Video Screencast Help

How come I got duplicated SEP client in my SEPM database ?

Created: 22 Aug 2012 • Updated: 22 Aug 2012 | 16 comments
This issue has been solved. See solution.

Hi People,

I'm curious and confuse as to why my client got listed multiple times in the SEPM database ?

the way I know it is by querying using the following SQL script:

 

SELECT computer_name, 

        Dateadd(s, CONVERT(BIGINT, [time_stamp]) / 1000, '01-01-1970 00:00:00') 

        AS 

        [Time Stamp], 

        Cast((CASE WHEN ip_addr1 < 0 THEN 0xFFFFFFFF + ip_addr1 ELSE ip_addr1 END 

        / 256 / 256 / 256) & 0xFF AS VARCHAR) 

        + '.' + Cast((CASE WHEN ip_addr1 < 0 THEN 0xFFFFFFFF + ip_addr1 ELSE 

        ip_addr1 

        END / 256 / 256) & 0xFF AS VARCHAR) 

        + '.' + Cast((CASE WHEN ip_addr1 < 0 THEN 0xFFFFFFFF + ip_addr1 ELSE 

        ip_addr1 

        END / 256) & 0xFF AS VARCHAR) + '.' 

        + Cast( CASE WHEN ip_addr1 < 0 THEN 0xFFFFFFFF + ip_addr1 ELSE ip_addr1 

        END & 

        0xFF AS VARCHAR) 

        AS LOCAL_IP_ADDRESS 

 FROM   sem_computer 

 WHERE  computer_name IN (SELECT computer_name 

                          FROM   sem_computer 

                          GROUP  BY computer_name 

                          HAVING ( Count(computer_name) > 1 )) 

 ORDER BY computer_name ASC

What should I do to rectify this issue ?

Comments 16 CommentsJump to latest comment

Dushan Gomez's picture

The computername is the same but the time stamp got different result

on other occasion the timestamp and the IP address is different due to the workstation has been reformatted into another purpose.

Dushan Gomez
IT Manager
VCP 4 and 5 | MCITP Exchange Server | MCTS SharePoint Server | MCP Windows XP

 

Ashish-Sharma's picture

Hello,

This would not clear history of the present clients which are reporting to SEPM.

 Remove duplicated SEP client on SEPM console

Configure SEPM to remove clients which have not connected within a specific number of days.

  1. Open SEPM and select the Admin panel.
  2. Click on Servers
  3. Right click on the Site where your management servers are located and choose Edit Properties
  4. Check "Delete Clients that have not connected for __ Days"
  5. Enter a value for Days.
  6. Click OK.

SEP 11

http://www.symantec.com/docs/TECH93732

SEP 12.1

http://www.symantec.com/docs/TECH176400

 

Thanks In Advance

Ashish Sharma

 

 

Mithun Sanghavi's picture

Hello,

Check these Article:

Duplicate SEP clients appear in the Symantec Endpoint Protection Manager console

https://www-secure.symantec.com/connect/articles/duplicate-sep-clients-appear-symantec-endpoint-protection-manager-console

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Dushan Gomez's picture

well, from the SQL query result, it seems that the duplicated client got two entries, one entry which is recent as at today and the other entry is more than one month.

and also by default I believe that the SEPM policy is 30 days.

 

Dushan Gomez
IT Manager
VCP 4 and 5 | MCITP Exchange Server | MCTS SharePoint Server | MCP Windows XP

 

Ashish-Sharma's picture

No,Default policy Means you can delete 30 days old sep which are ofline

Currently i think you are not apply this policy,

You can set default days as per your requirement.

This policy applied purpose Automatic delete your duplicate client are not connect your sepm last 30 days.

 

Thanks In Advance

Ashish Sharma

 

 

NRaj's picture

you can reduce the number from 30 as it suits you.

Are these any specific machines and are numerous in number? It is known to happen when you image SEP clients without removing the HWID.

Chetan Savade's picture

Hi,

Root cause is clone image, check following description for more details.

When you deploy multiple Windows computers, virtual or physical, by cloning a base hard drive image that includes Symantec Endpoint Protection 12.1, and now you have duplicate client IDs in the Symantec Endpoint Protection Manager's database.

The cloned computers are reporting as the same client to the Endpoint Protection Manager & results into duplicate hardware ids.

 

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

Dushan Gomez's picture

Yes that does make sense Chetan, so in this case there is no other way to delete it to reduce the number of licensing count in the SEPM v 12.1 console ?

this duplicated entry is counted towards the license usage :-|

Dushan Gomez
IT Manager
VCP 4 and 5 | MCITP Exchange Server | MCTS SharePoint Server | MCP Windows XP

 

pete_4u2002's picture

reduce the number of days the client hasnt reported to SEPM for a day, then a day after db sweeping you can reset it back to 30 days.

this will make the license count come down becuase duplicate computers will be deleted.

Dushan Gomez's picture

Pete,

 

What happens if someone is not in the office for 4 weeks and SEPM deletes their record (non contactable for 30 days). Will SEP re-scan and install AV updates once the machine connects to the network (when the person returns to work) ?

Dushan Gomez
IT Manager
VCP 4 and 5 | MCITP Exchange Server | MCTS SharePoint Server | MCP Windows XP

 

Ashish-Sharma's picture
  • When communication mode is set to Pull, the SEP client will check in again at the next heartbeat interval.
  • When communication mode is set to Push, the SEP client does not fully disconnect, which allows any policy changes made in SEPM to occur immediately on the SEP client.

http://www.symantec.com/connect/articles/symantec-endpoint-protection-heartbeat-process

Next heartbeat interval you sep client showing in sepm console.

 

 

Thanks In Advance

Ashish Sharma

 

 

Ashish-Sharma's picture

Yes ,

You can enable Automatic Delete SEP client feature,After this feature you can save your license.

When we deploy any image HWD id are same and computername is different,But In your case Computername is same.

How to prepare a Symantec Endpoint Protection 12.1 client for cloning (image)

http://www.symantec.com/business/support/index?page=content&id=HOWTO54706

Check my "Download Image Installation System Problem "for Sep 11

https://www-secure.symantec.com/connect/downloads/image-installation-system-problem

Thanks In Advance

Ashish Sharma

 

 

SOLUTION
Dushan Gomez's picture

Many thanks people !

Dushan Gomez
IT Manager
VCP 4 and 5 | MCITP Exchange Server | MCTS SharePoint Server | MCP Windows XP

 

Dushan Gomez's picture

OK, rather than doing this regedit manually in every duplicated system, can I just push upgrade the SEP client v 12.1 RU1 ?

this duplicate was caused by SEP client is installed in the based image and then cloned or deployed multiple times.

Dushan Gomez
IT Manager
VCP 4 and 5 | MCITP Exchange Server | MCTS SharePoint Server | MCP Windows XP

 

Ashish-Sharma's picture

Yes, This Caused by installing based on clone image.

Thanks In Advance

Ashish Sharma