How to migrate your Sophos Control Center to a new computer

  • Article ID: 117150
  • Updated: 24 Jul 2013

This article explains how to migrate your current installation of Sophos Control Center v4.x from an existing computer to a new computer.  

If you do not require previous data (policy information and threat history) you may prefer to install a new Control Center on your new server and follow the last two sections of this article to redirect your existing endpoint computers.

Note:

  • In this article 'old server' refers to the computer that is currently running the Control Center.  The term 'new server' refers to the computer on which you want to install the Control Center.
  • All commands and installations should be run as an administrative user.
  • To ensure that existing endpoint computers can report to the new server, and that you can successfully protect and manage new endpoint computers, review the requirements of a management server in the Sophos endpoint deployment guide before migrating your console.
  • Though the SQL Server version of the new server does not have to match the old server (i.e., the SQL Server version of the new server can be higher than the old server) the SQL instance name you are migrating to must be called 'SOPHOS'.
  • The instructions below are based on a default (complete) installation of the Control Center installed on one computer.
  • The instructions below are based on Sophos PureMessage not being installed.
  • If you are using or installing a custom database on the old or new server, you must make sure the collation settings match between them.
    Note: The default collation settings of SQL Server can differ when installing on a computer with a different locale.
  • If present, you must remove the Sophos Remote Management System component from Add/Remove Programs (Programs and Features) on the new server (i.e., the computer was previously managed by the old server).
  • Before exporting or importing data to the Windows registry see article 10388.
  • To download the latest version of the Control Center to your new server, log in to our Downloads and Updates page.  You will need your MySophos login to access the installers.
  • If you have changed your license from Small Business to Enterprise you can use the installer for Sophos Enterprise Console v5.1 (or higher) to upgrade your existing Control Center installation.  However you may need to use the instructions below to initially migrate your Control Center installation to a supported operating system (e.g., you cannot automatically update from Control Center to Enterprise Console v5.1 if the Control Center is installed on a Windows 2000 or Windows XP SP1 or SP2 computer).

What are the key steps?

To migrate Control Center to a new server, you carry out these steps:

  1. Collect existing information from the old server.
  2. Prepare the new server.
  3. Install Control Center on the new server.
  4. Import database to new server.
  5. Update database information with your new server information.
  6. Download endpoint security software on the new server.
  7. Change the account used by endpoints for updates from the server.
  8. Remove management software from 'old server'.
  9. Redirect endpoint computers to report to the new server.
  10. Redirect any remote consoles to the new management server.

These steps are described in the sections below.

Known to apply to the following Sophos product(s) and version(s)

Sophos Control Center 4.1
Sophos Control Center 4.0.1
Sophos Control Center 4.0.0

What To Do

Collect existing information from the old server

On the old server (running the ‘Complete’ installation to be migrated):

  1. If it is open, close the Control Center.
  2. Open Windows services (Start | Run | Type: services.msc | Press return).
  3. Stop and disable (set the 'Startup type' to 'Disabled' on the 'General' tab of the services properties) the following three services:
    1. Sophos Management Service
    2. Sophos Message Router
    3. Sophos Update Manager
  4. Back up the SOPHOS4 database using backupdb.bat. An example usage of this file is:
    1. Open a command prompt (Start | Run | Type: cmd.exe | Press return).
    2. Change directory to the Sophos DB folder:
      • 32-bit computer: cd "C:\Program Files\Sophos\SCC\DB"
      • 64-bit computer: cd "C:\Program Files (x86)\Sophos\SCC\DB"
    3. Remove any existing backup file (that would be appended to otherwise). Type: del C:\Windows\Temp\sophos4db.bak
    4. Type: backupdb.bat C:\Windows\Temp\sophos4db.bak .\sophos sophos4
    For more information on backupdb.bat see article 110380.

    Note: The above commands use 'C:\windows\temp\'. If you are running Windows 2000, use 'C:\winnt\temp\' instead.

  5. Copy the database backup file sophos4db.bak to a safe location not on this computer.  Also copy the file to the root of the C:\ drive on the new server.

Prepare the new server

On the new server:

  1. If the 'Sophos Remote Management System' is present in Add/Remove Programs (Start | Run | Type: appwiz.cpl | Press return) you must uninstall it.
  2. Download the Control Center installer.  To download the latest version of the Control Center, log in to our Downloads and Updates page.  You will need your MySophos login to access the installers.

Install Control Center on the new server

On the new server:

  1. Double-click the Control Center installer previously downloaded.
  2. When prompted select a 'Complete' installation.
  3. Warning: The install will, by default, check the 'Log off now' option at the end of the installation.  You must uncheck this option and then complete the installer.

Note: If you failed to uncheck the 'Log off' option, you need to log back on, close the Control Center, open Add/Remove Programs (Start | Run | Type: appwiz.cpl | Press return), locate the 'Sophos Control Center' component and select to uninstall it.  Then repeat this section to re-install the Control Center.

Import database to new server

On the new server:

  1. Ensure sophos4db.bak is in the root of the C:\ drive.
  2. Check the account used for the 'SQL Server (SOPHOS)' service has read access to sophos4db.bak.  This normally requires you to add the 'Network Service' account to the sophos4db.bak file's DACL with read permissions.
    Note: If you do not do this you will see an error message 'Failed to restore' when attempting to run the command in step five below.
  3. Open a command prompt (Start | Run | Type: cmd.exe | Press return).
  4. Change directory to the Sophos DB folder:
    • 32-bit computer: cd "C:\Program Files\Sophos\SCC\DB"
    • 64-bit computer: cd "C:\Program Files (x86)\Sophos\SCC\DB"
  5. Type: restoredb.bat C:\sophos4db.bak .\sophos sophos4
  6. For more information on restoredb.bat see article 110380.
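
The file-permission requirement in step 2 can be applied and checked before restoredb.bat is run in step 5. The following is an added example, not part of the original Sophos article. It assumes an elevated Windows PowerShell session on the new server, the article's default backup path and instance name, and that the 'SQL Server (SOPHOS)' service runs as Network Service (well-known SID S-1-5-20); the variable names are illustrative.

```powershell
# Added example (not from the Sophos article): pre-restore checks on the new server.
# Assumptions: elevated Windows PowerShell, backup at C:\sophos4db.bak,
# instance .\sophos, service account is Network Service.
$bak      = 'C:\sophos4db.bak'
$instance = '.\sophos'

if (-not (Test-Path -Path $bak)) {
    throw "Backup file not found: $bak"
}

# Show which account the 'SQL Server (SOPHOS)' service runs as. If this is not
# Network Service, grant read access to that account instead of S-1-5-20.
$svc = Get-WmiObject Win32_Service -Filter "DisplayName='SQL Server (SOPHOS)'"
if (-not $svc) {
    throw "Service 'SQL Server (SOPHOS)' not found; is Control Center installed?"
}
Write-Output "SQL Server (SOPHOS) runs as: $($svc.StartName)"

# Grant read-only access to Network Service. Using the SID (prefixed with *)
# avoids depending on the localized account name.
& icacls $bak /grant '*S-1-5-20:(R)'
if ($LASTEXITCODE -ne 0) {
    throw "icacls failed with exit code $LASTEXITCODE"
}

# Ask SQL Server itself to read and validate the backup. The read is performed
# by the service account, so a missing DACL entry or a file damaged in transit
# is reported here rather than as 'Failed to restore' during restoredb.bat.
# -b makes sqlcmd return a non-zero exit code when the statement fails.
& sqlcmd -E -b -S $instance -Q "RESTORE VERIFYONLY FROM DISK = N'$bak'"
if ($LASTEXITCODE -ne 0) {
    throw "Backup verification failed (sqlcmd exit code $LASTEXITCODE)"
}

Write-Output "Backup is readable by SQL Server; continue with restoredb.bat."
```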

Update database information with your new server information

If the new server's hostname is the same as the old server's hostname you do not need to follow steps one to four below and can immediately skip to step five.

On the new server:

  1. Download the following zip file containing SQL database modification scripts: ControlCenterDBMigrationScripts.zip
  2. Extract the files and save them to the root of the C:\ drive.
  3. Edit the files as follows:
    1. updateShare.sql:
      1. Change 'oldServerName' to be the hostname of your old server.
      2. Change 'newServerName' to be the hostname of your new server.
    2. updateUsername.sql:
      • If the old server is a domain controller:
        1. Change the oldServerName part of 'oldServerName\SophosUpdateMgr' to be the short form of the domain name. For example, if the full domain name is 'sophos.local' you would enter 'sophos'.
        2. Change the newServerName part of 'newServerName\SophosUpdateMgr' to be the hostname of your new server.
      • If the old server is not a domain controller:
        1. Change the oldServerName part of 'oldServerName\SophosUpdateMgr' to be the hostname of your old server.
        2. Change the newServerName part of 'newServerName\SophosUpdateMgr' to be the hostname of your new server.
  4. Open a command prompt (Start | Run | Type: cmd.exe | Press return) and type the following:
    sqlcmd -E -S .\sophos -d sophos4 -i C:\fixsqlmapping.sql  
    sqlcmd -E -S .\sophos -d sophos4 -i C:\resetWizard.sql 
    sqlcmd -E -S .\sophos -d sophos4 -i C:\getSUMServerID.sql
  5. sqlcmd -E -S .\sophos -d sophos4 -Q "exec dbo.sddmserverdeletebyid X" (where X is the ID number shown next to the old server name in the previous command).
    sqlcmd -E -S .\sophos -d sophos4 -i C:\updateShare.sql
    sqlcmd -E -S .\sophos -d sophos4 -i C:\updateUsername.sql
  6. Open Windows services (Start | Run | Type: services.msc | Press return).
  7. Restart the 'Sophos Agent' service.
  8. Log off from the new server.

Download endpoint security software on the new server

On the new server:

  1. Log back on.  The console will open and the initial protection wizard will run.
  2. Enter your Sophos update credentials and select the endpoint security software packages you require.
  3. Wait for the download to complete.
  4. Once the software has been downloaded you do not need to continue the wizard to protect existing computers and should cancel the wizard.
  5. Open a command prompt (Start | Run | Type: cmd.exe | Press return) and type the following:
    sqlcmd -E -S .\sophos -d sophos4 -i C:\hideWizard.sql
  6. In the Control Center select 'Configure Updating' from the left hand panel.
  7. Select the 'Alternative Source' tab.
  8. Confirm the new server name is shown.
    • If it is correct you must select 'OK' to confirm the change.  Do not select 'Cancel'.
    • If the server name is incorrect (i.e., it shows the 'old server') you must repeat this article from the Update database information with your new server information section again.

Change the account used by endpoints for updates from the server

  1. On the new server, locate the SophosUpdateMgr account.
    • Workgroup/member server (from the Computer Management snap-in): Start | Run | Type: compmgmt.msc | Press return.
    • Active Directory: Start | Run | Type: dsa.msc | Press return.
  2. Right-click the SophosUpdateMgr account and reset the password.  Use a secure password that you will remember and that complies with the password complexity requirements of your network.
  3. Update the SOPHOS4 database with the new password by using the UpdateManagerHelper tool.  For further details see article 112598.  Example usage:
    • New server is a Domain Controller: 
      UpdateManagerHelper -c newServerName "domainname\SophosUpdateMgr" myResetPassword
    • New server is part of a Workgroup or member server: 
      UpdateManagerHelper -c newServerName "newServerName\SophosUpdateMgr" myResetPassword
    Note: Press any key to confirm the command.  Ignore any error/warnings regarding 'Unable to acquire lock on file...'

Remove management software from 'old server'

Now that the new server is set up, you must uninstall the Control Center from the old server using the steps below.

On the old server:

  1. Open Add/Remove Programs or Programs and Features (Start | Run | Type: appwiz.cpl | Press return).
  2. From the list remove the following components:
    1. Sophos Control Center
    2. Sophos Remote Management System
  3. Drop the Sophos database:
    1. Open a command prompt (Start | Run | Type: cmd.exe | Press return).
    2. Type: sqlcmd -E -S .\sophos -Q "drop database sophos4"
  4. Remove the Sophos SQL Server instance.  For more information see the following Microsoft article: Uninstall an Existing Instance of SQL Server (Setup)
  5. Remove registry information:
    1. Open the registry editor (Start | Run | Type: regedit.exe | Press return).
    2. Browse to the following key by expanding the left hand tree:
      • 32-bit computer: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\
      • 64-bit computer: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\
    3. Delete the following keys if they exist:
      • Certification Manager
      • EE
      • Messaging System
      • Remote Management System
      • UpdateManager
  6. Reboot the computer.

If required, install endpoint security software on the old server from the new distribution folder available on the new server.

Note: If you are decommissioning the 'old server', delete it from the computer list view by right-clicking on the computer name and choosing 'Delete'.

Redirect endpoint computers to report to the new server

To reconfigure endpoint computers to report to the new server you can either:

  • Reprotect computers managed from the Control Center. To do this, highlight the computers to reprotect (Ctrl + A will select all) and choose 'Tools', 'Reprotect Computers' from the menu.
  • Create a script to automatically redirect computers to the new server.  The script is created using a graphical tool called EndpointMigrationUtility.hta, which is run on the new server.  Select two files from the new server (created after the install of the new Control Center) called mrinit.conf and cac.pem, then select the 'Create VBScript' button to generate a file called SophosReInit.vbs, which is created in the same folder that you saved the tool to.  The file SophosReInit.vbs then needs to be run on all endpoint computers, either manually (faster than re-installing) or using your preferred method of running a script (e.g., log on script, psexec.exe, etc.).  For more information on obtaining the tool and creating a script see article 116737.

Once the endpoint computers have been redirected to the new server you have completed the migration of your Control Center.

Redirect any remote consoles to the new management server

Any remote console installations you have on your network should be pointed to the new management server by uninstalling and re-installing the console component.

 
If you need more information or guidance, then please contact technical support.
