What is involved in an upgrade to Quest Authentication Services (QAS) 4.x from QAS 3.x?
The purpose of this document is to address some Frequently Asked Questions (FAQs) around upgrading to QAS 4.x.
Firstly, Quest recommends reviewing the upgrade document included with QAS 4.x and also attached to this article. This should answer most questions and concerns.
NOTE: Quest recommends testing the upgrade procedure in a test environment before moving into production.
Some frequently asked questions about upgrading to QAS 4.x:
1. Will my 3.x installation (clients) stop working when I start moving to 4.x?
Older versions of QAS will continue to work. Different versions of QAS joined Unix or Linux machines can co-exist in the same Active Directory (AD) infrastructure. Prepping the domain for QAS 4.x will not affect older versions in any way. This facilitates the need to upgrade machines in stages which is often necessary due to size and complexity scenarios.
2. What changes will need to be made to AD?
There is a new component for QAS 4.x to operate properly with AD. This is the Q.A.C or Quest Application Configuration. This is an object that is installed with Control Center that holds data like licenses, default settings and minimum and maximum UID and GID ranges. This is a fully reversible change. More information about the Q.A.C. can be found here:
Please see the upgrade guide or the install guide for instructions on installing Control Center and Q.A.C., both of which are attached to this article.
3. Are there any changes to authentication?
There is a change to the default logon attribute used for authenticating users in the domain. In version 3.x we used the 'UserPrincipalName' attribute for authenticating users in AD. Since that attribute is not a mandatory attribute we are now using 'saMAccountName' as the default attribute. This default can be changed back if required using Control Center.
4. Is it necessary to 'install' QAS 4.0.x on all of the administrator's work stations if they will not be using the QAS control center?
Yes it is currently necessary to install QAS on the windows system that will be managing the users to get the ADUC extension. In the 3.X days there was a seperate exe that could be installed, this is no longer the case. There is a product enhancement request to have a seperate install for the extension which may be implemented in the future.
QAS 2.6 does not have an upgade path. That software needs to be uninstalled before a newer version can be installed.
You can set the the logon attribute locally before upgrading by running the following command on each client:
/opt/quest/bin/vastool configure vas vasd username-attr-name userPrincipalName
The command will modify /etc/opt/quest/vas/vas.conf file and add the following setting:
username-attr-name = userPrincipalName
There is more information about Windows permissions needed in the AuthenticationServices_4.0_AdminGuide.pdf which is in the doc folder of the download. It is in the Introduction to Quest Authentication Service section and then Windows Permissions.