Houston Security User Group

I installed a new SEPM (v12.1 RU4) on a new server (2008 R2 SP1). SQL Server is 2008 R2 on a different server.

Server clients appeared to have moved without issue. However, in moving some PC clients, I've had several strange things happen:

• Using the SEPM Client Deployment Wizard, some PC clients move and others do not. Some that do move to the new server, actually move back to the old server after about 15 minutes or so.
• Some PC clients stay connected, but do not display a Policy Serial Number in the SEPM. When I remote control the client, it shows the correct Policy Serial Number.
• When I sort the client listing by Name, Health State or Logon User or Computer, I get one listing of computer names. If I sort the same group by any other column, I get a different listing of computer names. It has only been a couple of different clients that I've noticed, but it's enough to cause concern. The number of computers doesn't change on the details page.

Did you use replication method to move the clients ? and then assigned Management server list?

or just used communication deployment wizard?

In the package you created, did you reset the communication/policies, etc? Did you configure your MSL to point to the new server?

Force the client to check in again and see what the result is. Some times it just a little longer to properly reflect.

Can you share a screenshot?

No. No replication. We are not moving all clients to the new server, so I tried using the CDW. When that failed, I also tried using Altiris to deploy SylinkDrop and import the Sylink.xml for their new server. Some went. Some didn't. Some went, but apparently didn't like it there so they didn't stay.

Not moving all clients, so no replication, and no MSL to select.

When you select to update communications, there are no options to reset anything. There is only the option to select the group in which you want to place the computer.

I've done this several times in the past and haven't had this many issues before. Usually I'll just use Altiris to deploy SylinkDrop and a new sylink.xml.

What do you want for a screenshot? The computer listing?

Hi,

Thank you for posting in Symantec community.

* Using the SEPM Client Deployment Wizard, some PC clients move and others do not. Some that do move to the new server, actually move back to the old server after about 15 minutes or so.

--> Need to verify Sylink.xml file for those clients.

* Some PC clients stay connected, but do not display a Policy Serial Number in the SEPM. When I remote control the client, it shows the correct Policy Serial Number.

--> Could you run the management server confugration wizard again.

* When I sort the client listing by Name, Health State or Logon User or Computer, I get one listing of computer names. If I sort the same group by any other column, I get a different listing of computer names. It has only been a couple of different clients that I've noticed, but it's enough to cause concern. The number of computers doesn't change on the details page.

--> Make sure SQL database maintenance is happening regulary. Especially make sure after new install of SEPM database maintenance has taken place.

See this articles does help you

http://www.symantec.com/business/support/index?page=content&id=TECH93617

Thanks, but I'm not re-installing the client. I'm only moving them from one server to another.

whats the problem you are facing with CDW? its successful but clients do not report to new sepm?

or you get access denied error?

I worked on SCCM but no with Altiris, is there a way to pull the report to check that sylink replacement was success?

CDW says successful. As mentioned previously, some clients connect to the new server and stay. Others connect for a little while and then go back to the old server. Still others do not connect at all.

Altiris status says the job ran successfully. The job just copies SylinkDrop and Sylink.xml to the PC and silently imports Sylink.xml.

Out of curiosity have you gotten the sylink to copy to machines running 12.1? I have no problems with 11.x machine, but, some 12.1 machines are not so cooperative.

Verify Sylink.xml for those clients? Want me to determine the new location of sylink.xml on each client then copy it somewhere I can look at it? These clients are in a different state doing work to make the company money. I can't just interrupt all of them because of something like this.

Run the management server configuration wizard again? Just wondering... what does that do for me?

SQL Database maintenance. What are you looking for? The database is backed up nightly.

Create an another job in Altiris to delete

Sylinkex.bak (or Sylink.ex, I forgot the name actually :) ) and Sylink.bak files and then replace the new Sylink

For the most part, I've used CDW to do the move. Where that didn't work, I used Altiris to copy SylinkDrop.exe and Sylink.xml to the workstations. I then ran sylinkdrop.exe to silently import sylink.xml.

These are techniques I've used successfully in the past. I'm pretty sure I've done it with 12.1 clients, but I could be wrong. We've used Symantec (SAV and SEP) for over 10 years, and there have been several server changes over the years.

I'll have to dig up the new location of Sylink.xml and try to retrieve it from a workstation to verify it.

Ok. So how stupid can I get? As for the computers being different when I sorted on different items? Turns out I forgot that Symantec hid the "Results per page" in the Filter button. ARRRGGGGGHHHH!!!

Still need help getting clients from the old server to the new. Trying to retrieve sylink.xml now. Problem is 64-bit and 32-bit clients, and some on different versions of SEP, so because Symantec put version numbers in the folder names, it'll take some time to get that information.

All you need to do to get a sylink.xml from your new SEPM is to go to Clients and right click a client group and choose "Export Communications Settings..."

MJD

Well, I think I've found the quickest way to move clients between servers. Even worked on computers on which I was getting access denied errors. And yes, I was using Domain Admin credentials for the CDW transsfers.

I recalled reading something similar to this somewhere else on Connect. Here's what I did:

1. On the new SEPM, export the communications data for the group where you want the computers to go. In my case, I have multiple groups for multiple locations.
2. On the old SEPM, create a "Move" group/folder.
3. Remove the "Inherit Policies..." setting on the Policies tab.
4. Remove all policies from the "Move" group - just to remove any .
5. On their old folder, Change Communications Settings to "Push mode" and a Heartbeat Interval of about 5 minutes. I have fairly high bandwidth between sites, so this isn't an issue for me. You may want to double-check with your network team before making the Heartbeat Interval change so low.
6. Still on the old SEPM, go to the Details tab for the "Move" group and find the Group ID number.
7. Still on the old SEPM, find the folder with that Group ID as its name located here: InstallationDrive:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent
8. Rename sylink.xml in that folder to something else - sylink.bak
9. Copy the sylink.xml from the new SEPM into that folder and make sure to rename it to sylink.xml if it isn't already.
10. In the old SEPM, move all computer objects into the "Move" folder.
11. On the new SEPM, watch the computers appear!

See my previous posts... That wasn't working.

Good one !! outbox is where the clients will check for any changes wrt to policies , I think they grabbed the new sylink from there, will help many. :) 

Very interesting. Thanks for posting it.