Restoring Sophos45 on Sophos50 database

HI,

What you're doing is not really supported.  The upgrade should work as follows:

Scenario: SEC 4.5 with its SOPHOS45 database, all working, then upgrading to SEC 5.0.

Run the installer of SEC 5.0.  The database component of the install, will create you a SOPHOS50, SOPHOSPATCH database.   Note: A list of databases to versions is here: http://www.sophos.com/en-us/support/knowledgebase/17323.aspx.

So no data at this point has been moved from the SOPHOS45 to SOPHOS50.  SOPHOS50 and SOPHOSPATCH just have all the tables, stored procedures, functions etc.

The next component to be installed is the server part, this is the component that under the covers runs UpgradeDB.exe.  This exe connects to the new database (in this case SOPHOS50) by reading the connection string and runs a stored procedure to move the data from SOPHOS45 to SOPHOS50.  This is when the data is actually migrated.  The last component to go on is the console, and you're done.  At this point if all has gone well you can drop SOPHOS45 as it is no longer referenced or used.

You can't really, install SEC 5.0, then attach a previous SOPHOS45 to the instance, and run:

upgradeDB.exe -debug -sourceVersion=45

to move the data over.  The old database will have entries in it that refer to the tickets in the secret store that wasn't moved over.  http://www.sophos.com/en-us/support/knowledgebase/27265.aspx describes how to do disaster recovery and touches on this sort of thing.

So, the command you ran:

restoredb.exe d:\sophos45.bak .\sophos sophos50

Is wrong as you can't restore the SOPHOS45 database over the SOPHOS50.  The Sophos management service will not connect to it as it's the wrong version.

If you want to try doing it this way, you will now need to:

Re-create the SOPHOS50 database and SOPHOSPATCH databases by running the commands as mentioned here:

http://www.sophos.com/en-us/support/knowledgebase/116768.aspx

C:\Sec_50\ServerInstaller\DB\Core\InstallDB.bat .\SOPHOS [DomainName] SOPHOS50

C:\Sec_50\ServerInstaller\DB\Patch\CreatePatchDB.bat .\SOPHOS [DomainName] SOPHOSPATCH

Where:
[DomainName] should be in the domain NetBIOS name form. E.g. DOMAIN, not the full DNS name for the domain. This should be the 'context' of the 'Sophos DB Admins' group.  So on a member server or workgroup it's typically the computer name, if it's a DC it will be the domain name.

Then create a SOPHOS45 database using the command:

sqlcmd -E -S .\sophos -Q "create database SOPHOS45"

drop the existing one first if needed:
sqlcmd -E -S .\sophos -Q "drop database SOPHOS45" 

Restore your old SOPHOS45 to the new database by running:
restoredb.bat d:\sophos45.bak .\sophos sophos45

Then you can try running:
upgradeDB.exe -debug -sourceVersion=45

to move the data from SOPHOS45 to SOPHOS50.

The management service will then start (if not check the application event log for the latest error from the management service), but you will probably need to re-enter the passwords for the updating accounts and the SUM accounts in the policies and SUM config as the migrated data will reference private store entries that don't exist.

Hope it helps get you going.

Regards,

Jak

Hello boeink_ID,

restoredb.exe d:\sophos45.bak .\sophos sophos50

SEC uses specific database names for specific versions (please see Sophos consoles and associated database names). Thus a backup from a SOPHOS45 database must be restored as SOPHOS45.

UpgradeDB.exe looked up to registry ... so i edited the key

Wrong again :smileywink:

It works (and indeed does) as follows:

You back up your old database (e.g. SOPHOS45) and restore with the same name (SOPHOS45) on your new (SOPHOS) database instance which was installed (or is used) by the new installation. The install created and initialized the database for the current version (in your case SOPHOS50).

The key you mentioned names the current (i.e. target) version for the UpgradeDB, thus setting it to something else won't produce the desired results.

So if you use upgradeDB.exe -sourceVersion=45 it looks for a SOPHOS45 database. I'd have expected that it would complain when not finding it but indeed it doesn't. Thus although the upgrade seemed "successful" the new database is empty due to the missing source.

I see that while I was writing this Jak has already provided a detailed answer.

I'd like to add one more caveat: If you intend to manage your existing clients (i.e. "move them over" to the new server) you'd have to reprotect them unless you imported the Certification Manager registry keys before installing SEC5.0.    

Christian

hi jak,

many thanks for your help. i followed your instructions and it worked.

before sec5.0 installation, i copy the oldserver's certificate registry, and import it in the new server (as what christian said).
after installation i execute your instruction.
as the result, i have 2 update manager location in sec5.0.
- first is the OLDSERVER with old working update configuration : http://sophosupdate.net (intranet alias that point directly to parent server) and 'sophos' below it
- and the second is NEWSERVER with nothing in it (brand new, haven't configured yet)

so i copy what is in OLDSERVER to NEWSERVER. and then begin update. it said software delivery failed. so i update from 'sophos', and success without error.

next i protect NEWSERVER with endpoint downloaded from 'sophos' viola!, worked. but... it still using Endpoint 9.5. wasn't it supposed to be endpoint 10.0? how can i get the software? or, why is the 'sophos' give me ver 9.5 instead of 10.0?

plus, i want to set my server to be able deliver update to other sec 5.0 via http? my NEWSERVER is IIS enabled.but i don't know the how to, n dont find it in sec50aseng.pdf manual.

many thanks for the help, jak.

hi Christian,

about your comment  " unless you imported the Certification Manager registry keys before installing SEC5.0.   " how does it work? before installation sec5.0 i have your instruction it it. i imported the certificate from old server.

but even after successfull updates n software download from 'sophos', it seems SEC50 can't protect the client/ is there some steps that missing?

again, many thanks Christian.

HI,

To get SAV10, you just need to check that the subscription(s) that your new SUM is using is set to use SAV 10.  I would start by finding the subscriptions the new SUM has (right column of the "Subscriptions" tab of the SUM config).  E.g. Recommended.  Then on the left of the "Update Managers" view you can see/edit the subscription to ensure it contains SAV 10.

Once the download has completed, you can check in the "View - Bootrap locations, exactly where it is.

To protect the old SEC server you need to uninstall the Sophos components first.  You probably want to delete the old SUM form your SUM list view.

I assume all the clients are pointing at the old server?  In which case:

http://www.sophos.com/en-us/support/knowledgebase/116737.aspx

should help if you can't reprotect everything.  I would also recommend upgrading your new SEC 5.0 to SEC 5.1, the protect computers is more reliable in 5.1.  

Regards,

Jak

Hello boeink_ID,

IIS enabled.but i don't know the how to

the basics are described in How to create a Web CID. As the shared location SophosUpdate contains both the CIDs and the Warehouse it can be used for client updates as well as source for a SUM.

HTH