SEPM moving from one server to another??

Created: 29 May 2008 • Updated: 21 May 2010 | 29 comments
This issue has been solved. See solution.
How do I move the manager with all the data it contains from one server to another? Which folders have to be moved to the new installation of SEPM on the new server? Do I have to do it, or will the new SEPM just find all computers in the company as unmanaged computers and reinstall SEP with new certificates?

Siegfried's picture

Hi,

It's very interesting for me too, because I want to move it from one of my domain controllers on an old server.

Regards,

Siegfried

Abhishek Pradhan's picture
Watch this space. I'll post the steps in a few hours.

Abhishek Pradhan, PMP, MCT
Blog: http://blog.abhishekpradhan.net | SIG Lead - Pune IT Pro (Microsoft Pune User Group) | http://www.puneusergroup.org

Abhishek Pradhan's picture

Here you go.....


How do I move Symantec Endpoint Protection Manager from one server to another with a different IP address and Host name

Question/Issue:

How do I move Symantec Endpoint Protection Manager from one server to another with a different IP address and Host name?

Symptoms:
Need to move Symantec Endpoint Protection Manager from one server to another with a different IP address and Host name

Solution    
Follow the steps below to move Symantec Endpoint Protection Manager from one server to another with a different IP address and Host name:

1. Install Symantec Endpoint Protection Manager on the new server
2. In the Management Server Configuration Wizard panel, check Install an additional site, and then click Next
3. In the Server Information panel, accept or change the default values for the following boxes, and then click Next
4. Installing and configuring Symantec Endpoint Protection Manager for replication

   - Server Name
   - Server Port
   - Server Data Folder

5. In the Site Information panel, accept or change the name in the Site Name box, and then click Next
6. In the Replication Information panel, type values in the following boxes:

   - Replication Server Name (the name or IP address of the old Symantec Endpoint Protection Manager)
   - Replication Server Port (the default is 8443)
   - Administrator Name (the username used to log on to the old console)
   - Password (the password used to log on to the old console)

7. Click Next
8. In the Certificate Warning dialog box, click Yes
9. In the Database Server Choice panel, do one of the following, and then click Next

   - Check Embedded database, and complete the installation.
   - Check Microsoft SQL Server, and complete the installation.

Note: While configuring the new server we can choose either SQL or Embedded, as this process is independent of the previous database type.

10. Log in to the new Symantec Endpoint Protection Manager (SEPM) and ensure that all the clients and policies are migrated successfully
11. Click Policies
12. Click Policy Components
13. Click Management Server Lists
14. Click Add Management Server List
15. Click Add > Priority and a new Priority would get added named as Priority2
16. Add the old server under Priority2 and add the new one under Priority1
17. After the successful migration, uninstall the old Symantec Endpoint Protection Manager (SEPM)




Abhishek Pradhan, PMP, MCT
Blog: http://blog.abhishekpradhan.net | SIG Lead - Pune IT Pro (Microsoft Pune User Group) | http://www.puneusergroup.org

SOLUTION
Dabbler's picture

Is there a way to do the move if both servers have the same IP/Machine Name/Domain? I've used sbsmigration.com's Swing Kit to move A/D off an old server onto a new one. The purpose of Swing Migration is to make the replacement of the server look transparent to the users; it keeps profiles, shares etc. intact. But the result is I can't have both machines on a LAN at the same time, so it would be good if I can detach/copy/attach a database or some such mechanism.

Also installing the latest version of SEPM (MR2 MP1) on the new server vs MR1 on the old server.

I have < 10 clients so any manual effort would be minimal.

Any suggestions would be appreciated.

Thanks!

Michael

Abhishek Pradhan's picture

Hi Michael,

Are you using the embedded DB or a SQL DB for the SEPM?

Abhishek Pradhan, PMP, MCT
Blog: http://blog.abhishekpradhan.net | SIG Lead - Pune IT Pro (Microsoft Pune User Group) | http://www.puneusergroup.org

twpclip's picture

After entering the replication information:

Replication Server Name
Replication Server Port
Administrator Name
Password

and clicking Next, I get the certificate warning dialog, then click Yes.

At this point I receive an "Unable to connect to the server specified" error.

I click OK in the error dialog. Then the "Symantec Endpoint Protection Manager" service is stopped on the original server.

Any ideas?

twpclip's picture

Answered my own question.

I remembered Symantec Backup Exec as having a problem with passwords that contained special characters like $. I changed the admin password on the original server and it connected fine.

Stan 2's picture

Do they have to be the same version/build?

Currently my SEPM and all clients are 11.0780, and I would like to set up the new server as 11.2000, then upgrade all the clients on the new server.

Or should I upgrade the old SEPM first, then move all the clients, then upgrade the clients?

Thanks.

Scott

David-Z's picture

Yes, they have to be the same version. Upgrade your old SEPM to 11.0.2000 and then move and upgrade the clients.

Hope that helps!

David Z.

Senior Principal Technical Support Engineer

http://www.symantec.com/business/support/index?page=landing&key=54619

HotRob's picture

2. In the Management Server Configuration Wizard panel, check Install an additional site, and then click Next

I have just installed MR3 and had three options. For me, when selecting "Install an additional site", it wanted to overwrite the user data in the existing database, so I went back and selected "Install an additional Management Server".

This seems to have worked. Not sure if it's just the new version having this additional option? But I didn't want to wipe my database clean.

Cheers,

Rob

Message Edited by HotRob on 10-06-2008 12:30 PM
coozoe's picture

I just followed these steps and now the clients won't connect. The sylink.xml and the profile.xml files still refer to the old server. These are in symantec endpoint manager\data\outbox\agent in various folders. I corrected these and did a sylinkdrop on my own client, and it did not work.

SUMMU's picture

Yes, I have done exactly the same, but the clients won't connect to the new management server. Though the priority has been changed, and in fact the old server has been removed from any management server list, the clients still don't connect to the new management server.

The clients in the new management server show a red arrow mark and the old server shows clients online though it has been removed from the management server list.

Please suggest a solution to resolve this.

HotRob's picture

Hi,

I did the move but missed steps 10-17, so none of the clients would connect to the new server. I went back and added the new Management server list with the two server names as specified in steps 15 and 16 and still the machines wouldn't connect.

So I did the following to sort it out:

1) I searched the new server for the most recent sylink.xml file and, opening it in Wordpad, checked that it had both the old and new server names I'd just entered. You should see something like this (but don't copy this text, as each certificate code is unique for each server, I believe):

<?xml version="1.0" encoding="UTF-8"?>

<ServerSettings DomainId="C33A55330ADE64C900154F34331523D0" NameSpace="rpc">

<CommConf>

<AgentCommunicationSetting AlwaysConnect="1" CommunicationMode="PUSH" DisableDownloadProfile="0" Kcs="11771C57D7F3865DC4813E470AC106AE" PushHeartbeatSeconds="300" RandomizationEnabled="1" RandomizationRange="300" UploadCmdStateHeartbeatSeconds="300" UploadLearnedApp="0" UploadLogHeartbeatSeconds="300" UploadOpStateHeartbeatSeconds="300"/>

<ServerList Name="New Management Server List">

<ServerPriorityBlock Name="Priority1">

<Server Address="xxx.xxx.xxx.xxx" HttpsVerifyCA="0" VerifySignatures="1"/>

<Server Address="newservername" HttpsVerifyCA="0" VerifySignatures="1"/>

</ServerPriorityBlock>

<ServerPriorityBlock Name="Priority2">

<Server Address="xxx.xxx.xxx.xxx" HttpsVerifyCA="0" VerifySignatures="1"/>

<Server Address="oldservername" HttpsVerifyCA="0" VerifySignatures="1"/>

</ServerPriorityBlock>

</ServerList>

<ServerCertList>

<Certificate Name="oldservername">MIICPDCCAaUCBEjsAgIwDQYJKoZIhvcNAQEFBQAwZTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNB&#xd;

MRAwDgYDVQQHEwdGcmVtb250MRUwEwYDVQQKEwxzeW1hbnRlYy5jb20xDDAKBgNVBAsTA3NjbTES&#xd;

MBAGA1UEAxMJZ2Nha2xpdDAxMB4XDTA4MTAwODAwNDI0MloXDTE4MTAwNjAwNDI0MlowZTELMAkG&#xd;

A1UEBhMCVVMxCzAJBgNVBAgTAkNBMRAwDgYDVQQHEwdGcmVtb250MRUwEwYDVQQKEwxzeW1hbnRl&#xd;

Yy5jb20xDDAKBgNVBAsTA3NjbTESMBAGA1UEAxMJZ2Nha2xpdDAxMIGfMA0GCSqGSIb3DQEBAQUA&#xd;

A4GNADCBiQKBgQCpRuW0IPVJ30kU8AY8JaFBbzCc3xEwOfDYVfSf2zlPxi8QEGoECIlDib0NfHyi&#xd;

GTaTx/gfHCWhRhta3CtaxZl8lvTBEIoWTxlGSGm7FMxtK0IZ1Ogy2UqjRbOSVzoLM44zvwxO2QQ7&#xd;

QbSQrYD7Pin+ZF9ZYTwW42XaLVvMFXlQSQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAGoPYbeRYYzQ&#xd;

vT5l9ZL0poY4LuJUzEUzFcC3+TLVcJeO4sKtEdI0ulNCH2He8O252BAZAr/lbWVG6+T3iJXfEyPf&#xd;

Fzd7MFmUnZ4+ll7020M6+Z1Z69+mzv8rRYcgVWsOPodG6KHvOJ/XAsyb7XqrUIKQgoId0RWNlbZA&#xd;

d97jqHcw&#xd;

</Certificate>

<Certificate Name="newservername">MIICPjCCAacCBEjqXfwwDQYJKoZIhvcNAQEFBQAwZjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNB&#xd;

MRAwDgYDVQQHEwdGcmVtb250MRUwEwYDVQQKEwxzeW1hbnRlYy5jb20xDDAKBgNVBAsTA3NjbTET&#xd;

MBEGA1UEAxMKZ2Nha2xsYWIwMTAeFw0wODEwMDYxODUwMzZaFw0xODEwMDQxODUwMzZaMGYxCzAJ&#xd;

BgNVBAYTAlVTMQswCQYDVQQIEwJDQTEQMA4GA1UEBxMHRnJlbW9udDEVMBMGA1UEChMMc3ltYW50&#xd;

ZWMuY29tMQwwCgYDVQQLEwNzY20xEzARBgNVBAMTCmdjYWtsbGFiMDEwgZ8wDQYJKoZIhvcNAQEB&#xd;

BQADgY0AMIGJAoGBAJfHjVd7LYGAVr5pUbNGBEAXTtRV/YcVoeFV2I+wBEDsmzwhCdWJ7Q7fLdNg&#xd;

DM281Zo+yaclvcYD+QvlyzYKFnpcArRbF2q9sqmWKvFwNWl4bLdYxRKKxbqcpXD1xA6lgTJlJPgN&#xd;

nyorp1nRzI7NeEd+RzWRMxdKMaPjkest/M/1AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAju+WprjS&#xd;

ckBmGiL+G+hNskpxLNZ1tNe1ID7BIKoGk7MIzM/SZm/1Eezt0FbphVeP4ZPBh6KDhx/CWD6OZI7I&#xd;

OxEq7SZOIe+5p1gTfcigfN0us3j6DJSprJN2j77pSiRYIFPoxg5DBlfmZVrJ2p8p1KcF8D8F3+mu&#xd;

csO3oYaxp3Q=&#xd;

</Certificate>

</ServerCertList>

<LogSetting MaxLogRecords="100" SendingLogAllowed="1" UploadProcessLog="1" UploadRawLog="1" UploadSecurityLog="1" UploadSystemLog="1" UploadTrafficLog="1"/>

</CommConf>

</ServerSettings>

2) I then copied this sylink.xml file to our network logon folder and added the following text to our logon script:

REM ***SYMANTEC***
REM Change SEP server to newserver

REM Stopping Symantec Services
"C:\Program Files\Symantec\Symantec Endpoint Protection\smc.exe" -stop > NUL


REM Copy new Sylink.xml file
xcopy \\servername\sylink.xml "%programfiles%\symantec\Symantec Endpoint Protection\" /Y > NUL

REM Starting Symantec Services
"C:\Program Files\Symantec\Symantec Endpoint Protection\smc.exe" -start > NUL

3) The clients should then connect to the new server, but this may not be instantaneous. If I remember right the green dots appeared again after about 5 - 10 minutes.

I hope this helps.

Cheers,

Rob.

coozoe's picture

Thanks for your info. That sounds right. My situation was slightly different.

My sylinks looked like that also. I had removed the old server from the management server list. The new sylink did not work and here's why. If you go to the SEPM console, under Policies, there is the management server option. If you edit your management server list, it should read something like this:

ipaddress:8014
servername:8014

Mine did not. It only had the server names. I removed the old one but that did not help. The port is critical. So, with Symantec support help and generating the new sylink, this fixed my issues. I then pushed the new sylink with their latest sylinkdrop using text files with the names of members.

By the way, the new sylink still shows the old server certificate and the new one. I guess the DB is in need of some cleaning.

HotRob's picture

Glad to hear you got it sorted. I just read up in the Administration Guide for MR3 (as it says not to use the sylink drop tool for MR3) and I think doing what I did is easier rather than having to import the files on each user's PC.

Yeah, I left the old server certificate in there as the move was only temporary while we rebuilt the server. :)

Message Edited by HotRob on 10-23-2008 01:02 PM
Siegfried's picture

Hi,

I'm on SEPM MR3.

I moved my server (SEPM) to a new one. I've got the old one still online, but I need to remove it.

I have two questions:

Will my offline clients be reconnected to the new server if I remove the old one?

I've made packages to deploy clients; do I need to make new ones for the new server?

Regards,

Siegfried

coozoe's picture

I spoke to Tech Support about this same issue. What you can do is open Policies and select Management Server list. Make sure your new server is Primary. Then, assign this list to your client groups.

HotRob's picture

1) No, I don't think your offline clients will connect to the new server because their sylink.xml file will still be looking at the old server.

With your offline clients you may need to use the sylinkdrop tool. The instructions for this are in the Administrators guide under documentation on CD1 under the topic heading: Recovering client communication settings by using the SylinkDrop tool

2) If your package to deploy clients is the 'unpacked' one you can copy the new 'sylink.xml' file from your server - once you have created the new server management list - to the client package and then any new deployments should talk to the new server.

On some machines I have ended up stopping the smc service manually and copying the new sylink.xml file to the PC over the existing one and then starting the service again, and the machines then started communicating with the new server.

Cheers,

Rob

Siegfried's picture

Hi HotRob,

Thanks for your answer.

1-When I go to the console, I've got some clients with a red arrow. Could it be because they are synchronised on the two servers?

Edit: On my new SEPM console, there are a lot of clients with out-of-date definitions (red arrow, I think), but on the old SEPM server, they're OK. Could you help me? I won't uninstall the old one as long as I am not sure.

2-The packages are compressed; do I need to make new ones on the new server?

Thanks a lot for your help.

Message Edited by Siegfried on 11-20-2008 11:55 PM
SUMMU's picture

Dear Friend,

Go to Policies on the left pane of the SEPM console. Click Policy Components, then Management Server Lists.

On the management server list select the specific management server list. On the left pane click Edit the list and change the priority. You have to put the new server's IP address and name in priority 1 and the old server in priority 2. Then assign the list to all existing locations and groups and subgroups. I have added both the IP address and name in the priority lists. It took around 1 week for the total migration of clients from the old server to the new server, considering the mobile endpoints.

Stop the internet connection to the old server and allow internet connections to the new server. Then the clients will search for updates and hook to the new server gradually. The new management server list with the new priority must be assigned to all groups, locations and subgroups including temporary.

Remember to add the new server as priority 1. Old server to priority 2. And assign.

Hope you will be successful.

Thanks.

Siegfried's picture

Thank you SUMMU, I forgot to assign the list to the groups!

Siegfried's picture

Hi,

I have deleted the old server manager, but all of my clients have a red arrow in SEPM and they have no virus definitions in the client's properties?

Could someone help me?

Thanks a lot

HotRob's picture

Hi Siegfried,

1) According to the Symantec Administration guide the red arrow means the following:

This icon indicates the following status:
■ The client is communicating with Symantec Endpoint Protection Manager at another site.
■ The client is in computer mode.

2) Yes, if the packages are compressed you'll need to create new ones as the old ones will have the old sylink.xml file in them pointing to the old server.

It'd be best to create a new one on the new server and then test deploying on a test machine and then examine the sylink.xml file on that machine to make sure it is pointing to the new server.

Cheers,

Rob.

HotRob's picture

Check the sylink.xml file on a couple of the clients. My guess is that it'll be pointing to the older server. If it is then you'll need to do the following:

1) Search the new server for the most recent sylink.xml file. Open it in Wordpad and check that it has the new server name you have just entered. You should see something like this (but don't copy this text, as each certificate code is unique for each server, I believe):

<?xml version="1.0" encoding="UTF-8"?>

<ServerSettings DomainId="C33A55330ADE64C900154F34331523D0" NameSpace="rpc">

<CommConf>

<AgentCommunicationSetting AlwaysConnect="1" CommunicationMode="PUSH" DisableDownloadProfile="0" Kcs="11771C57D7F3865DC4813E470AC106AE" PushHeartbeatSeconds="300" RandomizationEnabled="1" RandomizationRange="300" UploadCmdStateHeartbeatSeconds="300" UploadLearnedApp="0" UploadLogHeartbeatSeconds="300" UploadOpStateHeartbeatSeconds="300"/>

<ServerList Name="New Management Server List">

<ServerPriorityBlock Name="Priority1">

<Server Address="xxx.xxx.xxx.xxx" HttpsVerifyCA="0" VerifySignatures="1"/>

<Server Address="newservername" HttpsVerifyCA="0" VerifySignatures="1"/>

</ServerPriorityBlock>

</ServerList>

<ServerCertList>

<Certificate Name="newservername">MIICPjCCAacCBEjqXfwwDQYJKoZIhvcNAQEFBQAwZjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNB&#xd;

MRAwDgYDVQQHEwdGcmVtb250MRUwEwYDVQQKEwxzeW1hbnRlYy5jb20xDDAKBgNVBAsTA3NjbTET&#xd;

MBEGA1UEAxMKZ2Nha2xsYWIwMTAeFw0wODEwMDYxODUwMzZaFw0xODEwMDQxODUwMzZaMGYxCzAJ&#xd;

BgNVBAYTAlVTMQswCQYDVQQIEwJDQTEQMA4GA1UEBxMHRnJlbW9udDEVMBMGA1UEChMMc3ltYW50&#xd;

ZWMuY29tMQwwCgYDVQQLEwNzY20xEzARBgNVBAMTCmdjYWtsbGFiMDEwgZ8wDQYJKoZIhvcNAQEB&#xd;

BQADgY0AMIGJAoGBAJfHjVd7LYGAVr5pUbNGBEAXTtRV/YcVoeFV2I+wBEDsmzwhCdWJ7Q7fLdNg&#xd;

DM281Zo+yaclvcYD+QvlyzYKFnpcArRbF2q9sqmWKvFwNWl4bLdYxRKKxbqcpXD1xA6lgTJlJPgN&#xd;

nyorp1nRzI7NeEd+RzWRMxdKMaPjkest/M/1AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAju+WprjS&#xd;

ckBmGiL+G+hNskpxLNZ1tNe1ID7BIKoGk7MIzM/SZm/1Eezt0FbphVeP4ZPBh6KDhx/CWD6OZI7I&#xd;

OxEq7SZOIe+5p1gTfcigfN0us3j6DJSprJN2j77pSiRYIFPoxg5DBlfmZVrJ2p8p1KcF8D8F3+mu&#xd;

csO3oYaxp3Q=&#xd;

</Certificate>

</ServerCertList>

<LogSetting MaxLogRecords="100" SendingLogAllowed="1" UploadProcessLog="1" UploadRawLog="1" UploadSecurityLog="1" UploadSystemLog="1" UploadTrafficLog="1"/>

</CommConf>

</ServerSettings>

2) Copy this sylink.xml to a USB key and take it to each client, but you will need to stop the smc service before you copy the file, otherwise it'll say access denied. So at the run prompt type:

smc.exe -stop

3) Copy the new sylink.xml file to "C:\Program files\symantec\Symantec Endpoint Protection\"

4) Start the smc service: smc.exe -start

5) The clients should then connect to the new server, but this may not be instantaneous. If I remember right the green dots appeared again after about 5 - 10 minutes.

I hope this helps.

Cheers,

Rob.

P.S. If you want to do this for machines that log on to the network and run a logon script, check back on page 2 of this thread to see how I put it into the logon script.
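
The manual check described in the posts above (open sylink.xml and confirm which servers it lists, and whether the old server's certificate is still in it) can be scripted before the file is copied to a share or to clients. This is an added example, not part of any post in this thread: it assumes Python 3 and a file in the shape of the sylink.xml posted above, and `audit_sylink`, its parameters and the sample XML are constructed for illustration. The SHA-256 it returns lets you confirm that the copy on the logon share or on a client is byte-for-byte the file the new server generated.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the sylink.xml posted in this thread.
# Server names, DomainId and certificate bodies are placeholders.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<ServerSettings DomainId="PLACEHOLDER" NameSpace="rpc">
<CommConf>
<ServerList Name="New Management Server List">
<ServerPriorityBlock Name="Priority1">
<Server Address="oldservername" HttpsVerifyCA="0" VerifySignatures="1"/>
</ServerPriorityBlock>
<ServerPriorityBlock Name="Priority2">
<Server Address="newservername" HttpsVerifyCA="0" VerifySignatures="1"/>
</ServerPriorityBlock>
</ServerList>
<ServerCertList>
<Certificate Name="oldservername">PLACEHOLDER</Certificate>
</ServerCertList>
</CommConf>
</ServerSettings>"""


def audit_sylink(xml_bytes, new_names, old_names):
    """Return (sha256_hex, findings) for the raw bytes of a sylink.xml.

    new_names / old_names: every name or IP under which the new / old
    manager may appear (the posted file lists both an IP and a host name).
    """
    root = ET.fromstring(xml_bytes)
    new = {n.lower() for n in new_names}
    old = {n.lower() for n in old_names}
    findings = []

    # Priority blocks in document order, each with its server addresses.
    blocks = []
    for block in root.iter("ServerPriorityBlock"):
        addrs = {s.get("Address", "").lower() for s in block.iter("Server")}
        blocks.append((block.get("Name", "?"), addrs))

    if not any(addrs & new for _, addrs in blocks):
        findings.append("new server is not in any priority block")
    elif not blocks[0][1] & new:
        findings.append("new server is not in the first priority block (%s)" % blocks[0][0])
    for name, addrs in blocks:
        for stale in sorted(addrs & old):
            findings.append("old server %s still listed in %s" % (stale, name))

    # Certificates the client is told about for its management servers.
    certs = {c.get("Name", "").lower() for c in root.iter("Certificate")}
    if not certs & new:
        findings.append("no certificate entry for the new server")
    for stale in sorted(certs & old):
        findings.append("certificate for old server %s still present" % stale)

    return hashlib.sha256(xml_bytes).hexdigest(), findings


if __name__ == "__main__":
    digest, problems = audit_sylink(SAMPLE, {"newservername"}, {"oldservername"})
    print("sha256:", digest)
    for p in problems:
        print("-", p)
```

An old server listed under Priority2 is expected while both managers are still online; it becomes a real finding once the old manager has been uninstalled.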

Siegfried's picture

Hi,

Thanks a lot for your answers.

I've tried to deploy a new package on a fresh computer and the new sylink is good now.

Thanks for your help!