I recently embarked on the adventure of installing BizTalk in a distributed environment. I setup the application on 3 servers - all running Windows Server 2003 SP1:
Stand-alone SSO Server
Engine/Rules Server
Database Server (all databases)
The servers all live in a single AD Domain. Users live in the parent domain (currently i don't have any users - as I just installed).
Here are a few things I ran into...
Setup actually went fine, but configuation of the engine server was a bit difficult due to MSDTC setup issues, and a few BizTalk group permissions issues related to SSO. These are the types of issues you can solve in a few minutes if you know where to look, but took me several hours to discover and resolve.
First, DTC - I believe the documentation with BizTalk is lacking in readability, but does mention the basics here.
- You must allow network DTC via the option under Add/Remove programsWindows Componentsapplication serverEnable Network DTC Access. Reboot required. http://support.microsoft.com/default.aspx?scid=kb;en-us;817064
- DTC service must have good network access on a broad range of ports. http://support.microsoft.com/default.aspx?scid=kb;en-us;306843
After this, issues tend to be permissions related. I needed to make the registry hack to turn off DTC security:
http://support.microsoft.com/default.aspx?scid=kb;en-us;839187
For SP1, the DTC configuration editor has been enhanced, and you may be interested in that information, though I didn't have to make any changes here...
Finally, for testing DTC I used DTCTest and DTCPing
http://download.microsoft.com/download/e/a/2/ea20a97f-672d-4826-8e52-1e83e7d9ddfb/dtcping.exe
http://download.microsoft.com/download/b/8/8/b8841bfc-8bd3-4fea-a5f5-06e1f162bd9a/dtctest.exe
OK, with DTC working, the configuration began to fail on a permissions issue. Which, once I looked into the application event log (never forget about your event logs), was quite clear. The setup user was not authorized in SSO. This is clearly stated in the docs, I just missed it. The user performing the setup has to be in the SSO Administrators group.
To be sure, I was a bit unclear from the docs about all the groups, and if in a domain or local how they had to be setup. I created the 2 admin groups (BizTalk and SSO) both in the domain, and on each of the 3 servers. I pointed the local groups to the domain groups, and added my parent domain account locally on the installation server only. During configuration all groups were pointed to domain groups, and these other groups were created only at the domain level.
I created 3 users in the domain - an SSO service account, a biztalk general services account, and a biztalk host account. The biztalk services account was in all groups, the sso account in the SSO admins group, and the host account in the 2 host groups. During configuration the 2 biztalk domain accounts were specified for the appropriate services.
Finally, I did make a couple of changes to the SSO server, but I don't think they actually made anything work. However, I think the documentation is lacking here. The SSO administration tools are in the program files/common files/enterprise single sign-on folder. I used
- ssoconfig -backupsecret to create a master key backup
- ssomanage -serverall to set the SSO server for all users (this seemed helpful, but not sure)
- various ssomanage listings to see the state of SSO installation.
That got me through installation and configuration. Now, I am off to try and follow along with the tutorial.
Posts
No comments:
Post a Comment