
2013 McAfee, Inc. All Rights Reserved.

ePolicy Orchestrator 5.1 Essentials

This module covers the essential information on maintaining an ePO Server and database. The
information presented in this module is not all-inclusive. Enterprise customers most often just need
to know where the must-preserve data is located. From there, they'll usually fold the new setup
into their existing backup and recovery plan, already set forth by the organization.
The most crucial data for ePO is obviously the database. The entire system can be restored with a
recent copy of the database. But there is other data that can ease the process greatly in the event a
restoration is needed. Students will be shown how to manage ePO Security Keys and review
important logs, along with utilizing database maintenance tools.

ePO is not an appliance-based solution. It is installed on the customer's hardware. Therefore,
customers need to maintain and protect their ePO Server and database. Failure to do so
will cost them a lot of downtime and headaches. They need to keep the server up to date on patches
and updates. This includes not only McAfee ePO patches, but also Microsoft patches for the
operating system and the SQL database, and some sort of malware protection application (e.g.
VirusScan Enterprise).

Several of the available ePO Server Tasks can assist with periodic server maintenance tasks like
maintaining System Tree synchronization, managing product licenses, purging old data, maintaining
repositories, and maintaining Rogue System Sensors.

Security Keys
ePolicy Orchestrator uses security keys to secure the agent-to-server communication, and to sign and
validate packages.
Agent-to-server secure communication keys
Agent-to-server secure communication (ASSC) keys are used by the agents to communicate securely
with the server. You can make any ASSC key pair the master, which is the one currently assigned to
agents deployed in the environment. The ePO Agent Key Updater package needs to exist in the Master
Repository, and the McAfee Agent update task has to have the ePO Agent Key Updater selected. Existing
agents using other keys in the list will change to the new master after their next update. It is
important to wait until all agents have updated to the new master before deleting any
older keys.
Master repository key pair
The master repository private key signs all unsigned content in the master repository. Agents use the
public key to verify the repository content originating from the master repository on the ePO server. If
the content is unsigned, or signed with an unknown repository private key, the downloaded content
is considered invalid and deleted.
This key pair is unique to each server installation. However, by exporting and importing keys, you can
use the same key pair in a multi-server environment.
Other repository public keys
These are the public keys that agents use to verify content from other master repositories in the
environment or McAfee source sites. Each agent reporting to this server uses the keys in this list to
verify content that originates from other ePO servers in the organization, or from McAfee owned
sources. If an agent downloads content that originated from a source for which the agent
does not have the appropriate public key, the agent will discard the content.

Customers in multi-server environments can choose to use the same ASSC key pair for all servers and
agents. You can export the ASSC key pair from one McAfee ePO server and import it on a different ePO
server, to allow the existing agents to talk to the new ePO server.
You can choose to make any ASSC key pair the master, which is the key pair currently assigned to all
deployed agents.
They can also choose to use a different ASSC key pair for each McAfee ePO server, in an environment
where each server must have a unique agent-to-server communication key pair; in that case make sure
every agent holds the key of the server it is required to communicate with.

NOTE: Agents can communicate with one server at a time. The ePO server can have multiple keys to
communicate with different agents, but the opposite is not true. Agents cannot have multiple keys to
communicate with multiple ePO servers.

ASSC Keys in Multi-Server Environments

You can have both a 2048-bit and a 1024-bit ASSC key pair set as master at the same time. ePO talks
to McAfee Agent 4.8 with the stronger (2048-bit) key; the 1024-bit master remains for older agents.

You can view which systems are using a key-pair, when editing security keys, by highlighting the key
and selecting the View Agents button.

Before deleting the previous master key pair from the list, wait until all agents have started using
the new master key pair. Agents begin using the new key pair after they complete their next update
task that has the ePO Agent Key Updater selected. At any time, you can see which agents are using
any of the ASSC key pairs in the list.

CAUTION: Do not delete any keys that are currently in use by any agents; those agents would no longer
be able to communicate with the server.
You cannot delete a key designated as the Master Key. You must make another key the Master before
deleting the old key.
In ePO 5.x you also cannot delete a key that an agent is still using.

The master repository key pair is unique for each installation. If you use multiple servers, each uses a
different key. If the agents are configured to allow the download of content that originates from
different master repositories, you must ensure that agents recognize the content as valid. You can
ensure this in two ways:
- Use the same master repository key pair for all servers and agents
- Ensure agents are configured to recognize any repository public key used in the environment

It is recommended that you back up all keys before making any changes to the key management
settings.

After installation you can change only two ports: the Agent wake-up communication port and the Agent
broadcast communication port. If you need to change other ports, you must either reinstall the
server and reconfigure the ports in the installation wizard, or refer to the available KnowledgeBase
articles.

Purge the Audit Log

The Audit Log page is used to find and view actions taken by all users. Here, you can maintain and
access records of all McAfee ePO user actions. The entries are displayed in a sortable table.
Customers can delete entries from the Audit Log based on a user-specified age. This action purges all
audit log entries older than the specified age.

Purge the Threat Event Log

The Threat Event Log page allows you to view and manage the event records in the database. You can
purge events from the log based on a user-specified age. The action deletes all the event log
entries older than the specified age.

Purge Old Data

The idea is that customers should be purging data on a regular basis. Here's an example of a task that
they should run every single day.
Review the 9 actions set up in this example server task. Notice that the 8th action is configured to
purge by query. This is just an example, but it illustrates the power behind server tasks, and
represents a modest approach to keeping the database clean.

Customers may find themselves needing to migrate the database to another server, or they may want
to upgrade the hardware on the existing server. Before performing any migration, the first step is to
back up the database.
The steps involved in the migration process depend on many factors. Are they keeping the server
name and IP address the same? Is one changing but not the other? Are there network
communication boundaries that need to be acknowledged and dealt with? Etcetera.
Additional information (note that these articles were written for ePO 4.x; check the KnowledgeBase
for the 5.x equivalents):
- KB67605 - How to change the ePO 4.5.0 and 4.6.0 Agent-to-Server communication port 80
- KB72936 - How to change ePO Agent-to-Server Communication secure port 443
- KB52141 - How to change the ePolicy Orchestrator 4.x Console-to-Application Server
  communication port 8443
- KB68963 - How to change the ePolicy Orchestrator 4.x Client-to-server authenticated
  communication port 8444

Customers may also need to migrate their ePO server. This topic explains the process of migrating an
existing ePO Server to a new hardware platform according to the recommended procedure. This
information is intended for use by network and ePO administrators only. These instructions are
intended as guidelines for migration. All liability for use remains with the user.
The instructions in this topic can also be used for disaster recovery.
NOTE: The Agent uses the last known IP address, DNS name, or NetBIOS name of the ePO server. If
you change any one of these, ensure that the Agents have a way to locate the server. The easiest way
to do this is to retain the existing DNS record and change it to point to the new IP address of the
ePO server. After the Agent is able to connect to the ePO server, it downloads an updated
SiteList.xml with the current information. The procedure can also be used by customers who want to
migrate the ePO server to another system. For ePO 5.x users, it is preferable to use the built-in
Disaster Recovery feature to migrate the ePO server to another system.

In preparation for server migration, you will want to back up the folders shown here on the server.
There are multiple KB articles available on how to back up the SQL database.

It is important to back up the ePO Keystore pairs.

The task shown here backs up the repository and agent communication keys.
These are stored in the following folder by default: ...\Program Files\McAfee\ePolicy
Orchestrator\DB\Keystore\

You must reinstall ePO to the exact same directory path as the previous installation or the
initialization of extensions will fail when the restore is complete.
The server.ini file located in the previous installation (\Program Files (x86)\McAfee\ePolicy
Orchestrator\DB) stores the following information:
HTTPPort= 80 (Agent-to-Server communication port)
AgentHttpPort= 8081 (Agent Wake-Up communication port)
SecureHttpPort= 8443 (Console-to-Application Server communication port)
BroadcastPort= 8082 (Agent Broadcast communication port)
If you use the original SQL server, the installer will attempt to create a database called
ePO_<epo_servername>. Because the name of the original ePO server is retained, the original
database has to be backed up and detached. Otherwise, the installer prompts you to overwrite the
existing database.

1. Log on to the new ePO server.
2. On the new ePO server, click Start, Run, type services.msc, and click OK.
Right-click each of the following services and select Stop:
McAfee ePolicy Orchestrator 5.1.0 Application Server
McAfee ePolicy Orchestrator 5.1.0 Event Parser
McAfee ePolicy Orchestrator 5.1.0 Server
3. Click Start, Run, type cmd and click OK.
4. If you backed up the database using OSQL/sqlcmd commands, restore the ePO database by typing the
following command and pressing ENTER:
sqlcmd -E -S servername\instancename -Q "RESTORE DATABASE ePO4_servername FROM DISK = 'c:\backupdirectory\test'"
NOTE: c:\backupdirectory\test is the location of the database backup file, and ePO4_servername is the
name of the database being restored (the ePO 5.x installer names the database ePO_<epo_servername>,
as noted above; use the name your installation actually has).
5. Close the command prompt window.

Replace the existing folders for the paths listed above with the contents of the backed up copies.

1. Before you enable and start the ePO services, ensure that the contents (version numbers) of the
C:\Program Files\McAfee\ePolicy Orchestrator\server\extensions\installed folder match the
extensions listed in the OrionExtensions table.
To check the contents of the OrionExtensions table, open the SQL tools and run the following T-SQL
command:
Select * from OrionExtensions
If there is a mismatch at server startup, the server removes each extension that is not listed in the
OrionExtensions table. If this happens, check in those extensions again and restore the
database again.
2. Start the McAfee ePolicy Orchestrator 5.1.0 Application Server service.
NOTE: You must start this service for RunDllGenCerts to work.
3. Rename the SSL.CRT folder (see path below) to SSL.CRT.OLD and manually create an empty folder
named SSL.CRT in the same path; otherwise the setup will fail to create a new certificate:
"C:\Program Files\McAfee\ePolicy Orchestrator\APACHE2\CONF\SSL.CRT"
4. Click Start, Run, type cmd, and click OK.
5. Change directories to your ePO installation directory.
Default path:
Program Files\McAfee\ePolicy Orchestrator\
6. Run the following command:
IMPORTANT:
- This command will fail if User Account Control (UAC) is enabled on this server. If this is
Windows Server 2008 or later, disable UAC for the duration of the procedure and re-enable it once
the certificates have been regenerated. You can find more information about UAC at:
http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx.
- This command is case-sensitive. The ahsetup.log (found in <installdir>\Apache2\conf\ssl.crt)
records whether the command succeeded or failed and states whether it used the
files located in the ssl.crt folder.
Rundll32.exe ahsetup.dll RunDllGenCerts <eposervername> <console HTTPS port> <admin
username> <password> <"installdir\Apache2\conf\ssl.crt">
where:
<eposervername> is your ePO server NetBIOS name
<console HTTPS port> is your ePO Console port (default is 8443)
<admin username> is admin (use the default ePO admin account)
<password> is the password of the ePO admin console account
<installdir\Apache2\conf\ssl.crt> is the path to the Apache ssl.crt folder under your installation
directory; default installation path:
64-bit: "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\APACHE2\CONF\SSL.CRT"
Because the password is passed on the command line, it is visible to anyone who can list processes on
the server and may be kept in the command history; change the admin password once the restore is
finished.
Example:
Rundll32.exe ahsetup.dll RunDllGenCerts eposervername 8443 administrator password
"C:\Program Files (x86)\McAfee\ePolicy Orchestrator\APACHE2\CONF\SSL.CRT"
7. Start the following services:
McAfee ePolicy Orchestrator 5.1.0 Event Parser
McAfee ePolicy Orchestrator 5.1.0 Server
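The restore sequence above (stop services, restore the database, put the backed-up folders in place,
verify the extension list against OrionExtensions, regenerate the certificates, start services) as one
PowerShell script. This is an added example written for this page, not a McAfee script. The install
path, SQL instance, database name, backup locations, console port and admin account name are
assumptions, and so is the column name used to read extension names out of OrionExtensions (the page
only says to run SELECT *; confirm the column before relying on the check).

```powershell
# Added example, not McAfee code. Run from an elevated PowerShell prompt on the restore server.
$ErrorActionPreference = 'Stop'

$EpoRoot      = 'C:\Program Files (x86)\McAfee\ePolicy Orchestrator'  # assumed; must equal the original install path
$SqlInstance  = 'EPOSQL\EPO'                                           # assumed SQL instance
$Database     = "ePO_$env:COMPUTERNAME"                                # installer default per the page; adjust if different
$BackupFile   = 'D:\Restore\ePO.bak'                                   # assumed .bak from the backup job (path as seen by SQL Server)
$FolderBackup = 'D:\Restore\folders'                                   # assumed copy of SERVER, DB\SOFTWARE, DB\KEYSTORE, APACHE2\CONF
$ConsolePort  = 8443
$AdminUser    = 'admin'
$NameColumn   = 'Name'                                                 # ASSUMPTION: column in OrionExtensions holding the extension name

$Services = @{
    App    = 'McAfee ePolicy Orchestrator 5.1.0 Application Server'
    Parser = 'McAfee ePolicy Orchestrator 5.1.0 Event Parser'
    Server = 'McAfee ePolicy Orchestrator 5.1.0 Server'
}

# 1. Stop all three ePO services before touching the database or the folders.
$Services.Values | ForEach-Object { Stop-Service -DisplayName $_ }

# 2. Restore the database over the empty one the installer created (WITH REPLACE).
$sql = "RESTORE DATABASE [$Database] FROM DISK = N'$BackupFile' WITH REPLACE, CHECKSUM, STATS = 10"
& sqlcmd.exe -E -S $SqlInstance -b -Q $sql
if ($LASTEXITCODE -ne 0) { throw "database restore failed (sqlcmd exit $LASTEXITCODE)" }

# 3. Replace the freshly installed folders with the backed-up copies (/MIR makes them identical).
foreach ($f in 'SERVER', 'DB\SOFTWARE', 'DB\KEYSTORE', 'APACHE2\CONF') {
    & robocopy.exe (Join-Path $FolderBackup $f) (Join-Path $EpoRoot $f) /MIR /R:2 /W:5 /NP /NFL /NDL | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed for $f (exit $LASTEXITCODE)" }
}

# 4. Every extension folder on disk must be listed in OrionExtensions, otherwise the server deletes it
#    at startup. This compares folder names only; the page also wants the version numbers checked.
$installed = Get-ChildItem -Directory -Path (Join-Path $EpoRoot 'server\extensions\installed') |
             Select-Object -ExpandProperty Name
$rows = & sqlcmd.exe -E -S $SqlInstance -d $Database -b -h -1 -W -Q "SET NOCOUNT ON; SELECT [$NameColumn] FROM OrionExtensions"
if ($LASTEXITCODE -ne 0) { throw "could not read OrionExtensions (is `$NameColumn = '$NameColumn' the right column?)" }
$inDb    = @($rows | ForEach-Object { $_.Trim() } | Where-Object { $_ })
$missing = @($installed | Where-Object { $inDb -notcontains $_ })
if ($missing.Count -gt 0) {
    throw "On disk but not in OrionExtensions: $($missing -join ', '). Check these extensions in again and restore the database again."
}

# 5. Tomcat must be running for RunDllGenCerts; it needs an empty SSL.CRT folder to write into.
Start-Service -DisplayName $Services.App
$sslDir = Join-Path $EpoRoot 'APACHE2\CONF\SSL.CRT'
if (Test-Path "$sslDir.OLD") { Remove-Item "$sslDir.OLD" -Recurse -Force }
Rename-Item -Path $sslDir -NewName "$sslDir.OLD"
New-Item -ItemType Directory -Path $sslDir | Out-Null

# The password ends up on the rundll32 command line (visible in process listings), so prompt for it
# instead of hard-coding it, and rotate the account's password after the restore.
$cred  = Get-Credential -UserName $AdminUser -Message 'ePO console admin password'
$plain = $cred.GetNetworkCredential().Password
# Argument names are case-sensitive. The working directory must be the install dir so ahsetup.dll is found.
Start-Process -FilePath 'rundll32.exe' -WorkingDirectory $EpoRoot -Wait -NoNewWindow `
    -ArgumentList @('ahsetup.dll', 'RunDllGenCerts', $env:COMPUTERNAME, $ConsolePort, $AdminUser, $plain, "`"$sslDir`"")
$plain = $null
# ahsetup.log says whether the certificates were generated; read it before starting the rest.
Get-Content -Path (Join-Path $sslDir 'ahsetup.log') -Tail 20

# 6. Bring up the remaining services.
Start-Service -DisplayName $Services.Parser
Start-Service -DisplayName $Services.Server
```

If the SQL instance is on another host, `$BackupFile` must be a path that host can read (a UNC share
the SQL Server service account has access to), because RESTORE runs on the SQL host, not on the ePO
server. The UAC note on the page still applies to the rundll32 step.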

Before backing up
If possible, shut down the McAfee ePolicy Orchestrator 5.1.0 Application Server service (Tomcat)
entirely while doing the backup. Otherwise, just make sure no one is installing, uninstalling, or
upgrading an extension during the backup. Normally backups occur during off-peak times (usually at
night), so this shouldn't be a big concern.

McAfee advises that customers place the ePO Server and database into their backup
routines/schedules.
The folder paths shown here should be backed up on the ePO Server:
C:\Program Files\McAfee\ePolicy Orchestrator\SERVER\
All installed extensions and the configuration information for the ePO Application Server service
are found here. If this directory is not backed up and restored, ePO has to be reinstalled against a
clean database to recreate them.
C:\Program Files\McAfee\ePolicy Orchestrator\DB\SOFTWARE\
All products that have been checked into the Master Repository are located here.
C:\Program Files\McAfee\ePolicy Orchestrator\DB\KEYSTORE\
The agent, server, and repository keys that are unique to the installation are located here. Failing to
restore this folder results in re-pushing the agent to all the systems and checking in all of the
deployable packages again.
C:\Program Files\McAfee\ePolicy Orchestrator\APACHE2\CONF
The server configuration settings for Apache, the SSL certificates needed to authorize the server to
handle agent requests, and the console certificates are located here.

If the customer is concerned about the amount of data being backed up, or if the customer simply
wants to reduce the number of items to back up, they can exclude the following subfolders from the
\SERVER folder:
C:\Program Files\McAfee\ePolicy Orchestrator\server\logs (server log files)
C:\Program Files\McAfee\ePolicy Orchestrator\server\cache (contains cached information
created and used by ePO, such as generated chart images)
C:\Program Files\McAfee\ePolicy Orchestrator\server\work (contains cached information
about web applications registered with Tomcat; Tomcat will regenerate that information if
deleted)
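The backup routine the page describes, as an added PowerShell example written for this page (not a
McAfee script): stop Tomcat, copy the four folders while skipping the three cache-type subfolders
listed above, take a full SQL backup of the ePO database (which carries the Disaster Recovery snapshot
records), verify it, and copy the set to a restore server as the Disaster Recovery section later
suggests. The install path, SQL instance, database name, staging folder and restore share are
assumptions.

```powershell
# Added example, not McAfee code. Schedule as a task under an account that may stop services,
# read the ePO folders and write to the restore share.
$ErrorActionPreference = 'Stop'

$EpoRoot      = 'C:\Program Files\McAfee\ePolicy Orchestrator'   # assumed install path
$SqlInstance  = 'EPOSQL\EPO'                                      # assumed SQL instance
$Database     = "ePO_$env:COMPUTERNAME"                           # installer default per the page
$BackupRoot   = 'D:\Backups\ePO'                                  # assumed staging folder (must be writable by the SQL service account)
$RestoreShare = '\\restore-sql\ePOBackups'                        # assumed share on the restore SQL server
$Stamp        = Get-Date -Format 'yyyyMMdd-HHmmss'
$Dest         = Join-Path $BackupRoot $Stamp
New-Item -ItemType Directory -Path $Dest | Out-Null

# Folders the page says must be preserved, and the SERVER subfolders it says may be skipped.
$Folders = 'SERVER', 'DB\SOFTWARE', 'DB\KEYSTORE', 'APACHE2\CONF'
$Exclude = 'logs', 'cache', 'work'

# Stop Tomcat so no extension is installed or upgraded while the SERVER folder is being copied.
$Tomcat = 'McAfee ePolicy Orchestrator 5.1.0 Application Server'
Stop-Service -DisplayName $Tomcat
try {
    foreach ($f in $Folders) {
        $src = Join-Path $EpoRoot $f
        $dst = Join-Path $Dest $f
        # /E copies the tree including empty directories; /XD excludes the cache dirs under SERVER only.
        $rcArgs = @($src, $dst, '/E', '/R:2', '/W:5', '/NP', '/NFL', '/NDL')
        if ($f -eq 'SERVER') {
            $rcArgs += '/XD'
            $rcArgs += @($Exclude | ForEach-Object { Join-Path $src $_ })
        }
        & robocopy.exe $rcArgs | Out-Null
        if ($LASTEXITCODE -ge 8) { throw "robocopy failed for $src (exit $LASTEXITCODE)" }   # 8+ = copy errors
    }

    # Full backup of the ePO database. The path is interpreted on the SQL host; use a UNC path
    # the SQL Server service account can write to if SQL runs on another machine.
    $bak = Join-Path $Dest "$Database.bak"
    & sqlcmd.exe -E -S $SqlInstance -b -Q "BACKUP DATABASE [$Database] TO DISK = N'$bak' WITH INIT, CHECKSUM, STATS = 10"
    if ($LASTEXITCODE -ne 0) { throw "SQL backup failed (sqlcmd exit $LASTEXITCODE)" }
    # Prove the file is restorable before relying on it.
    & sqlcmd.exe -E -S $SqlInstance -b -Q "RESTORE VERIFYONLY FROM DISK = N'$bak' WITH CHECKSUM"
    if ($LASTEXITCODE -ne 0) { throw "backup verification failed (sqlcmd exit $LASTEXITCODE)" }
}
finally {
    Start-Service -DisplayName $Tomcat      # Tomcat comes back even if a step above failed
}

# Ship the whole set (folders + .bak) to the restore SQL server so a DR restore can start from there.
& robocopy.exe $Dest (Join-Path $RestoreShare $Stamp) /E /R:2 /W:5 /NP /NFL /NDL | Out-Null
if ($LASTEXITCODE -ge 8) { throw "copy to $RestoreShare failed (exit $LASTEXITCODE)" }
```

The KEYSTORE folder holds the private keys that sign repository content and authenticate agents, so
the staging folder and the restore share need the same access restrictions as the ePO server itself.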

A feature introduced in ePO 5.0 is Disaster Recovery. This feature saves to the database all the
content required for backup and restoration.
Disaster Recovery
The ePolicy Orchestrator Disaster Recovery feature uses a Snapshot process to save specific McAfee
ePO server records to the ePolicy Orchestrator Microsoft SQL database.
The records saved by the Snapshot contain the entire ePolicy Orchestrator configuration at the
time the Snapshot is taken. Once the Snapshot records are saved to the database, you can
use the Microsoft SQL backup feature to save the entire ePolicy Orchestrator database and restore it
to another SQL server for an ePolicy Orchestrator restore.

When the installation wizard starts, you can choose to restore ePO from an existing database
snapshot.
What is a snapshot?
ePO 5.x comes with a supported mechanism for disaster recovery which helps you quickly recover, or
reinstall the ePolicy Orchestrator software.
Disaster Recovery uses a Snapshot process that periodically saves the ePolicy Orchestrator
configuration, extensions, keys, and more, to Snapshot records in the ePolicy Orchestrator database.

Using the restored ePolicy Orchestrator SQL database server that includes the Disaster Recovery
Snapshot, you can connect it to:
- Restored McAfee ePO server hardware with the original server name and IP address: this allows
you to recover from, for example, a failed ePolicy Orchestrator software upgrade.
- New McAfee ePO server hardware with the original server name and IP address.
- New McAfee ePO server hardware with a new server name and IP address: this allows you to,
for example, move your server from one domain to another.
  - This can provide a temporary network management solution while you rebuild
and reinstall the McAfee ePO server hardware and software back in its original domain.
- Restored or new McAfee ePO server hardware with multiple network interface cards (NICs): you
must confirm the correct IP address is configured for the McAfee ePO server NIC.
The Snapshot is configured, depending on your SQL database version, to run automatically every day.
If you configure a script to run the SQL backup automatically and copy the SQL backup file to your
restore SQL database server, then you can restore your McAfee ePO server much more easily. In
addition, you can manually take a Snapshot, or run your scripts, to quickly save and back up
particularly complex or important ePolicy Orchestrator changes.

The ePolicy Orchestrator software installation using the Disaster Recovery Snapshot includes
these general steps, performed on the McAfee ePO restore server:
1. Find the SQL database backup file copied in step 3 of the previous section, and use either
Microsoft SQL Server Management Studio or the RESTORE (Transact-SQL) command
to restore the primary SQL server configuration to the restore SQL server.
2. During the ePolicy Orchestrator software installation:
a. On the Software Welcome dialog box, click Restore ePO from an existing Disaster Recovery
database Snapshot.
b. Select Microsoft SQL Server to link the ePolicy Orchestrator software to the restore SQL
database that had the primary McAfee ePO server configuration restored in step 1.
Once the ePolicy Orchestrator software installation starts, the database records saved during the
Snapshot process are used for the software configuration instead of creating new records in the
database.
3. If the restore McAfee ePO server has a different IP address, DNS name, or NetBIOS name from the
primary McAfee ePO server, the McAfee Agents will not be able to connect to it on their own. The
easiest fix is in DNS: create a CNAME record for the old DNS name that resolves to the restore
server's name, or update the existing A record to the new IP address. DNS only helps agents that
locate the server by name; an agent whose site list holds only the old IP address needs that address
to remain reachable until it has connected once and downloaded the updated SiteList.xml.
Now the McAfee ePO restore server is running with the exact same configuration as the primary
server. The clients can connect to the restore server and you can manage them exactly as before the
primary McAfee ePO server was removed.

To quickly reinstall a McAfee ePO server, configure a Disaster Recovery snapshot to save, or confirm a
snapshot is being saved to the SQL database. Then back up that SQL database, which includes the
snapshot, and copy the database backup file to a restore SQL Server.
Disaster Recovery can be performed via:
- Dashboard monitor
- Scheduled Server Task
The ePO Server Snapshot monitor, found on your ePolicy Orchestrator dashboard, allows you to
manage and monitor your Snapshots in one place.

Using the Server Snapshot monitor, you can:
- Click Take Snapshot to manually save a McAfee ePO server Snapshot.

- Click See details of last run to open the Server Task Log Details page.

  This page displays information and log messages about the most recent Snapshot saved.

- Confirm the date and time the last Snapshot was saved to the SQL database, next to Last Run At.

- Click the Disaster Recovery link to launch the Help page with Disaster Recovery information.

The color and title of the Snapshot monitor tell you the status of your latest Snapshot.
For example:
- Green, Snapshot Saved to Database: the Snapshot process completed successfully and the Snapshot
is up to date.
- Blue, Saving Snapshot to Database: the Snapshot process is in progress.
- Red, Snapshot Failed: an error occurred during the Snapshot process.
- Orange, Snapshot Out of Date: changes to the configuration have occurred and a recent
Snapshot has not been saved. Changes that trigger a Snapshot Out of Date status include:
  - Any extension changed (for example updated, removed, deleted, upgraded, or downgraded)
  - The "Keystore" folder changed
  - The "conf" folder changed
  - The Disaster Recovery passphrase changed in Server Settings
- Grey, No Snapshot Available: no Disaster Recovery Snapshot has been saved.

You can use the Disaster Recovery Snapshot Server Task to disable and enable the Snapshot server
task schedule.
The Snapshot server task schedule is enabled, by default, for the Microsoft SQL Server database and
disabled, by default, for the Microsoft SQL Server Express Edition database.

Using Disaster Recovery to restore the ePolicy Orchestrator software requires certain hardware,
software, access privileges, and information.
You need two hardware server platforms:
- The existing McAfee ePO server hardware, referred to as the "primary" McAfee ePO server.
- Duplicate ePO server hardware, referred to as the "restore" server, running Microsoft SQL that
matches the primary McAfee ePO server database.
- This restore server should be kept up to date with the latest primary McAfee ePO SQL database
server configuration using Snapshot and Microsoft SQL backup processes.

To avoid backup and restore problems, the primary and restore server hardware and SQL versions
should closely match.

Hardware Requirements
1. Restore server hardware: the server hardware requirements are determined by the number of
systems managed.
2. The restore server hardware should closely mirror your primary McAfee ePO server hardware.
3. Primary McAfee ePO server: it should be up and running correctly with a recent Snapshot saved in
the SQL database.
4. Primary SQL database: it stores the McAfee ePO server configuration, client information, and
Disaster Recovery Snapshot records.
Software Requirements
1. Microsoft SQL Server Management Studio or the BACKUP (Transact-SQL) command: creates a backup
file of the primary database including the Snapshot records.
2. Microsoft SQL Server Management Studio or the RESTORE (Transact-SQL) command: restores the
primary database, including the Snapshot records, on the restore SQL database server to duplicate
the configuration of the primary SQL database.
3. ePolicy Orchestrator installation software, downloaded from the McAfee website: installs and
configures the restore McAfee ePO server.
Information Requirements
1. Disaster Recovery passphrase: added during the initial installation of the ePolicy Orchestrator
software, it decrypts the sensitive information stored in the Disaster Recovery Snapshot.
2. Access credentials: you must be able to access both the primary and restore servers and the SQL
database with sufficient rights, for example DBOwner and DBCreator.
3. Server IP address, DNS name, and NetBIOS name: if you change any one of these during the McAfee
ePO server restore, ensure that the McAfee Agents have a way to locate the server. The easiest way
is a Canonical Name (CNAME) record in DNS that points the old DNS name of the primary McAfee
ePO server at the restore McAfee ePO server (DNS cannot alias an old IP address; agents that hold
only the IP need it to remain reachable until they have fetched the new site list).

Using Disaster Recovery to create an ePolicy Orchestrator server Snapshot provides you with a quick
recovery method for the McAfee ePO server.
Configure Disaster Recovery Server Settings
You can change the Keystore encryption passphrase used when you installed the ePolicy Orchestrator
software and link it to an SQL database restored with Disaster Recovery Snapshot records.

McAfee recommends making specific maintenance settings to ePolicy Orchestrator databases.

Depending on the customer's deployment of ePolicy Orchestrator, they should plan on spending a
few hours each week on regular database backups and maintenance. The tasks discussed in this
section should be performed on a regular basis, either weekly or daily.
NOTE: The customer should be advised to review their SQL documentation or seek advice from their
Database Administrator for details on maintaining their ePO database.
McAfee recommends a database maintenance plan that performs a backup of the ePO database, with
the database in the Simple recovery model. In the Simple recovery model the inactive part of the
transaction log is truncated at each checkpoint, so the log never has to be backed up and does not
grow without bound; the backup file is what you restore from.
McAfee recommends Simple recovery because the transaction log is not essential in that model and
does not swell between backups. If you have multiple databases with different recovery models,
create separate database maintenance plans for each recovery model, so that you can include a step
to back up the transaction logs only for the databases that do not use Simple recovery.
In Simple recovery, once a checkpoint completes, the inactive log records from before the
checkpoint are discarded from the active log. A checkpoint is automatically taken when a backup is
made.

Every database in SQL is made up of MDF and LDF files. The ePO database will have its own MDF and
LDF files.
The MDF file contains the actual database content.
The LDF file records all transactions that occur. Each data modification in a SQL Server database is
immediately recorded to disk in a transaction log file with an LDF extension. In the event of a server
problem, such as the server losing power, SQL Server can scan its logs for any data modifications that
were committed and write them to permanent storage in the database. It also rolls back or undoes
any modifications that were not committed by the client program. This architecture ensures that the
data in the database remains consistent.

The ePO databases require regular maintenance to promote optimal performance and to protect the
data. Use the Microsoft management tool appropriate for the version of SQL being used:
SQL 2008 and 2012: SQL Server Management Studio
SQL Express: SQL Server Management Studio Express
Depending on the deployment of the ePolicy Orchestrator software, customers should plan on
spending a few hours each week on regular database backups and maintenance. Perform these tasks
regularly, either weekly or daily. However, these tasks are not the only maintenance tasks available.
See the SQL documentation for details on what else you can do to maintain the database.

Important: Use the ePO Disaster Recovery Snapshot feature to periodically save the ePO
configuration, extensions, keys, and more to Disaster Recovery Snapshot records in the SQL database.
This allows you to recover quickly if the hardware hosting the McAfee ePO server ever fails.

When ePO is installed it creates a primary data file that represents the ePO database and a
transaction log file. The Primary file name is ePO_<ServerName>.MDF. Customers should monitor
the size of this file to determine how large the ePO database is growing.
The transaction log file is named ePO_<ServerName>_log.LDF. As transactions are sent to SQL Server,
it records every one of them in the transaction log to maintain database consistency and aid in
recovery. The log is a storage area that automatically tracks changes to a database. As modifications
are executed they are written to disk within this log before they are written to the database.
It is extremely important that you back up the database in order to reduce the size of the transaction
log file; otherwise it continues to expand and fills up the hard drive.
You can find these files on the database server.
The default location is: C:\Program Files\Microsoft SQL Server\MSSQLx.x\MSSQL\DATA\


You must have a proper database maintenance plan configured to ensure that the ePO database
performance is healthy. There are two ways to create a maintenance plan:
Maintenance Plan Wizard: Recommended for creating a basic maintenance plan.
New Maintenance Plan: Allows you to utilize enhanced workflow.
To create or manage Maintenance Plans, you must be a member of the sysadmin fixed server role.
Note that this section provides a high-level view of how to create a basic Maintenance Plan for the
ePO SQL database. For detailed information, including supported procedures, refer to the
documentation or help for the SQL Server edition installed in your ePO environment, as well as the
Microsoft TechNet site (http://technet.microsoft.com).


To create a maintenance plan for the ePO database, complete the following steps. For demonstration
purposes, the SQL Server instance hosting the ePO database in this example is running SQL Server
2008 R2.
1. Click All Programs > Microsoft SQL Server <version>.
2. Expand the Microsoft SQL Server <version> folder, then click SQL Server Management Studio.
A Connect to Server dialog opens.
3. Make sure Authentication is set to Windows Authentication, then click Connect. Note that the
User Name and Password fields are grayed out when Windows Authentication is selected.


Creating Maintenance Plan (Continued)


4. Launch the Maintenance Plan Wizard, which guides you through creation of a plan, customized
to meet your maintenance requirements.
Expand the server (for example, MLD-EPO\EPOServer).
Expand the Management folder.
Right-click on Maintenance Plans.
Select Maintenance Plan Wizard.
5. When prompted, click Next to continue.


Creating Maintenance Plan (Continued)


6. In the Name box, type a meaningful name; for example, ePO SQL Database Maintenance Plan.
Optionally, enter a Description.
7. Keep the Single schedule for the entire plan or no schedule setting.
8. Click the Change button to define a schedule for when the maintenance plan executes. The default
is Not Scheduled (On Demand).
NOTE: Maintenance plans can contain multiple sub-plans, each holding its own collection of tasks.
Each sub-plan can be scheduled to run its tasks at different times.


Creating Maintenance Plan (Continued)


9. You are prompted to define Job Schedule Properties. Note the name field is prepopulated,
based on your entry on the previous dialog.
10. For Schedule type, select one of the options from the drop list; for example, Recurring. Other
options are:
Start automatically when the SQL Server Agent launches
Start whenever the CPUs become idle
One time
NOTE: The fields on the dialog change, depending on the selected Schedule Type.
If you select Recurring, define the Frequency and Duration.
If One time is selected, define the Occurrence (date and time).
If you select one of the Start options, then there are no fields to define.
11. To ensure the task runs, make sure Enabled is selected (check, tick).
12. After completing the dialog to meet your scheduling needs, click OK. You are returned to the
Select Plan Properties dialog.


Creating Maintenance Plan (Continued)


13. Verify the Schedule field is correct, then click Next.


Creating Maintenance Plan (Continued)


14. Select the following maintenance tasks, then click Next.
Check Database Integrity: Performs internal consistency checks of data and index pages
within the database.
Rebuild Index: Reorganizes data on the data and index pages by rebuilding indexes. This
improves performance of index scans and seeks. This task also optimizes the distribution of
data and free space on the index pages, allowing faster future growth.
Back Up Database (Full): Allows you to specify the source databases, destination files or tapes,
and overwrite options for a full backup.
Important: Avoid the Shrink Database task as much as possible. It introduces logical fragmentation
(physical order of the pages in the leaf level of an Index is not the same as the logical order of the
pages). Effectively, the disk head has to go back and forth in reading the pages, thus performing more
I/O operations and degrading performance. When you perform a shrink of the data file, pages at the
end of the data file are moved to the beginning of the file, disregarding any potential fragmentation
that is introduced in this process.


Creating Maintenance Plan (Continued)


15. Use the Move Up/Move Down buttons to define order for the tasks to execute as follows, then
click Next:
First: Check Database Integrity
Second: Back Up Database (Full)
Third: Rebuild Index
NOTE: The order in which these tasks execute is interchangeable; however, McAfee recommends
taking the database backup before the index rebuild.
This ensures there is a working backup copy of the database in case of an issue during the rebuild
process.


Creating Maintenance Plan (Continued)


16. Click the down arrow by the Databases drop list. A popup menu opens.
17. Click the These Databases radio button, select Databases: ePO_<servername> (check, tick
box), then click the OK button.
18. Click Next to continue.


Creating Maintenance Plan (Continued)


19. Click the down arrow by the Databases drop list. A popup menu opens.
20. Click the These Databases radio button, select Databases: ePO_<servername> (check, tick
box), then click the OK button.
21. Again, click the These Databases radio button, select Databases: ePO_<servername> (check,
tick box), then click the OK button to return to the Define Backup Database (Full) Task.

See the dialog continuation on the next page.


Creating Maintenance Plan (Continued)


22. Click the down arrow by the Databases drop list. A popup menu opens.
23. Again, click the These Databases radio button, select Databases: ePO_<servername> (check,
tick box), then click the OK button to return to the Define Backup Database (Full) Task. In the
Folder box, type the backup path location.
24. In the Set backup compression drop down, select Compress backup.
25. Click Next to continue.


Creating Maintenance Plan (Continued)


26. Click the down arrow by the Databases drop list. A popup menu opens.
27. Again, click the These Databases radio button, select Databases: ePO_<servername> (check,
tick box), then click the OK button to return to the Rebuild Index Task.
28. For Object, select Tables and Views.
29. For Free space options, click the Change free space per page percentage radio button, then
type 10 in the % (percentage) box.
30. For Advanced options, select Keep index online while reindexing.
NOTE: Online Index rebuild is not supported by all editions of SQL Server. For more details on which
editions support the Online Index rebuild, refer to SQL Server Books Online documentation. For index
types that do not support online index rebuilds, select the option Rebuild Indexes offline.
31. Click Next to continue.
NOTE: An Index Rebuild task causes the statistics to be updated as part of the rebuild (effectively with
full scan) so an Update Statistics task is not needed after a Rebuild Index.


Creating Maintenance Plan (Continued)


32. Select Write a report to a text file, and type the desired folder location in the box.
33. Click Next to continue.
NOTE: To use the E-mail report option, you must have Database Mail enabled and correctly
configured with MSDB as a Mail Host Database, and have a Microsoft SQL Server Agent operator with
a valid e-mail address. The mail part of this task uses the sp_notify_operator statement.
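The three wizard tasks above as a T-SQL script, added here as an example rather than taken from the course. The instance name MLD-EPO\EPOServer follows the slides; the database name ePO_MLD-EPO and the folder D:\ePO_Backups are assumptions.

```sql
-- Added example (not from the McAfee course): the three wizard tasks as T-SQL,
-- in the recommended order. Assumed names: instance MLD-EPO\EPOServer,
-- database ePO_MLD-EPO, backup folder D:\ePO_Backups.
USE [master];
GO
-- Task 1: Check Database Integrity (nothing below should run if this reports errors)
DBCC CHECKDB (N'ePO_MLD-EPO') WITH NO_INFOMSGS, ALL_ERRORMSGS;
GO
-- Task 2: Back Up Database (Full), compressed, then verify the file is readable.
-- (Remove COMPRESSION on editions that do not support backup compression.)
DECLARE @bak nvarchar(260) = N'D:\ePO_Backups\ePO_MLD-EPO_'
    + CONVERT(nvarchar(8), GETDATE(), 112) + N'.bak';   -- yyyymmdd suffix
BACKUP DATABASE [ePO_MLD-EPO] TO DISK = @bak
    WITH COMPRESSION, CHECKSUM, INIT, STATS = 10;
RESTORE VERIFYONLY FROM DISK = @bak WITH CHECKSUM;
-- A full backup alone does not free space inside the .LDF. When SQL Server says
-- it is waiting for a log backup, take one, or the log keeps growing.
IF (SELECT log_reuse_wait_desc FROM sys.databases
    WHERE name = N'ePO_MLD-EPO') = N'LOG_BACKUP'
    BACKUP LOG [ePO_MLD-EPO]
        TO DISK = N'D:\ePO_Backups\ePO_MLD-EPO_log.trn'
        WITH COMPRESSION, CHECKSUM, NOINIT;
GO
-- Task 3: Rebuild Index on every indexed table with 10% free space per page
-- (FILLFACTOR = 90). ONLINE = ON exists only in Enterprise-class editions
-- (EngineEdition 3); a table whose index type cannot be rebuilt online falls
-- back to an offline rebuild. Indexed views, if any, are not covered here.
-- The rebuild refreshes statistics itself, so no Update Statistics step follows.
USE [ePO_MLD-EPO];
GO
DECLARE @online nvarchar(3) =
    CASE WHEN CAST(SERVERPROPERTY('EngineEdition') AS int) = 3 THEN N'ON' ELSE N'OFF' END;
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'BEGIN TRY ALTER INDEX ALL ON ' + QUOTENAME(s.name) + N'.' + QUOTENAME(t.name)
    + N' REBUILD WITH (FILLFACTOR = 90, ONLINE = ' + @online + N'); END TRY' + CHAR(10)
    + N'BEGIN CATCH ALTER INDEX ALL ON ' + QUOTENAME(s.name) + N'.' + QUOTENAME(t.name)
    + N' REBUILD WITH (FILLFACTOR = 90, ONLINE = OFF); END CATCH;' + CHAR(10)
FROM sys.tables AS t
JOIN sys.schemas AS s ON s.schema_id = t.schema_id
WHERE EXISTS (SELECT 1 FROM sys.indexes AS i
              WHERE i.object_id = t.object_id AND i.index_id > 0);
EXEC sys.sp_executesql @sql;
GO
```

Run it with sqlcmd -S MLD-EPO\EPOServer -E -b -i epo_maintenance.sql; the -b switch makes sqlcmd stop at the first failing step, so the backup and rebuild never run against a database that failed its integrity check.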


McAfee recommends that customers back up their ePO SQL databases regularly, to protect data and
guard against hardware and software failure.
Archiving Data
One successful strategy adopted by customers is to refresh their database every 6 months in the
following way:
1. Back up the database according to their requirements for being able to restore data (e.g.
every week, two weeks etc.).
2. Every six months, restore a copy from the most current backup (typically the night before),
but restore it under a different name (e.g. ePO_JanJun13, ePO_JulDec13 or similar).
3. Verify that the restored database is working correctly, (i.e. reports function, etc.)
4. Delete all events from the live database from January to June (or July to December if the
backup represents the second half of the year).
5. Then detach the database and bring it up when required.
Using this method ensures that the backups are functional and that the backup plan is working
appropriately.
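The restore, verify and detach steps of that strategy as T-SQL, added here as an example and not part of the course. The live database name ePO_MLD-EPO, the backup file name, the logical file names and the ePO events table (dbo.EPOEvents with a DetectedUTC column) are assumptions.

```sql
-- Added example (not from the McAfee course): restore the newest full backup
-- as an archive copy under a new name, check it, then detach it. Assumed names:
-- live database ePO_MLD-EPO, backup D:\ePO_Backups\ePO_MLD-EPO_20130630.bak,
-- archive database ePO_JanJun13 stored under D:\ePO_Archive.
USE [master];
GO
-- List the logical file names inside the backup. The MOVE clauses below assume
-- they are ePO_MLD-EPO (data) and ePO_MLD-EPO_log (log); adjust if they differ.
RESTORE FILELISTONLY FROM DISK = N'D:\ePO_Backups\ePO_MLD-EPO_20130630.bak';
GO
-- Restore under the archive name into its own physical files, so the live
-- ePO_MLD-EPO.MDF / .LDF are never touched.
RESTORE DATABASE [ePO_JanJun13]
    FROM DISK = N'D:\ePO_Backups\ePO_MLD-EPO_20130630.bak'
    WITH MOVE N'ePO_MLD-EPO'     TO N'D:\ePO_Archive\ePO_JanJun13.mdf',
         MOVE N'ePO_MLD-EPO_log' TO N'D:\ePO_Archive\ePO_JanJun13_log.ldf',
         CHECKSUM, RECOVERY, STATS = 10;
GO
-- Step 3: prove the copy is usable before relying on it.
DBCC CHECKDB (N'ePO_JanJun13') WITH NO_INFOMSGS;
-- Events table and timestamp column are assumed (dbo.EPOEvents / DetectedUTC);
-- the date range is the half-year being archived.
SELECT COUNT(*) AS ArchivedEvents
FROM [ePO_JanJun13].[dbo].[EPOEvents]
WHERE DetectedUTC >= '2013-01-01' AND DetectedUTC < '2013-07-01';
GO
-- Step 4 (removing January to June events from the live database) belongs to
-- the ePO purge server task, not to a direct DELETE against the tables.
-- Step 5: detach the archive; bring it back with CREATE DATABASE ... FOR ATTACH.
ALTER DATABASE [ePO_JanJun13] SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
EXEC sys.sp_detach_db @dbname = N'ePO_JanJun13';
GO
```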


Changing SQL Server information in ePO


Use this task to edit the SQL Server connection configuration details. This is useful for making changes
to the user account information in ePolicy Orchestrator when you have made changes to the SQL
Server authentication modes in another program, for example, SQL Server Enterprise Manager. You
can also do this if you need to use a privileged SQL user account for added network security.
Things to know about this page:
Authentication: If the database is running, normal ePO user authentication is used and only a
global administrator is allowed access. If the database is down, a connection is required from the
system running the server.
The ePO server must be restarted for any configuration changes to take effect.
Use the steps below to open the Database Configuration page for ePO using a web connection:
1. Launch Browser
2. Navigate to the URL below to open the Configure Database Settings page:
https://<servername>:<console-to-server port>/core/config
3. Under Configure Database Settings, modify entries as needed:
NOTE: If any changes are made to the entries on this page, ensure that you click Test Connection
(bottom right corner) to verify the connection to the database is successful with the new settings
before continuing. Once you are satisfied with the new settings, click Apply.

The following are steps for using test.udl to confirm the database credentials outside of ePO:
1. Create a file on the ePO server called test.udl.
2. Double-click the test.udl file.
3. Click the Provider tab.
4. Select Microsoft OLE DB Provider for SQL Server.
5. Click Next.
6. On the Connection tab, enter the same information entered in ePO's core/config page for the
database connection:
In the Select or enter a server name field, type the SQL server name in the
following format: <servername>\<instancename>,<port>
NOTE: If no named instance is in use, use the following format: <servername>,<port>


You should be aware that Microsoft recommends using Windows Authentication for best security.
McAfee, however, recommends using SQL authentication when Remote Agent Handlers are in use.
As always, http://technet.microsoft.com is an excellent resource for information and articles on all
versions of MS SQL Server.
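A check from the SQL Server side of the account entered on core/config (and in test.udl): which authentication type it uses, whether the instance accepts that type at all, and which roles it holds. This is an added example, not course material; the login name epo_svc and database name ePO_MLD-EPO are assumptions.

```sql
-- Added example (not from the McAfee course): inspect the login that ePO's
-- core/config page connects with. Assumed: login epo_svc, database ePO_MLD-EPO.
USE [master];
GO
-- Login type, state and password policy. A SQL login on an instance set to
-- Windows Authentication only (WindowsAuthOnly = 1) will fail Test Connection.
SELECT p.name,
       p.type_desc,              -- SQL_LOGIN or WINDOWS_LOGIN
       p.is_disabled,
       l.is_policy_checked,      -- NULL for Windows logins
       l.is_expiration_checked,
       SERVERPROPERTY('IsIntegratedSecurityOnly') AS WindowsAuthOnly
FROM sys.server_principals AS p
LEFT JOIN sys.sql_logins AS l ON l.principal_id = p.principal_id
WHERE p.name = N'epo_svc';
-- Server-level roles. sysadmin is what the person creating maintenance plans
-- needs; if the ePO account itself holds it, it is far broader than one database.
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'epo_svc';
GO
-- Database-level roles inside the ePO database only; compare the result with
-- what your installation guide requires for the ePO account.
USE [ePO_MLD-EPO];
GO
SELECT r.name AS database_role
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'epo_svc';   -- database user name, assumed to match the login
GO
```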


sqlcmd Utility
The sqlcmd utility lets you enter Transact-SQL statements, system procedures, and script files at the
command prompt, in Query Editor in SQLCMD mode, in a Windows script file or in an operating
system (Cmd.exe) job step of a SQL Server Agent job. This utility uses OLE DB to execute Transact-SQL
batches.
sqlcmd replaces osql for initiating command-line transactions in SQL Server and can be used to
perform such actions as initiating a backup from the command line.
For detailed information please see:
sqlcmd Utility http://technet.microsoft.com/en-us/library/ms162773(SQL.90).aspx
Transact-SQL Syntax Conventions (Transact-SQL) (SQL 2008 and SQL 2012)
http://technet.microsoft.com/en-us/library/bb510741.aspx
