This article explains how to back up and restore your Sophos Management Server using Sophos-supplied tools.
The instructions for backing up and restoring have been separated out depending on whether you have a default or non-default installation.
Note: In this article the term 'default installation' refers to when you have:
- Installed all components of the Sophos management server to the same server (i.e., select the 'Complete' option during the installation).
- Not changed the default folder path from the following:
- Windows 64-bit:
\Program Files (x86)\Sophos\Enterprise Console\
- Windows 32 and 64-bit:
\Program Files\Sophos\Enterprise Console\
If you have installed components of your management server to different servers (e.g., installed the database to a remote SQL Server, etc.) and/or have changed the default installation path, you have a 'non-default installation'.
Known to apply to the following Sophos product(s) and version(s)
Enterprise Console 5.1.0
Backing up your Sophos Management Server
We recommend you backup your management server immediately before and after you upgrade your server to a new product version. Thereafter:
- Weekly, and:
- After any significant change to groups, policies or computers.
- After any significant change to the configuration of one or more Sophos Update Managers (SUM). For example: subscriptions, schedules, distribution folders, etc.
- After any change to username and passwords (e.g., download credentials in SUM, Windows user account credentials that SUM uses to write to shares, Windows user account credentials entered into endpoint computer updating policies).
For SQL Server best practice advice see article 111353.
Backing up a 'default installation'
The process for backing up a default installation is to use the DataBackupRestore.exe tool which is provided with the installation of Enterprise Console. For more information on the DataBackupRestore.exe tool see article 114299.
If you chose to install the encryption component you should save the company and Master Security Officer (MSO) certificates to a safe location.
As recommended in the article on using the DataBackupRestore.exe tool you should copy the files backed up by the tool (which are saved to a folder called 'backup') to a safe and secure location.
Backing up a 'non-default installation'
The process for backing up a non-default installation is more complex as the location and accessibility of the management components is unknown.
This is because the location of configuration files could be on another drive of the local server, or one or more components could be installed on one or more different servers. Therefore we recommend you follow the advice below.
- On the server that has the 'Management Server' component installed (i.e., the main management services):
- Export using the registry editor the following keys:
| Key Location || Save as... |
| HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Certification Manager || CertificationManager.reg |
| EEPatch.reg |
| HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\EE\Management Tools || ManagementTools.reg |
| HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\EE\Sophos Enterprise Console || SophosEnterpriseConsole.reg |
| HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\ManagementServer || ManagementServer.reg |
| HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Patch || Patch.reg |
- Back up the private store from the registry using the tool ExportPrivateStore.exe
- On the server hosting the Sophos databases back up the Sophos databases.
- If you are uncertain of which computer hosts the SQL databases see article 113030.
- To back up the database you can either use a Sophos-supported tool such as backupdb.bat or a non-Sophos-supported tool such as Microsoft Management Studio Express. In either case you must ensure all Sophos-related databases are backed up at the same time (i.e., do not back up the Sophos core database several hours before backing up the Patch and encryption databases - if you use these features). If the backup of the databases is not completed within a short period of times (minutes) you may have problems restoring the databases later.
- If you chose to install the encryption component you should save the company and Master Security Officer (MSO) certificates to a safe location.
Your management server is now backed up. We recommend you read the steps on restoring a management server (see below) to ensure you are familiar with the process and have all the required items available if/when required.
Restoring your Sophos Management Server
Important: The restore steps in this article assume you are intending to reinstate your management server set-up in exactly the same way it was backed up. This means:
- The same number of components, of the same version, will be installed onto identical computers, of the same operating system and platform.
- All server names (hostname/ NetBIOS), IP addresses, and domain names are the same as the point in time when the backup occurred.
Summarizing what you need in order to restore your management server
In order to reinstate your management server you will need:
- A recent backup of the Sophos databases.
- The registry key 'CertAuthStore'1.
- An export of the Private Store1.
- The username and password of the accounts used by the management server.
- The company and Master Security Officer (MSO) certificates2.
1If used, the DatabackupRestore.exe tool backs up this item.
2If you previously used the encryption feature.
Restoring a 'default installation'
The process for restoring a default installation is to use the restoredb.bat script and the DataBackupRestore.exe tool, both of which are provided with the installation of Enterprise Console.
On the server which is to become your Sophos Management Server:
- Run the main Setup.exe installer. When asked select only the 'Database' component and proceed through the installation until complete.
- Copy the 'backup' folder (as mentioned in the section Backing up a 'default installation' above) to:
Note: In the folder path shown below you will need to create the folder 'ManagementServer' (one word) and ensure the backed up files are available in a folder called 'backup' which is beneath that folder.
- Server 2008 (or higher):
- Server 2003:
C:\Documents and Settings\All Users\Application Data\Sophos\ManagementServer\backup\
- Restore the Sophos databases using the restoredb.bat script.
- Import the registry key 'CertificationManager.reg' (available from the 'backup' directory).
- Run the main Setup.exe installer. Select both the 'Management Console' and 'Management Server' components. Proceed through the installation until complete.
Note: When prompted to log off, or if prompted to restart the server you should de-select this option. If the console loads you should close it.
- Open a command prompt and run the following commands in the order shown:
DataBackupRestore.exe -action=restore -datasourcetype=Registry -ExcludeDB -S
DataBackupRestore.exe -action=restore -datasourcetype=SecureStore -ExcludeDB
- Open the console, select the 'Update managers' view. Right-click you update manager(s) and select 'Comply with Configuration'.
Your management server is now restored.
Restoring a 'non-default installation'
The process for restoring a non-default installation is more complex as we do not know how you previously had the different server-side Sophos components distributed (i.e., console, management services, update manager(s), SQL Server hosting the Sophos databases).
Therefore we recommend you follow the advice below.
- On the server which will have the 'Database' component installed (as available during an installation) and therefore will be the server that hosts the Sophos databases:
- If not already set up: Install a SQL Server named instance for the Sophos databases, and give it the same name as the name it had at the time of the backup (i.e., 'SOPHOS'). If required you can use the Microsoft SQL Server 2008 installer program (called SQLEXP.exe and available from the extraction folder of the main management server installer) to install a dedicated SQL Server instance.
- Run the installer (Setup.exe), select only the 'Database' option and complete the installation.
- Restore all required Sophos-related databases to the SQL Server instance using restoredb.bat or, if you prefer, Microsoft Management Studio Express.
- On the server which will have the 'Management Server' component installed (as available during an installation):
- Using the registry editor, import the registry key 'CertificationManager.reg' (available from the 'backup' directory).
- Run the installer (Setup.exe), select only the 'Management Server' option, and complete the installation.
- During the installation you will be prompted for two Windows accounts. See article 113954 for more information on why these accounts are required.
- When prompted for the location of the Sophos databases point the installation to the server you previously set up the Sophos databases on, as described in step 1.
- Import into the registry the following keys (available from the 'backup' directory):
- Restore the private store from the registry using the tool ExportPrivateStore.exe
- On the computer which will have the 'Management Console' component installed (as available during an installation):
- Run the installer (Setup.exe), select only the 'Management Console' option, and complete the installation.
- If the computer you are installing the console to a different to the server where you installed the 'Management Server' role you will be prompted for the hostname of the management server.
- If you experience any problems using a remote console refer to article 49028.
- Import the registry key 'SophosEnterpriseConsole.reg' (available from the 'backup' directory).
Your management server is now restored.