7.1 Understanding Control Center Installation

Control Center consists of the following components:

  • CCDB, a SQL Server database that stores information Control Center collects from the QDBs it manages, user preferences, and security settings

    You can install the CCDB to remote SQL Servers. You do not have to run the setup program on the SQL Server.

    You can install the CCDB and the QDB on computers that belong to different domains. For more information about installing the QDB, see Section 6.0, Installing a Management Site.

    For information about installing the CCDB on MSCS, see Section D.0, Installing on Microsoft Cluster Service.

  • Command queue service, a Windows service that performs the following functions:

    • Retrieves commands from the CCDB, sends them to the appropriate QDBs, and maintains the command status

    • Supports multiple Control Center consoles if they are connected to the same CCDB

    • Handles error recovery

  • Deployment Service, which communicates with the CCDB to process deployment rules and tasks

    The computer where you install the Deployment Service is the deployment server. You can have multiple deployment servers for deploying agents remotely. If a firewall is active on your network between the deployment server and the CCDB, the Deployment Service can run in proxy mode, which allows it to use the Deployment Web Service to communicate with the CCDB. For more information about how the Deployment Service communicates with the CCDB and enabling the service to run in proxy mode, see Section 7.1.4, Understanding Deployment Server Configuration.

  • Deployment Web Service, which consists of two Web services on a Microsoft Internet Information Services (IIS) server called the Web Depot

    The Deployment Web Service performs the following functions:

    Installing the Deployment Web Service creates three virtual directories under the default website in IIS:

    • DeploymentWebService

    • ProxyDeploymentWebService

    • WebDepot

    The ProxyDeploymentWebService directory is only used if you run the Deployment Service in proxy mode for cross-firewall deployments.

  • Control Center console, which connects to the CCDB and allows you to run jobs on the systems and applications you manage across multiple QDBs

Because you need a Windows agent to enable Control Center to monitor the health of AppManager components, the setup program automatically selects the agent components (the agent services and the AppManager for Microsoft Windows module) for installation when you select the Control Center and Deployment services for installation. For more information about installing agents, see Section 8.0, Installing Agent Components.

NetIQ Corporation recommends distributing Control Center components across computers to improve performance. Because the command queue service runs under a Windows user account and connects to the CCDB using that account, ensure no firewall is present between the command queue service and CCDB computers. On computers running Microsoft Windows Server 2008 or later, a firewall is enabled by default; on those computers you need to open, at a minimum, ports 1433 and 135.
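The following PowerShell is an added example, not part of the NetIQ documentation. It opens the two ports named above on the CCDB computer for the command queue service computer only, then lists the resulting rules. It assumes the NetSecurity cmdlets (Windows Server 2012 or later); the rule names and the address 192.0.2.10 are constructed placeholders.

```powershell
# Run elevated on the CCDB computer.
# Placeholder address of the command queue service computer (constructed sample).
$CommandQueueHost = '192.0.2.10'

# The two ports the documentation names as the minimum.
# Labels are descriptive only: 1433 is the SQL Server default instance port,
# 135 is the RPC endpoint mapper.
$rules = @(
    @{ Name = 'CCDB - SQL Server (TCP 1433)';         Port = 1433 },
    @{ Name = 'CCDB - RPC endpoint mapper (TCP 135)'; Port = 135 }
)

foreach ($r in $rules) {
    # Create each rule once; re-running the script does not duplicate rules.
    $existing = Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue
    if (-not $existing) {
        # -RemoteAddress limits the opening to the one computer that needs it
        # instead of exposing the port to the whole network.
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort $r.Port -RemoteAddress $CommandQueueHost |
            Out-Null
    }
}

# Review what was created: rule name, state, port, and allowed source.
Get-NetFirewallRule -DisplayName 'CCDB - *' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        LocalPort     = $port.LocalPort
        RemoteAddress = $addr.RemoteAddress
    }
}

# Run on the command queue service computer to confirm both ports answer.
# 'ccdb.example.test' is a placeholder host name.
function Test-CcdbPorts {
    param([Parameter(Mandatory)][string]$CcdbComputer)
    foreach ($p in 1433, 135) {
        $t = Test-NetConnection -ComputerName $CcdbComputer -Port $p `
            -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $p; Reachable = $t.TcpTestSucceeded }
    }
}
# Test-CcdbPorts -CcdbComputer 'ccdb.example.test'
```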

If you distribute Control Center components across computers and use Windows authentication between Control Center and the QDBs it manages, configure Kerberos delegation to ensure successful communication between components. For more information about configuring Kerberos delegation, see Section 7.3, Configuring Kerberos Delegation for a Distributed Control Center Environment.

While larger networks require multiple QDBs and management servers, a single CCDB can manage your entire organization. Similarly, a single Deployment Web Service is sufficient for your entire organization. NetIQ Corporation recommends installing multiple deployment servers reporting to a single Deployment Web Service and CCDB. Install a deployment server for every firewall-separated segment of your network.

If you install Control Center components on computers in separate network domains, the CCDB uses both the domain name and user name for authentication purposes. Making connections between Control Center components across untrusted domains is not possible unless you install the CCDB on a SQL Server instance using SQL authentication. To allow a Control Center console to connect to a CCDB in a different trusted network domain using Windows authentication, you must add an Administrator account (in domain\Administrator format) as a Control Center user. For more information about adding users to Control Center, see the Administrator Guide for AppManager, available on the AppManager Documentation page.

7.1.1 Understanding Microsoft DTC Connectivity

The CCDB uses Microsoft Distributed Transaction Coordinator (DTC) to connect to the QDBs it manages. DTC must run as a service on the CCDB computer. During Control Center and Deployment services installation, you can run a utility to verify that DTC connectivity exists between the CCDB and each QDB it will manage. For more information about checking DTC connectivity and troubleshooting connectivity issues, see Section 7.7.1, Verifying Microsoft DTC Connectivity and Section 7.7.3, Troubleshooting DTC Connectivity.

7.1.2 Understanding the CCDB Accounts

During CCDB installation, the setup program prompts you for an account that can log in to the SQL Server to create the CCDB, and for an account to serve as database owner of the CCDB. For more information about the account requirements, see Section 2.3, Reviewing Required Accounts and Permissions.

7.1.3 Understanding the Command Queue Service, Deployment Service, and Deployment Web Service Accounts

Each service runs under a Windows user account that allows the service to connect to the CCDB. The command queue service can also use the account to access each managed QDB. For more information about the account requirements, see Section 2.3, Reviewing Required Accounts and Permissions.

If a firewall is present between the Deployment Service and the CCDB, the Deployment Service uses the Deployment Web Service account to connect to the CCDB. For more information about how the Deployment Service connects to the CCDB, see Section 7.1.4, Understanding Deployment Server Configuration.

You can change the Deployment Service and Deployment Web Service accounts after installation. For more information about changing the Deployment Service account, see Section 7.8, Changing the Deployment Service User Account. For more information about changing the Deployment Web Service account, see Section 7.9, Changing the Deployment Web Service User Account.

7.1.4 Understanding Deployment Server Configuration

The Deployment Service must be able to retrieve task information from the CCDB, either directly or in proxy mode. If you plan to install multiple Deployment Services, NetIQ Corporation recommends co-locating them in your remote sites.

If no firewall is active between the deployment server and the CCDB, the Deployment Service requires a Windows user account to access the CCDB. If the Deployment Service cannot directly access the CCDB because of firewalls, the deployment server must use the Deployment Web Service as a proxy to access the CCDB. In this case, the deployment server uses the Deployment Web Service account to connect to the CCDB.

To allow the Deployment Service to run in proxy mode, enable SSL security on the IIS Web Server for the default website and install an SSL certificate signed by a certification authority on the proxy deployment server and the Deployment Web Service computer. Do not use a self-signed certificate. When you enable SSL security, do not enable the option to require SSL for the certificate. For more information about installing an SSL certificate, see the Microsoft documentation for your operating system.
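The following PowerShell is an added example, not part of the NetIQ documentation. It checks the certificates in the local computer store against the requirement above (signed by a certification authority, not self-signed) before you bind one to the default website. The function name Test-ProxyModeCertificate is hypothetical.

```powershell
# Run on the proxy deployment server and on the Deployment Web Service computer.
function Test-ProxyModeCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $problems = @()

    # A self-signed certificate names itself as issuer. Check this explicitly:
    # a self-signed certificate that someone added to the trusted root store
    # would still pass the chain build below.
    if ($Certificate.Subject -eq $Certificate.Issuer) {
        $problems += 'self-signed (subject equals issuer)'
    }

    # Reject certificates that are not yet valid or already expired.
    $now = Get-Date
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
        $problems += 'outside validity period'
    }

    # Build the chain against this computer's trust store. Revocation checking
    # stays at the .NET default (online), so a server that cannot reach the
    # CA's revocation endpoints reports RevocationStatusUnknown here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Certificate)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "chain does not validate: $status"
    }
    $chain.Reset()

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Subject    = $Certificate.Subject
        Issuer     = $Certificate.Issuer
        NotAfter   = $Certificate.NotAfter
        Acceptable = ($problems.Count -eq 0)
        Problems   = $problems -join '; '
    }
}

# Evaluate every certificate in the local computer's personal store.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-ProxyModeCertificate -Certificate $_ } |
    Format-Table Subject, Issuer, NotAfter, Acceptable, Problems -AutoSize
```

Run it on both computers, because a CA-signed certificate that validates on one can still fail the chain build on the other if the issuing CA is not trusted there.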

7.1.5 Understanding Package and Deployment Rule Check-in

If you are installing the Deployment Web Service, you can select to check in packages and rules for use in remote deployment. If you choose not to check in packages and rules as part of installation, you can check them in later using the Control Center console. For more information about checking in packages and rules after installation, see the Control Center User Guide for AppManager, available on the AppManager Documentation page.

Packages are installation files for deploying agents and modules. The package check-in procedure makes the installation and configuration files associated with all modules and the Windows agent available to the Control Center console and CCDB.

The default deployment rules are samples that can help you perform basic deployments of agents and modules, with modifications. The rules are disabled by default. Deployment does not occur until you edit and configure the rules for your environment and enable them.

7.1.6 Discovering Control Center Components for Health Monitoring

Once the setup program successfully installs the command queue service, if an agent is already present, the setup program automatically runs the Discovery_AMHealth Knowledge Script to prepare Control Center components for health monitoring in Control Center. Otherwise, the setup program runs the Knowledge Script after agent installation. For information about using Control Center to monitor the health of your AppManager components, see the Control Center User Guide for AppManager, available on the AppManager Documentation page.