Endpoint Protection


SEP 12: Clients "offline" after new server deployed


  • 1.  SEP 12: Clients "offline" after new server deployed

    Posted Sep 01, 2011 03:04 PM

    We have a server called AV1 that was upgraded to SEP 12. We need to shut down that server eventually so I added a new server called AV2 and made it a replication partner to AV1. No problems there; the server is operational and I can deploy packages, etc. 

    Now I want all the clients to default to the new AV2 server instead of the AV1 server so I can shut it down. Some clients show as online when I look at the AV2 console, but the vast majority of clients show "offline" as their Health State and don't seem to be connecting to AV2.

    What do I need to do to get all clients managed by AV2 so I can shut down and get rid of AV1? How do I fully decommission AV1?

    Thanks,

    Mark



  • 2.  RE: SEP 12: Clients "offline" after new server deployed

    Posted Sep 01, 2011 03:34 PM
    • Try to connect the OLD SEPM again so all clients can show online.
    • Then change the management list (in policies) to make the NEW SEPM as priority 1.
    • Check that all clients have the new policy number.
    • From the NEW SEPM, remove the OLD SEPM replication

    You can export a computer status log to check that all servers are connecting to the NEW SEPM. You can also check if the clients can connect to the NEW SEPM via telnet on the port 8014 (default).

    P.S. Make sure to replicate everything (logs, contents, policies) to the NEW SEPM before removing the replication.



  • 3.  RE: SEP 12: Clients "offline" after new server deployed

    Posted Sep 01, 2011 03:53 PM

    Perfect-- thanks for the help. I've started to do these things now. I'll let you know how it goes.



  • 4.  RE: SEP 12: Clients "offline" after new server deployed

    Posted Sep 07, 2011 09:29 AM

    I followed the outlined steps you posted, Yahya, and it appears I am on the right track. Both servers are still online, synchronizing, and essentially display the same data. But there are some other issues that still don't seem right to me:

    1. The servers show 700+ endpoints, which is correct. But both servers show 500 of them are offline. The clients in question are not offline because we can ping them.

    2. Some of these offline clients might have been deployed using version 10. Since we're in a school system, the computers were off all summer while we upgraded to version 12 on the servers. Would this cause an issue?

    3. Even though I changed the Management Server list to have the new server as the top priority, I still see several clients listing "Online On Remote Site" when I view them from the new server. Will these switch over automatically when I shut down the old server?

    Thanks!



  • 5.  RE: SEP 12: Clients "offline" after new server deployed



  • 6.  RE: SEP 12: Clients "offline" after new server deployed

    Posted Sep 07, 2011 10:53 AM

    Hi Rafeeq,

    I had created a new management server list and then assigned all groups and locations to it. However, I am not sure I created it correctly. So what I did a few minutes ago was to reassign all locations and groups to the default server list that was automatically generated by the new management server. I figured this was the best method since it contained the new server as the top priority and would have the correct information as it was automatically configured.

    I will now wait to see what occurs. Do you think this is the underlying reason for all the problems I posted recently (500 offline clients, etc)?

    Thanks



  • 7.  RE: SEP 12: Clients "offline" after new server deployed

    Posted Sep 07, 2011 11:26 AM

    many reasons for it

    before u come to a conclusion u need to check the sylink.xml file in the c:\program files\symantec\symantec endpoint protection. if it has the desired priority listed, then u can remove or delete the old one



  • 8.  RE: SEP 12: Clients "offline" after new server deployed

    Posted Sep 07, 2011 04:22 PM

    The sylink file on the original server has the correct priority listed. I did not see one on the new server, though. Should there be one there as well?



  • 9.  RE: SEP 12: Clients "offline" after new server deployed

    Posted Sep 07, 2011 09:20 PM

    if you have assigned new MSL to all groups then all clients should have new server info too



  • 10.  RE: SEP 12: Clients "offline" after new server deployed

    Posted Sep 08, 2011 09:16 AM

    The management server list settings are correct and were assigned to all clients. However, the majority of clients are still listed as "offline" under Health State in both servers' SEPM consoles. I know they are on the network because I can ping them. How can I fix this?



  • 11.  RE: SEP 12: Clients "offline" after new server deployed

    Posted Sep 08, 2011 09:26 AM

    does it work if u replace sylink from the client which has the green dot?



  • 12.  RE: SEP 12: Clients "offline" after new server deployed

    Posted Sep 08, 2011 11:01 AM

    Now we're getting somewhere.  There are a few issues in this regard.

    1. When initially installing a new server I had assigned the IP address 192.168.1.80. I later had to change this address to 192.168.1.20. I see a lot of sylink files on the offline computers that still show this old IP address. No wonder they're offline... I changed the server IP when they weren't turned on. Now I feel dumb!

    2. It appears some computers have the sylink file located in c:\program files\symantec\symantec endpoint protection, while some other clients have the sylink file located in c:\program files\symantec AntiVirus. Would this be due to a version difference?



  • 13.  RE: SEP 12: Clients "offline" after new server deployed

    Posted Sep 08, 2011 11:18 AM

    It should not create any issue. When you are doing a fresh installation of SEP11 it will get installed under :\program files\symantec\symantec endpoint protection. When you are doing upgrade from SAV to SEP 11, SEP will get installed under c:\program files\symantec AntiVirus



  • 14.  RE: SEP 12: Clients "offline" after new server deployed

    Posted Sep 08, 2011 11:42 AM

    To get all these computers pointed in the right direction and back online with the server, I plan to write a script that will run through Group Policy. The script will copy the correct SYLINK file from a network share to the appropriate directory on the client. With the proper SYLINK file in place, the clients should come back online automatically. Is this accurate?

    (Edit: I tried this and it says the SYLINK file is in use and cannot be edited. It appears I'll have to find another way to do this.)



  • 15.  RE: SEP 12: Clients "offline" after new server deployed

    Posted Sep 08, 2011 11:54 AM

    For replacing sylink file, you have to stop smc service first. You can use smc -stop command for this. For starting this service you can use smc -start command



  • 16.  RE: SEP 12: Clients "offline" after new server deployed

    Posted Sep 09, 2011 12:03 PM

    There might be something else going on with the configuration. I had an old laptop on my desk that was not plugged in. I put the proper SYLINK file on it after booting it up and it was still showing as "offline" in the SEPM console. It was on version 11 (servers are version 12.) I pushed out the new package to the client using the server and then rebooted. When the laptop booted up it had the new version 12 installed and the yellow shield icon in the lower right of the computer has the green dot on it. However, it is STILL displaying as "OFFLINE" in both servers' SEPM consoles.



  • 17.  RE: SEP 12: Clients "offline" after new server deployed

    Posted Sep 15, 2011 02:47 PM

    Okay, I've had it with this thing. It's now a complete mess. Maybe with all these details someone can figure out what's wrong:

    1. Two servers: the original is HSAV1, the new one is HSAV2.

    2. The two servers are replicating.

    3. The Management Server List (with HSAV2 as the primary) has been assigned to all groups.

    4. The servers are version 12, and the clients are all version 11. I created a package using HSAV2 and deployed it to the clients.

    When I shutdown the HSAV1 server, the vast majority of the clients (600+ out of the 800 deployed) show as OFFLINE when I view the Endpoint Status window on HSAV2 management console. When I turn HSAV1 back on, they gradually come back to the "ONLINE" status. Why they are not looking at the new server I have no idea. Shouldn't the clients update their SYLINK.XML file automatically when I deploy the new package or because they are assigned it in the MSL?

    Also, dozens of the clients that are ONLINE have an icon that looks like a downward-facing orange arrow and a red X. I assume this means they are disabled for some reason.

    I'm working with 800 systems in 9 remote locations. There's gotta be a way to fix this without going to every system and reinstalling or replacing XML files.



  • 18.  RE: SEP 12: Clients "offline" after new server deployed

    Posted Sep 16, 2011 12:46 AM

    use the sylink remote tool, first get all the machines under 1 server, 

    once they are reporting to the console, then we can put them in groups and assign MSL etc, etc,



  • 19.  RE: SEP 12: Clients "offline" after new server deployed

    Posted Sep 16, 2011 03:06 PM

    I think I am on the right track now. I will post back once I have finished up the initial tasks you mentioned.



  • 20.  RE: SEP 12: Clients "offline" after new server deployed

    Posted Sep 21, 2011 03:25 PM

    Rafeeq, I can't seem to figure out how to use Sylink Remote under SEP 12. Any advice on that?



  • 21.  RE: SEP 12: Clients "offline" after new server deployed

    Posted Sep 22, 2011 03:28 AM


  • 22.  RE: SEP 12: Clients "offline" after new server deployed

    Posted Sep 22, 2011 05:35 AM

    I would like to see a new version of sylink remote. I know the sylink replacer tool is more supported and has more features but mostly I need only the sylink remote tool for most behaviours...



  • 23.  RE: SEP 12: Clients "offline" after new server deployed

    Posted Sep 23, 2011 10:59 AM

    All the clients are reporting to the new server. The current Sylink.xml file on all clients lists the new server AV2 as the primary, and the old server AV1 as the secondary. However, I noticed a line in the sylink file that says "NameSpace="rpc"/></ServerPriorityBlock></ServerList><ServerCertList NameSpace="rpc"><Certificate Name="AV1". The two servers are still replication partners, so perhaps it has something to do with that.

    Which brings me to the next step: I know how to delete the old server, AV1, as a replication partner (On AV2 console:  Admin --> Servers --> Local Site --> Replication Partner, DELETE) but is there anything further I need to do to permanently shut down and delete the old AV1 server? Does it need to be online for any of these steps? I currently have it shut down.
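
Added example, not part of the original thread and not a Symantec tool: a small Python audit for Sylink.xml copies collected from clients, covering the checks discussed in posts 7, 12 and 23 (which server is listed first, and whether an abandoned address such as 192.168.1.80 is still present). Only the element names quoted in post 23 come from the page; the `ServerSettings` root, the `Server` element with its `Address`/`HttpPort` attributes, and the rule that the first `ServerPriorityBlock` is priority 1 are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real client file. ServerList, ServerPriorityBlock,
# ServerCertList and Certificate are quoted in the thread; the ServerSettings root
# and the Server element with Address/HttpPort are assumed for this example.
SAMPLE_SYLINK = """<ServerSettings NameSpace="rpc">
  <ServerList Name="Default" NameSpace="rpc">
    <ServerPriorityBlock Name="List0" NameSpace="rpc">
      <Server Address="192.168.1.80" HttpPort="8014" NameSpace="rpc"/>
    </ServerPriorityBlock>
    <ServerPriorityBlock Name="List1" NameSpace="rpc">
      <Server Address="AV1" HttpPort="8014" NameSpace="rpc"/>
    </ServerPriorityBlock>
  </ServerList>
  <ServerCertList NameSpace="rpc"><Certificate Name="AV1">placeholder</Certificate></ServerCertList>
</ServerSettings>"""


def audit_sylink(xml_text, expected_primary, retired=()):
    """Return (servers, cert_names, findings) for one Sylink.xml document."""
    root = ET.fromstring(xml_text)
    servers = []  # (priority, address, port); assumed: first block in the file = priority 1
    for prio, block in enumerate(root.iter("ServerPriorityBlock"), start=1):
        for srv in block.iter("Server"):
            servers.append((prio, srv.get("Address", ""), srv.get("HttpPort", "")))
    cert_names = [c.get("Name", "") for c in root.iter("Certificate")]

    findings = []
    expected = {a.lower() for a in expected_primary}
    retired_set = {a.lower() for a in retired}
    top = [addr.lower() for prio, addr, _ in servers if prio == 1]
    if not servers:
        findings.append("no management servers listed")
    elif not expected.intersection(top):
        findings.append("priority 1 does not list the expected server: " + ", ".join(top))
    for prio, addr, _ in servers:
        if addr.lower() in retired_set:
            findings.append("retired address %s still listed at priority %d" % (addr, prio))
    return servers, cert_names, findings


if __name__ == "__main__":
    # In the thread the new server moved from 192.168.1.80 to 192.168.1.20.
    result = audit_sylink(SAMPLE_SYLINK, {"AV2", "192.168.1.20"}, {"192.168.1.80"})
    for problem in result[2]:
        print(problem)
```

Certificate names are returned for review only; the thread does not establish whether a leftover `Certificate Name="AV1"` entry matters, so the function does not flag it.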



  • 24.  RE: SEP 12: Clients "offline" after new server deployed

    Posted Sep 23, 2011 11:07 AM

    Nope, just delete it.



  • 25.  RE: SEP 12: Clients "offline" after new server deployed

    Posted Sep 23, 2011 12:03 PM

    Can I delete the remote site as well?



  • 26.  RE: SEP 12: Clients "offline" after new server deployed

    Posted Sep 23, 2011 12:11 PM

    if not used and nothing to do , delete it :)



  • 27.  RE: SEP 12: Clients "offline" after new server deployed

    Posted Sep 23, 2011 01:19 PM

    I think I am finally all set with everything.  Thank you so much for the guidance. The last thing I want to do is clean up the console. In the clients section, I had initially imported all the different AD containers. It appears when I did that, even computers without the protection installed are displayed in the console. What is the best way to remove all this and start creating groups from scratch? If I delete the groups, will all the existing clients report to the server and start populating in the "Default Group"?



  • 28.  RE: SEP 12: Clients "offline" after new server deployed

    Posted Sep 23, 2011 02:40 PM

    check this document

    http://www.symantec.com/business/support/index?page=content&id=TECH97371

    if u remove AD OU , then clients will report to default group

    u can then create new groups and move them, if u want to delete duplicate clients in 

    SEPM u can use the above doc



  • 29.  RE: SEP 12: Clients "offline" after new server deployed

    Posted Sep 26, 2011 04:35 PM

    "Also, dozens of the clients that are ONLINE have an icon that looks like a downward-facing orange arrow and a red X. I assume this means they are disabled for some reason. "

    Have/had this issue too. Any chance these are 64-bit clients?

    I finally had to place 64-bit clients in to a group that contained only the 32-bit install package to get them to "green dot".