Symantec Protection Suites

  • 1.  SEPM not Syncing with AD after moving to AD 2008

    Posted Nov 02, 2010 12:10 PM

    Been running SEPM for years with good luck. Current version is 11.0.5002.

    We recently moved to AD 2008 R2.

    I went into Admin --> Server Properties and set up the new name DC two weeks ago; and it's been working fine.

    Once we took the original AD server offline, SEPM clients will not sync with AD.

    I was looking at the setup for Importing OU/Container and noticed that it asks for the named server. Since the original would have been set up this same way I wonder if I will have to create a new AD Sync group. I looked at the original AD Sync group and do not see anywhere that I can change it to the new server.

    Any thoughts?



  • 2.  RE: SEPM not Syncing with AD after moving to AD 2008

    Posted Nov 02, 2010 12:54 PM

    Did you change the AD IP, name, port, etc.? Anything whatsoever?



  • 3.  RE: SEPM not Syncing with AD after moving to AD 2008

    Posted Nov 02, 2010 01:12 PM

    Yes. It is a new DC server in name, IP, and now 2008 R2 AD from 2003 AD.

    It is still the same domain name.

    The new DC has been running for a week and all was fine until we turned off the original DC that the sync was set up on several years ago.

    The clients are still communicating with SEPM - we're still getting the green dot of goodness.

    The issue is that we use the AD sync for applying policies to desktop groups. We do not do this with servers. Now if we move a desktop into a different container it doesn't follow in the SEPM - it's not syncing; and therefore we cannot move a desktop to assign a different policy.

    I hope this provides more information.



  • 4.  RE: SEPM not Syncing with AD after moving to AD 2008

    Posted Nov 02, 2010 01:40 PM

    That is the issue, there is currently an open defect on this. Here are the details I can provide:

    Problem
    The directory server information (eg. IP address, machine name, or port) has been modified. Imported organizational units (OUs) no longer synchronize.

    Solution
    When changing Directory Server information within the Endpoint Manager (SEPM) to match a modified directory server's configuration the Endpoint Manager appears to accept the change; however, further attempts to synchronize Organizational Units imported from that server fail. As a work-around delete the Directory Server from the list in the SEPM then add it again with the new information. Any organizational units imported from this server will also need to be removed, re-added, and have their policies reassigned.

    This is scheduled to be fixed at some point, ETA is unknown however. Hope this helps a little.



  • 5.  RE: SEPM not Syncing with AD after moving to AD 2008

    Posted Nov 02, 2010 02:55 PM

    I figured as much; I just didn't want to put that out there in case there was a solution and not just a workaround.

    Do I have to delete the existing sync group first or can I add a new sync group, match up the policies, then delete the old one?

    Interesting that you used the words "open defect" when describing the problem.

    If I could make a suggestion, when running the OU import UI it should ask for domain name and not domain controller. The DC will change in the future, but the domain name may not.



  • 6.  RE: SEPM not Syncing with AD after moving to AD 2008

    Posted Nov 02, 2010 03:15 PM

    Actually, that's not a work-around.

    A workaround is: open this file and edit it to match your current DC.

    You think you can find the name of that file???



  • 7.  RE: SEPM not Syncing with AD after moving to AD 2008

    Posted Nov 02, 2010 03:53 PM

    To be clear, when I say "open defect" I mean there is an investigation into the cause of the problem. I am not saying it's a problem with SEP or AD or Windows or whatever, it's an ongoing investigation into the root cause of the issue. It would obviously appear to be Symantec though we haven't determined that 100% yet.

    Reading through the notes, the ability to edit a file to correct all this has been proposed though as it stands now there is nothing to edit to resolve this. I believe the data is stored in the database though I wouldn't know how to go about editing it directly as a lot of the information is stored in GUID form. I don't believe it is supported to edit it directly either.

    Unfortunately there is limited information so far on this and I have provided everything I can see =/.