ePolicy Orchestrator server backup and disaster recovery procedure
Technical Articles ID: KB66616
Last Modified: 10/9/2019


McAfee ePolicy Orchestrator (ePO) 5.x


This article provides information about the backup and disaster recovery process for the ePO server.

  • This procedure is intended for use only by network and ePO administrators. McAfee does not assume responsibility for any damage incurred because the article is intended as a guideline for disaster recovery. All liability for use of the following information remains with the user.
  • It is preferable to use the built-in Disaster Recovery feature. Use the steps in this article only if a valid Snapshot was not created and a manual recovery is required. For information about the Disaster Recovery feature, see the "Restoring McAfee ePO" section of the relevant ePolicy Orchestrator Installation Guide.

    For McAfee product documents, go to the Enterprise Product Documentation portal at https://docs.mcafee.com.

  • If you are migrating from a 32-bit to a 64-bit operating system or installing ePO to a different path, you must follow the instructions in KB71078 instead.


  • The agent uses either the last known IP address, DNS name, or NetBIOS name of the ePO server. If you change any one of these values, make sure that the agents have a way to locate the server. The easiest way is to retain the existing DNS record and change it to point to the new IP address of the ePO server. After the agent successfully connects to the ePO server, it downloads an updated Sitelist.xml with the current information.
  • You can also use this procedure if you want to migrate the ePO server to another system. However, it is preferable to use the built-in Disaster Recovery feature for that migration.
  • If you import a certificate to the Java certificate store after following the process documented in KB84628, you must reimport the certificate after you complete an upgrade, snapshot recovery, or disaster recovery.

  • Make sure that you restore the same version of ePO Server and Update.
  • To ensure a smooth recovery, do not perform a backup while the server is in the process of installing an extension.

Before backing up
If possible, shut down the ePO Application Server service (Tomcat) entirely when you perform the backup. If you can't shut down Tomcat, make sure that no one is performing the following actions during the backup:
  • Installing, uninstalling, or upgrading an extension
  • Updating the ePO database configuration 

To back up the ePO server
  1. Use the following documents to back up the SQL database (normally named ePO_<ServerName>, where <ServerName> is your ePO server name):
    • See article KB52126 for details about backing up the ePO database using SQL Server Management Studio.
    • See article KB59562 for details about backing up the ePO database using OSQL commands.

      IMPORTANT: In ePO 5.10 and later, threat event information has been split into its own database, so you must back up both databases. Carry out the backup process on both the main database (default name ePO_<ePO_server_name>) and the events database (default name ePO_<ePO_server_name>_Events).
  2. You must also back up the following folder paths:
    NOTE: The default 64-bit installation paths are listed below, but your installation might differ. For example, the default 32-bit installation path is C:\Program Files\McAfee\ePolicy Orchestrator.

    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\extensions
    The default path to ePO software extension information.

    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\conf
    The default path to required files used by the ePO software extensions.

    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\keystore
    These keys are for ePO agent-server communication and the repositories.

    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Software
    All products that have been checked in to the Master Repository are located here.

    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Keystore
    The agent-server communication and Repository Keys that are unique to your installation are located here. Failing to restore this folder results in all client systems being unable to communicate with the server, and you have to redeploy the agent to all systems. Also, you must check in all deployable packages again.

    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf
    The following are located here:
      • The server configuration settings for Apache
      • SSL certificates needed to authorize the server to handle agent requests
      • Console certificates

NOTE: Failure to back up and restore these directory structures requires a reinstallation of ePO to create new ones. It might also require a clean database installation and redeployment of agents to all client systems.
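
The folder backup in step 2 can be scripted. The following PowerShell is an added example, not McAfee's own tooling: it copies the six folders listed above and writes a SHA-256 manifest of the copies so they can be verified before a restore. It assumes the default 64-bit installation path and an elevated session; the destination D:\ePO-Backup and the file name manifest.csv are hypothetical.

```powershell
# Added example, not McAfee's script. Assumes the default 64-bit install path
# from the article; $BackupRoot is a hypothetical destination.
param(
    [string]$EpoRoot    = 'C:\Program Files (x86)\McAfee\ePolicy Orchestrator',
    [string]$BackupRoot = 'D:\ePO-Backup'   # hypothetical destination
)
$ErrorActionPreference = 'Stop'

# The six folders listed in step 2, relative to the install directory.
$folders = 'Server\extensions', 'Server\conf', 'Server\keystore',
           'DB\Software', 'DB\Keystore', 'Apache2\conf'

# The article asks for Tomcat to be stopped during the backup; warn if it is not.
$tomcat = Get-Service -DisplayName 'McAfee ePolicy Orchestrator Application Server'
if ($tomcat.Status -ne 'Stopped') {
    Write-Warning 'Application Server is running: confirm that no extension change or database configuration update is in progress.'
}

# One timestamped folder per backup run.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = (New-Item -ItemType Directory -Path (Join-Path $BackupRoot $stamp)).FullName

$manifest = foreach ($rel in $folders) {
    $src = Join-Path $EpoRoot $rel
    if (-not (Test-Path -LiteralPath $src -PathType Container)) {
        throw "Missing folder, backup would be incomplete: $src"
    }
    $target = Join-Path $dest $rel
    New-Item -ItemType Directory -Path (Split-Path $target -Parent) -Force | Out-Null
    Copy-Item -LiteralPath $src -Destination $target -Recurse -Force

    # Hash the copies, keyed by path relative to the backup folder.
    Get-ChildItem -LiteralPath $target -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Path   = $_.FullName.Substring($dest.Length + 1)
            SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}
$manifest | Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation
```

The copy contains the agent-server communication keys and the SSL certificates, so restrict access to the destination to the administrators who perform recovery.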

To recover the ePO server
  1. Delete the ePO database on the SQL Server. If you do not know how to perform the MSSQL operation, see http://technet.microsoft.com/en-us/library/ms177419.aspx or contact Microsoft Support.
  2. If restoring ePO to the same system, uninstall ePO. Make sure that there is no ePolicy Orchestrator folder in the original installation path after the software is uninstalled.

    NOTE: Renaming the existing ePO folder and leaving the old directory in place might interfere with the new installation. So, we recommend that you remove the old directory completely.
  3. Reinstall ePO to the same version and update level as the server you are restoring.

    NOTE: You can verify the ePO update level. Look at the Version field in the backed-up Server.ini file (C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\) and cross-reference it with article KB59938.

    IMPORTANT: You must reinstall ePO to the exact same directory path as the previous installation for this article to apply. If you do not, the initialization of extensions fails when the restore is complete. If the installation path is different, follow the steps in article KB71078 instead.
  4. Apply any additional updates, hotfixes, or POCs to ePO that had been previously applied. If you previously installed Policy Auditor 6.2 for use with ePO, install the same version of Policy Auditor, including any hotfix releases that had been installed before.

    IMPORTANT: If you are restoring an ePO 5.10 environment that has had a Cumulative Update applied, make sure that you apply the same update version to the newly installed ePO server. If this action is not done, the ePO Application Server service is unable to start.
  5. Stop and disable all ePO services:
    1. Click Start, Run, type services.msc, and click OK.
    2. Right-click each of the following services and select Stop:
      McAfee ePolicy Orchestrator Application Server
      McAfee ePolicy Orchestrator Event Parser
      McAfee ePolicy Orchestrator Server
    3. Double-click each of the following services and change Startup type to Disabled:
      McAfee ePolicy Orchestrator Application Server
      McAfee ePolicy Orchestrator Event Parser
      McAfee ePolicy Orchestrator Server
  6. Restore the database. See article KB52126 for details about restoring the ePO database using SQL Server Management Studio.
    NOTE: Restore the database so that the ePO database configuration does not need to be updated (for example, use the same name, host, and port). Otherwise, you must update the restored DB.PROPERTIES file in C:\Program Files\McAfee\ePolicy Orchestrator\Server\conf\orion with the new information before you start the server.

    IMPORTANT: In ePO 5.10 and later, threat event information has been split into its own database, so you must restore both databases. Carry out the restore process on both the main database and the events database.
  7. Rename the following folders. For example, rename the extensions folder to extensions_old. Then replace them with the corresponding folders that were backed up earlier in step 2:
    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\extensions
    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\conf
    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\keystore
    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Software
    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Keystore
    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf
  8. Start only the McAfee ePolicy Orchestrator Application Server service. 
  9. Access the core/config page of ePO and confirm the DB credentials if you are unable to access the ePO console. See KB69850 for detailed instructions on how to access the core\config page and update the DB credentials if needed.

    IMPORTANT: If you are restoring an ePO 5.10 environment, select Change password and re-enter the password for the account used to access SQL, even though it has not changed. 
    Verify that the password is accepted by using the Test Connection option. Assuming the connection is successful, click Apply to save the password, and restart the ePO application server service. This step is required to create a new password hash based on the new ePO server's unique key.
  10. Attempt to log on to the ePO console. If you are unable to log on, review all steps performed in this article and make sure that they have been properly completed. If you can't resolve the console logon issue, contact Technical Support for further assistance before you continue.
    To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:
    • If you are a registered user, type your User Id and Password, and then click Log In.
    • If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.

    You must be able to log on for the rest of the recovery steps to work.
  11. Rename the SSL.CRT folder (see path below) to SSL.CRT.OLD and manually create an empty folder named SSL.CRT in the same path. If you do not, the setup fails to create a new certificate: 
    64-bit: "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"
    32-bit: "C:\Program Files\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"
  12. Click Start, type cmd in the search field, right-click, and select Run as administrator.
  13. Change directories to your ePO installation directory.
    Default paths:
    64-bit: Program Files (x86)\McAfee\ePolicy Orchestrator\
    32-bit: Program Files\McAfee\ePolicy Orchestrator\
  14. Run the following command:
    Rundll32.exe ahsetup.dll RunDllGenCerts <ePO_server_name> <console_HTTPS_port> <admin_username> <password> <"installdir\Apache2\conf\ssl.crt">

    Where:
    <ePO_server_name> is your ePO server NetBIOS name
    <console_HTTPS_port> is your ePO console port (default is 8443)
    <admin_username> is administrator (use the default ePO administrator console account)
    <password> is the password to the ePO administrator console account
    <installdir\Apache2\conf\ssl.crt> is your installation path to the Apache folder. Default installation path:
    64-bit: "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"
    32-bit: "C:\Program Files\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"

    Example:
    Rundll32.exe ahsetup.dll RunDllGenCerts epo_server_name 8443 administrator password "C:\Program Files\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"
    • This command fails if you have enabled User Account Control (UAC) on this server. If the server is running Windows Server 2008 or later, disable this feature. You can find more information about UAC at: http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx.
    • This command is case sensitive. The ahsetup.log provides information about whether the command succeeded or failed. It also states whether it used the files located in the ssl.crt folder.
      NOTE: The ahsetup.log is located in ePO_install_directory\Apache2\conf\ssl.crt.
  15. Start the following services:
    McAfee ePolicy Orchestrator Event Parser 
    McAfee ePolicy Orchestrator Server
  16. Look in the DB/logs/server.log to make sure that the Agent Handler (Apache server) started correctly. It must state something similar to the following:
    I #4108 NAIMSRV ePolicy Orchestrator server started.

    If it does not, there is an error similar to the following: 
    E #4736 NAIMSRV Failed to get server key information
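
The scriptable parts of the recovery (steps 5, 7, and 16) are shown below as PowerShell functions to call at the matching point in the procedure. This is an added example, not McAfee's own tooling: it assumes the default 64-bit installation path, an elevated session, and a hypothetical folder D:\ePO-Backup\latest that holds the step 2 copies in the same relative layout; the function names are hypothetical, and the log patterns are taken from the two sample lines in step 16.

```powershell
# Added example, not McAfee's tooling. Assumes the default 64-bit install path;
# $BackupDir is a hypothetical folder holding the step 2 copies in the same layout.
$EpoRoot   = 'C:\Program Files (x86)\McAfee\ePolicy Orchestrator'
$BackupDir = 'D:\ePO-Backup\latest'   # hypothetical
$ErrorActionPreference = 'Stop'

$services = 'McAfee ePolicy Orchestrator Application Server',
            'McAfee ePolicy Orchestrator Event Parser',
            'McAfee ePolicy Orchestrator Server'
$folders  = 'Server\extensions', 'Server\conf', 'Server\keystore',
            'DB\Software', 'DB\Keystore', 'Apache2\conf'

function Disable-EpoServices {          # step 5: stop, then disable
    foreach ($name in $services) {
        $svc = Get-Service -DisplayName $name
        Stop-Service -InputObject $svc -Force
        Set-Service -InputObject $svc -StartupType Disabled
    }
}

function Restore-EpoFolders {           # step 7: rename to *_old, then replace
    # Refuse to touch the installation unless every backed-up folder is present.
    foreach ($rel in $folders) {
        if (-not (Test-Path -LiteralPath (Join-Path $BackupDir $rel) -PathType Container)) {
            throw "Backup is missing $rel"
        }
    }
    foreach ($rel in $folders) {
        $live = Join-Path $EpoRoot $rel
        Rename-Item -LiteralPath $live -NewName ((Split-Path $live -Leaf) + '_old')
        Copy-Item -LiteralPath (Join-Path $BackupDir $rel) -Destination $live -Recurse
    }
}

function Test-EpoServerLog {            # step 16: classify the latest NAIMSRV line
    $log     = Join-Path $EpoRoot 'DB\logs\server.log'
    $pattern = 'NAIMSRV (ePolicy Orchestrator server started|Failed to get server key information)'
    $hit = Select-String -LiteralPath $log -Pattern $pattern | Select-Object -Last 1
    if (-not $hit) { return 'unknown' }
    if ($hit.Line -match 'server started') { 'started' } else { 'key-error' }
}
```

A result of key-error from Test-EpoServerLog corresponds to the "Failed to get server key information" line, which points back at the keystore folders restored in step 7.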
