[Windows]

Considerations when promoting Windows servers to domain controllers

When promoting a Windows server to a domain controller, you should consider whether the security setting relating to user and group permissions is appropriate. When changing the state of a Windows machine between server and domain controller, you should also take into consideration that the change can affect the operation of IBM® MQ, because IBM MQ uses a locally defined mqm group.

Security settings relating to domain user and group permissions

IBM MQ relies on group membership information to implement its security policy, which means that it is important that the user ID that is performing IBM MQ operations can determine the group memberships of other users.

When you promote a Windows server to a domain controller, you are presented with an option for the security setting relating to user and group permissions. This option controls whether arbitrary users are able to retrieve group memberships from Active Directory. If a domain controller is set up so that local accounts do have the authority to query the group membership of the domain user accounts, the default user ID created by IBM MQ during the installation process can obtain group memberships for other users as required. However, if a domain controller is set up so that local accounts do not have the authority to query the group membership of the domain user accounts, IBM MQ cannot complete its checks that users who are defined on the domain are authorized to access queue managers or queues, and access fails. If you are using Windows on a domain controller that has been set up in this way, a special domain user account with the required permissions must be used.

In this case, you need to know:
  • How security permissions for your version of Windows behave.
  • How to allow domain mqm group members to read group membership.
  • How to configure an IBM MQ Windows service to run under a domain user.
For more information, see Configuring user accounts for IBM MQ.

IBM MQ access to the local mqm group

When Windows servers are promoted to, or demoted from, domain controllers, IBM MQ loses access to the local mqm group.

When a server is promoted to be a domain controller, the scope of the mqm group changes from local to domain local. When the machine is demoted to server, all domain local groups are removed. This means that changing a machine from server to domain controller and back to server loses the local mqm group. The symptom is an error indicating the lack of a local mqm group, for example:

>crtmqm qm0
AMQ8066:Local mqm group not found.

To remedy this problem, re-create the local mqm group using the standard Windows management tools. Because all group membership information is lost, you must reinstate privileged IBM MQ users in the newly created local mqm group. If the machine is a domain member, you must also add the domain mqm group to the local mqm group to grant privileged domain IBM MQ user IDs the required level of authority.
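The remedy above, as an added PowerShell example that is not part of the IBM MQ documentation: it checks for the local mqm group, re-creates it if missing, reinstates the privileged users, and adds the domain mqm group when the machine is a domain member. It assumes a domain member server (not a domain controller) with the Microsoft.PowerShell.LocalAccounts cmdlets available and an elevated session; the group and account names given as parameters are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not IBM MQ's own tooling. Re-creates the local mqm group after a
# server has been demoted from domain controller and restores the memberships
# that the promotion/demotion cycle discards.
param(
    # Placeholder: the domain-level mqm group (replace with your domain and group name)
    [string]$DomainMqmGroup = 'EXAMPLE\Domain mqm',
    # Placeholder: the IBM MQ service account and any other privileged users that
    # were members of the local mqm group before the server was promoted
    [string[]]$PrivilegedUsers = @('EXAMPLE\mqservice', 'EXAMPLE\mqadmin')
)

$groupName = 'mqm'

# 1. Re-create the local mqm group if it is missing (the AMQ8066 symptom).
$group = Get-LocalGroup -Name $groupName -ErrorAction SilentlyContinue
if (-not $group) {
    Write-Host "Local group '$groupName' not found; re-creating it."
    $group = New-LocalGroup -Name $groupName -Description 'IBM MQ local mqm group (re-created)'
} else {
    Write-Host "Local group '$groupName' already exists; only membership will be checked."
}

# 2. Build the member list: privileged users always, the domain mqm group only
#    when the machine is actually joined to a domain.
$isDomainMember = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
$members = @($PrivilegedUsers)
if ($isDomainMember) { $members += $DomainMqmGroup }

# Existing members are reported as DOMAIN\name or COMPUTER\name; compare case-insensitively.
$current = Get-LocalGroupMember -Group $groupName | ForEach-Object { $_.Name.ToLowerInvariant() }
foreach ($m in $members) {
    $asLocal = "$env:COMPUTERNAME\$m".ToLowerInvariant()
    if ($current -contains $m.ToLowerInvariant() -or $current -contains $asLocal) {
        Write-Host "Already a member: $m"
        continue
    }
    try {
        Add-LocalGroupMember -Group $groupName -Member $m -ErrorAction Stop
        Write-Host "Added: $m"
    } catch {
        # An account that no longer exists or a domain that cannot be resolved lands here.
        Write-Warning "Could not add '$m' to '$groupName': $($_.Exception.Message)"
    }
}

# 3. Show the resulting membership so it can be compared with the pre-promotion state.
Get-LocalGroupMember -Group $groupName | Select-Object Name, ObjectClass, PrincipalSource
```

After the group is restored, re-run the failing command (for example crtmqm) to confirm the AMQ8066 error no longer occurs.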