AuthLite Interactive Documentation

The AuthLite MSI version on domain controllers must be newer than or equal to the version on the member machines. Upgrade DCs FIRST. It is OK to continue to run older builds on the member machines, or you can update them to the same version as the DCs.

You can always install a new MSI over the existing one.  There is no need to remove the existing one first, unless the installer directs you to do so.

The same installation software is used for both workstations and servers:

  • AuthLite_installer_x64.msi for 64-bit platforms
  • AuthLite_installer_x86.msi for 32-bit platforms

You can get them from the Downloads page.
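
The version rule above (every DC at or above the build of every member machine) can be checked over an inventory before an upgrade or a DC promotion. The following PowerShell is an added example, not AuthLite's own tooling; the function names, the `AuthLite*` DisplayName match in the uninstall registry keys, and the sample machine names and version numbers are assumptions made for illustration.

```powershell
# Added example (not vendor code). Checks the "upgrade DCs first" rule over an inventory.

function Get-AuthLiteInstalledVersion {
    # Run on the machine being inventoried; returns $null when nothing matches.
    # Assumption: the MSI registers a DisplayName beginning with "AuthLite".
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'AuthLite*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Test-AuthLiteUpgradeOrder {
    param(
        # Objects with Name, Role ('DC' or 'Member') and Version (string or $null).
        [Parameter(Mandatory)] [object[]] $Inventory
    )
    $dcs = @($Inventory | Where-Object { $_.Role -eq 'DC' })
    # A DC without AuthLite cannot authenticate 2FA users (see the new-DC steps).
    foreach ($dc in $dcs | Where-Object { -not $_.Version }) {
        [pscustomobject]@{ Name = $dc.Name; Problem = 'DC has no AuthLite installed' }
    }
    $oldestDc = $dcs | Where-Object { $_.Version } |
        ForEach-Object { [version]$_.Version } | Sort-Object | Select-Object -First 1
    if (-not $oldestDc) { return }
    # Every member build must be at or below the oldest DC build.
    foreach ($m in $Inventory | Where-Object { $_.Role -eq 'Member' -and $_.Version }) {
        if ([version]$m.Version -gt $oldestDc) {
            [pscustomobject]@{
                Name    = $m.Name
                Problem = "Member build $($m.Version) is newer than oldest DC build $oldestDc"
            }
        }
    }
}

# Constructed inventory; names and version numbers are placeholders, not real builds.
$sample = @(
    [pscustomobject]@{ Name = 'DC01';     Role = 'DC';     Version = '2.3.0' }
    [pscustomobject]@{ Name = 'TheNewDC'; Role = 'DC';     Version = $null }
    [pscustomobject]@{ Name = 'WKS-A';    Role = 'Member'; Version = '2.3.0' }
    [pscustomobject]@{ Name = 'WKS-B';    Role = 'Member'; Version = '2.10.0' }
)
Test-AuthLiteUpgradeOrder -Inventory $sample | Format-Table -AutoSize
```

Comparing as `[version]` rather than as strings matters, because `2.10.0` sorts after `2.3.0`. To fill the inventory from live machines, run `Get-AuthLiteInstalledVersion` on each one, for example through `Invoke-Command`.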

Adding new Domain Controllers

There is a specific order of operations you should use for bringing up a new DC for optimal carry-over of AuthLite functionality.

  1. Bring up the new server OS.
  2. Copy the AuthLite installer .exe or .msi to the new DC. In this example we assume it is copied to C:\TEMP
  3. Promote new server to Domain Controller. Note that you won't be able to log onto the new DC with a 2FA user after it restarts, because DCs authenticate to themselves, and this new DC doesn't understand AuthLite 2FA users yet.
  4. Install AuthLite on the new DC.  You can do this in two ways:
    • Install from an existing DC by using a remote PowerShell command. Don't forget to replace TheNewDC with the actual computer name of the new DC, and adjust the path from C:\TEMP to where you copied the AuthLite installer:

      Invoke-Command -ComputerName TheNewDC -ScriptBlock { C:\TEMP\AuthLite_installer_x64.exe /qn }


      This action should automatically restart the DC after installation succeeds.
    • Or, create a 1-factor Domain Admin account on an existing DC.  Make it a member of the natural Domain Admins group, and not any AuthLite groups. Then log into the new DC directly using that account in order to run the installer. Don't forget to reboot the new DC after install completes.

      Delete the temporary account afterwards or, if you used your emergency break-glass account, consider rotating its password afterwards.

Decommissioning Domain Controllers

Before retiring an old DC, do a trial shutdown of it, to make sure everything (including 2FA) runs fine with it off. This is a cheap way to prove there's nothing pointing to it exclusively.