SEC migration from a DC

Hi, need to migrate SEC from Server 2008R2 to a new virtual server running Server 2016.

Problem I have read - Current server is a DC, but the new server will not be a DC. What are the pitfalls and steps with the first server already being a DC?
(this is installed way back and has always been ok)

Are there instructions about this scenario anywhere please?

Many Thanks


  • Hi  

    It is recommended that Enterprise Console is not installed on a Domain Controller. It is also likely that additional security settings have been configured on a DC which could prevent Enterprise Console installing, one of which is listed in this article. You can refer to this migration guide for migrating Sophos Enterprise Console from one server to another.

  • In reply to Shweta:

    Hi, thanks for the reply. I wasn't clear.

    SEC is already installed on the 2008R2 DC. It has been on there for at least 7 years; it was Server 2003 before that.

    I want to migrate SEC from the old current DC to a new virtual server that won't be a DC. Are there likely to be any issues that anyone is aware of?

    The migration literature only seems to mention that they should both not be a DC, but I can't find any info to say what to do if one of them already is a DC with SEC installed.



  • In reply to tstan:


    The reason that neither server is assumed to be a Domain Controller is that hosting the Console on a Domain Controller is not considered a best practice. Although the console can run on a DC server, we do not recommend this type of installation because the installed database will then support the SQL instances of the Active Directory and that of the SEC, which, in case of an internal SQL problem, would not only bring down the DC system infrastructure but also the antiviral infrastructure.
    It is good practice that each database is independent of the others. However, it will not negatively impact the migration. Please note that groups that WOULD have been created locally (e.g. Sophos DB Admins, Sophos Console Admins, etc.) will instead become Domain Groups. This will not affect their permissions or functionality but will cause them to show up in Active Directory.

  • In reply to Shweta:


    Thanks again for replying.

    I will go ahead with the migration then and get it off the DC and on to the new Hyper-V server. I just wanted to make sure it wouldn't cause any issues.


  • In reply to tstan:


    You're welcome. Please let us know if you have any other query.