Hi,

      Before you proceed, you should back up the database.  Please read "Best Practices for Disaster Recovery with Symantec Endpoint Protection" at:
http://service1.symantec.com/SUPPORT/ent-security....

 Follow the steps below to move Symantec Endpoint Protection Manager from one server to another with a different IP address and host name:

Install Symantec Endpoint Protection Manager on the new server
NOTE: The version installed to the new server must be the same version as on the old server.  The new management console can be migrated to a newer version once the transition is complete.
In the Management Server Configuration Wizard panel, check Install an additional site, and then click Next
In the Server Information panel, accept or change the default values for the following boxes, and then click Next

Server Name
Server Port
Server Data Folder

In the Site Information panel, accept or change the name in the Site Name box, and then click Next
In the Replication Information panel, type values in the following boxes:
Replication Server Name
The Name or IP address of the old Symantec Endpoint Protection Manager.
Replication Server Port
The default is 8443.
Administrator Name
The Username used to log on to the old console.
Password
The password used to log on to the old console.

Click Next
In the Certificate Warning dialog box, click Yes
In the Database Server Choice panel, do one of the following, and then click Next
Check Embedded database or Microsoft SQL server (whichever database type you'd prefer to install), then complete the installation.
Log in to the new Symantec Endpoint Protection Manager (SEPM) and ensure that all the clients and policies have Migrated successfully.
Click Policies > Policy Components > Management Server Lists > Add Management Server List
Click Add> Priority and a new Priority would get added named as "Priority2"
Add the Old server under Priority 2 and add the new one under "Priority 1", and assign this New Management Server List to all the groups
Stop the "Symantec Endpoint Protection Manager" and "Symantec Embedded Database" service on the old Management Console to verify whether all client now report to the new Management Console
Once verified that all the clients are reporting into the new Management Console, and have moved away from the Old Management Console, proceed to the next step.
After the successful Migration uninstall the old "Symantec Endpoint Protection Manager (SEPM)"

WARNING: If Replication is used to "move" the SEPM server to another machine and the original SEPM is uninstalled, you will never be able to configure replication with the new SEPM ever again.  The original SEPM is like the "Master" server in the replication setup, and if it is uninstalled, the second SEPM has no ability to configure another replication partner.

http://service1.symantec.com/support/ent-security....

http://service1.symantec.com/SUPPORT/ent-security....

Thanks guys!  Sounds fairly straight forward. I will give it a shot tonight.....

Any issues I should be aware of knowing that the new server is Hyper-V 2008 R2?

Charlie

No issues with SEPM on 2k8 R2 as it is fully supported in RU/MR5.

1.Download MR5/RU5 from https://fileconnect.symantec.com
2.Upgrade existing SEPM to MR5
3..Install IIS with these features included chk this article https://www-secure.symantec.com/connect/articles/how-install-iis-70-2008
4. Install MR5 on 2k8 R2 using add replication parter then follow the doc. i gave above

Thanks.

I was already running the latest version 11.05 from 9/22 I think.

I added IIs and everything else that the installer requested. Install went well.

At this point I have stopped the suggested services on the old server. I still have green dots on my client shields. Is that proof enough that the new server is in charge?

Also, when I open SEPM on the new server and look at the clients under "view clients".... instead of seeing a green dot, the client names have a superimposed blue arrow (aimed at 45 degrees) instead of the green dot. what is that all about?

You have really gotten me to the 10 yard line. I couldn't have gotten this down without the advice.

Thanks again.

 the RED arrow means the client does not belong to this SEPM it belongs to the other SEPM.

On the 2k8 SEPM when you go to view clients you should see clients in all green if not then you need to assign the Management server list of the new server to all the groups in both sepm ( for faster results)

Open SEPM2k3-go to policies-policy components-Management server list--
you will see a default management server list for new SEPM2k8 right click and assign this management server list on all the groups.
Go to Clients tab-right click on My Company--run command on groups-update content.

Do the same thing on SEPM2k8
Assign the Default Management server list for sepm2k8 to all the groups.
then go to client right-click my company--run comm...-update contents..wait for 10-15 minutes

All the clients should show green dot in 2k8 sepm.

Thats right

I am an idiot! Color was Red... on a blue monitor icon!  You were right once again.

I have all green dots now on the Win2k8 box SEPM. The RED arrows have moved to the Win2K3 SEPM........ ahhh success. Your advice has been perfect!

Just a few more questions....

I was able to install several clients on servers from the new SEPM on Win2k8r2..... all Hyper-V 2008r2 servers. The only server that failed installation was a Hyper-V 2008r2 server that is also a DC (going to end up as the PDC eventually). When I tried to push the client install from the old SEPM on Win2K3, it worked fine. Why???

When can we take down (uninstall) the original SEPM. Anytime? I was gonna leave it up for a while to see if any more bugs pop up.

Is there any other downside to how we have deployed the new SEPM . . . other than not being able to move SEPM a second time? I assume if that ever became a requirement (like if a box dies), we can just do a fresh install and start all over again. Right?

JFTR, We have one 2008r2 core server hosting 5 Hyper-V virtual 2008r2 servers. The new SEPM and the new DC (that refused the new SEPM "push") are both on this Hyper-V platform. Not perfect, but it works for now.

 Well..The Server which failed to install SEP might be bcoz of diffrent reason so again we will have to dig down and find why it failed.
It doesn't matter from where you push because when you push a install it actually copies the files on the target computer and then the target computer does the installation locally.

it might be firewall,port issue that y you were not able to push anyways..

The other question..what if the SEPM server dies and you have rebuilt the SEPM..
there is a tool called SylinkReplacer by which you can connect all your clients to new Server its just that you will have to create your groups and policies thats it..
Here is the tool with a pdf on how to use it..you can keep this for your future reference..
https://www-secure.symantec.com/connect/downloads/sylinkreplacer-tool-connecting-sep-clients-sepm

Thanks Vikram. You have been a huge help.

I don't think the install failure could be firewall or a port issue because the Win2003 server (which is the PDC) would face the same issues.... and it did work/install. Not a big deal, but like you, I always want to understand what is going on under the hood, so to speak. I am especially concerned since I plan to uninstall the older SEPM and demote and decommission this PDC.

I am thinking the problem had/has something to do with the DC and SEPM servers sitting on the same Hyper-V host..... or, the fact that this was a DC rather than just a domain member..... oh well, I have not a clue.

I'll check out the Skylink replacer .... just in case :-)

Charlie

Being a DC or a member server won't affect the SEP install.However there are many reason of install failure if we would have looked at the install log at that time we would have exact answer..
Anyways if all the clients are showing green dot in SEPM2k8 server you can remove SEPM2k3. 

If you say it is OK . . . then consider it done :-)

Thanks again . . . you have go way beyond the call of duty with this help. I very much appreciate you taking all the time to advise me/us!!!

Charlie