MDM Backup and Recovery

10/3/2008

You must regularly back up the underlying operating system for the System Center Mobile Device Manager (MDM) system, Windows Server® 2003. You must also regularly back up the MDM system components: MDM Device Management Server, MDM Enrollment Server and MDM Gateway Server; and the supporting components: domain controllers, Microsoft enterprise certification authority and computers that are running Microsoft® SQL Server®, according to the best practices for Windows Server 2003.

This includes, but is not limited to, full system backups, incremental backups and system state. For more information about how to back up the Windows Server 2003 Standard Edition and Enterprise Edition operating systems, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=108410.

For more information about how to back up and restore keys and certificates in the enterprise certification authority, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=108411.

For more information about how to back up and restore SQL Server 2005, as well as other administrative tasks, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=108412.

Backing Up Your SQL Server Databases for MDM

To move the MDM databases onto another SQL Server computer, or for general database backup and restore operations, first take full backups of the databases and script the SQL Server Agent jobs as follows; the backups are then restored onto the new SQL Server computer as described in the next section:

  1. Stop all 5 of the MDM services:
    • SCMDM ADGP Service
    • SCMDM Enrollment Service
    • SCMDM GCM Service
    • SCMDM Software Distribution Service
    • SCMDM Wipe Service
  2. Start Microsoft SQL Server Management Studio and connect to the local SQL Server.
  3. In SQL Server Management Studio, expand the local server, expand Databases, right-click AdminServices, point to Tasks, and then select Backup.
  4. In the Back Up Database - AdminServices dialog box, make sure that the Backup type is set to Full, note the backup Destination folder, and then select OK.
  5. In the Microsoft SQL Server Management Studio dialog box informing you that the backup completed successfully, select OK.
  6. Repeat steps 3 through 5 for each of the MDM databases.
  7. In SQL Server Management Studio, expand SQL Server Agent, and then select Jobs.
  8. Right-click ExecutionResultProcessingTimeout, point to Script Job as, point to CREATE To, and then select File.
  9. In the Select a file dialog box, select a folder on the local computer to store the SQL Server scripts, and then select Save.
  10. Right-click TEEDB_Cleanup, point to Script Job as, point to CREATE To, and then select File.
  11. In the Select a file dialog box, select a folder on the local computer to store the SQL Server scripts, and then select Save.
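The backup procedure above as a script, added here as an example and not part of the MDM documentation. It assumes it runs elevated on the SQL Server computer under a sysadmin account, that sqlcmd.exe is on the PATH, that SMO (installed with the SQL Server management tools) is available, and that the folder in $BackupDir is writable by the SQL Server service account; the folder name is an assumption. The backups are checksummed and verified immediately so that a damaged backup file is noticed now rather than during the restore.

```powershell
# Added example (not from the MDM documentation): steps 1-11 of the backup procedure.
$SqlServer = '.'                  # local default instance; use 'host\instance' for a named one
$BackupDir = 'D:\MDMBackup'       # assumed destination folder
$Databases = 'AdminServices', 'MobileEnrollment', 'TEEDB'
$Jobs      = 'ExecutionResultProcessingTimeout', 'TEEDB_Cleanup'

# Step 1: stop the five MDM services, matched by the display names listed in the procedure.
$services = @(Get-Service -DisplayName 'SCMDM*')
if ($services.Count -ne 5) { throw "Expected 5 SCMDM services, found $($services.Count)" }
$services | Stop-Service -Force
$services | ForEach-Object { $_.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60)) }

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd_HHmmss'

# Steps 3-6: a full backup of each MDM database, checksummed and verified on the spot.
foreach ($db in $Databases) {
    $bak  = Join-Path $BackupDir ("{0}_{1}.bak" -f $db, $stamp)
    $tsql = @"
BACKUP DATABASE [$db] TO DISK = N'$bak' WITH INIT, CHECKSUM, NAME = N'$db full backup';
RESTORE VERIFYONLY FROM DISK = N'$bak' WITH CHECKSUM;
"@
    $script = Join-Path $env:TEMP "backup_$db.sql"
    Set-Content -Path $script -Value $tsql -Encoding ASCII
    & sqlcmd -S $SqlServer -E -b -i $script      # -E: Windows auth, -b: non-zero exit on T-SQL error
    if ($LASTEXITCODE -ne 0) { throw "Backup of $db failed" }
    Remove-Item $script
}

# Steps 7-11: script the two SQL Server Agent jobs as CREATE scripts with SMO, which is
# what "Script Job as > CREATE To > File" does in Management Studio.
Add-Type -AssemblyName 'Microsoft.SqlServer.Smo'
$smo = New-Object Microsoft.SqlServer.Management.Smo.Server $SqlServer
foreach ($jobName in $Jobs) {
    $job = $smo.JobServer.Jobs[$jobName]
    if (-not $job) { throw "SQL Server Agent job $jobName not found" }
    $job.Script() | Set-Content -Path (Join-Path $BackupDir "$jobName.sql") -Encoding ASCII
}
```

Copy the whole of $BackupDir (the .bak files and the two job .sql files) to the new SQL Server computer before starting the restore.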

Restoring Your SQL Server Databases for MDM

To restore the databases for MDM, follow these steps:

  1. On the new SQL Server computer, start Microsoft SQL Server Management Studio and connect to the local SQL Server.
  2. In SQL Server Management Studio, expand the local server, right-click Databases, and then select Restore Database.
  3. In the Restore Database dialog box, in the Destination for restore section, in the To database box, type the exact name of the database that you want to restore, for example AdminServices.
  4. In the Source for restore section, select From device, and then select the ellipsis button (...).
  5. In the Specify Backup dialog box, select Add.
  6. In the Locate Backup File dialog box, navigate to the backup destination folder that you noted in step 4 of the "Backing Up Your SQL Server Databases for MDM" section above, and then select OK.
  7. In the Specify Backup dialog box, select OK.
  8. In the Restore Database dialog box, select OK.
  9. Repeat steps 2 through 6 for each of the MDM databases.
  10. In SQL Server Management Studio, make sure that the following security logins exist:
    • <domain>\SCMDM2008DeviceManagementServers
    • <domain>\SCMDM2008EnrollmentServers
    • <domain>\SCMDM2008ServerAdministrators
  11. If these logins do not exist, then follow steps 12 through 18. Otherwise, skip to step 19.
  12. In SQL Server Management Studio, expand the local server, expand Security, right-click Logins, and then select New Login.
  13. In the Login - New dialog box, select Search.
  14. In the Select User or Group dialog box, select Object Types.
  15. In the Object Types dialog box, select the Groups check box, and then select OK.
  16. In the Select User or Group dialog box, in the From this location box, make sure that Entire Directory is selected. Otherwise, select Locations to specify the entire directory.
  17. In the Enter the object name to select box, type SCMDM2008DeviceManagementServers, and then select OK.
  18. Repeat steps 12 through 17 to add the SCMDM2008EnrollmentServers and SCMDM2008ServerAdministrators security logins.
  19. In SQL Server Management Studio, right-click the local server, and then select New Query.
  20. Copy the script for the ExecutionResultProcessingTimeout job from the above stored SQL Server script file, and paste it into the query pane.
  21. Select Query, and then select Execute.
  22. Repeat steps 19 through 21 to run the script query for the TEEDB_Cleanup job.
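The restore procedure above as a script, added here as an example and not part of the MDM documentation. It assumes it runs on the new SQL Server computer under a sysadmin account, that sqlcmd.exe is on the PATH, that the .bak files and the two job .sql files were copied into $BackupDir, that $Domain is the domain holding the SCMDM2008 groups, and that the new server's data and log folders match the old server's (otherwise add WITH MOVE to the RESTORE statement); the folder and domain names are assumptions.

```powershell
# Added example (not from the MDM documentation): steps 1-22 of the restore procedure.
$SqlServer  = '.'
$BackupDir  = 'D:\MDMBackup'   # assumed
$Domain     = 'CONTOSO'        # assumed: the domain that holds the SCMDM2008 groups
$Databases  = 'AdminServices', 'MobileEnrollment', 'TEEDB'
$Logins     = 'SCMDM2008DeviceManagementServers',
              'SCMDM2008EnrollmentServers',
              'SCMDM2008ServerAdministrators'
$JobScripts = 'ExecutionResultProcessingTimeout.sql', 'TEEDB_Cleanup.sql'

function Invoke-TsqlFile([string]$Path) {
    & sqlcmd -S $SqlServer -E -b -i $Path
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed while running $Path" }
}

function Invoke-Tsql([string]$Tsql) {
    $tmp = [IO.Path]::GetTempFileName()
    Set-Content -Path $tmp -Value $Tsql -Encoding ASCII
    try { Invoke-TsqlFile $tmp } finally { Remove-Item $tmp }
}

# Steps 1-9: restore each database from its newest backup file, under its exact name.
foreach ($db in $Databases) {
    $bak = Get-ChildItem -Path $BackupDir -Filter "${db}_*.bak" |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $bak) { throw "No backup file for $db in $BackupDir" }
    Invoke-Tsql "RESTORE DATABASE [$db] FROM DISK = N'$($bak.FullName)' WITH REPLACE, CHECKSUM, RECOVERY;"
}

# Steps 10-18: create the three Windows-group logins only where they are missing.
# The database users restored with each database carry the groups' Active Directory SIDs,
# so they bind to these logins as soon as the logins exist; no user remapping is needed.
$loginTsql = foreach ($g in $Logins) {
    "IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Domain\$g') " +
    "CREATE LOGIN [$Domain\$g] FROM WINDOWS;"
}
Invoke-Tsql ($loginTsql -join "`r`n")

# Steps 19-22: recreate the two SQL Server Agent jobs from the saved CREATE scripts.
foreach ($js in $JobScripts) { Invoke-TsqlFile (Join-Path $BackupDir $js) }
```

The login creation is idempotent, so the script can be rerun after a partial failure without the New Login dialog's "already exists" error.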

Verifying Database Restoration

After running the script queries, you should verify that the databases were restored properly by making sure that the accounts and permissions are intact.

Remote Databases

When installed with remote databases, MDM setup configures the following user accounts and roles for each database.

Database           User account                                  Database roles

AdminServices      <domain>\SCMDM2008DeviceManagementServers     ServiceAdmin, ServiceDriver, VPNAdmin, VPNPowerUser
                   <domain>\SCMDM2008EnrollmentServers           ServiceAdmin, ServiceDriver
                   <domain>\SCMDM2008ServerAdministrators        ServiceAdmin

MobileEnrollment   <domain>\SCMDM2008EnrollmentServers           EnrollmentServer
                   NT AUTHORITY\ANONYMOUS LOGON                  EnrollmentWebService

TEEDB              <domain>\SCMDM2008DeviceManagementServers     PublicAPI, TEE

Local Databases

When installed with local databases, MDM setup configures the following user accounts and roles for each database.

Database           User account                                  Database roles

AdminServices      <domain>\SCMDM2008ServerAdministrators        ServiceAdmin
                   NT AUTHORITY\NETWORK SERVICE                  ServiceAdmin, ServiceDriver, VPNAdmin, VPNPowerUser

MobileEnrollment   NT AUTHORITY\LOCAL SERVICE                    EnrollmentWebService
                   NT AUTHORITY\NETWORK SERVICE                  EnrollmentServer

TEEDB              <domain>\SCMDM2008DeviceManagementServers     PublicAPI, TEE
                   NT AUTHORITY\NETWORK SERVICE                  PublicAPI, TEE
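A check of the restored databases against the two tables above, added here as an example and not part of the MDM documentation. It assumes sqlcmd.exe on the PATH, a sysadmin connection, that $Domain is the domain holding the SCMDM2008 groups, and that $Layout is set to whichever table applies to how MDM setup was run; the domain name is an assumption. It reports every expected role that is missing and every principal holding roles that the tables do not list.

```powershell
# Added example (not from the MDM documentation): verify database users and role membership.
$SqlServer = '.'
$Domain    = 'CONTOSO'     # assumed
$Layout    = 'Remote'      # 'Remote' or 'Local', matching the table for your installation

$dms = "$Domain\SCMDM2008DeviceManagementServers"
$es  = "$Domain\SCMDM2008EnrollmentServers"
$sa  = "$Domain\SCMDM2008ServerAdministrators"
$ns  = 'NT AUTHORITY\NETWORK SERVICE'
$ls  = 'NT AUTHORITY\LOCAL SERVICE'
$an  = 'NT AUTHORITY\ANONYMOUS LOGON'

# Expected user -> roles, transcribed from the Remote Databases and Local Databases tables.
$Expected = @{
    Remote = @{
        AdminServices    = @{ $dms = 'ServiceAdmin', 'ServiceDriver', 'VPNAdmin', 'VPNPowerUser'
                              $es  = 'ServiceAdmin', 'ServiceDriver'
                              $sa  = 'ServiceAdmin' }
        MobileEnrollment = @{ $es  = 'EnrollmentServer'
                              $an  = 'EnrollmentWebService' }
        TEEDB            = @{ $dms = 'PublicAPI', 'TEE' }
    }
    Local = @{
        AdminServices    = @{ $sa  = 'ServiceAdmin'
                              $ns  = 'ServiceAdmin', 'ServiceDriver', 'VPNAdmin', 'VPNPowerUser' }
        MobileEnrollment = @{ $ls  = 'EnrollmentWebService'
                              $ns  = 'EnrollmentServer' }
        TEEDB            = @{ $dms = 'PublicAPI', 'TEE'
                              $ns  = 'PublicAPI', 'TEE' }
    }
}

# One "user|role" line per role membership of a SQL, Windows-user or Windows-group principal.
$query = @'
SET NOCOUNT ON;
SELECT u.name + '|' + r.name
FROM sys.database_role_members m
JOIN sys.database_principals r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals u ON u.principal_id = m.member_principal_id
WHERE u.type IN ('S', 'U', 'G');
'@

$problems = @()
foreach ($db in $Expected[$Layout].Keys) {
    # -d selects the database, -h -1 drops the header, -W trims padding, -b fails on error
    $rows = & sqlcmd -S $SqlServer -E -b -d $db -h -1 -W -Q $query
    if ($LASTEXITCODE -ne 0) { $problems += "${db}: could not be queried (restored and online?)"; continue }

    $actual = @{}
    foreach ($line in $rows) {
        if ($line -match '^(.+)\|(.+)$') { $actual[$Matches[1]] += @($Matches[2]) }
    }
    foreach ($user in $Expected[$Layout][$db].Keys) {
        $have = @($actual[$user])
        foreach ($role in $Expected[$Layout][$db][$user]) {
            if ($have -notcontains $role) { $problems += "${db}: $user is missing role $role" }
        }
    }
    # Principals the tables do not list deserve a look before the MDM services are started.
    foreach ($user in $actual.Keys) {
        if (-not $Expected[$Layout][$db].ContainsKey($user)) {
            $problems += "${db}: unexpected principal $user holds roles $($actual[$user] -join ', ')"
        }
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'All MDM database users and roles match the expected layout.' }
```

Because the check runs against sys.database_principals inside each restored database, it also confirms that the Windows-group users came across with the restore and resolved against the logins created on the new server.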

Database Service Connection Points

To verify the database service connection points (SCP), follow these steps.

  1. Download the Active Directory Service Interfaces tool at this Microsoft Web site:
    https://go.microsoft.com/fwlink/?LinkId=109940
  2. Open a Microsoft Management Console (MMC) window.
  3. Add the ADSIEdit snap-in.
  4. Connect to the domain.
  5. Expand the domain, expand DC=domain,DC=company name,DC=com, expand CN=System, expand CN=SCMDM2008, right-click CN=SCMDM2008Dependencies, and then select Properties.
  6. In the CN=SCMDM2008Dependencies Properties dialog box, on the Attribute Editor tab, in the Attributes box, scroll down and select keywords, and then select Edit.
  7. In the Multi-valued String Editor dialog box, in the Values box, select database=<old SQL Server>, and then select Remove. If only the SQL Server instance was changed and SQL Server still runs on the same computer, select sqlinstance=<old SQL Server instance> instead of database=<old SQL Server>.
  8. In the Value to add box, change the old SQL Server to the new SQL Server, select Add, and then select OK.
  9. In the CN=SCMDM2008Dependencies Properties dialog box, select Apply, and then select OK.
  10. Start all 5 of the MDM services:
    • SCMDM ADGP Service
    • SCMDM Enrollment Service
    • SCMDM GCM Service
    • SCMDM Software Distribution Service
    • SCMDM Wipe Service
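Steps 5 through 10 above with the ADSI provider instead of the ADSIEdit snap-in, added here as an example and not part of the MDM documentation. It assumes it runs as a domain account with write access to CN=SCMDM2008Dependencies and that the old and new SQL Server names are as given in the two variables; both names are assumptions. The script refuses to change anything unless the old value is actually present and re-reads the attribute after writing it.

```powershell
# Added example (not from the MDM documentation): update the database keyword on the MDM SCP.
$OldValue = 'database=OLDSQL01'   # or 'sqlinstance=<old instance>' when only the instance changed
$NewValue = 'database=NEWSQL01'   # assumed new SQL Server name

# Bind to CN=SCMDM2008Dependencies,CN=SCMDM2008,CN=System,<domain naming context>.
$rootDse = [ADSI]'LDAP://RootDSE'
$dnc     = $rootDse.Get('defaultNamingContext')
$scp     = [ADSI]"LDAP://CN=SCMDM2008Dependencies,CN=SCMDM2008,CN=System,$dnc"

# keywords is multi-valued; @() makes a single value and a value array look the same.
$keywords = @($scp.Get('keywords'))
Write-Host "keywords before:`n  $($keywords -join "`n  ")"
if ($keywords -notcontains $OldValue) {
    throw "'$OldValue' is not among the SCP keywords; nothing was changed."
}

# Steps 7-9: remove the old value, add the new one, and write the attribute back.
$updated = @($keywords | Where-Object { $_ -ne $OldValue }) + $NewValue
$scp.PutEx(2, 'keywords', [string[]]$updated)   # 2 = ADS_PROPERTY_UPDATE: replace all values
$scp.SetInfo()

# Re-read from the directory to confirm the change persisted.
$after = @(([ADSI]$scp.Path).Get('keywords'))
Write-Host "keywords after:`n  $($after -join "`n  ")"
if ($after -notcontains $NewValue) { throw 'The SCP keyword update did not persist.' }

# Step 10: start the five MDM services again.
Get-Service -DisplayName 'SCMDM*' | Start-Service
```

Run it once against a test domain first: PutEx with ADS_PROPERTY_UPDATE replaces the whole keywords value set, so any other keyword values must be preserved in $updated, which the Where-Object filter above does.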