This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SEC migration from a DC

Hi, need to migrate SEC from Server 2008R2 to new virtual server running Server2016.

Problem I have read - Current server is a DC, but the new server will not be a DC. What are the pitfalls and steps with the first server already being a DC.
(this is installed way back and has always been ok)

Are their instructions about this scenario anywhere please?

Many Thanks

Trev



This thread was automatically locked due to age.
Parents
  • Hi  

    It is recommended that Enterprise Console is not installed on a Domain Controller. It is also likely that additional security settings have been configured on a DC which could prevent Enterprise Console installing one of which is listed in this article. You can refer to this migration guide for migrating Sophos Enterprise console from one server to another. 

    Shweta

    Community Support Engineer | Sophos Technical Support
    Are you a Sophos Partner? | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
    The New Home of Sophos Support Videos! - Visit Sophos Techvids
  • Hi, thanks for the reply. I wasn't clear.

    SEC is already installed on the 2008R2 DC. it has been on there for at least 7 years, it was server 2003 before that.

    I want to migrate SEC from the old current DC to a new virtual server that wont be a DC. Are there likely to be any issues that anyone is aware of?

    The migration literature only seems to mention that they should both not be a DC, but I cant find any info to say what to do if one of them already is a DC with SEC installed.

    Thanks

     

  • Hi, finally having time to run the migration. 

    We are using 55.0  Moving from Server2008 64Bit to Server 2016 64Bit.

    installing 55.0 on the new server using the migration guide. 

    Got to step 8.4 and get an error.

    Build started 11/03/2020 11:43:49.
    Copy file C:\ProgramData\Sophos\ManagementServer\Backup\Databases\SOPHOSPATCH52.bak successful.

    C:\ProgramData\Sophos\ManagementServer\Backup\DataBackupRestore>sqlcmd -E -S "(local)\SOPHOS" -d "master" -b -Q "IF EXISTS (SELECT name FROM master.dbo.sysdatabases WHERE name = N'SOPHOSPATCH52') BEGIN ALTER DATABASE SOPHOSPATCH52 SET OFFLINE WITH ROLLBACK AFTER 5 END"
    'sqlcmd' is not recognized as an internal or external command,
    operable program or batch file.

    Failed

    Process 'C:\ProgramData\Sophos\ManagementServer\Backup\DataBackupRestore\TRS.bat (local)\SOPHOS SOPHOSPATCH52 "C:\ProgramData\Sophos\TempData\SOPHOSPATCH52.bak"' returned Error 9009

    Build FAILED.

    Time Elapsed 00:00:01.40
    Process 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe "C:\ProgramData\Sophos\ManagementServer\Backup\DataBackupRestore"\BackupRestore.proj /t:Restore /clp:NoSummary /p:SubSystem=all;DataSourceType=Database;ExcludeDB=False;LocationSpecific=False;SlientMode=False;DBServerInstance=' returned Error 1

    Any solution to this please?

    Thanks

  • Hello tstan,

    'sqlcmd' is not recognized as an internal or external command ...
    well, sqlcmd should be there if SQL Server is installed. The installer would normally install it.

    Christian

  • Hi,

     

    thanks for getting back so quickly..

    We run the installer for the database component from the extracted SEC_550 folder.

    SQL is listed in Program Files and Program Files x86.

    I have just run the sql installer from the Sophos SEC_550 Pre Req folder and restarted the server..

    This is a Hyper-V server if that makes any difference..?

    thanks

  • Hi  

    There are chances where this installation might not work for you because of the Hyper-V server. SEC 5.5.0 is not supported with Hyper-V server for DB, management server, console server and SUM server. Even SEC 5.5.2 is also not supported.

    Please refer to this article where there is an excel file which has all the information for all the products.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support

    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

  • So  we have to buy a new  physical server?  We have a Datacentre 2019 server, but this is not listed, does that mean I couldn't put it on that one? 

    All our other servers are now virtual on Hyper-V.. 

    The last physical server we have is our Sophos server, on 2008R2 which we need to replace with a virtual 2016/19 server..

     

     

  • Hello tstan,

    to avoid misunderstandings - the server you want to install SEC on is the Hyper-V server or a VM on it? Of course you can use a VM for SEC.

    Christian

  • Hi  

    Datacenter edition is supported for SEC 5.5.0, 5.5.1 and 5.5.2. Please go through the below screenshot.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support

    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

  • Hi,

    appreciate the help... a lot..

    Reinstalling SQL and restarting the VM worked and the Build completed.

    We continued the migration and are now in the process of protecting the endpoints from the new SEC.

    It is all working on our Virtual 2016 server on our Hyper-V machine so I am not sure what wont work?

  • Hi  

    You're welcome.

    Your scenario is completely supported and the build should be completed successfully as you are running Windows server 2016 may be standard edition VM on physical Hyper-V server.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support

    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

  • Thanks for all the help with this..,, but...

    Install completed and endpoints are gradually reappearing in the console.

    We now want to upgrade from 550 to SEC 552.  on trying the install we get an error message on the pre check 

    You don't have sufficient database rights.

    I followed the /kb/en-us/124245 what to do and run the SQLCMD, the user account is in the list.

    I tried to add it again and it says the server principal already exists...

    this Sophos admin account is a member of Sophos DB Admins, Sophos DB Users, Domain Admins, Sophos Full and Sophos Console..

    I was trying to run it from my desktop as a remote desktop session as its a VM. I ran the installer "Run as Administrator"

    I also tried it on the Hyper-V server itself with the same result..

    I disabled UAC through the registry with the same result.

    The whole migration was done on this account..

    Am I missing something else?

     

Reply
  • Thanks for all the help with this..,, but...

    Install completed and endpoints are gradually reappearing in the console.

    We now want to upgrade from 550 to SEC 552.  on trying the install we get an error message on the pre check 

    You don't have sufficient database rights.

    I followed the /kb/en-us/124245 what to do and run the SQLCMD, the user account is in the list.

    I tried to add it again and it says the server principal already exists...

    this Sophos admin account is a member of Sophos DB Admins, Sophos DB Users, Domain Admins, Sophos Full and Sophos Console..

    I was trying to run it from my desktop as a remote desktop session as its a VM. I ran the installer "Run as Administrator"

    I also tried it on the Hyper-V server itself with the same result..

    I disabled UAC through the registry with the same result.

    The whole migration was done on this account..

    Am I missing something else?

     

Children
  • Hello tstan,

    could you show the associated Sophos_bootstrapper log (please make sure that sensitive information is removed)? 

    Christian

  • Hi, 

    I have noticed something in this file that I missed first time..  

    could this be it .. 

    about a third of the way down.  On the error lines it shows SophopsServer and this should be SophosServer  I've typo'ed somewhere.

    2/03/2020 13:08:02, INFO : Finished retrieving instances - Timeout
    12/03/2020 13:08:17, ERROR : COM error. Connection string: Application Name=SEC Bootstrapper;Database=master;Provider=SQLNCLI11;Server=SophopsServer\SOPHOS;Trusted_Connection=Yes;DataTypeCompatibility=80; - Error: Unspecified error, Description: SQL Server Network Interfaces: Error Locating Server/Instance Specified [xFFFFFFFF].
    12/03/2020 13:08:17, INFO : Checking for presence of database: SOPHOSENC51 on instance: SophopsServer\SOPHOS...
    12/03/2020 13:08:34, ERROR : COM error. Connection string: Application Name=SEC Bootstrapper;Database=master;Provider=SQLNCLI11;Server=SophopsServer\SOPHOS;Trusted_Connection=Yes;DataTypeCompatibility=80; - Error: Unspecified error, Description: SQL Server Network Interfaces: Error Locating Server/Instance Specified [xFFFFFFFF].
    12/03/2020 13:08:34, INFO : Installation value ID '29': ENCDBVERSION="0"

  • I will change the typo's in the registry and see what happens. 

     

  • Got past the first hurdle, but on to the next..

     

  • Hello tstan,

    these are just warnings, simply proceed.

    Christian

  • I did and it failed, just going through the log file now..

     

    12/03/2020 14:15:04, INFO : Installation value ID '12': INSTALLDIR="C:\Program Files\Sophos" INSTALLDIR32="C:\Program Files (x86)\Sophos" SUM_INSTALLDIR="C:\Program Files (x86)\Sophos\Update Manager"
    12/03/2020 14:15:04, INFO : Installation value ID '19': UPGRADE="1"
    12/03/2020 14:15:04, INFO : Installation value ID '6': SERVER_COMPUTERNAME="SophosServer"
    12/03/2020 14:15:04, INFO : Installation value ID '5': SERVER_PORT="80"
    12/03/2020 14:15:04, ERROR : No Sophos Credential Store Service found: 80040154
    12/03/2020 14:15:04, INFO : Installation value ID '1': SERVER_USERNAME="sophosadmin"
    12/03/2020 14:15:04, INFO : Installation value ID '2': SERVER_USERNAMEDOMAIN="????"
    12/03/2020 14:15:05, ERROR : No Sophos Credential Store Service found: 80040154
    12/03/2020 14:15:06, INFO : Installation value ID '4': SERVER_USERNAMEPASSWORD="********"
    12/03/2020 14:15:06, INFO : upn found: Administrator@?????????????
    12/03/2020 14:15:06, INFO : Installation value ID '3': SERVER_UPN="Administrator@???????????"

     

     

    12/03/2020 14:32:52, INFO : Verifying files in folder
    12/03/2020 14:32:53, INFO : Target folder verification completed successfully
    12/03/2020 14:32:53, INFO : About to install Database64.msi
    12/03/2020 14:33:27, INFO : Processing INSTALLMESSAGE_TERMINATE message from MSI
    12/03/2020 14:33:27, INFO : Ended installing Database64.msi
    12/03/2020 14:33:29, INFO : Installation of Database succeeded
    12/03/2020 14:33:29, INFO : Verifying files in folder
    12/03/2020 14:33:29, INFO : Target folder verification completed successfully
    12/03/2020 14:33:29, INFO : About to install CredStore.msi
    12/03/2020 14:33:49, INFO : Processing INSTALLMESSAGE_TERMINATE message from MSI
    12/03/2020 14:33:49, INFO : Ended installing CredStore.msi
    12/03/2020 14:33:51, INFO : Installation of Sophos Credential Store Service succeeded
    12/03/2020 14:33:51, INFO : Verifying files in folder
    12/03/2020 14:33:52, INFO : Target folder verification completed successfully
    12/03/2020 14:33:52, INFO : About to install Server64.msi
    12/03/2020 14:33:53, INFO : Processing INSTALLMESSAGE_TERMINATE message from MSI
    12/03/2020 14:33:53, INFO : Installation of Server64.msi failed with error code: 1603
    12/03/2020 14:33:53, INFO : Ended installing Server64.msi
    12/03/2020 14:33:55, INFO : Installation of Management Server failed with error code: 1603
    12/03/2020 14:33:55, INFO : Deactivate state: Installing
    12/03/2020 14:33:55, INFO : Activate state: Failed
    12/03/2020 14:33:55, INFO : Entered Installation failed page.
    12/03/2020 14:34:45, INFO : Opening logs folder: C:\ProgramData\Sophos\Management Installer
    12/03/2020 14:36:14, INFO : Finished Bootstrapper
    12/03/2020 14:36:14, INFO : Cleaned up socket.
    12/03/2020 14:36:14, INFO : Uninitialized COM in main thread

  • And errors in the Sophos_Server64MSi log

    GetSumCredentialsFromCredStore: Initialized.
    GetSumCredentialsFromCredStore: No Sophos Credential Store Service found: 80070005
    GetSumCredentialsFromCredStore: Error 0x80004005: Failed to get username
    CustomAction CredStore.GetSUMCredentials returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
    Action ended 14:33:53: CredStore.GetSUMCredentials. Return value 3.
    Action ended 14:33:53: INSTALL. Return value 3.

  • Hello tstan,

    is the Sophos Credential Store service running - assuming the Credential Store has been installed?

    Something similar has been mentioned in the Upgrade fails thread but I'm not sure about the sequence of events in your case. First the bootstrapper refused to continue because of the database rights issue. With the next attempt it installed the 5.5.2 database and the new Credential Store and then failed installing the Server? Which Sophos components and versions are in Programs and Features?

    Christian

  • Apologies, was called away on Friday.

    Credential store is running.

    now if I try and run the new installer, I get this..

     

    I am about ready to scrap the whole thing, delete the serve and start from scratch..

    Would the old migrated server still be usable if I redirect the endpoints back?

     

    thanks

  • Hello tstan,

    not surprisingly the versions of the components are different (I've mentioned it in the story of the second server) and there is an applicable article: Sophos Enterprise Console: Installer has detected different versions of the components installed. Your first screenshot shows that the Credential Store is installed but I assume you have checked that the service is indeed running. As it's not clear what the status was during your first attempt to upgrade a second attempt (after uninstalling the database component) might or might not succeed.

    The old server should still be usable, naturally the changes and history done on and recorded by the new server aren't available on the old one.

    Christian