers are later populated with SystoLOCK-specific data: tokens, participating computers, etc. The installer sets special permissions on these containers in order to provide proper security of the system - please, do not alter anything inside these containers manually, unless told so by SystoLOCK Support.
The installer adds the following DNS records of type SRV for every computer you install SystoLOCK Server on, with priority 0 and weight 100:
If your site structure has non-continuous availability, you might want to delete any records that will lead to non-availability.
The installer looks for an appropriate x509 certificate (that can be used for HTTPS-binding) in the local machine store of the server. If it does not find an appropriate certificate in the store, it obtains one automatically from the local certification authority.
The Installer installs new certificate templates into the certificate authority. These templates are made available for use by SystoLOCK Servers only.
The templates are made available on CAs selected during the installation. If you have specific CA-servers that should not or cannot server these templates, you would need to remove these templates from the list of available on those servers.
Finally the installer creates a windows service that runs SystoLOCK Server instance. If installed on a domain controller, the service is made dependent on Domain Service.
The installer also registers three PowerShell modules in the system:
The first module is used to manage and administer SystoLOCK system as a whole, the second one - to manage, correct and alter the installation instance, and the third one to perform any diagnostics tasks.
The installer will configure the local firewall to allow three local TCP ports: 21571 (for CRL requests over HTTP), 21572 (for all client connections, incl. AD FS, VPN, etc.) and 21573 (for the management console), be sure to make the specified ports available via any intermediate firewalls.
Please, also take into consideration the full list of ports used by SystoLOCK components.
After the installer finishes, you can check if all configuration tasks have completed successfully, especially if you observed any errors during installation.
Using PowerShell and the aforementioned module
Systola.SystoLOCK.Setup, you can check for any installation errors and correct them. A cmdlet
Test-SystolockInstance will invoke a series of tests and will output the results in a tree-like view as shown below:
PS C:\> Test-SystoLockInstance Result ------ [√] DNS record _systolock._https.company.local 0 IN SRV 0 100 21572 dc01.company.local [√] DNS record _systolock._https.Default-First-Site-Name._sites.company.local 0 IN SRV 0 100 21572 dc01.company.local [√] DNS record _systolock._tcp.company.local 0 IN SRV 0 100 21573 dc01.company.local [√] DNS record _systolock._tcp.Default-First-Site-Name._sites.company.local 0 IN SRV 0 100 21573 dc01.company.local [√] HTTP URL ACL https://+:21572/ [√] SystoLOCK service certificate [√] AD entry Systola [√] AD entry SystoLock [√] AD entry Groups [√] AD group SystoLock Administrators [√] AD group SystoLock Services [√] DC01 membership in SystoLock Services [√] Certificate template SystoLOCK SCL 20M [√] msPKI enterprise OID 18.104.22.168.4.1.37708.1.5.1 [√] Certificate template SystoLOCK SCL 24H [√] msPKI enterprise OID 22.214.171.124.4.1.37708.1.5.2 [√] Certificate template SystoLOCK CLA 20M [√] msPKI enterprise OID 126.96.36.199.4.1.37708.1.5.3 [√] Certificate template SystoLOCK CBA 1Y [√] msPKI enterprise OID 188.8.131.52.4.1.37708.1.5.4 [√] AD group SystoLock Offline Computers [√] AD group SystoLock Self-Provisioning Users [√] AD group SystoLock Unsafe Self-Provisioning Users [√] AD entry Devices [√] AD entry Oath [√] AD entry Roaming [√] AD entry Clients [√] AD entry Settings [√] AD entry License [√] AD entry Offline [√] AD entry Computers [√] AD entry Services [√] msPKI enterprise OID 184.108.40.206.4.1.37708.1.6 [√] SystoLOCK service
If any of the checkboxes are not checked, it indicates a problem and has to be corrected. Examine the problem by issuing corresponding
Test-Systolock... commands and take corrective actions either at the source of the problem or be issuing the corrective commands from the same module. You may also check the status of the whole setup using
Test-SystoLockInfrastructure CmdLet. Please refer to PowerShell Reference for more details.