Server Migration

Updated 2/14/17, 6:19 PM by Gabriella Santoro

How to Migrate the IBM BigFix Manager (Endpoint Manager) Server (Windows/MS-SQL)

This BigFix document details the steps and operational procedures necessary for migrating the BigFix Server from existing hardware onto new computer systems.  Typical use cases for these steps include:

  • Hardware refresh
  • OS or SQL Server upgrades
  • 32-bit to 64-bit architecture migration
  • Remote SQL server migration

The steps below apply to the following BigFix server versions for Windows:

  • 7.2
  • 8.0, 8.1, 8.2
  • 9.0, 9.1, 9.2, 9.5

 

Due to the complexity and risks of migrating BigFix Servers, it is strongly recommended that a BigFix Technician help in performing the BigFix Server Migration process.  Consider engaging the assistance of Services (http://www-01.ibm.com/software/tivoli/services/consulting/index.html), or IBM Accelerated Value Program (http://www-01.ibm.com/software/support/acceleratedvalue/).

Root/Application Server Migration

Database Migration (For Remote Database Installations)

Verification of Migration (Application Server or Database)

 

Root/Application Server Migration

 

General Notes and Guidelines

  1. The migration should first be performed and tested in a segregated test/dev environment, if possible.
  2. If leveraging BigFix Disaster Server Architecture (DSA - https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Endpoint%20Manager/page/Disaster%20Server%20Architecture), the replica/secondary server should be migrated before the primary BigFix Server.
  3. Custom settings that have been applied to the BigFix Server will need to be implemented again after migration.
    • Typical examples include: Web Reports HTTPS configurations, Download Gather Cache Size, etc…
  4. Download plug-ins and other extensions/applications will also need to be re-installed in any new installation location.
    • Typical examples include: Unmanaged Asset Importer, Wake on LAN medic, Upload service, Automation Plan Engine

 Assumptions

The following are assumed to be true prior to performing the BigFix Server migrations:

  1. If migrating the Primary/Master BigFix server, the new BigFix server will have to leverage the same DNS name/alias or IP address that is specified in the masthead/license (http://www-01.ibm.com/support/docview.wss?uid=swg21505775), otherwise the BigFix infrastructure will not be able to communicate with the new BigFix server.  If this is not possible, a new license may need to be obtained, and an infrastructure migration be performed rather than a server migration.  This is a crucial element of the migration strategy, and requires proper planning!
    • If the masthead leverages an IP address, the new Server will have to leverage the same IP address.
    • If the masthead leverages a host name, the new Server may have to leverage the same host name.
    • If the masthead leverages a DNS name/alias (per best practice), the alias will have to be re-pointed to the new BigFix server as part of the migration process as described in step 18 below.
  2. The existing BigFix server is operating normally before the migration.
  3. The new BigFix server has been built, meets the requirements of a BigFix server, and is properly configured to serve as a BigFix server.  In particular, the OS and database platforms should be supported for the given IEM version being migrated.
  4. The installation folders are in the same location and path for the original BigFix/DSA servers and the new BigFix/DSA servers (if not, some manual modification of files will be necessary, which is outlined in the steps below).
  5. The migration is performed off-hours to minimize potential impact or down-time.

 Pre-Migration Check List

  1. Ensure that a strategy has been determined to allow the Clients to continue to connect to the new BigFix Server per the GatherURL specified in the masthead (corresponding to Assumption #1 above).
  2. Back up the BFEnterprise and BESReporting SQL databases.
  3. Back up the site level credentials such as license.crt, license.pvk, and the masthead (http://www-01.ibm.com/support/knowledgecenter/SS63NW_9.2.0/com.ibm.tivoli.tem.doc_9.2/Platform/Adm/c_licensing_tasks.html). If using <8.1 then you should also back up user/operator credentials such as publisher.pvk and publisher.crt.
  4. Document the authentication method to the MSSQL database (SQL versus NT).
    • If using NT Authentication, document the NT Domain/service account used for BigFix Server services.
    • If using SQL Authentication, document the SQL account used for SQL Authentication Registry values.
  5. Document (consider taking a screenshot) the ODBC connections: bes_BFEnterprise, bes_EnterpriseServer, enterprise_setup, and LocalBESReportingServer. For 64-bit Windows systems, use the 32-bit version of the ODBC tool (C:\Windows\SysWOW64\odbcad32.exe) to configure the System DSNs.
  6. If migrating the Primary BigFix Server, consider implementing the following prior to the migration to reduce downtime:
    • Change the following BigFix Client settings on all clients:
      • _BESClient_Report_MinimumInterval = 3600 *This setting will reduce the amount of incoming data from the endpoints to allow the system to recover more quickly and reduce potential downtime.
      • _BESClient_RelaySelect_ResistFailureIntervalSeconds = 21600 *This value represents the amount of time BES Clients will wait after its relay appears down before performing BES Relay selection. This can prevent unnecessary automatic relay selection during the migration.
    • Change the heartbeat in the BigFix Console to 6 hours: https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Endpoint%20Manager/page/Console%20Preferences * This is another way to reduce the amount of incoming data from the endpoints.
  7. Carefully review the migration steps.

 BigFix Server Migration Processes

  1. Backup and copy the current masthead, site level credentials (license.pvk), license certificate (license.crt), and if applicable, publisher credentials (versions 7.2 to 8.1) from the original BigFix Server to the new server.
    • The license.pvk, license.crt, and publisher.pvk files are critical to the security and operation of BigFix. If the private key (pvk) files or their passwords are lost, they cannot be recovered.
  2. If using Message Level Encryption (MLE - http://www-01.ibm.com/support/docview.wss?uid=swg21506127), backup the “[BigFix Server folder]\Encryption Keys” folder.

The above files must be securely backed up!
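
One way to confirm that the key material from steps 1 and 2 reached the new server unaltered is to record SHA-256 hashes before the copy and check them afterwards. This is an added example, not IBM tooling or part of the original procedure; the function names and every path shown are assumptions.

```powershell
# Added example, not IBM tooling. Every path passed in is an assumption.
function New-KeyMaterialManifest {
    param(
        [Parameter(Mandatory)] [string[]] $Path,          # key files and/or folders
        [Parameter(Mandatory)] [string]   $ManifestPath   # CSV to write
    )
    $files = foreach ($p in $Path) {
        if (Test-Path -LiteralPath $p -PathType Container) {
            Get-ChildItem -LiteralPath $p -Recurse -File
        } else {
            Get-Item -LiteralPath $p -ErrorAction Stop    # stop if a key file is absent
        }
    }
    $files | ForEach-Object {
        [pscustomobject]@{
            Name   = $_.Name
            Length = $_.Length
            SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
}

function Test-KeyMaterialManifest {
    param(
        [Parameter(Mandatory)] [string] $ManifestPath,
        [Parameter(Mandatory)] [string] $Root             # folder holding the copies
    )
    # Index copies by file name so "missing" and "altered" are reported separately.
    $copies = @{}
    Get-ChildItem -LiteralPath $Root -Recurse -File | ForEach-Object {
        if (-not $copies.ContainsKey($_.Name)) { $copies[$_.Name] = @() }
        $copies[$_.Name] += $_.FullName
    }
    foreach ($entry in Import-Csv -LiteralPath $ManifestPath) {
        $sameName = $copies[$entry.Name]
        $status = if (-not $sameName) { 'Missing' }
                  elseif ($sameName | Where-Object {
                      (Get-FileHash -LiteralPath $_ -Algorithm SHA256).Hash -eq $entry.SHA256 }) { 'OK' }
                  else { 'Mismatch' }
        [pscustomobject]@{ Name = $entry.Name; Status = $status }
    }
}

# Original server: record the files from steps 1 and 2 (constructed paths).
# New-KeyMaterialManifest -ManifestPath 'D:\bf-backup\manifest.csv' -Path `
#   'D:\bf-backup\license.pvk', 'D:\bf-backup\license.crt', 'D:\bf-backup\Encryption Keys'
# New server: list anything that did not arrive intact.
# Test-KeyMaterialManifest -ManifestPath 'E:\bf-restore\manifest.csv' -Root 'E:\bf-restore' |
#   Where-Object Status -ne 'OK'
```

The manifest holds only names, sizes and hashes, so it can travel separately from the private keys it describes.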

  3. To facilitate migration verification, note the current actionsite version.
    • For any BigFix server version: http://www-01.ibm.com/support/docview.wss?uid=swg21506176
    • With v8.2 and above, the actionsite version can also be obtained from the Server’s Diagnostics page (http://<iemserver:port>/rd), select the ‘Get Current Version’ request type under Site Gathering Information, select the actionsite URL from the dropdown, click Submit, and note the actionsite version.
  4. Stop and consider disabling all BES Services on the original Server.
  5. For versions prior to v8.2, migrate SQL Accounts for BigFix Console Operators as needed to the new DSA Server's computer/SQL Server instance. Further information on performing this operation is available at How to transfer logins and passwords between instances of SQL Server.
  6. Detach the BFEnterprise and BESReporting databases from original BigFix Server's SQL Server instance.
  7. Attach the BFEnterprise and BESReporting databases to the new BigFix Server's SQL Server instance.
  8. Copy the contents of the following folders from the original BigFix Server onto the new BigFix Server. Create the necessary folders, or overwrite existing data as needed:
    • [BigFix Server folder]\sitearchive (pre-8.0 only)
    • [BigFix Server folder]\BESReportsData\ArchiveData
    • [BigFix Server folder]\BESReportsServer\wwwroot\ReportFiles
    • [BigFix Server folder]\ClientRegisterData (pre-9.0 only)
    • [BigFix Server folder]\Encryption Keys (if MLE is enabled – for more information, please see: http://www-01.ibm.com/support/docview.wss?uid=swg21506127)
    • [BigFix Server folder]\Mirror Server\Inbox -- NOTE: Be sure to edit and update the paths specified in GatherState.xml if the installation path has changed (for example, from Program Files to Program Files (x86)); otherwise you will receive class NotASignedMessage errors.  This particularly applies when migrating the OS from 32-bit to 64-bit architectures.
    • [BigFix Server folder]\Mirror Server\Config -> DownloadWhitelist.txt
    • [BigFix Server folder]\UploadManagerData
    • [BigFix Server folder]\wwwrootbes
  9. ** Skip this step and go to step 10 if you are migrating an IBM BigFix Server with version earlier than 8.2. ** Starting from version 8.2 you must decrypt the configuration keys encrypted on the old server, save them to a folder on the new server, and encrypt them on the new server. Depending on the version of the IBM BigFix Server in your environment, you must migrate:
    • The EncryptedServerSigningKey and EncryptedClientCAKey keys, if the version of the IBM BigFix Server is 8.2 or later and earlier than 9.5 Patch 3.
    • The EncryptedServerSigningKey, EncryptedClientCAKey, EncryptedAPIServerKey, EncryptedPlatKey, and EncryptedWebUICAKey if the version of the IBM BigFix Server is 9.5 Patch 3 or 9.5 Patch 4.

The encrypted keys are located, by default, in the C:\Program Files (x86)\BigFix Enterprise\BES Server\ folder.

Use the ServerKeyTool.exe and run the steps documented in this page for each key that you are required to migrate.

 

Note: By using the ServerKeyTool to migrate the keys on BigFix Servers V8.2.xx, you also ensure that the existing LDAP configuration is successfully migrated to the new server. When installing the new server, if the installer does not find the encrypted EncryptedServerSigningKey key under C:\Program Files (x86)\BigFix Enterprise\BES Server, it automatically generates a new key which is unknown to the configured LDAP server. If this happens, the login of the LDAP operators on the new server will not work.

 

  10. If leveraging DSA, use SQL Server Management Studio to connect to the BFEnterprise database and examine the DBINFO and REPLICATION_SERVERS tables:

Look at the REPLICATION_SERVERS table to check that the ServerID columns have the expected DNS and URL values.

Record all column values for verification purposes in Step 14.

If DNS aliases are being leveraged for the servers, this should not change. If hostnames are being used, and the hostnames are changing, these column values may need manual modification after Step 13.

  11. Download the same version of the BigFix Installation Generator onto the new BigFix Server (or copy BESInstallers directory from the old BigFix server and skip to step 12). For more information, see the following: http://support.bigfix.com/bes/install/downloadbes.html
  12. Run the BigFix Installer Software on the new BigFix server. Perform a 'Production' installation using the masthead from Step 1.
  13. Install the BigFix Server, BigFix Console and BigFix Client on the IEM server using the installers created in Step 12.
    • If migrating the Primary/Master server, on the Select Database Replication page of the server installer, select “Single or Master Database”, and proceed through the installer screens as usual.
    • If migrating the Secondary/Replica server, on the Select Database Replication page of the server installer, select “Replicated Database”, and proceed through the installer screens as usual.

    NOTE: Ensure that you restore the database on the new BigFix server before you install the server component.  Not doing so might prevent Clients from properly reporting in to the BigFix server.

  14. Use SQL Server Management Studio to connect to the BFEnterprise database and examine the DBINFO and REPLICATION_SERVERS tables. Compare the current values to the values noted in Step 10. They should be the same.
  15. Verify that the new BigFix Server is able to connect to the database. Check the [BigFix Server folder]\BESRelay.log, [BigFix Server Folder]\GatherDBData.log, and [BigFix Server Folder]\FillDBData\FillDB log for error messages on connecting to the database.
    • Depending on your database authentication method (NT versus SQL), it may be necessary to modify the domain/service accounts leveraged by the BigFix Server services (Root Server, GatherDB, FillDB, and Web Reports) to match the account previously leveraged with the old BigFix server (per pre-migration step 3).
  16. Reconfigure any appropriate BigFix Server settings (per General Notes/Guidelines item 3).
  17. Verify the actionsite version being hosted by the new BigFix Server matches that noted in step 3 using the same steps outlined in step 3.
  18. If leveraging a DNS name/alias within the masthead, perform a DNS switch for the DNS name so that the alias now points to the new BigFix Server.
    • Wait for the DNS switch to propagate (this may take some time depending on your DNS services/infrastructure).
  19. Verify that clients are able to post data to the new BigFix Server correctly. Clients should now appear active in the BigFix Console. Take an Action in the BigFix Console and ensure that Clients respond to that Action.
    • Check relay selection settings on all top-level Relays. If any point to the original BigFix Server using an IP Address or hostname, they may need to be re-pointed to the new BigFix server.
  20. Reinstall the UAImporter, BES Server Plugin Service, and any plugins that are currently installed on the original BigFix server by re-deploying the appropriate Fixlets (per General Notes/Guidelines item 4).
  21. Uninstall the BigFix Server software from the old BigFix Server computer. Do NOT restart the BES Services on this computer. Using the old BigFix Server again may cause errors on the new BigFix Server.
  22. Run BESAdmin.exe /resetDatabaseEpoch to force consoles to refresh their cache with the new server.
  23. Reset the Client settings and heartbeat to the values they had before the BigFix Server services were shut down.
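
Steps 10 and 14 compare the DBINFO and REPLICATION_SERVERS tables by eye; the snapshot-and-diff below makes that comparison repeatable. It is an added example, not IBM tooling or part of the original procedure, and it assumes the Invoke-Sqlcmd cmdlet is available; the function names, instance names and folders are assumptions.

```powershell
# Added example, not IBM tooling. Needs Invoke-Sqlcmd (SqlServer or SQLPS module).
# Instance names and folders are assumptions. Binary columns export as a type
# name only, so they are not compared meaningfully.
$DsaTables    = 'DBINFO', 'REPLICATION_SERVERS'
$DataRowProps = 'RowError', 'RowState', 'Table', 'ItemArray', 'HasErrors'

function Save-DsaTableSnapshot {
    param(
        [Parameter(Mandatory)] [string] $ServerInstance,
        [Parameter(Mandatory)] [string] $OutDir
    )
    foreach ($t in $DsaTables) {
        Invoke-Sqlcmd -ServerInstance $ServerInstance -Database 'BFEnterprise' `
                      -Query "SELECT * FROM [$t]" |
            Select-Object -Property * -ExcludeProperty $DataRowProps |
            Export-Csv -Path (Join-Path $OutDir "$t.csv") -NoTypeInformation
    }
}

function Compare-DsaTableSnapshot {
    param(
        [Parameter(Mandatory)] [string] $BeforeDir,
        [Parameter(Mandatory)] [string] $AfterDir
    )
    foreach ($t in $DsaTables) {
        $before = @(Import-Csv -Path (Join-Path $BeforeDir "$t.csv"))
        $after  = @(Import-Csv -Path (Join-Path $AfterDir  "$t.csv"))
        if ($before.Count -eq 0 -or $after.Count -eq 0) {
            # Compare-Object rejects empty input; an empty table is itself a finding.
            [pscustomobject]@{ Table = $t; SideIndicator = 'empty'
                               Before = $before.Count; After = $after.Count }
            continue
        }
        $cols = $before[0].PSObject.Properties.Name
        # '<=' rows exist only in the pre-migration snapshot, '=>' only in the new one.
        Compare-Object -ReferenceObject $before -DifferenceObject $after -Property $cols |
            Select-Object -Property @{ n = 'Table'; e = { $t } }, *
    }
}

# Step 10, against the original instance (constructed names):
# Save-DsaTableSnapshot -ServerInstance 'OLDSQL01' -OutDir 'D:\bf-backup\before'
# Step 14, against the new instance; no output means the tables match:
# Save-DsaTableSnapshot -ServerInstance 'NEWSQL01' -OutDir 'D:\bf-backup\after'
# Compare-DsaTableSnapshot -BeforeDir 'D:\bf-backup\before' -AfterDir 'D:\bf-backup\after'
```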

Database Migration (For Remote Database Installations)

 

Pre-Migration Check List

  1. Back up the BFEnterprise and BESReporting SQL databases (A current backup must be taken immediately prior to the move. You must not have any differences between the backup and production database)
  2. Document the authentication method to the MSSQL database (SQL versus NT).
    • If using NT Authentication, document the NT Domain/service account used for BigFix Server services.
    • If using SQL Authentication, document the SQL account used for SQL Authentication Registry values.
  3. Document (consider taking a screenshot) the ODBC connections: bes_BFEnterprise, bes_EnterpriseServer, enterprise_setup, and LocalBESReportingServer. For 64-bit Windows systems, use the 32-bit version of the ODBC tool (C:\Windows\SysWOW64\odbcad32.exe) to configure the System DSNs.
  4. Use ODBC wizard on the Root Server to test a basic connection to new database location (new MS-SQL Server)
  5. Consider implementing the following prior to the migration to reduce downtime:
    • Change the following BigFix Client settings on all clients:
      • _BESClient_Report_MinimumInterval = 3600 * This setting will reduce the amount of incoming data from the endpoints to allow the system to recover more quickly and reduce potential downtime.
      • _BESClient_RelaySelect_ResistFailureIntervalSeconds = 21600 * This value represents the amount of time BES Clients will wait after its relay appears down before performing BES Relay selection. This can prevent unnecessary automatic relay selection during the migration.
    • Change the heartbeat in the BigFix Console to 6 hours: https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Endpoint%20Manager/page/Console%20Preferences * This is another way to reduce the amount of incoming data from the endpoints.
  6. Carefully review the migration steps.

 Migration Steps

  1. Stop all BES Server services
  2. Detach the BFEnterprise and BESReporting databases from the current SQL Server instance
  3. Move the BFEnterprise and BESReporting databases to the new SQL Server instance
  4. Attach the BFEnterprise and BESReporting databases to the new SQL Server instance
  5. Modify the ODBC System DSNs (bes_BFEnterprise, bes_EnterpriseServer, enterprise_setup, and LocalBESReportingServer) to point to the new SQL server instance. This modification will allow you to avoid re-installing the BigFix Server application.

*Use ODBC connection wizard to test connection

*For 64-bit Windows systems, use the 32-bit version of the ODBC tool (C:\Windows\SysWOW64\odbcad32.exe) to configure the System DSNs.
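
The 32-bit/64-bit caveat above is easy to get wrong, because a DSN edited with the 64-bit ODBC tool lands in a different registry hive from the one the 32-bit tool edits. The check below reads the four System DSNs from both hives and reports where each one points. It is an added example, not IBM tooling; the function name and `$ExpectedServer` are assumptions, and the value names read are those the SQL Server ODBC driver writes for a System DSN.

```powershell
# Added example, not IBM tooling. Assumes 64-bit Windows and a 64-bit PowerShell
# session (a 32-bit session is redirected to WOW6432Node for both paths).
function Get-BigFixDsnTarget {
    param(
        # Assumption: the new SQL Server instance, written exactly as entered in the DSN.
        [Parameter(Mandatory)] [string] $ExpectedServer
    )
    $dsns   = 'bes_BFEnterprise', 'bes_EnterpriseServer', 'enterprise_setup', 'LocalBESReportingServer'
    $hive32 = 'HKLM:\SOFTWARE\WOW6432Node\ODBC\ODBC.INI'   # edited by SysWOW64\odbcad32.exe
    $hive64 = 'HKLM:\SOFTWARE\ODBC\ODBC.INI'               # edited by System32\odbcad32.exe

    foreach ($dsn in $dsns) {
        $p32 = Get-ItemProperty -LiteralPath (Join-Path $hive32 $dsn) -ErrorAction SilentlyContinue
        $p64 = Get-ItemProperty -LiteralPath (Join-Path $hive64 $dsn) -ErrorAction SilentlyContinue

        # The comparison is a plain string match: 'host', 'host.domain' and
        # 'host\instance' are different strings even if they reach the same server.
        $status = if (-not $p32 -and $p64)                 { 'Only64BitDsn' }
                  elseif (-not $p32)                       { 'Missing' }
                  elseif ($p32.Server -ne $ExpectedServer) { 'StaleServer' }
                  else                                     { 'OK' }

        [pscustomobject]@{
            Dsn               = $dsn
            Status            = $status
            Server            = $p32.Server
            Database          = $p32.Database
            TrustedConnection = $p32.Trusted_Connection    # 'Yes' for NT authentication
        }
    }
}

# Constructed instance name:
# Get-BigFixDsnTarget -ExpectedServer 'NEWSQL01' | Format-Table -AutoSize
```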

 

Verification of Migration (Application Server or Database)

 

To make sure that your BigFix Server has been successfully migrated, perform the following steps:

  1. Check the BigFix Diagnostics Tool to make sure all services are properly started.
  2. Log in to the BigFix Admin tool (if it opens normally, database connectivity is verified and the tool can be closed).
  3. Log in with the BigFix Console and verify that the logins work properly and the database information was properly restored.
  4. BigFix Clients and BigFix Relays should soon notice that the Server is available and will be reporting data to the server. Full recovery with all Agents reporting will usually take anywhere from a few minutes to many hours (depending on the size of the deployment and how long the Server was unavailable). In any circumstance, at least some Agents should be reporting updated information within an hour or so.
  5. After verifying some agents are reporting properly, send a "blank action" (Tools > Take Custom Action, target "All Computers", click OK) to all computers. The blank action will not make any changes to the Agent computers, but the Agents will report that they received the blank action. If most Agents respond to a blank action, it is a very strong indicator that everything is working well because sending an action tests many core components and communication paths of BigFix.
  6. Log in to Web Reports and ensure the data was restored properly.
  7. Contact IBM Technical Support with any issues or questions.

An older downloadable pre-BigFix v9.x version of this article is available here: IEM (BigFix) and DSA Server Computer Migration

 

Engaging Professional Services

Instead of performing this migration yourself, you may want to have our Professional Services organization scope out and take on your migration project for you.

Here is a list of Professional Services' pre-packaged offerings: http://www-01.ibm.com/software/tivoli/services/consulting/offers-provisioning.html#provisioning_tem

 

Contact IBM Professional Services for more information on your specific projects.
