Short answer: you'll want to add a new SEPM -- it must be the EXACT same SEP version as the current SEPM -- migrate clients through SEPM policy configuration, then uninstall the old SEPM. (See the longer answer provided below.) I would not recommend changing the new SEPM's name at any point, because that would entail a certificate change, which can lose you connectivity with all your clients if you're not extremely careful.
I highly recommend reviewing this prior to performing a migration:
https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Managing-management-servers-sites-and-databases.html
If you're in a different geo and/or that link doesn't work for you, please navigate to TechDocs.Broadcom.com > Symantec Security Software > Endpoint Security and Management > Symantec Endpoint Protection > Managing management servers, sites, and databases.
Please note that migrations generally follow one of the following two scenarios:
Scenario 1. Install a new SEPM as an additional server to the existing site. (This requires a licensed version of Microsoft SQL Server, not Express.)
Review topic "Setting up failover and load balancing" for details. https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Managing-management-servers-sites-and-databases/setting-up-failover-and-load-balancing-v51660713-d15e4845.html
Scenario 2. If your existing SEPM is using the free (local) MS SQL Express database, you would typically pursue a different migration path, utilizing SEPM replication. That starts by installing a new SEPM with its own local database (= a new SEPM 'site'), with credentials to connect to the existing site and replicate all policy and group information.
Review topic "Setting up sites and replication" for details. https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Managing-management-servers-sites-and-databases/setting-up-sites-and-replication-v50382461-d15e1412.html
Both scenarios:
Doing either of the above will do most of the migration work for you. The SEPM install process automatically creates a self-signed certificate and adds the new SEPM (with its cert) to the default client communication settings (sylink.xml), which is distributed automatically to every client the next time it checks in.
In scenario 1, the new SEPM is added as a Priority 1 server. After clients have checked in with the original SEPM, they will begin randomly connecting to the new SEPM until roughly half of them are talking with each server at any given moment. Once you are certain that all clients have received the new configuration (and thus have the new SEPM as a communication option), you can uninstall the old SEPM. Clients that try to connect to the old SEPM will fail and then automatically connect to the new SEPM. The uninstall process will automatically remove the old SEPM from the default communication settings, so after clients have checked in, they will no longer attempt to connect to the old server.
In scenario 2, the new SEPM is added as a Priority 2 server. After clients have checked in with the original SEPM, they will automatically try to connect to the new SEPM _only if_ the first SEPM is not available. To test whether they can communicate, you could take the original SEPM offline for a set amount of time. If you see clients show up in the management console of the new SEPM, you'll know they are able to communicate with the new server. A few additional steps are needed for them to be permanently managed by the new server. Without going into huge detail, the process mainly involves assigning the default management server list (MSL) in the NEW SEPM console to all the client groups in the OLD SEPM console. (The new MSL automatically has the new SEPM as a Priority 1 server and the old SEPM as a Priority 2 server, because it was installed as a replicating site.) There are a number of methods to accomplish this. After all clients have checked in with the new server, you can remove the old site from the replication partners and uninstall the old SEPM.
Tip: You can view the management server lists (MSLs) in the SEPM console under Policies > Policy Components. You can verify which MSL is assigned to each SEP client group there or, on the Clients page, select a client group on the left-hand side and select the Policies tab on the right-hand side. Click 'Communications' to see which Management Server List is currently assigned.
------------------------------
Sherri Nichols
Cyber Security Engineer at NetX Information Systems, Inc.
------------------------------
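As an added illustration (not code from the post above or from Symantec) of the Priority 1 versus Priority 2 behaviour described in the two scenarios, this Python model picks a server the way the post describes and tallies where client check-ins land before and after the old SEPM is removed. The server names are constructed placeholders, and the selection rule is a simplification of the real client logic.

```python
import random
from typing import Dict, List, Optional, Set

# Model of a management server list (MSL): index 0 holds the Priority 1
# servers, index 1 the Priority 2 servers, and so on. This is an added
# illustration, not Symantec's implementation.
MSL = List[List[str]]


def pick_server(msl: MSL, reachable: Set[str], rng: random.Random) -> Optional[str]:
    """Choose randomly among the highest-priority tier that has at least one
    reachable server; a lower tier is used only when every server in the
    tiers above it is unreachable (the failover rule the post describes)."""
    for tier in msl:
        candidates = [s for s in tier if s in reachable]
        if candidates:
            return rng.choice(candidates)
    return None  # nothing reachable: the client keeps its last config and retries


def remove_server(msl: MSL, server: str) -> MSL:
    """Model the old SEPM's uninstall removing itself from the default MSL,
    which clients receive at their next check-in."""
    return [[s for s in tier if s != server] for tier in msl]


def simulate(msl: MSL, reachable: Set[str], clients: int, seed: int = 1) -> Dict[str, int]:
    """Tally which server each of `clients` check-ins lands on."""
    rng = random.Random(seed)
    tally: Dict[str, int] = {}
    for _ in range(clients):
        chosen = pick_server(msl, reachable, rng) or "none"
        tally[chosen] = tally.get(chosen, 0) + 1
    return tally


# Scenario 1: the new SEPM joins the existing site, so it is Priority 1 alongside the old one.
SCENARIO1_MSL: MSL = [["old-sepm.example", "new-sepm.example"]]
# Scenario 2: the new SEPM is a replicating site, so the old site's MSL lists it at Priority 2.
SCENARIO2_MSL: MSL = [["old-sepm.example"], ["new-sepm.example"]]

if __name__ == "__main__":
    both_up = {"old-sepm.example", "new-sepm.example"}
    print("S1, both up:", simulate(SCENARIO1_MSL, both_up, 1000))
    print("S1, old uninstalled:", simulate(remove_server(SCENARIO1_MSL, "old-sepm.example"), {"new-sepm.example"}, 1000))
    print("S2, both up:", simulate(SCENARIO2_MSL, both_up, 1000))
    print("S2, old offline:", simulate(SCENARIO2_MSL, {"new-sepm.example"}, 1000))
```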