Staging Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted, Release 10.0(1)
Service Account Manager

Unified ICM and Unified Contact Center Enterprise services, such as Logger or Distributor, execute under the context of a domain user account commonly known as a service account. The Service Account Manager (SAM) tool handles creation and maintenance of service accounts. With Service Account Manager, you can do the following:

  • either create a new service account or choose an existing service account.
  • enter your own password or let the Unified ICM application generate one for you.

    Note

    If you change passwords using an application other than SAM, SAM cannot detect the changes.
  • choose whether or not (when applicable) to update the account in AD, and use existing AD accounts as Unified ICM service accounts.
  • fix service account group membership issues and modify Unified ICM service account passwords without recreating accounts or re-running ICM installation or setup tools.

You have the option to re-run the Service Account Manager post-installation to modify the Unified ICM service account, or its password, or to verify the account health. You must execute the Service Account Manager on each server locally to configure the service accounts for services listed below.

The Service Account Manager functions only with the following services:

  • Administration & Data Servers
  • LoggerA
  • LoggerB
  • Jaguar

Service Account Management

The Service Account Manager serves three purposes. It allows you to:

  1. Create new accounts with random passwords.
  2. Use existing AD accounts as Unified ICM service accounts.
  3. Provide an interface to modify Unified ICM service account passwords.

The following diagram illustrates the basic workflow of the Service Account Manager.

Figure 1. Service Account Manager Application Workflow

Other Considerations

Permissions

You must have the correct privileges to create or modify accounts in the domain. Typically, this action is performed by a domain administrator. However, the Service Account Manager does not enforce domain administrator privileges. You are expected to have the right permissions before invoking the Service Account Manager.

Domain Restriction

The service account must be in the same domain as the Unified ICM server. When choosing an existing account, the Service Account Manager restricts the account to be selected from the same domain as the server.

Special Case: When the distributor is in a different domain than the logger, the distributor service account must be placed in the instance service security groups of both its own domain and the logger domain.

AD Update Failures

If the Service Account Manager finds that a service is running, it first requests your permission; if you approve, it stops the service. If you choose not to stop the service, the Service Account Manager does not modify the service account information. The Service Account Manager automatically starts the service if it explicitly stopped the service prior to editing the account information. If the Service Account Manager fails to update the account in AD, due to either a noncompliant password policy or any connectivity error, the Service Account Manager warns you and logs the error. At that point, you can choose to fix the problem and retry, or cancel.

Logging

The application maintains its own log file, when invoked as a standalone application. If called through the Web Setup tool, logs are written to the Websetup log files only.

Service Account Memberships Setup for CICM Replication

When the application is invoked from the standalone NAM's Logger servers (sides A and B), the command line is as follows:

  ServiceAccountManager /SrcInstance <InstanceName> /DestDomain <DomainName> /DestFacility <FacilityName> /DestInstance <InstanceName>

Service Account Manager End User Interfaces

The Service Account Manager has two user interfaces:

  • The Graphical User Interface consisting of the following dialogs boxes:
    • Main
    • Edit Service Account
  • The Command Line Interface

Service Account Manager GUI Dialog Boxes

You can find a shortcut to the application in Windows Start > Programs > Cisco Unified ICM-CCE-CCH Tools folder.

The Service Account Manager has two dialog boxes:

  • Main
    Figure 2. Main Service Account Manager Dialog

  • Edit Service Account dialog box.
    Figure 3. Service Account Manager - Edit Service Account Dialog

Service Account Manager – Main Dialog Box

You can use the Service Account Manager as a standalone application or invoke it from Web Setup for Cisco Unified ICM/Contact Center Enterprise & Hosted and the Cisco Unified ICM/CCE/CCH Installer.

The Main Service Account Manager dialog box is the application's primary interface. It consists of the Services Requiring User Logon Accounts section (which contains the Service Name, Service Logon Account Name, Logon Account Health, Password Expiration, State, and Startup fields), the Facility/Instance drop-down, and the Select All, Edit Service Account, Fix Group Membership, Refresh, Close, and Help buttons.

The following table provides a description for each field and button in this dialog box.

Field/Button/ Drop-down

Description

Service Name

A list of all relevant services. If the server has none of the relevant services (Administration & Data Server, TomCat, Jaguar, or Logger), the field displays the message "This instance does not have any service that requires a service account."

Service Logon Account Name

Displays the service account name for the list of relevant services.

Logon Account Health

The Service Account Manager has an account health check mechanism. When the application starts, it scans all relevant Unified ICM services and flags them as indicated below.

  • Green
    • Healthy Account: the service account state is normal.
  • Yellow
    • Password Warning: the password is due to expire in less than 7 days.
  • Red
    • Invalid Account: service has an invalid account associated with it.
    • Password Expired: service account password has expired.
    • Group Membership Missing: service account is missing from the required domain or local security groups.
    • Account not associated with service: service account created but not replicated, hence not associated yet.

The following messages could appear in the Health column.

  • Healthy
    • Only applies to the service account, not the service itself.
    • The account is a member of the required Unified ICM/CCE/CCH security groups.
    • The account has been validated to start a service.
    • If the account password is changed outside of the Service Account Manager application, Healthy would be displayed even though the service might not actually be healthy because this application cannot detect the change.
  • Need to create service account
    • The Service Account Manager must be used to create a service account for each service.
  • Account not in Instance Domain
    • The Service Account Manager is capable of detecting whether or not a service account exists in the domain.
  • Account Disabled
    • In AD an account can be enabled or disabled. This message indicates the account is disabled in the domain.
  • Password Expired
  • Account not a member of the Instance Service Group
  • Service Group not a member of local Administrators group
  • Central Controller (sideA) Domain name is unknown (Administration & Data Server only)
    • Administration & Data Servers can be in a different domain than the Central Controller. When you click Fix Group Membership, you are asked for the domain name of the Central Controller if it differs from that of the Administration & Data Server.
  • Central Controller (sideA) Domain is not trusted or trust is not two-way (Administration & Data Server only)
    • There must be a two-way trust between the Central Controller and the Administration & Data Server. SAM detects the lack of the trust relationship and displays this message. SAM can detect this issue, but cannot fix it.
  • Account not a member of LoggerA Domain Service Group (Administration & Data Server only)
    • If the Administration & Data Server is in a different domain than the Central Controller, its service account must also be a member of the instance service security group in the Logger A domain, in addition to the group in its own domain (see Domain Restriction).
  • Central Controller (sideB) Domain name is unknown (Administration & Data Server only)
    • Administration & Data Servers can be in a different domain than the Central Controller. When you click Fix Group Membership, you are asked for the domain name of the Central Controller if it differs from that of the Administration & Data Server.
  • Central Controller (sideB) Domain is not trusted or trust is not two-way (Administration & Data Server only)
    • There must be a two-way trust between the Central Controller and the Administration & Data Server (Distributor). SAM detects the lack of the trust relationship and displays this message. SAM can detect this issue, but cannot fix it.
  • Account not a member of LoggerB Domain Service Group (Administration & Data Server only)
    • If the Administration & Data Server is in a different domain than the Central Controller, its service account must also be a member of the instance service security group in the Logger B domain, in addition to the group in its own domain (see Domain Restriction).
  • Account not associated with service
    • When SAM associates an account with a service, AD replication delays can leave the association incomplete. Click Edit Service Account and select Associate the account with a service rather than starting the edit from the beginning.
  • Service not validated for starting
    • When SAM validates a service, it can run into the same replication delays. Use Validate to re-run the validation and start the service.
  • Password About To Expire
    • Check the Password Expiration option to determine the validity period of the password. The Service Account Manager can then be used to reset the password for this pre-existing account.

A service has an Invalid Account health state immediately after Setup creates it, because no domain account has been assigned to it yet. This is expected behavior.

A service can have a Missing Group Membership problem due to a prior AD related failure. The Service Account Manager is capable of fixing this issue by providing an interface that reattempts placing the account in the relevant local and domain security groups.

Note    SAM health reporting might be inaccurate for the period of time while AD replication is in progress. The previous health state might be indicated during this time.
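The health states above are the result of a handful of Active Directory and local-group lookups. The following script is an added example, not Cisco's Service Account Manager code, that reproduces those read-only checks for one ICM service from an elevated PowerShell prompt on the ICM server. It assumes the RSAT ActiveDirectory module is installed, that the server is domain-joined, and that you supply the name of the instance's domain service security group in -InstanceServiceGroup; the function, parameter and group names are this example's own and do not come from the page.

```powershell
<#
  Added example; not Cisco's Service Account Manager code. Reproduces the Logon
  Account Health checks for one service, read-only. Assumptions: RSAT ActiveDirectory
  module present, domain-joined server, and the instance service group name passed in
  (-InstanceServiceGroup is this example's own parameter, not a SAM option).
#>
#Requires -Modules ActiveDirectory

function New-HealthResult {
    param([string] $Service, [string] $Account, [string[]] $Issues)
    # Only "Password About To Expire" is a yellow (warning) state; every other finding is red.
    $red    = @($Issues | Where-Object { $_ -notlike 'Password About To Expire*' })
    $health = if ($red.Count -gt 0) { 'Red' } elseif ($Issues.Count -gt 0) { 'Yellow' } else { 'Green' }
    [pscustomobject]@{ Service = $Service; Account = $Account; Health = $health; Issues = @($Issues) }
}

function Get-IcmServiceAccountHealth {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ServiceName,
        [Parameter(Mandatory)] [string] $InstanceServiceGroup,
        [int] $WarnDays = 7   # SAM flags yellow when the password expires in under 7 days
    )
    $issues = [System.Collections.Generic.List[string]]::new()

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' is not installed on this server" }
    $logon = $svc.StartName

    # No domain account assigned: LocalSystem, a built-in virtual account, or a local user.
    if ([string]::IsNullOrEmpty($logon) -or $logon -match '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\|\.\\)') {
        $issues.Add('Need to create service account')
        return New-HealthResult $ServiceName $logon $issues
    }

    # Split DOMAIN\name or name@domain into the sAMAccountName and its domain.
    if ($logon -like '*\*') { $domainPart, $sam = $logon -split '\\', 2 }
    else                    { $sam, $domainPart = $logon -split '@', 2 }

    # SAM's domain restriction: the account must live in the server's own domain.
    $ad   = Get-ADDomain
    $user = $null
    if ($domainPart -in @($ad.NetBIOSName, $ad.DNSRoot)) {
        $user = Get-ADUser -Filter "SamAccountName -eq '$sam'" `
            -Properties Enabled, PasswordExpired, PasswordNeverExpires, MemberOf, 'msDS-UserPasswordExpiryTimeComputed'
    }
    if (-not $user) {
        $issues.Add('Account not in Instance Domain')
        return New-HealthResult $ServiceName $logon $issues
    }

    if (-not $user.Enabled)    { $issues.Add('Account Disabled') }
    if ($user.PasswordExpired) { $issues.Add('Password Expired') }
    elseif (-not $user.PasswordNeverExpires) {
        # Constructed attribute holding the expiry as a FILETIME; never-expiring accounts report Int64.MaxValue.
        $raw = $user.'msDS-UserPasswordExpiryTimeComputed'
        if ($raw -and $raw -lt [long]::MaxValue) {
            $expires = [DateTime]::FromFileTime($raw)
            if ($expires -lt (Get-Date).AddDays($WarnDays)) {
                $issues.Add("Password About To Expire ($($expires.ToString('u')))")
            }
        }
    }

    # Direct membership in the domain instance service group (nested membership is not resolved here).
    $group = Get-ADGroup -Identity $InstanceServiceGroup
    if ($user.MemberOf -notcontains $group.DistinguishedName) {
        $issues.Add('Account not a member of the Instance Service Group')
    }

    # The domain service group itself must be a member of the local Administrators group.
    $localAdmins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    if (-not ($localAdmins | Where-Object { $_.Name -like "*\$InstanceServiceGroup" })) {
        $issues.Add('Service Group not a member of local Administrators group')
    }

    New-HealthResult $ServiceName $logon $issues
}

# Usage (service and group names are placeholders for your instance):
# Get-IcmServiceAccountHealth -ServiceName 'LoggerA' -InstanceServiceGroup 'inst01_Service' | Format-List
```

Green from this script means the AD object and group memberships look right; like SAM itself, it cannot tell whether the password stored with the Windows service still matches AD, so a password changed outside SAM is not detected. It also does not perform SAM's "validated to start" check, and it only tests direct membership in the service group, so an account that reaches the group through nesting is reported as missing.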

Password Expiration

Service account passwords created by the Service Account Manager are set not to expire. However, you do have the option of setting the service account passwords to expire.

Note   
  • Any service with an account password that expires in seven (7) days is yellow flagged by the application.
  • You own the responsibility to refresh the passwords before they expire. If you do not, the system services fail to function.

State

The current state of the service (Stopped, Start/Stop Pending, or Running).

Startup

Displays how the service is started (Manual or Automatic).

Facility/Instance

Drop-down displaying the "Facility/Instance" name.

In case of multiple instances, the default "Facility/Instance" selected in the drop-down is the last instance edited by Setup.

Select a specific instance. The Service Account Manager lists all relevant services with their account information, account health, password expiration and startup state for the selected instance.

If the server has none of the relevant services (Administration & Data Server, TomCat, Jaguar, or Logger), the Service Account Manager displays the message: This instance does not have any service that requires a service account.

Select All

Click to select all listed services.

Edit Service Account

To fix any account issues, edit one, a few, or all accounts at the same time by selecting them and clicking this button.

Once in the dialog box, if an account was recently created, the Service Account Manager prompts you to reuse it, because it keeps track of the account it last created. If you agree, the application reuses that account rather than repeatedly creating new ones. If you chose a random password, the application generates a new one; otherwise it prompts you to enter one. The application never stores the password.

Fix Group Membership

Available ONLY if an account with the Group Membership Missing health state is selected.

Refresh

Refreshes all information in the Service Account Manager Main dialog box.

Close

Closes the Service Account Manager dialog box.

Help

Select to access the online help for the Service Account Manager.

Service Account Manager – Edit Service Account dialog box

The Edit Service Account dialog allows you to create a new or use an existing account, and to choose a random or a user defined password. The status bar at the bottom of the dialog box displays status messages as needed.

The following table provides a description for each field, button, and check box for this dialog box.

Field/Button/check box

Description

Service(s)

Displays the name of the service to be edited.

Service account(s)

Displays the account name for the selected service.

Account Domain

Displays the server's domain. (Read Only)

Password

If the Password Type selected is Random-Generated Password, this field is populated with the generated password.

If the Password Type selected is User-Defined Password, enter the password to be used for this account.

Confirm Password

If the Password Type selected is Random-Generated Password, this field is populated with the same generated password as the Password field.

If the Password Type selected is User-Defined Password, re-enter the password to be used for this account.

Account Type

Allows you to either create a new account or use an existing account by selecting the appropriate radio button.

Create New Account is the default if no domain account assigned yet.

Use Existing Account is the default if a domain account is already assigned.

Password Type

Allows you to choose a random-generated or a user-defined password by selecting the appropriate radio button.

Random Generated Password is the default if you are creating a new account.

User Defined Password is the default, and only, option when using an existing account.

Update Active Directory

Checked is the default, and only, option if you are creating a new account.

Note   

By checking this check box, you are actually making changes to the Active Directory domain and any changes to passwords will affect the password of the existing user.

Unchecked is the default if using an existing account.

Apply

Click to apply any changes on this dialog box.

Close

Click to close this dialog box.

Whenever this dialog box is closed, the Service Account Manager determines if a valid domain account is associated with the services or not.

If the Service Account Manager finds that you did not successfully associate a valid domain account with a service, it warns you that the service will fail to function until you use the Service Account Manager to associate a valid domain account with the service.

Help

Select to access the online help for the Service Account Manager.

Service Account Manager – Command Line Interface


Note


The Service Account Manager command line option is only supported for NAM/CICM replication.

Silent Setup for Default Service Accounts

Web Setup uses the command line interface to silently create service accounts.

Setup passes the following three arguments to the Service Account Manager:

/Instance <InstanceName>

  • The InstanceName argument specifies the Unified ICM instance name for which the service is being setup.

/Service <ServiceType>

  • The Service argument specifies the type of the service whose account name and password are being created (for example: /Service Distributor). Service types to be used are:
    • Distributor
    • LoggerA – For use when on Side A of the logger or for All-In-1 ICM/CCE
    • LoggerB – For use when on Side B of the logger only
    • Jaguar

/Log <Path\LogFileName>

  • The Log argument specifies the log file name and the path where the log is appended. Typically, Web Setup and the Cisco Unified ICM/CCE/CCH Installer pass their own log file name so that the logs are appended to it. The Service Account Manager also maintains its own log file in the temp folder.

Note


  • If any one of the arguments is missing or incorrect, the Service Account Manager returns an error to Setup.
  • If Setup needs to create accounts for more than one service, it invokes the Service Account Manager multiple times using the command line interface.

Set Service Account Memberships for CICM Replication

When upgrading Unified ICMH to Unified ICM 9.0 (or later), the CICM replication process (CRPL) does not have the permissions it needs to make configuration updates to customer instances unless Active Directory is configured manually.

This configuration entails adding the standalone NAM's Logger service accounts to the service groups of the CICMs, so that the standalone NAM's service account has the permissions necessary to update the database of each CICM.

One function the Service Account Manager provides is to automate these manual configuration steps (as described at http://www.cisco.com/en/US/products/sw/custcosw/ps5053/products_tech_note09186a00806c6609.shtml). This functionality is exposed through the Service Account Manager command-line interface described in Service Account Memberships Setup for CICM Replication.

Typically this functionality is used through two batch files (one for the A side and one for the B side), each containing an entry for every CICM as a destination (/Dest). Run the corresponding batch file after each execution of Web Setup to configure the Active Directory permissions properly.
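As an added example that is not part of the Cisco page or product, the following PowerShell script plays the role of one of those per-side batch files: run on a standalone NAM Logger, it invokes the Service Account Manager command line once per CICM destination, logs each run, and reports any destination that failed. The switch names (/SrcInstance, /DestDomain, /DestFacility, /DestInstance) come from the page; the executable path, the space between a switch and its value, a non-zero exit code on failure, and the destination list are assumptions made for this illustration.

```powershell
<#
  Added example, not Cisco's code: the per-side CICM replication script described above.
  Assumptions (not from the page): ServiceAccountManager.exe location, switch/value
  spacing, non-zero exit code on failure, and the constructed destination list below.
#>
param(
    [Parameter(Mandatory)] [string] $SrcInstance,                     # NAM instance on this Logger side
    [string] $SamExe  = 'C:\icm\bin\ServiceAccountManager.exe',       # assumed install path
    [string] $LogFile = (Join-Path $env:TEMP 'sam-cicm-replication.log')
)

# Constructed destination list: one entry per CICM this NAM replicates to (placeholders).
$destinations = @(
    @{ Domain = 'cicm1.example.com'; Facility = 'FAC01'; Instance = 'cicm01' },
    @{ Domain = 'cicm2.example.com'; Facility = 'FAC02'; Instance = 'cicm02' }
)

if (-not (Test-Path $SamExe)) { throw "Service Account Manager not found at $SamExe" }
$failed = @()

foreach ($d in $destinations) {
    # Same four switches the page lists for the NAM Logger command line.
    $samArgs = @('/SrcInstance',  $SrcInstance,
                 '/DestDomain',   $d.Domain,
                 '/DestFacility', $d.Facility,
                 '/DestInstance', $d.Instance)

    "$(Get-Date -Format u) RUN $SamExe $($samArgs -join ' ')" | Add-Content -Path $LogFile
    $output = & $SamExe @samArgs 2>&1
    $output | Add-Content -Path $LogFile

    # The page says SAM returns an error when arguments are missing or incorrect;
    # a non-zero process exit code is assumed here to be how that error surfaces.
    if ($LASTEXITCODE -ne 0) {
        $failed += "$($d.Facility)/$($d.Instance)"
        Write-Warning "SAM failed for $($d.Domain) $($d.Facility)/$($d.Instance) (exit $LASTEXITCODE); see $LogFile"
    }
}

if ($failed) {
    Write-Error "Service account membership not set for: $($failed -join ', ')"
    exit 1
}
Write-Host "Service account memberships set for $($destinations.Count) CICM destination(s)."
```

Keep one copy of the script per Logger side with that side's NAM instance name, and run it after every Web Setup execution, because Setup can reset the memberships it grants. Check the log file it writes alongside SAM's own log in the temp folder when a destination is reported as failed.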

Create New Account for Single Service

Procedure
    Step 1   Select a single service from Main Service Account Manager dialog box.
    Step 2   Click Edit Service Account.

    The Edit Service Account dialog box opens.

    Step 3   Select Create New Account.

    If no domain account is associated with the service then Create New Account is selected by default.

    Step 4   Enter a password or have one generated randomly.

    Random-Generated Password is selected by default.

    Step 5   Click Apply.

    The Service Account Manager creates a new account in AD with a password.

    If the account name already exists, the Service Account Manager asks you to either recreate it, or just update the password.

    The application associates the account with the service on the server. It places the account in the required domain security group and local security group, and sets the required permissions. Service account gets recreated, or just the password changes, based on your selection prior to clicking Apply.

    Note    If the Service Account Manager fails to put the account in domain security group, it asks you to rerun the application 20 minutes later to give AD time to replicate the account.

Update Existing Account for Single Service

Procedure
    Step 1   Select a single service from Main Service Account Manager dialog box.
    Step 2   Click Edit Service Account.

    The Edit Service Account dialog box opens.

    Step 3   Select Use Existing Account.

    If a domain account is associated with the service, Use Existing Account is selected by default.

    Step 4   Enter a password.
    Step 5   Choose whether or not to update the password in AD.
    Step 6   Click Apply.

    If previously selected, the Service Account Manager updates the password in AD. It updates the service on the server with the new account information.

    The Service Account Manager then places the account in the required domain security group and local security group, and sets the required permissions.

    Note    If the Service Account Manager fails to put the account in the domain security group, the application asks you to rerun the application 20 minutes later to give AD time to replicate the account.

Create New Accounts for More Than One Service

Procedure
    Step 1   Select multiple services or click Select All.
    Note    Use the normal Windows conventions for selecting all or multiple services.
    Step 2   Click Edit Service Account.

    The Edit Service Account dialog box opens.

    The Service Name column lists all services. Because multiple services are selected, Use Existing Account is selected by default.

    Step 3   Click Create New Account.

    A separate service account is created for each service.

    Step 4   Enter a password, or have one generated randomly.

    If you choose to enter a password, the same password is shared across all accounts.

    If you choose to randomize the password, a separate random password is generated for each account.

    Step 5   Click Apply.

    The Service Account Manager creates multiple accounts in AD with the password. The application associates each account with the respective service on the server. It places the accounts in the required domain security group and local security group, and sets the required permissions.

    Note    If the Service Account Manager fails to put an account in the domain security group, it asks you to rerun the application 20 minutes later to give AD time to replicate the account.

Update Existing Account for More Than One Service

Procedure
    Step 1   Select multiple services or click Select All on the Main Service Account Manager dialog box.
    Step 2   Click Edit Service Account.

    The Edit Service Account dialog box opens.

    The Service Name column lists all services. Because multiple services are selected, Use Existing Account is selected by default.

    Step 3   Enter an account name.
    Step 4   Enter a password.
    Step 5   Choose whether or not to update the password in AD.
    Step 6   Click Apply.

    If previously selected, the Service Account Manager updates the password in AD. It updates the services on the server with the new account information.

    The Service Account Manager then places the account in the required domain security group and local security group, and sets the required permissions.

    Note    If the Service Account Manager fails to put the account in the domain security group, the application asks you to rerun the application 20 minutes later to give AD time to replicate the account.

Fix Account Displaying Group Membership Missing State

Fix Group Membership is only enabled when an account in the "Group Membership Missing" health state is selected.

Procedure
    Step 1   Select the unhealthy accounts displaying the "Group Membership Missing" state.
    Step 2   Click Fix Group Membership.

    If any of the selected accounts is not in the "Group Membership Missing" state, Fix Group Membership is disabled.

    Step 3   Click Apply.

    The Service Account Manager then places the accounts in the required domain security group and local security group, and sets the required permissions.

    Note    If the Service Account Manager fails to place the accounts in the groups, it provides an appropriate error.