Video Screencast Help

Moving SEPM management console to a new server

Created: 31 Jul 2013 • Updated: 31 Jul 2013 | 16 comments

Hello! I recently tried to move SEPM management console to a new server as the old server is going to be decommissioned. I used the Disaster Recovery Method outlined in this article:

I met the criteria for the Replication Method but it was never able to connect to the old server. The old server's Endpoint service crashes often, that's one of the reasons the server is going away and the software is moving elsewhere.

The new machine has been set up as Priority 1 (and the old machine as Priority 2) since Friday, but none of the clients have moved.

When that didn't work, I thought I would use the Sylink replacement tool to update the clients instead, but I don't have a sylink.xml file in C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent. OK, no big deal, I thought, I'll re-export them from the new console.

So on the new server's Management Console I went to Clients, right clicked a group, and selected Export Communiations Settings, but inside the resultant XML file, the server listed is still the old server, not the new one.

If I could somehow force the new instance of the management console to claim all the client computers (or even one of them) then I could get a working sylink.xml file to use with the Sylink replacement utility, I think... just not sure how to do that. If I removed the endpoint protection client from one of my machines and added it back in using the new console, could I then replicate its sylink.xml out to all the other clients?

The other thought I had was to completely disable SEPM on the old server and see if, once that server is completely unreachable, the priority 1 server will kick in.

I'm sure I did something wrong somewhere. If anyone has any ideas how I could possbily get my clients to associate with the new server instead of the old that would be great.


Operating Systems:

Comments 16 CommentsJump to latest comment

Brɨan's picture

Yes, make sure to turn of the SEPM service on the old server. If you configured the MSL correctly, the new clients will point to the new SEPM.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Rafeeq's picture

On the client open the Sylink.xml and see if MSL indeed is reflecting on the client with priority 1.

If yes then its good to turnoff the Old one.

AlexG2490's picture

It doesn't appear that it is reflecting properly, no. Assuming this is the relevant section...

      <ServerPriorityBlock Name="Priority1">
        <Server Address="" HttpPort="8014" HttpsVerifyCA="0" VerifySignatures="1"/>
        <Server Address="" HttpPort="8014" HttpsVerifyCA="0" VerifySignatures="1"/>
        <Server Address="dmx-fs1" HttpPort="8014" HttpsVerifyCA="0" VerifySignatures="1"/>

...that says nothing about my new server. The new server is called FP-01, and neither of those IP addresses are correct for that server.

Rafeeq, your answer seems to be that I should only shut off the old service if this setting is correct. Brian, yours seems to be that I should deactivate it because these aren't correct, forcing the new server to take over. So, one vote either direction... what should I ultimately do?

Brɨan's picture

Go to Policies >> Policy Components >> Management Server Lists and edit it.

Under Priority 1, add the new SEPM and set the old SEPM to Priority 2. Make sure the client take the policy update. once that happens you can turn off the old SEPM.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Rafeeq's picture

Make sure that you applied to all the groups.

click on the client group on the right hand side click on policies

cInder settings, click on communication settings, check the Management server list assigned.

to force the client. You can go to select update policy on the SEP which shows up in the system tray 

AjinBabu's picture


Add the New server MSL properly on Management server list and apply the policy on computers and verify that it is getting reflected?



SameerU's picture


For replication the connectivity between the Old and New server should be always there


pete_4u2002's picture

for priority to set, you should have replication or loadbalance of SEPM.

AlexG2490's picture

I've double checked the Management Server List to make sure the priorities are correct - they are.

I also checked to ensure I'd applied the policy to all the clients, and I had.

However, there is no replication between the two servers; I have not been able to successfully establish replication, which is why I used the disaster recovery method in the first place. The Symantec Endpoint Protection Manager service continues to crash on the old server. I restart it, I connect to the management console, and within 5 minutes, usually less, the service has stopped again and I lose my connection to the management console. I assume that's also why replication won't work, yes?

The old server has proved itself unreliable - that's why I moved to the new one to begin with. Can we for all intents and purposes forget the old server exists at all therefore?

Hypothetically, let's say I've just done a disaster recovery, from my preexisting backup, to a brand new server and want to reconnect my clients. The old server doesn't exist anymore. How can I do this?

Rafeeq's picture

Use the communication deployment wizard

How to deploy/update communication settings from your SEPM to your SEP clients machines with SEP 12.1 RU2

if its 11 use sylink replacer...

AlexG2490's picture

It is indeed version 11. As I said in my original post, I tried the sylink replacer. The instructions in the included PDF say:

The user is prompted to select the "Sylink.xml" file which will be the new sylink.xml copied over to the clients. This can be selected by navigating to the C:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent\"alpha numeric folder for the group."

My agent folder contains 3 subfolders: command, default, and whitelist. There are no "alpha numeric folders" for the groups. Which is why I said:

If I could somehow force the new instance of the management console to claim all the client computers (or even one of them) then I could get a working sylink.xml file to use with the Sylink replacement utility, I think... just not sure how to do that.

Can I force the new console to make a connection of some kind so that I can create a sylink file to replicate out?

Rafeeq's picture

Its on the SEPM server. Whatever the group you create in SEPM, it will have one corresponding alpha numberic folder. C:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent\

Check where you have SEPM installed if its on D, check on that drive.



click on clients tab, at the bottom you will see Export Communciation settings. thats the sylink file. Just export and use  it.

I dont have SEPM here, right click on group and check if export communication setting is available.

AlexG2490's picture

We're getting closer, I think. I was indeed looking at the agent folder on the server. There's still nothing there, but when I did Export Communication Settings, an XML file was produced. I made one for each of our four groups. I had done that step before on the new server but the resultant files still listed FS1 as the certificate server, not FP-01. This time, it's at least listing both, and listing FP-01 as the priority 1 server. So hopefully I can use the sylink replacer, point it at one of the XML files I exported, and that should finally roll everyone over to the new server, right? Then, I assume, once that's done I can remove FS1 from the MSL and that change will roll out to everyone automatically when they sync with the server.

Is that all correct? If so, I'll try it this afternoon and then report back in a couple days with the results.

Rafeeq's picture

Yes that would be it. Please keep us posted. 

Alternately you can create a new group. export the sylink file. new groups will have Default management server list and should list only 1 server. check the sylink.  if it reflects only 1 then you assign the default mangaemetn server list to all your other groups. restart sepm service. export sylink and check..

DMXDirect's picture

Alright, I tried the sylink replacer. It prompted for a password on each of the machines over the weekend and when it didn't get it in time, it moved on and failed. Therefore, the only machine that actually completed the replacer correctly was mine. However, it doesn't appear to have made any difference; my machine is still trying to query the old server for its updates.