Endpoint Protection

  • 1.  Long names and AD Sync cause duplicate clients

    Posted Jul 02, 2010 09:55 AM

    I'm running RU6 in a large environment and am using the AD Sync feature.  I've come to find that we are getting bit by the NetBIOS 15-character limitation in AD and I'm trying to find a workaround.

    So, for example, a computer is named 'xx-x-xxxx-xx-xx-x'.  The NetBIOS limitation truncates this to 15 characters, so the system shows up in AD as 'xx-x-xxxx-xx'.  When the SEP sync occurs, these clients with the full/correct name end up in the default 'Clients' group as an orphaned system, and the same system also shows up in the proper AD group with the truncated name.  Unfortunately, the one in the proper AD group doesn't reflect the client installation - it gives no client details, such as def. date or anything, and would appear to have no client installed.

    I realize this is an MS limitation, but am hoping to find a workaround in SEP.  Any thoughts??



  • 2.  RE: Long names and AD Sync cause duplicate clients

    Posted Jul 02, 2010 09:57 AM
    Does it go to the correct group if you do a sync on your OU?

    Managed Symantec Endpoint Protection (SEP) Client appears in Default Group instead of Active Directory Organizational Unit (OU) in the Symantec Endpoint Protection Manager (SEPM)

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009090119133848



  • 3.  RE: Long names and AD Sync cause duplicate clients

    Posted Jul 02, 2010 12:47 PM
    Sort of. The system names that are truncated in AD sync to the proper group in SEPM with the truncated name. However, these appear in SEPM as offline with no client installed (no client info populated in SEPM).  As well, the fully named system appears in the 'Clients' group and appears as a managed/installed client with all the client info populated.

    Due to the disagreement in name between AD (truncated NetBIOS name) and the computer's full (DNS host) name, it appears to SEPM that there are two clients. The only problem is, one is not in the correct group, and the other is not reported correctly.


  • 4.  RE: Long names and AD Sync cause duplicate clients

    Posted Jul 02, 2010 12:52 PM


  • 5.  RE: Long names and AD Sync cause duplicate clients

    Posted Jul 02, 2010 04:02 PM
    Unfortunately, I've tried that many times.  I've gone through the full routine of moving the systems in AD to a non-sync'd OU, deleting the duplicate clients, sync'ing again, then moving the clients back to the proper group.

    I'm not sure if there's actually a way to get rid of the duplicates, since it's pulling one from AD and one from DNS.  I may just be stuck with it.


  • 6.  RE: Long names and AD Sync cause duplicate clients

    Posted Jul 02, 2010 05:16 PM
    I doubt there is a workaround for this.  I don't think the Symantec Management Client has an issue reading a NetBIOS name longer than 15 characters.  So when SMC registers the client via secreg, it will register the client with the full NetBIOS name.  The client would then go to the default group with the full NetBIOS name, waiting for the AD sync process to put it in the correct group.  When you use Active Directory syncing, it just reads the objects as they are displayed in Active Directory.  So the SEPM will import the truncated NetBIOS name from Active Directory and then see no client with that computer name in the default group.  Thus you'll end up with two entries.  The only fix would be to use supported 15-character NetBIOS names for your clients, or just not sync with Active Directory.
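The mechanism described in the last two posts (the client registers with its full host name, the AD sync imports the 15-character NetBIOS name, and the two never match) can be reproduced offline to find which orphaned client belongs to which empty AD-synced entry. The following is an added example, not code from this thread or from Symantec: it uses constructed AD computer objects and SEPM client records, assumes that the AD sync imports the computer object's `Name` (the NetBIOS form) while `dNSHostName` carries the full name, and models the truncation as "short label, upper-cased, cut to 15 characters". The helper names (`netbios_name`, `reconcile`, `long_named_computers`) are this example's own.

```python
"""Reconcile SEPM client names against AD computer objects.

Added example (not from the thread or from Symantec). Models the
duplicate-entry situation discussed above: AD holds the NetBIOS name
(truncated to 15 characters) while the SEP client registered with the
host's full name, so the AD sync creates an empty entry and the real
client sits orphaned in the default group.
"""
from dataclasses import dataclass

NETBIOS_MAX = 15  # NetBIOS computer-name limit that AD enforces


def netbios_name(hostname: str) -> str:
    """NetBIOS form of a host name: first DNS label, upper-cased, cut to 15.

    This truncation rule is the behaviour the thread describes; the helper
    itself is an assumption for this example, not a Symantec routine.
    """
    label = hostname.split(".", 1)[0]
    return label.upper()[:NETBIOS_MAX]


@dataclass
class ADComputer:
    name: str            # attribute the AD sync imports (NetBIOS form)
    dns_host_name: str   # full DNS host name
    ou: str              # OU the computer object lives in


@dataclass
class SEPClient:
    name: str             # name the client registered under (or AD-imported name)
    group: str            # SEPM group the entry currently sits in
    has_client_info: bool  # False for the empty AD-synced placeholder


# Constructed sample data: one long-named host, one compliant host.
AD_COMPUTERS = [
    ADComputer("FIN-WKS-PARIS-0", "fin-wks-paris-0042.corp.example", "OU=Paris"),
    ADComputer("HR-WKS-07", "hr-wks-07.corp.example", "OU=HR"),
]
SEP_CLIENTS = [
    SEPClient("fin-wks-paris-0042.corp.example", "Clients", True),  # orphan
    SEPClient("FIN-WKS-PARIS-0", "OU=Paris", False),               # empty AD entry
    SEPClient("HR-WKS-07", "OU=HR", True),                         # healthy
]


def long_named_computers(ad_computers):
    """Inventory check: AD computers whose real host label exceeds 15 chars."""
    return [c for c in ad_computers
            if len(c.dns_host_name.split(".", 1)[0]) > NETBIOS_MAX]


def reconcile(ad_computers, sep_clients):
    """Pair each orphaned SEP client with the AD-synced entry it duplicates.

    A client is a duplicate when its name truncates to an AD computer's
    NetBIOS name but is not itself that name. The result lists the client,
    the placeholder entry (if present in SEPM) and the OU it should be in.
    """
    by_netbios = {c.name.upper(): c for c in ad_computers}
    placeholders = {c.name.upper(): c for c in sep_clients if not c.has_client_info}
    report = []
    for client in sep_clients:
        label = client.name.split(".", 1)[0].upper()
        ad = by_netbios.get(netbios_name(client.name))
        if ad is None or label == ad.name.upper():
            continue  # unknown to AD, or already matches its AD name
        placeholder = placeholders.get(ad.name.upper())
        report.append({
            "sep_client": client.name,
            "current_group": client.group,
            "ad_name": ad.name,
            "target_ou": ad.ou,
            "placeholder_present": placeholder is not None,
        })
    return report


if __name__ == "__main__":
    for c in long_named_computers(AD_COMPUTERS):
        print(f"host label over {NETBIOS_MAX} chars: {c.dns_host_name} (AD name {c.name})")
    for row in reconcile(AD_COMPUTERS, SEP_CLIENTS):
        print(row)
```

Run against an export of `Name`/`dNSHostName` from AD and the client list from SEPM, the report tells an administrator which entries in the default group are really the long-named hosts and which OU they belong to, which is the manual clean-up the thread describes; the `long_named_computers` check also flags hosts that will hit the limit before they are renamed or joined.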