Server Migration

1 like Updated 3/19/15, 10:40 AM by Aram EblighatianTags:

How to Migrate the IBM Endpoint Manager Server (Windows/MS-SQL)

This IBM Endpoint Manager (IEM) document details the steps and operational procedures necessary for migrating the IEM Server from existing hardware onto new computer systems.  Typical use cases for these steps include:

  • Hardware refresh
  • OS or SQL Server upgrades
  • 32-bit to 64-bit architecture migration
  • Remote SQL server migration

The steps below apply to the following IEM server versions for Windows:

  • 7.2
  • 8.0, 8.1, 8.2
  • 9.0, 9.1, 9.2

Due to the complexity and risks of migrating IEM Servers, it is strongly recommended that an IEM Technician help in performing the IEM Server Migration process.  Consider engaging the assistance of Services (http://www-01.ibm.com/software/tivoli/services/consulting/index.html), or IBM Accelerated Value Program (http://www-01.ibm.com/software/support/acceleratedvalue/).

Root/Application Server Migration

Database Migration (For Remote Database Installations)

Verification of Migration (Application Server or Database)



Root/Application Server Migration



General Notes and Guidelines

  1. The migration should first be performed and tested in a segregated test/dev environment, if possible.
  2. If leveraging IEM Disaster Server Architecture (DSA - https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Endpoint%20Manager/page/Disaster%20Server%20Architecture), the replica/secondary server should be migrated before the primary IEM Server.
  3. Custom settings that have been applied to the IEM Server will need to be implemented again after migration
    • Typical examples include: Web Reports HTTPS configurations, Download Gather Cache Size, etc…
  4. Download plug-ins and other extensions/applications will also need to be re-installed in any new installation location.
  5. Typical examples include: Unmanaged Asset Importer, Wake on LAN medic, Upload service, Automation Plan Engine

 Assumptions

The following assumptions are assumed to be true prior to performing the IEM Server migrations:

  1. If migrating the Primary/Master IEM server, the new IEM server will have to leverage the same DNS name/alias or IP address that is specified in the masthead/license (http://www-01.ibm.com/support/docview.wss?uid=swg21505775), otherwise the IEM infrastructure will not be able to communicate with the new IEM server.  If this is not possible, a new license may need to be obtained, and an infrastructure migration be performed rather than a server migration.  This is a crucial element of the migration strategy, and requires proper planning!
    • If the masthead leverages an IP address, the new Server will have to leverage the same IP address.
    • If the masthead leverages a host name, the new Server may have to leverage the same host name.
    • If the masthead leverages a DNS name/alias (per best practice), the alias will have to be re-pointed to the new IEM server as part of the migration process as described in step 18 below.
  2. The existing IEM server is operating normally before the migration.
  3. The new IEM server has been built, meets the requirements of an IEM server, and is properly configured to serve as an IEM server.  In particular, the OS and database platforms should be supported for the given IEM version being migrated.
  4. The installation folders are in the same location and path for the original IEM/DSA servers and the new IEM/DSA servers (if not, some manual modification of files will be necessary, which is outlined in the steps below).
  5. The migration is performed off-hours to minimize potential impact or down-time.

 Pre-Migration Check List

  1. Ensure that a strategy has been determined to allow the Clients to continue to connect to the new IEM Server per the GatherURL specified in the masthead (corresponding to Assumption #1 above).
  2. Back up the BFEnterprise and BESReporting SQL databases.
  3. Back up the site level credentials such as license.crt, license.pvk, and the masthead (http://www-01.ibm.com/support/knowledgecenter/SS63NW_9.2.0/com.ibm.tivoli.tem.doc_9.2/Platform/Adm/c_licensing_tasks.html). If using <8.1 then you should also back up user/operator credentials such as publisher.pvk and publisher.crt.
  4. Document the authentication method to the MSSQL database (SQL versus NT).
    • If using NT Authentication, document the NT Domain/service account used for IEM Server services.
    • If using SQL Authentication, document the SQL account used for SQL Authentication Registry values.
  5. Document (consider taking a screenshot) the ODBC connections: bes_BFEnterprise, bes_EnterpriseServer, enterprise_setup, and LocalBESReportingServer. For 64-bit Windows systems, use the 32-bit version of the ODBC tool (C:\Windows\SysWOW64\odbcad32.exe) to configure the System DSNs.
  6. If migrating the Primary IEM Server, consider implementing the following prior to the migration to reduce downtime:
    • Change the following IEM Client settings on all clients:
      • _BESClient_Report_MinimumInterval = 3600 *This setting will reduce the amount of incoming data from the endpoints to allow the system to recover more quickly and reduce potential downtime.
      • _BESClient_RelaySelect_ResistFailureIntervalSeconds = 21600 *This value represents the amount of time BES Clients will wait after its relay appears down before performing BES Relay selection. This can prevent unnecessary automatic relay selection during the migration.
    • Change the heartbeat in the IEM Console to 6 hours: https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Endpoint%20Manager/page/Console%20Preferences * This is another way to reduce the amount of incoming data from the endpoints.
  7. Carefully review the migration steps.

 IEM Server Migration Processes

  1. Backup and copy the current masthead, site level credentials (license.pvk), license certificate (license.crt), and if applicable, publisher credentials (versions 7.2 to 8.1) from the original IEM Server to the new server.
    • The license.pvk, license.crt, and publisher.pvk files are critical to the security and operation of IEM. If the private key (pvk) files or their passwords are lost, they cannot be recovered.
  2. If using Message Level Encryption (MLE - http://www-01.ibm.com/support/docview.wss?uid=swg21506127), backup the “[BigFix Server folder]\Encryption Keys” folder.

The above files must be securely backed up!

  1. To facilitate migration verification, note the current actionsite version.
    • For any IEM server version: http://www-01.ibm.com/support/docview.wss?uid=swg21506176
    • With v8.2 and above, the actionsite version can also be obtained from the Server’s Diagnostics page (http://<iemserver:port>/rd), select the ‘Get Current Version’ request type under Site Gathering Information, select the actionsite URL from the dropdown, click Submit, and note the actionsite version
  2. Stop and consider disabling all BES Services on the original Server.
  3. For versions prior to v8.2, migrate SQL Accounts for IEM Console Operators as needed to the new DSA Server's computer/SQL Server instance. Further information on performing this operation is available at How to transfer logins and passwords between instances of SQL Server.
  4. Detach the BFEnterprise and BESReporting databases from original IEM Server's SQL Server instance.
  5. Attach the BFEnterprise and BESReporting databases to the new IEM Server's SQL Server instance.
  6. Copy the contents of the following folders from the original IEM Server onto the new IEM Server. Create the necessary folders, or overwrite existing data as needed:
    • [BigFix Server folder]\sitearchive (pre-8.0 only)
    • [BigFix Server folder]\BESReportsData\ArchiveData
    • [BigFix Server folder]\BESReportsServer\wwwroot\ReportFiles
    • [BigFix Server folder]\ClientRegisterData (pre-9.0 only)
    • [BigFix Server folder]\Encryption Keys (if MLE is enabled – for more information, please see: http://www-01.ibm.com/support/docview.wss?uid=swg21506127)
    • [BigFix Server folder]\Mirror Server\Inbox -- NOTE: Be sure to edit and update the paths specified in the GatherState.xml if the installation path has changed, e.g. Program Files to Program Files(x86) for example, otherwise you will receive class NotASignedMessage errors.  This particularly applies when migrating the OS from 32-bit to 64-bit architectures.
    • [BigFix Server folder]\Mirror Server\Config -> DownloadWhitelist.txt
    • [BigFix Server folder]\UploadManagerData
    • [BigFix Server folder]\wwwrootbes
  7. For versions 8.2 and above, you will need to decrypt the EncryptedServerSigningKey from the old server. If you are using pre-8.2 please skip this step and go to 10.
  • Create a folder and place the EncryptedServerSigningKey file located in the BESServer directory "C:\Program Files\BigFix Enterprise\BES Server" into this new folder. This example we will use a folder called "e:\serverkey" The server key tool can be found here.
  • Go to the command line and change directory to e:\serverkey
  • Run - ServerKeyTool.exe decrypt UnencryptedServerKey.pvk
  • Copy the e:\serverkey folder containing the UnencryptedServerKey.pvk file to the new server. We will use the same directory example called "e:\serverkey"
  • On the new server, go to the command line and change directory to e:\serverkey
  • Run - ServerKeyTool.exe encrypt UnencryptedServerKey.pvk
  • Copy the new encrypted "EncryptedServerSigningKey" file to "C:\Program Files\BigFix Enterprise\BES Server" on the new server before the server installation.

Note: For Version 8.2.xx, if the "EncryptedServerSigningKey" is not decrypted from the old server and not migrated to the new server to be encrypted, the installer will create a new key and the LDAP server entry in the new server console will not work. All LDAP users will not be able to login.

  1. If leveraging DSA, use SQL Server Management Studio to connect to the BFEnterprise database and examine the DBINFO and REPLICATION_SERVERS tables:

Look at the REPLICATION_SERVERS table to check that ServerID columns have the expected DNS and URL values:



Record all column values for verification purposes in Step 14.

If DNS aliases are being leveraged for the servers, this should not change. If is using hostnames, and the hostnames are changing, these column values may need manual modification after Step 13.

  1. Download the same version of the IEM Installation Generator onto the new IEM Server (or copy BESInstallers directory from the old IEM server and skip to step 12). For more information, see the following: http://support.bigfix.com/bes/install/downloadbes.html
  2. Run the IEM Installer Software on the new IEM server. Perform a 'Production' installation using the masthead from Step 1.
  3. Install the IEM Server, IEM Console and IEM Client on the IEM server using the installers created in Step 12.
    • If migrating the Primary/Master server, on the Select Database Replication page of the server installer, select “Single or Master Database”, and proceed through the installer screens as usual.
    • If migrating the Secondary/Replica server, on the Select Database Replication page of the server installer, select “Replicated Database”, and proceed through the installer screens as usual.

            NOTE: Ensure that you restore the database on the new IEM server before you install the server component.  Not doing so might prevent Clients from properly reporting in to the IEM server.

  1. Use SQL Server Management Studio to connect to the BFEnterprise database and examine the DBINFO and RELICATION_SERVERS tables. Compare the current values to the values noted in Step 10. They should be the same.
  2. Verify that the new IEM Server is able to connect to the database. Check the [BigFix Server folder]\BESRelay.log, [BigFix Server Folder]\GatherDBData.log, and [BigFix Server Folder]\FillDBData\FillDB log for error messages on connecting to the database.
    • Depending on your database authentication method (NT versus SQL), it may be necessary to modify the domain/service accounts leveraged by the IEM Server services (Root Server, GatherDB, FillDB, and Web Reports) to match the account previously leveraged with the old IEM server (per pre-migration step 3).
  3. Reconfigure any appropriate IEM Server settings (per General Notes/Guidelines item 3)
  4. Verify the actionsite version being hosted by the new IEM Server matches that noted in step 3 using the same steps outlined in step 3
  5. If leveraging a DNS name/alias within the masthead, perform a DNS switch for the DNS name so that the alias now points to the new IEM Server.
    • Wait for the DNS switch to propagate (this may take some time depending on your DNS services/infrastructure).
  6. Verify that clients are able to post data to the new IEM Server correctly. Clients should now appear active in the IEM Console. Take an Action in the IEM Console and ensure that Clients respond to that Action.
    • Check relay selection settings on all top-level Relays. If any point to the original IEM Server using an IP Address or hostname, they may need to be re-pointed to the new IEM server.
  7. Reinstall the UAImporter, BES Server Plugin Service, and any plugins that are currently installed on the original IEM server by re-deploying the appropriate Fixlets. (per General Notes/Guidelines item 4)
  8. Uninstall the IEM Server software from the old IEM Server computer. Do NOT restart the BES Services on this computer. Attempting to use the old IEM Server may cause errors on the new IEM Server if it is used again.
  9. Run BESAdmin.exe /resetDatabaseEpoch to force consoles to refresh their cache with the new server.
  10. Reset the Client settings and heartbeat to settings prior to shutting down the IEM Server services.

Database Migration (For Remote Database Installations)



Pre-Migration Check List

  1. Back up the BFEnterprise and BESReporting SQL databases (A current backup must be taken immediately prior to the move. You must not have any differences between the backup and production database)
  2. Document the authentication method to the MSSQL database (SQL versus NT).
    • If using NT Authentication, document the NT Domain/service account used for IEM Server services.
    • If using SQL Authentication, document the SQL account used for SQL Authentication Registry values.
  3. Document (consider taking a screenshot) the ODBC connections: bes_BFEnterprise, bes_EnterpriseServer, enterprise_setup, and LocalBESReportingServer. For 64-bit Windows systems, use the 32-bit version of the ODBC tool (C:\Windows\SysWOW64\odbcad32.exe) to configure the System DSNs.
  4. Use ODBC wizard on the Root Server to test a basic connection to new database location (new MS-SQL Server)
  5. Consider implementing the following prior to the migration to reduce downtime:
    • Change the following IEM Client settings on all clients:
      • _BESClient_Report_MinimumInterval = 3600 * This setting will reduce the amount of incoming data from the endpoints to allow the system to recover more quickly and reduce potential downtime.
      • _BESClient_RelaySelect_ResistFailureIntervalSeconds = 21600 * This value represents the amount of time BES Clients will wait after its relay appears down before performing BES Relay selection. This can prevent unnecessary automatic relay selection during the migration.
    • Change the heartbeat in the IEM Console to 6 hours: https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Endpoint%20Manager/page/Console%20Preferences * This is another way to reduce the amount of incoming data from the endpoints.
  6. Carefully review the migration steps.

 Migration Steps

  1. Stop all BES Server services
  2. Detatch the BFEnterprise and BESReporting databases from the current SQL Server instance databases
  3. Move the BFEnterprise and BESReporting databases to the new SQL Server instance
  4. Attach the BFEnterprise and BESReporting databases to the new SQL Server instance
  5. Modify the ODBC System DSNs (bes_BFEnterprise, bes_EnterpriseServer, enterprise_setup, and LocalBESReportingServer) to point to the new SQL server instance. This modification will allow you to avoid re-installing the IEM Server application.

*Use ODBC connection wizard to test connection

*For 64-bit Windows systems, use the 32-bit version of the ODBC tool (C:\Windows\SysWOW64\odbcad32.exe) to configure the System DSNs.

 

Verification of Migration (Application Server or Database)

 

To make sure that your IEM Server has been successfully migrated, perform the following steps:

  1. Check the IEM Diagnostics Tool to make sure all services are properly started.
  2. Log in the IEM Admin tool (if it opens normally database connectivity is verified and the tool can be closed).
  3. Log in with the IEM Console and verify that the logins work properly and the database information was properly restored.
  4. IEM Clients and IEM Relays should soon notice that the Server is available and will be reporting data to the server. Full recovery with all Agents reporting will usually take anywhere from a few minutes to many hours (depending on the size of the deployment and how long the Server was unavailable). In any circumstance, at least some Agents should be reporting updated information within an hour or so.
  5. After verifying some agents are reporting properly, send a "blank action" (Tools > Take Custom Action, target "All Computers", click OK) to all computers. The blank action will not make any changes to the Agent computers, but the Agents will report that they received the blank action. If the most Agents respond to a blank action, it is a very strong indicator that everything is working well because sending an action tests many core components and communication paths of IEM.
  6. Log in to Web Reports and ensure the data was restored properly.
  7. Contact IEM Technical Support with any issues or questions.

An older downloadable pre-IEM v9.x version of this article is available here: IEM and DSA Server Computer Migration

 

Engaging Professional Services

Instead of performing this migration yourself, you may want to have our Professional Services organization scope out and take on your migration project for you.

Here is a list of Professional Services' pre-package offerings: http://www-01.ibm.com/software/tivoli/services/consulting/offers-provisioning.html#provisioning_tem

 

Contact IBM Professional Services for more information on your specific projects:

live-assistance

Considering a purchase?

Or call us at:
877-426-3774

Priority code:

109HJ03W