Secret Server Disaster Recovery 101
Part 1: Form your DR plan
Just like any tool that enhances your company’s security, the security of the tool itself is of ultimate importance. That means no backdoors and no way for Thycotic or anyone other than yourselves to decrypt your data. This is really important, but it also makes a disaster recovery plan critical to ensure your organization’s data and hard work will be preserved in any scenario. Secret Server is designed with multiple DR options; below is a guide to the fundamental points of Secret Server disaster recovery. Don’t forget to review your disaster recovery plan regularly to make sure it meets your current needs.
The “absolute minimum” backup plan
At minimum, have a backup of your encryption.config file and database. This is the MOST IMPORTANT part!! We can’t emphasize this enough. If you lose your database, you lose your data, and if you lose your encryption.config file, you lose any ability to read that data.
For your security, we do not have copies of anyone’s encryption.config file.
Back up your encryption.config file by copying it from your Secret Server application directory. See Choose your backup option, below, for more information about taking a manual backup of your SQL database.
The comprehensive backup plan
Backing up your database and encryption.config file will allow you to restore Secret Server in an emergency, but will likely require the assistance of technical support if you don’t have the application files as well.
For a more comprehensive backup, back up the entire Secret Server application directory. This will preserve not only your encryption.config file but also the application files matching the Secret Server version of your database and files such as the web-appSettings.config that you may have customized with additional settings.
Choose your backup option
So how do I perform the backups, you might ask?
- Back up files through the Secret Server UI. Do this from Administration > Backups. Specify a file path to back up the files. From this page, you can either perform a backup right away or configure automatic backups. For further details, see the Backup/Disaster Recovery section of the User Guide.
- Back up files through Windows on the server(s) hosting Secret Server. This involves (1) taking a backup of the database through SQL Server Management Studio, and (2) sending the Secret Server application directory to a .zip file. See How to manually backup Secret Server for instructions.
Choose your backup paths wisely. Remember that you’ll need the files in the event that your primary servers go down, so backing them up to the same local server won’t do you any good.
Whether you choose to manage backups through Secret Server, manually, or with another tool in your environment, make sure they’re done regularly, and as a standard process before major changes are made to the server, such as migrating or upgrading Secret Server.
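One way to script the manual option and check its result, as an added example that is not Thycotic's own code. The application directory, SQL instance, database name and backup share are assumed placeholders, and the script assumes the SqlServer PowerShell module is installed.

```powershell
# Added example; every path and name below is an assumed placeholder.
# Backup-SqlDatabase comes from the SqlServer module.
#Requires -Modules SqlServer
$ErrorActionPreference = 'Stop'

$AppDir      = 'C:\inetpub\wwwroot\SecretServer'      # assumed application directory
$SqlInstance = 'SQL01.example.local'                  # assumed SQL Server instance
$Database    = 'SecretServer'                         # assumed database name
$Dest        = '\\backup01.example.local\ss-backups'  # assumed off-server share

# Refuse a destination on this server: a local copy is lost along with it.
$uri = [Uri]$Dest
if (-not $uri.IsUnc -or ($uri.Host -split '\.')[0] -in @($env:COMPUTERNAME, 'localhost')) {
    throw "Backup destination '$Dest' must be a share on a different server."
}

$set = Join-Path $Dest (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $set | Out-Null

# 1. encryption.config on its own: without it the database cannot be read.
Copy-Item (Join-Path $AppDir 'encryption.config') $set

# 2. The whole application directory (version-matched files, customized configs).
$zip = Join-Path $set 'SecretServer-app.zip'
Compress-Archive -Path (Join-Path $AppDir '*') -DestinationPath $zip

# 3. Full database backup. SQL Server itself writes this file, so its service
#    account needs write access to the share.
$bak = Join-Path $set "$Database.bak"
Backup-SqlDatabase -ServerInstance $SqlInstance -Database $Database -BackupFile $bak

# Verify the archive really contains encryption.config.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$archive = [System.IO.Compression.ZipFile]::OpenRead($zip)
try     { $hasKey = @($archive.Entries | Where-Object FullName -eq 'encryption.config').Count -gt 0 }
finally { $archive.Dispose() }
if (-not $hasKey) { throw 'encryption.config is missing from the application archive.' }

# Fail on empty files, then record SHA-256 hashes for checking before a restore.
$files = Get-ChildItem $set -File
$files | Where-Object Length -eq 0 | ForEach-Object { throw "Empty backup file: $($_.Name)" }
$files | Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, @{ n = 'File'; e = { Split-Path $_.Path -Leaf } } |
    Export-Csv (Join-Path $set 'SHA256SUMS.csv') -NoTypeInformation
```

The resulting backup set holds both the database and the file needed to read it, so restrict access to the share accordingly.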
Know the important accounts
Know which accounts are running your application pool and connecting Secret Server to the SQL Server database. In the event that you need to set up Secret Server on a backup server, you will need to know which account(s) to use to run the application pool and connect Secret Server to the SQL database. These accounts are configured during installation. For more information about the accounts (including how to determine the identity running your application pool), see the Installation Guide.
Know your local admin account password
Can’t log in with domain credentials? When troubleshooting login issues for domain accounts, you’ll need to have the ability to log in with a local account that has administrative rights. (Remember that local admin account you created when first installing Secret Server?) Knowing these credentials will allow you to log into Secret Server when your domain authentication isn’t working and access Active Directory sync issues. Keep a reminder of this account in a safe place, such as a safe; if Secret Server is down, you won’t be able to log in to find it. One suggestion: store a cleartext export of your most important Secrets as a printed copy in a safe or other physically secure location. See the User Guide for more information about cleartext exports.
Make use of our support number
If you are preparing for disaster recovery or find yourself in an actual DR situation, our technical support team is available to help! Give us a call and we’ll help you get things sorted out.
Keep an eye out for Part 2 of our disaster recovery review, where we’ll cover how to use your backups to restore Secret Server in a DR scenario.