
Migration of clients on other server SEPM

Created: 25 Feb 2011 • Updated: 18 Mar 2011 | 20 comments
This issue has been solved. See solution.

Greetings!
I need help with transferring clients from one SEPM server to another.
We currently have a virtual server (OS Windows 2003 Std) with SEPM 11 RU6 MP2 installed with the embedded database; about 200 SEP clients are connected to it.

We recently installed a new "hard" server running Windows 2008R2 Std. The clients need to be moved to it from the virtual server.

Please advise on the most correct way to move the clients. Perhaps someone has already done something similar?

Any help is welcomed!

 


Chetan Savade's picture

Hi,

There are two methods to move Symantec Endpoint Protection Manager (SEPM) from one machine to another:

Method 1: if the SEPM server keeps the same IP and host name, you can refer to "Best Practices for Disaster Recovery with the Symantec Endpoint Protection Manager"

http://www.symantec.com/business/support/index?pag....

Method 2: if the new SEPM server has a different IP and host name, there are two alternatives:

1. Use replication to install a new SEPM and keep the policy the same as on the old SEPM. See "How to move Symantec Endpoint Protection Manager from one machine to another"

2. Install a new SEPM, then use the Sylink file to establish communication between the new SEPM and the existing SEP client.

A few helpful links:

http://www.symantec.com/business/support/index?pag...

http://www.symantec.com/business/support/index?pag...

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

RayWagner's picture

Hi!

I cannot use SylinkReplacer: there is no access to the clients' subnet (the clients are ATMs).

I want to use the methods described here: http://www.symantec.com/business/support/index?page=content&id=TECH104389
In my case the new SEPM differs from the old SEPM in IP address and host name.
Transfer by the replication method is not suitable, as we plan to add a replication partner to the new SEPM in the future.

I want to use the Disaster Recovery method - "Best Practices for Disaster Recovery with the Symantec Endpoint Protection Manager" - http://www.symantec.com/business/support/index?page=content&id=TECH102333

This paragraph confuses me: >>If you had a catastrophic hardware failure, you may need to rebuild the computer. If you rebuild the computer, you must assign it the original IP address and host name....

What should I do in this case? Could you describe the necessary actions in more detail?

Rafeeq's picture

It's not necessary to run Sylink Replacer on the same machine (SEPM).

You can log in to any one of the ATM machines and then run it. Hope you have access to all machines from that subnet.

RayWagner's picture

No, I cannot do that. It is forbidden by the security rules. Every ATM is isolated.

Rafeeq's picture

The easiest thing is to use the Sylink Replacer tool.

Install a new SEPM, then use the tool. It is pretty easy and will take only ten minutes.

https://www-secure.symantec.com/connect/downloads/sylink-remote

cemilebaşak's picture

Hi;

 

I used SylinkReplacer for this issue, and it works fine. I attached it. You must use this tool with a user that has administrative credentials on the clients.

Regards.

Attachment: sylinkreplacer.zip (1.58 MB)

Regards;

Cemile Denerel BAŞAK

Note: Please mark as solution if it helps you.

Mithun Sanghavi's picture

Hello,

You don't need to configure the clients in case the new server where the Symantec Endpoint Protection Manager is going to be installed has the same IP and server name.

However, in case of worst incidents where the clients don't report back to the new Symantec Endpoint Protection Manager, you can always use Sylink Replacer as the best tool, which will replace the sylink file on all Symantec Endpoint Protection machines and make them report back to the new Symantec Endpoint Protection Manager.

'Using the "SylinkReplacer" Utility'
> Web URL: http://www.symantec.com/business/support/index?pag...

Restoring communication to clients with a new Sylink.xml file

http://www.symantec.com/business/support/index?page=content&id=TECH106288&locale=en_US 

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SOLUTION
AravindKM's picture

The best way is to install a new server. Shut down the old one. Give the old server's IP address and name to the new server. Install SEPM. Follow the disaster recovery procedure....

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

RayWagner's picture

Name of the new server and IP address should be others! In it a problem...

Chetan Savade's picture

Hi

Could you please rephrase it "Name of the new server and IP address should be others! In it a problem..."

I am sorry, I am not getting the exact meaning of it.


AravindKM's picture

I think you can go with this procedure

  1. Follow "Best Practices for Disaster Recovery with Symantec Endpoint Protection" (see Related Articles below) to back up and reinstall SEPM on MACHINE_2
  2. Log in to the old SEPM on MACHINE_1
  3. Click Policies > Policy Components > Management Server Lists > Add Management Server List
  4. Click Add > Priority and a new Priority would get added named as "Priority2"
  5. Add MACHINE_1 under Priority 2 and add MACHINE_2 under Priority 1, and assign this New Management Server List to all the groups.
  6. Clients will then move from old SEPM to new one gradually
  7. Stop the "Symantec Endpoint Protection Manager" and "Symantec Embedded Database" service on MACHINE_1 to verify whether all clients now report to the new SEPM on MACHINE_2
  8. Once verified that all the clients are reporting into the new SEPM, and have moved away from the old one, proceed to the next step.
  9. Uninstall SEPM from MACHINE_1

Ref: How to move Symantec Endpoint Protection Manager from one machine to another


RayWagner's picture

As I already wrote here earlier, the new SEPM server should have a different IP address and host name, to keep the possibility of adding a replication partner in the future.

In the article "Best Practices for Disaster Recovery with Symantec Endpoint Protection", this paragraph confuses me:

...If you had a catastrophic hardware failure, you may need to rebuild the computer. If you rebuild the computer, you must assign it the original IP address and host name....

AravindKM's picture

Can you go through the link which I provided?

It says

There are two different situations:

 (1) MACHINE_2 will have at least either same IP or hostname than MACHINE_1

 (2) MACHINE_2 will have both IP and hostname different from MACHINE_1

(B) Disaster Recovery: this solution is longer to implement but the new SEPM will be an exact copy of the current one. Moreover, the use of replication in the future will still be possible. This solution will be appropriate for both situation 1 and 2 (see Environment section above).

IMPORTANT NOTE: SEPM installed on MACHINE_2 must be the same version as on MACHINE_1 (same release and same language)


RayWagner's picture

I read this article.

In the article "Best Practices for Disaster Recovery with Symantec Endpoint Protection", this paragraph confuses me:

...If you had a catastrophic hardware failure, you may need to rebuild the computer. If you rebuild the computer, you must assign it the original IP address and host name....

I am writing this for the fifth time. I need more detailed help with Disaster Recovery. Do you understand me?

AravindKM's picture

Yes, I am getting you. As far as I know it is like this. The disaster recovery article is basically made for a situation where the SEPM crashed and needs to be rebuilt from backups. Here there is no second SEPM, and the clients have the information (IP address, name) and certificates of the old SEPM. So the new SEPM should have the same IP address and name as the old one. In the article which I linked, we overcome this difficulty by adding the new server's details to the MSL. So the clients will get the information about the new SEPM as well. Is it clear now?


RayWagner's picture

Yes, thanks for your help . ..

So,
1. I install SEPM on the new server.
2. I recover the server certificate.
3. I recover the embedded database.

Further:

4. Log in to the old SEPM on MACHINE_1
5. Click Policies > Policy Components > Management Server Lists > Add Management Server List
6. Click Add > Priority and a new Priority would get added named as "Priority2"
7. Add MACHINE_1 under Priority 2 and add MACHINE_2 under Priority 1, and assign this New Management Server List to all the groups.
8. Clients will then move from old SEPM to new one gradually
9. Stop the "Symantec Endpoint Protection Manager" and "Symantec Embedded Database" service on MACHINE_1 to verify whether all clients now report to the new SEPM on MACHINE_2
10. Once verified that all the clients are reporting into the new SEPM, and have moved away from the old one, proceed to the next step.
11. Uninstall SEPM from MACHINE_1

 

AravindKM's picture

Steps are like this

1. Install SEPM on the new server

2. Restore the database backup and certificates.

3. Reconfigure the server using the Management Server Configuration Wizard

Further

4. Log in to the old SEPM on MACHINE_1
5. Click Policies > Policy Components > Management Server Lists > Add Management Server List
6. Click Add > Priority and a new Priority would get added named as "Priority2"
7. Add MACHINE_1 under Priority 2 and add MACHINE_2 under Priority 1, and assign this New Management Server List to all the groups.
8. Clients will then move from old SEPM to new one gradually
9. Stop the "Symantec Endpoint Protection Manager" and "Symantec Embedded Database" service on MACHINE_1 to verify whether all clients now report to the new SEPM on MACHINE_2
10. Once verified that all the clients are reporting into the new SEPM, and have moved away from the old one, proceed to the next step.
11. Uninstall SEPM from MACHINE_1


Farzad's picture

Please take a look at the video below and check the notes under it:

https://www-secure.symantec.com/connect/videos/changing-sepm-server-name-and-ip-address#comment-5313881

ESET Certified Specialist \ Symantec Certified Specialist  \  MCSE +Security  \  CCNSE

Mark786's picture

I have used the Disaster Recovery method to perform a migration.

Section B) http://www.symantec.com/business/support/index?pag...

which leads to the disaster recovery method here:

http://www.symantec.com/business/support/index?pag...

 

The result of this is that the new SEPM server can see the clients and they are active (green dots).

However, the new server is unable to distribute content to the clients.

Examining the sylink.xml file on a client reveals that the 'new management server list' is correct, i.e. it shows the new server as priority 1 and the old server as priority 2. The problem is that the certificate is from the old server instead of the new one.

Support have so far recommended using the SylinkReplacer tool which is a workaround. The obvious downside being that all the clients must be online (though this can also be added as part of a login script).

Either way, it doesn't seem a great way to migrate SEPM. Using the replication method is not useful either since it's a one way process (the new replica cannot be then set to replicate to a 'newer' server later on).
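
The manual sylink.xml inspection described in the last post (server priority order, then which server certificate the client holds) can be scripted so it runs the same way on every client file. This is an added example, not part of the original thread or Symantec's tooling: the XML element and attribute names and the base64-encoded certificate body are assumptions about the file layout, the certificate bytes are constructed placeholders, and MACHINE_1/MACHINE_2 are the names used in the thread.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
OLD_CERT = b"constructed-old-sepm-cert"  # constructed placeholder, not a real certificate
NEW_CERT = b"constructed-new-sepm-cert"  # constructed placeholder, not a real certificate

def make_sample(cert_bytes):
    """Build a constructed sylink.xml; tag and attribute names are assumptions."""
    blob = base64.b64encode(cert_bytes).decode()
    return f"""<ServerSettings>
  <CommConf>
    <ServerList Name="Migration MSL">
      <ServerPriorityBlock Name="Priority1">
        <Server Address="MACHINE_2"/>
      </ServerPriorityBlock>
      <ServerPriorityBlock Name="Priority2">
        <Server Address="MACHINE_1"/>
      </ServerPriorityBlock>
    </ServerList>
    <ServerCertList>
      <Certificate Name="MACHINE_1">{blob}</Certificate>
    </ServerCertList>
  </CommConf>
</ServerSettings>"""

def fingerprint(cert_bytes):
    return hashlib.sha256(cert_bytes).hexdigest()

def audit_sylink(xml_text, new_server, new_cert_fp):
    """Return findings; an empty list means the file matches the new server."""
    root = ET.fromstring(xml_text)
    findings = []
    blocks = [[s.get("Address", "").lower() for s in b.iter("Server")]
              for b in root.iter("ServerPriorityBlock")]
    if not blocks or new_server.lower() not in blocks[0]:
        findings.append("new server is not in the first priority block")
    trusted = set()
    for cert in root.iter("Certificate"):
        try:  # tolerate line-wrapped base64, reject anything else
            raw = base64.b64decode("".join((cert.text or "").split()), validate=True)
            trusted.add(fingerprint(raw))
        except ValueError:
            findings.append("unreadable certificate entry: " + cert.get("Name", "?"))
    if new_cert_fp not in trusted:
        findings.append("new server certificate is not in the client's file")
    return findings

if __name__ == "__main__":
    print(audit_sylink(make_sample(OLD_CERT), "MACHINE_2", fingerprint(NEW_CERT)))
```

Comparing fingerprints rather than certificate names keeps the check valid when the new server reuses a restored certificate under a different host name.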