Migrate the password reset server to a new server

To migrate the password reset server to a new server, complete the steps below:


  • Check the Specops Password Reset groups on the current server (Password Reset Configuration Admins, Helpdesk Admins, Enrollment Agents, Reporting Admins and Reporting Readers) and note which AD users and groups are members, so they can be added to the local groups on the new server (if needed).

  • Check the Specops Password Reset Scope of Management so the correct scope is selected on the new server. You can do this via the Specops Password Reset Configuration tool. Select Domains, and click Edit Selected Domain Configuration.

  • Get the service account username and password (you can reset the password if required).

  1. Download or copy the Specops Password Reset Setup Assistant onto the new server, and run setup.exe.
  2. From the Setup Assistant, select Server.
  3. Install the Windows Identity Foundation pre-requisite.
  4. Click Select user… to select the service account user.
  5. Enter the Username and Password of the user account the service was running as, and click OK.
  6. Click Select to identify the management level where the Active Directory permissions are created. This is the Scope of Management gathered in the pre-requisites.
  7. To select the certificate that will be used to secure calls to the Specops Password Reset service, click Select.
    • The name of the certificate must match the Fully Qualified Domain Name (FQDN) of the password reset server.
    • The certificate can be issued by your internal CA, purchased from a third-party provider, or created with Create Self-signed Certificate in the Specops Setup Assistant.
    • A wildcard certificate, or an SSL certificate with an alias or a different name, may NOT be used.
  8. Configure the remaining settings as needed, and click Install.
  9. When installing the web component, point it to the new server. Here you can use an SSL certificate with an alias, or a wildcard certificate.

    • If you have an SPR web server in a DMZ, or located on a different server, you will need to run that installation again and point the web server installation to the new server.
    • If the server in the DMZ is totally isolated, you may also need to update the HOSTS file on that server so that it can resolve the name of the new server.
    • Remember to update any firewall rules so that the DMZ server can communicate with the new internal server. Finally, make sure that the clocks are in sync between the DMZ server and the internal password reset server.
  10. Copy the statistics database file to the new server: C:\programdata\specopssoft\specops password reset\SPRReporting.sdf. You might need to check the security on the file when you copy it to the new location; the SPR service account will need full access.
  11. Update the DNS to point to the new server (if that server is hosting the website now).
  12. Uninstall the Specops Password Reset Components on the old server using Programs and Features.
  13. Delete the Service Connection Points, or the server object, on the old server.
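
The certificate rule in step 7 (name equal to the server FQDN, no wildcard, no alias) can be checked on the new server before running the Setup Assistant. The PowerShell below is an added example, not Specops code; it assumes the certificate sits in the machine's Personal store (Cert:\LocalMachine\My), and the `$Fqdn` parameter and `Test-ServiceCertificate` function are illustrative names. The validity-period and private-key checks are extra sanity checks that the steps above do not list.

```powershell
param(
    # Assumption: FQDN of the new password reset server; defaults to this machine's own name.
    [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

# Hypothetical helper: evaluates one certificate against the rules in step 7.
function Test-ServiceCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)]
        [string]$ExpectedFqdn
    )

    # DnsNameList comes from the PowerShell certificate provider:
    # the subject CN plus any DNS entries in the Subject Alternative Name.
    $names = @($Certificate.DnsNameList | ForEach-Object { $_.Unicode } | Where-Object { $_ })
    $now = Get-Date
    $problems = @()

    if ($names | Where-Object { $_.StartsWith('*.') }) {
        $problems += 'wildcard name'
    }
    if ($names -notcontains $ExpectedFqdn) {
        $problems += "no name equal to $ExpectedFqdn (alias or different name)"
    }
    # Extra sanity checks, not part of the rules stated in step 7.
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
        $problems += 'outside validity period'
    }
    if (-not $Certificate.HasPrivateKey) {
        $problems += 'no private key'
    }

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Names      = $names -join ', '
        NotAfter   = $Certificate.NotAfter
        Usable     = ($problems.Count -eq 0)
        Problems   = $problems -join '; '
    }
}

# Assumption: the certificate has been imported into the machine's Personal store.
Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { Test-ServiceCertificate -Certificate $_ -ExpectedFqdn $Fqdn } |
    Sort-Object -Property Usable -Descending |
    Format-List
```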