Lithnet Access Manager

Installing Access Manager in a Failover Cluster


High availability is an Enterprise edition feature

Prerequisites

Installing Access Manager in a failover cluster requires the following:

  • A Lithnet Access Manager enterprise edition license

  • At least one Windows Server 2012 R2 domain controller in the domain where AMS will be installed

  • The KDS root key in the domain must be enabled

  • The same account must be used on all hosts in the farm. A group-managed service account is strongly recommended

  • Each host must be running the same version of the Access Manager Service at all times

  • An external SQL server, or an SQL server that is installed in the same cluster where Access Manager will be installed

  • You must meet the hardware and storage requirements for a Microsoft failover cluster

Note: Using SQL Express is not supported when deploying Access Manager into a failover cluster.
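The KDS root key and service account prerequisites can be checked on each prospective node before running the installer. The following is an added example, not part of the Lithnet documentation; it assumes the RSAT ActiveDirectory module is installed, and `svc-ams` is a placeholder account name.

```powershell
# Added example: run on each prospective cluster node, in an elevated session.
# Assumptions: RSAT ActiveDirectory module installed; 'svc-ams' is a placeholder gMSA name.
Import-Module ActiveDirectory

$GmsaName = 'svc-ams'   # placeholder: your group-managed service account

# KDS root key: must exist and already be effective, or gMSA passwords cannot be generated.
# Reading it requires Domain Admins or Enterprise Admins rights.
$kdsKey = Get-KdsRootKey | Where-Object { $_.EffectiveTime -le (Get-Date) }
if (-not $kdsKey) {
    Write-Warning 'No effective KDS root key was returned (none exists, or this account cannot read it).'
}

# gMSA: list who may retrieve the managed password. Keep this limited to the cluster nodes
# (or a group containing only them), since any listed principal can run as the service.
$gmsa = Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$gmsa.PrincipalsAllowedToRetrieveManagedPassword |
    ForEach-Object { "Allowed to retrieve password: $_" }

# Confirm that THIS host can actually retrieve and use the gMSA.
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    throw "$env:COMPUTERNAME cannot use gMSA '$GmsaName'. Check the allowed principals for this node."
}
"$env:COMPUTERNAME can use gMSA '$GmsaName'."
```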

Installation procedure

1. Install and configure the base cluster service

Follow the steps outlined in Microsoft documentation for creating a new failover cluster. Stop once you reach the section for Creating clustered roles and continue from this guide.

2. Configure the cluster quorum

If you are setting up a cluster containing an even number of nodes, you must configure an appropriate witness to ensure a cluster quorum.

3. Install Access Manager

  • On the first node, run the Access Manager Service installer.

  • Enter the name of a group-managed service account when prompted. You must use the same account on all cluster nodes.

  • Specify the connection string to the SQL server you want to use with this instance. Note, SQL Express is not supported when installing Access Manager in a cluster.

  • When the installer finishes, launch the Lithnet Access Manager Configuration Tool from the start menu

  • Start the service if prompted, and navigate to the Host configuration page.

  • Import or select the SSL certificate you want to use for this host. Enable the web app and API as required.

  • On the licensing page, provide your AMS license key

  • Save the config, and restart the service when prompted

  • Repeat this process for the next cluster node. Make sure to use identical service accounts, connection strings, and SSL certificates on each server. You will not need to provide the license key after installing it on the first node.

5. Install the cluster role

  • Once AMS has been installed on all nodes, open the Failover Cluster Manager and go to the Roles node of the cluster

  • Click Configure Role... from the actions pane

  • Select Generic service as the role type

  • Select Lithnet Access Manager Service from the services list

  • Provide an IP address and name for your client access point. This will be the name of the clustered service, and by default, forms the AD hostname of the cluster

  • Skip the shared storage and registry replication screens, and complete the remaining steps of the wizard

  • Ensure the new role transitions to an 'online' state

  • Use the Failover Cluster Manager to move the role to each node in turn, testing that the service starts correctly on each node.
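The failover test in the last step can also be scripted. The following is an added example, not part of the Lithnet documentation: it moves the role to every node in turn, waits for it to come online, and confirms each node runs the service under the same account. It assumes the FailoverClusters module, WinRM access to the nodes for the CIM query, and `ams` as a placeholder for the role name you entered as the client access point.

```powershell
# Added example: run on one cluster node, elevated. Requires the FailoverClusters module.
# Assumption: 'ams' is a placeholder for the role name entered as the client access point.
Import-Module FailoverClusters

$RoleName = 'ams'   # placeholder

$nodes = Get-ClusterNode | Where-Object State -eq 'Up'
$report = foreach ($node in $nodes) {
    # Move the role and give the generic service time to start on the new owner.
    Move-ClusterGroup -Name $RoleName -Node $node.Name | Out-Null
    $deadline = (Get-Date).AddSeconds(120)
    do {
        Start-Sleep -Seconds 5
        $group = Get-ClusterGroup -Name $RoleName
    } until ($group.State -eq 'Online' -or (Get-Date) -gt $deadline)

    # Record the service state and identity on this node (queried over WinRM).
    $svc = Get-CimInstance Win32_Service -ComputerName $node.Name `
        -Filter "DisplayName='Lithnet Access Manager Service'"
    [pscustomobject]@{
        Node         = $node.Name
        RoleState    = $group.State
        Owner        = $group.OwnerNode.Name
        ServiceState = $svc.State
        RunsAs       = $svc.StartName
    }
}
$report | Format-Table -AutoSize

# Fail loudly if any node could not bring the role online or uses a different account.
$bad = $report | Where-Object { $_.RoleState -ne 'Online' -or $_.Owner -ne $_.Node }
if ($bad) { throw "Role did not come online on: $($bad.Node -join ', ')" }
if (($report.RunsAs | Sort-Object -Unique).Count -gt 1) {
    throw 'Nodes run the service under different accounts.'
}
```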

At this point, the cluster-specific configuration is complete. You can now follow the steps in the installation guide for configuring the AMS features as appropriate for your environment.
