Pricing  Get Quote
 
 

Knowledge Base

Self Service Password Management » Knowledge Base

How to Migrate ADSelfService Plus Database from PostgreSQL to MS SQL

In this article

Objective

ADSelfService Plus comes bundled with a PostgreSQL database server to store basic user attributes and enrollment data. It also allows you to migrate from the built-in PostgreSQL to MS SQL. This article walks you through the database server migration process.

Prerequisites

  • Supported MS SQL server versions: 2014, 2016, 2017, 2019, 2022, and 2025.
  • MS SQL server configuration: In the MS SQL server instance used for migration, make sure that the following conditions are satisfied:
    1. The SQL Server Browser service must be up and running.
    2. For SQL Server Network Configuration, TCP/IP protocol must be enabled.
    3. All the client protocols must be enabled.
    4. The account used for migration must have the sysadmin server role and the db_owner database role on the target database.

    Note: These elevated privileges are required only for the initial migration; see Appendix B for how to reduce them afterward.

Refer to Appendix A for configuring prerequisites 1, 2, and 3. Refer to Appendix B for configuring prerequisite 4.

Migration steps

Step 1: Back up the ADSelfService Plus database

If you're installing ADSelfService Plus for the first time and don't have any data to back up, skip this step and proceed to the next step. However, if you want to backup the data, follow the steps given below:

  1. Stop ADSelfService Plus:
    • If ADSelfService Plus is running in console mode, click the Windows icon, search for ADSelfService Plus, and choose Stop ADSelfService Plus.
    • If ADSelfService Plus is running as a service, click the Windows icon, search for Services. In the window that appears, choose ManageEngine ADSelfService Plus, and select Stop the service.
  2. Open an elevated Command Prompt, and navigate to <ADSelfService Plus installation directory>\bin.

    Note: By default, ADSelfService Plus is installed in: C:\Program Files\ManageEngine\ADSelfService Plus

  3. Run the backupDB (Windows Batch) file as an administrator. Don't terminate until the process is finished.

    Backing up the database in ADSelfService Plus

  4. Data in the default database of ADSelfService Plus will be backed up and stored under <ADSelfService Plus installation directory>\backup\OfflineBackup_<Backup Time>-

    Note: If an error shows up while running the backupDB file, make sure the product has been stopped before proceeding.

    Managing server seems to be running error in ADSelfService Plus

The Auto Backup option is only available when using the built-in PostgreSQL database. After migrating to MS SQL, use native MS SQL Server backup tooling instead.

Step 2: Migrate PostgreSQL Data to MS SQL

Note: It's important to make sure you stop the ADSelfService Plus console/service before this process.

  1. If the MS SQL Server is installed on a remote computer, install the necessary command line utilities and MS SQL Native Client on that computer, and proceed to the next step.

    Note: The links in the table below will redirect you to the main Microsoft SQL feature pack page. Install the corresponding SQL Native Client or command line utilities as per the MS SQL Server version and CPU type of the machine where ADSelfService Plus is installed. The command line utilities have the term SQLCMD in them, and the native client file can be found under the name sqlncli.

    SQL Server Version Command Line Utilities Native Client ODBC Driver (x86) ODBC Driver (x64)
    2014 Download Not Applicable Download Download
    2016, 2017, and 2019 Download Not Applicable Download Download
    2022 Download Not Applicable Download Download
    2025 Download Download Download * Download

    * Microsoft has deprecated the x86 ODBC driver for SQL Server 2025. The Native Client has been superseded by MSOLEDBSQL, which can be downloaded using the link.

  2. Copy the following files to <ADSelfService Plus installation directory>\bin:
    • bcp.exe — located at \Tools\Bin\bcp.exe" with the full typical path: "C:\Program Files\Microsoft SQL Server\Client SDK\ODBC<version>\Tools\Bin\bcp.exe
    • bcp.rll — located at \Tools\Bin\bcp.exe" with the full typical path: "C:\Program Files\Microsoft SQL Server\Client SDK\ODBC<version>\Tools\Bin\Resources\1033\bcp.rll

    Note: To ensure that bcp.exe's dependencies are installed correctly, open Command Prompt in <ADSelfService Plus installation directory>\bin and run bcp.exe /v. If the bcp.exe file's version is displayed, the dependencies are properly installed.

  3. Navigate to <ADSelfService Plus installation directory>\bin.

    Migrating from the default database in ADSelfService Plus

  4. Run ChangeDB.bat (Windows Batch file) as an administrator. The Database Setup Wizard will open.
  5. Select MS SQL Server as the Server Type, and enter the Host Name of the MS SQL Server instance.
  6. If your MS SQL Server requires an encrypted connection, check the SSL Connection checkbox. This is recommended for cross-server migrations or deployments where the connection traverses an untrusted network.
    1. Ensure that the SQL Server Browser service is running and that ports 1433 (TCP) and 1434 (UDP) are open, so that the available MS SQL Server instances are fetched and displayed. The values for Port Number and Available MS SQL Server Instances will be automatically loaded. From the displayed list of instances, select the one you'd like to use, and enter the Database Name.

      Note: If the specified database does not exist, it will be created automatically, provided the account has the required permissions to do so.

  7. Choose your authentication method:
    • Windows Authentication: Provide the Domain Name, Username, and Password of the user account that has access to the server.
    • SQL Server Authentication: Enter the SQL Server Username and Password.
    • Windows Authentication requires a Kerberos/NTLM trust path between the ADSelfService Plus host and the MS SQL host. If they reside in different domains without a trust relationship, use SQL Server Authentication instead.
    • If ADSelfService Plus is already running as a Windows service, you can use its service account for the database configuration or create a separate account. If you are creating a separate account, ensure that the ADSelfService Plus service account also has the permission required to access the MS SQL server. Check out Appendix B to know about the necessary permissions.
  8. To migrate your existing data to MS SQL:
    • Builds 6527 and later: Check the Migrate Data From Existing Server checkbox. Leave it unchecked if you are setting up a fresh database with no data to migrate.
    • Builds 6526 and earlier: Open an elevated Command Prompt, navigate to the <ADSelfService Plus installation directory>\bin folder, and run the changeDB.bat true command.

    Available SQL DB instances for Changedb.bat file in ADSelfService Plus

  9. Click Test to verify connectivity, authentication, and that the account has sufficient permission to create or access the target database. If the test fails, check your credentials and confirm the account has the required permissions.
  10. Click Save.

Step 3: Connecting through an Availability Group Listener (Always On)

Note: This step is only relevant if your MS SQL Server is part of an Always On Availability Group (AG) — a high-availability setup where the database is automatically handed off to a standby server if the primary server goes down. If you are using a regular standalone MS SQL instance, skip this step.

What is an Availability Group (AG) Listener?

The AG Listener is a single, stable address that always points to whichever SQL Server node is currently active. Even if the database fails over to a different server, the Listener address stays the same, so ADSelfService Plus stays connected without any manual intervention.

Prerequisites on the MS SQL Side

Before connecting ADSelfService Plus, make sure the following are already configured in your SQL Server AG setup:

  • An Availability Group is created and the database is added to it.
  • An AG Listener is configured with a name and port (the default port is 1433).
  • The database exists on the primary replica and has been synchronized to all secondary replicas.
  • The SQL user account used for the ADSelfService Plus connection has the required permissions (sysadmin and db_owner) on all nodes in the Availability Group, not just the primary; else post-failover connections will fail authentication.
  • For automatic failover to work transparently for ADSelfService Plus, the AG should use Synchronous commit mode with automatic failover configured between the primary and at least one secondary replica. Asynchronous replicas can receive failover but may involve data loss — consult your DBA before configuring.

These are MS SQL Server configurations. If you need help setting them up, refer to Microsoft's documentation on Always On Availability Groups.

Connecting ADSelfService Plus to the Availability Group

When running the Database Setup Wizard in Step 2, the only difference from a regular MS SQL setup is what you enter in the Host Name field:

  • Instead of entering the hostname or IP address of a specific SQL Server, enter the AG Listener Name (for example, AG-Listener or AG-Listener.domain.com).
  • The wizard will connect through the Listener, which always routes the connection to the current active node.

Everything else in the wizard — port, instance, database name, authentication, and the Migrate Data From Existing Server checkbox — works exactly the same as a regular MS SQL setup.

Note: Unlike standalone named instances, the SQL Server Browser service does not always advertise the port for an AG Listener. Enter the Listener's port number manually in the Port field in the wizard. Do not rely on it being auto-populated.

Once configured, ADSelfService Plus will automatically reconnect to the new primary node through the Listener if a failover occurs.

Appendix A: Configuring MS SQL Server

If you already have a functional MS SQL Server instance, this step is not required. Follow the steps below to configure a freshly installed MS SQL Server instance.

  1. Open SQL Server Configuration Manager, or run compmgmt.msc in the Command Prompt.
  2. Go to SQL Server Services > SQL Server Browser and make sure the SQL Server Browser is running.

    Running the SQL server while migrating from ADSelfService Plus

  3. Go to SQL Server Network Configuration, and double-click Protocols for <Instance_name>;.
  4. Click on the TCP/IP protocol and enable it.
  5. Go back to SQL Server Configuration Manager. In the left pane:
    • Navigate to SQL Server Network Configuration > Protocols for SQLEXPRESS, and enable all the protocols.
    • Navigate to SQL Native Client Configuration > Client Protocols, and enable all the protocols.

    Note: SQLEXPRESS is the instance name provided while configuring MS SQL Server in general; however, it can be changed. SQLEXPRESS will be used in this document hereafter.

  6. Restart the SQL Server Service for the changes to take effect.

Appendix B: Delegating MS SQL Server Access

To complete the migration process, you need a database admin account for the MS SQL connection. If ADSelfService Plus is already running as a Windows service, you can use its service account as the MS SQL database admin account. Ensure the account has the required privileges. If there is no such account in MS SQL, follow the steps below to create a new user account and assign the required permissions.

  1. Log in to SQL Server Management Studio.
  2. In the left pane, navigate to Machine Name > SQLEXPRESS > Security > Logins.
  3. Right-click on Logins and select New Login.
  4. Provide a Login Name and choose whether to use Windows Authentication or SQL Server Authentication.
    • If you choose Windows Authentication, enter the Windows NT name of the user to whom access must be granted.
    • If you choose SQL Server Authentication, you will be prompted to create a new Username and Password.
  5. The new user must have the sysadmin role at the server level and db_owner role at the database level. Follow these steps to assign the roles:
    • Navigate to Machine Name > SQLEXPRESS > Security > Logins. Right-click the user > Properties.
    • Go to Server Roles, select the sysadmin checkbox, and click OK.
    • Go to User Mapping in the left pane. In the Users mapped to this login list, check the box next to the database. In the Database role membership list, select db_owner, and click OK.

      SQL database role selection while migrating from ADSelfService Plus

For details about user roles, refer to the following:

In general, the configured account needs one of these three sets of privileges to complete the migration process successfully:

  Required Database Role Required Permissions
Set 1 db_datareader,
db_datawriter,
db_ddladmin,
db_backupoperator		 Not required
Set 3 db_ddladmin ALTER ANY TABLE, ALTER ANY AGGREGATE, ALTER ANY DEFAULT, ALTER ANY FUNCTION, ALTER ANY PROCEDURE, ALTER ANY QUEUE, ALTER ANY RULE, ALTER ANY SYNONYM, ALTER ANY TYPE, ALTER ANY VIEW, ALTER ANY XML SCHEMA COLLECTION, ALTER ANY REFERENCES, CONTROL ON CERTIFICATE::[ZOHO_CERT] TO [user], CONTROL ON SYMMETRIC KEY::[##MS_DatabaseMasterKey##] TO [user], CONTROL ON SYMMETRIC KEY::[ZOHO_SYMM_KEY] TO [user]

Important: You must have the db_owner permission while migrating PostgreSQL to MS SQL for the first time. After a successful migration, you can revoke the db_owner permission for the account and provide Set 2 or Set 3 permissions instead.

To revoke sysadmin after a successful migration: In SQL Server Management Studio, navigate to Machine Name > SQLEXPRESS > Security > Logins. Right-click the account > Properties > Server Roles. Uncheck sysadmin and click OK.

Request for Support

Need further assistance? Fill this form, and we'll contact you rightaway.

  • Name
  •  
  • Business Email *
  •  
  • Phone *
  •  
  • Problem Description *
  •  
  • Country
  •  
  • By clicking 'Submit' you agree to processing of personal data according to the Privacy Policy.
Highlights of ADSelfService Plus

Password self-service

Allow Active Directory users to self-service their password resets and account unlock tasks, freeing them from lengthy help desk calls.

One identity with single sign-on

Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications using their Active Directory credentials.

Password and account expiry notification

Intimate Active Directory users of their impending password and account expiry via email and SMS notifications.

Password synchronization

Synchronize Windows Active Directory user passwords and account changes across multiple systems automatically, including Microsoft 365, Google Workspace, IBM iSeries, and more.

Password policy enforcer

Strong passwords resist various hacking threats. Enforce Active Directory users to adhere to compliant passwords by displaying password complexity requirements.

Directory self-update and corporate directory search

Enable Active Directory users to update their latest information themselves. Quick search features help admins scout for information using search keys like contact numbers.

« Home
Knowledge Base »

ADSelfService Plus trusted by

Embark on a journey towards identity security and Zero Trust
Password management Adaptive MFA Enterprise SSO Self-service & security Related products