
Migrating systems to new server

Our EPO server blew up and is not communicating with agents. The Apache server keeps crashing. Worked with support but they said we needed to upgrade. It is a 5.3.2 server and I looked at upgrading it to 5.9.1, but since it has SQL 2008 and Windows 2012 I think it is best to just migrate to a new server.

The only thing we use the EPO server for is Drive Encryption. I already have a new server with 5.10 on it and all policy settings migrated over. I have tested a new PC and it works great. However, I am not sure how to migrate the old PCs. The Drive Encryption version installed on all PCs is 7.2.4.2 or newer.

I tested by installing the agent from the new server to a PC with the old server's agent on it and it seemed to work. Not sure how it handles the encryption keys or passwords, but it worked. Is this the correct way to do it?

McAfee Employee
Message 2 of 8

Re: Migrating systems to new server

MDE clients are designed to upload their recovery data to ePO any time the server or machine\system ID changes, so it would be expected that they upload the recovery data during the normal communication once they become managed by your new ePO server. The subject of users and passwords can vary to some degree. In normal circumstances, a move to a new ePO server would be done with the MDE transfer process from https://docs.mcafee.com/bundle/drive-encryption-7.2.5-client-transfer-guide-epolicy-orchestrator/pag... which has some prerequisite items involving the previous server. Given that the old server has troubles, you may not be able to accomplish everything needed there. Unfortunately, if you do not, or are not able to, use the transfer method, the behavior related to the users could vary. That could be anywhere from the users being removed when managed by the new server, they could be removed and later re-added, in which case their password state goes back to new/default, or they could be retained as they are, depending upon the timing of things with each system as they become managed by the new server. Regardless of the way forward that you take, I would recommend that all data be backed up on the systems before moving as a general precaution, and I certainly wouldn't want to get rid of the old server until all systems are correctly working on the new ePO server and you are able to confirm that it has their recovery data.

Re: Migrating systems to new server

We sync all users from a group to the PCs (around 400).  It syncs these users from LDAP.

I have tested on about 10 computers and I really don't understand how the users stuff works. It allows me to log in to PBA with their normal domain password even though they have never logged into a PC connected to the new server. I expected to have to use 1234567, but I don't. When I added the old PC into the new server, did it sync the users' tokens back to the new server?

Maybe the old PCs already had the tokens synced down for all the users in the PBFS so it allows them? They won't get synced back until you log into PBA and Windows as that user, and then it will sync it back to the EPO server, right?

It is working great, but I really have no idea how this is working or if it will cause any problems while we do the transition.

McAfee Employee
Message 4 of 8

Re: Migrating systems to new server

In many cases, when the systems "land" in the new server if ALDU runs and tries to add them as a user, the existing user information will actually be retained when the addition is done because, on the client system, they were never removed but this is not an outcome that can definitively be expected for all users on all systems.  The possibility still exists for users to be set back to a new/default state if they end up being removed and then returned later and it is still also a possibility to have users removed and if for any reason ALDU fails or has already run they would not be added in that session so an "unknown user" situation could potentially come up.

Re: Migrating systems to new server

Is there any better way?

If users are back to a new/default state when added to the new system, they just log in with 1234567 and then should be synced back to the new server?

If for any reason ALDU fails or has already run they would not be added in that session so an "unknown user" situation could potentially come up. For these we could do a machine recovery and then the next time the agent checks in it should sync down the user? They may have to use 1234567 the next time they log in?

McAfee Employee
Message 6 of 8

Re: Migrating systems to new server

Unless using the transfer method is feasible in your case, not really. If you can use the transfer functionality, it would be much more definitive that users would transfer as they are, but if you cannot complete the prerequisites for it then it may be more harm than help.

Of course, you could add various checks to your situation, ensuring recovery data is present and users are reflected for any applicable system in the ePO console before rebooting.

Re: Migrating systems to new server

Thank you so much for your help. This was dropped on me and I have been so stressed not knowing what I am doing.

What are the best options to check if the recovery key synced to the new server? I have been looking in machine logs and see "recovery key sent back", but is there an easier way?

Also, are the logs the only way to see if their users were synced?

McAfee Employee
Message 8 of 8

Re: Migrating systems to new server

You can use the MfeEpe.log or, if the policy allows it, you can export the machine info to check the users on the system, which would be the most accurate picture of the situation from the client perspective. From the server you can check in the encryption users page and view users that the server shows for any given system as well.

As far as checking for recovery keys, you can use the option to export recovery information for any given system to see if there is recovery data returned or an error indicating that there isn't.
