Loading...

Knowledge Center


How to migrate ePO from a 32-bit system to a 64-bit system (or to a different installation path)
Technical Articles ID:  KB71078
Last Modified:  6/25/2015
Rated:


Environment

McAfee ePolicy Orchestrator (ePO) 5.x, 4.x

Summary

This article provides information on migrating an ePO system from 32-bit to 64-bit or to a different installation path.

Solution

IMPORTANT:
  • The following applies if you are managing DE/EEPC systems:
    • DE 7.1.3 now provides the ePO Administrator with a new capability that allows systems to be transferred from one ePO server to another while preserving user assignments and user data.
    • To review a Drive Encryption statement regarding the migration of managed encrypted systems from one ePolicy Orchestrator server to another, see KB83186.
  • This procedure is intended for use by network and ePO administrators only. Intel Security does not assume responsibility for any damage incurred because they are intended as guidelines for disaster recovery. All liability for use of the following information remains with the user.
  • The procedure is for use with ePO 4.5, 4.6 servers only. For ePO 5.x users, Intel Security recommends that you use the built-in Disaster Recovery feature and use these steps only if a valid Snapshot was not created and a manual recovery is required.
NOTES:
  • The Agent uses either the last known IP address, DNS name, or NetBIOS name of the ePO server. If you change any one of these, ensure that the Agent has a way to locate the server. The easiest way to do this is to retain the existing DNS record and change it to point to the new IP address of the ePO server. After the Agent is able to successfully connect to the ePO server, it downloads an updated SiteList.xml with the current information.
  • The procedure can also be used by customers who want to migrate the ePO server to another system. For ePO 5.x users, Intel Security recommends that you use the built-in Disaster Recovery feature to migrate the ePO server to another system.

Before backing up
Stop the ePO services:
  1. Click Start, Run, type services.msc, and click OK.
  2. Right-click each of the following services and select Stop:

    McAfee ePolicy Orchestrator Application Server
    McAfee ePolicy Orchestrator Event Parser
    McAfee ePolicy Orchestrator Server

Back up the database
Use one of the following methods to back up the SQL database (normally named ePO4_<ServerName>, where <ServerName> is your ePO 4.x server name):
  • To back up the ePO database using OSQL commands, see KB59562.
  • To back up and restore the ePO database using Enterprise Manager/Management Studio, see KB52126.

Back up the file system
You must back up the following folder structures to a location that will be accessible from the new 64-bit system (for example, a network share):

NOTE:
The default installation path is used and your installation might differ. Ensure that all files and subfolders are backed up.
IMPORTANT: Failure to back up all of these directory structures will make it impossible to move your ePO installation to the new 64-bit system and will require a clean start, including the redeployment of agents to all client computers.
  • C:\Program Files\McAfee\ePolicy Orchestrator\Server\Extensions
    The default path to ePolicy Orchestrator software extension information.
  • C:\Program Files\McAfee\ePolicy Orchestrator\Server\conf
    The default path to required files used by the ePolicy Orchestrator software extensions.
  • C:\Program Files\McAfee\ePolicy Orchestrator\Server\Keystore
    These keys are specifically for ePolicy Orchestrator agent server communication and the repositories.
  • C:\Program Files\McAfee\ePolicy Orchestrator\DB\Software
    All products that have been checked into the Master Repository are located here.
  • C:\Program Files\McAfee\ePolicy Orchestrator\DB\Keystore
    The Agent to Server Communication and Repository Keys that are unique to your installation are located here. Failing to restore this folder will result in all client machines being unable to communicate with the server, and you will have to redeploy the agent to all machines. Additionally you will have to check in all deployable packages again.
  • C:\Program Files\McAfee\ePolicy Orchestrator\Apache2\conf
    The server configuration settings for Apache, the SSL certificates needed to authorize the server to handle agent requests, and console certificates are located here.

Install ePO on a 64-bit system
CAUTION: This article contains information about opening or modifying the registry.
  • The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
  • Before proceeding, Intel Security strongly recommends backing up your registry and understanding the restore process. For more information, see: http://support.microsoft.com/kb/256986.
  • Do not run a .REG file that is not confirmed to be a genuine registry import file.
  1. Because the new 64-bit system will have the same name as the existing 32-bit system and you will be using the same SQL server for the new database, delete the existing ePO database on the SQL server. If you do not know how to perform the MSSQL operation, refer to http://technet.microsoft.com/en-us/library/ms177419.aspx or contact Microsoft Support.
     
  2. Enable the 8.3 naming convention so ePO can be installed:

    1. Click Start, Run, type regedit, and click OK.
    2. Navigate to:

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
       
    3. Change the NtfsDisable8dot3NameCreation value to 0.
    4. Restart the server.
       
  3. Install ePO on the 64-bit computer. Ensure that you install the same patch level as the existing ePO installation. 

    NOTE:
    You can verify the ePO patch level by looking at the Version field in the backed up Server.ini file (C:\Program Files\McAfee\ePolicy Orchestrator\DB\) and cross referencing it with article KB59938. During the installation, ensure that you specify the same server ports as the current ePO installation.
     
  4. If your previous installation included Policy Auditor 5.x or MNAC 3.x, install the same version of Policy Auditor or MNAC (including any hotfixes).

Restore the database and files
  1. After installation is complete, stop and disable all ePO services:

    1. Click Start, Run, type services.msc, and click OK.
    2. Right-click each of the following services and select Stop:

      McAfee ePolicy Orchestrator Application Server
      McAfee ePolicy Orchestrator Event Parser
      McAfee ePolicy Orchestrator Server 
       
    3. Double-click each of these services and change the Startup type to Disabled.
       
  2. Restore the database.
    NOTE: If you are restoring the database to a different SQL server, ensure that the account being used to access SQL in the existing ePO installation also exists and has the same rights on the new SQL server. (For example, if you are using the sa account to access SQL for the existing installation, ensure that the sa account is enabled and has the same password in the new installation.)

    You have to update the restored DB.PROPERTIES file in C:\Program Files (x86)\McAfee\ePolicy Orchestrator\server\conf\Orion with the new information before starting the server. This will be covered later.
     
  3. Delete the following folders, replacing them with the corresponding folders that were backed up earlier:

    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\Extensions
    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\conf
    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\Keystore
    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Software
    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Keystore
    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf 
Edit files
  1. Navigate to C:\Program Files (x86)\McAfee\ePolicy Orchestrator\SERVER\conf\catalina\localhost and edit all of the XML files in a text editor to reflect the 64-bit path where they are now located:

    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\SERVER\conf\catalina\localhost

    For example, change the contents of rs.xml as follows:

    From:
    <Context docBase="C:/Program Files/McAfee/ePolicy Orchestrator/Server/extensions/installed/rs/2.0.1/webapp"
    privileged="true" antiResourceLocking="false" antiJARLocking="false"></Context>

    To:
    <Context docBase="C:/Program Files (x86)/McAfee/ePolicy Orchestrator/Server/extensions/installed/rs/2.0.1/webapp"
    privileged="true" antiResourceLocking="false" antiJARLocking="false"></Context>

    IMPORTANT: If there is a file called deployer.xml present, do not edit it. This is in a different format than the other XML files.

    You can do this fairly easily by opening all files except deployer.xml in a multi-tab text editor like Notepad++ and replacing “Files/” with “Files (x86)/” in all files. Alternatively, you can use the SQL Server Management Studio Replace in Files feature (Edit, Find and Replace, Replace in Files) to achieve similar results. For more details on how to use this feature, refer to SQL Server Books Online.
      
  2. Determine the 8.3 notation form of the Program Files (x86) folder:

    1. Click Start, Run, type cmd, and click OK.
    2. To change to the root, type CD\ and press ENTER. 
    3. To list the directory structure, type dir /x and press ENTER.
    4. Choose the PROGRA~ that refers to the Program Files (x86) folder. The most common form is PROGRA~2.
       
  3. Open C:\Program Files (x86)\McAfee\ePolicy Orchestrator\APACHE2\conf\httpd.conf in a text editor (such as Notepad) and do the following:

    1. Locate all lines with the old 32-bit path, replacing all of these to reflect the 64-bit path that was determined in step 2.

      For example, change the following:

      From:
      ServerRoot “C:/PROGRA~1/McAfee/EPOLIC~1/”

      To:
      ServerRoot “C:/PROGRA~2/McAfee/EPOLIC~1/”
       
    2. Click Edit, Replace.
    3. Type the "old path" (32-bit) in the Find what field.
    4. Type the "new path" (64-bit) in the Replace with field.
    5. Click Replace All.
      NOTE: There will be multiple places in this file where this path will be modified.
       
    6. Save the changes.
       
       
  4. Open C:\Program Files (x86)\McAfee\ePolicy Orchestrator\APACHE2\conf\ssl.conf in a text editor (such as Notepad) and do the following:

    1. Locate all lines with the old 32-bit path, replacing all of these to reflect the 64-bit path that was determined in step 2.

      For example, change the following:

      From:
      ServerRoot “C:/PROGRA~1/McAfee/EPOLIC~1/”

      To:
      ServerRoot “C:/PROGRA~2/McAfee/EPOLIC~1/”
       
    2. Click Edit, Replace.
    3. Type the "old path" (32-bit) in the Find what field.
    4. Type the "new path" (64-bit) in the Replace with field.
    5. Click Replace All.
      NOTE: There will be multiple places in this file where this path will be modified.
       
    6. Save the changes.
  5. If MNAC 3.x is installed:

    1. Click Start, Run, type explorer, and click OK.
    2. Navigate to: C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\Extensions\Installed\NAC\x.x.x.xxx\conf\nacserver.properties
    3. Modify the path for servlet.cert.keyStoreLocation as follows:

      From: 
      C:/PROGRA~1/McAfee/EPOLIC~1/server/extensions/installed/NAC/3.2.1.148/keystore/nacsub.keystore

      To:
      C:/PROGRA~2/McAfee/EPOLIC~1/server/extensions/installed/NAC/3.2.1.148/keystore/nacsub.keystore
         
  6. Edit C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\bin\setenv.bat and change the paths on the lines starting with the following:

    set JAVA_OPTS=
    set JRE_HOME=
     
  7. Edit C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\bin\setenv.sh (if present) and change the paths on the lines starting with the following:

    export CATALINA_HOME=
    export JAVA_OPTS=
    export JRE_HOME=
     
  8. Edit C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\conf\epo\epo.properties and change the paths on the lines starting with the following:

    epo.install.dir
    epo.db.dir
     
  9. Edit C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\conf\orion\log-config.xml and change the paths on the lines starting with < param name="File".

    NOTE: There are two places where this line exists: under the “Standard log file” and “Rolling log file” sections.
     
  10. Edit C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\conf\orion\orion.properties and change the paths on the lines starting with the following:

    extension.install.dir
    extension.tmp.dir
     
  11. If you restored the database to a different SQL server, edit C:\Program Files (x86)\McAfee\ePolicy Orchestrator\server\conf\Orion\db.properties and update the following entries with the correct information:

    db.database.name
    db.instance.name
    db.port
    db.user.name
    db.server.name
     
Enable/start services:
  1. Enable all ePO services to start automatically on system start up:

    1. Click Start, Run, type services.msc, and click OK.
    2. Double-click each of the following services and change Startup type to Automatic:

      McAfee ePolicy Orchestrator Application Server
      McAfee ePolicy Orchestrator Event Parser
      McAfee ePolicy Orchestrator Server
       
  2. Start only the McAfee ePolicy Orchestrator Application Server service.
  3. Attempt to log on to the ePO console. If you are unable to log in, review all of the steps performed in this article and ensure that they have been properly completed.  If you cannot resolve the console log on issue, contact Technical Support for further assistance before proceeding.

    NOTE: You must be able to log in for the rest of the recovery steps to work. 
     
  4. Rename the SSL.CRT folder to SSL.CRT.OLD and manually create an empty folder named SSL.CRT in the same path; otherwise, the setup will fail to create a new certificate. The path is: 

    64-bit: "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"
     
  5. Click Start, Run, type cmd, and click OK.
     
  6. Change directories to your ePO installation directory (this would now be: C:\Program Files (x86)\McAfee\ePolicy Orchestrator\).
     
  7. Run the following command:

    IMPORTANT:
    • This command will fail if User Account Control (UAC) is enabled on this server. If this is a Windows Server 2008 or later, disable this feature. You can find more information about UAC at: http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx.
    • This command is case-sensitive. The ahsetup.log (found in <installdir\Apache2\conf\ssl.crt>) provides information about whether the command succeeded or failed, and will state if it used the files located in the ssl.crt folder.


    Rundll32.exe ahsetup.dll RunDllGenCerts <eposervername> <console HTTPS port> <admin username> <password> <"installdir\Apache2\conf\ssl.crt">

    Where:
    <eposervername> is your ePO server's NetBios Name
    <console HTTPS port> is your ePO Console Port (default is 8443)
    <admin username> is the admin username (use the default ePO admin account)
    <password> is the password for the ePO Admin console account
    <installdir\Apache2\conf\ssl.crt> is your installation path to the Apache folder (this would now be: C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt)

    Example:
    Rundll32.exe ahsetup.dll RunDllGenCerts eposervername 8443 administrator password "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"

     
  8. Start the following ePO services:

    McAfee ePolicy Orchestrator Event Parser
    McAfee ePolicy Orchestrator Server
     
  9. Check DB\logs\server.log to ensure that the Agent Handler (Apache server) started correctly. It should state something similar to the following:

    20090923173647 I #4108 NAIMSRV ePolicy Orchestrator server started.

    If it does not, there will be an error similar to the following:

    20090923173319 E #4736 NAIMSRV Failed to get server key information.
      

Rate this document

Did this article resolve your issue?

Please provide any comments below

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms


Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.