Migrating Passwordstate to a New Domain Part 2

A few weeks ago, we published a blog article on Moving the Passwordstate instance to a new Domain that has a Domain Trust.  That was the first permutation, and this week’s blog covers the second permutation: moving a Passwordstate instance to a new Domain without a Domain Trust.

The images used in this blog are taken from Builds 9630 (also used in Part 1) and 9653.

Prerequisites – The Same As In Part 1

Again, your instance of Passwordstate will need to be on Version 8 or 9, the same as the first part in this series.

And again, make sure you have the following,

  • A recent successful backup of Passwordstate, including the database.  You can confirm this by navigating to Administration->Backups
  • Your Emergency Access password in case you need it.  To get this navigate to Administration->Emergency Access

Tasks on the Old Passwordstate Website

Now we’ll perform the required tasks on the Old Passwordstate instance prior to the move.  We’ll need to set up a new Privileged Account Credential that uses an AD Account with permissions to read AD accounts and security groups in the new Domain.  To do this navigate to Administration->Privileged Account Credentials,

We’ll also add the new Domain name under Active Directory Domains.  To do this navigate to Administration->Active Directory Domains, and specify the newly created Privileged Account Credential in the Account with Read Access field.

Next, we’ll add in the new Authorized Web Server under Administration->Authorized Web Servers,

If you have specified any IP Address Ranges in Allowed IP Ranges then these should be recorded for later and deleted (for now).  To do this navigate to Administration->System Settings->Allowed IP Ranges, and delete all listed networks.  The only network range you should retain is for the New Domain,

You’ll now need to create an Account in Passwordstate that will be used to login on the new Domain.  This is done by navigating to Administration->User Accounts.  Again, if you are using Client Access Licenses and are running short, you can temporarily toggle one of the existing user accounts to disabled,

Once done, you’ll need to add all the Roles for the new Account you’ve just created under Administration->Security Administrators,

Next, you’ll need to stop the Passwordstate website in IIS to prevent any users from logging in to Passwordstate.
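
One way to carry out and verify this step from an elevated PowerShell session on the existing web server, as an added example that is not from Click Studios: it stops the site, confirms the state, and reports any client connections still established on the site's ports.  The IIS site name 'Passwordstate' is an assumption and should be changed to match your server.

```powershell
#Requires -RunAsAdministrator
# Added example: stop the Passwordstate IIS site and confirm it is no longer serving users.
Import-Module WebAdministration

# ASSUMPTION: the IIS site name; it is not given in the article, so adjust it.
$SiteName = 'Passwordstate'

$site = Get-Website | Where-Object { $_.Name -eq $SiteName }
if (-not $site) { throw "IIS site '$SiteName' was not found on this server." }

# Record the HTTP/HTTPS ports before stopping, so lingering sessions can be checked.
# bindingInformation has the form 'IP:port:hostname'; the port is the second-to-last field.
$ports = @(Get-WebBinding -Name $SiteName |
    Where-Object { $_.protocol -in 'http', 'https' } |
    ForEach-Object { [int](($_.bindingInformation -split ':')[-2]) } |
    Sort-Object -Unique)

if ($site.State -ne 'Stopped') { Stop-Website -Name $SiteName }

$state = (Get-Website | Where-Object { $_.Name -eq $SiteName }).State
if ($state -ne 'Stopped') { throw "Site '$SiteName' is still in state '$state'." }

# Connections still established on the site's ports. If another IIS site shares a
# port, these may belong to that site rather than to Passwordstate.
$open = @()
if ($ports.Count -gt 0) {
    $open = @(Get-NetTCPConnection -LocalPort $ports -State Established -ErrorAction SilentlyContinue)
}

# Summary to keep with the migration record.
[pscustomobject]@{
    Site            = $SiteName
    State           = $state
    Ports           = $ports -join ','
    OpenConnections = $open.Count
    RemoteAddresses = ($open.RemoteAddress | Sort-Object -Unique) -join ','
}
```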

Domain Move and Then Test Login

You’re now ready to move your Passwordstate instance to the new Domain.  The instructions for this can be found on our website here,

Please Note: the order shown here is the reverse of that shown in Part 1 of this series.  It is important to perform the instructions in the order listed,

  1. First (Red Circle 1), perform the database backup and move using the instructions in the document Moving Passwordstate To A New Database Server
  2. Then (Red Circle 2), perform the webserver move to the new Domain following the instructions in the document Moving Passwordstate To A New Web Server,

Now you’ll need to login from a PC in the new Domain and browse to the Passwordstate URL for the instance you just moved.  If this is successful then you’re ready to continue.

Tasks Post Move To New Domain

If the login with the new account was successful, you’ll need to set the new Domain as the Default and then delete the old Domain.  To do this navigate to Administration->Active Directory Domains, click on the Actions icon next to your new Domain and then select Toggle Default Status.  This will change the current Domain to the default.  You can then delete the old Domain from the Actions icon.

Now navigate to Administration->System Settings->Miscellaneous and update the Base URL field to match your new Passwordstate URL,

You can now start creating the Domain’s Accounts and granting access to the existing Data in Passwordstate.  To do this navigate to Administration->User Accounts.  Here you could either add them one at a time, or alternatively use the Add from AD button, 

Then search and select Users or Security Groups (and their members) to add,

Once you have your User Accounts created, and you’re still on the User Accounts screen, click on the Clone User Permissions button.  This is used to clone permissions between the old Domain’s accounts and the New Domain’s Accounts.  You can do this one at a time like below,

Or by clicking on the Clone Multiple Users button, you can generate a CSV file that can be populated and uploaded.

Next, you’ll need to add the appropriate Security Groups if you’re applying permissions based on AD Security Group membership.  This is not required for Local Groups.  To do this navigate to Administration->Security Groups and click on Add AD Security Group,

Once you’ve added your Security Groups you can Clone Permissions between the old Domain’s Security Groups and the new Domain’s Security Groups,

Final Configuration Changes (If Required)

There are a number of other settings that may need to be changed, depending on your use of them,

  1. If you update passwords in Active Directory, you’ll need a Privileged Account Credential associated with the Domain.  This is configured under Administration->Active Directory Domains,
  2. If you are using any Password Reset features and / or scripts you’ll need to update each of their Privileged Account Credentials with the new Domain Account.  This is configured under Administration->Privileged Account Credentials,
  3. If you are using our Backup feature, you’ll need to update the settings under Administration->Backups.  Full instructions on the required permissions are documented under Help->Security Administrators Manual->Backups,
  4. Navigate to Administration->System Settings->Allowed IP Ranges, and add back in any network ranges that you removed prior to the Passwordstate migration,
  5. Review and change your email server settings if required.  This is performed under Administration->System Settings->Email Alerts & Options.

Now Test, And Test Again

Finally, restart the Passwordstate Windows Service to ensure that unattended processing of tasks will occur as normal.  To do this start the Microsoft Services Desktop Application on your Passwordstate webserver, select the Passwordstate Service, right click on it and select Restart,

You’ve now effectively migrated your entire Passwordstate instance, inclusive of website, database and data structure to the new Domain, and cloned permissions from each of the old accounts to the corresponding new account.

Now you need to test and make sure all those users can still see and access all the credentials that they have been granted permission to.  Only when you’re comfortable that all data is accessible by those that should have it should you delete the old Passwordstate User Accounts and Security Groups in your new instance and then remove the old Passwordstate instance.

If you’d like to share your feedback please send it through to support@clickstudios.com.au.