Endpoint Protection

  • 1.  Removing AD Sync While Adding Replication Partner

    Posted May 11, 2018 08:52 AM

    Hi,

    We are running a SEPM (14.1) with a SQL database in our environment and presently want to add a replication partner for failover functionality. The primary SEPM is AD synced as of now and we want to break it, as it's causing lots of administrative trouble for us. Is there a way to add a secondary SEPM server (replication partner) and NOT have the AD tree structure imported to it?


    I know that if I break the AD sync in the primary SEPM, all the clients will start reporting to the "default" group and then they need to be manually moved to their designated groups. But we want to avoid this trouble as we have almost 200 different groups to which these clients are reporting.


    What if we build a separate SEPM (the secondary SEPM without AD sync), export all the policies (virus & spyware, exceptions, Intrusion Prevention, etc.) from the primary SEPM (which is AD synced) and import them into this secondary SEPM, create different groups as per our liking, apply these policies to these groups, and then slowly start moving the clients from the primary SEPM into the secondary one by replacing the Sylink on the clients?


    Any suggestions? I might be wrong but just wanted to check alternatives available. Thanks!



  • 2.  RE: Removing AD Sync While Adding Replication Partner

    Posted May 12, 2018 05:24 AM

    Hi Gurpreet,

    You can use this tool to move a large number of clients to different groups:

    How do I move a large number of SEP clients to a new group at once?

    https://support.symantec.com/en_US/article.TECH98302.html

    How to use the MoveClient Utility to switch multiple machines between computer and user mode.


    https://support.symantec.com/en_US/article.TECH157429.html



  • 3.  RE: Removing AD Sync While Adding Replication Partner

    Posted May 14, 2018 06:34 AM

    Thanks for your reply Rafeeq!


    But my primary question still remains regarding breaking the AD integration in the most effective manner. Can you please guide me on that? Also, regarding the MoveClient tool, how will the tool know which client needs to go to which group (considering that once AD sync is removed, we will be left with all the clients reporting to the "Default" group)?