SEC migration from a DC

Hi, need to migrate SEC from Server 2008R2 to new virtual server running Server2016.

Problem I have read - Current server is a DC, but the new server will not be a DC. What are the pitfalls and steps with the first server already being a DC?
(this was installed way back and has always been ok)

Are there instructions about this scenario anywhere please?

Many Thanks

Trev

  • Hi  

    It is recommended that Enterprise Console is not installed on a Domain Controller. It is also likely that additional security settings have been configured on a DC which could prevent Enterprise Console from installing, one of which is listed in this article. You can refer to this migration guide for migrating Sophos Enterprise Console from one server to another.

  • In reply to Shweta:

    Hi, thanks for the reply. I wasn't clear.

    SEC is already installed on the 2008R2 DC. It has been on there for at least 7 years; it was Server 2003 before that.

    I want to migrate SEC from the old current DC to a new virtual server that won't be a DC. Are there likely to be any issues that anyone is aware of?

    The migration literature only seems to mention that they should both not be a DC, but I can't find any info to say what to do if one of them already is a DC with SEC installed.

    Thanks

     

  • In reply to tstan:

    Hi  

    The reason that neither server is assumed to be a Domain Controller is that hosting the Console on a Domain Controller is not considered a best practice. Although the console can run on a DC server, we do not recommend this type of installation because the installed database will then support the SQL instances of Active Directory and of SEC, which, in the case of an internal SQL problem, would bring down not only the DC system infrastructure but also the antiviral infrastructure.
    It is good practice that each database is independent of the others. However, it will not negatively impact the Migration. Please note that groups that WOULD have been created locally (Ex: Sophos DB Admins, Sophos Console Admins, etc.) will instead become Domain Groups. This will not affect their permissions or functionality but will cause them to show up in Active Directory. 

  • In reply to Shweta:

    Hi, 

    thanks again for replying. 

    I will go ahead with the migration then and get it off the DC and on to the new HyperV Server. I just wanted to make sure it wouldn't cause any issues.

    regards

  • In reply to tstan:

    Hi  

    You're welcome. Please let us know if you have any other query.

  • In reply to Jasmin:

    Hi, finally having time to run the migration. 

    We are using 55.0. Moving from Server2008 64Bit to Server 2016 64Bit.

    Installing 55.0 on the new server using the migration guide.

    Got to step 8.4 and get an error.

    Build started 11/03/2020 11:43:49.
    Copy file C:\ProgramData\Sophos\ManagementServer\Backup\Databases\SOPHOSPATCH52.bak successful.

    C:\ProgramData\Sophos\ManagementServer\Backup\DataBackupRestore>sqlcmd -E -S "(local)\SOPHOS" -d "master" -b -Q "IF EXISTS (SELECT name FROM master.dbo.sysdatabases WHERE name = N'SOPHOSPATCH52') BEGIN ALTER DATABASE SOPHOSPATCH52 SET OFFLINE WITH ROLLBACK AFTER 5 END"
    'sqlcmd' is not recognized as an internal or external command,
    operable program or batch file.

    Failed

    Process 'C:\ProgramData\Sophos\ManagementServer\Backup\DataBackupRestore\TRS.bat (local)\SOPHOS SOPHOSPATCH52 "C:\ProgramData\Sophos\TempData\SOPHOSPATCH52.bak"' returned Error 9009

    Build FAILED.

    Time Elapsed 00:00:01.40
    Process 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe "C:\ProgramData\Sophos\ManagementServer\Backup\DataBackupRestore"\BackupRestore.proj /t:Restore /clp:NoSummary /p:SubSystem=all;DataSourceType=Database;ExcludeDB=False;LocationSpecific=False;SlientMode=False;DBServerInstance=' returned Error 1

    Any solution to this please?

    Thanks

  • In reply to tstan:

    Hello tstan,

    'sqlcmd' is not recognized as an internal or external command ...
    well, sqlcmd should be there if SQL Server is installed. The installer would normally install it.

    Christian
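
A pre-flight check for the `'sqlcmd' is not recognized` failure in the build log above, as an added PowerShell example that is not part of the thread or of Sophos's tooling. Error 9009 is the exit code cmd.exe returns when it cannot find a command, so the check separates "not installed" from "installed but not visible on PATH in this session". The search root `Microsoft SQL Server` under Program Files and the function name `Find-SqlCmd` are assumptions.

```powershell
# Added example (not from the thread): why can't the restore step find sqlcmd?
# Assumption: SQL client tools, if present, live under "<Program Files>\Microsoft SQL Server".

function Find-SqlCmd {
    # 1. Does sqlcmd resolve in THIS session (what a batch file started from here would see)?
    $onPath = Get-Command sqlcmd.exe -CommandType Application -ErrorAction SilentlyContinue |
        Select-Object -First 1

    # 2. Is a copy installed anywhere under the SQL Server program folders?
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } |
        ForEach-Object { Join-Path $_ 'Microsoft SQL Server' } |
        Where-Object { Test-Path $_ }
    $installed = @($roots | ForEach-Object {
        Get-ChildItem -Path $_ -Filter sqlcmd.exe -Recurse -File -ErrorAction SilentlyContinue
    })

    # 3. Compare the machine-wide PATH (registry) with the PATH this process inherited.
    #    An installer updates the former; already-running sessions keep the latter.
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
        ForEach-Object { $_.TrimEnd('\') }
    $processPath = $env:Path -split ';' | ForEach-Object { $_.TrimEnd('\') }

    $verdict = if ($onPath) {
        'OK: sqlcmd resolves in this session'
    } elseif (-not $installed) {
        'MISSING: no sqlcmd.exe found, SQL client tools are not installed'
    } elseif ($installed | Where-Object { $machinePath -contains $_.DirectoryName }) {
        'STALE PATH: installed and in machine PATH, open a new session or restart'
    } else {
        'NOT ON PATH: installed, but its folder is not in the machine PATH'
    }

    [pscustomobject]@{
        Verdict            = $verdict
        ResolvedFrom       = if ($onPath) { $onPath.Path } else { $null }
        InstalledAt        = $installed.FullName
        CopiesInProcessPath = @($installed |
            Where-Object { $processPath -contains $_.DirectoryName }).Count
    }
}

Find-SqlCmd | Format-List
```

Run it in the same session type (same account, same elevation) that will launch the restore, since the result depends on the PATH that session inherited.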

  • In reply to QC:

    Hi,

    thanks for getting back so quickly..

    We run the installer for the database component from the extracted SEC_550 folder.

    SQL is listed in Program Files and Program Files x86.

    I have just run the sql installer from the Sophos SEC_550 Pre Req folder and restarted the server..

    This is a Hyper-V server if that makes any difference..?

    thanks

  • In reply to tstan:

    Hi  

    There is a chance that this installation might not work for you because of the Hyper-V server. SEC 5.5.0 is not supported with Hyper-V server for DB, management server, console server and SUM server. SEC 5.5.2 is also not supported.

    Please refer to this article, where there is an Excel file which has all the information for all the products.

  • In reply to Jasmin:

    So we have to buy a new physical server? We have a Datacentre 2019 server, but this is not listed, does that mean I couldn't put it on that one?

    All our other servers are now virtual on Hyper-V.. 

    The last physical server we have is our Sophos server, on 2008R2 which we need to replace with a virtual 2016/19 server..

     

     

  • In reply to tstan:

    Hello tstan,

    to avoid misunderstandings - the server you want to install SEC on is the Hyper-V server or a VM on it? Of course you can use a VM for SEC.

    Christian

  • In reply to tstan:

    Hi  

    Datacenter edition is supported for SEC 5.5.0, 5.5.1 and 5.5.2. Please go through the below screenshot.

  • In reply to Jasmin:

    Hi,

    appreciate the help... a lot..

    Reinstalling SQL and restarting the VM worked and the Build completed.

    We continued the migration and are now in the process of protecting the endpoints from the new SEC.

    It is all working on our Virtual 2016 server on our Hyper-V machine so I am not sure what won't work?

  • In reply to tstan:

    Hi  

    You're welcome.

    Your scenario is completely supported and the build should complete successfully, as you are running a Windows Server 2016 (maybe Standard edition) VM on a physical Hyper-V server.

  • In reply to Jasmin:

    Thanks for all the help with this... but...

    Install completed and endpoints are gradually reappearing in the console.

    We now want to upgrade from 550 to SEC 552. On trying the install we get an error message on the pre-check:

    You don't have sufficient database rights.

    I followed the /kb/en-us/124245 what to do and run the SQLCMD, the user account is in the list.

    I tried to add it again and it says the server principal already exists...

    this Sophos admin account is a member of Sophos DB Admins, Sophos DB Users, Domain Admins, Sophos Full and Sophos Console..

    I was trying to run it from my desktop as a remote desktop session as it's a VM. I ran the installer "Run as Administrator".

    I also tried it on the Hyper-V server itself with the same result..

    I disabled UAC through the registry with the same result.

    The whole migration was done on this account..

    Am I missing something else?