Moving a Management Server


1. Ensure that the old management server is completely up to date with all Total Defense patches.

2. Back up the c:\Program Files\CA\TotalDefense\ManagementServer\master directory from the old management server to somewhere off the machine.  This directory holds the certificate files that are restored in step 14.  These files will also be needed if the new management server’s hard drive is lost, so it is recommended to back up the directory to a secure location.

3. Use SQL Server Management Studio (available from http://www.microsoft.com/en-us/download/details.aspx?id=7593 if it is not already installed) to back up the itmdb database from the SQL Server instance in use by the management server.  The instance name may be obtained from:

And fill in the initial Management Studio screen as follows:

The example above shows what to do when using the default instance of SQL Server.  By default, the Total Defense install creates an instance of SQL Express, in which case you sign in using the following:

Expand the ‘Databases’ branch, right click ‘itmdb’ and select ‘Tasks’\‘Back Up…’.  You will get a screen like this:

The default location is inconvenient, so click the ‘Remove’ button in the ‘Destination’ section and click the ‘Add…’ button just above it.  In the ‘Select Backup Destination’ dialog, click the ‘…’ button and select where you want the backup to be stored.  Provide a file name, such as ‘itmdb.bak’.  Make sure to use the ‘.bak’ extension.  Then click ‘OK’ until the backup starts.

4. Back up the C:\Program Files\CA\TotalDefense\ManagementServer\Packages directory.  Only the directories named after a number need to be included; the ‘Certificates’, ‘DefaultPolicies’ and ‘InstallKit’ directories do not need to be backed up.

5. Install Windows 7.  It is not important that the new machine has the same IP address as the old, but it is important that the old host name resolves to the new management server.  The easiest way to accomplish this is to install the machine with the same name as the old management server, or the machine’s name can be changed to the old management server’s after the OS is installed.  The machine may not be safely renamed after the Total Defense installation.

6. Enable IIS.

a. Open the control panel.  Click the ‘Programs’ link.

b. Select ‘Turn Windows Features On or Off’ under ‘Programs and Features’.

c. Select all features under ‘Internet Information Services’\’Web Management Tools’\’IIS 6 Management Capability’.

d. Select all features under ‘Internet Information Services’\’Web Management Tools’.

e. Select ‘ASP.NET’ under ‘Internet Information Services’\’Application Development Features’.  Leave all the other features that check automatically checked.

f. Select ‘Default Document’, ‘HTTP Errors’, and ‘Static Content’ under ‘Internet Information Services’\’Common HTTP Features’.

g. Select ‘HTTP Logging’ under ‘Internet Information Services’\’Health and Diagnostics’.

h. Leave ‘Request Filtering’ checked under ‘Internet Information Services’\’Security’.

i. Check ‘Windows Communication Foundation HTTP Activation’ and ‘Windows Communication Foundation non-HTTP Activation’ under ‘Microsoft .NET Framework 3.5.1’.

j. Check ‘MSMQ HTTP Support’ under ‘Microsoft Message Queue (MSMQ) Server’\‘Microsoft Message Queue (MSMQ) Server Core’.

k. Click ‘OK’.

7. Install the management server.  An up-to-date (SE3, aka build 831) installation may be obtained from http://www.totaldefense.com/downloadmanager/index.aspx.  Make sure to use the same certificate password as the previous install.

8. Allow the management server to update itself completely.  This will require a couple of reboots.

9. Open a command prompt as administrator and make the C:\Program Files\CA\TotalDefense\ManagementServer\WebServices\bin directory the current directory.  Run ‘StopMgmtServer’ and wait for the utility to complete.  Leave the command prompt open.

10. Use SQL Server Management Studio to restore the backed up database.  To do this, expand the ‘Databases’ branch, right click ‘itmdb’ and select ‘Tasks’\’Detach…’.  Click the ‘Drop’ checkbox.  You should see a screen like this:

Click ‘OK’.  Right click the ‘Databases’ branch and select ‘Restore Database…’.  In the ‘Restore Database – itmdb’ dialog box, select the ‘From Device’ radio button.  Click the ‘…’ button and in the ‘Specify Backup’ dialog, leave the ‘Backup Media’ as ‘File’ and click the ‘Add’ button.  Expand the directory containing the itmdb.bak file from the old management server and select the file.  Click ‘OK’ until you are back in the ‘Restore Database’ dialog.  Click the ‘Restore’ checkbox for the backup file under ‘Select the backup sets to restore:’ and you should see a screen like this:

11. Click the ‘Options’ page in the ‘Restore Database’ dialog and check the ‘Overwrite the existing database (WITH REPLACE)’ checkbox.  You should see a screen like this:

Click ‘OK’ and the database will be restored.

12. Restore the packages backup to the C:\Program Files\CA\TotalDefense\ManagementServer\Packages directory on the new management server.  Only the directories named after a number (e.g. ‘5’) need to be restored.

13. Run ‘mmc’ from the command prompt that ran StopMgmtServer and perform the following procedure:

a. Select ‘File’\’Add/Remove Snap-in…’.

b. Select ‘Certificates’ and click ‘Add’.

c. Select ‘Computer Account’ and click ‘Next>’.

d. Leave ‘Local Computer’ selected and click ‘Finish’.

e. Expand ‘Certificates (Local Computer)’\’Personal’ and select ‘Certificates’.

f. Select ‘CA TD Client’ and ‘CA TD Server’ and click the delete button.  Click the ‘Yes’ button when mmc asks you to confirm.

g. Expand ‘Certificates (Local Computer)’\‘Trusted Root Certification Authorities’ and select ‘Certificates’.

h. Select ‘CA TD Root’ and click the delete button.  Click the ‘Yes’ button when mmc asks you to confirm.

i. Expand ‘Certificates (Local Computer)’\’Trusted People’ and select ‘Certificates’.

j. Select ‘CA TD Client’ and ‘CA TD Server’ and click the delete button.  Click the ‘Yes’ button when mmc asks you to confirm.

14. Restore the master directory from the old management server to a directory on the new management server (e.g. c:\production_certs).

15. Copy this file to C:\Program Files\CA\TotalDefense\ManagementServer\WebServices\bin:

16. Use the command prompt that ran StopMgmtServer to run the command:

AssignCert c:\production_certs certificate-password

Replace c:\production_certs with the correct directory if the certificates were restored to a different directory in step 14. Replace ‘certificate-password’ with the certificate password used in the initial install of R12 on the old management server.

17. Run ‘mmc’ from the command prompt that ran StopMgmtServer and perform the following procedure:

a. Select ‘File’\’Add/Remove Snap-in…’.

b. Select ‘Certificates’ and click ‘Add’.

c. Select ‘Computer Account’ and click ‘Next>’.

d. Leave ‘Local Computer’ selected and click ‘Finish’.

e. Expand ‘Certificates (Local Computer)’\’Personal’ and select ‘Certificates’.

f. Right click ‘CA TD Server’ and select ‘All Tasks’\’Export…’.

g. Click ‘Next>’ in the ‘Certificate Export Wizard’.

h. Leave ‘No, do not export the private key’ selected and click ‘Next>’.

i. Leave ‘DER encoded binary X.509 (.CER)’ selected and click ‘Next>’.

j. Click the ‘Browse’ button in ‘File to export’ and select the C:\Program Files\CA\TotalDefense\ManagementServer\Packages\Certificates directory.  Specify the file name ‘SERVER.cer’, confirm the overwrite and click ‘Next>’.

k. Click ‘Finish’.

18. Copy client.pfx and root.cer from the old management server certificates directory (c:\production_certs) to C:\Program Files\CA\TotalDefense\ManagementServer\Packages\Certificates.

19. Use the command prompt that ran ‘StopMgmtServer’ and run ‘StartMgmtServer’.  If you get an error like this: wait for a minute and try again.
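
A scripted equivalent of the itmdb backup in step 3 and the restore in steps 10 and 11, as an added example that is not part of the original procedure or vendor tooling. It adds a page-checksum verification and a file hash so a damaged or altered itmdb.bak is caught before the restore. It assumes sqlcmd is installed; the instance name and the backup path are placeholders.

```powershell
# Added example. Values marked 'placeholder' or 'assumed' must be replaced.
$Instance = '<server>\<instance>'        # placeholder: instance used by the management server
$BakFile  = 'D:\td-migration\itmdb.bak'  # assumed path; the SQL Server service account
                                         # must be able to read and write it

function Invoke-Sql([string]$Query) {
    # -E: Windows authentication, -b: non-zero exit code when the batch fails
    & sqlcmd -S $Instance -E -b -Q $Query
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed: $Query" }
}

function Get-Sha256([string]$Path) {
    # .NET hashing so this also runs on the PowerShell 2.0 shipped with Windows 7
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
    finally { $stream.Close() }
}

function Backup-Itmdb {
    # Old management server (step 3)
    Invoke-Sql "BACKUP DATABASE [itmdb] TO DISK = N'$BakFile' WITH INIT, CHECKSUM;"
    Invoke-Sql "RESTORE VERIFYONLY FROM DISK = N'$BakFile' WITH CHECKSUM;"
    Get-Sha256 $BakFile   # record this value and carry it with the file
}

function Restore-Itmdb([string]$ExpectedSha256) {
    # New management server (steps 10-11), after StopMgmtServer has completed
    if ((Get-Sha256 $BakFile) -ne $ExpectedSha256) { throw 'itmdb.bak does not match the recorded hash' }
    Invoke-Sql "RESTORE VERIFYONLY FROM DISK = N'$BakFile' WITH CHECKSUM;"
    Invoke-Sql "RESTORE DATABASE [itmdb] FROM DISK = N'$BakFile' WITH REPLACE;"
}
```

Run `Backup-Itmdb` on the old server and `Restore-Itmdb '<recorded hash>'` on the new one.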
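
A check for the certificate work in steps 13 and 17, as an added example that is not part of the original procedure: it lists the ‘CA TD’ certificates in the three machine stores the steps touch and confirms that the exported SERVER.cer is the certificate now in the Personal store. Matching on the certificate Subject is an assumption about how the names shown in mmc map to certificate fields.

```powershell
# Added example. Run from an elevated PowerShell prompt on the new management server.
$CertDir = 'C:\Program Files\CA\TotalDefense\ManagementServer\Packages\Certificates'

function Get-TdCertificates {
    # My = Personal, Root = Trusted Root Certification Authorities, TrustedPeople = Trusted People
    foreach ($name in 'My', 'Root', 'TrustedPeople') {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($name, 'LocalMachine')
        $store.Open('ReadOnly')
        try {
            # Assumption: the 'CA TD ...' names appear in the Subject field
            $store.Certificates | Where-Object { $_.Subject -like '*CA TD*' } |
                Select-Object @{Name = 'Store'; Expression = { $name }},
                              Subject, Thumbprint, HasPrivateKey, NotAfter
        } finally { $store.Close() }
    }
}

function Test-ExportedServerCert {
    # True when SERVER.cer (step 17) is the same certificate as one in the Personal store
    $path     = Join-Path $CertDir 'SERVER.cer'
    $exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($path)
    $match    = @(Get-TdCertificates |
                  Where-Object { $_.Store -eq 'My' -and $_.Thumbprint -eq $exported.Thumbprint })
    $match.Count -eq 1
}

# After step 13 this should list nothing; after step 16 the production certificates appear.
Get-TdCertificates | Format-Table -AutoSize
```

After step 17, `Test-ExportedServerCert` should return True; a False result means the file distributed from the Packages\Certificates directory is not the server certificate installed in the store.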

In case of Reporting Problems

On occasion, the reporting functionality in the console GUI will not work after performing the above procedure. If this occurs, call support or follow this procedure:

1. Open ‘Windows Explorer’ and click in the edit box at the top of the window.  You should see something like this:

Then type c:\ProgramData.  Your screen should look like this:

Then use explorer in the conventional way to go to the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys directory.  You should see something like this:

For each file that has a modification date set to the date the management server was moved, perform this procedure:

a. Right click the file and select ‘Properties’.  Select the ‘Security’ tab.  You should see something like this:

 

b. Click the ‘Continue’ button and click the ‘Add…’ button.  You should see a dialog like this:

 

c. Make sure that ‘From this location:’ is set to the local machine, not the domain, and type ‘IIS AppPool\EventPool’ in the ‘Enter the object names to select’ box.  Click ‘OK’.

d. Leave the ‘Read’ and ‘Read & Execute’ checked in the ‘Permissions’ dialog and click ‘OK’.

e. Repeat the procedure for the file, but grant rights to the ‘IIS AppPool\ReportPool’ user.
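
The same permission change scripted with icacls, as an added example that is not part of the original procedure. It only touches key files modified on the move date, defaults to a dry run, and grants read and execute and nothing broader. The move date is a placeholder.

```powershell
# Added example. Run from an elevated PowerShell prompt on the new management server.
$MoveDate = [datetime]'2000-01-01'   # placeholder: the date the management server was moved
$KeyDir   = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'
$Pools    = 'IIS AppPool\EventPool', 'IIS AppPool\ReportPool'

function Get-MovedKeyFiles {
    # -Force includes hidden and system files
    Get-ChildItem -Path $KeyDir -Force |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime.Date -eq $MoveDate.Date }
}

function Grant-PoolRead([switch]$Apply) {
    foreach ($file in @(Get-MovedKeyFiles)) {
        foreach ($pool in $Pools) {
            if (-not $Apply) { "Would grant RX on $($file.Name) to $pool"; continue }
            # (RX) = Read & Execute, matching the boxes left checked in step d
            & icacls $file.FullName /grant "${pool}:(RX)" | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed for $($file.Name) / $pool" }
        }
    }
}

Grant-PoolRead            # dry run: lists the files and accounts that would change
# Grant-PoolRead -Apply   # apply the grants, then review the resulting ACLs:
# Get-MovedKeyFiles | ForEach-Object { icacls $_.FullName }
```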



* The attached Word Document includes Screenshots and Files required to perform the Migration.