Endpoint Protection

Hello,

I have recently took over our SEP environment and have been tasked with moving clients from a recently purchased company onto our SEPM. There is roughly 3000 clients needing transfered. I have been replacing the sylink file by pushing a communications update from the SEPM.

This works at times, but is a very slow process and I get a lot of machines returning the error "Login to **machinename** failed. The client could not be installed on the remote computer." I am using a domain admin account so there is no reason this account should not be loging in. Obvious observations include the machine being turned off etc, but I know they are on and connected. 

Manually accessing each machine is not really an option, and i would prefer to push this out silently than having any user interaction. From real world experience, what do people out there recommend?

One thought i had was to add the old SEPM to our new environment and move all the clients into the default folder, switch the communication via the SEPM to the new Server and once all the clients have moved across disconnect the old server. I don't know if this would work if the two SEPM's have different group structures. 

Alternatively, could use a script, but I am not handy with scripts and would need to be able to detect if the machine is a server/user machine (probably via the OS) as I only want user machines moved across at this time. 

You may also have to enable the remote registry service:

http://www.symantec.com/docs/HOWTO80805

Other than that, setup replication between the two and edit your MSL to make your new SEPM Priority 1 so all clients move over to it. Once they move, you can turn off the SEPM service on the old SEPM. May want to wait a week or two to make sure all clients move over successfully.

Have you tried the slink replacer tool? Alternativily you can use the communications wizard in the SEPM to do a comms push using a notpad list of the machines and then you'd only have to address the machines that have issues. 

https://www.symantec.com/connect/downloads/sylinkreplacer-tool-connecting-sep-clients-sepm

Or if the old SEPM can contact your new SEPM and they are of the same version you could setup replication to link them and then all you'd need to do is update the management server list to prioritise the new SEPM as first login and then you could remove the old SEPM once they've all checked in. 

I have tried the slink replacer tool, but it didn't work for me. I believe this has been replaced with comms push wizard on the SEPM?

The Comms push wizard is what i am currently using but if we take for example today i pushed it to 300 clients that i know are online by getting the info from the SEPM and putting their machine name into a notepad. Out of the 300, only 17 worked the rest through up the error above. 

If i replicate the old and new SEPM's will this work even if they do not have the same group structure?

Joe

They won't need the same group structure. It will show up as a 'remote' site and you can configure it as you see fit.

This has not worked for me.

We are talking about two seperate SEP environments. When i try to add old SEPM to new SEPM i get an error "The local site does not have the information for the remote site. You must synchronise the local sites data with its partners" There are two different certificates in play here as well. Is there a way around this? or what Steps should i take to connect two SEPM's within two different environments

Joe

If the SEPM's can communicate with each other and sync then they will sycronise certificates. Are both SEPM's on the same version? If they con't communicate with each other then unfortunatly it's going to be replacing all the sylink files on them manually if the wizard is not doing it. Or raise a case with symantec dirctly to investigate why the wizard is failing on so many.