This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Enterprise Clients still referring to old server after migration.

Hi Everyone,

Please help!

I migrated our Sophos Enterprise from a Win 2003 server to 2012R2 over the weekend. Had a few migration errors through the migration and I was able to work my way through them till completed the migration successfully. I was also able to run the wizard to "Protect Computers" and it went well for almost 70 percent of my clients and they were showing green little indicator on the computer names' icon. For the rest, it was still showing a red cross on the computer names, which I initially thought these are the laptops which majority are out of office over weekends. however, this morning I see they are still sitting on red cross despite I can see most of them are connected to the network and I have remote access to all. I even went through a few of these failed ones and could see they are still referring to the old SEC server. One thing in common for all these clients, is that all of them refer to the old server as their Primary Update Manager. I went through all the config files, registry keys, and Update policies in the new server (according to various articles in this community) and couldn't find even one reference to the old server. I've cleaned them up during installation. So where do these clients get the old update manager record from. And before you ask, I have already removed the old SUM from the old server as well as the new server. I also went through all my update policies and all of them refer to the new SUM.

Would highly appreciate if someone can share some knowledge or experience in this regards. I tried to look into different log files both on Server and Clients but couldn't find anything relevant. I may well be looking in the wrong place, but a little bit of help would be appreciated.

Please bear in mind, that around 70% of the clients are looking healthy and referring to the right SUM, my issue is with the other 30%.

Happy to share logs if you advice.

Cheers



This thread was automatically locked due to age.
Parents
  • Hi,

    After performing the migration of the management server, there are a few ways to get the clients pointing at it:

    1. Re-protect from the new SEC server.  This will, in effect remove RMS, SAU from the clients and re-install it.  
    You can do this either by using the Protect wizard from the new SEC or by manually/scripting the running of setup.exe from the distribution point on the new server's distribution points, either way the results are the same.

    2. Configure the CID the clients are pointing at with a custom mrinit,conf file, such that the next time they update from the old CID, the move over to the new server.

    3. Create a VBS script using the EMU as per: https://www.sophos.com/en-us/support/knowledgebase/116737.aspx.  This method essentially re-configures the client with a new config as specified when you run the HTA and point it at the config files of the new server.  As long as the resulting script is run as an administrator that will also work.

    It sounds like you used Option 1.  The downside of that option being, that the computers have to be on at the time you issue the protect.  The protect is not queued up for when the client comes online.  So for the computers that are still pointing at the old server you should be able to re-protect them with option 1 or you could even use option 3?

    Hope it helps.

    Regards,

    Jak

Reply
  • Hi,

    After performing the migration of the management server, there are a few ways to get the clients pointing at it:

    1. Re-protect from the new SEC server.  This will, in effect remove RMS, SAU from the clients and re-install it.  
    You can do this either by using the Protect wizard from the new SEC or by manually/scripting the running of setup.exe from the distribution point on the new server's distribution points, either way the results are the same.

    2. Configure the CID the clients are pointing at with a custom mrinit,conf file, such that the next time they update from the old CID, the move over to the new server.

    3. Create a VBS script using the EMU as per: https://www.sophos.com/en-us/support/knowledgebase/116737.aspx.  This method essentially re-configures the client with a new config as specified when you run the HTA and point it at the config files of the new server.  As long as the resulting script is run as an administrator that will also work.

    It sounds like you used Option 1.  The downside of that option being, that the computers have to be on at the time you issue the protect.  The protect is not queued up for when the client comes online.  So for the computers that are still pointing at the old server you should be able to re-protect them with option 1 or you could even use option 3?

    Hope it helps.

    Regards,

    Jak

Children