MBAM server 2.5 SP1 move to another server with new hostname and different IP - how to achieve minimal MBAM client impact.

  • Question

  • Hi all,

    We need to move MBAM server (2.5 SP1) to a new server, the existing one will be decommissioned.

    Microsoft documentation recommends these steps -

    • Move Recovery Database

    • Move Compliance and Audit Database

    • Move Reports

    • Move Administration and Monitoring Website - this does not mention changing the client GPO to point to the SVC services in the new MBAM server.

    • Move Self-Service Portal

    Thinking of minimal impact on end users and MBAM clients deployed, I have a few questions:

    1 - Will this process also move SVC web services to the new server, or are there any additional steps needed? These services are the key to MBAM client communication to the MBAM server for recovery keys and compliance status, we do not want to lose MBAM client keys or compliance data.

    2 - The GPO policy "Windows Components/MDOP MBAM (BitLocker Management)/Client Management\MBAM Recovery service endpoint" and "MBAM Status reporting service endpoint" will need to be changed to the new server CoreService.svc and StatusReportingService.svc URLs. Is this correct - I am asking as this will be quite a change and a bit risky until MBAM clients report normally to the new server.
    If installation is done correctly will then recovery keys and compliance status be saved in the new databases that are backups of existing databases in old server? Are there other risks in the move process? Last thing we need is clients not being able to get their recovery keys in case they go to MBAM/BitLocker recovery mode.

    Thank you in advance for any recommendations.

    Kind regards,

    Petrika P.

    Tuesday, April 16, 2019 10:39 PM

All replies

  • Just popping in here because I am soon going to need to know the same thing. 

    Thomas Faherty

    Tuesday, April 16, 2019 11:17 PM
  • Migration worked well, no problem. Backing up the database and restoring went without issues.

    Be careful with "Register service principal names (SPNs) for the application pool account for the websites. You need to do this step only if you do not have administrative domain rights in Active Directory Domain Services (AD DS). If you do have these rights in AD DS, MBAM will create the SPNs for you."

    In a corporate environment applications like MBAM are not allowed to create SPNs. The engineer that is moving MBAM to new servers will need to work with AD admins to register the SPNs.
    If this step is not done correctly the web services will not work well.

    In case of issues and if a user needs recovery key before MBAM is set up, an engineer can query the database directly and get it for the user.

    Wednesday, October 2, 2019 7:34 PM
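The two points raised in this thread, the client GPO endpoints that must be repointed at the new server's CoreService.svc and StatusReportingService.svc (question 2 above) and the SPN registration the last reply warns about, are the two things most worth verifying before the old server is switched off. The PowerShell below is an added example written for this thread; it is not code from the original poster, the replies, or Microsoft. It assumes: the new server FQDN and application pool account are placeholders you replace; the MBAM client reads its applied policy from HKLM\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement under the value names KeyRecoveryServiceEndPoint and StatusReportingServiceEndPoint (verify against your GPO); the default MBAM virtual directory names are used in the URLs; and the client error log is Microsoft-Windows-MBAM/Admin. Test-MbamClientEndpoints runs on a client after gpupdate; Test-MbamSpn runs from an admin workstation where setspn.exe is available.

```powershell
# Added example for this thread: post-migration checks for an MBAM 2.5 SP1 server move.
# Not from the original poster, the replies, or Microsoft. Assumptions (adjust to your environment):
#   - $NewServer and $AppPoolAccount are placeholders.
#   - The client's applied policy lives under the MBAM policy registry key below; verify against your GPO.
#   - Default MBAM virtual directory names are used for the two .svc URLs.
#   - The MBAM client error log name used in Get-MbamClientErrors is an assumption.

$NewServer      = 'mbam-new.corp.example'        # placeholder: new MBAM server FQDN
$AppPoolAccount = 'CORP\svc-mbam-apppool'        # placeholder: website application pool account
$PolicyKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'

# Endpoint URLs the client GPO must point at after the move
$Expected = @{
    KeyRecoveryServiceEndPoint     = "https://$NewServer/MBAMRecoveryAndHardwareService/CoreService.svc"
    StatusReportingServiceEndPoint = "https://$NewServer/MBAMComplianceStatusService/StatusReportingService.svc"
}

function Test-MbamClientEndpoints {
    # Run on an MBAM client after 'gpupdate /force'. Returns one object per endpoint
    # stating whether the applied policy matches the new server and whether the URL answers.
    param([hashtable]$ExpectedUrls = $Expected, [string]$Key = $PolicyKey)

    $applied = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($name in $ExpectedUrls.Keys) {
        $current   = if ($applied) { $applied.$name } else { $null }
        $reachable = $false
        if ($current) {
            try {
                # MBAM web services use Windows authentication, hence default credentials.
                $resp = Invoke-WebRequest -Uri $current -UseDefaultCredentials -UseBasicParsing -TimeoutSec 15
                $reachable = ($resp.StatusCode -eq 200)
            } catch { $reachable = $false }
        }
        [pscustomobject]@{
            Endpoint  = $name
            Applied   = $current
            Expected  = $ExpectedUrls[$name]
            Matches   = ($current -eq $ExpectedUrls[$name])
            Reachable = $reachable
        }
    }
}

function Test-MbamSpn {
    # Run from an admin workstation. Confirms the HTTP SPNs for the new host are registered
    # on the application pool account, which the AD admins must do when MBAM is not allowed to.
    param([string]$Account = $AppPoolAccount, [string]$HostName = $NewServer)

    $short  = $HostName.Split('.')[0]
    $wanted = @("HTTP/$HostName", "HTTP/$short")
    $registered = & setspn.exe -L $Account 2>&1 |
        ForEach-Object { $_.ToString().Trim() } |
        Where-Object { $_ -like 'HTTP/*' }
    foreach ($spn in $wanted) {
        [pscustomobject]@{
            SPN        = $spn
            Registered = ($registered -contains $spn)
        }
    }
}

function Get-MbamClientErrors {
    # Recent MBAM client errors; a burst right after the GPO change usually means
    # the endpoints or the SPNs are wrong. Log name is an assumption; check Event Viewer.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-MBAM/Admin'
        Level     = 2
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
      Select-Object TimeCreated, Id, Message
}

Test-MbamClientEndpoints | Format-Table -AutoSize
Test-MbamSpn             | Format-Table -AutoSize
Get-MbamClientErrors     | Format-Table -AutoSize
```

Run the endpoint check on a pilot group of clients first: only when every row shows Matches and Reachable as True, and no new errors appear in the client log after the agent's next reporting cycle, is it safe to widen the GPO change and retire the old server.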