Fortinet Forum
Agent_1994
Contributor

unattended upgrade for DC agents

Hello,

Before we start, a little disclaimer: this is posted as-is; it's not something I did using Fortinet's official documentation (AFAIK, there isn't any about the DC Agent installer), nor is it supported by Fortinet. Use at your own risk.

This was tested in a lab environment with Windows Server 2016 and FSSO 5.0.0254.

In a few days, I have to upgrade a customer's FSSO infrastructure and found that there's no method for upgrading the DC Agents on the domain controllers. I can uninstall/reinstall using the collector, or upgrade via RDP/console using manual installation.

It wouldn't be a problem, but they have 31 DCs...

So, reading some stuff about MSI files, checking installation logs, and some inspection using lessmsi, I managed to do an unattended upgrade.

Hands to work:

What we need:

- Sysinternals' psexec (https://docs.microsoft.com/en-us/sysinternals/downloads/psexec).
- The DC Agent installer found on Fortinet's support website: the EXE version; the MSI won't work (and I didn't have the time to figure out why).
- A domain admin logged in to a computer that's a member of the domain (you can do this with a computer that is not a member of the domain, using "NET USE", but I won't cover this here).
- Upgrade the collector first.

Extract the MSI file:

- Run the DC agent installer, up to the Fortinet Single Sign On DC Agent vX.X.XXX Setup screen, and don't go further.
- Go to the temp folder (Windows + R, "%temp%" will do the trick) and locate a folder with a GUID-like name. Look for dcagentsetup.msi -or dcagentsetup64.msi- and copy that file to a location reachable by the DC you're going to upgrade (I'd suggest a network share, but you can copy it to each DC's C$ admin share). Note that you can save this installer for other customers too; what we did here is just extract the .MSI inside the setup file.
- Abort the installation.

For each DC:

- Run the command "psexec \\DC -s msiexec /i \\SERVER\SHARE\dcagentsetup64.msi /qn /forcerestart REINSTALL=ALL REINSTALLMODE=vomus"
- After a while, you'll see this "error" message: "msiexec exited on DC with error code 1641". Code 1641 is "ERROR_SUCCESS_REBOOT_INITIATED".
- Once rebooted, the DC agent upgrade is completed.

I've tested it in a lab with Windows Server 2016 and FSSO 5.0.0.254, upgrading to 5.0.0271. It worked, and it maintained the settings (CA list, ignore list, etc.) after the upgrade.

Tips:

- This can be used for the initial install of the DC Agents. It's kinda useless because the Collector does this for you but, just in case, you can add COLLECTORAGENTLIST="COL_1;COL_2;COL_N" IGNORELIST="IGNORE_1;IGNORE_2;IGNORE_N" to the command line and it will create -or overwrite- the configuration.
- If you're feeling really lucky -or willing to play Russian roulette ;) -, you may pass a DC list to psexec using @, more info at: https://community.spiceworks.com/how_to/1812-deploy-msi-files-using-psexec.

It's possible that we can further optimize this process, suggestions are welcome :)

 

HTH.
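
The per-DC step above, run one DC at a time with the msiexec exit code checked and logged before moving on. This is an added example, not part of the original post and not Fortinet tooling. It assumes psexec.exe is on PATH and uses placeholder names for the DC list file (dcs.txt) and the log file (upgrade-log.csv).

```powershell
# Added example: serial, logged rollout of the DC Agent MSI described in the post.
# Assumptions (not from the post): dcs.txt holds one DC name per line,
# psexec.exe is on PATH, and upgrade-log.csv is writable.
$Msi     = '\\SERVER\SHARE\dcagentsetup64.msi'   # share path as written in the post
$DcList  = Get-Content -Path '.\dcs.txt' | Where-Object { $_.Trim() }
$LogPath = '.\upgrade-log.csv'

# Record which package was pushed, so every DC can be tied to one known file.
$Hash = (Get-FileHash -Path $Msi -Algorithm SHA256).Hash

# msiexec exit codes that mean the installation itself succeeded.
$Success = @{
    0    = 'ERROR_SUCCESS'
    1641 = 'ERROR_SUCCESS_REBOOT_INITIATED'
    3010 = 'ERROR_SUCCESS_REBOOT_REQUIRED'
}

foreach ($Dc in $DcList) {
    $Dc = $Dc.Trim()
    Write-Host "Upgrading $Dc ..."

    # Same command line as in the post; psexec hands back msiexec's exit code.
    & psexec.exe "\\$Dc" -s msiexec /i $Msi /qn /forcerestart `
        REINSTALL=ALL REINSTALLMODE=vomus
    $Code = $LASTEXITCODE
    $Ok   = $Success.ContainsKey($Code)

    [pscustomobject]@{
        Time      = (Get-Date).ToString('s')
        DC        = $Dc
        ExitCode  = $Code
        Meaning   = if ($Ok) { $Success[$Code] } else { 'FAILED' }
        MsiSha256 = $Hash
    } | Export-Csv -Path $LogPath -Append -NoTypeInformation

    if (-not $Ok) {
        # Stop here so a bad package or share permission does not reach every DC.
        Write-Warning "$Dc returned $Code; stopping before the remaining DCs."
        break
    }

    if ($Code -eq 1641) {
        # /forcerestart rebooted this DC; wait until it answers before the next one.
        Start-Sleep -Seconds 60
        while (-not (Test-Connection -ComputerName $Dc -Count 1 -Quiet)) {
            Start-Sleep -Seconds 15
        }
    }
}
```

Going one DC at a time keeps the other domain controllers serving logons while each one reboots, and the CSV gives an audit trail of which hosts received which package.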

 

 
