If your problem is not resolved, then go for disaster recovery.
How to prepare for disaster recovery
To perform disaster recovery, you must prepare for disaster recovery. You prepare for disaster recovery by backing up the database, disaster recovery file, and (optionally) the IP address and host name of the management server. As a best practice, you should store this data off-site at a secure location.
Differences between SEP 11.x and 12.1.x
Many of the individual files and data that had to be separately gathered in SEP 11.x are now generated and saved automatically by the SEPM into one file, the disaster recovery file. The recovery file includes the encryption password, keystore files, default domain ID, certificate files, license files, and port numbers. This file can be imported automatically during the disaster recovery process.
Similar data from Endpoint Protection Manager 11.x that has been manually compiled is also referred to as a "recovery file" but cannot be automatically imported. If you are installing version 12.1 to recover a previous 11.x installation, you must refer to this file manually. See "Using 11.x disaster recovery files with Symantec Endpoint Protection Manager 12.1".
Steps to prepare for disaster recovery
Step 1: Back up the database.
Back up the database regularly, preferably weekly. The database backup folder is saved to the following directory:
Drive:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\backup
The backup file is called date_timestamp.zip.
Step 2: Back up the disaster recovery file.
The recovery file includes the encryption password, keystore files, default domain ID, certificate files, license files, and port numbers. After you install the management server, copy the compressed recovery file to another computer. By default, the file is located in the following directory:
Drive:\Program Files\Symantec\Symantec Endpoint Protection Manager\Server Private Key Backup\recovery_timestamp.zip
■ The recovery file only stores the default domain ID; IDs for all domains (including the default domain) are stored in the database. If you have multiple domains and will be performing a disaster recovery without a database backup, you must re-add additional domains and their IDs after the SEPM is re-installed. See step 3 for instructions on backing up additional domain IDs.
■ If you update the self-signed certificate to a different certificate type, the management server creates a new recovery file. Because the recovery file has a timestamp, you can tell which file is the latest file.
Step 3: Create text file Backup.txt. Save to this file the IP address and host name of the management server, and all domain IDs beyond the default domain.
If you have a catastrophic hardware failure, you must reinstall the management server using the IP address and host name of the original management server. This is case sensitive. Add the IP address and host name to a text file that is called Backup.txt. If you have multiple domains and will be performing a disaster recovery without a database backup, you must recreate additional domains and their IDs after the SEPM is re-installed. Domain IDs may be found in the SEPM Admin view or in sylink.xml files.
Step 4: Copy the files you backed up in the previous steps to another computer.
Copy the backed up files to a computer in a secure location.
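One way to script Steps 1 to 4, as an added example that is not Symantec's code or part of the original article. The drive letter, the `-Destination` folder, the `Backup.txt` key names and the `SHA256SUMS.txt` manifest are assumptions; additional domain IDs are passed in by hand because the article says they live in the database.

```powershell
# Added example (not Symantec code): gathers the Step 1-4 artifacts into one folder.
param(
    # Assumption: SEPM is installed on C: under the directory the article gives.
    [string]$SepmRoot = 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager',
    # Assumption: a folder you control on another computer, e.g. a mounted share.
    [Parameter(Mandatory)][string]$Destination,
    # Domain IDs beyond the default domain, copied from the SEPM Admin view.
    [string[]]$ExtraDomainIds = @()
)
$ErrorActionPreference = 'Stop'

function Get-LatestZip([string]$Folder, [string]$Filter) {
    # Both backup types are timestamped; a certificate change creates a new
    # recovery file, so always take the most recently written one.
    $zip = Get-ChildItem -LiteralPath $Folder -Filter $Filter -File |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $zip) { throw "No file matching $Filter found in $Folder" }
    $zip
}

$dbBackup = Get-LatestZip (Join-Path $SepmRoot 'data\backup') '*.zip'
$recovery = Get-LatestZip (Join-Path $SepmRoot 'Server Private Key Backup') 'recovery_*.zip'

# Step 3: Backup.txt with the host name (case preserved), IPv4 addresses, extra domain IDs.
$hostName = [System.Net.Dns]::GetHostName()
$ips = [System.Net.Dns]::GetHostAddresses($hostName) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.ToString() }
$backupTxt = Join-Path $env:TEMP 'Backup.txt'
$lines = @("HostName=$hostName", "IPAddress=$($ips -join ',')") +
    @($ExtraDomainIds | ForEach-Object { "DomainId=$_" })
$lines | Set-Content -LiteralPath $backupTxt

# Step 4: copy everything, then record SHA-256 hashes so the copies can be
# checked for corruption or tampering before they are used in a recovery.
New-Item -ItemType Directory -Path $Destination -Force | Out-Null
$copied = foreach ($f in @($dbBackup.FullName, $recovery.FullName, $backupTxt)) {
    Copy-Item -LiteralPath $f -Destination $Destination -PassThru
}
$copied | ForEach-Object { Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 } |
    ForEach-Object { '{0}  {1}' -f $_.Hash, (Split-Path $_.Path -Leaf) } |
    Set-Content -LiteralPath (Join-Path $Destination 'SHA256SUMS.txt')
Remove-Item -LiteralPath $backupTxt
```

Because the recovery file holds the encryption password and keystore files, the destination folder should be readable only by the administrators who would perform the recovery.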
Performing the disaster recovery
A disaster recovery requires you to sequentially complete the following procedures:
- If you had a catastrophic hardware failure, restore the server hardware using the IP address and host name from Backup.txt (from Step 3 above).
- Reinstall Symantec Endpoint Protection Manager using a disaster recovery file (gathered in Step 2 above). When the Management Server Configuration Wizard runs, choose "Custom configuration" and "Use a recovery file".
- Stop the following services: Symantec Endpoint Protection Manager and Symantec Endpoint Protection Manager Webserver.
- Restore the database (use the "Database Backup and Restore Wizard" from the SEPM tools folder).
Note that the recovery file should be used during the configuration of a new installation; if you use the recovery file to re-configure an existing installation, the Manager certificate can be restored but the existing default domain ID will not be changed unless you restore a database backup. Also, if you choose to configure the Manager as a replication partner, the default domain ID in the recovery file will be ignored and the Manager will use the domain ID(s) in the database of its replication partner.
If you do not have a database backup to restore
You can perform a disaster recovery without a database backup, but the following points apply in this case:
- All policies must be re-created, or imported from other backups, i.e. exported policy files.
- Clients will be able to communicate with the SEPM but will re-appear in the console only after their next check-in.
- Clients will reappear in the default group as they check in, unless you enable automatic creation of client groups on the re-installed SEPM by adding "scm.agent.groupcreation=true" to the conf.properties file.
- If you originally had multiple SEPM domains beyond the default domain, you must re-create them using domain IDs from Backup.txt.
Re-enabling Federal Information Processing Standards (FIPS) 140-2 compliance:
After recovering the SEPM, it is necessary to re-enable FIPS compliance as this setting is not stored in the disaster recovery file.
Problem
How do I perform a disaster recovery when the database backup/restore process fails using the "Database Backup/Restore Wizard" for an Embedded Database?
Symptoms
Database backup/restore fails through the database backup and restore wizard
Cause
Inability of the "Database Backup/Restore Wizard" to access the database to launch a backup OR a restore operation
Solution
Follow the steps below to resolve this issue:
· ON THE OLD INSTALLATION
2. Copy the "Server Private Key Backup" folder from:
\Program Files\Symantec\Symantec Endpoint Protection Manager\Server Private Key Backup
3. Paste it to another storage area (as it will be deleted during the Symantec Endpoint Protection Manager uninstall).
4. Stop the services "Symantec Embedded database" and "Symantec Endpoint Protection Manager".
5. Copy the "db" folder from:
\Program Files\Symantec\Symantec Endpoint Protection Manager\
6. Paste it to another storage area.
· ON THE NEW INSTALLATION AFTER THE DISASTER RECOVERY OF OPERATING SYSTEM (OS)
Warning: Re-installation of Symantec Endpoint Protection Manager needs to be done on the same IIS port and website for it to restore client-server communication after the disaster recovery process is complete.
1. Ensure that the server has the same IP address and host name once the operating system has been installed.
2. Install the "Symantec Endpoint Protection Manager" with the "Embedded Database" with the default settings.
3. Log in to the Console
4. Click Admin.
5. Select Tasks> Servers.
6. Under "View Servers", expand Local Site.
7. Click the that identifies the local site.
8. Select Tasks.
9. Click Manage Server Certificate.
10. In the "Welcome panel", click Next.
11. In the "Manage Server Certificate panel", select Update the Server Certificate
12. Click Next.
13. Under "Select the type of certificate to import", select JKS keystore.
14. Click Next.
Note: If one of the other certificate types has been implemented, select that type.
15. In the "JKS Keystore panel", click Browse.
16. Locate and select the backed up "keystore_.jks" keystore file.
17. Click OK
18. Open the "server_.xml" file
19. Select and copy the "keystore password".
20. Activate the "JKS Keystore" dialog box.
21. Paste the "keystore password" into the "Keystore" and "Key" boxes.
Note: The only supported paste mechanism is Ctrl + V.
22. Click Next
Note: If you get an error message that says you have an invalid keystore file, you probably entered invalid passwords. Retry the password copy and paste. (This error message is misleading.)
23. In the "Complete panel", click Finish.
24. Stop the services Symantec Embedded database and the Symantec Endpoint Protection Manager
25. Go to:
\Program Files\Symantec Endpoint Protection Manager\
on the new "Symantec Endpoint Protection Manager" and rename the "Db" folder to "Db_new"
26. Move the "old db" folder under:
\Program Files\Symantec Endpoint Protection Manager\
27. Go to Administrative Tools > Data Sources (ODBC).
28. Ensure database connectivity after changing the database file location to:
\Program Files\Symantec Endpoint Protection Manager\db1\sem5.db
29. Start the service Symantec Embedded database
30. Run the Management Server Configuration Wizard
31. Click Yes to replace the database after entering the password
32. Log in to the "Symantec Endpoint Protection Manager" using the OLD password.
33. Ensure that the Domain ID is the same as it was on the old clients.
· If it is not, follow the directions in the document below to restore the Domain ID. This will enable client communication: http://service1.symantec.com/support/ent-security.nsf/docid/2007082112135948
All of the clients should begin reporting back within approximately 30 minutes.