Steps to minimize recovery time in the event of a server failure

Article:TECH101191  |  Created: 2005-01-05  |  Updated: 2010-08-13  |  Article URL http://www.symantec.com/docs/TECH101191
Article Type
Technical Solution


Issue



You created one or more Symantec Client Security 3.x or Symantec AntiVirus Corporate Edition 10.x server groups and need to know what to do to minimize recovery time in the event that your primary server becomes unavailable.


Solution



Symantec Client Security communication uses the Secure Sockets Layer (SSL) protocol to conduct secure transactions between parent servers and clients. SSL uses a Public Key Infrastructure (PKI), digital certificates, and cryptography. As a result, if your primary server becomes unavailable, you will be unable to immediately restore communications with secondary servers and managed clients unless you have taken steps to secure the information required for secure communications. You should always have a secondary server in each server group to help maintain communication with clients.

Here are steps that you can take to minimize the recovery time in the event that the primary server fails or becomes unavailable:

  • Make sure that you have a secondary server in each server group.
  • Make a backup of the primary server's pki folder.
    You must make a new backup of the pki folder any time you change a server group's primary server.


The following sections explain how to back up the pki folder and how to restore communications with or without backup copies of this data.


Back up the pki folder
Following these steps will minimize recovery time in the event of a primary server failure.

To back up the pki folder
The pki folder is located in the primary server's Symantec AntiVirus program folder. The default location depends on your operating system and whether you installed Symantec AntiVirus or Symantec Client Security:

  • When Symantec AntiVirus Corporate Edition server is installed on Windows, the default program folder is <OS drive>:\Program Files\SAV.
  • When Symantec Client Security server is installed on Windows, the default program folder is <OS drive>:\Program Files\SAV\Symantec AntiVirus.
    For help with this, read the "To find the Symantec AntiVirus program folder" section in the Technical Information section of this document.


After you locate the pki folder, make a copy of it and secure it in a safe location such as a removable hard drive in a vault or alternate location.
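The backup step above as a script, run on the primary server. This is an added example, not Symantec code: it finds the program folder from the VPHOME share, copies the pki folder, and writes a SHA-256 manifest so the copy can be checked before a later restore. The destination path and the manifest file name pki.sha256 are assumptions.

```powershell
# Added example: copy the primary server's pki folder and write a SHA-256 manifest.
param(
    [string]$Destination = 'E:\sav-pki-backup'   # hypothetical backup location
)

# Same lookup as "net share": the VPHOME share's path is the program folder.
$share = Get-WmiObject -Class Win32_Share -Filter "Name='VPHOME'"
if (-not $share) { throw 'VPHOME share not found on this computer.' }

$pki = Join-Path $share.Path 'pki'
if (-not (Test-Path -LiteralPath $pki -PathType Container)) {
    throw "No pki folder under $($share.Path)"
}

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $Destination ("pki-{0}-{1}" -f $env:COMPUTERNAME, $stamp)
New-Item -ItemType Directory -Path $target -Force | Out-Null
Copy-Item -Path $pki -Destination $target -Recurse
$copy = Join-Path $target 'pki'

function Get-Sha256Hex([string]$File) {
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($File)
    try     { [BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
    finally { $stream.Close() }
}

# Walk the source so a file missing from the copy is caught as well as a changed one.
$manifest = Get-ChildItem -Path $pki -Recurse |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $rel    = $_.FullName.Substring($pki.Length + 1)
        $copied = Join-Path $copy $rel
        if (-not (Test-Path -LiteralPath $copied)) { throw "Missing from backup: $rel" }
        $hash = Get-Sha256Hex $copied
        if ($hash -ne (Get-Sha256Hex $_.FullName)) { throw "Backup differs from source: $rel" }
        "$hash  $rel"
    }

$manifest | Set-Content -Path (Join-Path $target 'pki.sha256')
"Backed up $(@($manifest).Count) files to $target"
```

The copy includes the pki\private-keys folder, so the backup media needs the same protection as the server itself.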



Restore communication with a backup copy of the pki folder
If you have a backup copy of the pki folder, you can restore communication by restoring the folder to its original location on the primary server.

To restore communication on a Windows server

  1. Reinstall the primary server using the same IP address and computer name.
  2. In Symantec System Center, right-click the primary server, and then click Make Server a Primary Server.
  3. Stop the Symantec AntiVirus service.
  4. Restore the pki folder to the Symantec AntiVirus Program folder.
    For help with this, read the "To find the Symantec AntiVirus program folder" section in the Technical Information section of this document.
  5. Follow the directions in the "To set the DomainGUID value on a Windows computer" section in the Technical Information section of this document.
  6. Restart the Symantec AntiVirus service.

 


Notes: Following these steps may create a duplicate server group in the Symantec System Center. To fix the problem, clear the cache.

After you restore the pki folder, you may need to use the Password Reset Utility to reset the admin user's password.
For directions, read Symantec System Center password management in Symantec Client Security 3.x and Symantec AntiVirus Corporate Edition 10.x.




Restore communication without a backup copy of the pki folder
If you do not have a backup copy of the primary server's pki folder, you must perform the following steps:

  1. Reinstall Symantec AntiVirus on the primary server.
  2. Make the server a primary server in Symantec System Center.
  3. Delete old certificates on the server's managed clients.
  4. Copy the server's new certificates and Grc.dat file to its managed clients.


To restore managed client communication after reinstalling Symantec AntiVirus server

  1. On the managed client, stop the Symantec AntiVirus service.
  2. Delete all certificates in the pki\roots folder in the client's Symantec AntiVirus program folder.
    The following is the default path to the Symantec AntiVirus program folder:

    <OS drive>\Program Files\Symantec Client Security\Symantec AntiVirus

  3. On the Windows taskbar, click Start > Run.
  4. In the Open box, type the following text, where <server name> is the name of the Symantec AntiVirus server:

    \\<server name>\vphome

  5. Click OK.
  6. Copy the Grc.dat file from the vphome folder to the following folder:

    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\
  7. Copy the xxx.x.servergroupca.cer file from the vphome\pki\roots folder to the \pki\roots folder on the client.
    The following is the default location of the \pki\roots folder on the client:

    \Program Files\Symantec Client Security\Symantec AntiVirus\pki\roots\
  8. Start the Symantec AntiVirus service on the client.
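Step 7 installs a new trust root on the client from a network share, so it is worth confirming that the file is the certificate the reinstalled server actually issued. The script below is an added example, not part of Symantec's procedure: run without -ExpectedThumbprint it only lists the certificate details (for example, on the server), and run on the client with the thumbprint recorded on the server it copies the file only when the thumbprints match. The parameter names are hypothetical, and the script assumes the .cer file is a standard X.509 certificate.

```powershell
# Added example: verify the server group root certificate before trusting it on a client.
param(
    [Parameter(Mandatory = $true)][string]$Server,
    [string]$ExpectedThumbprint,   # SHA-1 thumbprint recorded on the server itself
    # Default client location as given in the article; override if installed elsewhere.
    [string]$ClientRoots = "$env:ProgramFiles\Symantec Client Security\Symantec AntiVirus\pki\roots"
)

$source = "\\$Server\vphome\pki\roots"
$files  = @(Get-ChildItem -Path $source -Filter '*.servergroupca.cer')
if ($files.Count -eq 0) { throw "No *.servergroupca.cer file in $source" }

foreach ($file in $files) {
    # Assumption: the .cer file is a standard X.509 certificate that .NET can parse.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file.FullName

    $file.Name
    "  Subject:    $($cert.Subject)"
    "  Valid:      {0:yyyy-MM-dd} to {1:yyyy-MM-dd}" -f $cert.NotBefore, $cert.NotAfter
    "  Thumbprint: $($cert.Thumbprint)"

    if (-not $ExpectedThumbprint) { continue }   # report-only mode

    # Accept thumbprints pasted with spaces or colons.
    $want = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($cert.Thumbprint -ne $want) {
        throw "Thumbprint mismatch for $($file.Name); not copying."
    }
    if ((Get-Date) -gt $cert.NotAfter) {
        throw "$($file.Name) has expired; not copying."
    }

    Copy-Item -LiteralPath $file.FullName -Destination $ClientRoots
    "Copied $($file.Name) to $ClientRoots"
}
```

The service stop, certificate deletion, Grc.dat copy and service start in the other steps are unchanged and still have to be carried out as listed.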





References
For information about certificates, read Chapter 8 of the Symantec AntiVirus Corporate Edition Reference Guide (Savcref.pdf). The file is located on CD 1, in the Docs folder.



Technical Information
To find the Symantec AntiVirus program folder

  1. On the Windows taskbar, click Start > Run.
  2. In the Run dialog box, type the following:

    cmd

  3. Click OK.
  4. At the command prompt, type the following:

    net share
  5. Under Share name, find the VPHOME listing.
    The folder listed in the Resource column is the Symantec AntiVirus program folder and contains the Grc.dat file.


To set the DomainGUID value on a Windows computer

  1. Start Windows Explorer.
  2. Go to the Symantec AntiVirus program folder.
  3. Open the pki\private-keys folder.
  4. Find the file that has this format:

    <computer name>.<key>.0.loginca.pvk

  5. Write down or copy the <key> portion of the file name.
  6. Start the Registry Editor.
  7. Go to the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion
  8. In the right pane, double-click DomainGUID.
  9. Delete the data, and replace it with the <key> text that you copied in step 5.
  10. Go to the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\DomainData
  11. In the right pane, double-click DomainGUID.
  12. Delete the data, and replace it with the <key> text that you copied in step 5.
  13. Exit the Registry Editor.
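A read-only check for the procedure above, as an added example that is not Symantec code: it extracts <key> from the private key file name and compares it with the DomainGUID value in both registry keys. The article does not state the registry value type, so the script assumes it is either text or binary and renders binary data as a hex string.

```powershell
# Added example: confirm DomainGUID matches the <key> in the loginca.pvk file name.
param(
    [Parameter(Mandatory = $true)][string]$ProgramFolder   # Symantec AntiVirus program folder
)

$keyDir  = Join-Path $ProgramFolder 'pki\private-keys'
# File name format from the article: <computer name>.<key>.0.loginca.pvk
$pattern = '^(?<host>.+)\.(?<key>[^.]+)\.0\.loginca\.pvk$'

$files = @(Get-ChildItem -Path $keyDir | Where-Object { $_.Name -match $pattern })
if ($files.Count -ne 1) {
    throw "Expected one *.0.loginca.pvk file in $keyDir, found $($files.Count)."
}
$null     = $files[0].Name -match $pattern   # repopulate $Matches for the chosen file
$expected = $Matches['key']

$base    = 'HKLM:\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion'
$results = foreach ($path in $base, "$base\DomainData") {
    $value = (Get-ItemProperty -Path $path -Name DomainGUID -ErrorAction SilentlyContinue).DomainGUID

    # Assumption: value type is unknown, so binary data is shown as hex text.
    if ($value -is [byte[]]) {
        $value = [BitConverter]::ToString($value) -replace '-', ''
    }

    New-Object PSObject -Property @{
        Key      = $path
        Current  = $value
        Expected = $expected
        Match    = ([string]$value -ieq $expected)
    }
}

$results | Format-List Key, Current, Expected, Match

# Non-zero exit code if either key is missing or different, for use in a restore checklist.
if ($results | Where-Object { -not $_.Match }) { exit 1 }
```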




Legacy ID



2005040513373748

