Loading...

Knowledge Center


ePolicy Orchestrator cluster backup and disaster recovery procedure
Technical Articles ID:   KB75497
Last Modified:  9/25/2019
Rated:


Environment

McAfee ePolicy Orchestrator (ePO) 5.x

Summary

This article provides cluster backup and disaster recovery steps for ePO.

IMPORTANT:
  • This procedure is intended for use by network and ePO administrators only. McAfee does not assume responsibility for any damage incurred because it is intended as a guideline for disaster recovery. All liability for use of the following information remains with the user.
  • It is preferable to use the built-in Disaster Recovery feature and use these steps only if a valid Snapshot was not created and a manual recovery is required.
  • If you are going from a 32-bit to a 64-bit OS, or installing ePO to a different path, use article KB71078.
NOTES:  
  • The agent uses either the last known IP address, DNS name, or NetBIOS name of the ePO server. If you change any one of these, ensure that the agents have a way to locate the server. The easiest way to do this is to retain the existing DNS record and change it to point to the new IP address of the ePO server. After the agent is able to successfully connect to the ePO server, it downloads an updated SiteList.xml with the current information. 
  • You can also use this procedure to migrate the ePO cluster to another system. But, it is preferable to use the built-in Disaster Recovery feature to migrate the ePO server to another system.
Preparation
To ensure a smooth recovery, do not perform a backup while the server is in the middle of installing an extension.

Before backing up the ePO cluster
If possible, open the Windows Cluster Administrator/Management tool and set all ePO services to offline:
  • On Windows Server 2008: Click StartPrograms, Administrative Tools, Failover Cluster Management.
  • On Windows Server 2003: Click StartProgram FilesAdministrative ToolsCluster Administrator.
Otherwise, ensure that no one is performing the following actions during the backup:
  • Installing, uninstalling, or upgrading an extension
  • Updating the ePO database configuration
Backing up the ePO cluster
  1. Use the following to back up the SQL database (normally named ePO_<ServerName>, where the <ServerName> is your ePO server name):
    • For details on backing up the ePO database using OSQL commands, see article KB59562.
    • For details on backing up the ePO database using SQL Server Management Studio, see article KB52126.
       
  2. You must back up the following folder paths from the Share drive that was specified during installation:
Example: (S:\ePolicy Orchestrator\...)

S:\ePolicy Orchestrator\bin\Server\extensions
The default path to ePO software extension information.

S:\ePolicy Orchestrator\bin\Server\conf
The default path to required files used by the ePO software extensions.

S:\ePolicy Orchestrator\bin\Server\keystore
These keys are for ePO agent-to-server communication and the repositories.

S:\ePolicy Orchestrator\DB\Software
All products that have been checked in to the Master Repository are located here.

S:\ePolicy Orchestrator\DB\Keystore
The Agent, Server, and Repository Keys that are unique to your installation are located here. Failing to restore this folder will result in all client systems being unable to communicate with the server, and you will have to redeploy the agent to all systems. Additionally, you will have to check in all deployable packages again.

S:\ePolicy Orchestrator\Apache2\conf
The server configuration settings for Apache, the SSL certificates needed to authorize the server to handle agent requests, and console certificates are located here.

NOTE: Failure to back up and restore these directory structures will require a re-installation of ePO to create new ones and possibly require a clean database installation and redeployment of agents to all client systems.
Recovering the ePO cluster
  1. Delete the ePO database on the SQL server. If you do not know how to perform the MSSQL operation, refer to the Microsoft tech note at: http://technet.microsoft.com/en-us/library/ms177419.aspx or contact Microsoft Support.
     
  2. If restoring ePO to the same system, uninstall ePO. Ensure that there is no ePO folder in the original installation path after the software is uninstalled.
     
    NOTE: Renaming the existing ePO folder and leaving the old directory in place may interfere with the new installation. It is recommended that you remove the old directory completely.
     
  3. Re-install ePO to the same version and patch level as the server you are restoring. Installation must follow the steps in the ePolicy Orchestrator 5.3.0 Installation Guide (PD25506): "Perform cluster installation" section.

    NOTE: You can verify the ePO patch level by looking at the Version field in the backed up Server.ini file (\ePolicy Orchestrator\DB\) and cross referencing it with article KB59938.

    IMPORTANT: You must reinstall ePO to the exact same directory path as the previous installation for this article to apply (or initialization of extensions will fail when the restore is complete). If the installation path is different, refer to the steps in article KB71078.
     
  4. Apply any additional patches/hotfixes/POCs to ePO that had been previously applied. 
     
  5. After installing, open the Windows Cluster Administrator/Management tool and set all McAfee ePO services to offline:
    • On Windows Server 2008: Click StartProgramsAdministrative ToolsFailover Cluster Management.
    • On Windows Server 2003: Click StartProgram FilesAdministrative ToolsCluster Administrator.
       
  6. Restore the database.

    NOTE: Restore the database so that you do not require the ePO database configuration to be updated (for example: same name, host, port, and so on). Otherwise, you have to update the restored DB.PROPERTIES file in S:\ePolicy Orchestrator\bin\Server\conf\orion with the new information before starting the server.
     
  7. Delete the following folders, and replace them with the corresponding folders that were backed up earlier in step 2:

    S:\ePolicy Orchestrator\bin\Server\extensions
    S:\ePolicy Orchestrator\bin\Server\conf
    S:\ePolicy Orchestrator\bin\Server\keystore
    S:\ePolicy Orchestrator\DB\Software
    S:\ePolicy Orchestrator\DB\Keystore
    S:\ePolicy Orchestrator\Apache2\conf
      
  8. Set only the McAfee ePolicy Orchestrator Application Server Service resource to online
     
  9. Open the Configure Database Settings page at: https://<servername>:8443/core/config. If you do not use the default port (8443), substitute your correct console login port.
     
  10. Under Configure Database Settings, verify the following entries:

    Database server name
    Database server instance
    Database server port
    Database name
    User name
    User domain
    User password

    If you make any changes to these entries, ensure that you click Test Connection (bottom-right corner) to verify the connection to the database is successful with the new settings before continuing.
     
  11. If you made any changes on the Configure Database Settings page, do the following:
    1. Click Apply (to save the changes).
    2. Restart the McAfee ePolicy Orchestrator Application Server Service.
     
  12. Attempt to log on to the ePO console. If you are unable to log on, review all of the steps performed in this article and ensure that they have been properly completed. If you cannot resolve the console logon issue, contact Technical Support for further assistance before proceeding.
    To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:
    • If you are a registered user, type your User Id and Password, and then click Log In.
    • If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.

    NOTE: You must be able to log on for the rest of the recovery steps to work.
     
  13. Rename the SSL.CRT folder (see the following path) to SSL.CRT.OLD and manually create an empty folder named SSL.CRT in the same path; otherwise, the setup will fail to create a new certificate: 

    S:\ePolicy Orchestrator\Apache2\conf\ssl.crt
     
  14. Click Start, Run, type cmd, and click OK.
     
  15. Change directories to your ePO installation path (default is S:\ePolicy Orchestrator\).
     
  16. In the ePO directory, run the following command:

    Rundll32.exe ahsetup.dll RunDllGenCerts <ePO_server_name> <console_HTTPS_port> <admin_username> <password> <"installdir\Apache2\conf\ssl.crt">

    where:
    <ePO_server_name> is the ePO server NetBIOS name
    <console_HTTPS_port> is the ePO console port (default is 8443)
    <admin_username> is admin (use the default ePO admin console account)
    <password> is the password to the ePO admin console account
    <installdir\Apache2\conf\ssl.crt> is the installation path to the Apache folder (default installation path: S:\ePolicy Orchestrator\Apache2\conf\ssl.crt)

    Example
    Rundll32.exe ahsetup.dll RunDllGenCerts eposervername 8443 administrator password "S:\ePolicy Orchestrator\Apache2\conf\ssl.crt"
     
    IMPORTANT:
    • This command will fail if you have enabled User Account Control (UAC) on this server. If the server is running Windows Server 2008 or later, disable this feature. You can find more information about UAC at: http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx.
    • This command is case-sensitive. The ahsetup.log (found in <installdir\Apache2\conf\ssl.crt>) provides information about whether the command succeeded or failed and will state whether it used the files located in the ssl.crt folder.
     
  17. Set the following service resources to online, and then start them:
     
    • McAfee ePolicy Orchestrator Event Parser
    • McAfee ePolicy Orchestrator Server
 

Rate this document

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.