
Moving EC 4.7 (Db on separate server) to new server.

Hi,

I am moving EC 4.7 to a new server with a different name. The db is running on a separate SQL server & I have only been able to find information on moving the console when it is running on the same server as the db. The EC system is also a primary update source for a number of endpoints & other update managers.

Apart from following the migration guide (except for the part about backing up & restoring db), are there any suggestions for making this as painless as possible?

Thanks,

:18703


This thread was automatically locked due to age.
  • Hi,

    Before I start, just to help understand the environment, I have a few questions:

    The SEC server and the SQL server are member servers in the same domain and the new SEC server is also a member server in the same domain?

    The new SEC server is a brand new server with no Sophos products?  It doesn't currently host a SUM or a distribution location?

    I assume that the management service is using a domain account to connect to the database, so this account can be re-used on the new server?  The account can be seen under:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\EE\Management Tools\DatabaseUser

    on the management server machine.

    Do you know the password for the account the clients are using to update?  I.e. the account in the updating policies.  Typically, unless you do a custom install, which I assume you must have done to perform the distributed install you have, the SophosUpdateMgr account gets created with a random password. It's better to know this account's password for the migration so you can re-use it on the new install on the new server.  Do you have a custom account for this and know the password?

    Also, to redirect the clients, do you have a mechanism available to you to easily deploy a script to the clients, e.g. a VBScript?

    Regards,

    Jak 


     

    :18705
  • Hi Jak,

    Yes, all servers are member servers in the same domain & the new server is clean & doesn't yet have any Sophos programs installed on it.

    I do have the update manager password & it is a domain acct.

    The majority of the clients are on the domain which is synced with Sophos & I can deploy a script without any trouble there, however we have around 400 non-domain PCs as well; they all source their updates from other SUMs though so hopefully won't be an issue. There are around 10 SUMs getting updates from the server that is to be replaced.

    I was thinking of setting up a new SUM, directing clients / other SUMs to it rather than the system being replaced until the cutover & then changing back to the new server.

    Thanks,

    :18707
  • Hi,

    Being in the same domain and member servers all makes it simpler so that's good news, as is knowing the SUM account and password.  In that case you should be able to do something similar to the document here, which will be extracted here:

    C:/sec_sua_471/docs/Eng/sec_47_ua46eng.html

    if you download and run:
    https://secure.sophos.com/support/updates/dp/full/sec_sua_47_sfx.exe

    You could just unpack this SFX to get the file.


    This document describes the steps you need to do to migrate a SEC 4.5 server running Windows 2000 to a different machine when using a remote database before upgrading, which in some way is what you are doing as the "move" steps for 4.5 and 4.7 are the same.  It certainly touches on the main points you need, e.g.:

    1. Backup the cert key and import it on the new server (do this before installing the new server).

    2. Backup the private store on the old server to an XML file using exportprivatestore.exe running as system (use psexec).

    3. Install on the new server
    4. Import the private store XML file using exportprivatestore.exe running as system (use psexec).

    5. Redirect endpoints to the new server.

    The reason I ask about how easy it is to run scripts is that I created a tool to redirect endpoints at a new server (step 5):
    /search?q= 8939 might be an easier way to point your clients at the new server location rather than updating the CIDs with batch files.  Please test the generated script on a few clients first :)

    I would strongly suggest taking a backup of the SOPHOS47 database on the DB machine before starting and ideally a backup of the current SEC server, maybe a snapshot if it's virtual.

    I hope that helps.


    Regards,

    Jak


     


     

    :18715
  • Thanks for your help Jak,

    All good, between the Sophos documentation, your hints & vb script.

    Cheers,

    :18883