
Advice for upgrading sophos client from 7 to 9 in "Domain Controllers" OU

Can somebody advise me on how best to upgrade Sophos Endpoint from 7 to 9 on domain controllers? I'm using Enterprise Console 4 and have AD groups synchronised from the root of AD, therefore all DCs are in a "Domain Controllers" OU and Sophos group. I don't particularly want to change the update policy to upgrade the whole "Domain Controllers" OU at the same time since they are DCs and I want to be cautious, and would prefer to upgrade them bit by bit (one or a few at a time), especially as we have 2003, 2008, & 2008 R2 DCs in the domain at the moment. Does this mean I need to blow away our configuration for the way we have groups implemented so that we are not synchronising from the root of AD and then create manual groups for computers in which to specify versions of Sophos?

Thanks

Mark



This thread was automatically locked due to age.
  • Hello Mark,

    talked with our administrators and "in principle" it should be possible to create containers (groups) under this OU without breaking AD - but they haven't heard that this has been done.

    As removing and reinstating the syncpoint isn't really fun you might consider one of the following approaches:

    1) As you have to restart the machines after migration you might as well manually change the updating policy on them (they will report as non-compliant but that's no problem). Make sure that the updating policy for the DCs is not modified and that Comply with ... is not used during the "transition". After all (or almost all) have migrated assign the new policy to the DC group.

    2) (untested)

    • turn off automatic updating in the legacy policy
    • create a new updating policy also with automatic updating turned off
    • apply the new policy to the group - as the clients do not automatically update (make sure that Update now isn't clicked on the client) nothing happens
    • from SEC use Update Computers Now on selected clients
    • when they have updated restart them
    • if you are through with all clients turn automatic updating on again

    The second scenario assumes that you just want to upgrade the DCs one after another and that you are confident that once they've successfully restarted nothing "has broken"

    Christian 
