Question about remote sites and replication partners
Hi folks,
I have a question on best practice, I think. I have 2 SEPM servers which use a SQL database for the clients. The geographic location of the 2 SEPM servers and the SQL database are the same. I also have about a dozen remote sites along the NW I need to have managed. Previously we had a central parent server and physical child servers at each remote location. Each remote site has a limited AV admin. In order to preserve the management model of the previous version (SAV CE 10.2.2) with SEP, could it be done by setting up folders named after each remote site, under the existing SEP site, creating replication partners at each site and making the regional admin user a limited administrator of the SEP folder named after the remote site?
Example:
Admins->Servers tab:
- LocalSite
  - SEPM server1
  - SEPM server2
  - SQL server1
  - replication partner server - site1
  - replication partner server - site2
  - replication partner server - site3
Clients tab:
- My Company
  - Default Group
  - Office Clients
    - Site1 (custom install package)
    - Site2 (custom install package)
    - Site3 (custom install package)
Could I then set each site admin as a limited admin of their site's group (My Company\Office Clients\Site1) and have central reporting and management still? Does this seem to be the best model for my situation? Open to suggestions.
That is basically what we do
That is basically what we do where I work. We have multiple SEPM domains and give admins rights to those. Some of these SEPM admins may give additional rights to other users via a limited administrator. The decision to use SEPM domains vs. limited administrators is probably something you want to consider. Separate SEPM domains would give your remote site admins more rights and flexibilities. With SEPM domains, they can do just about everything in their domain without affecting the other domains. With the limited administrators, you can force certain settings on them. We end up using both.
Regardless, if you are the full SEPM administrator you get full reporting and rights to change everything, regardless of the SEPM domain or group it resides in.
Eric C. Lukens
IT Security Policy and Risk Assessment Analyst
University of Northern Iowa
Will the HOME summary screen
Will the HOME summary screen include all data from all domains? Do you have a replication partner for those domains or do they all get updated from a central SEPM server?
Hi There, Just as Snekul
Hi There,
Just as Snekul suggested, you shall create groups for your dozen remote sites and create an equal number of limited administrators, and configure Access Rights for each limited admin in a way that each limited admin will manage only his site.
Check out the following links,
http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/0f2ae015671c87a28825756d00677d58?OpenDocument
http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/499a1f023ae6c1a6882575680059e669?OpenDocument
Thanks for the links Swam,
Thanks for the links Swam, happen to have any on how replication partners work? I only have this one. I think this is the correct model but need to determine how to distribute updates across all sites. Is the practice to make distribution partners for each remote site and then set up Live Update policies for them to be used as Group Update Providers? I am just starting to read about these replication partners so it may be a dumb question. I am getting the impression that they replicate the SQL database however you specify but the clients report more or less to the replication partner, but I don't have a lot of info yet outlining the correct usage of them.
What do the local admins need
What do the local admins need to do in the SEPM console? How many computers are at your remote sites?
Each regional admin will need
Each regional admin will need to have the ability to add groups and policies to that region (domain) but will be working off of a standard policy template for all other clients and should not have the ability to change "shared" policies. Each region will have their own Exception Groups and test groups but we also need a standard for public access and autologon devices that have to be standard across the board that only I can modify and are inherited across all domains. Is that possible? I think I need to find more documentation on sites vs. domains?