Endpoint Protection

So we've been running with the same MSSQL 2005 DB for quite some time now (since MR3 I believe). We are synced with AD and it seems that more and more machines are ending up in the default group with a green dot AND down in the AD tree without a green dot. Adding and removing them from the domain or re-installing the client are not options.

What we are looking for is a safe method for deleting ALL CLIENTS and their associated LOGs, etc...from the Database. So that they can then check back in on their own to recreate their entry in the DB.

Does this make sense? Is it a bad idea?

If I had more confidence in the disaster recovery process...I would install new consoles and recover the certificate to get the clients talking again. Unfortunatly we tried this on another, much smaller. network and could never get the clients talking without running Sylink Replacer on all 200 machines. :-( Not willing to do that on a network with 20,000 machines.

Thanks for any suggestions,

-Mike

Yes , you can delete the client entries from the database after taking a proper backup of the database

i would PM you the query the you need to run

I would love to see the SQL statement to accomplish this.

We take backups every night, so were covered on that end.

Thanks,

-Mike

Please give me some time , I would PM you the query.

>> We are synced with AD and it seems that more and more machines are ending up in the default group with a green dot AND down in the AD tree without a green dot. Adding and removing them from the domain or re-installing the client are not options.

This would be a good idea though. You can remove the clients from the DB but I suppose they will end up in the default group anyway. I would rather had it troubleshot first than purge all machines from DB.

First, are your machines in client or computer mode? How they appear in the console? Are you sure you have not changed computer mode to user mode or vice-versa?

Do you use imaging software? Is SEP client installed on the image? Remove SEP from the image and install it after imaging takes place. Duplicate SID is the issue most of the time.

If it is the case, you can just remove hwID (hardware id)

Configuring Symantec Endpoint Protection client for deployment as part of a drive image
http://www.symantec.com/docs/TECH102815

Here are some details requested above.

1) We run in computer mode...but sometimes a machine will slip into user mode and it's not very easy to switch back to computer mode since we Sync with AD and cannot right click on the machine and switch it back. :-(

2) Yes, our machines are built off a drive image but we use the procedures above (this was not always the case) to ensure that duplicate Computer_ID's and Hardware_ID's are not occuring.

My guess is that we also have a bunch of stale machines in the DB that are not being purged after 30 days. This is another reason to scrub the DB and start fresh.

I'm hoping that Prachand's query will do that for me.

-Mike

why not restore the server without DB backup from DR steps?

I've had ZERO success using the DR process getting clients to communicate with the sepm again. Followed the procedure exactly and even had a support ticket in and got nowhere. On one of our small networks, I had to run Sylink Replacer in the login script for a couple hundred machines. Not willing to do that for 25k machines. The machines are talking to the SEPM now, I want to keep it that way.

Thanks for the suggestion...

-Mike

check this part of information, To restore client communications with a database backup

http://www.symantec.com/business/support/index?page=content&id=TECH102333&locale=en_US