
How to move the SEE-MS SQL database from one server/instance to another


Article ID: 152340


Products

Endpoint Encryption, Desktop Email Encryption, Drive Encryption, Encryption Management Server, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

Symantec Endpoint Encryption Management Server (SEE MS) uses MS SQL as its backend infrastructure.  Backing up the database incorporates all previous steps, and we recommend making regular backups of the SEE Database.

If you need to move the SEE Database from one server to another, the method is the same as for any MS SQL database.

This article will go over the general guidance to move the SEE Database from one MS SQL Server to another (different physical locations).

Resolution

As mentioned above, Symantec always recommends keeping a backup of the SEE Database at a different location, so that if the current database server/location is not available, a recovery method can be used to bring the server back up.

This same logic can be applied to easily move the SEE MS Database from one SQL Server to another and then the SEEMS Configuration Manager can be used to update this information.

It is also possible to simply move from one instance to another instance and just reconfigure the SEEMS Configuration Database page.

TIP: Before you start, take a screenshot of the Database screen on the SEEMS Configuration Manager as a reference.  Be ready to revert the changes if needed.

 

 

Scenario 1 of 3: Move the SEE MS Database to another location/instance - Use SEEMS Configuration Manager to Update database location/instance

Steps to Change the Database:

Step 1: Back up the existing SEE database using the MS SQL backup process.
Step 2: On the new MS SQL Server make sure to include all the same users and permissions from the original server.
Step 3: Restore the database on the new MS SQL server using the MS SQL database restore process.
Step 4: On the SEE Management Server, run the SEEMS Configuration Manager.
Step 5: Change the database server name to the new server\instance and port with the appropriate login and password.
Step 6: Update all systems that are running the SEE-MS console with the new DB server\instance.
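
Steps 1 to 3 above, sketched in T-SQL as an added example (not taken from Symantec documentation). The database name `SEEMSDb`, the logical file names and the `D:\` paths are placeholders; substitute the values from your own environment.

```sql
-- Added example. Placeholders (assumptions): database SEEMSDb, D:\Backup, D:\SQLData.
-- The backup file contains the full SEE database, so keep it on an
-- access-controlled path and delete it from staging once the move is complete.

-- Step 1 (existing SQL Server): copy-only full backup with page checksums.
-- COPY_ONLY leaves the regular backup chain untouched.
BACKUP DATABASE [SEEMSDb]
    TO DISK = N'D:\Backup\SEEMSDb_move.bak'
    WITH COPY_ONLY, CHECKSUM, INIT, STATS = 10;
GO

-- Confirm the file is readable and its checksums are valid before copying it.
RESTORE VERIFYONLY
    FROM DISK = N'D:\Backup\SEEMSDb_move.bak'
    WITH CHECKSUM;
GO

-- Step 3 (new SQL Server): list the logical file names stored in the backup,
-- then restore, mapping each one to a path that exists on the new server.
RESTORE FILELISTONLY FROM DISK = N'D:\Backup\SEEMSDb_move.bak';
GO

RESTORE DATABASE [SEEMSDb]
    FROM DISK = N'D:\Backup\SEEMSDb_move.bak'
    WITH MOVE N'SEEMSDb'     TO N'D:\SQLData\SEEMSDb.mdf',      -- logical names are placeholders
         MOVE N'SEEMSDb_log' TO N'D:\SQLData\SEEMSDb_log.ldf',
         CHECKSUM, RECOVERY, STATS = 10;
GO

-- Step 2 check (new SQL Server): SQL-authenticated database users whose SID has
-- no matching server login. These are the accounts that will fail to connect.
USE [SEEMSDb];
SELECT dp.name, dp.type_desc
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE sp.sid IS NULL
  AND dp.type = 'S'                              -- SQL users only
  AND dp.principal_id > 4                        -- skip dbo, guest, sys, INFORMATION_SCHEMA
  AND dp.authentication_type_desc = 'INSTANCE';  -- users that expect a server login
GO

-- For each row returned: create the login on the new server, then re-map the user:
--   ALTER USER [user_name] WITH LOGIN = [login_name];

-- Logical and physical consistency check of the restored copy.
DBCC CHECKDB ([SEEMSDb]) WITH NO_INFOMSGS;
GO
```

An empty result from the orphaned-user query and no errors from `DBCC CHECKDB` are the conditions to meet before changing the database settings in Step 5.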

The SEE Online Help file offers the following information:

"This option displays the NetBIOS name of the computer that hosts the Symantec Endpoint Encryption database. If you use a named instance, this field displays the NetBIOS name and the instance name. For example, SEEDB-01\NAMEDINSTANCE.
You should edit this option if you moved the Symantec Endpoint Encryption database to a different computer, or if you renamed the computer.
To enable TLS/SSL, this name must match the common name (CN) in the server-side TLS/SSL certificate."

 

Validate the change was successful:

Once you make the change, wait for a few minutes, and then check the following:

*Have several SEE clients check in via the SEE Management Agent.
*Look at the Computer Status Report and ensure other clients are checking in.
*Log in to the SEE Web Portal and ensure you are able to log in, and then search in the reporting (on SEE 11.4) and look for recovery keys.

 

 

Scenario 2 of 3: Perform a new SEE Management Server Installation and reference the new location/instance of the SEE MS database (Same Server hostname)

If you reinstall the SEE Management Server, you can enter the new MS SQL server\instance during the Database portion of the setup.

To check that these values were updated properly, you can check the following registry keys:

 
HKLM\Software\Encryption Anywhere\Management Console\Framework

The SQLServer value should reflect the new Server\Instance

 

In this scenario, you are keeping the same hostname of the SEE Management Server.  This is necessary so that SEE Clients communicating with this particular hostname will continue to do so.

SEE Clients are agnostic to the actual location/instance of the SEE MS database as the server is the only component aware of this situation.  The SEE Client is aware of the SEE MS hostname, so be careful if you are considering changing hostnames.

 

 

Scenario 3 of 3: SEE Management Server and Database need to be migrated to new Windows Servers for both components (Keep servers operating independently)

In this scenario, we will have the following servers and conditions:

*The SEE Management Server called, "SEEMS-Server-Existing", has a database that resides on a different Windows server called "WinSQLServer-Existing".

*All SEE Clients point to "SEEMS-Server-Existing" for server-client communications.

*A New Windows Server has been designated where the SEE Management Server should be migrated to, called "SEEMS-Server-New".

*A New Windows Server has been designated where the SEEMS Database should be migrated to, called "WinSQLServer-New".

*The existing SEE Clients will need to talk to the new SEE Management Server.

 

Based on all of the above, the following steps may be considered:

*Copy the Database from "WinSQLServer-Existing" to the new server "WinSQLServer-New".

*Install SEE Management Server on "SEEMS-Server-New" and during the installation, point to the database you copied and reference the new "WinSQLServer-New" instance/location.

Once this has been done, the end result will be that two SEE Management Servers are available for SEE Clients to communicate with.

 

When you build a SEE client, you will then have two Management Server hostnames to choose from.  

If you would like to have all SEE Clients as well as net-new clients communicating with the new SEE Management Server, create a new Client and ensure the new hostname is configured.

*Make sure the TLS Certificate is provided in the SEEMS Configuration Manager and has the proper hostname configured for resolution to happen. Self-Signed Certs are not recommended.  
See article 178609 for general guidelines on certificates or reach out to Symantec Support for further advice.

To test if the above works, create a client on "WinSQLServer-Existing" and have it check in.  Then create a SEE Client on "WinSQLServer-New" and make sure it checks in.

To get all existing clients currently pointed to the "Existing" SEE Management Server to start communicating with the new SEE Management Server, install the SEE Client from the "New" SEE Management Server over the top.

Tip: This is a great opportunity to upgrade your SEE Clients to the latest versions as this will also require deploying a new SEE Client to all machines.

 

The old SEE Management Server could then be shut down if all clients are now pointed to the new server "WinSQLServer-Existing".  

 

 

If you run into any trouble with this, feel free to reach out to Symantec Encryption Support, and always be ready to revert the changes back to what they were before.

Additional Information

Scenario 1: Moving SEE Client from Old SEE Management Server to New SEE Management Server
163292 - Migrating from one SEE Management Server to another (Completely new SEE Database)

Scenario 2: (Moving from PGP client/server to SEE client/server)
227509 - Migrating from Symantec Encryption Desktop to Symantec Endpoint Encryption (Drive Encryption components)

Scenario 3: Moving SEE Clients from the same database to another SEE Management Server with the same Database
154122 - How to Migrate Symantec Endpoint Encryption Management Console and all the clients from one Server to another Server, without moving the existing SQL Server

Scenario 4: Moving same SEE database from one DB instance to another
152340 - How to move the SEE-MS SQL database from one server/instance to another

Scenario 5: Update which hostname the SEE Clients use for communications (Keeping same database)
249333 - Changing Web Access for SEE Clients on Symantec Encryption Management Server