3/13/13

McAfee ServicePortal

ePO 4.5 and 4.6 server backup and disaster recovery procedure

Corporate knowledgebase ID: KB66616
Published: Feb 15, 2013

Environment
McAfee ePolicy Orchestrator 4.x

IMPORTANT: ePolicy Orchestrator (ePO) 4.0 reached End of Life (EOL) on September 30, 2011. ePO 4.0 will no longer be tested with new releases of related products or utilities. Therefore, McAfee recommends that you upgrade to the latest supported version.

See also:
- McAfee EOL List and EOL Policy at: http://www.mcafee.com/us/support/supporteol.aspx
- KB69534 - End of Life for ePolicy Orchestrator 4.0

For details of all supported operating systems, see KB51109.

Solution
IMPORTANT: This procedure is intended for use by network and ePolicy Orchestrator (ePO) administrators only. McAfee does not assume responsibility for any damage incurred, because these steps are intended as guidelines for disaster recovery. All liability for use of the following information remains with the user.

- The procedure is for use with ePO 4.5 and 4.6 servers only.
- This will not work if you rename the ePO server. See KB66620 for steps on handling this situation.
- The Operating System (OS) must be the same if you are going to re-install the OS.
- You must reinstall ePO to the exact same directory path as the previous installation, or initialization of extensions will fail when the restore is complete. See KB70685 for a Product Management statement regarding this limitation.

NOTES:
- The Agent uses either the last known IP address, DNS name, or NetBIOS name of the ePO server. If you change any one of these, ensure that the Agents have a way to locate the server. The easiest way to do this is to retain the existing DNS record and change it to point to the new IP address of the ePO server. After the Agent is able to successfully connect to the ePO server, it downloads an updated SiteList.xml with the current information.
- The procedure can also be used by customers who want to migrate the ePO 4.5 or 4.6 server to another system.

Preparation
To ensure a smooth recovery, do not perform a backup while the server is in the middle of installing an extension.

Before backing up
If possible, shut down the ePO 4.x.0 Application Server service (Tomcat) entirely when doing the backup, where 4.x.0 applies to both ePO 4.5 and 4.6 (for example, ePO 4.6.0 Application Server). Otherwise, ensure that no one is performing the following actions during the backup:
- Installing, uninstalling, or upgrading an extension
- Updating the ePO database configuration

Backing up
Use the following to back up the SQL database (normally named ePO4_<ServerName>, where <ServerName> is your ePO 4.5 / 4.6 server name):
- DBBAK utility
- SQL Enterprise Manager

See article KB59562 - How to back up the ePO database using OSQL commands, or KB52126 - How to back up and restore the ePO database using Enterprise Manager / Management Studio.

You must also back up the following folder paths (the default installation path is used; your installation might differ):

- C:\Program Files\McAfee\ePolicy Orchestrator\SERVER\
  All installed extensions and configuration information for the ePO Application Server service are found here.
  NOTE: If you want to reduce the number of items to back up from the \SERVER folder, consider excluding only the following:
  - C:\Program Files\McAfee\ePolicy Orchestrator\server\logs (server log files)
  - C:\Program Files\McAfee\ePolicy Orchestrator\server\cache (contains cached information that ePO creates and uses, such as generated chart images; ePO will regenerate that information if deleted)
  - C:\Program Files\McAfee\ePolicy Orchestrator\server\work (contains cached information about web applications registered with Tomcat; Tomcat will regenerate that information if deleted)

- C:\Program Files\McAfee\ePolicy Orchestrator\DB\SOFTWARE\
  All Products that have been checked into the Master Repository are located here.

- C:\Program Files\McAfee\ePolicy Orchestrator\DB\KEYSTORE\
  The Agent to Server Communication and Repository Keys that are unique to your installation are located here. Failing to restore this folder results in re-pushing the agent to all your systems, and checking in all of your deployable packages again.

- C:\Program Files\McAfee\ePolicy Orchestrator\APACHE2\CONF
  The Server configuration settings for Apache, the SSL Certificates needed to authorize the server to handle agent requests, and Console Certificates are located here. Failure to back up and restore this directory results in a re-installation of ePO to create new ones and possibly using a clean database installation.

Recovery
1. Delete or rename the ePO database on the SQL server. If you do not know how to perform the MSSQL operation, contact Microsoft Support.

2. Reinstall ePO 4.5 / 4.6.
   IMPORTANT: You must reinstall ePO to the exact same directory path as the previous installation, or initialization of extensions will fail when the restore is complete. Also, you do not have to specify the same port configuration except for the database. The ports are restored to the previous installation values during the restore.

3. Apply any patches to ePO 4.5 / 4.6 that had been previously applied.
   - If you have previously installed Policy Auditor 5.x for use with ePO, install the same version of Policy Auditor (including the hotfix release) that had been installed before.
   - If you have previously installed McAfee NAC 3.x or McAfee NAC 4.0 for use with ePO, install the same version of McAfee NAC (including the hotfix release) that had been installed before.
   NOTE: You can verify the ePO 4.5/4.6 patch level by looking at the Version field in the backed up Server.ini file (C:\Program Files\McAfee\ePolicy Orchestrator\DB\) and cross-referencing it with article KB59938 - Version information for the ePO 4.x server.

4. After installing, stop and disable all ePO 4.5 / 4.6 services:
   a. Click Start, Run, type services.msc, and click OK.
   b. Right-click each of the following services and select Stop:
      - McAfee ePolicy Orchestrator 4.x.0 Application Server
      - McAfee ePolicy Orchestrator 4.x.0 Event Parser
      - McAfee ePolicy Orchestrator 4.x.0 Server
   c. Double-click each of the following services and change Startup type to Disabled:
      - McAfee ePolicy Orchestrator 4.x.0 Application Server
      - McAfee ePolicy Orchestrator 4.x.0 Event Parser
      - McAfee ePolicy Orchestrator 4.x.0 Server

5. Restore the database.
   NOTE: Restore the database so that you do not require the ePO database configuration to be updated (for example, same name, host, port, and so on). Otherwise, you have to update the restored DB.PROPERTIES file in C:\Program Files\McAfee\ePolicy Orchestrator\server\conf\Orion with the new information before starting up the server.

6. Delete the following folders, replacing them with the corresponding folders that were backed up earlier:
   - C:\Program Files\McAfee\ePolicy Orchestrator\SERVER\
   - C:\Program Files\McAfee\ePolicy Orchestrator\APACHE2\CONF
   - C:\Program Files\McAfee\ePolicy Orchestrator\DB\SOFTWARE\
   - C:\Program Files\McAfee\ePolicy Orchestrator\DB\KEYSTORE\

7. Before you enable and start the ePO 4.5 / 4.6 services, ensure that the contents (version numbers) of the C:\Program Files\McAfee\ePolicy Orchestrator\server\extensions\installed folder match the extensions listed in the OrionExtensions table. To check the contents of the OrionExtensions table, access the SQL Tools and run the following T-SQL command:

       Select * from OrionExtensions

   If there is a mismatch on server startup, the server removes each extension not listed in the OrionExtensions table. If this happens, check in these extensions again and also restore the database again.

8. Start the McAfee ePolicy Orchestrator 4.x.0 Application Server service.
   NOTE: You have to start this service for RunDllGenCerts to work.

9. Rename the SSL.CRT folder (see path below) to SSL.CRT.OLD and manually create an empty folder named SSL.CRT on the same path, otherwise the setup will fail to create a new Cert:
   32-bit: "C:\Program Files\McAfee\ePolicy Orchestrator\APACHE2\CONF\SSL.CRT"
   64-bit: "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\APACHE2\CONF\SSL.CRT"

10. Click Start, Run, type cmd, and click OK.

11. Change directories to your ePO installation directory. Default path:
    32-bit: Program Files\McAfee\ePolicy Orchestrator\
    64-bit: Program Files (x86)\McAfee\ePolicy Orchestrator\

12. Run the following command:


    IMPORTANT:
    - This command will fail if you have enabled User Account Control (UAC) on this server. If this is a Windows Server 2008 or later, disable this feature. You can find more information about UAC at: http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx.
    - This command is case-sensitive.

    The ahsetup.log (found in <installdir\Apache2\conf\ssl.crt>) provides information about whether the command succeeded or failed and will state if it used the files located in the ssl.crt folder.

        Rundll32.exe ahsetup.dll RunDllGenCerts <eposervername> <console HTTPS port> <admin username> <password> <"installdir\Apache2\conf\ssl.crt">

    where:
    - <eposervername> is your ePO server's NetBIOS Name
    - <console HTTPS port> is your ePO Console Port (default is 8443)
    - <admin username> is admin (use the default ePO admin account)
    - <password> is the password to the ePO Admin console account
    - <installdir\Apache2\conf\ssl.crt> is your installation path to the Apache folder. Default installation path:
      32-bit: "C:\Program Files\McAfee\ePolicy Orchestrator\APACHE2\CONF\SSL.CRT"
      64-bit: "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\APACHE2\CONF\SSL.CRT"

    Example:

        Rundll32.exe ahsetup.dll RunDllGenCerts eposervername 8443 administrator password "C:\Program Files\McAfee\ePolicy Orchestrator\APACHE2\CONF\SSL.CRT"

13. Start the following services:
    - McAfee ePolicy Orchestrator 4.x.0 Event Parser
    - McAfee ePolicy Orchestrator 4.x.0 Server

14. Look in the DB/logs/server.log to ensure that the Agent Handler (Apache server) started correctly. It should state something similar to the following:

        20090923173647 I #4108 NAIMSRV ePolicy Orchestrator server started.

    If it does not, there will be an error similar to:

        20090923173319 E #4736 NAIMSRV Failed to get server key information.
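
One way to automate the step 14 check, as an added example that is not part of the McAfee article: the function name Get-EpoAgentHandlerStatus and the sample lines are constructed for illustration, and the entry layout (timestamp, severity letter, #thread id, component, message) is assumed from the two entries quoted above. Because server.log accumulates across restarts, it reports the most recent outcome instead of the first match.

```powershell
# Added example (not McAfee code). Assumed entry layout, inferred from step 14:
#   <yyyyMMddHHmmss> <severity letter> #<thread id> <component> <message>
function Get-EpoAgentHandlerStatus {
    param([string[]]$Lines)

    $pattern = '^(?<ts>\d{14})\s+(?<sev>[A-Z])\s+#(?<tid>\d+)\s+(?<comp>\S+)\s+(?<msg>.*)$'
    $inv     = [Globalization.CultureInfo]::InvariantCulture
    $last    = $null

    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }          # wrapped or foreign lines
        if ($Matches['comp'] -ne 'NAIMSRV') { continue }    # only the server component

        $state = $null
        if ($Matches['msg'] -like 'ePolicy Orchestrator server started*') {
            $state = 'Started'
        } elseif ($Matches['msg'] -like 'Failed to get server key*') {
            $state = 'KeyFailure'
        }
        if (-not $state) { continue }

        $when = [datetime]::ParseExact($Matches['ts'], 'yyyyMMddHHmmss', $inv)
        # Keep only the newest outcome: an old failure must not mask a later start.
        if (-not $last -or $when -ge $last.Time) {
            $last = New-Object PSObject -Property @{
                State = $state; Time = $when; Line = $line
            }
        }
    }

    if ($last) { return $last }
    New-Object PSObject -Property @{ State = 'Unknown'; Time = $null; Line = $null }
}

# Constructed sample: a failed start, an unrelated line, then a successful start.
$sample = @(
    '20090923173319 E #4736 NAIMSRV Failed to get server key information.',
    'this line does not follow the assumed layout',
    '20090923173647 I #4108 NAIMSRV ePolicy Orchestrator server started.'
)
$result = Get-EpoAgentHandlerStatus -Lines $sample
'{0} (last entry: {1})' -f $result.State, $result.Line

# Real use: pass (Get-Content '<installdir>\DB\logs\server.log') as -Lines.
```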

Corporate KnowledgeBase Information


Categories: ePolicy Orchestrator 4.5, ePolicy Orchestrator 4.6

Related Information
KB51438 - Recommended steps for migrating or moving the ePO 4.0 server to a new system
