Will migrating DLP Detection server operating system affect current incidents stored in the database?

Article ID: 226569

Products

Data Loss Prevention Endpoint Prevent, Data Loss Prevention

Issue/Introduction

We’re currently upgrading our Windows 2012 detection servers to Windows 2019 – this is the vast majority of boxes, including eventually Enforce.

For the detection servers we are trying to keep FQDN & IPs the same, particularly in the case of the Endpoint boxes where the EP clients reference FQDNs in their respective configs.

What is the best way to remove the “old” servers from the console when there may be thousands of incidents associated with them, and how do we manage those incidents?
We have tried to keep the respective IPs & FQDNs the same on the old and new boxes, but is this the best approach? I’m wondering whether this creates any issues on the console with the existing legacy incidents.

Environment

Release : 15.7

Resolution

Removing/deleting or replacing the detection servers does not impact the current incidents stored in the database; they should remain intact and unaffected. You don't need to do anything with those incidents.

The only place where you might encounter an issue is when running a report filtered on a particular server that has been removed from the console: the server no longer exists there, but its incidents are still present.

Note also that if you remove a server and then re-add it to the console, its server ID in the database will have changed, so it is treated almost as a new server with the same name and IP.

Yes, keeping the same IPs & FQDNs is the best approach. No additional changes are then required in the console or on the agents, so the impact is minimal.