Server Backup

How to back up the BigFix Server on Windows.

Consider backing up to a remote system to allow for higher fault tolerance. Perform the following steps:

  1. Stop all the BigFix services, including running plug-ins if any. The main BigFix services should be stopped in the following order:
    BES WebUI
    BES Web Reports Server
    BES Client
    BES GatherDB
    BES FillDB
    BES Root Server
  2. If you have remote processes that may access the BigFix databases, like a remote BigFix WebUI, stop them as well.
  3. Back up the BFEnterprise and BESReporting databases.

    For example, you can use SQL Server Management Studio to connect to the instance hosting your BigFix databases and run the following commands:

    BACKUP DATABASE BFEnterprise
    TO DISK = 'C:\Path\To\ExistingFolder\BFEnterprise.bak';
    GO
    BACKUP DATABASE BESReporting
    TO DISK = 'C:\Path\To\ExistingFolder\BESReporting.bak';
    GO
  4. Back up the following files and folders used by the BigFix Server and Web Reports:
    • [BigFix Server folder]\BESReportsData. Web Reports data folder.
    • [BigFix Server folder]\BESReportsServer\wwwroot\ReportFiles. Support files for Web Reports custom reports.
    • [BigFix Server folder]\Encryption Keys. Private encryption keys (if using Message Level Encryption).
    • [BigFix Server folder]\Mirror Server\Inbox. Information for BigFix Clients to get actions and Fixlets.
    • [BigFix Server folder]\Mirror Server\Config\DownloadWhitelist.txt. White list for BigFix dynamic download.
    • [BigFix Server folder]\UploadManagerData. Files uploaded by the BigFix Clients.
    • [BigFix Server folder]\wwwrootbes. Various information about actions, Fixlets, uploads and downloads.

    [BigFix Server folder] is the BigFix Server installation path, by default C:\Program Files (x86)\BigFix Enterprise\BES Server. The locations of your BigFix Server wwwroot folder and of your Web Reports wwwroot folder might be different if you customized them at installation time.

  5. Back up your license key, license certificate, and masthead file.

    The license.pvk and license.crt files are critical to the security and operation of BigFix. If the private key (pvk) files are lost, they cannot be recovered.

    The masthead (afxm) file is an important file that contains information about the BigFix Server configuration. To back it up, you can copy the [BigFix Server folder]\actionsite.afxm file and rename it to masthead.afxm.

  6. Decrypt and save the encrypted keys.

    The encrypted keys are files named like Encrypted...Key and, by default, they are located in the [BigFix Server folder]. Depending on the version of the BigFix Server and on which BigFix components are installed in your environment, you will have a slightly different set of encrypted keys. The possible key files are:

    • EncryptedAPIServerKey
    • EncryptedClientCAKey
    • EncryptedCustomClientCAKey
    • EncryptedCustomServerTLSKey
    • EncryptedExplorerCAKey
    • EncryptedPlatKey
    • EncryptedServerSigningKey
    • EncryptedWebUICAKey

    Use the ServerKeyTool.exe tool and run the steps documented in this page to decrypt the keys. For example:

    ServerKeyTool.exe /decrypt
        /dirIn:"C:\Path\To\BigFix Server folder"
        /dirOut:"C:\Path\To\Backup folder"
        /sitePvkLocation:"C:\Path\To\license.pvk"
        /sitePvkPassword:"*****"
    

    All the existing encrypted keys stored in the input folder are backed up at once, and the files containing the decrypted keys are stored in the specified destination folder with the filename prefix Decrypted*.

  7. Analyze the BigFix Server database tables named DBINFO and REPLICATION_SERVERS:
    SELECT * FROM [BFEnterprise].[dbo].[DBINFO];
    SELECT * FROM [BFEnterprise].[dbo].[REPLICATION_SERVERS];

    Record all the rows in those tables for verification purposes.

    If DNS aliases are being used instead of the actual hostnames of your BigFix Server computers, the field values of those tables should remain the same after a restore procedure. If they contain hostnames, and the hostnames of your BigFix Server computers change, those fields may need manual modification after the restore. If you want to update the CN on the BigFix internal certificates, see How to change the Common Name (CN) on BigFix internal certificates.

  8. To avoid the duplication of the BigFix Server computer entry on the BigFix Console, run the steps described in the Client data backup section in Avoiding duplicates when a Client is restored.
  9. Any configuration involving registry keys is neither saved nor restored. After completing a restore procedure, you will have to perform those configurations again. You should only edit a BigFix registry key if a documented configuration step explicitly calls for it. However, for verification purposes, you should export the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BigFix.
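
The following PowerShell sketch is an added example, not part of the original procedure or vendor-supplied code. It automates steps 1, 4, the masthead part of step 5, and step 9, locks the backup folder down to Administrators and SYSTEM because it will hold private keys, and leaves the services stopped for the remaining steps. It assumes the service names listed in step 1 are the Windows service display names and that $BackupDir is a destination you choose.

```powershell
# Added example, not vendor code. Run from an elevated prompt on the BigFix Server.
param(
    [string]$ServerDir = 'C:\Program Files (x86)\BigFix Enterprise\BES Server', # default from the page
    [Parameter(Mandatory)][string]$BackupDir   # assumption: destination folder you choose
)
$ErrorActionPreference = 'Stop'

# Step 1: stop services in the documented order (assumed to be display names).
$services = 'BES WebUI', 'BES Web Reports Server', 'BES Client',
            'BES GatherDB', 'BES FillDB', 'BES Root Server'
foreach ($name in $services) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "Service '$name' not found, skipping"; continue }
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -InputObject $svc -Force
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))
    }
}

# Create the destination and restrict it to Administrators and SYSTEM before any
# key material lands in it (well-known SIDs, so this works on any OS language).
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
icacls.exe $BackupDir /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $BackupDir" }

# Step 4: copy the listed files and folders, keeping their relative layout.
$items = 'BESReportsData', 'BESReportsServer\wwwroot\ReportFiles', 'Encryption Keys',
         'Mirror Server\Inbox', 'Mirror Server\Config\DownloadWhitelist.txt',
         'UploadManagerData', 'wwwrootbes'
foreach ($rel in $items) {
    $src = Join-Path $ServerDir $rel
    if (-not (Test-Path -LiteralPath $src)) { Write-Warning "Not present: $src"; continue }
    $parent = Split-Path (Join-Path $BackupDir $rel) -Parent
    New-Item -ItemType Directory -Path $parent -Force | Out-Null
    Copy-Item -LiteralPath $src -Destination $parent -Recurse -Force
}

# Step 5 (masthead only): license.pvk and license.crt live wherever you stored them.
Copy-Item -LiteralPath (Join-Path $ServerDir 'actionsite.afxm') -Destination (Join-Path $BackupDir 'masthead.afxm') -Force

# Step 9: export the registry key for later comparison.
reg.exe export 'HKLM\SOFTWARE\Wow6432Node\BigFix' (Join-Path $BackupDir 'BigFix.reg') /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg export failed' }

# Record SHA-256 hashes so the copy can be verified before a restore.
$hashes = Get-ChildItem -LiteralPath $BackupDir -Recurse -File | Get-FileHash -Algorithm SHA256
$hashes | Export-Csv -Path (Join-Path $BackupDir 'manifest.sha256.csv') -NoTypeInformation
```

If the decrypted keys from step 6 are written to the same $BackupDir, they inherit the restricted ACL; rerun the last two lines afterwards so the manifest covers them as well.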