Video Screencast Help

Duplicate SEP clients appear in the Symantec Endpoint Protection Manager console

Created: 21 Jun 2012 • Updated: 21 Jun 2012 | 17 comments
Language Translations
Mithun Sanghavi's picture
+5 5 Votes
Login to vote

Problem:

Duplicate clients are appearing in Symantec Endpoint Protection Manager (SEPM) console.

Environment:

Symantec Endpoint Protection 11.x and 12.1

SQL Server 2005 and 2008

Windows Server OS

Cause:

There are two causes for this issue:

Current Theory: The first possible cause for this is when an Endpoint has been re-imaged (whether in a virtual machine or on a physical system).

Things we know: Each installation of Symantec Endpoint Protection (SEP) randomly creates a "Unique Identifier" for the client. So if this changes and the re-imaged system checks in, it is recognized as a new client.

Example: The IP and computer name are the same, yet the database still shows a different Unique ID.

The second cause for this is related to an issue with moving clients to a different OU in Active Directory.

Solution

There are 2 solutions for this issue as it relates to systems or sessions that have been re-imaged/reloaded.

Solution 1: Remove the client from SEPM if it is going to be rebuilt or re-imaged.

  1. If you know in advance that a group of systems are going to be re-imaged, you can remove those clients from the console ahead of time.
  2. If you have clients that are strictly running on virtual machines which are reloaded or re-imaged on a regular basis, create a separate client group for those clients. When it comes time to re-image them, they will be easier to locate when placed in their own group.

More Info in the Articles below: 

1) How to prepare a Symantec Endpoint Protection 12.1 client for cloning (image)

http://www.symantec.com/docs/HOWTO54706

2) How to repair duplicate IDs on cloned Symantec Endpoint Protection 12.1

http://www.symantec.com/docs/TECH163349 

Solution 2: Configure SEPM to remove clients which have not connected within a specific number of days.

  1. Open SEPM and select the Admin panel.
  2. Click on Servers
  3. Right click on the Site where your management servers are located and choose Edit Properties
  4. Check "Delete Clients that have not connected for __ Days"
  5. Enter a value for Days.
  6. Click OK.

NOTE: In version 12.1 of the SEPM, the location for adjusting the setting to delete clients which have not connected for X number of days has moved:

  1. In the SEPM, go to the Admin page.
  2. Select Domains.
  3. Under Tasks, select Edit Domain Properties
  4. In the Edit Domain Properties window, on the default General tab, note the option to "Delete clients that have not connected for specified time."

Configuring a low value for this setting would clear up the duplicates more quickly. 

It is important to consider clients that are offline over the weekend. Setting this value to 1 or 2 will likely cause all your clients to be removed after a weekend.
A recommended value for large enterprise environments would be 7 to 14 days.

Comments 17 CommentsJump to latest comment

Srikanth_Subra's picture

Hi,

Thanks for the article..iam having one doubt in this now i manually removing the duplicate clients?? by setting the client status to less days my client licensing will affect?

Thanks & Regards,

 Srikanth.S

"Defeat the Defeat before the Defeat Defeats you"
(Swami Vivekananda)

0
Login to vote
Mithun Sanghavi's picture

Hello,

Incase, if you are manually removing the Enteries from SEPM then it would not affect the licenses.

However, when you work on the steps above, the enteries would be deleted from the database would in return affect your Licenses.

For example, In the Symantec Endpoint Protection Manager (SEPM) the license status shows "Attention Required" on the Home Page, with an incorrect notification that licenses are overdeployed.

This is despite there being less clients actually deployed than there are license allocations.

Here, It is suspected that this issue is caused by duplicate entries in the database.

The following solution has been reported to resolve the issue.

For SEP 12.1 RTM:

  • From the console, navigate to Admin -> Servers.
  • Under Servers, Expand the Local Site.
  • Select the entry for the Database Server.
  • Under Tasks, click on Edit Database Properties.
  • Set the option to Delete clients that have not connected for to a very low number. For example, 10.
  • Click OK.

For SEP 12.1 RU1 and Later:

  • From the console, navigate to Admin -> Domains.
  • Under Domains, Select the Default Domain (or the relevant domain you are working with. Most SEPMs will only have the Default).
  • Under Tasks select Edit Domain Properties.
  • On the General Tab, Set the option to delete clients that have not connected for specified time to a low number, such as 10.
  • Click OK.

In observed cases this has allowed the older duplicate entries to be removed from the database, which resolves the issue.

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

+1
Login to vote
John Santana's picture

Many thanks for the sharing here Mithun, so setting it up to 10 days after that what happened to the laptop users who have just came back from long service leave or holiday ?

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

0
Login to vote
Srikanth_Subra's picture

Thanks.

Thanks & Regards,

 Srikanth.S

"Defeat the Defeat before the Defeat Defeats you"
(Swami Vivekananda)

0
Login to vote
Dushan Gomez's picture

Thanks for theposting here Mithun, so what happened if somehow an old client suddenly turn on and connected to the network ?

would they be managed b the SEPM as long as it is installed with the proper Sylink.XML ?

Dushan Gomez
IT Manager
VCP 4 and 5 | MCITP Exchange Server | MCTS SharePoint Server | MCP Windows XP

 

0
Login to vote
Mithun Sanghavi's picture

Hello,

Correct, as soon as the old client is suddenly turned on and connected to the network, it would reconnect to the SEPM in the next heart beat interval and sylink.xml.

Hope that helps!!

 

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

0
Login to vote
ThaveshinP's picture

We running SEP 11.RU7MP2 and AD integrated...how would you remove duplicates as we have machines that are in the domain but inside the default group.

0
Login to vote
Mithun Sanghavi's picture

Hello,

The setting above to delete clients that have not connected for 'x' days applies to clients that belong to non-OU groups (not imported from Active Directory). 

If the SEPM is in Sync with AD, then to purge the old data would be by removing the clients from the Active Directory group and sync the OU within SEPM.

Hope that helps!!

 

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

0
Login to vote
PhilMcB's picture

Can Duplicate SEP clients in SEPM cause performance issues to the clients themselves?

0
Login to vote
John Santana's picture

Phil, no it will not, the only issue that I can see is that it uses more license.

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

0
Login to vote
.Brian's picture

No, both cannot be connected at the same. One is technically older and not connected.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

0
Login to vote
Brent.Noble's picture

Hi,

Can I just ask, in reference to the SEPM Repair Tool in this article http://www.symantec.com/business/support/index?page=content&id=TECH163349, is there a similar automated way to get a list of these affected clients in an 11.x environment?

Brent

 

+1
Login to vote
brentsherman1124's picture

I would really like to see an answer to Brent's question.

0
Login to vote