How to move SEPM from one server to another server.

Created: 31 Oct 2012 • Updated: 18 Feb 2015 | 44 comments
Chetan Savade's picture
+21 21 Votes

Hi,

There are several scenarios to consider when moving SEPM from one server to another:

1) The SEPM server keeps the same hostname and IP address

If the SEPM server keeps the same IP and host name, you can refer to "Best Practices for Disaster Recovery with the Symantec Endpoint Protection Manager"

SEP 11.x: http://www.symantec.com/business/support/index?pag....

SEP 12.1: http://www.symantec.com/docs/TECH160736

This solution takes longer to implement, but the new SEPM will be an exact copy of the current one.

2) The SEPM server has a different IP and the same hostname

OR

The SEPM server has the same IP and a different hostname

In this scenario we also need to follow disaster recovery:

SEP 11.x: http://www.symantec.com/business/support/index?pag....

SEP 12.1: http://www.symantec.com/docs/TECH160736

Symantec Endpoint Protection clients will be able to reach the new SEPM using whichever of the IP address or hostname is unchanged. The management server list will then be updated accordingly and sent automatically to the clients.

3) The SEPM server has a different IP and a different hostname.

If the new SEPM server has a different IP and host name, there are two alternatives:

1. Use replication to install a new SEPM and keep the policy the same with old SEPM. See "How to move Symantec Endpoint Protection Manager from one machine to another" 

http://www.symantec.com/business/support/index?page=content&id=TECH104389

Note: Replication is an option, but if you replicate and then remove the old server, which is the primary SEPM, you will not be able to set up replication in the future.

2. Follow the disaster recovery method and create a new Management Server List (MSL), as follows:

  1. Follow "Best Practices for Disaster Recovery with Symantec Endpoint Protection" (see Related Articles below) to back up and reinstall SEPM on MACHINE_2
  2. Log in to the old SEPM on MACHINE_1
  3. Click Policies > Policy Components > Management Server Lists > Add Management Server List
  4. Click Add > Priority; a new priority named "Priority2" is added
  5. Add MACHINE_1 under Priority 2 and add MACHINE_2 under Priority 1, and assign this new Management Server List to all the groups.
  6. Clients will then move from the old SEPM to the new one gradually
  7. Stop the "Symantec Endpoint Protection Manager" and "Symantec Embedded Database" services on MACHINE_1 to verify whether all clients now report to the new SEPM on MACHINE_2
  8. Once verified that all the clients are reporting into the new SEPM, and have moved away from the old one, proceed to the next step.
  9. Uninstall SEPM from MACHINE_1

OR

Install a fresh new SEPM, then use the Sylink.xml file to establish communication between the new SEPM and the existing SEP clients with the help of the Sylink replacer tool.

This option is effective if there is a limited number of clients in the network.

Helpful Public KB Articles:

SEP 11

How to move Symantec Endpoint Protection Manager from one machine to another

http://www.symantec.com/docs/TECH104389

SEP 12.1

How to move Symantec Endpoint Protection Manager 12.1 from one machine to another

http://www.symantec.com/docs/TECH171767

Related Articles:

Best Practices guide for moving the Symantec Endpoint Protection Manager SQL Server database from one drive to another on the same machine

http://www.symantec.com/docs/TECH106213

Best Practices guide to moving the Symantec Endpoint Protection Manager SQL Server database from an existing SQL Server database to a new SQL Server database

http://www.symantec.com/docs/TECH104723

Best Practices guide to moving the Symantec Endpoint Protection Manager SQL Server database from an existing SQL Server database to a new SQL Server database

http://www.symantec.com/docs/TECH167300

How to move Symantec Endpoint Protection Small Business Edition (SEPM SBE) from one machine to another

http://www.symantec.com/docs/TECH183666

I hope it's been informative.

Comments (44)

Ashish-Sharma's picture

Hi Chetan,

+1 Vote for article

This article will provide good information :)

Thanks In Advance

Ashish Sharma

0
Chetan Savade's picture

Hello everyone,

Please share your experiences/followed methods with reference to moving SEPM from one server to another server.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

+2
rupesh.naik45@yahoo.in's picture

If I have the server private keys of the 11.6 A version and don't have the database, can I do disaster recovery on 12.1 MP1 using the old domain ID (old sylink)? Will it work or not? Please explain.

0
Chetan Savade's picture

Hi,

It will work if the certificates match the SEP clients.

If you do not have a database backup to restore

You can perform a disaster recovery without a database backup, but the following points apply in this case:

  • All policies must be re-created, or imported from other backups i.e. exported policy files.
  • Clients will be able to communicate with the SEPM but will re-appear in the console only after their next check-in.
  • Clients will reappear in the default group as they check in, unless you enable automatic creation of client groups on the re-installed SEPM by adding "scm.agent.groupcreation=true" to the conf.properties file.
  • If you originally had multiple SEPM domains beyond the default domain, you must re-create them using domain IDs from Backup.txt.

Check the last paragraph of this article for more info: http://www.symantec.com/docs/TECH160736

+3
rupesh.naik45@yahoo.in's picture

I do not understand your point (It will work if certificates are matching with SEP clients).

If the private keys are the latest, will it work or not, after the change (editing "scm.agent.groupcreation=true")?

0
Chetan Savade's picture

Hi,

You should test the connection by importing the certificate. It should work.

+2
Chetan Savade's picture

Hi Rupesh,

Have you found any success with this?

+1
rupesh.naik45@yahoo.in's picture

I have checked on my one server with 70 clients but did not succeed.

0
Chetan Savade's picture

Hi Rupesh,

Thanks for the update.

You can use the Sylink replacer tool to restore the communication.

+1
rupesh.naik45@yahoo.in's picture

Hi Chetan,

I have found success on the 12.1 RU2 version. I have a total of 65 SEP clients on 1 server and I have the server certificate of the 11.x version SEPM server.

I have done disaster recovery using the domain ID and I have changed the setting in conf.properties to "scm.agent.groupcreation=true". After that I updated the server certificate; then it worked, and now around 54 SEP clients are connected and online with the new RU2 version server.

Now my question is: is there a need to change the setting "scm.agent.groupcreation=true" to "scm.agent.groupcreation=false" again?

Please answer me.

0
Chetan Savade's picture

Hi Rupesh,

You should revert back the settings.

0
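
Added example (not part of the thread, and not Symantec's code): a PowerShell helper for the conf.properties change discussed in the comments above, which sets `scm.agent.groupcreation` for the recovery and reverts it afterwards, keeping a timestamped backup each time. The function name is hypothetical and the file path is an assumption to be supplied from your own installation.

```powershell
# Added example, not from the thread. Only the key name scm.agent.groupcreation
# and the file name conf.properties come from the comments above.
function Set-SepmGroupCreation {
    [CmdletBinding()]
    param(
        # Assumption: full path to conf.properties in your own SEPM installation.
        [Parameter(Mandatory = $true)] [string] $Path,
        # $true while clients re-register after recovery, $false to revert.
        [Parameter(Mandatory = $true)] [bool] $Enabled
    )

    $key   = 'scm.agent.groupcreation'
    $value = $Enabled.ToString().ToLowerInvariant()      # "true" or "false"

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    $file = (Resolve-Path -LiteralPath $Path).ProviderPath

    # Java .properties files are ISO-8859-1; read and write with that encoding
    # so no other line is altered by the round trip.
    $latin1 = [System.Text.Encoding]::GetEncoding('iso-8859-1')
    $lines  = [System.IO.File]::ReadAllLines($file, $latin1)

    # An active assignment of the key ("key=value" or "key: value"); lines
    # starting with # or ! are comments and do not match.
    $assign = '^\s*' + [regex]::Escape($key) + '\s*[=:]'
    $wanted = $assign + '\s*' + $value + '\s*$'
    $hits   = @($lines | Where-Object { $_ -match $assign })

    if ($hits.Count -eq 1 -and $hits[0] -match $wanted) {
        return "unchanged: $key=$value"
    }

    # Timestamped backup next to the original before touching it.
    $backup = '{0}.{1:yyyyMMdd-HHmmss}.bak' -f $file, (Get-Date)
    Copy-Item -LiteralPath $file -Destination $backup

    # Remove every existing assignment (duplicates included), then add one.
    $kept = @($lines | Where-Object { $_ -notmatch $assign })
    $kept += "$key=$value"
    [System.IO.File]::WriteAllLines($file, [string[]]$kept, $latin1)

    return "set $key=$value (backup: $backup)"
}

# Usage (placeholder path):
#   Set-SepmGroupCreation -Path 'D:\path\to\conf.properties' -Enabled $true
#   ... wait until the clients have checked in and been grouped ...
#   Set-SepmGroupCreation -Path 'D:\path\to\conf.properties' -Enabled $false
```
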
raju123's picture

Thanks Chetan for the valuable article +1

0
Chetan Savade's picture

Thanks !!!

0
John Santana's picture

Many thanks, Chetan, for sharing the steps here.

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm a newbie in this forum.

0
BJHughey's picture

I understand this posting is over a year old...

To move from Server 2003 R2 to Server 2012 (in a 12.1 environment) IP's will remain the same, but the hostname will change.

1. I'll need to create a backup of the embedded DB

2. Stop replication

3. Restore the DB on the new server box

4. Create the replication 

That is all? It seems too easy...and if it seems that way, it usually isn't.

Thanks

+1
Chetan Savade's picture

If planning to migrate through the replication method, there is no need to restore the database. The replication process will do the same.

I will suggest the following method.

1) Install the new SEPM

2) Start replication with the old SEPM

3) After successful replication, move all the clients to the new SEPM by modifying the Management Server List (MSL).

4) Once all the clients have migrated successfully, decommission the old SEPM.

0
BJHughey's picture

Chetan,

Thank you for the reply.

We have not moved to 12.1.5 due to the replication issue that was reported with multiple SEPMs. Has that been resolved? I have not seen any documentation regarding that recently.

0
Chetan Savade's picture

Hi,

There is one known issue & a KB article is available with the solution.

Replication fails after upgrade to SEPM 12.1 RU5

http://www.symantec.com/docs/TECH225412

How many clients in total are in the network? Could you share the old server & new server details like server OS, database size of the existing SEPM, version, bandwidth etc.?

0
BJHughey's picture

It looks like that error is SQL related, only? So, it should not matter if we're using the embedded DB?

4,500 Clients~

Moving from Server 2003 R2 to a Server 2012 box

Currently most of our machines are on 12.1.4. There are a few legacy machines that are being cleaned out.

SEPM console is 12.1.4104.4130

Sem5 DB size = 49GB

Our locations all have a dedicated T1

0
Chetan Savade's picture

Thanks for the update.

That error was for SQL only.

In your case you will first have to upgrade the existing SEPM to 12.1 RU5, because to initiate replication both SEPMs should be on the same version.

Prior to the upgrade be aware of the new changes also; check this: http://www.symantec.com/docs/TECH225587

You should not face any problem; however, always be prepared with a PLAN B to avoid an undesirable situation.

Prior to starting the upgrade/replication, take the necessary backups.

+1
Itchley's picture

Hi,

I'm relatively new to Symantec Endpoint Protection.

I have a case in which the clients in a new domain operate with the SEPM (on Win7) in an old domain. The domain controller of the old domain was shut down months ago.

Hostname and IP address will not be changed; only the FQDN changed, like:
host.domainold.local --> host.domainnew.local

Is this the same procedure as described in the article for moving with a different hostname?
Or can I simply add the computer to the new domain?

Thx

Itchley

0
Chetan Savade's picture

You can follow the article to move with a different hostname. The client should be able to resolve the new FQDN to the IP address.

Let me know how it goes.

0
Itchley's picture

OK,

I will do so and report here after the migration.

+1
v_sran's picture

Really helpful article !!

+1
Lebedev Dmitriy's picture

Hello.
Thanks for this article. It helped me to migrate to a new server. I used situation 3.

But I have some trouble.

SEP clients don't want to connect to the new server.

I created an MSL for the new server

120px_sepm1.PNG

In the new SEPM I see that clients are connected, but the values are always changing. When I open the SEP client Troubleshooting, the server is disconnected. Only if I replace sylink.xml with a new one using the SyLinkDrop utility does the client connect to the new server. But I have 200 clients and replacing sylink is a very bad idea ^_^

120px_SEPM2.PNG

In Admin-Server I see the old SEPM; I deleted it. But it did not help me.

120px_sepm3.PNG

Where is my mistake?

0
Srinivas Rodda's picture

Hi,

Is there a seamless way of migrating while keeping both the existing and new servers, and slowly making the old one redundant for decommission?

I am planning to migrate my SEPM server from Windows 2003 to 2012 R2 on a new box.

My current setup is as follows:

SEPM 12.1 RU5 server hosted on Windows 2003 SP2

Database : on a different SQL box (SQL 2012)

New Server: with Windows 2012 std R2

SEPM 12.1.6 may be.

Database: use the same existing DB on different SQL box.

Is this possible without disrupting my old SEPM?

Then I plan to slowly migrate the clients using SYLINK drop to change the communication settings on the clients.

Are there any articles that I can refer to in doing this? Please help!

Thanks!

0
Chetan Savade's picture

Hi,

Thank you for posting in Symantec community & would be glad to assist here.

" My current setup is as follows:

SEPM 12.1 RU5 server hosted on Windows 2003 SP2

Database : on a different SQL box (SQL 2012)

New Server: with Windows 2012 std R2

SEPM 12.1.6 may be.

Database: use the same existing DB on different SQL box.

is this possible without disrupting my old SEPM ?"

--> There are a couple of ways to do this.

To suggest the better option, I need more info from your end.

1) Total number of clients in the network

2) Are there any custom policies defined?

3) This is the catch "I do not have any replication setup right now.however once i move all the client to the new server i would like to setup replication using another SEPM  server hosted in a different site."

Note: If you wish to move SEPM from one machine to another with the help of replication: replication is an option, so decide whether to go that way or not. Because if you do replication and remove the old server, that is the Primary SEPM, in future if you want to do replication you will not be able to do so. The Primary Server should always be present in the network for replication; it's like a Primary:Secondary relation.

See this article:

How replication works

http://www.symantec.com/docs/HOWTO55328

0
harshbarger's picture

I am looking to build a new SEPM for my company. We are currently running SEPM 12.1.4 on Server 2003 and I have built a new server running Server 2012 and was thinking about installing SEPM 12.1.6 on it.

What is the best way to go about migrating this? We have roughly 3,000 client machines and other SEPMs in other countries. I plan to decommission those and use only GUPs in those locations.

Right now the server will have a different IP address and different host name. There is also a secondary server that will act as a replication server.

0
Chetan Savade's picture

It's a good idea to use GUPs at remote sites. Prior to setting up replication, just make sure both SEPMs are on the same version; in your case you first need to upgrade the existing SEPM to the 12.1 RU6 version.

0
harshbarger's picture

If I upgrade the SEPM to 12.1 RU6 will that require the clients to upgrade as well and have to restart? 

0
Brɨan's picture

You do not have to upgrade clients but it is recommended so that everything is on the same version across the board and they can take advantage of new features.

Yes, a restart would likely be required.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

0
Chetan Savade's picture

Client upgrade is not required; only the SEPMs need to be on the same version to set up replication.

0
BJHughey's picture

@Harshbarger

I did this move just a short while ago, as you can tell I was roughly in the same situation. I followed Chetan's instructions to the letter.

After installing 12.1.5 on the new server, I set up replication from the old server to the new server, adjusted the MSLs and made sure the machines were pointing to my 2012 server as priority one. Once they were there, I was able to stop the services on the old servers to make sure everything stayed up. Once that was done, I decommed those old servers.

Best of luck!

0
Weslee's picture

I just made this account just to say thx for the really great article!

This really helped me in a great way!

0
Chetan Savade's picture

Thanks for the feedback. :)

0
amartinez5524's picture

Hello,

I fall under Scenario 3, where the new server has a different ip address and host name.

I installed the same version of SEP on the new server, 12.1.4, and followed the disaster recovery method & created a new MSL on the original server as instructed.

How long should it take for the clients to migrate to the new server? Is there a way to speed this up from the management console?

0
Brɨan's picture

Did you edit the MSL so that they go to the new one?

Clients should get the update on the next heartbeat in. How often is your heartbeat set for check in? This is what determines how quickly clients check in.

0
amartinez5524's picture

Hello,

Yes, I created a new MSL and set the new server with priority 1.

I found what my problem was: I had not assigned the list to any client groups.

For anyone that wants detailed steps...

After creating the new 'Management Server List', Click on the new list to select it

Under the 'Tasks' section in the lower left click on 'Assign the List...',

I assigned it to all client groups and after several minutes clients started to communicate with the new server.

0
Chetan Savade's picture

Glad to know clients are communicating with the new server. Verify that all the clients are communicating with the new server prior to decommissioning the SEPM.

0
Phoenix80's picture

Hi

I kinda have a scenario kinda similar to scenario 3 in your article. However, I cannot access the existing SEPM console. I don't want to lose the connection to the existing clients. How would you advise to proceed?

The new server will have the same version of SEPM installed but hostname and IP address will be different.

0
Chetan Savade's picture

Why can't you access the existing SEPM console?

0
RQD's picture

Hi Chetan,

I have a similar migration path as above but slightly different. 

We currently have SEPM 12.1.4 running on Windows 2008 with the embedded DB (Server1). I have installed SEPM 12.1.6 (as a new site, Server2) on Windows 2012 R2, connected to the remote SQL 2012 DB on a cluster server. I also have another Windows 2012 R2 server for redundancy.

  1. Server1, Server2, and Server3 have different hostnames and IP addresses.
  2. Can the embedded DB be restored to the SQL 2012 cluster, and how? Does SEPM 12.1.4 need to be upgraded to ver 12.1.6 first before backup and restore?
  3. What is the best practice for migration from server1 to server2?
  4. How can I set up server3 as fail-over or for redundancy?

Thanks in advance for your help.

RQD

0
Chetan Savade's picture

Hi,

Q. Can the embedded DB be restored to the SQL 2012 cluster, and how? Does SEPM 12.1.4 need to be upgraded to ver 12.1.6 first before backup and restore?

--> In that case you need to do a fresh install of SEPM 12.1 RU6 & restore the embedded database into the SQL database.

This article can be a reference guide: Symantec Endpoint Protection Manager: Moving from the embedded database to Microsoft SQL Server

http://www.symantec.com/docs/TECH102547

Q. What is the best practice for migration from server1 to server2?

--> As per the requirements, like new IP/hostname, old IP/new hostname etc., you need to take the approach accordingly.

Q. How can I set up server3 as fail-over or for redundancy?

--> First decide whether you want SEPM fail-over only or both SEPM & database fail-over.

In the fail-over case the same SQL database will be shared by multiple managers; in replication the SQL database will also be replicated. For the most robust design, replication can be an option.

Go through these articles: 

About fail-over and load balancing

http://www.symantec.com/docs/HOWTO26809

About installing and configuring the Symantec Endpoint Protection Manager for fail-over or load balancing

http://www.symantec.com/docs/HOWTO26808

0