We had a similar situation, migrating to new hardware, new IP, new server name, new OS. 50000+ endpoints. We chose to start fresh. DR procedure works but would work much better by reusing the old server name and IP and I've used it in the past, but a fresh start gives you 100% availability.
From my perspective, the safest is to in-place upgrade your current ePO to 4.6. It has excellent tools for exporting policies and tasks, and their related assignments. I would also upgrade your agents at this point. It is not intrusive at all. You shouldn't be running 4.0 agents unless you still have win2k devices.
Export your security keys from the existing server and import them in the new server, set up a registered server for the new server in the old server, and enable system transfer. Once this is done, you can hand over agents from the old to the new server. Basically, this will enable the agent to use the server list and encryption key from the new server. Plan to keep your servers in parallel for weeks. Agents that won't transfer are best handled by re-pushing the agent from the new server.
If you are interested in keeping your old data but need to decommission the old servers, you can use rollup reporting to transfer your data into the rollup database on the new server.
This is the quick version and I can provide more details, but I would highly recommend the parallel setup. If you can keep the old server around, it can make a nice agent handler, which reduces the load on your epo app. server and also enables you to continue agent communications between the database and the agents when the main epo server is down.
Wow, great advice there Andre, and I'm thrilled I was able to follow most of it.
Can you say more about the tools for exporting policies and tasks out of the epo server to the new? Are you saying, an in-place upgrade to 4.6 on the existing would be easy, and then parallel installing that same level on the new server, then, leveraging 4.6's niceties in policy and task export, and the ability to register the new server to ease the handover of agents to the new? That sounds like a lot of time savings.
When you transfer an agent from one server to another registered server, are there any restrictions or needs or suggestions on the system hierarchy in the epo asset tree on the new server side? Or is there some sort of export available from epo 4.6 that'll tell a transferred server where in the hierarchy it should go when it comes to the new server?
I don't have a hard deadline on retiring the old server, and old data isn't that much of a big deal, but it's really nice to know such a rollup is available in this approach. But this approach does make it sound like the primary driver for this move (the VSE engine update) is well worth doing in the existing environment rather than trying to do too many things at once bringing things from old to new.
I'm glad I asked. I'd be interested in other commentary as well.
Yes, an in-place upgrade on the old server and fresh install on the new one. This way, you keep your servers in parallel and keep your environment managed with no interruption.
Once that is done, you can export your client tasks and task assignments, policies and policy assignments, and you can also export your server tasks (and that will automatically export the queries used by the server tasks if it applies).
Then export your queries and custom dashboard.
In regards to where your systems would end up in your system tree, that depends on you.
If you use the IP sorting rules, you would have to recreate that and the sorting rules would apply. If you create the leaf nodes (the managed system in the tree), then it should attach the migrated system to the blank system you created. If you have AD and sync from AD, then that would make your life simpler as it would create the objects and OU in your system tree. That's the way we manage our stuff. But to migrate your task and policy assignments, you would have to keep the same tree structure I think.
Considering your driver, I would move forward with updating the McAfee epo Agent to 4.8, do engine 5600 and VSE88 since the date is approaching, then work on transferring to the new ePO and continue updating your security products.