
What’s involved in the deployment process

Most of the planning in this chapter has focused on designing the auditing infrastructure and
deciding where to install components. The following illustration provides a visual summary of the
complete deployment process and highlights the keys to success. The sections after the
flowchart provide additional details about what’s involved in each phase or the decisions you will
need to make, such as who should be part of the deployment team, where to install the
software, and who has permission to do what.

Plan

During the first phase of the deployment, you collect and analyze details about your
organization’s requirements and goals. You can then also make preliminary decisions about
sizing, network communication, where to install components, and what your zone structure
should look like.
Here are the key steps involved:
☐ Identify the goals of the deployment.
   ● Is identity and privilege management or auditing a primary goal?
   ● Are identity and privilege management and auditing equally important to the organization?
   ● Is auditing important for specific computers?
   ● Is auditing important for computers used to perform administrative tasks?
   ● Is auditing important for computers that host specific applications or sensitive information?
   ● Should auditing be required for users in specific groups or with specific roles?
   For example, if auditing is important, are you primarily interested in auditing Windows servers,
   such as SQL Server, Exchange, and IIS, administrative workstations, or computers that host
   specific applications or sensitive information?
☐ Assemble a deployment team with Active Directory and other expertise.
   ● People with specific knowledge, such as Exchange, IIS, or SharePoint administrators.
   ● If auditing, at least one Microsoft SQL Server database administrator.
☐ Provide basic training on Centrify architecture, concepts, and terminology.
☐ Study the existing environment to identify target computers where you plan to install Centrify
   components.
   ● Plan for permissions and the appropriate separation of duties for your organization.
   ● Review network connections, port requirements, and firewall configuration.
     For more information about network communication and the ports used, see Default ports for
     network traffic and communication.
   ● Identify computers for administration.
      a. Basic deployment—Access Manager and Deployment Manager
      b. Auditing—Audit Manager and Audit Analyzer consoles
   ● Identify computers to be used as collectors, audit stores, and the management database.
      c. Verify that you have reliable, high-speed network connections between components that
         collect and transfer audit data.
      d. Verify you have sufficient disk storage for the first audit store database.
   ● Identify the initial target group of computers to be managed and audited.
☐ Design a basic zone structure that suits your organization.
   ● Single or multiple top-level parents.
   ● Initial child zones, for example, separate zones for different functional departments or
     administrative groups.

Prepare

After you have analyzed the environment, you should prepare the Active Directory
organizational units and groups to use. You can then install administrative consoles and the
auditing infrastructure, and prepare initial zones.
Here are the key steps involved:
☐ (Optional) Create organizational units or containers to define a scope of authority.
   The deployment team should consult with the Active Directory enterprise administrator to
   determine whether any additional containers or organizational units would be useful, who should
   be responsible for creating Licenses and Zones container objects, and who will manage the
   objects in those containers.
☐ (Optional) Create the additional Active Directory security groups for your organization.
   Groups can simplify permission management and the separation of duties.
☐ Install Access Manager on at least one administrative Windows computer.
☐ Open Access Manager for the first time to run the Setup Wizard for the Active Directory
   domain.
☐ Create a parent zone and the appropriate child zones as identified in your basic zone design.
   The hierarchical zone structure you use depends primarily on how you want to use inheritance
   and roles.
☐ Prepare Windows computer accounts in the appropriate zones and assign the default
   Windows Login role to the appropriate Active Directory users and groups.
☐ Install Audit Manager and Audit Analyzer together or separately.
☐ Create an installation and a management database on one computer.
☐ Create an audit store and audit store database on at least one computer.
☐ Install a collector on at least two computers.

Deploy

After you have prepared Active Directory, installed administrative consoles on at least one
computer, created at least one zone, and prepared the auditing infrastructure, you are ready to
deploy on the computers to be managed.
Here are the key steps involved:
☐ Create Desktop, Application, and Network Access rights.
☐ Add Desktop, Application, and Network Access rights to custom role definitions.
☐ Assign custom roles to the appropriate Active Directory users and groups.
☐ Install the Centrify agent for Windows on a target set of computers.
☐ Join the appropriate zones.
☐ Prepare a Group Policy Object for deploying agents remotely using a group policy.
☐ Assign the appropriate permissions to the users and groups who should have access to audit
   data.

Validate

After you have deployed agents on target computers, you should test and verify operations
before deploying on additional computers.
Here are the key steps involved:
☐ Log on locally to a target computer using an Active Directory user account and password to
   verify Active Directory authentication and Windows Login role assignment.
☐ Open a Remote Desktop Connection to a target computer to verify Active Directory
   authentication and Windows Login role assignment on a remote computer.
☐ Create a new desktop that gives you administrative rights and verify that you can start and
   stop Windows services or perform other administrative tasks.
☐ Right-click an application, select Run using selected roles, then select an available role for
   running the application.
☐ Open Audit Analyzer and query for your user session if auditing is enabled.

Manage

After you have tested and verified identity management, privilege management, and auditing
operations, you are ready to begin managing the installation and refining ongoing operations.
Here are the key steps involved if you are deploying identity management, privilege management,
and auditing for Windows computers:
☐ Secure the installation.
☐ Add roles and assign roles and permissions to the appropriate users, groups, and computers.
☐ Delegate administrative tasks to the appropriate users and groups for each zone.
☐ Deploy additional group policies on the appropriate organizational units.
☐ Create new databases and rotate the active database.
☐ Archive and delete old audit data.
☐ Automate key administrative tasks using Centrify-defined PowerShell-based cmdlets and
   scripts.

https://docs.centrify.com/en/css/2018-html/#page/Managing_Windows/win_adm_deploy_process.html
