
SEC migration from a DC

Hi, need to migrate SEC from Server 2008R2 to new virtual server running Server 2016.

Problem I have read - Current server is a DC, but the new server will not be a DC. What are the pitfalls and steps with the first server already being a DC?
(this is installed way back and has always been ok)

Are there instructions about this scenario anywhere please?

Many Thanks

Trev



  • Hi  

    It is recommended that Enterprise Console is not installed on a Domain Controller. It is also likely that additional security settings have been configured on a DC which could prevent Enterprise Console installing, one of which is listed in this article. You can refer to this migration guide for migrating Sophos Enterprise Console from one server to another.

    Shweta

    Community Support Engineer | Sophos Technical Support
  • Hi, thanks for the reply. I wasn't clear.

    SEC is already installed on the 2008R2 DC. It has been on there for at least 7 years, it was Server 2003 before that.

    I want to migrate SEC from the old current DC to a new virtual server that won't be a DC. Are there likely to be any issues that anyone is aware of?

    The migration literature only seems to mention that they should both not be a DC, but I can't find any info to say what to do if one of them already is a DC with SEC installed.

    Thanks

     

  • Hi  

    The reason that neither server is assumed to be a Domain Controller is that hosting the Console on a Domain Controller is not considered a best practice. Although the console can run on a DC server, we do not recommend this type of installation because the database installed will then support the SQL instances of the Active Directory and that of the SEC, which, in case of an internal SQL problem, would not only bring down the DC system infrastructure but also the antivirus infrastructure.
    It is good practice that each database is independent of the others. However, it will not negatively impact the Migration. Please note that groups that WOULD have been created locally (Ex: Sophos DB Admins, Sophos Console Admins, etc.) will instead become Domain Groups. This will not affect their permissions or functionality but will cause them to show up in Active Directory. 

    Shweta

    Community Support Engineer | Sophos Technical Support
  • Hi, 

    thanks again for replying. 

    I will go ahead with the migration then and get it off the DC and on to the new HyperV Server. I just wanted to make sure it wouldn't cause any issues.

    regards

  • Hi  

    You're welcome. Please let us know if you have any other query.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support

  • Hi, finally having time to run the migration. 

    We are using 55.0. Moving from Server 2008 64-bit to Server 2016 64-bit.

    Installing 55.0 on the new server using the migration guide.

    Got to step 8.4 and get an error.

    Build started 11/03/2020 11:43:49.
    Copy file C:\ProgramData\Sophos\ManagementServer\Backup\Databases\SOPHOSPATCH52.bak successful.

    C:\ProgramData\Sophos\ManagementServer\Backup\DataBackupRestore>sqlcmd -E -S "(local)\SOPHOS" -d "master" -b -Q "IF EXISTS (SELECT name FROM master.dbo.sysdatabases WHERE name = N'SOPHOSPATCH52') BEGIN ALTER DATABASE SOPHOSPATCH52 SET OFFLINE WITH ROLLBACK AFTER 5 END"
    'sqlcmd' is not recognized as an internal or external command,
    operable program or batch file.

    Failed

    Process 'C:\ProgramData\Sophos\ManagementServer\Backup\DataBackupRestore\TRS.bat (local)\SOPHOS SOPHOSPATCH52 "C:\ProgramData\Sophos\TempData\SOPHOSPATCH52.bak"' returned Error 9009

    Build FAILED.

    Time Elapsed 00:00:01.40
    Process 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe "C:\ProgramData\Sophos\ManagementServer\Backup\DataBackupRestore"\BackupRestore.proj /t:Restore /clp:NoSummary /p:SubSystem=all;DataSourceType=Database;ExcludeDB=False;LocationSpecific=False;SlientMode=False;DBServerInstance=' returned Error 1

    Any solution to this please?

    Thanks

  • Hello tstan,

    'sqlcmd' is not recognized as an internal or external command ...
    well, sqlcmd should be there if SQL Server is installed. The installer would normally install it.

    Christian

  • Hi,

     

    thanks for getting back so quickly..

    We run the installer for the database component from the extracted SEC_550 folder.

    SQL is listed in Program Files and Program Files x86.

    I have just run the sql installer from the Sophos SEC_550 Pre Req folder and restarted the server..

    This is a Hyper-V server if that makes any difference..?

    thanks

  • Hi  

    There are chances where this installation might not work for you because of the Hyper-V server. SEC 5.5.0 is not supported with Hyper-V server for DB, management server, console server and SUM server. Even SEC 5.5.2 is also not supported.

    Please refer to this article where there is an excel file which has all the information for all the products.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support

  • So we have to buy a new physical server? We have a Datacentre 2019 server, but this is not listed, does that mean I couldn't put it on that one?

    All our other servers are now virtual on Hyper-V.. 

    The last physical server we have is our Sophos server, on 2008R2 which we need to replace with a virtual 2016/19 server..

     

     

  • Hello tstan,

    to avoid misunderstandings - the server you want to install SEC on is the Hyper-V server or a VM on it? Of course you can use a VM for SEC.

    Christian

  • Hi  

    Datacenter edition is supported for SEC 5.5.0, 5.5.1 and 5.5.2. Please go through the below screenshot.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support

  • Hi,

    appreciate the help... a lot..

    Reinstalling SQL and restarting the VM worked and the Build completed.

    We continued the migration and are now in the process of protecting the endpoints from the new SEC.

    It is all working on our Virtual 2016 server on our Hyper-V machine so I am not sure what won't work?

  • Hi  

    You're welcome.

    Your scenario is completely supported and the build should be completed successfully as you are running a Windows Server 2016 (maybe Standard edition) VM on a physical Hyper-V server.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support

  • Thanks for all the help with this... but...

    Install completed and endpoints are gradually reappearing in the console.

    We now want to upgrade from 550 to SEC 552. On trying the install we get an error message on the pre-check:

    You don't have sufficient database rights.

    I followed the /kb/en-us/124245 what to do and run the SQLCMD, the user account is in the list.

    I tried to add it again and it says the server principal already exists...

    this Sophos admin account is a member of Sophos DB Admins, Sophos DB Users, Domain Admins, Sophos Full and Sophos Console..

    I was trying to run it from my desktop as a remote desktop session as it's a VM. I ran the installer "Run as Administrator".

    I also tried it on the Hyper-V server itself with the same result..

    I disabled UAC through the registry with the same result.

    The whole migration was done on this account..

    Am I missing something else?

     

  • Hello tstan,

    could you show the associated Sophos_bootstrapper log (please make sure that sensitive information is removed)? 

    Christian

  • Hi, 

    I have noticed something in this file that I missed first time..  

    could this be it .. 

    About a third of the way down. On the error lines it shows SophopsServer and this should be SophosServer. I've typo'ed somewhere.

    2/03/2020 13:08:02, INFO : Finished retrieving instances - Timeout
    12/03/2020 13:08:17, ERROR : COM error. Connection string: Application Name=SEC Bootstrapper;Database=master;Provider=SQLNCLI11;Server=SophopsServer\SOPHOS;Trusted_Connection=Yes;DataTypeCompatibility=80; - Error: Unspecified error, Description: SQL Server Network Interfaces: Error Locating Server/Instance Specified [xFFFFFFFF].
    12/03/2020 13:08:17, INFO : Checking for presence of database: SOPHOSENC51 on instance: SophopsServer\SOPHOS...
    12/03/2020 13:08:34, ERROR : COM error. Connection string: Application Name=SEC Bootstrapper;Database=master;Provider=SQLNCLI11;Server=SophopsServer\SOPHOS;Trusted_Connection=Yes;DataTypeCompatibility=80; - Error: Unspecified error, Description: SQL Server Network Interfaces: Error Locating Server/Instance Specified [xFFFFFFFF].
    12/03/2020 13:08:34, INFO : Installation value ID '29': ENCDBVERSION="0"
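
The check described in the post above, as an added example that is not part of the thread and not Sophos code: it reads bootstrapper ERROR lines, pulls the `Server=` value out of the connection string, and reports any host that differs from the expected one. The line layout and regular expressions are assumptions inferred from the quoted lines, and the sample log is constructed.

```python
import re

# Constructed sample, in the format of the Sophos_bootstrapper lines quoted above.
SAMPLE_LOG = (
    "12/03/2020 13:08:02, INFO : Finished retrieving instances - Timeout\n"
    "12/03/2020 13:08:17, ERROR : COM error. Connection string: Application Name=SEC Bootstrapper;"
    "Database=master;Provider=SQLNCLI11;Server=SophopsServer\\SOPHOS;Trusted_Connection=Yes;"
    "DataTypeCompatibility=80; - Error: Unspecified error, Description: SQL Server Network "
    "Interfaces: Error Locating Server/Instance Specified [xFFFFFFFF].\n"
    "12/03/2020 13:08:34, INFO : Installation value ID '29': ENCDBVERSION=\"0\"\n"
)

# Line and connection-string layouts are inferred from the quoted lines (assumption).
LINE_RE = re.compile(r"^(?P<ts>\d{1,2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}), (?P<level>[A-Z]+) : (?P<msg>.*)$")
CONN_RE = re.compile(r"Connection string: (?P<conn>.*?;) - Error:")
LOCAL_ALIASES = {"(local)", ".", "localhost"}  # names that always mean "this machine"


def parse_conn_string(conn):
    """Split 'Key=Value;Key=Value;' into a dict with lower-cased keys."""
    pairs = (part.split("=", 1) for part in conn.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}


def find_server_mismatches(log_text, expected_host):
    """Return (timestamp, host, instance) for ERROR lines whose Server= host is not expected_host."""
    findings = []
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line or line["level"] != "ERROR":
            continue
        conn = CONN_RE.search(line["msg"])
        if not conn:
            continue
        server = parse_conn_string(conn["conn"]).get("server", "")
        host, _, instance = server.partition("\\")
        # Windows host names are case-insensitive, so compare lower-cased.
        if host.lower() in LOCAL_ALIASES or host.lower() == expected_host.lower():
            continue
        findings.append((line["ts"], host, instance))
    return findings


if __name__ == "__main__":
    for ts, host, instance in find_server_mismatches(SAMPLE_LOG, "SophosServer"):
        print(f"{ts}: installer tried host '{host}' (instance '{instance}'), expected 'SophosServer'")
```
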

  • I will change the typos in the registry and see what happens.

     

  • Got past the first hurdle, but on to the next..

     

  • Hello tstan,

    these are just warnings, simply proceed.

    Christian