Endpoint Protection

Background: I have an AD structure that's replicating to our SEPM's. Hosts check in and show a 'green' dot which signifies that the SEP client is checking in correctly. This doesn't seem to be the case.

Problem: The SEP clients are installed correctly on the host(s), pulling down policy, pulling down definitions, but do not appear correctly in the SEPM console. The only object within the SEPM is the AD object, but not the actual 'check-in' icon showing a green dot. There are plenty of licenses as well and the communication between the client and server is functioning correctly. It just seems that the SEPM console cannot verify and shows the client as 'Offline' and has never checked into the console.

Note: I've blanked out the hostnames for security purposes.

HI,

Check these Article:

How to repair duplicate IDs on cloned Symantec Endpoint Protection 12.1 clients

http://www.symantec.com/docs/TECH163349

How to prepare a Symantec Endpoint Protection 12.1 client for cloning

http://www.symantec.com/connect/articles/duplicate-sep-clients-appear-symantec-endpoint-protection-manager-console

HI,

Try this thread also

https://www-secure.symantec.com/connect/forums/duplicate-clients-name-sepm

was SEPM rebuilt?

check the communication troubleshooting

http://www.symantec.com/docs/TECH160964

No, there aren't any duplicates... because if I do a search function on a particular host... only one exists and that's the AD object that's replicated.

pete_4u2002: No, the SEPM wasn't rebuilt. I'll check your article out though.

HI,

All the client showing Offline ?

First try running Sync Now. ( In SEPM - Clients -right click on the AD group in which those clients are present and click "Sync Now"
 

For one of the clients that aren't showing 'Offline' in the SEPM console I can ping and it's replying. I can also ping the server from the client. I've also verified that an active connection is happening from the client to the server over 8014. Any other ideas?

HI,

try to one system and check

How to repair duplicate IDs on cloned Symantec Endpoint Protection 12.1 clients

http://www.symantec.com/docs/TECH163349

I performed a Sync now. No difference. One thing I did verify is that the AD object is sitting where its supposed to be, but the policy the client is grabbing is from another OU. Yet, that client doesn't exist in the OU that the policy is being pulled from.... ??? I'm just going to call support.

No, that's not a proper solution. There aren't any duplicate ID's....

Hi,

Check this thread and break the sync with AD and check

https://www-secure.symantec.com/connect/forums/sepm-groups-and-ad-sync

Have you checked out Max2U's second link?

The behaviour you're seeing is consistent with when SEP is included in a machine image but not scrubbed of the hardware ID.  This leads to all clients using the same hardware ID and associating themselves to a single client record on the SEPM.

The below article tells you how to repair a cloned SEP client:

http://www.symantec.com/docs/TECH163349

These were done with a sysprep, different SIDS across the board... Like I said, not a duplicate issue. I'm going to try and rebuild the indexes of the database and give that a shot.

SEP Doesn't use the Windows SID, but its own proprietry hardware ID for client management.  I'd suggest at least walking through my linked article on a test client to see if this is your issue.

This resolves the issues on machines that were built from an image that had SEP included in it, and is not related to duplicate client records.

Duplicates is what happens if SEP clients fail to remember their hardware ID and generate a new one regularly.  So it's similar in that it is hardware ID related, but rather the opposute effect and cause of what you seem to be experiencing.

Like I say, test out the article I linked and see how you go.

SMLatCST your suggestion didn't fix the issue.