
Domain name migration questions

Hello Sophos !

In the framework of domain migration, we need to move both Sophos Management server and Sophos database installed on two separate virtual machines.

For now, there is a trust relationship between the two domains.

We "just" want to change the domain name; server name and IP address will remain the same for both servers.

And we want to use the same separate virtual servers, so we don't want to move from an OLD server to a NEW server.

We found following article regarding "Changing Domain Name"

https://sophos.com/kb/119532

Sophos support also sent this, but it is not relevant as we do not want to do a server-to-server migration

http://www.sophos.com/en-us/medialibrary/PDFs/documentation/sec_52_mgeng.pdf?la=en

1/ We will follow the steps described in article ID 119532 by saving the CertAuthStor registry key, removing all Sophos components existing on the Management Server (including Sophos AV / AutoUpdate / RMS / Update Manager / Sophos Console / Management server) and deleting the Sophos registry key (HKLM\Software\[Wow6432Node]\Sophos\)

2/ Regarding Database server (using SQL Server 2005 for info), do we need to follow some specific instructions?

Do we need to remove Sophos Database component and re-install after the change of domain name?

3/ Still regarding the db server, the existing account used by management server to connect to the remote database will need to be changed as well.

In OLDDOMAIN, it is called OPEUSOPHOSADMIN (OLDDOMAIN\OPEUSOPHOSADMIN)

In NEWDOMAIN, the same account is already created: NEWDOMAIN\OPEUSOPHOSADMIN.

Do we need to include the NEWDOMAIN account in some specific group? And/or do we need to do some specific SQL stuff?

4/ After the domain name change is applied on both servers, we plan to import the saved registry key and then to reinstall Sophos Management/Console normally, but using the NEWDOMAIN\OPEUSOPHOSADMIN account for the database connection.

Except for the questions raised above, what do you think of this high-level plan?

Thank you for your support!

Regards,

Fabrice.

:53989


  • Just let me add that we are using Sophos Enterprise Console version 5.0

    Thx!

    :53993
  • Hello Fabrice,

    we "just" want to change domain name

    it's not "just", any of the changes mentioned in 119532 requires a full uninstall/reinstall. If I understand correctly you are moving your existing computers to a new domain - trust or not, joining a new domain is a significant change.

    not relevant as we do not want to do a server to server migration

    The main question is what you want to preserve. If you intend to start from scratch (i.e. with an empty database) there's indeed no migration. Otherwise there are an old and a new server (and an old database to migrate). Do not forget that the endpoints will also change their domain membership, thus OLDDOMAIN\ENDPOINT1 and NEWDOMAIN\ENDPOINT1 will be two different computers in SEC. What about the endpoints - will they be moved before or after the server move, all at the same time or staggered?

    IMO it's less of a hassle to simply set up the servers from scratch in NEWDOMAIN.

    Christian

    :53995
  • Hello Christian.

    Thank you for your quick reply!

    Almost all endpoints have already migrated (around 11.000 computers) to the NEWDOMAIN and continue to communicate with the Management Server still in the OLDDOMAIN without any issue (for now... :) )

    We did not need to change anything.

    I want to keep all information within the database and to do fewer things with endpoints; we have around 12.500 endpoints to manage.

    What do you suggest?

    Thank you.

    Regards,

    Fabrice

    :53997
  • Hello Fabrice,

    thanks for the clarification. Just curious - did the endpoints (when joined to the new domain) simply change their domain info in SEC or appear as new computers?

    Anyway, it's clear you want to keep the database, naturally you'd have to amend the updating policies. Personally I'd consider a complete reinstall of the two servers, after exporting the database and certificates and taking a snapshot just in case - depends on the amount of customization on the servers besides the SEC stuff - followed by an import of the database. Might also be a good occasion to upgrade SEC.

    Christian 

    :53999
  • Christian,

    endpoints simply change their domain info in SEC (not as new computers).

    When you say "complete reinstall of the two servers", you mean remove Sophos components only and then reinstall (with all other tasks of backup in between) OR a full operating system re-installation?

    ...because the 1st option is clearly our preferred one :) as I do not want to add this extra time-consuming work.

    Additional thing, for the NEW service account that will be used by the management server to connect to the remote database, should we add this account to a specific group? Do additional SQL stuff?

    I was also thinking about upgrading to SEC 5.2 but not sure if I want to do this at the same time?

    In this case, do you recommend to migrate to SEC 5.2 before the migration to the new domain or after?

    Thank you Christian!

    regards,

    Fabrice

    :54003
  • Hello!

    I was running the following command in order to list all database files

    sqlcmd -E -S (local)\SOPHOS -Q "SELECT name, filename from sysdatabases" > c:\databases.txt

    I got this:

    AuditStore E:\Program Files\Microsoft SQL Server\MSSQL$SOPHOS\Data\AuditStore_Data.MDF
    AlertStore E:\Program Files\Microsoft SQL Server\MSSQL$SOPHOS\Data\AlertStore_Data.MDF
    GeneralStore E:\Program Files\Microsoft SQL Server\MSSQL$SOPHOS\Data\GeneralStore_Data.MDF
    SecurityStore E:\Program Files\Microsoft SQL Server\MSSQL$SOPHOS\Data\SecurityStore_Data.MDF
    PolicyStore E:\Program Files\Microsoft SQL Server\MSSQL$SOPHOS\Data\PolicyStore_Data.MDF
    ReportStore E:\Program Files\Microsoft SQL Server\MSSQL$SOPHOS\Data\ReportStore_Data.MDF
    SavexCnfg E:\Program Files\Microsoft SQL Server\MSSQL$SOPHOS\data\SavexCnfg.mdf
    SavexDir E:\Program Files\Microsoft SQL Server\MSSQL$SOPHOS\data\SavexDir.mdf
    SavexQuar E:\Program Files\Microsoft SQL Server\MSSQL$SOPHOS\data\SavexQuar.mdf
    SavexRprt E:\Program Files\Microsoft SQL Server\MSSQL$SOPHOS\data\SavexRprt.mdf
    SOPHOS50 E:\Program Files\Microsoft SQL Server\MSSQL$SOPHOS\data\SOPHOS50.mdf
    SOPHOSPATCH E:\Program Files\Microsoft SQL Server\MSSQL$SOPHOS\data\SOPHOSPATCH.mdf

    Except SOPHOS50 and SOPHOSPATCH, are all the others related to the NAC product?

    We are not using NAC anymore.

    How can I remove these databases, which are taking up a lot of disk space?

    Thank you for your help.

    Regards,

    Fabrice

    :54021
  • Hello Fabrice,

    are all the others related to NAC product?

    probably - anyway they don't belong to SEC.

    Although the article is named Dropping previous databases used by Enterprise Console it applies to other databases alike.

    Christian

    :54023
  • Christian, 

    Endpoints simply change their domain info in SEC (not as new computers).

    When you say "complete reinstall of the two servers", you mean remove:

    Option 1 >> Sophos components only and then reinstall (with all other tasks of backup in between)

    OR

    Option 2 >> a full operating system re-installation?

    ...because the 1st option is clearly our preferred one :) as I do not want to add this extra time-consuming work.

    Thank you.

    Regards,

    Fabrice

    :54027
  • Hello Fabrice,

    endpoints simply change their domain

    fine - SEC does its best to keep track of known endpoints but given the complexity of the task the algorithm is not infallible, so I thought I'd ask.

    OR a full operating system re-installation?

    Well, at our shop setting up a (virtual) Windows server isn't considered extraordinary work (although removing the half-dozen components is definitely less). Depending on the procedures available YMMV. It's an opportunity to upgrade the OS and other components (please see also Supported Platforms for Sophos products) and get rid of potential debris.

    the NEW service account [...] do additional SQL stuff?

    The installer should take care of the group membership (see http://www.sophos.com/en-us/support/knowledgebase/113954.aspx). Whatever procedure you choose you'll likely have to deal with SQL and the changed SIDs (you might need the ResetUserMappings.sql mentioned here). I've started with a new database when we had to rename our domain and anyway this was a long time ago, so no experience.

    SEC 5.2

    Thinking about it - migration and upgrade more or less in one step isn't a documented scenario (and probably also not supported). But then it's also not guaranteed not to work ;). BTW, are you using Patch - dunno if it's necessary to migrate the patch database or if it simply gets repopulated over time?

    So ... I'd backup the database(s) and export the Certificate Store (the rest would have to be changed anyway or can easily be recreated). Install 5.2.x (yes!) components on the database and management server respectively. Next step would be to restore the SOPHOS50 database ("completely manually" if the path to the database files is different from the previous installation). As the management server connects to the new SOPHOS521 database the old SOPHOS50 would have to be upgraded (i.e. its contents appropriately replicated to the new one) manually. When the management service is eventually started it should see a server-to-server same-version migration and make the necessary amendments. I've done it once during beta-tests ...

    Oh, as you keep the server's name, IP and certificates your endpoints will assail your new/redomained server with their messages as soon as its services are running and they can connect to it - so make sure the server is out of reach for them until you are done with a database migration.   

    Christian

    :54029
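
The changed-SID point in the reply above can be checked directly once the restored database is attached. This is an added example, not part of the original thread and not the ResetUserMappings.sql script it mentions; it assumes the restored database is named SOPHOS50 as listed in the thread, and it only reports, it changes nothing.

```sql
-- Added example: list every user in the restored SOPHOS50 database, the roles
-- it holds, and whether a server login with the same SID exists on this
-- instance. Works on SQL Server 2005 and later.
USE [SOPHOS50];

SELECT  u.name              AS database_user,
        u.type_desc         AS user_type,
        -- For Windows principals this asks the domain to resolve the SID.
        -- NULL means the SID can no longer be resolved from this server.
        SUSER_SNAME(u.sid)  AS sid_resolves_to,
        CASE WHEN l.sid IS NULL
             THEN N'(no login with this SID)'
             ELSE l.name
        END                 AS server_login,
        r.name              AS member_of_role
FROM    sys.database_principals AS u
LEFT JOIN sys.server_principals     AS l  ON l.sid = u.sid
LEFT JOIN sys.database_role_members AS rm ON rm.member_principal_id = u.principal_id
LEFT JOIN sys.database_principals   AS r  ON r.principal_id = rm.role_principal_id
WHERE   u.type IN ('S', 'U', 'G')   -- SQL users, Windows users, Windows groups
  AND   u.principal_id > 4          -- skip dbo, guest, INFORMATION_SCHEMA, sys
ORDER BY u.name, r.name;

-- Server logins that still carry the old domain prefix (OLDDOMAIN is the
-- placeholder name used in the thread).
SELECT  name, type_desc, sid
FROM    sys.server_principals
WHERE   name LIKE N'OLDDOMAIN\%';
```

Rows where server_login shows no match, or where sid_resolves_to still names an OLDDOMAIN account, are the mappings that need attention before the management service is started with the NEWDOMAIN account.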
  • Thank you very much for all these details Christian!

    Additional question again, please.

    My SQL server is using FULL recovery model.

    Thus, I need to backup SOPHOS50 + SOPHOSPATCH dbs and transaction logs so:

    SOPHOS50.mdf

    SOPHOS50_log.LDF

    SOPHOSPATCH.mdf

    SOPHOSPATCH_log.LDF

    It seems that with backupDB.bat, it is only possible to backup the MDF file and not the transaction log files.

    So, my question:

    Is it possible to backup db+transaction file using SQL Management Studio or SQL commands and then restore db following this:

    http://www.sophos.com/en-us/support/knowledgebase/34657.aspx#backuprestore

    Thank you.

    Regards,

    Fabrice

    :54037
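
For the FULL recovery model question in the post above, native T-SQL backups of the two databases look like the following. This is an added example, not part of the original thread or of Sophos's backupDB.bat; the database names are the ones listed in the thread, and D:\SophosBackup is a placeholder folder assumed to exist on the SQL server.

```sql
-- Added example. Save as a .sql file and run it on the database server with
-- sqlcmd -E -S (local)\SOPHOS -i <file>. Works on SQL Server 2005 and later.

-- 1. Confirm the recovery model of both databases.
SELECT name, recovery_model_desc
FROM   sys.databases
WHERE  name IN (N'SOPHOS50', N'SOPHOSPATCH');

-- 2. Full backups. A full backup already contains the part of the transaction
--    log needed to restore the database to a consistent state, so the .mdf and
--    .ldf files are not copied separately.
BACKUP DATABASE [SOPHOS50]
    TO DISK = N'D:\SophosBackup\SOPHOS50_full.bak'
    WITH INIT, CHECKSUM, NAME = N'SOPHOS50 full';
BACKUP DATABASE [SOPHOSPATCH]
    TO DISK = N'D:\SophosBackup\SOPHOSPATCH_full.bak'
    WITH INIT, CHECKSUM, NAME = N'SOPHOSPATCH full';

-- 3. Log backups. These capture changes written after the full backups and
--    are only needed if the Sophos services kept running in between.
BACKUP LOG [SOPHOS50]
    TO DISK = N'D:\SophosBackup\SOPHOS50_log.trn'
    WITH INIT, CHECKSUM;
BACKUP LOG [SOPHOSPATCH]
    TO DISK = N'D:\SophosBackup\SOPHOSPATCH_log.trn'
    WITH INIT, CHECKSUM;

-- 4. Verify that the backup files are complete and readable.
RESTORE VERIFYONLY FROM DISK = N'D:\SophosBackup\SOPHOS50_full.bak'    WITH CHECKSUM;
RESTORE VERIFYONLY FROM DISK = N'D:\SophosBackup\SOPHOSPATCH_full.bak' WITH CHECKSUM;

-- 5. Record the logical file names and original paths stored in the backup.
--    They are needed for RESTORE ... WITH MOVE when the data directory on the
--    reinstalled server differs from the original one.
RESTORE FILELISTONLY FROM DISK = N'D:\SophosBackup\SOPHOS50_full.bak';
RESTORE FILELISTONLY FROM DISK = N'D:\SophosBackup\SOPHOSPATCH_full.bak';
```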