Migrate Primary IBM Tivoli Endpoint Manager and DSA Server Computers -

A Step by Step Process

 

Summary

This IBM Tivoli Endpoint Manager (ITEM) Professional Services whitepaper details the steps and operational procedures necessary for migrating the ITEM Server and DSA Server components from existing hardware onto new computer systems. Due to the complexity and risks of migrating ITEM Servers, it is strongly recommended that a ITEM Support Technician help in performing the ITEM Server Migration process.

General Notes and Guidelines

 

1. The migration should first be performed and tested in a test/dev environment only, if possible.
2. The ITEM DSA Server should be migrated before the primary ITEM Server.
3. If you have HTTPS enabled be sure to restore the server settings for Web Reports at the end of the migration.

 

Assumptions

The following assumptions are assumed to be true prior to performing the ITEM Server migrations:

 

1. The ITEM deployment is licensed using DNS and the new primary ITEM and DSA Servers will be using the same DNS names as the original ITEM/DSA Servers. If this is not the case, a new license will need to be obtained prior to the actual migration.
2. The existing primary ITEM and DSA Servers are operating normally before the migration.
3. The new primary ITEM and DSA Server computers exists and are properly configured to serve as ITEM servers. The servers should have the same version of SQL Server installed prior to the actual migration.
4. The installation folders are the same for the original ITEM/DSA servers and the new ITEM/DSA servers.
5. The ITEM deployment is not being actively used during the migration process.

 

Pre-Migration Check List

 

1. Back up the BFEnterprise and BESReporting SQL databases
2. Document the authentication method used as SQL or NT
3. If using NT Authentication document the NT Domain account used for ITEM Server Services
4. If using SQL Authentication document the SQL account used for SQL Authentication Registry values
5. Document the domain account for the ITEM FillDB service
6. Document (screenshot) ODBC connections: bes_BFEnterprise, bes_EnterpriseServer, enterprise_setup, and LocalBESReportingServer. For 64-bit Windows systems, use the 32-bit version of the ODBC tool (C:\Windows\SysWOW64\odbcad32.exe) to configure the System DSNs
7. Carefully review this entire document.

 

ITEM Server Migration Processes

 

DSA Server Migration

 

1. Copy the current masthead from the original ITEM DSA Server to the new DSA Server computer.
2. Backup site credentials, license certificates, and publisher credentials -- The license.pvk, license.crt, and publisher.pvk files are critical to the security and operation of ITEM. If the private key (pvk) files are lost, they cannot be recovered.
   
   
   
   If using Message Level Encryption (MLE), backup the “[BigFix Server folder]\Encryption Keys” folder.
   
   
   
   These files must be securely backed up!
   
    
3. Stop all BES Services on the original DSA Server.
4. Migrate SQL Accounts for ITEM Console Operators as needed to the new DSA Server's computer/SQL Server instance. Further information on performing this operation is available at: http://support.microsoft.com/kb/246133/
5. Detach the BFEnterprise and BESReporting databases from original DSA Server's SQL Server instance.
6. Attach the BFEnterprise and BESReporting databases to the new DSA Server's SQL Server instance.
7. Download the current ITEM Installer Software onto the new DSA Server computer. Ensure that the current software version is the same as the existing DSA Server. For more information, please see the following: http://support.bigfix.com/bes/install/downloadbes.html
8. Run the ITEM Installer Software on the new DSA Server computer. Perform a 'Production' installation using the masthead from Step 1.
9. Installers for the ITEM Server, Console and Client should now exist on the new DSA Server computer.
10. Copy the contents of the following folders from the original DSA Server onto the new DSA Server. Overwrite existing data if needed:
    
    
    
    [BigFix Server folder]\sitearchive (pre-8.0 only)
    
    [BigFix Server folder]\BESReportsData\ArchiveData
    
    [BigFix Server folder]\BESReportsServer\wwwroot\ReportFiles
    
    [BigFix Server folder]\ClientRegisterData
    
    [BigFix Server folder]\Mirror Server\Inbox
    
    [BigFix Server folder]\UploadManagerData
    
    [BigFix Server folder]\wwwrootbes
    
     
11. Use SQL Server Management Studio to connect to the BFEnterprise database and examine the DBINFO table:
    
    
    
    
    
    
    
    Record all column values for use in Step 13.
    
    
    
    Look at the REPLICATION_SERVERS table check that ServerID column (server0 in this screenshot) has the expected DNS and URL values:
    
    
    
    
    
    
    
    Record all column values for use in Step 13.
    
    
    
    If one is using DNS aliases for the servers, this should not change. If one is using hostnames, and the hostnames are changing, these column values may need manual modification after Step 12.
    
     
12. Install the ITEM Server, ITEM Console and ITEM Client on the new DSA server using the installers created in Step 8.
    
    
    
    On the Select Database Replication page of the server installer, select Replicated Database, and proceed through the installer screens as usual. The ITEM Server installer should recognize the existing BFEnterprise database and use it accordingly. Verify this when ITEM Admin launches, it should have a list of your existing ITEM Console Operators from the old DSA Server. Do NOT continue the migration if the ITEM Console Operators do not appear in ITEM Admin, the migration will fail !!!
13. Use SQL Server Management Studio to connect to the BFEnterprise database and examine the DBINFO and RELICATION_SERVERS tables. Compare the current values to the values noted in Step 11. They should be the same.
14. If you have MLE enabled between the ITEM Server and ITEM Relays, you must copy the encryption keys to the new DSA Server. For further information on MLE please see the following: http://support.bigfix.com/cgi-bin/kbdirect.pl?id=550
15. Stop the FillDB service on the DSA Server, and using the Services applet, change the service's login credentials to use the same credentials as the original DSA Server. Restart the FillDB Service.
16. Verify that the new DSA Server is able to connect to the database. Check the FillDB log for error messages on connecting to the database.
17. Perform a DNS switch for the DNS name in the ITEM License so that the alias now points to the new DSA Server computer.
18. Wait for the DNS switch to propagate (could take up to 20 minutes depending on DNS services).
19. Verify that clients are able to post data to the new DSA Server correctly. Clients should now appear active in the ITEM Console. Take an Action in the ITEM Console and ensure that Clients respond to that Action.
    
    
    
    Note: You will likely only be able to run the ITEM Console on the new DSA Server using NT Authentication at this point.
    
     
20. Reinstall the UAImporter, BES Server Plugin Service, and any plugins that are currently installed on the original DSA server by re-deploying the appropriate Fixlets.
21. Check relay selection settings on all top-level Relays. If any Relays point to the original DSA Server using an IP address or hostname, they need to be re-pointed to the new DSA server.
22. Uninstall the ITEM Server software from the old DSA Server computer. Do NOT restart the BES Services on this computer. Attempting to user the old DSA Server will cause errors on the new ITEM Server if it is used again.

 

Primary ITEM Server Migration

 

1. Copy the current masthead from the primary ITEM Server to the new ITEM Server computer.
   
   
   
   Prior to shutting down the primary ITEM Server change the following ITEM Client settings on all clients:
   
   
   
   _ BESClient_Report_MinimumInterval = 3600
   
   
   
   This setting will keep the ITEM Clients from reporting up as often minimizing the amount of data that the new ITEM Server will need to process before catching up. By doing this "Downtime" is reduced due to any backlog of the FillDB service.
   
   
   
   Change the heartbeat in the ITEM Console to 6 hours.
   
    
2. Backup site credentials, license certificates, and publisher credentials -- The license.pvk, license.crt, and publisher.pvk files are critical to the security and operation of ITEM. If the private key (pvk) files are lost, they cannot be recovered.
   
   
   
   If using Message Level Encryption (MLE), backup the “[BigFix Server folder]\Encryption Keys” folder.
   
   
   
   These files must be securely backed up!
   
    
3. Stop all BES Services on the original primary ITEM Server.
4. Migrate SQL Accounts for ITEM Console Operators as needed to the new ITEM Server's computer/SQL Server instance. Further information on performing this operation is available at: http://support.microsoft.com/kb/246133/
5. Detach the BFEnterprise and BESReporting databases from original ITEM Server's SQL Server instance.
6. Attach the BFEnterprise and BESReporting databases to the new primary ITEM Server's SQL Server instance.
7. Download the current ITEM Installer Software onto the new ITEM Server computer. Ensure that the current software version is the same as the existing ITEM Server. For more information, please see the following: http://support.bigfix.com/bes/install/downloadbes.html
8. Run the ITEM Installer Software on the new ITEM Server computer. Perform a 'Production' installation using the masthead from Step 1.
9. Installers for the ITEM Server, Console and Client should now exist on the new ITEM Server computer.
10. Copy the contents of the following folders from the original ITEM Server onto the new ITEM Server. Overwrite existing data if needed:
    
    
    
    [BigFix Server folder]\sitearchive (pre-8.0 only)
    
    [BigFix Server folder]\BESReportsData\ArchiveData
    
    [BigFix Server folder]\BESReportsServer\wwwroot\ReportFiles
    
    [BigFix Server folder]\ClientRegisterData
    
    [BigFix Server folder]\Mirror Server\Inbox
    
    [BigFix Server folder]\UploadManagerData
    
    [BigFix Server folder]\wwwrootbes
    
     
11. Use SQL Server Management Studio to connect to the BFEnterprise database and examine the DBINFO table:
    
    
    
    
    
    
    
    Record all column values for use in Step 13.
    
    
    
    Look at the REPLICATION_SERVERS table check that ServerID column (server0 in this screenshot) has the expected DNS and URL values:
    
    
    
    
    
    
    
    Record all column values for use in Step 13.
    
    
    
    If one is using DNS aliases for the servers, this should not change. If one is using hostnames, and the hostnames are changing, these column values may need manual modification after Step 12.
    
     
12. Install the ITEM Server, ITEM Console and ITEM Client on the new ITEM server using the installers created in Step 8. The ITEM Server installer should recognize the existing BFEnterprise database and use it accordingly. Verify this when ITEM Admin launches, it should have a list of your existing ITEM Console Operators from the old ITEM Server. Do NOT continue the migration if the ITEM Console Operators do not appear in ITEM Admin, the migration will fail !!!
13. Use SQL Server Management Studio to connect to the BFEnterprise database and examine the DBINFO and RELICATION_SERVERS tables. Compare the current values to the values noted in Step 11. They should be the same.
14. If you have Message Level Encryption (MLE) enabled between the ITEM Server and ITEM Relays, you must copy the encryption keys to the new ITEM Server. For further information on Message Level Encryption please see the following: http://support.bigfix.com/cgi-bin/kbdirect.pl?id=550
15. Stop the FillDB service on the ITEM Server, and using the Services applet, change the service's login credentials to use the same credentials as the original ITEM Server. Restart the FillDB Service.
16. Verify that the new ITEM Server is able to connect to the database. Check the FillDB log for error messages on connecting to the database.
17. Perform a DNS switch for the DNS name in the ITEM License so that the alias now points to the new ITEM Server computer.
18. Wait for the DNS switch to propagate (could take up to 20 minutes depending on DNS services).
19. Verify that clients are able to post data to the new ITEM Server correctly. Clients should now appear active in the ITEM Console. Take an Action in the ITEM Console and ensure that Clients respond to that Action.
    
    
    
    Note: You will likely only be able to run the ITEM Console on the new ITEM Server using NT Authentication at this point.
    
     
20. Reset the Client settings and heartbeat to settings prior to shutting down the ITEM Server services.
21. Reinstall the UAImporter, BES Server Plugin Service, and any plugins that are currently installed on the original DSA server by re-deploying the appropriate Fixlets.
22. Check relay selection settings on all top-level Relays. If any point to the original ITEM Server using an IP Address or hostname, they need to be re-pointed to the new ITEM server.
23. Uninstall the ITEM Server software from the old ITEM Server computer. Do NOT restart the BES Services on this computer. Attempting to user the old ITEM Server will cause errors on the new ITEM Server if it is used again.

 

Verification of Server Migration

To make sure that your ITEM Server has been successfully migrated, perform the following steps:

1. Check the ITEM Diagnostics Tool to make sure all services are properly started.
2. Login with the ITEM Console and verify that the logins work properly and the database information was properly restored.
3. ITEM Clients and ITEM Relays should soon notice that the Server is available and will be reporting data to the server. Full recovery with all Agents reporting will usually take anywhere from a few minutes to many hours (depending on the size of the deployment and how long the Server was unavailable). In any circumstance, at least some Agents should be reporting updated information within an hour or so.
4. After verifying some agents are reporting properly, send a "blank action" (Tools > Take Custom Action, target "All Computers", click OK) to all computers. The blank action will not make any changes to the Agent computers, but the Agents will report that they received the blank action. If the most Agents respond to a blank action, it is a very strong indicator that everything is working well because sending an action tests many core components and communication paths of ITEM.
5. Login to Web Reports and ensure the data was restored properly.
6. Contact ITEM Technical Support with any issues or questions.

 

A downloadable version of this article is available here: ITEM and DSA Server Computer Migration