If you need to make a copy of an existing production repository (for example, an idle repository for auditors' use or for Quest Support), do not use conventional file copying or regular file managers. These methods may fail, because the hierarchical file structure in InTrust repositories uses very long names. Instead, use specialized replication software such as Microsoft Robocopy, which has been shipped with Windows since Vista and was available as part of the Windows Resource Kit before Vista.
If the repository you want to clone is indexed, take the following steps:
Alternatively, if you are retiring a production repository and want to relocate it, you can do the following:
If you want to convert the idle clone into a production repository, create a new repository in InTrust, and in the New Repository wizard, specify the location of the cloned repository.
The following command-line utilities provide additional capabilities when working with repositories:
This tool places events from an event log file into a repository without actually gathering data. Run the tool on a computer with InTrust Server installed.
Evt2Repository.exe is located in <InTrust_installation_folder>\Server\InTrust.
The following table lists the required parameters.
| Parameter | Description |
|---|---|
| /FILE | Full path to the source EVT file. UNC paths are accepted. |
| /DOMAIN | NetBIOS name of the domain that contains the computer to which the events in the EVT file are related. |
| /COMPUTER | NetBIOS name of the computer from which the EVT file is retrieved. |
| /LOGNAME | Name of the Windows event log that the EVT file contains. |
| /REPOSITORY | UNC path to the InTrust repository where the events must be stored. |
Evt2repository.exe /file=\\SERVER\TEMP\security01.evt /domain=RND /computer=SERVER /logname=Security /repository=\\Server01\InTrustRepository\Default
The following table lists optional parameters.
| Parameter | Description |
|---|---|
| /VERSIONMAJOR | Major OS version for the computer from which the EVT file is retrieved. |
Minor OS version for the computer from which the EVT file is retrieved.
Type of the computer from which the EVT file is retrieved, as returned by LAN Manager. Only numeric values are accepted.
Positive or negative difference in minutes between GMT and the local time of the computer from which the EVT file is retrieved. For example, “/timezone=-180” will return the GMT-3 time zone.
If some of the optional parameters are not specified, this key defines in what order to retrieve these parameters. The following sources are available:
If this parameter is not specified, the “repository, currentcomputer” sequence is assumed.
Specifies whether to resolve event descriptions and where to take the information. Possible values are as follows:
The Category field is resolved for events only if you use the /RESOLVEDESCRIPTIONS option.
Specifies whether to resolve GUIDs found in event insertion strings into object names (user names, GPO names and so on).
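A batch import of collected EVT files with Evt2Repository.exe, as an added example that is not part of the InTrust documentation. It uses only the parameters described above; the `<COMPUTER>_<LOGNAME>.evt` file naming, the script's own parameter names, and treating a non-zero exit code as failure are assumptions.

```powershell
# Added example: import every EVT file in a folder with Evt2Repository.exe.
# Assumptions (not from the InTrust documentation): files are named
# <COMPUTER>_<LOGNAME>.evt, and a non-zero exit code means the import failed.
param(
    [Parameter(Mandatory)] [string] $ToolPath,        # full path to Evt2Repository.exe
    [Parameter(Mandatory)] [string] $EvidenceFolder,  # folder holding the EVT files
    [Parameter(Mandatory)] [string] $Domain,          # NetBIOS name of the domain
    [Parameter(Mandatory)] [string] $Repository,      # UNC path to the repository
    [int]    $UtcOffsetMinutes = 0,                   # for example -180 for GMT-3
    [switch] $DryRun                                  # print the commands only
)
if (-not $DryRun -and -not (Test-Path -LiteralPath $ToolPath -PathType Leaf)) {
    throw "Evt2Repository.exe not found at '$ToolPath'"
}
if ($Repository -notmatch '^\\\\[^\\]+\\[^\\]+') {
    throw "Repository must be a UNC path, got '$Repository'"
}
# -Filter *.evt can also match .evtx files, so check the extension exactly.
$files = Get-ChildItem -LiteralPath $EvidenceFolder -Filter *.evt -File |
    Where-Object Extension -eq '.evt'
$results = foreach ($evt in $files) {
    # Split a name such as "SERVER_Security" into computer and log name.
    if (-not ($evt.BaseName -match '^(?<computer>[^_]+)_(?<log>.+)$')) {
        Write-Warning "Skipping '$($evt.Name)': expected <COMPUTER>_<LOGNAME>.evt"
        continue
    }
    $toolArgs = @(
        "/file=$($evt.FullName)"
        "/domain=$Domain"
        "/computer=$($Matches.computer)"
        "/logname=$($Matches.log)"
        "/repository=$Repository"
        "/timezone=$UtcOffsetMinutes"
    )
    # Hash the source file first so stored events can be tied back to it.
    $hash = (Get-FileHash -LiteralPath $evt.FullName -Algorithm SHA256).Hash
    $exit = $null
    if ($DryRun) { Write-Host "$ToolPath $($toolArgs -join ' ')" }
    else { & $ToolPath @toolArgs | Out-Host; $exit = $LASTEXITCODE }
    [pscustomobject]@{ File = $evt.Name; SHA256 = $hash; ExitCode = $exit }
}
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { $null -ne $_.ExitCode -and $_.ExitCode -ne 0 })
if ($failed.Count) { Write-Error "$($failed.Count) import(s) failed" }
```

Run it with `-DryRun` first to review the generated command lines, and keep the hash table with the case records.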
If you need to delete a repository physically, use the specially designed ITRepositoryRemover.exe command-line utility shipped with InTrust. (Windows tools do not let you delete a repository easily.) The utility resides in <InTrust_installation_folder>\Server\InTrust.
Before you run the repository removal utility, remove the repository from the InTrust configuration. To do that, delete it in InTrust Manager or InTrust Deployment Manager. You may have to wait for the repository services to stop working with the repository and unlock all the locked files in it. How long you need to wait depends on the repository size and how many other repositories there are.
Next, launch the utility:
If you start ITRepositoryRemover.exe without any parameters, it will display information about the correct usage of the utility.