Houston Security User Group

 View Only
Expand all | Collapse all

SEP Console Mysteries

Migration User

Migration UserFeb 11, 2014 04:35 PM

  • 1.  SEP Console Mysteries

    Posted Feb 11, 2014 10:21 AM

    I installed a new SEPM (v12.1 RU4) on a new server (2008 R2 SP1). SQL Server is 2008 R2 on a different server.

    Server clients appeared to have moved without issue. However, in moving some PC clients, I've had several strange things happen:

    • Using the SEPM Client Deployment Wizard, some PC clients move and others do not. Some that do move to the new server, actually move back to the old server after about 15 minutes or so.
    • Some PC clients stay connected, but do not display a Policy Serial Number in the SEPM. When I remote control the client, it shows the correct Policy Serial Number.
    • When I sort the client listing by Name, Health State or Logon User or Computer, I get one listing of computer names. If I sort the same group by any other column, I get a different listing of computer names. It has only been a couple of different clients that I've noticed, but it's enough to cause concern. The number of computers doesn't change on the details page.


  • 2.  RE: SEP Console Mysteries

    Posted Feb 11, 2014 10:24 AM

    Did you use replication method to move the clients ? and then assigned Management server list?

    or just used communication deployment wizard?



  • 3.  RE: SEP Console Mysteries

    Posted Feb 11, 2014 10:25 AM

    In the package you created, did you reset the communication/policies, etc? Did you configure your MSL to point to the new server?

    Force the client to check in again and see what the result is. Some times it just a little longer to properly reflect.

    Can you share a screenshot?



  • 4.  RE: SEP Console Mysteries

    Posted Feb 11, 2014 11:40 AM

    No. No replication. We are not moving all clients to the new server, so I tried using the CDW. When that failed, I also tried using Altiris to deploy SylinkDrop and import the Sylink.xml for their new server. Some went. Some didn't. Some went, but apparently didn't like it there so they didn't stay.



  • 5.  RE: SEP Console Mysteries

    Posted Feb 11, 2014 11:44 AM

    Not moving all clients, so no replication, and no MSL to select.

    When you select to update communications, there are no options to reset anything. There is only the option to select the group in which you want to place the computer.

    I've done this several times in the past and haven't had this many issues before. Usually I'll just use Altiris to deploy SylinkDrop and a new sylink.xml.

    What do you want for a screenshot? The computer listing?



  • 6.  RE: SEP Console Mysteries

    Broadcom Employee
    Posted Feb 11, 2014 11:46 AM

    Hi,

    Thank you for posting in Symantec community.

    * Using the SEPM Client Deployment Wizard, some PC clients move and others do not. Some that do move to the new server, actually move back to the old server after about 15 minutes or so.

    --> Need to verify Sylink.xml file for those clients.

    * Some PC clients stay connected, but do not display a Policy Serial Number in the SEPM. When I remote control the client, it shows the correct Policy Serial Number.

    --> Could you run the management server confugration wizard again.

    * When I sort the client listing by Name, Health State or Logon User or Computer, I get one listing of computer names. If I sort the same group by any other column, I get a different listing of computer names. It has only been a couple of different clients that I've noticed, but it's enough to cause concern. The number of computers doesn't change on the details page.

    --> Make sure SQL database maintenance is happening regulary. Especially make sure after new install of SEPM database maintenance has taken place.



  • 7.  RE: SEP Console Mysteries

    Posted Feb 11, 2014 11:47 AM


  • 8.  RE: SEP Console Mysteries

    Posted Feb 11, 2014 12:11 PM

    Thanks, but I'm not re-installing the client. I'm only moving them from one server to another.



  • 9.  RE: SEP Console Mysteries

    Posted Feb 11, 2014 12:19 PM

    whats the problem you are facing with CDW? its successful but clients do not report to new sepm?

    or you get access denied error?

    I worked on SCCM but no with Altiris, is there a way to pull the report to check that sylink replacement was success?



  • 10.  RE: SEP Console Mysteries

    Posted Feb 11, 2014 12:55 PM

    CDW says successful. As mentioned previously, some clients connect to the new server and stay. Others connect for a little while and then go back to the old server. Still others do not connect at all.

    Altiris status says the job ran successfully. The job just copies SylinkDrop and Sylink.xml to the PC and silently imports Sylink.xml.



  • 11.  RE: SEP Console Mysteries

    Posted Feb 11, 2014 12:58 PM

    Out of curiosity have you gotten the sylink to copy to machines running 12.1? I have no problems with 11.x machine, but, some 12.1 machines are not so cooperative.



  • 12.  RE: SEP Console Mysteries

    Posted Feb 11, 2014 01:02 PM

    Verify Sylink.xml for those clients? Want me to determine the new location of sylink.xml on each client then copy it somewhere I can look at it? These clients are in a different state doing work to make the company money. I can't just interrupt all of them because of something like this.

    Run the management server configuration wizard again? Just wondering... what does that do for me?

    SQL Database maintenance. What are you looking for? The database is backed up nightly.



  • 13.  RE: SEP Console Mysteries

    Posted Feb 11, 2014 01:02 PM

    Create an another job in Altiris to delete

    Sylinkex.bak (or Sylink.ex, I forgot the name actually :) ) and Sylink.bak files and then replace the new Sylink



  • 14.  RE: SEP Console Mysteries

    Posted Feb 11, 2014 01:18 PM

    For the most part, I've used CDW to do the move. Where that didn't work, I used Altiris to copy SylinkDrop.exe and Sylink.xml to the workstations. I then ran sylinkdrop.exe to silently import sylink.xml.

    These are techniques I've used successfully in the past. I'm pretty sure I've done it with 12.1 clients, but I could be wrong. We've used Symantec (SAV and SEP) for over 10 years, and there have been several server changes over the years.

    I'll have to dig up the new location of Sylink.xml and try to retrieve it from a workstation to verify it.

     



  • 15.  RE: SEP Console Mysteries

    Posted Feb 11, 2014 02:03 PM

    Ok. So how stupid can I get? As for the computers being different when I sorted on different items? Turns out I forgot that Symantec hid the "Results per page" in the Filter button. ARRRGGGGGHHHH!!! blush

     

    Still need help getting clients from the old server to the new. Trying to retrieve sylink.xml now. Problem is 64-bit and 32-bit clients, and some on different versions of SEP, so because Symantec put version numbers in the folder names, it'll take some time to get that information.angry



  • 16.  RE: SEP Console Mysteries

    Posted Feb 11, 2014 03:28 PM

    All you need to do to get a sylink.xml from your new SEPM is to go to Clients and right click a client group and choose "Export Communications Settings..."

    MJD



  • 17.  RE: SEP Console Mysteries
    Best Answer

    Posted Feb 11, 2014 03:49 PM

    Well, I think I've found the quickest way to move clients between servers. Even worked on computers on which I was getting access denied errors. And yes, I was using Domain Admin credentials for the CDW transsfers.

    I recalled reading something similar to this somewhere else on Connect. Here's what I did:

    1. On the new SEPM, export the communications data for the group where you want the computers to go. In my case, I have multiple groups for multiple locations.
    2. On the old SEPM, create a "Move" group/folder.
    3. Remove the "Inherit Policies..." setting on the Policies tab.
    4. Remove all policies from the "Move" group - just to remove any .
    5. On their old folder, Change Communications Settings to "Push mode" and a Heartbeat Interval of about 5 minutes. I have fairly high bandwidth between sites, so this isn't an issue for me. You may want to double-check with your network team before making the Heartbeat Interval change so low.
    6. Still on the old SEPM, go to the Details tab for the "Move" group and find the Group ID number.
    7. Still on the old SEPM, find the folder with that Group ID as its name located here: InstallationDrive:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent
    8. Rename sylink.xml in that folder to something else - sylink.bak
    9. Copy the sylink.xml from the new SEPM into that folder and make sure to rename it to sylink.xml if it isn't already.
    10. In the old SEPM, move all computer objects into the "Move" folder.
    11. On the new SEPM, watch the computers appear!

     

     

     



  • 18.  RE: SEP Console Mysteries

    Posted Feb 11, 2014 03:50 PM

    See my previous posts... That wasn't working.



  • 19.  RE: SEP Console Mysteries

    Posted Feb 11, 2014 03:54 PM

    Good one !! outbox is where the clients will check for any changes wrt to policies , I think they grabbed the new sylink from there, will help many. :) 



  • 20.  RE: SEP Console Mysteries

    Posted Feb 11, 2014 04:35 PM

     

    Very interesting. Thanks for posting it.