5 Configuring Users, Groups and Environments for Oracle Grid Infrastructure and Oracle RAC

You must configure certain users, groups, and environment settings used during Oracle Grid Infrastructure for a Cluster and Oracle Real Application Clusters installations.

5.1 Creating Installation Groups and Users for Oracle Grid Infrastructure and Oracle RAC

To install Oracle Grid Infrastructure and Oracle RAC, you must have an installation user and optionally an Oracle Home User.

Note:

During an Oracle Grid Infrastructure installation, both Oracle Clusterware and Oracle Automatic Storage Management (Oracle ASM) are installed. You can no longer have separate Oracle Clusterware installation owners and Oracle ASM installation owners.

5.1.1 About the Oracle Installation User

The Oracle Installation User can be either a local user or a domain user.

To install the Oracle Grid Infrastructure or Oracle Database software, you must use either a local or domain user that is a member of the Administrators group. This user is the Oracle Installation User.

If you use a local user account for installing Oracle Grid Infrastructure or Oracle Real Application Clusters (Oracle RAC), then:

  • The user account must exist on all nodes in the cluster.

  • The user name and password must be the same on all nodes.

  • OUI displays a warning message.

If you use a domain user account for installing Oracle Grid Infrastructure or Oracle Real Application Clusters (Oracle RAC), then:

  • The domain user must be explicitly declared as a member of the local Administrators group on each node in the cluster. It is not sufficient if the domain user has inherited membership from another group.

  • The user performing the installation must be in the same domain on each node. For example, you cannot use the DBADMIN\dba1 user on the first node and the RACDBA\dba1 user on the second node.

  • A local user of the same name cannot exist on any of the nodes. For example, if you use RACDBA\dba1 as the installation user, none of the nodes can have a local NODE1\dba1 user account.
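The following preflight check is an added example, not part of the Oracle documentation or Oracle's tooling. It tests the domain-user requirements listed above on every node; the node names are placeholders, and PowerShell remoting plus the LocalAccounts cmdlets of Windows PowerShell 5.1 or later are assumed.

```powershell
# Added example (not Oracle code): preflight check of a domain installation user.
# Assumptions: PowerShell remoting is enabled on every node, and the
# Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1+) is present.
param(
    [string[]] $Nodes       = @('node1', 'node2'),   # placeholder node names
    [string]   $InstallUser = 'RACDBA\dba1'          # example account from the text
)

$domain, $name = $InstallUser -split '\\', 2
if (-not $name) { throw "Expected DOMAIN\user, got '$InstallUser'" }

$check = {
    param($InstallUser, $Name)

    # S-1-5-32-544 is the well-known SID of the local Administrators group;
    # using the SID avoids problems with localized group names.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544'

    # Explicit membership: the account itself is listed in the group.
    # Membership inherited through a nested group does not satisfy this test.
    $explicit = $members |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.Name -eq $InstallUser }

    # A local account with the same user name is not allowed on any node.
    $local = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Node               = $env:COMPUTERNAME
        ExplicitLocalAdmin = [bool]$explicit
        LocalNameCollision = [bool]$local
    }
}

# The same DOMAIN\user string is checked on every node, so a pass on all
# nodes also shows that the account comes from the same domain everywhere.
$report = Invoke-Command -ComputerName $Nodes -ScriptBlock $check `
    -ArgumentList $InstallUser, $name

$report | Sort-Object Node |
    Format-Table Node, ExplicitLocalAdmin, LocalNameCollision

$bad = $report | Where-Object { -not $_.ExplicitLocalAdmin -or $_.LocalNameCollision }
if ($bad) {
    Write-Warning ("Nodes failing the installation user requirements: " +
        ($bad.Node -join ', '))
}
```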

If you use different users to install Oracle Grid Infrastructure and Oracle RAC, then the user that installs Oracle RAC must be a member of the ASMDBA and ASMADMIN groups to access the Oracle Automatic Storage Management (Oracle ASM) Disks.

5.1.2 About the Oracle Home User for the Oracle Grid Infrastructure Installation

During installation of Oracle Grid Infrastructure, you can specify an optional Oracle Home user associated with the Oracle Grid home.

For example, if you use an Administrator user named OraSys to install the software (the Oracle Installation user), then you can specify the ORADOMAIN\OraGrid domain user as the Oracle Home user for this installation. The specified Oracle Home domain user must exist before you install the Oracle Grid Infrastructure software.

The Oracle Home user for the Oracle Grid Infrastructure installation can be either the Windows built-in account (LocalSystem) or an existing user. If you specify an existing user as the Oracle Home user, then the Windows User Account you specify must be a domain user or Group Managed Service Account (gMSA) user. When you use an Oracle Home User, a secure wallet in Oracle Cluster Registry (created automatically) stores the Oracle Home User name and password information. If you decide not to create an Oracle Home user, then the Windows built-in account is used as Oracle Home User.

Note:

You cannot change the Oracle Home User after the installation is complete. If you must change the Oracle Home User, then you must reinstall the Oracle Grid Infrastructure software.

For Oracle Grid Infrastructure 12c release 12.1.0.1, if you choose the Oracle Grid Infrastructure Management Repository option during installation, then use of an Oracle Home user is mandatory. Similarly, if you perform a software-only installation of Oracle Grid Infrastructure, then you must choose a Windows Domain User account to configure the Oracle Grid Infrastructure Management Repository after installation.

During installation, the installer creates the software services and configures the Access Control Lists (ACLs) based on the information you provided about the Oracle Home User. See the section "Setting File Permissions" in Oracle Database Platform Guide for Microsoft Windows for more information.

When you specify an Oracle Home user, the installer configures that user as the Oracle Service user for all software services that run from the Oracle home. The Oracle Service user is the operating system user that the Oracle software services run as, or the user from which the services inherit privileges.

See Also:

Oracle Database Platform Guide for Microsoft Windows for more information about the Oracle Home User and how database services run in this user account

5.1.3 About the Oracle Home User for the Oracle RAC Installation

During installation of Oracle RAC, you can either use a Windows built-in account or specify an optional, non-Administrator user that is a Windows domain user to be the Oracle Home User associated with the Oracle RAC home.

The Oracle Home User for Oracle RAC can be different from the Oracle Home User you specified during the Oracle Grid Infrastructure installation. If a Windows domain user account is chosen, then it should be an existing domain user account with no administration privileges.

For Oracle RAC installations, Oracle recommends that you use a Windows domain user (instead of Windows built-in account) as the Oracle Home User for enhanced security.

The services created for the Oracle RAC software run using the privileges of the Oracle Home User for Oracle RAC, or the Local System built-in Windows account if you did not specify an Oracle Home User during installation. Oracle Universal Installer (OUI) creates multiple operating system groups, such as the ORA_DBA group, on all nodes. The user performing the installation is automatically added to those groups necessary for proper database administration. For more information about the Oracle Home User implementation for Oracle Database, see Oracle Database Platform Guide for Microsoft Windows.

For an administrator-managed database, you have the option of storing the Oracle Home User password in a secure wallet (stored in Oracle Cluster Registry). Use the following CRSCTL command to create this secure wallet for storing the Windows operating system user name and password:

crsctl add wallet -osuser -passwd

If the wallet (stored in Oracle Cluster Registry) exists, then Oracle administration tools automatically use the password from the wallet without prompting the administrator to enter the password of Oracle Home User for performing administrative operations.

A policy-managed database mandates the storage of the Oracle Home User password in the wallet (stored in Oracle Cluster Registry). When a policy-managed database is created, DBCA automatically creates the wallet, if one does not exist.

Note:

If you choose to use an Oracle Home User for your Oracle RAC installation, then the Windows User Account you specify must be a domain user.

5.1.4 When to Create an Oracle Home User

You must create an Oracle Home User in certain circumstances.

  • If an Oracle Home User exists, but you want to use a different operating system user, with different group membership, to give database administrative privileges to those groups in a new Oracle Database installation

  • If you have created an Oracle Home User for Oracle Grid Infrastructure, such as grid, and you want to create a separate Oracle Home User for Oracle Database software, such as oracle

5.1.4.1 Restrictions and Guidelines for Oracle Home Users

Review the following restrictions and guidelines for Oracle Home Users for Oracle software installations.

  • If you intend to use multiple Oracle Home Users for different Oracle Database homes, then Oracle recommends that you create a separate Oracle Home User for Oracle Grid Infrastructure software (Oracle Clusterware and Oracle ASM).

  • If you plan to install Oracle Database or Oracle RAC, then Oracle recommends that you create separate Oracle Home Users for the Oracle Grid Infrastructure and the Oracle Database installations. If you use one Oracle Home User, then when you want to perform administration tasks, you must select the utilities from the Oracle home for the instance you want to administer, or change the default %ORACLE_HOME% value to the location of the Oracle Home from which the instance runs. For Oracle ASM instances, you must use the Oracle Grid Infrastructure home, and for database instances, you must use the Oracle Database home.

  • If you try to administer an Oracle home or Grid home instance using sqlplus, srvctl, lsnrctl, or asmcmd commands while the environment variable %ORACLE_HOME% is set to a different Oracle home or Grid home path, then you encounter errors. For example, when you start SRVCTL from a database home, %ORACLE_HOME% should be set to that database home, or SRVCTL fails. The exception is when you are using SRVCTL in the Oracle Grid Infrastructure home. In that case, SRVCTL ignores %ORACLE_HOME%, and the Oracle home environment variable does not affect SRVCTL commands. In all other cases, you must start the utilities from the Oracle home of the instance that you want to administer.

    If you need to set the user environment to use a specific Oracle home, then use Oracle Universal Installer. On the landing page, click Installed Products. In the Inventory window, click the Environment tab. Select the Oracle Home you want to use, and deselect the other Oracle homes, then click Apply. You can then exit Oracle Universal Installer. When you use Oracle Universal Installer to set the Oracle Home, it updates the ORACLE_HOME environment variable and updates the PATH variable.

5.1.4.2 Determining if an Oracle Home User Exists

You must decide whether to use an existing user or create a new user.

  1. Open the Control Panel window.
  2. Select User Accounts.
  3. Select Manage User Accounts.
  4. Scroll through the list of names until you find the ones you are looking for.
    If the names do not appear in the list, then the user has not yet been created.

See one of the following sections for the next steps: Creating an Oracle Home User, or Using an Existing Oracle Software Owner User.

5.1.4.3 Creating an Oracle Home User

Use the Manage User Accounts window to create a new user.

The user must not be a member of the Administrators group. If you are creating an Oracle Home User for an Oracle RAC installation, then the user must be a Windows domain user, and the user must be a member of the same domain on each node in the cluster.

  1. Open the Control Panel window.
  2. Select User Accounts.
  3. Select Manage User Accounts.
  4. Create the user using the interface.

See Also:

Oracle Database Platform Guide for Microsoft Windows for information about the Oracle Home User Control utility

5.1.4.4 Using an Existing Oracle Software Owner User

If the user you have decided to use as an Oracle Home user exists, then you can use this user as the Oracle Home user for a different installation.

Oracle does not support changing the ownership of an existing Oracle Database home from one Oracle Home user to a different user.
  • During the software installation, specify the existing user for the Oracle Home user.
    Oracle Universal Installer (OUI) creates the appropriate group memberships.

5.1.5 Oracle Home User Configurations for Oracle Installations

When the Oracle software installation completes, you will have one of the following configurations:

| Installation Type | Oracle Home user configuration |
| --- | --- |
| Oracle Grid Infrastructure with a domain user specified for the Oracle Home User | The Oracle Home user owns the Oracle Grid Infrastructure Management Repository service. The other services are run under the built-in Administrator account, except for the listeners, which run as LocalService (a built-in Windows account). |
| Oracle Grid Infrastructure with the Windows built-in Administrator account as the Oracle Home User | The Oracle Grid Infrastructure services are run under the built-in Administrator account, except for the listeners, which run as LocalService. |
| Oracle RAC with specified Oracle Home User | The Oracle Home User owns all the services run by the Oracle Database software. |
| Oracle RAC with Built-in Oracle Home user | The services run under the built-in LocalSystem account. |

Note:

You cannot change the Oracle Home User after installation to a different Oracle Home User. Only out-of-place upgrade or move allows the Oracle Home User to be changed to or from the built-in Windows account.

5.1.6 Understanding the Oracle Inventory Directory and the Oracle Inventory Group

You must have a group whose members are given access to write to the Oracle Inventory directory, which is the central inventory record of all Oracle software installations on a server.

When you install Oracle software on the system for the first time, Oracle Universal Installer (OUI) creates the directories for the Oracle central inventory. OUI also creates the Oracle Inventory group, ORA_INSTALL. The ORA_INSTALL group contains all the Oracle Home users for all Oracle homes on the server. The location of the Oracle central inventory on Windows is always %SYSTEM_DRIVE%\Program Files\Oracle\Inventory.

Whether you are performing the first installation of Oracle software on this server, or are performing an installation of additional Oracle software on the server, you do not need to create the Oracle central inventory or the ORA_INSTALL group. You cannot change the name of the Oracle Inventory group - it is always ORA_INSTALL.

Members of the Oracle Inventory group have write privileges to the Oracle central inventory directory, and are also granted permissions for various Oracle Clusterware resources, OCR keys, directories in the Oracle Clusterware home to which DBAs need write access, and other necessary privileges. All Oracle software install users must be members of the Oracle Inventory group. Members of this group can talk to Cluster Synchronization Service (CSS).

Note:

If Oracle software is already installed on the system, then, when you install new Oracle software, the existing Oracle Inventory group is used instead of creating a new Inventory group.

5.1.7 Operating System Groups Created During Installation

When you install either Oracle Grid Infrastructure or Oracle RAC, the user groups listed in the following table are created, if they do not already exist.

Table 5-1 Operating System Groups Created During Installation

| Operating System Group Names | System Privileges | Description |
| --- | --- | --- |
| ORA_ASMADMIN | SYSASM system privileges for Oracle ASM administration | The OSASM group for the Oracle ASM instance. Using this group and the SYSASM system privileges enables the separation of SYSDBA database administration privileges from Oracle ASM storage administration privileges. Members of the OSASM group are authorized to connect using the SYSASM privilege and have full access to Oracle ASM, including administrative access to all disk groups that the Oracle ASM instance manages. |
| ORA_ASMDBA | SYSDBA system privileges on the Oracle ASM instance | The OSDBA group for the Oracle ASM instance. This group grants access for the database to connect to Oracle ASM. During installation, the Oracle Installation Users are configured as members of this group. After you create an Oracle Database, this group contains the Oracle Home Users of those database homes. |
| ORA_ASMOPER | SYSOPER for Oracle ASM system privileges | The OSOPER group for the Oracle ASM instance. Members of this group are granted SYSOPER system privileges on the Oracle ASM instance, which permits a user to perform operations such as startup, shutdown, mount, dismount, and check disk group. This group has a subset of the privileges of the OSASM group. Similar to the ORA_HOMENAME_OPER group, this group does not have any members after installation, but you can manually add users to this group after the installation completes. |
| ORA_GRIDHM_DBA | SYSDBA system privileges for the Oracle Grid Infrastructure Management Repository database | Members of this group are granted the SYSDBA system privileges for managing the Oracle Grid Infrastructure Management Repository database, where GRIDHM is the name of the Oracle Grid Infrastructure home. The default home name is OraGrid12Home1, so the default group name is ORA_OraGrid12Home1_DBA. |
| ORA_GRIDHM_OPER | SYSOPER system privileges for the Oracle Grid Infrastructure Management Repository database | Members of this group are granted the SYSOPER system privileges for managing the Oracle Grid Infrastructure Management Repository database, where GRIDHM is the name of the Oracle Grid Infrastructure home. If you use the default Grid home name of OraGrid12Home1, then the default operating system group name is ORA_OraGrid12Home1_OPER. |
| ORA_DBA | SYSDBA system privileges for all Oracle Database installations on the server | A special OSDBA group for the Windows operating system. Members of this group are granted SYSDBA system privileges for all Oracle Databases installed on the server. |
| ORA_OPER | SYSOPER system privileges for all Oracle databases installed on the server | A special OSOPER group for the Windows operating system. Members of this group are granted SYSOPER system privileges for all Oracle Databases installed on the server. This group does not have any members after installation, but you can manually add users to this group after the installation completes. |
| ORA_HOMENAME_DBA | SYSDBA system privileges for all database instances that run from the Oracle home with the name HOMENAME | An OSDBA group for a specific Oracle Home with a name of HOMENAME. Members of this group can use operating system authentication to gain SYSDBA system privileges for any database that runs from the specific Oracle home. If you specified an Oracle Home User during installation, the user is added to this group during installation. |
| ORA_HOMENAME_OPER | SYSOPER system privileges for all database instances that run from the Oracle home with the name HOMENAME | An OSDBA group for the Oracle Home with a name of HOMENAME. Members of this group can use operating system authentication to gain SYSOPER system privileges for any database that runs from the specific Oracle home. This group does not have any members after installation, but you can manually add users to this group after the installation completes. |
| ORA_HOMENAME_SYSBACKUP | SYSBACKUP system privileges for all database instances that run from the Oracle home with a name of HOMENAME | OSBACKUPDBA group for a specific Oracle Home with a name of HOMENAME. Members of this group have privileges necessary for performing database backup and recovery tasks on all database instances that run from the specified Oracle Home directory. |
| ORA_HOMENAME_SYSDG | SYSDG system privileges for all database instances that run from the Oracle home with a name of HOMENAME | OSDGDBA group for a specific Oracle Home with a name of HOMENAME. Members of this group have privileges necessary for performing Data Guard administrative tasks on all database instances that run from the specified Oracle Home directory. |
| ORA_HOMENAME_SYSKM | SYSKM system privileges for all database instances that run from the Oracle home with a name of HOMENAME | OSKMDBA group for a specific Oracle Home with a name of HOMENAME. Members of this group have privileges necessary for performing encryption key management tasks on all database instances that run from the specified Oracle Home directory. |

During installation, the gridconfig.bat script creates the services and groups on each node of the cluster. The installed files and permissions are owned by the Oracle Installation user, and require the Administrator privilege.

Oracle creates and populates the groups listed in this table during installation to ensure proper operation of Oracle products. You can manually add other users to these groups to assign these database privileges to other Windows users.

Members of the ORA_DBA group can use operating system authentication to administer all Oracle databases installed on the server. Members of the ORA_HOMENAME_DBA, where HOMENAME is the name of a specific Oracle installation, can use operating system authentication to manage only the databases that run from that Oracle home.

5.1.8 Operating System Groups and Users for Job Role Separation

A job role separation configuration of Oracle Database and Oracle ASM is a configuration with groups and users to provide separate groups for operating system authentication.

5.1.8.1 About Job Role Separation Operating System Privileges Groups and Users

With Oracle Database job role separation, each Oracle Database installation has separate operating system groups to provide authentication for system privileges on that Oracle Database, so multiple databases can be installed on the cluster without sharing operating system authentication for system privileges. In addition, each Oracle software installation is associated with an Oracle Installation user, to provide operating system user authentication for modifications to Oracle Database binaries.

With Oracle Grid Infrastructure job role separation, Oracle ASM has separate operating system groups that provide operating system authentication for Oracle ASM system privileges for storage tier administration. This operating system authentication is separated from Oracle Database operating system authentication. In addition, the Oracle Grid Infrastructure Installation user provides operating system user authentication for modifications to Oracle Grid Infrastructure binaries.

During the Oracle Database installation, the OSDBA, OSOPER, OSBACKUPDBA, OSDGDBA and OSKMDBA groups are created and users assigned to these groups. Members of these groups are granted operating system authentication for the set of database system privileges each group authorizes. Oracle recommends that you use different operating system groups for each set of system privileges.

Note:

This configuration is optional, to restrict user access to Oracle software by responsibility areas for different administrator users.

To configure users for installation that are on a network directory service such as Network Information Services (NIS), refer to your directory service documentation.

5.1.8.2 Oracle Software Owner for Each Oracle Software Product

Oracle recommends that you use the following operating system groups and users for all installations where you specify separate Oracle Home Users:

Separate Oracle Installation users for each Oracle software product (typically, oracle for the Oracle Database software, and grid for the Oracle Grid Infrastructure software).

You must create at least one Oracle Installation user the first time you install Oracle software on the system. This user owns the Oracle binaries of the Oracle Grid Infrastructure software, and you can also use this same user as the Oracle Installation user for the Oracle Database or Oracle RAC binaries.

The Oracle Installation user for Oracle Database software has full administrative privileges for Oracle instances and is added to the ORA_DBA, ORA_ASMDBA, ORA_HOMENAME_SYSBACKUP, ORA_HOMENAME_SYSDG, and ORA_HOMENAME_SYSKM groups. Oracle Home users are added to the ORA_HOMENAME_DBA group for the Oracle home created during the installation. The ORA_OPER and ORA_HOMENAME_OPER groups are created, but no users are added to these groups during installation.

See Also:

Oracle Database Security Guide for more information about the available operating system groups and the privileges associated with each group

5.1.8.3 Standard Oracle Database Groups for Job Role Separation

The Oracle Database supports multiple operating system groups to provide operating system authentication for database administration system privileges.

  • OSDBA group (ORA_DBA)

    The installation process creates this group the first time you install Oracle Database software on the system. This group identifies operating system user accounts that have database administrative privileges (the SYSDBA system privilege) for all database instances running on the server.

    Members of the ORA_DBA group do not have the SYSASM system privilege on Oracle ASM instances, which is needed for mounting and dismounting disk groups.

  • OSOPER group for Oracle Database (ORA_OPER)

    Use this group if you want a separate group of operating system users to have a limited set of database administrative privileges for starting up and shutting down the database (the SYSOPER system privilege).

  • OSDBA group for a particular Oracle home (ORA_HOMENAME_DBA)

    This group is created the first time you install Oracle Database software into a new Oracle home. This group identifies operating system user accounts that have database administrative privileges (the SYSDBA system privilege) for the database instances that run from that Oracle home.

  • OSOPER group for a particular Oracle home (ORA_HOMENAME_OPER)

    Use this group if you want a separate group of operating system users to have a limited set of database administrative privileges for starting up and shutting down the database instances that run from a particular Oracle home (the SYSOPER system privilege).

5.1.8.4 Extended Oracle Database Groups for Job Role Separation

Starting with Oracle Database 12c Release 1 (12.1), in addition to the SYSOPER system privilege to start and shut down the database, you can create new administrative privileges that are more task-specific and less privileged than the ORA_DBA group (or SYSDBA system privilege) to support specific administrative tasks required for everyday database operation. Users granted these system privileges are also authenticated through operating system group membership.

The installer automatically creates operating system groups whose members are granted these system privileges. The OSDBA subset job role separation privileges and groups consist of the following:

  • OSBACKUPDBA group for Oracle Database (ORA_HOMENAME_SYSBACKUP)

    Assign users to this group if you want a separate group of operating system users to have a limited set of database backup and recovery related administrative privileges (the SYSBACKUP privilege).

  • OSDGDBA group for Oracle Data Guard (ORA_HOMENAME_SYSDG)

    Assign users to this group if you want a separate group of operating system users to have a limited set of privileges to administer and monitor Oracle Data Guard (the SYSDG privilege).

  • OSKMDBA group for encryption key management (ORA_HOMENAME_SYSKM)

    Assign users to this group if you want a separate group of operating system users to have a limited set of privileges for encryption key management such as Oracle Wallet Manager management (the SYSKM privilege).

See Also:

Oracle Database Installation Guide for Microsoft Windows for information about these groups.

5.1.8.5 Oracle ASM Groups for Job Role Separation

The SYSASM, SYSOPER for ASM, and SYSDBA for ASM system privileges enable the separation of the Oracle ASM storage administration privileges from SYSDBA.

During installation, the following groups are created for Oracle ASM:

  • OSASM Group for Oracle ASM Administration (ORA_ASMADMIN)

    Use this separate group to have separate administration privilege groups for Oracle ASM and Oracle Database administrators. Members of this group are granted the SYSASM system privilege to administer Oracle ASM. In Oracle documentation, the operating system group whose members are granted privileges is called the OSASM group. During installation, the Oracle Installation User for Oracle Grid Infrastructure and Oracle Database Service IDs are configured as members of this group. Membership in this group also grants database access to the ASM disks.

    Members of the OSASM group can use SQL to connect to an Oracle ASM instance as SYSASM using operating system authentication. The SYSASM system privilege permits mounting and dismounting disk groups, and other storage administration tasks. SYSASM system privileges do not grant access privileges on an Oracle Database instance.

  • OSDBA for ASM Database Administrator group (ORA_ASMDBA)

    This group grants access for the database to connect to Oracle ASM. During installation, the Oracle Installation Users are configured as members of this group. After you create an Oracle Database, this group contains the Oracle Home Users of those database homes.

  • OSOPER for ASM Group for ASM Operators (ORA_ASMOPER)

    This is an optional group. Use this group if you want a separate group of operating system users to have a limited set of Oracle ASM instance administrative privileges (the SYSOPER for ASM system privilege), including starting up and stopping the Oracle ASM instance. By default, members of the OSASM group also have all privileges granted by the SYSOPER for ASM system privilege.

    To use the Oracle ASM Operator group to create an Oracle ASM administrator with fewer privileges than those granted by the SYSASM system privilege, you must assign the user to this group after installation.

5.1.8.6 Changes in Oracle ASM System Privileges When Upgrading to Oracle Grid Infrastructure 12c Release 1 (12.1.0.2)

When upgrading from Oracle Grid Infrastructure release 12.1.0.1 to release 12.1.0.2, the upgrade process automatically updates the group memberships and the disk ACLs for Oracle ASM privileges.

  • The disk ACLs are updated to add ORA_ASMADMIN and remove ORA_ASMDBA.

  • The database service SIDs are added to both ORA_ASMADMIN and ORA_ASMDBA.

  • The Oracle Service user (typically the Oracle Home user) is added to ORA_ASMDBA

These updates ensure that databases using either Oracle Database release 12.1.0.1 or release 12.1.0.2 can use Oracle ASM after the upgrade to Oracle Grid Infrastructure release 12.1.0.2.

If Oracle ASM is freshly installed as part of Oracle Grid Infrastructure 12c Release 1 (12.1.0.2), then only the 12.1.0.2 version of the privileges are configured:

  • The database service SIDs are added to ORA_ASMADMIN

  • The Oracle Service user (typically the Oracle Home user) is added to ORA_ASMDBA

  • The disk ACLs are updated to include ORA_ASMADMIN

Before you install Oracle Database 12c release 12.1.0.1 software on a system with a new installation (not an upgraded installation) of Oracle Grid Infrastructure 12c Release 1 (12.1.0.2), you must apply a patch to ensure the proper privileges are configured when you create an Oracle Database 12c release 12.1.0.1 database.

5.1.9 Example of Using Role-Allocated Groups and Users

You can use role-allocated groups and users that are compliant with an Optimal Flexible Architecture (OFA) deployment.

Assumptions:

  • The user installing the Oracle Grid Infrastructure software is named RACDOMAIN\grid. This user was created before starting the installation.

    The option to use the Windows Built-in Account was selected for the Oracle Home user for Oracle Grid Infrastructure.

  • The name of the home directory for the Oracle Grid Infrastructure installation is OraGrid12c.

  • The user installing the Oracle RAC software is named oracle. This user was created before starting the installation.

    During installation of Oracle RAC, an Oracle Home user named RACDOMAIN\oradba1 is specified. The oradba1 user is a Windows domain user that was created before the installation was started.

    The name of the Oracle home for the Oracle RAC installation is OraRAC12c_home1.

  • You have a second Oracle Database installation (not Oracle RAC) on this server. The installation was performed by the oracle user. The Oracle Home user is oradba2, and this user was not created before starting the installation.

    The Oracle Home name is OraDB12c_home1.

  • Both the Oracle databases and Oracle Clusterware are configured to use Oracle ASM for data storage.

After installing the Oracle software, you have the following groups and users:

| Operating System Group Name | Type of Group | Members |
|---|---|---|
| ORA_DBA | OSDBA group | oracle, RACDOMAIN\grid, and the Local System built-in Windows account |
| ORA_OraRAC12c_home1_DBA | OSDBA group for the Oracle RAC home directory | RACDOMAIN\oradba1 |
| ORA_OraDB12c_home1_DBA | OSDBA group for the Oracle Database home directory | oradba2 |
| ORA_OPER | OSOPER group | none |
| ORA_OraRAC12c_home1_OPER | OSOPER group for the Oracle RAC home directory | none |
| ORA_OraDB12c_home1_OPER | OSOPER group for the Oracle Database home directory | none |
| ORA_ASMADMIN | OSASM group | RACDOMAIN\grid and the Local System built-in Windows account, and the database service IDs |
| ORA_ASMOPER | OSOPER for ASM group | |
| ORA_ASMDBA | OSDBA for ASM group for Oracle ASM clients | RACDOMAIN\grid, oracle, the Local System built-in Windows account, and Oracle Home Users of database homes |
| ORA_RAC12c_home1_SYSBACKUP, ORA_RAC12c_home1_SYSDG, and ORA_RAC12c_home1_SYSKM | Specialized role groups that authorize users with the SYSBACKUP, SYSDG, and SYSKM system privileges. | none |
| ORA_DB12c_home1_SYSBACKUP, ORA_DB12c_home1_SYSDG, and ORA_DB12c_home1_SYSKM | Specialized role groups that authorize users with the SYSBACKUP, SYSDG, and SYSKM system privileges. | none |

If there are no users listed for an operating system group, then that means the group has no members after installation.
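One way to audit a node against the example layout above is to compare the actual membership of each ORA_ group with an allow list. This is an added example, not Oracle code: it assumes the unqualified users (oracle, oradba2) are local accounts and that database service IDs are displayed under NT SERVICE.

```powershell
# Added example, not Oracle code. Group and user names come from the example
# table; treating unqualified users as local accounts and matching service
# SIDs with 'NT SERVICE\*' are assumptions.
$Node = $env:COMPUTERNAME
$Expected = @{
    'ORA_DBA'                 = @("$Node\oracle", 'RACDOMAIN\grid', 'NT AUTHORITY\SYSTEM')
    'ORA_OraRAC12c_home1_DBA' = @('RACDOMAIN\oradba1')
    'ORA_OraDB12c_home1_DBA'  = @("$Node\oradba2")
    'ORA_ASMADMIN'            = @('RACDOMAIN\grid', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\*')
    'ORA_ASMDBA'              = @('RACDOMAIN\grid', "$Node\oracle", 'NT AUTHORITY\SYSTEM',
                                  'RACDOMAIN\oradba1', "$Node\oradba2")
    # Groups the table lists with no members after installation.
    'ORA_OPER'                 = @()
    'ORA_OraRAC12c_home1_OPER' = @()
    'ORA_OraDB12c_home1_OPER'  = @()
    'ORA_ASMOPER'              = @()
}
foreach ($h in 'RAC12c_home1', 'DB12c_home1') {
    foreach ($r in 'SYSBACKUP', 'SYSDG', 'SYSKM') { $Expected["ORA_${h}_$r"] = @() }
}

function Get-GroupMemberName {
    param([string]$Group, [string]$Computer = $env:COMPUTERNAME)
    $entry = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($m in @($entry.psbase.Invoke('Members'))) {
        $adsPath = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # 'WinNT://DOMAIN/name' or 'WinNT://DOMAIN/COMPUTER/name': keep the last two parts.
        $parts = @($adsPath.Substring('WinNT://'.Length).Split('/'))
        if ($parts.Count -ge 2) { '{0}\{1}' -f $parts[-2], $parts[-1] } else { $parts[0] }
    }
}

function Test-OracleGroupLayout {
    param([hashtable]$Expected)
    foreach ($group in ($Expected.Keys | Sort-Object)) {
        $allowed = @($Expected[$group])
        $actual = @(); $err = $null
        try   { $actual = @(Get-GroupMemberName $group) }
        catch { $err = $_.Exception.Message }   # group missing or not readable
        # Members that match no allowed name or pattern (-like is case-insensitive).
        $unexpected = @($actual | Where-Object {
            $m = $_; -not ($allowed | Where-Object { $m -like $_ }) })
        # Exact (non-wildcard) expected members that are absent.
        $missing = @($allowed | Where-Object {
            $p = $_; -not $p.Contains('*') -and -not ($actual | Where-Object { $_ -like $p }) })
        New-Object PSObject -Property @{
            Group = $group; Unexpected = $unexpected -join ', '
            Missing = $missing -join ', '; Error = $err
        }
    }
}

Test-OracleGroupLayout $Expected |
    Format-Table Group, Unexpected, Missing, Error -AutoSize
```

Any entry in the Unexpected column for an OSOPER, SYSBACKUP, SYSDG, or SYSKM group is a departure from the post-installation state the table describes.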

5.2 Configuring User Accounts

When installing Oracle Grid Infrastructure for a cluster, you run the installer software as an Administrator user. During installation, you can specify an Oracle Home user.

Before starting the installation, there are a few checks you need to perform for the Oracle Installation users, to ensure the installation will succeed.

5.2.1 Configuring Environment Variables for the Oracle Installation User

The installer uses environment variables set for the Oracle Installation User.

5.2.2 Verifying User Privileges to Update Remote Nodes

You must ensure that operations that are performed on multiple nodes can be performed during installation of the Oracle Grid Infrastructure software.

For the installation to be successful, you must use the same user name and password on each node in a cluster or use a domain user. You must explicitly grant membership in the local Administrators group to the installation user on all of the nodes in your cluster.
  1. Determine if User Account Control (UAC) remote restrictions have been disabled for the local installation user. If you are using a domain user for installation, then skip this step.
    Check the value of the LocalAccountTokenFilterPolicy registry entry for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. The value should be set to 1. If this registry entry does not exist, then do the following:
    1. Click Start, click Run, type regedit, and then press Enter.
    2. Navigate to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
    3. On the Edit menu, select New, and then click DWORD Value.
    4. Type LocalAccountTokenFilterPolicy and then press Enter.
    5. Right-click LocalAccountTokenFilterPolicy, then click Modify.
    6. In the Value data box, type 1, then click OK.
    7. Exit the registry editor.
    By setting the value of LocalAccountTokenFilterPolicy to 1, a user who is a member of the local administrators group on the target remote computer establishes a remote administrative connection with an elevated token, enabling the user to perform administrative tasks. If you do not disable the UAC remote restrictions for administrative users, then when installing Oracle Grid Infrastructure on multiple nodes you might encounter the following error:
    INS-40937 The following hostnames are invalid
    
  2. Before running OUI, from the node where you intend to run the installer, verify that the user account you are using for the installation is configured as a member of the Administrators group on each node in the cluster.
    Enter the following command for each node that is a part of the cluster where nodename is the node name:
    net use \\nodename\C$
    
  3. If you will be using other disk drives in addition to the C: drive, then repeat the net use command for every node in the cluster, substituting the drive letter for each drive you plan to use.
  4. Verify the installation user is configured to update the Windows registry on each node in the cluster.
    1. Run regedit from the Run menu or the command prompt.
    2. From the File menu select Connect Network Registry.
    3. In the 'Enter the object name…' edit box enter the name of a remote node in the cluster, then click OK.
    4. Wait for the node to appear in the registry tree.

If the remote node does not appear in the registry tree or you are prompted to fill in a username and password, then you must resolve the permissions issue at the operating system level before proceeding with the Oracle Grid Infrastructure installation.
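The checks in steps 1 through 4 can be run from the installation node in one pass. The script below is an added example, not part of the Oracle documentation: the node names and drive letters are placeholders, and it assumes the Remote Registry service is running on each node. It tests the administrative shares with the current credentials instead of mapping them with net use.

```powershell
# Added example, not Oracle code. Node names and drive letters are placeholders.
$Nodes  = @('node1', 'node2')
$Drives = @('C')    # step 3: add every other drive letter you plan to use
$PolicyKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-OracleNodeAccess {
    param([string]$Node, [string[]]$Drives)

    $report = New-Object PSObject -Property @{
        Node = $Node; SharesDenied = ''; RegistryWritable = $false
        TokenFilterPolicy = $null; Error = $null
    }

    # Steps 2 and 3: \\node\X$ is reachable only for a member of the node's
    # Administrators group, which is what 'net use \\nodename\C$' verifies.
    $denied = @($Drives | Where-Object {
        -not (Test-Path -LiteralPath ('\\{0}\{1}$' -f $Node, $_) -ErrorAction SilentlyContinue)
    })
    $report.SharesDenied = $denied -join ', '

    # Step 4: open the node's HKLM hive, as Connect Network Registry does.
    try {
        $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $Node)
        # $true requests write access to the key; nothing is modified.
        $key = $hklm.OpenSubKey($PolicyKey, $true)
        if ($key) {
            $report.RegistryWritable = $true
            # Step 1: $null means the entry does not exist on that node.
            $report.TokenFilterPolicy = $key.GetValue('LocalAccountTokenFilterPolicy', $null)
            $key.Close()
        }
        $hklm.Close()
    } catch {
        # Connection refused, access denied, or write access not granted.
        $report.Error = $_.Exception.Message
    }
    $report
}

$Nodes | ForEach-Object { Test-OracleNodeAccess -Node $_ -Drives $Drives } |
    Format-Table Node, SharesDenied, RegistryWritable, TokenFilterPolicy, Error -AutoSize
```

LocalAccountTokenFilterPolicy is a machine-wide setting that applies to every local account in the Administrators group on that node, so the per-node value in this report is worth keeping with the installation record.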

5.2.3 Managing User Accounts with User Account Control

To ensure that only trusted applications run on your computer, Windows Server 2008 and Windows Server 2008 R2 provide User Account Control.

If you have enabled the User Account Control security feature, then depending on how you have it configured, OUI prompts you for either your consent or your credentials when installing Oracle Database. Provide either the consent or your Windows Administrator credentials as appropriate.

You must have Administrator privileges to run some Oracle tools, such as DBCA, NETCA, and OPatch, or to run any tool or application that writes to any directory within the Oracle home. If User Account Control is enabled and you are logged in as the local Administrator, then you can successfully run each of these commands. However, if you are logged in as "a member of the Administrators group," then you must explicitly run these tools with Windows Administrator privileges.

All of the Oracle shortcuts that require Administrator privileges are automatically run as an "Administrator" user when you click the shortcuts. However, if you run the previously mentioned tools from a Windows command prompt, then you must run them from an Administrator command prompt.

OPatch does not have a shortcut and must be run from an Administrator command prompt.

5.3 Creating Oracle Software Directories

During installation, you are prompted to provide a path to a home directory to store Oracle Grid Infrastructure software.

You also need to provide a home directory when installing Oracle RAC. Each directory has certain requirements that must be met for the software to work correctly.

Oracle Universal Installer creates the directories during installation if they do not exist.

5.3.1 About the Directories Used During Installation of Oracle Grid Infrastructure

OUI uses several directories during installation of Oracle Grid Infrastructure.

Note:

The base directory for Oracle Grid Infrastructure 12c and the base directory for Oracle RAC 12c must be different from the directories used by the Oracle RAC 11g Release 2 installation.

5.3.1.1 Temporary Directories

To install properly across all nodes, OUI uses the temporary folders defined within Microsoft Windows.

The TEMP and TMP environment variables should point to the same local directory on all nodes in the cluster.

By default, these settings are defined as %USERPROFILE%\Local Settings\Temp and %USERPROFILE%\Local Settings\Tmp in the Environment Settings of My Computer. It is recommended to explicitly redefine these as %WINDIR%\temp and %WINDIR%\tmp.

For example, if Windows is installed on the C drive, then the temporary directories would be defined as C:\Windows\temp or C:\Windows\tmp for all nodes.

5.3.1.2 Grid Home Directory

The directory that Oracle Grid Infrastructure is installed in is the Grid home.

When installing Oracle Grid Infrastructure, you must determine the location of the Grid home. Oracle ASM is also installed in this home directory.

If you plan to install Oracle RAC, you must choose a different directory in which to install the Oracle Database software. The location of the Oracle RAC installation is the Oracle home.

Note:

For installations with Oracle Grid Infrastructure only, Oracle recommends that you let OUI create the Grid home and Oracle Inventory directories.

5.3.1.3 Oracle Base Directory

During installation, you are prompted to specify an Oracle base location, which is owned by the user performing the installation. You can choose a location with an existing Oracle home, or choose another directory location that does not have the structure for an Oracle base directory.

If you install Oracle Database 12c Release 1 (12.1) on a computer with no other Oracle software installed, OUI creates an Oracle base directory for you. If Oracle software is already installed, then one or more Oracle base directories already exist. In the latter case, OUI offers you a choice of Oracle base directories to use during installation.

Caution:

After installing Oracle Database 12c Release 1 (12.1) or a later release with a Windows User Account as the Oracle Home User, do not install older releases of Oracle Database that share the same Oracle base directory. During installation of the software for older releases, the ACLs are reset and Oracle Database 12c Release 1 (12.1) (or later) services may not be able to access the Oracle base directory and files.

In a default Windows installation, the Oracle base directory appears as follows, where X represents a disk drive and username is the name of the currently logged in user:

X:\app\username

Using the Oracle base directory path helps to facilitate the organization of Oracle installations, and helps to ensure that installations of multiple databases maintain an Optimal Flexible Architecture (OFA) configuration.

The Oracle base directory for the Oracle Grid Infrastructure installation is the location where diagnostic and administrative logs, and other logs associated with Oracle ASM and Oracle Clusterware are stored. For Oracle installations other than Oracle Grid Infrastructure for a cluster, the Oracle base directory is also the location under which an Oracle home is placed.

However, for an Oracle Grid Infrastructure installation, you must create a different path for the Grid home, so that the path for Oracle base remains available for other Oracle installations. You can have only one active Oracle Grid Infrastructure installation on a cluster, and all upgrades are out-of-place upgrades. Because of this, Oracle recommends that you create both an Oracle base for the Grid Installation User (grid), and an Oracle home for the Oracle Grid Infrastructure binaries using the release number of that installation. For example, use the following path to create an Oracle Grid Infrastructure home (Grid home):

D:\app\12.1.0\grid

During installation, ownership of the path to the Grid home is changed to the LocalSystem user. If you do not create a unique path to the Grid home, then after the Oracle Grid Infrastructure installation, you might encounter permission errors for other installations, including any existing installations under the same path.

Caution:

For Oracle Grid Infrastructure (for a cluster) installations, note the following restrictions for the Oracle Grid Infrastructure home (the Grid home directory for Oracle Grid Infrastructure):

  • It must not be placed under one of the Oracle base directories, including the Oracle base directory of the Oracle Grid Infrastructure installation owner.

  • It must not be placed in the home directory of an installation owner.

These requirements are specific to Oracle Grid Infrastructure for a cluster installations. Oracle Grid Infrastructure for a standalone server (Oracle Restart) can be installed under the Oracle base for the Oracle Database installation.

Oracle recommends that you let the Oracle Universal Installer create the Oracle Grid Infrastructure Grid home and Oracle base directories.

Note:

Placing Oracle Grid Infrastructure for a cluster binaries on a cluster file system is not supported.

Oracle recommends that you install Oracle Grid Infrastructure locally, on each cluster member node. Using a shared Grid home prevents rolling upgrades, and creates a single point of failure for the cluster.

5.3.1.4 Oracle Inventory Directory

The Oracle Inventory directory is the central inventory location for all Oracle software installed on a server.

By default, the location of the Oracle Inventory directory is C:\Program Files\Oracle\Inventory. This directory is created automatically the first time you install Oracle software on a Windows server.

5.3.2 Requirements for the Oracle Grid Infrastructure Home Directory

The Oracle Grid Infrastructure home directory must meet the following path requirements:

  • It is located in a path outside existing Oracle homes, including Oracle Clusterware homes.

  • It is not located in a user home directory.

  • If you create the path before installation, then the Oracle Installation user for Oracle Grid Infrastructure can create the directories in the path.

Oracle recommends that you install Oracle Grid Infrastructure on local homes, rather than using a shared home on shared storage.

For installations with Oracle Grid Infrastructure only, Oracle recommends that you create a path compliant with Oracle Optimal Flexible Architecture (OFA) guidelines, so that Oracle Universal Installer (OUI) can select that directory during installation.

Note:

Oracle Grid Infrastructure homes can be placed in a local home on servers, even if your existing Oracle Clusterware home from a prior release is in a shared location.

If you are installing Oracle Grid Infrastructure for a database (Oracle Restart), then the home directory for Oracle Restart can be under the Oracle base directory for the Oracle Installation user for Oracle Database. Refer to Oracle Database Installation Guide for your platform for more information about Oracle Restart.
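The placement rules for a cluster Grid home (outside every Oracle base, outside existing Oracle homes, and outside user home directories) can be checked before running OUI. The following is an added example, not Oracle code: the function names are hypothetical, and the lists of Oracle base and Oracle home directories are constructed inputs that you supply for your own servers.

```powershell
# Added example, not Oracle code. Function names are hypothetical and the
# directory lists at the bottom are constructed sample values.
function Get-NormalizedPath {
    param([string]$Path)
    # Resolve '..', '.' and '/' and drop a trailing '\' so comparisons are stable.
    [System.IO.Path]::GetFullPath($Path).TrimEnd('\')
}

function Test-IsSameOrUnder {
    param([string]$Path, [string]$Root)
    $p = (Get-NormalizedPath $Path) + '\'
    $r = (Get-NormalizedPath $Root) + '\'
    # Comparing with the trailing separator keeps D:\app\gridhome from
    # being treated as a child of D:\app\grid.
    $p.StartsWith($r, [System.StringComparison]::OrdinalIgnoreCase)
}

function Test-GridHomePath {
    param(
        [string]$GridHome,
        [string[]]$OracleBases = @(),
        [string[]]$OracleHomes = @(),
        [string]$ProfileRoot = (Split-Path -Parent $env:USERPROFILE)
    )
    $problems = @()
    foreach ($base in $OracleBases) {
        if (Test-IsSameOrUnder $GridHome $base) { $problems += "under Oracle base $base" }
    }
    foreach ($oh in $OracleHomes) {
        if (Test-IsSameOrUnder $GridHome $oh) { $problems += "inside existing Oracle home $oh" }
    }
    # Anything at or below the profile root is treated as a user home directory.
    if (Test-IsSameOrUnder $GridHome $ProfileRoot) {
        $problems += "inside user profile tree $ProfileRoot"
    }
    $problems
}

# Constructed inputs: absolute paths only, the directories need not exist yet.
$bases = @('D:\app\grid', 'D:\app\oracle')
$homes = @('D:\app\oracle\product\12.1.0\dbhome_1')
foreach ($candidate in 'D:\app\12.1.0\grid', 'D:\app\grid\12.1.0', 'D:\app\gridhome\12.1.0') {
    $found = @(Test-GridHomePath -GridHome $candidate -OracleBases $bases -OracleHomes $homes)
    if ($found.Count -eq 0) { "{0}: OK" -f $candidate }
    else { "{0}: {1}" -f $candidate, ($found -join '; ') }
}
```

Of the three sample candidates, only D:\app\grid\12.1.0 is rejected, because it sits under the constructed Oracle base D:\app\grid.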

5.3.3 About Creating the Oracle Base Directory Path

The Oracle base directory for the Oracle Installation User for Oracle Grid Infrastructure is the location where diagnostic and administrative logs, and other logs associated with Oracle ASM and Oracle Clusterware are stored.

If the directory or path you specify during installation for the Grid home does not exist, then OUI creates the directory.

Note:

  • Placing Oracle Grid Infrastructure for a cluster binaries on a cluster file system is not supported.

  • The base directory for Oracle Grid Infrastructure 12c and the base directory for Oracle RAC 12c must be different from the directories used by the Oracle RAC 11g Release 2 installation.

5.4 Enabling Intelligent Platform Management Interface (IPMI)

Intelligent Platform Management Interface (IPMI) provides a set of common interfaces to computer hardware and firmware that system administrators can use to monitor system health and manage the system. Oracle Clusterware can integrate IPMI to provide failure isolation support and to ensure cluster integrity.

You can configure node-termination with IPMI during installation by selecting a node-termination protocol, such as IPMI. You can also configure IPMI after installation with crsctl commands.

See Also:

Oracle Clusterware Administration and Deployment Guide for information about how to configure IPMI after installation

5.4.1 Requirements for Enabling IPMI

You must have the following hardware and software configured to enable cluster nodes to be managed with IPMI:

  • Each cluster member node requires a Baseboard Management Controller (BMC) running firmware compatible with IPMI version 1.5 or greater, which supports IPMI over local area networks (LANs), and configured for remote control using LAN.

    Note:

    On servers running Windows Server 2008, you may have to upgrade the basic I/O system (BIOS), system firmware, and BMC firmware before you can use IPMI. Refer to Microsoft Support Article ID 950257 (http://support.microsoft.com/kb/950257) for details.
  • Each cluster member node requires an IPMI driver installed on each node.

  • The cluster requires a management network for IPMI. This can be a shared network, but Oracle recommends that you configure a dedicated network.

  • Each cluster member node's Ethernet port used by BMC must be connected to the IPMI management network.

  • Each cluster member must be connected to the management network.

  • Some server platforms put their network interfaces into a power saving mode when they are powered off. In this case, they may operate only at a lower link speed (for example, 100 megabyte (MB), instead of 1 GB). For these platforms, the network switch port to which the BMC is connected must be able to auto-negotiate down to the lower speed, or IPMI will not function properly.

Note:

IPMI operates on the physical hardware platform through the network interface of the Baseboard Management Controller (BMC). Depending on your system configuration, an IPMI-initiated restart of a server can affect all virtual environments hosted on the server. Contact your hardware and OS vendor for more information.

5.4.2 Configuring the IPMI Management Network

You can configure the Baseboard Management Controller (BMC) for Dynamic Host Configuration Protocol (DHCP), or for static IP addresses.

Oracle recommends that you configure the BMC for dynamic IP address assignment using DHCP. To use this option, you must have a DHCP server configured to assign the BMC IP addresses.

Note:

If you configure Intelligent Platform Management Interface (IPMI), and you use Grid Naming Services (GNS), then you still must configure separate addresses for the IPMI interfaces. Because the IPMI adapter is not seen directly by the host, the IPMI adapter is not visible to GNS as an address on the host.

5.4.3 Configuring the IPMI Driver

For Oracle Clusterware to communicate with the BMC, the IPMI driver must be installed permanently on each node, so that it is available on system restarts.

On Windows systems, the implementation assumes the Microsoft IPMI driver (ipmidrv.sys) is installed, which is included with the Windows Server 2008 and later versions of the Windows operating system. The driver is included as part of the Hardware Management feature, which includes the driver and the Windows Management Interface (WMI).

Note:

An alternate driver (imbdrv.sys) is available from Intel as part of Intel Server Control, but this driver has not been tested with Oracle Clusterware.

5.4.3.1 Configuring the Hardware Management Component

Hardware management is installed using the Add/Remove Windows Components Wizard.

  1. Press Start, then select Control Panel.
  2. Select Add or Remove Programs.
  3. Click Add/Remove Windows Components.
  4. Select (but do not check) Management and Monitoring Tools and click the Details button to display the detailed components selection window.
  5. Select the Hardware Management option.
    If a BMC is detected through the system management BIOS (SMBIOS) Table Type 38h, then a dialog box will be displayed instructing you to remove any third-party drivers. If no third-party IPMI drivers are installed or they have been removed from the system, then click OK to continue.

    Note:

    The Microsoft driver is incompatible with other drivers. Any third-party drivers must be removed.
  6. Click OK to select the Hardware Management Component, and then click Next.
    Hardware Management (including Windows Remote Management, or WinRM) will be installed.

After the driver and hardware management have been installed, the BMC should be visible in the Windows Device Manager under System devices with the label "Microsoft Generic IPMI Compliant Device". If the BMC is not automatically detected by the plug and play system, then the device must be created manually.

To create the IPMI device, run the following command:

rundll32 ipmisetp.dll,AddTheDevice