@USArmy49180 (Customer)​ ,

There are several things to consider when standing up new servers and promoting one to primary.

At what version of software did your current Authentication Manager deployment start?

I ask because if your servers started at Authentication Manager 8.5 or earlier, we recommend replacing those servers. We also need to know if you have a base license, allowing a primary and one replica or an enterprise license allowing up to 15 replicas. You can find this information in the Security Console by navigating to Setup > License > Manage Existing, clicking on the View Installed Licenses button and then clicking on the context arrow for one of the LID number that you see.

A quick overview of the upgrade process (not all steps may apply):

1. If your servers are at a version earlier than 8.5, follow the steps on upgrading to 8.5.
2. When your servers are at Authentication Manager 8.5, run the Authentication Manager 8.6 Pre-Upgrade Check Tool (download | readme) before upgrading to Authentication Manager 8.6 whether you use RADIUS or not.
3. If you get a clean bill of health, install Authentication Manager 8.6 to your primary first then to your replicas,
4. Take a backup of the database via the Operations Console (Maintenance > Backup > Backup Now). Feel free to repeat this step to backup your database after every version upgrade.
5. Apply Authentication Manager 8.7 following steps in Appendix A of the Authentication Manager 8.7 Setup and Configuration Guide (primary first, then replicas).
6. Apply Authentication Manger 8.7 SP1 Authentication Manager 8.7 SP1 Setup and Configuration Guide (primary first, then replicas).
7. Apply Authentication Manager 8.7 SP2 Authentication Manager 8.7 SP2 Setup and Configuration Guide (primary first, then replicas).
8. Following the steps starting on page 57 of the Authentication Manager 8.7 SP2 Setup and Configuration Guide, stand up a new replica server.
9. Attach the new replica to your existing primary.
10. Use the option to promote the replica for maintenance to have one of your new replicas become the primary and you can remove the former primary and old replicas from the deployment.
11. Apply Authentication Manager 8.7 SP2 patch 3 (primary first, then replicas)

NOTES:

• If you have a base license that only allows for one replica at a time, some of the steps above may also include deleting your current replica in order to stand up and attach a new one.
• If you are already running Authentication Manager 8.6 or 8.7 you can skip steps 1 through 3 and any that mention versions you already have installed. More details can be found in this document on the RSA Authentication Manager Upgrade Process.

Are the current servers hardware appliances or running on a virtual platform?

We have seen an issue where if you try to apply Authentication Manager 8.7 SP1 to a hardware appliance that started before Authentication Manager 8.7 SP1 that you could run into a GRUB issue from which you cannot recover the server. In this case, we recommend using virtual servers to upgrade. If your installation requires the use of hardware appliances you can then factory reset the hardware appliance as a replica server running 8.7 SP1 or 8.7 SP2 then attach it to your primary.

If you have additional questions, please post here or open a support case to have a TSE assist with any further questions.