Replacing NTP console

Products Threat Prevention Discussions & Questions
,
1

We are in the process of replacing all 2016 servers with 2022 and as a part of that, we have to replace our NTP console. I’m curious if someone has figured out a relatively painless way to move the agents from one console to another. My first thought is we need to run a script to update the host/ip in each agent’s config. If there’s a easier way, please let me know.

2

Hi Art,
The easiest way is to use ‘Update Agent Settings’ in the Agents list.

There you can set address of your new EM Server.

3

Here’s some steps that I was given for the same process.

  1. Performing a backup/restore process of the NvMonitor and NvData databases from the old SQL server to the new SQL server.
  2. Performing backups of the NTP policies.
  3. Performing backups of the SI Enterprise Manager and SI WinConsole certificates. These will need to be moved to the new app server.
  4. Unharden all agents and verify that the versions are all the same.
  5. Stop and disable the Enterprise Manager service within the windows services console.
  6. Verify that the service account used to run the Enterprise Manager service has the same access and permissions as the previous account.
  7. Run the 7.5.x.x (or whatever version you have) server installer on the new application server.
  8. Import the contents of the old CertsInfo folders into the new folders for the Enterprise Manager and the WinConsole. This must be done before opening the new NTP admin console.
  9. Once the certificates has been imported open the admin console on the new server. You will prompted with the option to update the policy templates. Please select yes.
  10. Allow for the agents to populate the console.
  11. Right-click on any agent and perform an “Update Agent Settings” This will update the agent configuration file with the new application server IP address which should establish an active connection. Repeat this process for all agents.
2 Likes
4

For our migration, we will use the same SQL cluster so no changes there and we’re using the same service account as well. Would we want both old and new consoles online at the same time? Is the cert backup just a copy or an actual export? Would we run the Update Agent Settings from the new console or the old one? Just want to make sure we do everything in the right order.

5

I’m wondering if you all can help me put together a detailed plan to move from console1 to console2 (different hostnames/ip) assuming we’re using the same SQL and the same service account. I assume some of the steps will include migrating the agents and migrating the certificates. I’m assuming we can’t have both consoles running at the same time as well.

6

Hello Art - The following steps should do what you want.
-Tony
7.4 or 7.5 relocate EM/Console

  1. Install NTP Server to new box point to existing DB
  2. Stop new EM Service post installation
  3. Copy files EXCEPT “secret.dpapi” from original EM Certsinfo folder to certsinfo folder of new EM box - replacing files created by new install. We dont want the “new” certs.
  4. Export / Import “secret.dbapi from old to new EM
    a. On original EM: “SecretMgr.exe –e myOutFile”
    b. Up to user to place “myOutFile” on 2nd EM machine in a secure way
    c. On 2nd EM : “SecretMgr.exe –i myOutFile”
  5. Update agents EM address using original EM console
    a. From agent panel multiselect all agents
    b. Right click and pick “Update Agent Settings” then click next
    c. Fill in left side of dialog being sure to enter IP of the NEW EM box
    d. Select “Keep existing settings” on right side of dialog
    e. Press next to apply the change
    f. NOTE: If any agents don’t get the new EM IP will need to edit agents local SIWindowsAgent.exe.config entry for “managerAddress” then restart agent service
  6. Stop original EM service
  7. Start EM service on new machine
  8. Within 5 minutes agents should start to show up in console on new EM/Server machine (may need to restart NTP Agent service on DC’s if they do not switch over on own – first ensure current value for “managerAddress” in agents SIWindowsAgent.exe.config file. If you manually edit the .config file then the agent service does have to be restarted to see the change.
2 Likes
7

Per comments from Jay - If you have hardend agents be sure to ‘soften’ them before doing ANYTHING else. Can re harden after all confirmed working with new EM.