Two possible domain level changes that could affect the InfoPlus.21 (IP.21) database include:
1. Changing the domain that the IP.21 server computer account resides in
2. Changing the domain that the IP.21 Administrator account resides in
For the first scenario, one is moving the IP.21 server computer account from one domain to another domain. Doing this changes the fully qualified computer name for the IP.21 server. For example, if the IP.21 server hostname is IP21Serv and currently resides in the OLD_DOMAIN domain, the fully qualified name would be something similar to IP21Serv.OLD_DOMAIN.companyname.com. If one moves the server to the NEW_DOMAIN domain, the new fully qualified host name would be IP21Serv.NEW_DOMAIN.companyname.com.
For the second scenario, one is changing the account used to start the IP.21 database from an account in the OLD_DOMAIN to an account in the NEW_DOMAIN. This account name is listed in the Services tool (Start | Settings | Control Panel | Administrative Tools | Services) for the Aspen InfoPlus.21 Task Service. Under the Log On tab for this service, a domain account should be specified as the account used to start up the service. For example, if the user account used to start this service were IP21Admin, the account would be listed in the service as OLD_DOMAIN\IP21Admin. After switching over to the account in the new domain, the account would be listed as NEW_DOMAIN\IP21Admin.
The following solution details how the IP.21 database can be affected by these domain changes and what steps one can take to ensure a seamless transition.
*********** Changing the domain for the IP.21 server computer account ***********
1. If the new domain is separate from the domain that holds the user accounts for the IP.21 users and the IP.21 task service, ensure that the domains have a trust relationship. A two-way trust relationship is required. This should be verified prior to switching the IP.21 server over to the new domain.
2. Verify that the old fully qualified domain name is not referenced by client applications when accessing the IP.21 server. If the full computer name, rather than the short hostname (i.e. IP21Serv), is listed in a data source configuration tool such as ADSA or Local Security (see note below), these references must be modified.
Note: One would only need to check the Local Security configuration if Local Security was installed on the same computer as the IP.21 server.
To check the ADSA configuration, open the ADSA Client Config Tool (Start | Programs | AspenTech | Common Utilities) on the ADSA server or on a client computer. Select the data source for the IP.21 server and select the Edit button. Check through the services listed for the data source to verify the hostname is correct.
To check the Local Security configuration, open the AFW Tools application on a client computer. (Start | Programs | AspenTech | AFW Tools). On the Client Registry Entries tab, double click the URL setting. Check the Data field to ensure that the correct server name is listed in the URL path. It should look something similar to "http://IP21Serv/AspenTech/AFW/Security/pfwauthz.asp"
Other client applications may use means of accessing IP.21 other than through ADSA. If it is unclear how a particular client application accesses IP.21 and there are concerns that there may be problems after changing the server domain, please contact support.
The general procedure when changing domain for a computer account typically involves rebooting the computer. Once the NT Administrator switches the IP.21 Server to the new domain and the computer is rebooted, IP.21 should start up as normal. Client applications should be able to connect successfully assuming that they are not referencing the old fully qualified domain name.
*********** Changing the domain for the IP.21 Administrator account ***********
Changing the account used to start up the IP.21 services involves more steps. In addition to modifying the account listed for the AspenTech services, the services must be restarted, the IP.21 System Account should be updated (if running IP.21 v5.0 or higher), and the DCOM settings must be updated.
To switch over to the new domain account:
1. Add the new domain user account to the local Administrator group on the IP.21 Server.
2. If Local Security is used, add the domain user account into the Aspen Local Security Administrator role in the AFW Security Manager.
3. Update DCOM security settings allowing for the new domain account to administer IP.21
a. Select Start | Run
b. Type dcomcnfg and click [OK]
c. In the Distributed COM Configuration Properties window select Default Security Tab
d. Click [Edit Default] for the default access permissions
e. In the Registry Value Permissions window Click [Add]
f. In the Add Users and Groups window, select the new domain and click on the [Show Users] button
g. Find and select the user name and click on [Add] to add the user to the Add Names list box.
h. Make sure Allow Access shows in the type of access at the bottom of the window.
i. Click [OK] to return to the Registry Value Permissions window. The selected user will show up in the Names list box.
j. Click [OK] in the Registry Value Permissions and Distributed COM Configuration Properties windows
4. Stop IP.21 from the IP.21 Manager.
5. On the IP.21 server, open the Services Tool. Stop any AspenTech services that start up under a specific account, such as the Aspen InfoPlus.21 Task Service.
Note: Services that require a specific account depend on version and products installed. Some possible services that would require updating include:
AFW Security Client Service
Aspen Audit and Compliance Server
Aspen SQLplus Authorization Server
Aspen Production Record Manager BCU Service
Aspen Production Record Manager Services
Aspen InfoPlus.21 Task Service
AspenTech Calculator Engine
CIM-IO Manager
On each service requiring a domain account, update the account and password fields for the new domain user account. Restart the service after the account is updated. Starting the Aspen InfoPlus.21 Task Service should start up the IP.21 Database.
6. Open the IP.21 Manager. Check to see if the database is starting due to the restart of the Task Service. If not, then manually restart the database using the "Start InfoPlus.21" button in the IP.21 Manager.
7. Update the IP.21 System Account used for auto-starting IP.21 on a reboot:
a. Open the IP.21 Administrator. To do so, right-click on the Aspen InfoPlus.21 Administrator desktop app (or shift-right-click on some older Windows operating systems), select run-as-different-user, and use the OLD service account to run the app. Next, right click on the database name and select [Properties] from the context menu.
b. Select the System Account tab on the Properties window. It should show that the system account is the old domain account and that the task service account is the new account.
c. Tick the check box for "Set System Account Equal to Task Service Account".
d. Click [OK] and close the IP.21 Administrator tool.
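The following PowerShell is an added example, not part of the original article or of any AspenTech tooling. It audits the outcome of steps 1 and 5 above by listing services whose log-on account still belongs to the old domain and by checking that the new account is a direct member of the local Administrators group. The function names are hypothetical, the sample rows are constructed, and OLD_DOMAIN, NEW_DOMAIN and IP21Admin are the article's placeholder names.

```powershell
# Added example. OLD_DOMAIN, NEW_DOMAIN and IP21Admin are the article's placeholder names.
function Get-ServiceLogonAudit {
    param(
        [Parameter(Mandatory)] [string] $OldDomain,
        [Parameter(Mandatory)] [string] $NewAccount,
        # Defaults to the live service list; pass objects to run the logic on sample data.
        [object[]] $Services = (Get-CimInstance -ClassName Win32_Service)
    )
    foreach ($svc in $Services) {
        $logon = [string]$svc.StartName
        # Skip built-in identities; only named accounts are affected by the domain change.
        if (-not $logon -or $logon -match '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)') { continue }
        $status = if ($logon.StartsWith("$OldDomain\", [StringComparison]::OrdinalIgnoreCase)) {
            'STILL_OLD_DOMAIN'      # step 5 was missed for this service
        } elseif ($logon -ieq $NewAccount) {
            'MIGRATED'
        } else {
            'OTHER_ACCOUNT'         # local or third-domain account; review manually
        }
        [pscustomobject]@{
            DisplayName = $svc.DisplayName
            LogOnAs     = $logon
            State       = $svc.State
            Status      = $status
        }
    }
}

function Test-LocalAdminMember {
    param([Parameter(Mandatory)] [string] $Account)
    # S-1-5-32-544 is the well-known SID of the built-in Administrators group.
    # Only direct members are listed; membership through a nested domain group is not resolved.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
    [bool]($members | Where-Object { $_.Name -ieq $Account })
}

# Constructed sample rows standing in for Win32_Service output (not from a real server).
$sample = @(
    [pscustomobject]@{ DisplayName = 'Aspen InfoPlus.21 Task Service'; StartName = 'NEW_DOMAIN\IP21Admin'; State = 'Running' }
    [pscustomobject]@{ DisplayName = 'CIM-IO Manager'; StartName = 'OLD_DOMAIN\IP21Admin'; State = 'Stopped' }
    [pscustomobject]@{ DisplayName = 'Constructed system service'; StartName = 'LocalSystem'; State = 'Running' }
)
Get-ServiceLogonAudit -OldDomain 'OLD_DOMAIN' -NewAccount 'NEW_DOMAIN\IP21Admin' -Services $sample |
    Format-Table -AutoSize

# On the IP.21 server itself:
#   Get-ServiceLogonAudit -OldDomain 'OLD_DOMAIN' -NewAccount 'NEW_DOMAIN\IP21Admin'
#   Test-LocalAdminMember -Account 'NEW_DOMAIN\IP21Admin'
```

The comparison assumes log-on accounts are stored in DOMAIN\user form, as shown in the Services tool; an account entered in user@domain form would be reported as OTHER_ACCOUNT and needs a manual look.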
If Local Security is used, both the IP.21 Administrator account and the anonymous user account for the AspenTech virtual directory (see note below) must have read access to group membership information from the domain housing the client user accounts. This is required so that the IP.21 security components can access group membership information for user authentication to the IP.21 database.
Note: To see what account is being used as the anonymous user account for the AspenTech Virtual folder:
1. Open the Internet Information Services Manager from Start | Settings | Control Panel | Administrative Tools | Internet Information Services (IIS) Manager
2. Under the Default Web Site, browse to the AspenTech folder and double-click on it.
3. Now, double-click on the Authentication icon in the IIS section in the right pane. Enable Anonymous Authentication.
4. By default, the IUSR_nodename account is used for anonymous access. This is a local computer account that gets created when IIS is installed on a machine. This is the account that needs to have read permission to the domain controller information. In some cases, a domain account needs to be used for the Anonymous User account in place of the IUSR_nodename account, as the IUSR account is not granted read access to the group list information in the domain controller. If needed, replace the Anonymous User account in the AspenTech virtual directory with an account that does have permission to resolve group information from the Domain. Typically, the account used as the IP.21 Administrator account is sufficient. If this account is changed then IIS must be restarted.
One can use the SSTest or the aspenONE diagnostics utilities to help determine whether or not the anonymous user account for the AspenTech virtual directory needs to be replaced. SSTest is located in the C:\Program Files (x86)\AspenTech\BPE folder. The aspenONE Diagnostics can be run from the Start menu. If the account specified as the Anonymous User does not have correct domain controller permissions, the SSTest utility will fail the "Performing Client ADSI Domain Test".
To verify that IP.21 is working correctly once the domain changes have taken effect, test the client applications such as Process Explorer to make sure they can connect to the database. Verify that one can open the IP.21 Administrator and access the IP.21 database. Also, try opening the AFW Security Manager utility from the security server machine. If there was a problem with security, the Security Manager would fail to open. If there are problems with any of these checks please contact support.