Endpoint Protection

SEP 11.0 is end of life since long time so plan to upgrade those clients on priority & It's not possible to setup a scheduled task on the new SEPM to run check every 30 minutes & push out packages accordingly.

I have an issue with the new server, maybe this is due to creating a new cert on the new server or corruption in the policies or embedded database.

Many of the clients, consisting of versions 11.0 through 12.1.6608, most of them laptops which connect remotely and infrequently over VPN are connecting to the new server and getting green dots but the Policy serial number in the SEP Manger clients tab remains from the old server.  I am using the Policy serial number to determine which clients are successfully migrated as this number should match the new server.  I perform a Remote push of a new Communication package daily and the clients which receive this package are soon fixed (Policy serial number matches the new server at next heartbeat interval).

The problem is, many clients are not online during the push.

Is it possible to setup a scheduled task on the new server to run every 30 minutes or so that pushes the communication package to all clients listed in a text file?

If not, is there another solution?

Many Thanks!

Hex

There isn't a hardware failure however my original server will be powered off so I can give the new server the same IP address.

Is there any hardware failure? If not then I don't think you should follow step 3.

Hi,

I am following option 2 where my new SEPM server has the same IP, but different hostname of the original SEPM server.

i.e.

Original Server:
SRV-SEP
192.168.1.100

New Server:
SRV-AV
192.168.1.100

I am therefore following the disaster recovery procedure for 12.1

Can you confirm if I should follow step 3 within the disaster recovery procedure and create the SEPBackup.txt file? If so, should I:

• Include the IP address and hostname of the original server (SRV-SEP)?
• Include the IP address and hostname of the new server (SRV-AV)?

Thanks.

Follow disaster recovery method & Create a new MSL.as per following. In case clients lost the connectivity can restore it by replacing Sylink.xml. 

1. Follow "Best Practices for Disaster Recovery with Symantec Endpoint Protection" (see Related Articles below) to backup and reinstall SEPM on MACHINE_2
2. Log in to the old SEPM on MACHINE_1
3. Click Policies > Policy Components > Management Server Lists > Add Management Server List
4. Click Add> Priority and a new Priority would get added named as "Priority2"
5. Add MACHINE_1 under Priority 2 and add MACHINE_2 under Priority 1, and assign this New Management Server List to all the groups.
6. Clients will then move from old SEPM to new one gradually
7. Stop the "Symantec Endpoint Protection Manager" and "Symantec Embedded Database" service on MACHINE_1 to verify whether all client now report to the new SEPM on MACHINE_2
8. Once verified that all the clients are reporting into the new SEPM, and have moved away from the old one, proceed to the next step.
9. Uninstall SEPM from MACHINE_1

Hi chetan,

Thanks for your respond.

Here is the outline that i want to implement:

I have a server 2008 that has been installed by SEPM 11. I want to migrate SEPM 11 to a new server (different IP and different host name) through DR without losing client communication and then after migration, upgrade SEPM 11 to SPM 12.1.

However, as my frist experience i am not quite sure about the DR process:

The link below shows me how to prepare for DR

https://support.symantec.com/en_US/article.TECH102333.html

but i am not sure DR process

Please make sure it's SEPM 11 OR SEPM 12.1 because SEPM 11 is end of life from long time. 

Also to suggest best option to go please provide following details

1) Total number of Clients per SEPM?

2)  Is there any existing Failover/loadbalancing or Replication in place between both the SEPM's?

3)  SEPM version details.

Hi Chetan,

I need couple of your advices. We have 2 servers 2008, one is SQL database and SEPM 11 and another server is failover cluster. We are going to migrate them into a server 2012R2. However, i have some doubts:

which of these scenarios can work

Login to the new SEPM console, under clients tab should have a list of all thh connected machines, if it's AD synch check particular Synch OU's.

@Hexnut

When you're logged into the new server SEPM console, under clients, you should have a list of all the machines in your environment. If they have a green dot next to them, they're checking into that server, it it's a red arrow, they're checking into another server.

See this link for a breakdown of all the icons in SEPM.

https://support.symantec.com/en_US/article.TECH106286.html

Is there a way to see from the new server which clients have connected without looking at the client machines?

Thanks.

Hello Hex,

Actually in both the SEPM console should see clients with Green dots because they are directly connected. You just have to make sure all the clients have received latest policy which contains updates MSL list.

Q,In the event that I turn off services on the old server and an old client is turned on, will a DNS CNAME on the ner server allow this client to migrate gracefully?

--> If clients have received latest policy sylink.xml will be updated. Those clients will receive migrate gracefully. If clients haven't received latest policy won't migrate through DNS CNAME.

Will there be any issues on the clients when I enable secure communications in the future?

--> Ideally there shouldn't be but test it prior to decommision old SEPM 

Hi Chetan,

I am using your method to move my SEPM 12.1.6 MP3 on server 2003 to the same SEPM version on server 2012 R2 with a different hostname and different IP.  My business is 24 x 7 x 365.  I have nearly 500 SEP clients, many are laptops, some don't connect for 2 or 3 weeks at a time due to vacations, schedules etc.  Users do not have administrator rights on their machines. 

I have created the new MSL on the old server and created a new Test OU in AD to place test machines.  and assigned the new MSL to thie test AD group.  Once testing is done I will assign this MSL to all groups.  I have generated a new cert on the new server to allow the cert to match the hostname.  I've disabled secure communiction temporarily until all clients are communicating to the new server.  So far this is working very nicely.

Is there a way to determine from the SEPM server which server the client is connecting to?  I don't want to turn off the services on the old machine until I am certain that all of the clients are connecting to the new server. 

In the event that I turn off services on the old server and an old client is turned on, will a DNS CNAME on the ner server allow this client to migrate gracefully?

Will there be any issues on the clients when I enable secure communications in the future?

Many Thanks for this very helpful article!

Hex

Did you create new MSL & assign it to all the clients? Open Sylink.xml file through Notepad to see the MSL listing.

All the clients should have new SEPM listed against priority 1.

Sylink file location is listed here:

http://www.symantec.com/docs/TECH165055

Thanks for the reply! I already done that.

Where can I see to witch server a client is connecting?

Thanks for the feedback.

On the old SEPM, create a new MSL & set the priority 1 & 2.

It should look like

Priority 1 --> New SEPM IP

Priority 2 --> Old SEPM IP

It means both the SEPM's will have the same priority. In short we are telling clients they should connect to the new SEPM. Once all the clients received latest MSL can stop SEPM service on old SEPM & let the client talk with the new SEPM.

Once everything verified can decommission old SEPM.
 

Hi,

Nice article!

We are migrating to a server with a differenet IP and different hostname (Option 3)

We used the methode: 2. Follow disaster recovery method & Create a new MSL.as per following

The clients are visible and online on both servers.

I’m stuck at step 6 of the description.

When we shutdown the old server the clients go offline.

The green dot on the SEP-icon in the tray of the client isn’t visible anymore. Also on the new server the appear to be offline.

Any suggestions?

Can you check MSL list on 1-2 clients by opening Sylink.xml file.

Try to stop SEPM service on the old SEPM and see if it makes any difference.

I have added the policy. It has been 2 days and nothing has moved over. Has something been done wrong?

Upgrade is a different thing. Either you can push out new package or easiest way could be use of Auto upgrade feature.

Can refer the below article:

https://www-secure.symantec.com/connect/articles/sepm-121-auto-upgrade

What did you do about upgrading the client on the machines? Is it done automatically or do you have to push it.

Most of the clients should migrate at new SEPM & after that stop SEPM services on old SEPM only.

Once all the clients migrated can decommission old SEPM.

Like Chetan said...once you create the new MSL and your machines check in* they will start pointing to the new server. When I did the migration, it probably took a few days for most of the machines to show up on the new server. I just let them do their thing. I then found ones that weren't moving over for one reason or another, and manually remediated those before decomissioning the old server.

The MSL doesn't define groups, only what server the clients are pointing to.

Great. I found the list. Once I assign new address. That will make all machines look at the new server. Will they begin showing there all the time? Then i can just kill the old server once they are all checking in?

Also will it put them in the same group or will I need to manage that on the new SEPM?

Harshbarger,

You'll want to go to Policies, expand policy components, and then Management Server Lists. You should see your sites listed there, and you can add/remove management servers there.

That's correct. Default MSL won't change. Create new MSL in the old SEPM & Assign new server IP address as a priority 1.

So. to be clear, I need to goto the old SEPM, and change the MSL to look at the new server as priority 1?

For the MSL, is that located under Admin -> Servers -> Local Site (AV)

It looks like there is a default. How would I change it?

But if we are installing the new SEP client  that points to the new server on the the image, why is it even looking back to the old? 

Make sure both the SEPM's have new server listed as a priority 1 under MSL (Management Server list).

I ended up building a new server and have just been migrating all the machines over to the new one.

We are running into an issue now where if we put our citrix environment on it, it works for a couple days then starts looking back at the old server. Is there an explanation as to why this is happening?

Hi,

Try to create those string values manually. Also make sure Liveupdate is not running on primary SEPM while intiating replication.

If still not helped gather “Install Error” logs from New Site. Logs should be present under tomcat\logs folder on new site.

Hi Chetan,

I went through the article provided and I am not able to adjust SEPM heap size. I only see the below in the specified location.

Thanks,

Thanks for sharing screenshot, please follow the steps given in the following article:

"Unable to connect to the server specified" error during the replication of Symantec Endpoint Protection Manager

http://www.symantec.com/docs/TECH106224

Above article is actually applicable for SEP 11.x product but no harm to try steps for 12.1 as well. Let me know how it goes or else can try to start look into the logs.

I have cross checked everything is correct as per article.

Pleae see the screenshot.

Thanks,

Replication Server Name - The name or IP address of the remote Symantec Endpoint Protection Manager.

Replication Server Port - The default is 8443.

Administrator Name - The name that is used to log on to the console.

Password - The password that is used to log on to the console.

Refer this guide: http://www.symantec.com/docs/TECH104455

If still faced an issue post the screen-shot.

Hi Chetan,

We have currently SEPM 12.1.6 (recently upgraded)on windows 2003 server. And now we would like to move it on 2012 R2 server with a new IP and host name. We created the new 2012 server, and trying to make it as Replication server.

 After entering the details like replication server name, default port, administrator username and password, As soon as I click Next, I get this error "Unable to connect to the server".

Could you please help me out to find the cause?

That's right.
 

Thank you for the reply! Don't mean to be stupid, but to clarify. I will setup the new server with no data in it. Then assoticate it to the existing server and replicate all the data over, correct? This in theory should push all the policies, database contents, etc from the existing server to the new one. This means I DO NOT do the DR method because I need both servers online because I am not yet ready to fully decomission the original server. Right?
 

DR should be performed if there is a hardware failure OR If planning to perform DR on another machine need to remove existing machine from the network to avoid IP conflict.

To perform replication new server can be place at new site & existing site as well. It depends upon business requirements.

Chad,

You stated: 

"Do I restore both the Recovery File AND the database? It seems to me that if I restore both those items that I will be essentially duplicating the server I already have online."

Is this not what you want to do anyways? Although you're moving to a new server, you want the DB and all the information that's on the old one to be maintained so you're not starting over, right?

When I did this earlier this year, I installed SEPM on the 2012 VM and set up replication. I let that copy everything over to my new SEPM server and then I used an MSL to have all the machines point to that new server. Once I saw all the machines checking into the new SEPM server, I went and checked for legacy machines and machines that did not move over properly and remediated them manually. Once that was completed, I stopped the services on the old SEPM(s) that we had and made sure everything was on the up and up before decomissioning.

So I 've gone through this 5 times and I am still not doing it correctly. I am trying to migrate SEPM from a 2008 server to a new 2012R2 VM; different IP and Hostname. I am following the instructions "Moving SEPM from one machine to another" https://support.symantec.com/en_US/article.TECH104389.html. But in the DR instructions for 12.1, I am confused as to what steps I should be doing. Do I restore both the Recovery File AND the database? It seems to me that if I restore both those items that I will be essentially duplicating the server I already have online. I also can't figure out where I actually configure the replication. Do I install the new server into it's own site or as an additional server but in a new site, then setup the replication.

Hoping to get some clarification because I am just frustrated being at this for two days.

Thanks for the great article and all the help

Chad

Thank you!

Not necessary to unisntall and redeploy to those clients.

Can refer this guide: How do I replace the client-server communications file on the client computer?

• http://www.symantec.com/docs/HOWTO81116

I recently finished migrating SEPM from a Windows 2003 server to a new Windows 2012 server through the replication process.  I have a few laptops that are rarely onsite, so they obviously have not started reporting to the new server yet.  What will happen if I remove the old SEPM before some of these start reporting to the new SEPM?  Would I need to uninstall and redeploy to those clients?

Hi,

Q. Can the embedded DB be restore to the SQL 2012 cluster and how?  Does SEPM 12.1.4 need to be upgrade to ver 12.1.6 first before backup and restore?

-->  In that case you need to do a fresh install of SEPM 12.1 RU6 & need to restore Embedded database into SQL database.

This article can be a reference guide: Symantec Endpoint Protection Manager: Moving from the embedded database to Microsoft SQL Server

http://www.symantec.com/docs/TECH102547

Q. What is the best practice for migration from server1 to server2?

--> As per requirements like new IP/hostname, old IP/New hostname etc, need to take approach accordingly.

Q.How can i setup server3 as fail-over or for redundancy?

--> First decide you want SEPM fail-over only or both SEPM & Database fail over.

In fail over case same SQL database will be shared by multiple managers, in replication SQL database will also replicated. For most robust design replication can be an option.

Go through these articles: 

About fail-over and load balancing

http://www.symantec.com/docs/HOWTO26809

About installing and configuring the Symantec Endpoint Protection Manager for fail-over or load balancing

http://www.symantec.com/docs/HOWTO26808

Hi Chetan,

I have a similar migration path as above but slightly different. 

We currently have a SEPM 12.1.4 run on Windows 2008 with embedded DB (Server1).  I have installed SEPM 12.1.6 (as a new site Server2) on Windows 2012 R2 and connect to the remote SQL 2012 DB on a cluster server.  I also have another Windows 2012R2 server for redundancy. 

1. Server1, Server2, and Server3 have different hostnames and IP addresses.
2. Can the embeded DB be restore to the SQL 2012 cluster and how?  Does SEPM 12.1.4 need to be upgrad to ver 12.1.6 first before backup and restore?
3. What is the best practice for migration from server1 to server2?
4. How can i setup server3 as fail-over or for redundancy?

Thanks in advance for your help.

RQD

Why you can't access existing SEPM console?

Hi

I kinda have scenario kinda similar to scenario 3 in your article. However I cannot access the existing SEPM console. I don't want to lose the connectioon to the existing clients. How would you advise to proceed.

The new server will have the same version of SEPM installed but hostname and IP address will be different.

Glad to know clients are communicating with the new server. Verify all the clients are communicating with the new server priro to decomission the SEPM.

Hello,

Yes i created a new MLS and set the new server with priority 1.

I found what my problem was, i had not assigned the list to any client groups.

For anyone that wants detailed steps...

After creating the new 'Management Server List', Click on the new list to select it

Under the 'Tasks' section in the lower left click on 'Assign the List...',

I assigned it to all client groups and after several minutes clients started to communicate with the new server.

Did you edit the MSL so that they go to the new one?

Clients should get the update on the next heartbeat in. How often is your heartbeat set for check in? This is what determines how quickly clients check in.

Hello,

I fall under Scenario 3, where the new server has a different ip address and host name.

I installed the same version of SEP on the new server, 12.1.4, and follow the disaster recovery method & create a new MSL on the original server as instructed.

How long should it take for the clients to migrate to the new server? Is there a way to speed this up from the management console?

Thanks for the feedback. :)

I just made this account just to say thx for the really great article!

This really helped me in a great way!

Client upgrade is not required, only SEPM's to be on the same version to setup replication.

You do not have to upgrade clients but it is recommended so that everything is on the same version across the board and they can take advanage of new features.

Yes, a restart would likely be required.

If I upgrade the SEPM to 12.1 RU6 will that require the clients to upgrade as well and have to restart? 

It's a good idea to use GUP's at remote sites. Prior to setup replication just make sure both the SEPM's on the same version, in your case first need upgrade existing SEPM to 12.1 RU6 version.

@Harshbarger

I did this move just a short while ago, as you can tell I was roughly in the same situation. I followed Chetan's instructions to the letter.

After installing 12.1.5 on the new server. I setup replication from the old server to the new server, I adjusted the MSL's and made sure the machines were pointing to my 2012 server as priority one. Once they were there, I was able to stop the services on the old servers to make sure everything stayed up. Once that was done, I decommed those old servers.

Best of luck!

I am looking to build a new SEPM for my company. We are currently running SEPM 12.1.4 on Server 2003 and I have built a new server running Server 2012 and was thinking about installing SEPM 12.1.6 on it.

What is the best way to go about migrating this? We have roughly 3,000 client machines and other SEPMs in other countries. I plan to decommision those and use only GUPs in those locations.

Right now the server will have a different IP address and different host name. There is also a secondary server that will act as a replication server.

Hi,

Thank you for posting in Symantec community & would be glad to assist here.

" My current setup is as follows:

SEPM 12.1 RU5 server hosted on Windows 2003 SP2

Database : on a different SQL box (SQL 2012)

New Server: with Windows 2012 std R2

SEPM 12.1.6 may be.

Database: use the same existing DB on different SQL box.

is this possible without disrupting my old SEPM ?"

--> There are couple of ways to do this.

To suggest better option need more info from your end.

1) Total number of clients in the network

2) Are there any custom policies defined?

3) This is the catch "I do not have any replication setup right now.however once i move all the client to the new server i would like to setup replication using another SEPM  server hosted in a different site."

Note : If you wish to move SEPM from one machine to another with the help of replication, Replication is an option, decide whether to go or not. Beacuse if you do replication and remove the old server that is the Primary SEPM , in future if you want to do replication you will not be able to do so, Primary Server should always be present in the network for replication it's like Primary:Secondary relation.

See this article:

How replication works

http://www.symantec.com/docs/HOWTO55328

Hi,

Is there a seemless way of migration keep both the existing and new servers? and slowly making the old one redundant for decommission.

Am planning to migrate my SEPM server from Windows 2003 to 2012 R2 on a new box.

My current setup is as follows:

SEPM 12.1 RU5 server hosted on Windows 2003 SP2

Database : on a different SQL box (SQL 2012)

New Server: with Windows 2012 std R2

SEPM 12.1.6 may be.

Database: use the same existing DB on different SQL box.

is this possible without disrupting my old SEPM ?

Then slowly plan to migrate the client using SYLINK drop to change the communication settings on the clients.

are there any articles that i can refer to in doing this. please help !

Thanks!

Hello.
Thanks for this article. It's help me to migrate new server. Used 3 situation

But i have some troubles.

SEP clients doesn't want connect to new server.

I create MSL for new server

In new SEPM i see that clients connected, but the values are always changing. When i open SEP client Troubleshooting Server is disconected. Only if i replace new sylink.xml by SyLinkDrop util client connected to new server. But i have 200 clients and replace sylink very bad idea ^_^

In Admin-Server i see old SEPM, i delete it. But it's not help me.

Where i mistake?

Realy helpful artical !!

OK,

I will do it so and report here after migration.

You can follow the article to move with different hostanme. Client should be able to resolve new FQDN with IP address.

Let me know how it goes.

Hi,

I'm relatively new to Symantec Endpoint Protection.

I have a case in which the clients in a new domain operate with the SEPM (on Win7) in an old domain. The DomainController of the old domain is months ago shut down.

Hostname and IP-Adress will not be changed, only the FQDN changed like:
host.domainold.local --> host.domainnew.local

Here's the same procedure as described in the article to move with different hostname?
Or I can simply add the computer to the new domain?

Thx

Itchley

Thanks for the update.

That error was for SQL only.

In your case first you will have to upgrade an existing SEPM to 12.1 RU5 because to initiate replication both the SEPM's should be on the same version.

Prior to upgrade be aware of new changes also, check this http://www.symantec.com/docs/TECH225587 

You should not face any problem however be always prepare with PLAN B to avoid undesirable situation.

Prior to start upgrade/replication take necessary backups.

It looks like that error is SQL related, only? So, it should not matter if we're using the embedded DB?

4,500 Clients~

Moving from Sever 2003 R2 to a Server 2012 box

Currently most of our machines are on 12.1.4. There are a few legacy machines that are being cleaned out.

SEPM console is 12.1.4104.4130

Sem5 DB size = 49GB

Our locations all have a dedicated T1

Hi,

There is one knonw issue & KB article is available with solution.

Replication fails after upgrade to SEPM 12.1 RU5

http://www.symantec.com/docs/TECH225412

Total how many clients are in the network? Could you share the old server & new server details like Server OS, database size of existing SEPM, version, bandwidth etc.

Chetan,

Thank you for the reply.

We have not moved to 12.1.5 due to the replication issue that was reported with multiple SEPMs. Has that been resolved? I have not seen any documentation regarding that recently.

If planning to migrate throgh replication method, no need to restore the database. Replication process will do the same.

I will suggest following method.

1) Install new SEPM

2) Start replication with old SEPM

3) After successfull replication, move all the client to the new SEPM by modifying Management Server List (MSL).

4) Once all the clients migrated successfully, decomission old SEPM.

I understand this posting is over a year old...

To move from Server 2003 R2 to Server 2012 (in a 12.1 environment) IP's will remain the same, but the hostname will change.

1. I'll need to create a backup of the embedded DB

2. Stop replication

3. Restore the DB on the new server box

4. Create the replication 

That is all? It seems too easy...and if it seems that way, it usually isn't.

Thanks

many thanks Chetan for sharing the steps here.

Thanks !!!

thanks Chetan for valuable artical +1

Hi Rupesh,

You should revert back the settings.

Hiiii Chetan,

i have found success on 12.1 ru2 version, i have total 65 SEP Client on 1 server and i have server sertificate of 11x version sepm server .

i have done disaster recovery with using domin id and i have change setting in conf.properties and  "scm.agent.groupcreation=true" and after that. i have update server cerificate then it is working and now around 54 SEP clients connected and online with new server ru2 version.

now my question is is there need to change setting  "scm.agent.groupcreation=true" to  "scm.agent.groupcreation=false" again.

please answer me.

Hi Rupesh,

Thanks for the update.

You can use Sylink replacer tool to restore the communication.

i have checked on my one server with 70 clients but not get success.

i will update you soon.

Hi Rupesh,

You found any success with this?

Hi,

You should test the connection by importing certificate. It should work.

i am not understand that your point (It will work if certificates are matching with SEP clients) .

if privatekeys are letest then it work or not ? after chenge in (editing "scm.agent.groupcreation=true")

.

Hi,

It will work if certificates are matching with SEP clients.

If you do not have a database backup to restore

You can perform a disaster recovery without a database backup, but the following points apply in this case:

• All policies must be re-created, or imported from other backups i.e. exported policy files.
• Clients will be able to communicate with the SEPM but will re-appear in the console only after their next check-in.
• Clients will reappear in the default group as they check in, unless you enable automatic creation of client groups on the re-installed SEPM by editing "scm.agent.groupcreation=true" to the conf.properties file.
• If you originally had multiple SEPM domains beyond the default domain, you must re-create them using domain IDs from Backup.txt.

Check this article last para for more info :http://www.symantec.com/docs/TECH160736

if i have server private keys of 11.6 A version and dont have database , can i do disaster recovery on 12.1 Mp 1 with using old domain id(old sylink.). it will work or not.please explain. or call 9821401895.

Hello everyone,

Please share your experiences/followed methods with reference to moving SEPM from one server to another server.

HI Chetan,

+1 Vote for artical

This artical will be provide good information :)