SEC 5.0 Backup/Restore

Hello Thomas,

in fact the database backup and the few registry exports (as described in the MigGuide) are all you need:

In order to be able to continue using (and editing) your existing groups/group structure and policies you need the database. Some policies (AV,  AU, TP) are easy to retype, other can be a pain. If you employ a strict naming convention it might be rather easy to set up groups and distribute the clients but it can quickly get tedious to recreate the setup  

In order to keep protection running you need a live CID with the desired subscription and the credentials the clients use to access it. Could be on another server - you can set up an alias so that clients usually updating from ServerGone can temporarily update from ServerStillHere  

In order to be able to manage the clients "all" you need are the certificates and a CID where they update from (i.e. one which matches their updating policies)

As I have the certificate registry keys around since day one I've been able to "rope in" 2000 clients when the then management server started to behave erratically (for whatever reason and not directly related to Sophos, however management and even download was no longer reliable as the server decided to crash every few hours) but for some reason could not be replaced immediately. As we can't use Protect computers with the majority of clients this was not an option.

The details were complex (they involved using a share other than InterCheck for EM Library, setting up an alias for the old server and configuring both \sau and \rms to make all the clients to update from and talk to the new server), further complicated due to the fact that I was on paternal leave then :smileyhappy: (they only contacted me when they were about to install SEC but had already decided on the identity of the server and set it up - just in time so I could tell them about the certificates). I decided to not migrate the database (didn't really need alerts and events and took the opportunity to redo the group structure, also there weren't that many policies). Took them  two days to set up the new server including SEC and EM (during which time updates more or less worked from the old server) and then I came in for half a day to make the necessary configurations. During the rest of the day almost all clients successfully switched over to the new server (I let others assign the clients to the new groups :smileywink:).

Sounds perhaps scary - it wasn't: You have the certificates, you have the database, you have the credentials for the update user - that's all you need. As I said - if you want a 1:1 replacement an integrated tool would be handy, a snapshot another option (unless the problem is already contained in it). Otherwise a manual restore is not that much work compared to the other steps.

I must admit that I could have figured out this myself

It took me years .... :smileyvery-happy:

Christian

Hello Thomas,

in fact the database backup and the few registry exports (as described in the MigGuide) are all you need:

In order to be able to continue using (and editing) your existing groups/group structure and policies you need the database. Some policies (AV,  AU, TP) are easy to retype, other can be a pain. If you employ a strict naming convention it might be rather easy to set up groups and distribute the clients but it can quickly get tedious to recreate the setup  

In order to keep protection running you need a live CID with the desired subscription and the credentials the clients use to access it. Could be on another server - you can set up an alias so that clients usually updating from ServerGone can temporarily update from ServerStillHere  

In order to be able to manage the clients "all" you need are the certificates and a CID where they update from (i.e. one which matches their updating policies)

As I have the certificate registry keys around since day one I've been able to "rope in" 2000 clients when the then management server started to behave erratically (for whatever reason and not directly related to Sophos, however management and even download was no longer reliable as the server decided to crash every few hours) but for some reason could not be replaced immediately. As we can't use Protect computers with the majority of clients this was not an option.

The details were complex (they involved using a share other than InterCheck for EM Library, setting up an alias for the old server and configuring both \sau and \rms to make all the clients to update from and talk to the new server), further complicated due to the fact that I was on paternal leave then :smileyhappy: (they only contacted me when they were about to install SEC but had already decided on the identity of the server and set it up - just in time so I could tell them about the certificates). I decided to not migrate the database (didn't really need alerts and events and took the opportunity to redo the group structure, also there weren't that many policies). Took them  two days to set up the new server including SEC and EM (during which time updates more or less worked from the old server) and then I came in for half a day to make the necessary configurations. During the rest of the day almost all clients successfully switched over to the new server (I let others assign the clients to the new groups :smileywink:).

Sounds perhaps scary - it wasn't: You have the certificates, you have the database, you have the credentials for the update user - that's all you need. As I said - if you want a 1:1 replacement an integrated tool would be handy, a snapshot another option (unless the problem is already contained in it). Otherwise a manual restore is not that much work compared to the other steps.

I must admit that I could have figured out this myself

It took me years .... :smileyvery-happy:

Christian