Windows domains and multi-instance queue managers
A multi-instance queue manager on Windows requires its data and logs to be shared. The share must be accessible to all instances of the queue manager running on different servers or workstations. Configure the queue managers and share as part of a Windows domain. The queue manager can run on a domain workstation or server, or on the domain controller.
This change restricts the clients that are allowed to make remote calls to the Security Accounts Manager (SAM), and it can affect IBM® MQ: queue managers can fail to start. Access to SAM is critical to the functioning of IBM MQ when IBM MQ is configured to run under a domain account.
Before configuring a multi-instance queue manager, read Secure unshared queue manager data and log directories and files on Windows and Securing shared queue manager data and log directories and files on Windows to review how to control access to queue manager data and log files. The topics are educational; if you want to go directly to setting up shared directories for a multi-instance queue manager in a Windows domain, see Creating a multi-instance queue manager on domain workstations or servers on Windows.
Run a multi-instance queue manager on domain workstations or servers
From IBM WebSphere® MQ 7.1, multi-instance queue managers run on a workstation or server that is a member of a domain. To run a multi-instance queue manager on Windows, you require a domain controller, a file server, and two workstations or servers running the same queue manager connected to the same domain.
The change that makes it possible to run a multi-instance queue manager on any server or workstation in a domain is that you can now create a queue manager with an additional security group. The additional security group is passed to the crtmqm command in the -a parameter. You secure the directories that contain the queue manager data and logs with the group. The user ID that runs queue manager processes must be a member of this group. When the queue manager accesses the directories, Windows checks the permissions the user ID has to access the directories. By giving both the group and the user ID domain scope, the user ID running the queue manager processes has credentials from the global group. When the queue manager is running on a different server, the user ID running the queue manager processes can have the same credentials. The user ID does not have to be the same; it has to be a member of the alternative security group, as well as a member of the local mqm group.
See Creating a multi-instance queue manager on domain workstations or servers on Windows for details on creating a multi-instance queue manager.
- Creating an Active Directory and DNS domain on Windows.
- Installing IBM MQ on a server or workstation in a Windows domain.
- Creating a shared directory for queue manager data and log files on Windows.
- Reading and writing shared data and log files authorized by an alternative global security group.
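The following PowerShell script is an added example, not part of the IBM MQ documentation. It checks, on one node, the three conditions described above (service account in the alternative global group, service account in the local mqm group, shared data and log directories granting that group access) before invoking crtmqm with the -a parameter; the domain, group, account, share paths and queue manager name are constructed placeholders, and -md and -ld are the standard crtmqm options for the data and log paths.

```powershell
# Added example: verify the prerequisites for a multi-instance queue manager on a
# domain workstation or server, then create it with the alternative security group.
# All names below are constructed placeholders; adjust them for your domain.
#Requires -Modules ActiveDirectory

$Domain      = 'EXAMPLE'                 # NetBIOS domain name (placeholder)
$AccessGroup = 'wmq'                     # alternative global security group (placeholder)
$ServiceUser = 'mqsvc'                   # account that runs queue manager processes (placeholder)
$DataPath    = '\\fileserver\wmq\data'   # shared queue manager data directory (placeholder)
$LogPath     = '\\fileserver\wmq\log'    # shared queue manager log directory (placeholder)
$Qmgr        = 'QMGR1'                   # queue manager name (placeholder)

$problems = @()

# 1. The service account must be in the domain global group (resolved recursively,
#    so membership through a nested group also counts).
$inGroup = Get-ADGroupMember -Identity $AccessGroup -Recursive |
    Where-Object { $_.SamAccountName -eq $ServiceUser }
if (-not $inGroup) { $problems += "$ServiceUser is not a member of $Domain\$AccessGroup" }

# 2. The service account must also be in the local mqm group on this node.
#    The account may differ between nodes, but each one must be in mqm.
$inMqm = Get-LocalGroupMember -Group 'mqm' |
    Where-Object { $_.Name -eq "$Domain\$ServiceUser" }
if (-not $inMqm) { $problems += "$ServiceUser is not a member of the local mqm group" }

# 3. The shared directories must grant the *global* group full control; a local
#    group would not be recognised by the other node.
$full = [System.Security.AccessControl.FileSystemRights]::FullControl
foreach ($path in @($DataPath, $LogPath)) {
    $rule = (Get-Acl -Path $path).Access | Where-Object {
        $_.IdentityReference.Value -eq "$Domain\$AccessGroup" -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $full) -eq $full)
    }
    if (-not $rule) { $problems += "$path does not grant FullControl to $Domain\$AccessGroup" }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}

# All checks passed: create the queue manager, passing the alternative security
# group with -a and the shared data (-md) and log (-ld) directories.
crtmqm -a "$Domain\$AccessGroup" -md $DataPath -ld $LogPath $Qmgr
```

Run the script on each node that will host an instance; the group membership check is the part that most often differs between nodes when the queue manager fails to start on the second one.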
Run a multi-instance queue manager on domain controllers
Queue manager data could be secured with the domain mqm group. As the topic Securing shared queue manager data and log directories and files on Windows explains, you cannot share directories secured with the local mqm group on workstations or servers. However, on domain controllers all groups and principals have domain scope. If you install IBM MQ for Windows on a domain controller, the queue manager data and log files are secured with the domain mqm group, which can be shared. Follow the steps in the task Creating a multi-instance queue manager on Windows domain controllers to configure a multi-instance queue manager on domain controllers.