Endpoint Protection

As per the Symantec, There is no need to appply the exclusoins for Active directory, it will automatically create the exlcusions for important files and folder that need to be exclude. The client monitors the applications that are installed on the client computer. If the software detects
Active Directory on the client computer, the software automatically creates the exclusions. But it is also mentioned in the another document, if a server is a promoted to DC, SEP will not detect the changes and exclusion will not create automatically. We have to create it manually.

My question is in regards to prmototion of DC scanario, What is it?

If the server is promoted to DC, exclusions will not automatically be created. You will need to do this manually or uninstall/reinstall the SEP client.

Exclusions will only be done automatically if the server is already a DC and SEP has been installed after promotion has taken place.

About the automatic exclusion of Active Directory files and folders

http://www.symantec.com/business/support/index?page=content&id=HOWTO27179

Does the upgrade of a Server to a Domain Controller Automatically create the necessary exception for the Active Directory ?

http://www.symantec.com/business/support/index?page=content&id=TECH95886

About the automatic exclusion of Active Directory files and folders

The client software creates file and folder exclusions for the Active Directory domain controller database, logs, and working files. The client monitors the applications that are installed on the client computer. If the software detects Active Directory on the client computer, the software automatically creates the exclusions.

Hello,

The client automatically creates file and folder exclusions for the Active Directory domain controller database, logs, and working files. The client monitors the applications that are installed on the client computer. If the software detects Active Directory on the client computer, the software automatically creates the exclusions.

There are 2 cases - 

1) Installing SEP on a DC machine --- In this case, the Exclusion would be created Automatically because while installing the SEP client monitors the applications that are installed on the client computer. If the software detects Active Directory on the client computer, the software automatically creates the exclusions.

2) Creating a DC after Installing SEP ---- In this case, the Exclusion would be created Manually because while installing the SEP client detected no Active Directory on the client computer.

Check this Article:

About the automatic exclusion of Active Directory files and folders

http://www.symantec.com/business/support/index?page=content&id=HOWTO27179

Hope that helps!!

Querying the registry values on each of every DC on a regular basis to ensure this configuration doesn’t seem scalable or very supportable.  So there is no way to make sure they are for sure all consistent then?  Open to any ideas you may have.

Aside from the above suggestions, I don't believe there is a non scriptable way.

What if I create a group in SEPM and place all the DC' in it. Also on that group, if I include all the centralized excpetion mandatory for the DC's. Will this exclusion will conflit with those manual exclusion added by the SEP client during installation.

What will be impact of it?

You can do that.

If the exclusion already exists it won't be added.

Ok. Let me try this. In the lab.

I have created a lab of three servers.

1. Server configured with Active Directory

2. SEP Server

3. Normal Server -Only SEP is installed on it. No AD configured till now

I performed the following test in the labs

1)  I deployed the SEP on the first server that has AD configured on it and found SEP client has automatically added the exclusion for AD's. I was able to see the exclusion in the registry

2) I depoyed the SEP on the third server and found SEP client has installed and added on exclusion.

3) I promote the third server as a DC and results are very strange. Exclusions are added automatically by SEP client in the registy.

4) I created a new group in the SEPM for DC's and create all Mandatory exclusion required for them. then move the first DC's into that group. Result was same, There was no change in the exclusion list.

Now, My question remains the same, what is promotion of DC in symantec Case.

From that it seems as if the client adds them even after promotion, which contradicts the article. May need to call suport for further investigation.

I have already raised the ticket with Symantec Support. As per them, They are saying the same thing.

They also don't have clear picture about it.