Migrating the collection server component
Applies To: Forefront Client Security
Checklist
The following is a checklist of the high-level tasks required for you to successfully migrate the Client Security collection server component. This checklist is included to help you perform the migration procedures. Detailed steps follow the checklist.
| Server | Task | Your notes |
|---|---|---|
Source collection server |
Documenting the DAS account |
|
Source collection server |
Documenting the MOM Action account |
|
Target collection server |
Removing MOM or System Center Operations Manager components |
|
Target collection server |
Installing the Client Security collection server component |
|
Management server |
Configuring the management server to use the new collection server |
|
Collection database server |
Updating the MOM computer discovery rules |
|
Management server |
Updating Client Security policies |
|
Management server |
Verifying communication |
|
Source collection server |
Uninstalling the Client Security collection server component |
|
Before you can move the collection server component from one server to another, you must first prepare the target server and other dependent components. To do this, you must know the names of the DAS account and the MOM Action account.
Collecting information
To find the DAS account, you must have access to the existing collection server.
To find the DAS account
On the source collection server, in Administrative Tools, open Component Services.
In the tree, expand Component Services, expand Computers, expand My Computer, and then click COM+ Applications.
In the right pane, right-click Microsoft Operations Manager Data Access Server, and then click Properties.
Click the Identity tab and record the value in the User text box. This is the Client Security DAS account.
To find the MOM Action account, you first must determine the MOM Management Group name, and then input that into a command line which returns the MOM Action account.
To find the MOM Action account
On the source collection server, click Start, click Run, type regedit, and then click OK.
Browse to the following location in the registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft Forefront\Client Security\1.0\Config\MOMServer.
In the right pane, find the GroupName value and record the data for it. This is the Management Group Name.
In the Run dialog box, type cmd, and then click OK.
In the Command Prompt window, change to the following directory:
% installationdirectory %\Server\Microsoft Operations Manager 2005
In the Command Prompt window, type the following command, and then press ENTER:
SetActionAccount.exe groupname -query
Where *groupname* is the MOM Management Group name.
The command outputs the MOM Action account value. Record this account name.
Preparing the target computer
To prepare the target system, you must first remove any previously installed MOM or System Center Operations Manager agents.
To uninstall MOM or System Center Operations Manager components
On the target collection server, in Add or Remove Programs, select either Microsoft Operations Manager 2005 Agent or System Center Operations Manager 2007 Agent and click Remove.
In the Add or Remove Programs dialog box, click Yes.
Click Finish.
You must then install the Client Security collection server component.
To install the Client Security collection server component
For instructions on installing the Client Security collection server component, see "To install Client Security on the collection server" in Installing Client Security on a six-server topology.
During the installation of the Client Security collection server component, specify the existing collection database server and reporting database.
When asked for the DAS account and the MOM Action account information, specify the information gathered from the source collection server.
Note
After completing this step, you may see alerts on the management server in the MOM Operator console. These alerts reference cross MOM Management Server heartbeat detection. These alerts are temporary and will resolve themselves once the migration procedure is complete.
Configuring the management server
You must configure the management server with the location of the new collection server. To do this, run the Client Security Configuration wizard.
Configuring the management server
In the Client Security console, click Action, and then click Configure.
On the Before You Begin page, click Next.
On the Collection Server and Database page, do the following:
In the Collection server box, enter the name of the new collection server.
In the Collection database box, enter the name of the collection database server, and then the SQL Server instance, if necessary.
In the Management group name box, enter the name of the management group you specified during the Setup wizard.
On the Reporting Database page, do the following:
In the Reporting database box, verify that the name of the reporting database server is correct, and, if necessary, that the SQL Server instance name is correct.
In the Reporting account box, enter the user name and password for the reporting account.
Click Next.
On the Reporting Server page, do the following:
In the Reporting server box, ensure that the name of the reporting server is correct.
In the URL for Report Server and URL for Report Manager boxes, ensure the default values are entered.
Click Next.
On the Verifying Settings and Requirements page, verify your system requirements, and then click Next. If you receive an error, you cannot continue configuring Client Security. If you receive a warning or error, see the following resources for more information:
Configuration log file. (To view, click View Log.) For more information about the configuration log file, see Overview of log files in the Troubleshooting Guide (https://go.microsoft.com/fwlink/?LinkId=82466).
Setup issues in the Troubleshooting Guide (https://go.microsoft.com/fwlink/?LinkID=86102).
On the Completing the Configuration Wizard page, verify that you have successfully configured Client Security, and then click Close. If you receive an error, you cannot continue configuring Client Security. If you receive a warning or error, see the following resources for more information:
Configuration log file. (To view, click View Log.) For more information about the configuration log file, see Overview of log files in the Client Security Troubleshooting Guide (https://go.microsoft.com/fwlink/?LinkId=82466).
Setup issues in the Client Security Troubleshooting Guide (https://go.microsoft.com/fwlink/?LinkID=86102).
In Administrative Tools, click Services.
In the service listing, right-click Microsoft Forefront Client Security Management Service, and then click Start.
Configuring the collection database server
To configure the collection database server with the information for the new collection server, you must update the MOM computer discovery rules. To do this, download the Forefront Client Security Migration tool (https://go.microsoft.com/fwlink/?LinkID=92665). Running the downloaded Windows Installer file (FCSmigrationpackage.msi) extracts the ComputerDiscoveryMigration.exe file to the Client Security installation folder under the MigrationPackage folder.
Note
To perform the following steps, you must have db_owner privileges on the collection database, listed in the SQL Server Management Studio as the OnePoint database.
To update the MOM computer discovery rules
On the collection database server, click Start, select Run, type cmd, and then click OK.
Type the following command and press Enter:
ComputerDiscoveryMigration.exe /Source *sourceCollectionServerName * **/Target ** targetCollectionServerName
On the target collection server, in the MOM 2005 Administrator Console, in the tree pane, right-click Computer Discovery Rules, and then click Run Computer Discovery Now.
On the target collection server, in the tree pane, click Agent-managed Computers and in the details pane verify that the new collection server name appears in the Management Server column.
On the target collection server, right-click the agents and click Update Agent Settings, and then click OK.
Manually installed agents that have Full in the Control Level column can be updated using the preceding steps.
Agents that have None in the Control Level column must be modified on the agent.
On the agent, open Add or Remove Programs, and then, under the Microsoft Operations Manager 2005 Agent,click Change.
Click Next, ensure that Modify is selected, and then click Next.
Select Modify Management Group, and then click Next.
In the Management Server text box, type the name of the target collection server, and then click Next.
Click Finish.
If there are no errors, the Client Security Migration tool will produce no output. If the Client Security Migration tool encounters an error while performing the rule migration, it will output an error message with a number at the top of the message. The following table lists the possible Client Security Migration tool error codes and their meanings.
| Error code | Meaning |
|---|---|
1 |
Usage error. Usage: ComputerDiscoveryRuleMigration.exe /Source <Source MOM Management Server Machine Name> /Target <Target MOM Management Server Machine Name> |
2 |
The source computer, <source machine name>, was not found in the database. Verify the source computer's name and try again. If this error recurs, update the computer discovery rules manually. For more information, see "Migrating Client Security topologies" in the Client Security Deployment Guide. |
3 |
The target computer, <target machine name>, was not found in the database. Verify the target computer's name and try again. If this error recurs, update the computer discovery rules manually. For more information, see "Migrating Client Security topologies" in the Client Security Deployment Guide. |
4 |
The source computer, <source machine name>, is not identified as a MOM Management Server. Verify the source computer's name and try again. If this error recurs, update the computer discovery rules manually. For more information, see "Migrating Client Security topologies" in the Client Security Deployment Guide. |
5 |
The target computer, <target machine name>, is not identified as a MOM Management Server. Verify the target computer's name and try again. If this error recurs, update the computer discovery rules manually. For more information, see "Migrating Client Security topologies" in the Client Security Deployment Guide. |
6 |
The computer discovery rules could not be updated. You may need to update the computer discovery rules manually. For more information, see "Migrating Client Security topologies" in the Client Security Deployment Guide. |
If you encounter any of the preceding errors, perform the following steps on the collection server.
To manually update the Computer Discovery Rules and update the agents
On the target collection server, in the MOM 2005 Administrator Console, in the tree, expand Administration, expand Computers, and then click Computer Discovery Rules.
In the details pane, for each client computer discovery rule (indicated by a monitor icon in the Rule type column), perform the following steps:
Right-click on the rule, and then click Properties.
In the Management Server list box, ensure the computer listed is the target collection server. If the computer listed is the source collection server, click the down-arrow button, select the target collection server name, and then click OK.
On the target collection server, in the MOM 2005 Administrator Console, in the tree pane, right-click Computer Discovery Rules, and then click Run Computer Discovery Now.
On the target collection server, in the tree pane, click Agent-managed Computers and in the details pane verify that the new collection server name appears in the Management Server column.
On the target collection server, in the details pane, select all agents, right-click the agents, click Update Agent Settings, and then click OK.
Manually installed agents that have Full in the Control Level column can be updated using the preceding steps.
Agents that have None in the Control Level column must be modified on the agent.
On the agent, open Add or Remove Programs, and under the Microsoft Operations Manager 2005 Agent,click Change.
Click Next, ensure that Modify is selected, and then click Next.
Select Modify Management Group, and then click Next.
In the Management Server text box, type the name of the target collection server, and then click Next.
Click Finish.
Configuring the management server
Policies on the management server must be modified to cause them to be updated with the new collection server information.
To update the Client Security policies
On the management server, launch the Client Security console and click on the Policy Management tab.
For each policy listed, perform the following steps
Right-click the policy and click Edit
In the Comments text box, type a comment and click OK. This modification to the policy is necessary to mark the policy as changed so it will be re-deployed.
Click the Deploy button, and then on the dialog box that opens, click Deploy.
To verify that the new collection server can communicate with the collection database server, perform the following steps.
To verify communication
Start the Client Security console, and then click Scan Now.
Select Scan a specific computer, and then enter the name of that computer in the Name box.
Note
You cannot specify the computer by IP address. You must use the computer name.
Select the type of scan you want to perform: Quick scan or Full scan.
Click the Scan Now button.
After the scan has completed, start Internet Explorer and browse to https://reportservername/Reports
On the SQL Server Reporting Services Home page, click Microsoft Operations Manager Reporting, click Microsoft Forefront Client Security, and then click Computer Detail.
In the Computer Name text box, type the name of the computer you just scanned, and then click View Report.
If any of the verifying communication steps fail, verify that you have performed all previous steps. If communications continue to fail, contact Microsoft product support.
The final step in the migration of the Client Security collection server component is to uninstall the collection server component from the source server. This should be done only after successful verification of communication.
To uninstall the collection server component
- Follow the instructions for uninstalling the collection server component in Removing an existing installation of Client Security.
If the source collection server will continue to host the Client Security management server component, you must reinstall the MOM Server portion of the management component.
To reinstall MOM Server for the management component
Click Start, click Run, and then type the following command:
Msiexec /i sourcefilelocation\server\momserver.msi
In the Microsoft Operations Manager 2005 Setup wizard, click Next.
Accept the terms in the license agreement, and then click Next.
On the Product Registration page, click Next.
On the Installation Options page, select Custom, and then click Next.
In the list, click all options except MOM 2005 User Interfaces, select This component will not be available, and then click Next.
On the Prerequisite Check Passed page click Next.
When the installation is completed, click Finish.