
To rebuild or not to rebuild - my embedded DB RU6 SEPM.


  • 1.  To rebuild or not to rebuild - my embedded DB RU6 SEPM.

    Posted Jul 23, 2015 09:44 AM

    So I have a SEPM on a network with very few (< 50) clients (all servers).

    The SEPM is running 12.1.6 with an embedded DB and is synced to AD.

    The clients are running a mix of RU5 and RU6.

    Of the 50 machines on this network, about half appear in the SEPM as if they have never connected. But on the client I not only have a green dot, but SECARS works, and in troubleshooting it shows me connected to the server with a "Last Connected" of under ten minutes. Also, if I make a change to the policy on the SEPM, it is soon reflected on the client.

    So the client thinks everything is just peachy...but still, the SEPM will not show anything other than the object it found when syncing with AD.

    I dug into the embedded database and can see that it "sees" my client in the Default Group, but it does not show up on the SEPM in the Default Group either.

    I just don't get it...all I can guess is that the DB is corrupt in some way, that is why I am thinking that a Disaster Recovery rebuild (I have all the files and cert backed up) and a fresh DB may be the easiest fix.

    Before I do that, any other suggestions?

    Thanks!!

    -Mike



  • 2.  RE: To rebuild or not to rebuild - my embedded DB RU6 SEPM.

    Posted Jul 23, 2015 10:11 AM

    Can you run the symhelp tool on it and see if it shows any errors?



  • 3.  RE: To rebuild or not to rebuild - my embedded DB RU6 SEPM.

    Posted Jul 23, 2015 10:14 AM

    On the SEPM or the client?



  • 4.  RE: To rebuild or not to rebuild - my embedded DB RU6 SEPM.

    Posted Jul 23, 2015 10:23 AM

    Actually, it could be possible the client has a duplicate HWID; maybe try deleting it and re-creating:

    http://www.symantec.com/docs/TECH97626

    I've dealt with this before.



  • 5.  RE: To rebuild or not to rebuild - my embedded DB RU6 SEPM.

    Posted Jul 23, 2015 10:48 AM

    I wrote a utility (front end for RepairClonedImage.exe) for deleting/regenerating the HWID...ran it with no change on the SEPM. Typically the dupe HWID machines will connect to the SEPM, just not maintain the green dot. I've also cleanwiped the client (including a manual reg cleanup after the cleanwipe finished). Also used Ghostbuster to delete old EraserUtilDrv's (very handy tool).

    As far as SymHelp goes:

    On the server, the only error is: The process dbsrv16 is listening on the Symantec Endpoint Protection Manager default port 2638.

    On the client: There are no unexpected errors.

    Thanks for the suggestion,

    -Mike

     



  • 6.  RE: To rebuild or not to rebuild - my embedded DB RU6 SEPM.

    Posted Jul 23, 2015 10:58 AM

    Interesting. What I've seen with 12.1 is they have a duplicate HWID but the client has the green dot and it appears all is working. It updates and grabs policy changes. But sounds like you've already looked at this extensively.



  • 7.  RE: To rebuild or not to rebuild - my embedded DB RU6 SEPM.

    Posted Jul 23, 2015 11:08 AM

    Had I not cleanwiped and re-installed RU6 on the client machine I'm testing with, I would have said that maybe my HWID reset process is not functioning, but with the new client I should also have gotten a new HWID and ClientID.

    Yeah, it's got me boggled and with the complexity of our environment, I didn't think a support case would be worthwhile. I guess a fresh DB via the DR process is my next step.

    Thanks for the suggestions amigo,

    -Mike



  • 8.  RE: To rebuild or not to rebuild - my embedded DB RU6 SEPM.

    Posted Jul 23, 2015 12:03 PM

    I ran through a similar issue a while ago. The cause of that issue was AD integration and importing the group from AD. If possible, try the following steps. It worked for me.

    1) Delete the groups in SEPM that are imported from AD.

    2) Set the option "Delete clients that are not connected for X days" to "1".

    3) Wait for 2 days.

    4) Import the groups from AD again.



  • 9.  RE: To rebuild or not to rebuild - my embedded DB RU6 SEPM.

    Posted Jul 23, 2015 12:19 PM

    Thanks for the tip Seyad...I tried some of what you suggested already.

    I set the "Delete clients that have not connected..." to 1 day, rebooted the SEPM and gave it about 6 hours...there was no change.

    I will instead follow your steps above and give it until Monday before I re-sync/re-join with AD.

    -Mike :-)



  • 10.  RE: To rebuild or not to rebuild - my embedded DB RU6 SEPM.

    Posted Jul 23, 2015 12:40 PM

    By any chance are you running the SEPM on a client O/S like WIN XP or WIN 7?



  • 11.  RE: To rebuild or not to rebuild - my embedded DB RU6 SEPM.

    Posted Jul 23, 2015 12:58 PM

    Nope, none of my SEPMs are on workstation class machines or OSes...this particular box is running Server 2008R2.



  • 12.  RE: To rebuild or not to rebuild - my embedded DB RU6 SEPM.

    Posted Jul 23, 2015 01:46 PM

    OK, just out of curiosity, is there more than one SEPM domain in your SEPM?



  • 13.  RE: To rebuild or not to rebuild - my embedded DB RU6 SEPM.

    Posted Jul 23, 2015 02:07 PM

    Ha, interesting question...why yes. On this one SEPM there was a primary domain and a sub (second) domain.

    Up until yesterday there was also a second SEPM being used as a replication partner...but with the client issues I was seeing, I broke the replication and shut it down.

    The primary SEPM was set to priority 1, and the second SEPM was at priority 2...so essentially all the clients were/are reporting to the primary SEPM.

    Sounds like you may have some wisdom for me... :-)

     



  • 14.  RE: To rebuild or not to rebuild - my embedded DB RU6 SEPM.
    Best Answer

    Posted Jul 23, 2015 02:33 PM

    Could you please try switching to the other domain in this SEPM and make sure the client is not reporting there? This could very well be a possibility.



  • 15.  RE: To rebuild or not to rebuild - my embedded DB RU6 SEPM.

    Posted Jul 23, 2015 03:13 PM

    Mike,

    The "Delete clients that have not connected" option will not work effectively on clients that are imported from AD. That is why we need to delete the imported groups first. Please try the steps and hopefully that will work.

    Note: Beware that when you remove the groups imported from AD, all the clients will start reporting to the "Default group". So, make sure that you set the policies in the default group as per your needs before deleting the AD imported groups.



  • 16.  RE: To rebuild or not to rebuild - my embedded DB RU6 SEPM.

    Posted Jul 23, 2015 03:42 PM

    Well slap me with bread and call me a sandwich! Sure enough, the missing machines which are joined to domain one are appearing in the Default Group of domain two...now how the heck is that happening?? And I wonder if I delete those machines from domain two, if they will then migrate back over to domain one.

    Weird?!?

    I guess I don't "have" to wipe out the DB and start fresh, but weirdness like this makes me want to...

    Thanks Praveen, I really appreciate the help.

    -Mike