
Services

GroupID services are long-running, non-UI software applications that operate in the background and run in their own Windows sessions. They are usually started when you boot the machine they are hosted on, and are scheduled to run in the background to execute some tasks. You can also start, pause, and stop them manually.

GroupID relies on a few of its own services and third-party services for different functions.

GroupID Services

The following table discusses GroupID services.

| Service | Description |
|---|---|
| Data service | GroupID uses it to perform core operations and to communicate with Microsoft SQL Server for storing and fetching data in the database. |
| Security service | Authenticates and authorizes users on different GroupID functions in accordance with their roles. Encrypts and decrypts data that GroupID Data service stores and fetches from the SQL database. |
| Replication service | Replicates attributes of the group, user, contact, computer, and organizational unit object from the provider (such as Active Directory) to the Elasticsearch repository. In case of multiple Elasticsearch clusters, this service is also responsible for syncing data between clusters. |
| Mobile service | Enables the GroupID app to communicate with the GroupID server. |
| Email service | Maintains a queue of all notification requests generated by identity stores, and sends them one by one. |
| Scheduler service | Initiates schedule runs for scheduled jobs defined in GroupID. |

These services run in the context of specific accounts that are different from the logged-on user or the default computer account. See the Accounts to Run the Services topic for details.

Where are these Services Hosted?

GroupID services are hosted on a web server, which can be native IIS, remote IIS, or Docker.

You can create multiple Data services, Security services, and Mobile services while hosting them on different web servers. For example, you can host one Data service in native IIS and another in Docker.

To launch IIS on a machine, see Opening IIS Manager.


To open Docker Desktop on Windows, search for Docker and select Docker Desktop in the search results.


Third-party Services

GroupID requires the following third-party services:

| Service | Description |
|---|---|
| SQL Server Browser service | This service fetches the SQL servers present in the environment and displays them on the Database Settings page of the GroupID Configuration Tool, where you configure a database for GroupID. Moreover, GroupID stops when this service stops. |
| Key Distribution Service (KDS) | You must enable the Key Distribution Service (KDS) on the GroupID server if you want to use Group Managed Service Accounts (gMSA) in GroupID. GroupID supports a gMSA in various contexts, such as for the GroupID app pool and as service account for an identity store. |
| Elasticsearch service | This service is responsible for searching the Elasticsearch repository to display object listings and search results in GroupID. If this service stops, GroupID will not work. |

Where are these Services Hosted?

Third-party services are created as Windows services in Windows Services Manager:

To launch the Services Manager, type 'services.msc' in the Run dialog box and click OK. In the Services Manager, you can start, stop, disable, and delay a service.

Accounts to Run the Services

The GroupID Configuration Tool enables you to specify the service accounts to use for the GroupID app pool and Windows services.

| Services | Service Account Description |
|---|---|
| GroupID App Pool in IIS | Use a domain account or a Group Managed Service Account (gMSA). The account must be a member of the Administrators group or both the Backup Operators and IIS_IUSRS groups. The account is used to manage the GroupID app pool in IIS. Data service, Mobile service, Security service, and the portals run under the app pool. For a Microsoft Entra ID identity store, you can specify a local account (with local administrator rights) in app pool for a machine that is not joined to any domain. |
| Windows services | Use a domain account, system user account, or gMSA. The account must be a member of the Backup Operators group. The account is used to run the Windows services for GroupID, as discussed in the Third-party Services topic. |
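
The following PowerShell is an added example, not part of the GroupID documentation or product. It audits a service account against the group-membership requirements above and reports which account a Windows service logs on as. The function names and the account name are hypothetical; 'SQLBrowser' and 'KdsSvc' are the default Windows service names for SQL Server Browser and the Key Distribution Service, and the script assumes it runs on the GroupID server itself.

```powershell
# Added example, not vendor code. Evaluates an account against the group rules stated above.
# Limitation: Get-LocalGroupMember returns direct members only, so membership granted
# through a nested domain group is not detected.
function Test-GroupIDServiceAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Account,   # e.g. 'CONTOSO\svc-groupid$' (constructed name)
        [Parameter(Mandatory)][ValidateSet('AppPool', 'WindowsService')][string]$Role
    )
    $inGroup = @{}
    foreach ($group in 'Administrators', 'Backup Operators', 'IIS_IUSRS') {
        # IIS_IUSRS exists only where IIS is installed; a missing group counts as "not a member"
        $members = @(Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue)
        $inGroup[$group] = [bool]($members | Where-Object { $_.Name -eq $Account })
    }
    $narrowPair = $inGroup['Backup Operators'] -and $inGroup['IIS_IUSRS']
    $meets = switch ($Role) {
        'AppPool'        { $inGroup['Administrators'] -or $narrowPair }
        'WindowsService' { $inGroup['Backup Operators'] }
    }
    [pscustomobject]@{
        Account           = $Account
        Role              = $Role
        MeetsRequirement  = $meets
        # Reported so a reviewer can see when the broad option is in use
        # although the Backup Operators + IIS_IUSRS pair would also satisfy the rule
        InAdministrators  = $inGroup['Administrators']
        InBackupOperators = $inGroup['Backup Operators']
        InIisIusrs        = $inGroup['IIS_IUSRS']
    }
}

# Reports state, start mode and logon account for the named Windows services.
function Get-ServiceLogonAccount {
    param([Parameter(Mandatory)][string[]]$Name)
    foreach ($n in $Name) {
        Get-CimInstance -ClassName Win32_Service -Filter "Name='$n'" |
            Select-Object Name, State, StartMode, StartName
    }
}

Get-ServiceLogonAccount -Name 'SQLBrowser', 'KdsSvc'
Test-GroupIDServiceAccount -Account 'CONTOSO\svc-groupid$' -Role WindowsService
```

The Elasticsearch service name depends on how it was installed, so pass it to Get-ServiceLogonAccount explicitly once you have confirmed it in the Services Manager.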

Elasticsearch Clusters, Nodes, and GroupID

When you have multiple Elasticsearch clusters in your environment and each cluster has multiple nodes, you will notice the following:

  • A separate Admin Center, Data service, Security service, and Replication service is created for each node in a cluster. Hence you will have as many Admin Centers and default services as the number of nodes in all the clusters.
  • A separate Email service and Scheduler service is created for each cluster, where one Email service and Scheduler service serve all nodes in the cluster.
    Hence you will have as many Email services and Scheduler services as the number of clusters.

Cluster syncing

Elasticsearch has its own mechanism to sync data between nodes in a cluster.

To sync data between clusters, GroupID uses the Replication service. You have to enable data sync for a Replication service within a cluster to sync the cluster's data to other clusters. See the Enable Elastic Cluster Syncing topic for details.
