
SEC and DB backup strategy for a DR

Hello guys - 

I have one server running SQL 2005 and another running SEC. I'm backing up my DB normally, but what should I back up to recover my environment completely if both my servers crash?

Thank you



This thread was automatically locked due to age.
  • Hi,

    In order to reinstall/re-create the Management Server role from the SEC installer you need:

    1. A backup of the Certificate Store

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Certification Manager\CertAuthStore

    Call this CertStore.reg for example.  

    This is the most important of the 2; without this you will need to either re-protect all the managed clients or run a script that will update the cac.pem and mrinit.conf files on all the machines and get the clients to re-request new certificates. Quite messy.

    2. A backup of the Private Store.

    To do so, you need to run the command line tool ExportPrivateStore.exe

    http://www.sophos.com/support/knowledgebase/article/111425.html

    Note:

    If you have AD sync points, remember to also pass the -s switch.

    As the Sophos Management Service is responsible for maintaining this store and that service runs as local system, you must import and export the xml as local system also. To do so, I would suggest running ExportPrivateStore either directly from PsExec with the -s switch or from a command prompt created under the system context by PsExec.

    PsExec can be found here:

    http://technet.microsoft.com/en-us/sysinternals/bb897553

    psexec -s cmd

    In the new window running as system run:

    exportprivatestore -s -e C:\Export.xml

    You would need to export this store every time you add a new account into the system or when you change a password either in SUM, an updating policy or a sync point.

    Once you have these 2 files:

    Export.xml

    CertStore.reg 

    If you need to reinstall, you would need to:

    1. Import the reg file first (this is important)

    2. Install SEC

    3. Stop the management service

    4. Run

    psexec -s cmd

    In the new window running as system run:

    exportprivatestore -s -i C:\Export.xml

    Note you only need the -s if you're importing sync point data.

    5. Start the Management service.

    That should be everything.

    Regards,

    Jak
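
The backup half of the procedure in the answer above, scripted as an added PowerShell example (not part of the original post and not Sophos code). It assumes psexec.exe and ExportPrivateStore.exe are reachable on PATH, is run from an elevated prompt on the management server, and uses a hypothetical C:\SECBackup folder and -SyncPoints parameter; the ACL step is an addition that treats both files as sensitive because Export.xml is re-exported whenever an account password changes.

```powershell
# Added example: collect CertStore.reg and Export.xml into a timestamped folder.
# Assumptions: psexec.exe and ExportPrivateStore.exe are on PATH; elevated prompt.
param(
    [string]$BackupDir = 'C:\SECBackup',  # hypothetical destination folder
    [switch]$SyncPoints                   # set when AD sync points are configured
)

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $BackupDir $stamp
New-Item -ItemType Directory -Path $target -Force -ErrorAction Stop | Out-Null

# 1. Certificate store (registry key path exactly as given in the post)
$regKey  = 'HKLM\SOFTWARE\Sophos\Certification Manager\CertAuthStore'
$regFile = Join-Path $target 'CertStore.reg'
& reg.exe export $regKey $regFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# 2. Private store, exported as Local System via PsExec -s
$xmlFile    = Join-Path $target 'Export.xml'
$exportArgs = @('-e', $xmlFile)
if ($SyncPoints) { $exportArgs = @('-s') + $exportArgs }  # tool's own -s: include sync point data
& psexec.exe -accepteula -s ExportPrivateStore.exe @exportArgs

# 3. Fail loudly if either file is missing or empty, instead of finding out during DR
foreach ($f in $regFile, $xmlFile) {
    $item = Get-Item -LiteralPath $f -ErrorAction Stop
    if ($item.Length -eq 0) { throw "$f was created but is empty" }
}

# 4. Record SHA-256 hashes so a restore can confirm the files are unchanged
Get-FileHash -Algorithm SHA256 -LiteralPath $regFile, $xmlFile |
    Select-Object Hash, Path |
    Export-Csv -NoTypeInformation -Path (Join-Path $target 'SHA256SUMS.csv')

# 5. Restrict the folder to SYSTEM and Administrators (well-known SIDs, locale independent)
& icacls.exe $target /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

Write-Output "Backup written to $target"
```

Copy the resulting folder off the server along with the SQL database backup, since it is only useful if it survives the crash of both machines.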
