Endpoint Protection

Greetings all,

Just trying to figure out best practices for adding a new domain to our SEPM. I have found a few articles about adding the domain and how to administer the new domain but cannot find any (new) docs on from start to finish if there are any in existence. I understand there are singular articles (as the links below) but was looking to find a "walkthrough".

What im hoping to find steps for:

• How to add the domain - https://support.symantec.com/en_US/article.HOWTO81193.html#v8901402
• Change domains (administer) - https://support.symantec.com/en_US/article.HOWTO80766.html#v15607166
• Add Ad server to sepm - https://support.symantec.com/en_US/article.TECH181458.html

I guess my question is:

1. If i add a domain using the lnks above, how does the "adding of directory servers" differentiate between all of the domain controllers that I may need to add for all of our domains that I would like to administer? It seems as tho that wizard is an all encompassing setting...

We already have a second domain in place so I am able to flip between the two but all i can see is that the directory servers were added to that directory server list and then it "magically works" to pull info from that new AD domain into the new SEPM domain? Im not sure if you tell it what AD servers it uses for which AD domain during sepm domain creation. Im assuming that the sepm domain that you add would be linked somehow to the directory server you added. Maybe just by sepm domain name and fqdn/ip of the directory server?

Thanks!

Please find answers to your question inline

1. If i add a domain using the lnks above, how does the "adding of directory servers" differentiate between all of the domain controllers that I may need to add for all of our domains that I would like to administer? It seems as tho that wizard is an all encompassing setting...

    This domain is not your windows AD domain, its simply a domain you create within SEPM to segregate two different set of network or office of group of pc as you wish this has nothing to do with directory servers or AD domains.

We already have a second domain in place so I am able to flip between the two but all i can see is that the directory servers were added to that directory server list and then it "magically works" to pull info from that new AD domain into the new SEPM domain? Im not sure if you tell it what AD servers it uses for which AD domain during sepm domain creation. Im assuming that the sepm domain that you add would be linked somehow to the directory server you added. Maybe just by sepm domain name and fqdn/ip of the directory server?

as I said before AD domain and SEPM domain has no correlation except for sharing the same name.

Thanks!

I understand that the domains in SEPM are not AD domains as my comments in my original post have stated. What I am not understanding fully is the way that a SEPM domain can be "linked" to an AD domain using Directory Servers. It seems that all directory servers are placed in that same window without any "linking" to SEPM domains.

If you log in to each SEPM domain, do the directory servers show up in both or only the initial one you set them up in?

Administering the first SEPM domain that I have imported our AD domain into, Im able to click on Servers (under Domains), right click the primary AV server and shoose properties then click the directory servers tab and see domain controllers from both Ad domains.

Administering the second SEPM domain that the second AD domain was imported into and following those same clicks as above, im able to see an identical Directory Servers window.

When you say login, do you truly mean log in or jsut change the administration form the single console? We only have one instance of SEPM running with 2 SEPM domains that has 2 AD domains imported into them.

When you have multiple domains in SEPM, on the console login you should have the drop down option to select which domain you want to log in to.

I think I may undertstand. After re-reading the article TECH181458 much more slowly, at the bottom, it talks about choosing "My Company" and then choosing Tasks -> Import OU then I can select the Domain. Is this what I was probably missing? That link i was alluding to?

On the SEPM console login screen, I have Username, Password, Server (which is my SEPM server) and Domain which is a text box, not drop down. We currently have administrators inside only one of the AD domains so that may be why it is not a drop down. Im not sure tho.

its never was a drop down box but a text field where you can enter the name of the domain that you want to login. 

to your other question, if you are looking to see the AD structure and objects in SEPM then yes you have to import those OU that you require in the clients tab under the group which you desire them to show up 

It appears as tho the SPEM attempts to ping any new server entry for new domains. Is there a way to either suppress this or am I able to continue to add the entry even tho it errors during the add new directory server wizard? Our firewall stopped the icmp request and im wondering if I need to add a rule to let that through for full functionality or can that step be skipped and everything work out?

I doubt there is any config unless there is some conf file that can be edited. Probably best to control at your fw.

It looks like we are ok. It still propgated all the domain resources.

When importing OUs; should the top most level be imported or should only OUs with computers to be managed be imported? Can SEPM handle having users and groups in an OU that is imported?