
Backup, Restore and Migrate Server Help

For disaster recovery purposes, can anyone point me to the process for backing up and restoring the Endpoint Security and Control database server (version 4.0)?

Also, how would you go about migrating to a different server and still maintain connection with your endpoints and the database contents?

Thanks!



This thread was automatically locked due to age.
  • (This is in a test environment that I'm testing for disaster recovery)

    BackupDB.bat seems to work however I'm having issues with the restore process...RestoreDB.bat appears to have worked but clients cannot connect to database...

    Here's what I did:

    I ran backupdb on my initial install of the database.  Worked.

    Exported the Sophos Certificate Manager HKLM registry entry.

    Uninstalled Console and all MSSQL items.

    Restarted then deleted Sophos and MSSQL folders from Program Files folder.

    Reinstalled Sophos Console 4 and Database.

    Logged Off

    Logged in and closed console, which started automatically.

    Ran RestoreDB.bat - Successful.

    Imported Certificate Manager key - Successful.

    Opened console and got the following error:

    SQL error: 233
    ----- [outer exception] -----
       -- error: 0x80040300
       -- facility: Custom (Defined by the interface)

       at class ATL::CComPtr<struct IDispatch> __thiscall bl::CReusingManagementServiceClientBroker::logIn(void)
       at int __cdecl Run(int,enum bl::ConsoleType::Type)
       at int __stdcall wWinMain(struct HINSTANCE__ *,struct HINSTANCE__ *,wchar_t *,int)

    Hit ok and closed and reopened the console....Data is there from the restore process but endpoints cannot connect to the database.

    Any ideas what I did wrong or what I missed?

  • Hi Jkisner,

    You need to import the Certification Manager key before you install the console.

    Maybe someone else can comment on the error you have, but I would try again ensuring you import the reg key first, then install SEC, then import the database.

    Some nice info on upgrading/moving the console around here:

    http://www.sophos.com/support/knowledgebase/article/28276.html

    OD

  • Firstly - I have always restored HKLM\Sophos\Certification Manager\ before installing the console (as articles 12366 or 28276 say) and never tried to change these keys in a running system. Maybe someone from Sophos can comment on it - ah, I see this has already been done. (BTW: using this procedure I can easily "switch" clients from one management server to another).

    Secondly - you did not mention credentials, especially the SophosUpdateMgr account. Depending on how you installed SEC4 you might not know the password. If the "recovery install" creates a new one it will not match the one in the updating policies.

    Question: endpoints cannot connect to the database - I'm not sure I understand what you are saying here. You mean the clients do not "talk" to the management server (what makes you think so)?

    We've been through a "near disaster" when the management server was hit by Conficker (it was due for replacement anyway since it had some "unknown issue" and refused installation of 2003/SP1). I was on paternal leave at this time. Fortunately I had already installed a new management server (using the procedure mentioned above) with a fairly recent snapshot of the database installed. Groups were in place, updating policies pointed to the new server but of course not all clients were known (but drag-and-drop is no rocket science and it helped lowering the adrenaline levels). So it was just an alias in DNS (and reconfiguration of the proxy directive for the WebCID) and all fell into place.

    Depending on your "disaster scenario" you might want to test some additional steps: changed server name(s) and/or IP-address and required DNS settings, firewall settings and of course install from scratch including any "fixes" (and their sources - are they available if your server is gone?) you might have applied.

    Finally - the SQL error was transient?

    Christian 

  • Thanks for your reply - I will try importing the key first.  I will keep the credentials the same from the initial install to the restore.

    After the restore process (although I did it incorrectly), I wanted to test connectivity between an endpoint and the management server:  I put an archived copy of Eicar on the client machine and scanned it.  The virus was detected but the management console was never notified of the virus.  I also tried to update - it timed out and said the server was unreachable.  I will retry this after I try the restore process installing the key first.

    Yes, the SQL error only occurred on the initial opening of the console AFTER I imported the database and then the key.  After I clicked OK to the error and reopened the console I had no other issues.

  • Hello


    I think that Sophos should create a KB article with the steps to back up and restore an EC 4.0 console, mainly for disaster recovery purposes.

    The main requirements are:

    1. A copy of Certificates (HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Certification Manager)
    2. A database copy.
    3. The old server and the new server would have the same NAME and IP.

    Also, it is very important to know whether it is possible to have two EC 4.0 servers (primary and secondary / main and backup) for fault tolerance purposes.

    Regards,

    Linck Tello Flores

  • Thanks for your post.  I agree with you totally.  I found enough articles to get me started, but I did not find anything that was geared toward disaster recovery....I checked the online knowledgebase as well as a keyword search of all the PDFs for EC 4.

    It's also my humble opinion that the console should have the option built in to Backup and Restore instead of manually using batch files...This would also include making a copy of the necessary registry entries needed to restore.

    I also have not had any luck with restoring/migrating the management server to a server with a different name and IP address...is this even possible? 

  • I can't say I didn't find anything on disaster recovery...KB 12366 was written for it, but it failed to mention anything about the restoredb.bat or backupdb.bat files....

  • I also have not had any luck with restoring/migrating the management server to a server with a different name and IP address...is this even possible?

    Keep in mind that when the server name changes the update locations must also be changed (unless you use a share "somewhere else")

    Prerequisite: the key is imported before installing

    Scenario 1:

    Backup the database and restore it on the new server. Change the updating policies on the new server and reprotect the computers. This follows article 28276 which has an incomplete (IMO steps 7-9 of "Upgrading from Enterprise Console 2 to Enterprise Console 3.x" must be done after step 8 of "Upgrading from Enterprise Console 3.x to Enterprise Console 4.0") description of a migration process. But this is probably not what you are looking for since reprotecting all computers might not be easy.

    Scenario 2:

    Backup and restore. Then create an alias in DNS with the old name pointing to the new server. Clients will then connect to the new server. Copy mrinit.conf to the rms subfolders as described in article 14635 steps 1.2.6 and 1.3. Clients will pick up the new RMS configuration with the next update. That's what we've done after the disaster I mentioned.

    Scenario 3:

    Similar to 2 but you change the RMS configuration in the old CIDs. You don't use the DNS alias but this procedure doesn't work for disaster recovery (unless your CIDs are "somewhere else"). 

    It's also my humble opinion that the console should have the option built in to Backup and Restore instead of manually using batch files.

    Now I'd guess that "big installations" use other products besides Sophos and that they have their own backup, restore and recovery strategy. So backing up a database and keeping important registry settings is not specific to Sophos. Still it'd be nice to have the option to make a backup of "all the important stuff" (the keys, policies and group structure).

    Christian

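A pre-install check for the order described in this thread (Certification Manager key before the console, then the DNS alias of Scenario 2), as an added PowerShell example that is not from the posters or from Sophos. The backup folder, the old server name and the use of a `Sophos` folder under Program Files as the sign of an existing install are assumptions; the registry path is the one written in the thread.

```powershell
# Added example (not Sophos tooling). Run elevated: -Mode Export on the old
# server, -Mode Preflight on the new server before installing the console.
param(
    [ValidateSet('Export', 'Preflight')][string]$Mode = 'Preflight',
    [string]$BackupDir = 'D:\sec-dr',            # assumption: backup folder
    [string]$OldServerName = 'OLD-SEC-SERVER'    # placeholder: name the endpoints were set up with
)
$SubKey   = 'SOFTWARE\Sophos\Certification Manager'   # key path as given in the thread
$RegFile  = Join-Path $BackupDir 'CertificationManager.reg'
$HashFile = "$RegFile.sha256"

function Export-CertKey {
    if (-not (Test-Path "HKLM:\$SubKey")) { throw "Key not found: HKLM\$SubKey" }
    New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
    & reg.exe export "HKLM\$SubKey" $RegFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg export failed' }
    (Get-FileHash $RegFile -Algorithm SHA256).Hash | Set-Content $HashFile
    # The thread notes this key is what lets clients be switched to another
    # management server, so limit the folder to local Administrators (by SID).
    & icacls.exe $BackupDir /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' | Out-Null
}

function Test-Preflight {
    $ok = $true
    $expected = (Get-Content $HashFile -ErrorAction Stop | Select-Object -First 1).Trim()
    if ((Get-FileHash $RegFile -Algorithm SHA256).Hash -ne $expected) {
        Write-Warning 'Export does not match the hash recorded at backup time.'; $ok = $false
    }
    # Thread's order: the key is imported before the console is installed.
    if (-not (Test-Path "HKLM:\$SubKey")) {
        Write-Warning "Key missing. Import it first: reg import `"$RegFile`""; $ok = $false
    }
    if (Test-Path (Join-Path $env:ProgramFiles 'Sophos')) {   # assumption: install folder
        Write-Warning 'A Sophos folder already exists; the key must precede the install.'; $ok = $false
    }
    # Scenario 2: the old server name must resolve to this machine.
    try {
        $alias = [Net.Dns]::GetHostAddresses($OldServerName) | ForEach-Object { $_.IPAddressToString }
        $local = [Net.Dns]::GetHostAddresses($env:COMPUTERNAME) | ForEach-Object { $_.IPAddressToString }
        if (-not ($alias | Where-Object { $local -contains $_ })) {
            Write-Warning "$OldServerName does not point at this server."; $ok = $false
        }
    } catch { Write-Warning "$OldServerName does not resolve."; $ok = $false }
    return $ok
}

if ($Mode -eq 'Export') { Export-CertKey } else { Test-Preflight }
```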
  • Thanks again for your post - extremely useful information.

    I was using KB article 52383 and trying to only use steps that pertain.  Overall, now I think I have a good idea of the requirements.

    On my first attempt, without any of this info, I left out configuring the Update Policy to reflect the new server name...obviously very important and caused a number of issues for me.

    Hope these posts will help out others.

  • Hi,

    We've tried to update our installation (on a new server). We exported the certificate and imported it on the new server. The import was done before installation.

    After installation there is no way of updating. The Update Manager doesn't work at all. It looks like the certificate is the problem here.

    Is there a way of reusing the certificate?

    Regards,

    Patrick
