Move clients to a new server

Hi All,

A company I look after has just had their SEC server fall over and die. All the 300 clients are still fine, but they are now server-less. The plan is to permanently move the clients to a new server which is already named and will not be renamed as the naming convention is required for other software.

I have set up SEC on the other server and have my 300 clients imported from AD. My question now is how can I get them all to connect to this new server and update from 7.x to 9? I have set update policies and everything. I just need to wrap my head around getting these clients to report to this server.

Any help is appreciated :)

  • Hi,

    There are a couple of things here to consider.

    1. the certificates

    2. where the clients are pointing.

    If you install a new SEC afresh, it will have new certificates, therefore all the existing clients will not be able to talk to the new server.  If the new server has a different address, the clients will also fail to find the new server.  If the previous server had a static IP address, the clients will be currently configured to address it using IP, failing that FQDN and failing that NetBIOS address.  Had it had a dynamic address all the clients would be looking for it using FQDN and then NetBIOS.

    So essentially we need to:
    1. Point the clients at the new server.

    2. Get the clients new certificates.


    Once the above has been done, you will have management of the machines again in SEC.  This will enable you to send policies to them and essentially point them at the new update locations etc.

    The way the clients were initially set up was as follows:

    1. setup.exe from the CID was run.

    2. setup.exe copied to the clients the file cac.pem and mrinit.conf.

    cac.pem is the certificate of the certification manager. Mrinit.conf contains details that will be used to configure the client message router which will enable it to find the server.  It also has a few identity keys which play a part in the certification stage.  During the install of the RMS package these 2 files are used to configure the client.  Based on the 2 files and knowing where the server is the client is then able to get a certificate for the agent and the router.

    We essentially need to redo this step to point them at the new server and get the machines new certificates.  To do this you could:

    1. Reprotect all the clients, in effect this will run setup.exe again, which will copy down the new cac.pem and mrinit.conf from the new CID.  RMS will reinstall and install the new cac.pem and the router will be pointing at the new server when it reconfigures the machine with the new mrinit.conf.

    2. Just copy down the new cac.pem and mrinit.conf, delete the existing certificates and run clientmrinit.exe (this is a little exe that gets called during the installation of RMS to transfer the cac.pem and mrinit.conf to the registry)

    I've put together a little HTA to help with point 2 as I believe this is a quicker solution and saves a lot of bandwidth:

    To use:

    1. Run the HTA.

    2. Locate the new cac.pem and mrinit.conf in the new CID and use those for the 2 fields.

    3. The other defaults should be ok.

    4. Generate a script.

    The resultant VBS script file should then be run on all clients to reconfigure them.  I would suggest trying it on a couple first and ensure they become visible back in SEC and manageable.  Once happy you could roll it out to the other machines.

    Good luck,

    Jak
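
A pre-flight check for the two files named in the reply above, added here as an example; it is not the poster's HTA or Sophos code. It assumes mrinit.conf stores `"Name"="Value"` lines with a comma-separated parent address list under a key named `MRParentAddress`, which the thread does not show; the function names, server names and addresses are constructed.

```powershell
# Added example, not Sophos code or the poster's HTA.
# ASSUMPTION: mrinit.conf holds "Name"="Value" lines and a comma-separated list of
# parent addresses under a key called MRParentAddress; the thread does not show the file.
function Get-ParentAddresses {
    param([string[]]$ConfLines, [string]$Key = 'MRParentAddress')
    $pattern = '^\s*"' + [regex]::Escape($Key) + '"\s*=\s*"([^"]*)"'
    foreach ($line in $ConfLines) {
        if ($line -match $pattern) {
            return ,@($Matches[1].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return ,@()
}

function Test-CidFiles {
    param(
        [string]$CacPemPath,
        [string]$MrinitPath,
        [string[]]$NewServerNames,   # addresses the clients must be pointed at
        [string[]]$OldServerNames    # addresses of the dead server that must not remain
    )
    $problems = @()
    if ((Get-Content -Raw -Path $CacPemPath) -notmatch '-----BEGIN CERTIFICATE-----') {
        $problems += 'cac.pem contains no PEM certificate block'
    }
    $addresses = Get-ParentAddresses -ConfLines (Get-Content -Path $MrinitPath)
    if ($addresses.Count -eq 0) { $problems += 'mrinit.conf lists no parent address' }
    foreach ($n in $NewServerNames) {
        if ($addresses -notcontains $n) { $problems += "mrinit.conf does not list $n" }
    }
    foreach ($o in $OldServerNames) {
        if ($addresses -contains $o) { $problems += "mrinit.conf still lists old server $o" }
    }
    [pscustomobject]@{
        # Record this hash and compare it with the cac.pem that lands on the pilot clients
        CacPemSha256    = (Get-FileHash -Path $CacPemPath -Algorithm SHA256).Hash
        ParentAddresses = $addresses
        Problems        = $problems
        Ok              = ($problems.Count -eq 0)
    }
}

# Constructed sample files (placeholders, not real Sophos data)
$dir = Join-Path ([IO.Path]::GetTempPath()) 'cid-check-demo'
New-Item -ItemType Directory -Force -Path $dir | Out-Null
$pem, $conf = (Join-Path $dir 'cac.pem'), (Join-Path $dir 'mrinit.conf')
Set-Content $pem "-----BEGIN CERTIFICATE-----`nPLACEHOLDER`n-----END CERTIFICATE-----"
Set-Content $conf '[Config]', '"MRParentAddress"="192.0.2.10,newsec.example.test,NEWSEC"'
Test-CidFiles -CacPemPath $pem -MrinitPath $conf -NewServerNames 'newsec.example.test', 'NEWSEC' -OldServerNames 'OLDSEC'
```

Running the check against the files picked from the new CID before generating the script catches the case where files from the old server's CID are distributed by mistake.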
