Make sure to read System Requirements prior to proceeding
Enterprise Admins group
In some rare cases you might want to install the Server with just Domain Admins privileges. Some tasks might then fail, and you will need to fix the failed components once you have, or can delegate, the necessary privileges. Starting with version 2.8, you can start the installer without Enterprise Admins group membership: open an elevated command prompt and launch the installer from that console with the parameter ALLOW_DOMAIN_ADMIN=1.
After copying the binaries, the installer makes configuration changes to the domain environment by either creating new entities or updating existing ones, depending on the state of the environment. Here is the list of the changes made.
The installer adds the following containers to your directory structure under the Program Data container:
Systola/SystoLOCK/Devices
Systola/SystoLOCK/Groups
Systola/SystoLOCK/Offline
Systola/SystoLOCK/Settings
These containers are later populated with SystoLOCK-specific data: tokens, participating computers, etc. The installer sets special permissions on these containers to secure the system; please do not alter anything inside them manually unless told to do so by SystoLOCK Support.
The installer adds the following DNS records of type SRV for every computer you install SystoLOCK Server on, with priority 0 and weight 100:
_systolock._https.<domain.name>
_systolock._tcp.<domain.name>
_systolock._https.<site-name>._sites.<domain.name>
_systolock._tcp.<site-name>._sites.<domain.name>
If your site structure does not provide continuous availability between sites, you might want to delete any records that would point clients to a server they cannot reach.
The installer looks for a suitable X.509 certificate (one usable for an HTTPS binding) in the local machine store of the server. If it does not find one, it obtains a certificate automatically from the local certification authority.
The installer installs new certificate templates into the certification authority. These templates are made available for use by SystoLOCK Servers only. The templates are published on the CAs selected during the installation. If you have specific CA servers that should not or cannot serve these templates, you need to remove the templates from the list of available templates on those servers.
Finally, the installer creates a Windows service that runs the SystoLOCK Server instance. If installed on a domain controller, the service is made dependent on the Domain Service.
The installer also registers three PowerShell modules in the system. The first module is used to manage and administer the SystoLOCK system as a whole, the second to manage, correct and alter the installation instance, and the third to perform diagnostic tasks.
The installer configures the local firewall to allow three local TCP ports: 21571 (CRL requests over HTTP), 21572 (all client connections, including AD FS, VPN, etc.) and 21573 (the management console). Be sure to open these ports on any intermediate firewalls as well.
Please also take into consideration the full list of ports used by SystoLOCK components.
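As an added example (not part of the SystoLOCK documentation or its PowerShell modules), the following script verifies the SRV records and the firewall ports described above from the DNS resolver's and the host firewall's point of view, independently of the vendor's Setup module. The domain, site and server names are read from the local machine, and the record-to-port mapping (_https to 21572, _tcp to 21573) is taken from the sample Test-SystoLockInstance output on this page.

```powershell
# Added example: independent check of the SRV records and firewall ports the
# SystoLOCK installer is expected to create. Run on the SystoLOCK Server itself.
# Assumptions: DnsClient and NetSecurity modules (built into Windows Server 2012+),
# domain/site/server names derived from the local machine via .NET.
$Domain     = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name
$SiteName   = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
$ServerFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Expected SRV records (from the installer description): _https -> 21572, _tcp -> 21573
$expected = @(
    @{ Name = "_systolock._https.$Domain";                  Port = 21572 },
    @{ Name = "_systolock._tcp.$Domain";                    Port = 21573 },
    @{ Name = "_systolock._https.$SiteName._sites.$Domain"; Port = 21572 },
    @{ Name = "_systolock._tcp.$SiteName._sites.$Domain";   Port = 21573 }
)

foreach ($rec in $expected) {
    try {
        $srv = Resolve-DnsName -Name $rec.Name -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
    } catch { $srv = $null }
    # A record passes only if an entry points at this server with priority 0,
    # weight 100 and the expected port, matching what the installer writes.
    $ok = $srv | Where-Object {
        $_.NameTarget.TrimEnd('.') -ieq $ServerFqdn.TrimEnd('.') -and
        $_.Priority -eq 0 -and $_.Weight -eq 100 -and $_.Port -eq $rec.Port
    }
    $mark = if ($ok) { '[OK]  ' } else { '[FAIL]' }
    "$mark SRV $($rec.Name) -> $($ServerFqdn):$($rec.Port)"
}

# Host firewall: each port needs an enabled inbound TCP allow rule on the local server.
# Intermediate firewalls are not visible from here and must be checked separately.
foreach ($port in 21571, 21572, 21573) {
    $rules = Get-NetFirewallPortFilter -Protocol TCP |
             Where-Object { $_.LocalPort -contains "$port" } |
             Get-NetFirewallRule |
             Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    $mark  = if ($rules) { '[OK]  ' } else { '[FAIL]' }
    $names = ($rules.DisplayName | Select-Object -Unique) -join ', '
    "$mark Firewall allows inbound TCP $port ($names)"
}
```

A [FAIL] line for an SRV record most often means the record exists but points at a different host, port or priority, which the DNS console or Resolve-DnsName output will show directly.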
After the installer finishes, you can check whether all configuration tasks completed successfully, especially if you observed any errors during installation. Using PowerShell and the aforementioned module Systola.SystoLOCK.Setup, you can check for installation errors and correct them. The cmdlet Test-SystoLockInstance invokes a series of tests and outputs the results in a tree-like view as shown below:
PS C:\> Test-SystoLockInstance
Result
------
[√] DNS record _systolock._https.company.local 0 IN SRV 0 100 21572 dc01.company.local
[√] DNS record _systolock._https.Default-First-Site-Name._sites.company.local 0 IN SRV 0 100 21572 dc01.company.local
[√] DNS record _systolock._tcp.company.local 0 IN SRV 0 100 21573 dc01.company.local
[√] DNS record _systolock._tcp.Default-First-Site-Name._sites.company.local 0 IN SRV 0 100 21573 dc01.company.local
[√] HTTP URL ACL https://+:21572/
[√] SystoLOCK service certificate
[√] AD entry Systola
[√] AD entry SystoLock
[√] AD entry Groups
[√] AD group SystoLock Administrators
[√] AD group SystoLock Services
[√] DC01 membership in SystoLock Services
[√] Certificate template SystoLOCK SCL 20M
[√] msPKI enterprise OID 1.3.6.1.4.1.37708.1.5.1
[√] Certificate template SystoLOCK SCL 24H
[√] msPKI enterprise OID 1.3.6.1.4.1.37708.1.5.2
[√] Certificate template SystoLOCK CLA 20M
[√] msPKI enterprise OID 1.3.6.1.4.1.37708.1.5.3
[√] Certificate template SystoLOCK CBA 1Y
[√] msPKI enterprise OID 1.3.6.1.4.1.37708.1.5.4
[√] AD group SystoLock Offline Computers
[√] AD group SystoLock Self-Provisioning Users
[√] AD group SystoLock Unsafe Self-Provisioning Users
[√] AD entry Devices
[√] AD entry Oath
[√] AD entry Roaming
[√] AD entry Clients
[√] AD entry Settings
[√] AD entry License
[√] AD entry Offline
[√] AD entry Computers
[√] AD entry Services
[√] msPKI enterprise OID 1.3.6.1.4.1.37708.1.6
[√] SystoLOCK service
If any of the checkboxes are not checked, it indicates a problem that has to be corrected. Examine the problem by issuing the corresponding Test-Systolock... commands and take corrective action either at the source of the problem or by issuing the corrective commands from the same module. You may also check the status of the whole setup using the Test-SystoLockInfrastructure cmdlet. Please refer to the PowerShell Reference for more details.