How do I upgrade from Group Policy Administrator (GPA) version 4.x to version 5.0? (NETIQKB52230)

  • Document ID:7752230
  • Creation Date:02-Feb-2007
  • Modified Date:17-Oct-2007
    • Micro Focus Products:
      Group Policy Administrator

Resolution

goal
How do I upgrade from Group Policy Administrator (GPA) version 4.x to version 5.0?

goal
If the database is upgraded to 5.0 first, will the 4.6 consoles still be able to connect to it?

goal
What versions of Group Policy Administrator can be upgraded directly to version 5.0?

goal
What is the upgrade process from GPA 4.x to GPA 5.0?

fact
NetIQ Group Policy Administrator 4.x

fact
NetIQ Group Policy Administrator 5.0

fix

Upgrading from Previous Versions
You can upgrade to GPA 5.0 from GPA 4.0, 4.5, and 4.6. The upgrade process is the same for each of these earlier versions of GPA. To continue using your earlier version of GPA without interruption until you have completed the upgrade process, you need to install the new GPA components in the following order:

  1. GP Repository
  2. GPA Server
  3. GPA Console

To improve security, this version of GPA includes new restrictions that help ensure only authorized access to the GP Repository. The upgraded GPA Consoles must use an authorization code, called the Repository Authorization Code, to access the GP Repository. The GPA Server uses a new service account, called the GPA Security account, to access the GP Repository.

Upgrade Overview
The following list provides a summary of the steps to follow to upgrade GPA, as well as links to detailed instructions to complete the upgrade. If you are not using the GPA Server in your current configuration, skip any steps that pertain to installing the GPA Server.

The new GPA Server replaces the existing version, which depended on Microsoft Internet Information Server (IIS). The new GPA Server and existing GPA Server cannot be installed on the same computer at the same time. To install the new GPA Server and leave the existing GPA Server in place until you have finished upgrading GPA Consoles, you need to install the new GPA Server on a separate computer from your existing GPA Server computer. If you attempt to install the new GPA Server on the same computer as the existing GPA Server, the installer will uninstall the existing version and then install the new version.

  1. Create the GPA Security account. For more information about the GPA Security account, see Understanding the GPA Security account.
  2. Upgrade the GP Repository. Existing GPA Consoles and GPA Servers will work with the new GP Repository until you set the Repository Authorization Code.
  3. Install the new GPA Server. Existing GPA Consoles will continue to use the existing GPA Server and new GPA Consoles will use the new GPA Server. The existing GPA Server will work with the new GP Repository until you set the Repository Authorization Code. 
  4. Upgrade GPA Consoles.
  5. Uninstall any GPA Consoles you did not upgrade.
  6. Uninstall the prior version of the GPA Server.
  7. Set the Repository Authorization Code on the GP Repository.

Understanding the Repository Authorization Code
The Repository Authorization Code is a unique identifier for every GP Repository that GPA Consoles must use to communicate with the GP Repository. You specify the Repository Authorization Code when you upgrade the GP Repository. Although you have the option to accept a default value, defining your own Repository Authorization Code ensures a higher level of security for your GPA installation. Follow best practices for creating strong passwords, such as using a combination of upper and lowercase letters, numbers, and special characters.

Record the Repository Authorization Code you define for later use. Although you specify a Repository Authorization code during the upgrade, the installer does not set the code on the GP Repository. You must set the Repository Authorization Code on the GP Repository using the NqGPARepConfig tool. You set the code on the GP Repository as the last step in the upgrade process to ensure older versions of the GPA Console and GPA Server can continue to access the GP Repository. You must also provide the Repository Authorization Code whenever you install a GPA Console to enable communication between the GP Repository and the GPA Console.

If you are setting up an environment with more than one GP Repository, you can use the same Repository Authorization Code for each one. Using the sam.
e code greatly simplifies your administration of GPA Consoles and ensures that each GPA Console can communicate with any GP Repository.

Understanding the GPA Security Account
The GPA Security account is a service account that has permission to change the Repository Authorization code. The Repository Authorization Code is a unique identifier you create when you install the GP Repository that each GPA Console must use to access the GP Repository. You use the GPA Security account to change the Repository Authorization Code after installation. For example, you may need to change the Repository Authorization code if the original code is compromised. If you are using the GPA Server, the GPA Server uses the GPA Security account to access the GP Repository. The GPA Security account also has special permissions on the GP Repository that the GPA Server needs to export GPOs.

Creating the GPA Security Account
By default, GPA uses the credentials of the user account used to upgrade the GP Repository for the GPA Security account. Creating a separate service account improves GPO security by limiting the functions the GPA Security account performs to a specific service account. Creating a specific service account also improves change control and auditing by being able to uniquely identify the tasks the GPA Service account performs.

The GPA Security account must be a member of the Domain Users group and requires no other Active Directory permissions.

To create the GPA Security account:

  1. Using an account with domain administrator privileges, log on to the domain where you plan to upgrade the GP Repository.
  2. Run the Active Directory Users & Computers console.
  3. Create a new service account called "GPA Security Account."

Upgrading the GP Repository
To install the GP Repository, your user account must have administrative rights in the domain as well as database administrator rights for Microsoft SQL Server. Before you begin the upgrade, ensure that all GPOs are checked into the GP Repository.

If the GP Repository you want to upgrade is installed on the same computer as the GPA Server, you will either have to uninstall the old GPA Server or replace it with the new GPA Server to complete the GP Repository upgrade. The following installation instructions replace the old GPA Server with the new GPA Server if it is present.

Do not forget to record the Repository Authorization Code you define during the GP Repository upgrade. You need to configure each upgraded GPA Console to use the Repository Authorization Code. You also need to set this code on the GP Repository at the end of the upgrade process using the NqGPARepConfig tool.

To upgrade the GP Repository:

  1. Log on to the computer where you want to install the GP Repository with an account that has domain administrator and Microsoft SQL Server database administrator permissions.
  2. Close all open applications.
  3. Run the setup program from the GPA installation kit.
  4. Click Begin Setup on the Setup tab.
  5. Click Next.
  6. To confirm you want to upgrade the GP Repository, click Next.
  7. Specify the user and organization information and the application settings, and then click Next.
  8. Confirm that Custom is selected, and then click Next.
  9. Expand Components.
  10. Confirm that Database is set to Will be installed on local hard drive.
  11. If there are other GPA components installed on the same computer as the GP Repository, such as the GPA Console or GPA Server, confirm that they are also set to Will be installed on local hard driveSTRONG>.
  12. Select Entire feature will be unavailable for any remaining components, and then click Next.
  13. Follow the remaining instructions in the installation program until you finish installing the GP Repository.
  14. To complete the installation, click Finish.

Installing the GPA Server
The GPA Server is an optional component. If you are not using the GPA Server in your current configuration, you do not need to install the GPA Server as part of the upgrade process.

If you install the new GPA Server, you must install it in the same domain or a domain trusted by the domain where you upgraded the GP Repository. A one-to-one relationship exists between the GP Repository and the GPA Server. You can install only one GPA Server per GP Repository.

GPA includes a Prerequisite Checker with the GPA installation kit. The Prerequisite Checker helps you ensure the computer on which you install the GPA Server is ready for the GPA Server implementation. Run the Prerequisite Checker before installing the GPA Server.

If you want to install the GPA Server on a computer that has a prior version of the GPA Console, you will either have to uninstall the prior version of the GPA Console or upgrade it to the new GPA Console to complete the GPA Server installation. The following installation instructions upgrade the prior version of the GPA Console to the new GPA Console if it is present.

To install the GPA Server, your user account must also have local administrator privileges on the computer where you want to install the GPA Server.

To install the GPA Server:

  1. Log on to the computer where you want to install the GPA Server with an account that has domain administrator and Microsoft SQL Server database administrator permissions.
  2. Close all open applications.
  3. Run the setup program from the GPA installation kit.
  4. Click Begin Setup on the Setup tab.
  5. Click Next.
  6. If you are installing the new GPA Server on the same computer where you installed an earlier version of the GPA Server, the installer prompts you to confirm you want to continue. To continue, click Next.
  7. Specify the user and organization information and the application settings, and then click Next.
  8. Confirm that Custom is selected, and then click Next.
  9. Expand Components.
  10. Confirm that Server is set to Will be installed on local hard drive.
  11. If there are other GPA components installed on the same computer as the GP Server, such as the GPA Console, confirm that they are also set to Will be installed on local hard drive.
  12. Select Entire feature will be unavailable for any remaining components, and then click Next.
  13. Follow the remaining instructions in the installation program until you finish installing the GPA Server.
  14. To complete the installation, click Finish.

Upgrading the GPA Console
You can install the GPA Console on multiple computers to distribute Group Policy management tasks among several GPA users. To install the GPA Console, you must know the Repository Authorization Code of the GP Repository with which the GPA Console is going to communicate. Your user account must also have local administrator rights on the computer where you want to install the GPA Console.

If you are using an Export Override account to export GPOs from the GP Repository, you must also re-configure the Export Override account after you upgrade the GPA Console.

To upgrade the GPA Console:

<.
OL>
  • Log on to the computer where you want to upgrade the GPA Console with an account that has local administrator permissions.
  • Close all open applications.
  • Run the setup program from the GPA installation kit.
  • Click Begin Setup on the Setup tab.
  • Click Next.
  • To confirm you want to upgrade the GPA Console, click Next.
  • Specify the user and organization information and the application settings, and then click Next.
  • Select Console, and then click Next.
  • Choose whether to use the previously installed license or browse to the location of a new license file, and then click Next.
  • Accept the default installation directory or browse to a new location, and then click Next.
  • Enter the Repository Authorization Code you defined when you upgraded the GP Repository, and then click Next.
  • Follow the remaining instructions in the installation program until you finish installing the GPA Console.
  • To complete the installation, click Finish.

    • Each GPA user who starts the GPA Console for the first time must provide the Repository Authorization Code for the GP Repository with which the GPA Console is communicating. Each GPA user needs to provide the Repository Authorization Code only once.

    Setting the Repository Authorization Code
    Once you have completed upgrading all the GPA components, you can set the Repository Authorization Code on the GP Repository. Once you set the Repository Authorization Code, prior versions of the GPA Console and GPA Server will no longer work with the new GP Repository. Use the NqGPARepConfig tool to set the Repository Authorization Code.

    To set the Repository Authorization Code:

    1. Log on to the computer where you installed the GP Repository with an account that has domain administrator permissions and database administrator permissions for Microsoft SQL Server.
    2. Open a command prompt window.
    3. Change directory locations to the \Program Files\NetIQ\Group Policy Administrator\Tools folder.
    4. Type the following command:
      NqGPARepConfig /RepAuthCode:RepositoryAuthorizationCode
      where RepositoryAuthorizationCode is the code you defined when you upgraded the GP Repository.

    For more information about using the NqGPARepConfig tool, type NqGPARepConfig /? at the command prompt to see the usage statement.

    .


    note
    Note: This information can also be obtained from the GPA 5.0 release notes.

    Additional Information

    Formerly known as NETIQKB52230