Endpoint Protection


Duplicate SEP clients appear in the Symantec Endpoint Protection Manager console 

Jun 21, 2012 05:56 AM

Problem:

Duplicate clients are appearing in Symantec Endpoint Protection Manager (SEPM) console.

Environment:

Symantec Endpoint Protection 11.x and 12.1

SQL Server 2005 and 2008

Windows Server OS

Cause:

There are two causes for this issue:

Current Theory: The first possible cause for this is when an Endpoint has been re-imaged (whether in a virtual machine or on a physical system).

Things we know: Each installation of Symantec Endpoint Protection (SEP) randomly creates a "Unique Identifier" for the client. So if this changes and the re-imaged system checks in, it is recognized as a new client.

Example: The IP and computer name are the same, yet the database still shows a different Unique ID.

The second cause for this is related to an issue with moving clients to a different OU in Active Directory.

Solution

There are 2 solutions for this issue as it relates to systems or sessions that have been re-imaged/reloaded.

Solution 1: Remove the client from SEPM if it is going to be rebuilt or re-imaged.

  1. If you know in advance that a group of systems is going to be re-imaged, you can remove those clients from the console ahead of time.
  2. If you have clients that are strictly running on virtual machines which are reloaded or re-imaged on a regular basis, create a separate client group for those clients. When it comes time to re-image them, they will be easier to locate when placed in their own group.

More Info in the Articles below: 

1) How to prepare a Symantec Endpoint Protection 12.1 client for cloning (image)

http://www.symantec.com/docs/HOWTO54706

2) How to repair duplicate IDs on cloned Symantec Endpoint Protection 12.1

http://www.symantec.com/docs/TECH163349 

Solution 2: Configure SEPM to remove clients which have not connected within a specific number of days.

  1. Open SEPM and select the Admin panel.
  2. Click on Servers.
  3. Right click on the Site where your management servers are located and choose Edit Properties.
  4. Check "Delete Clients that have not connected for __ Days"
  5. Enter a value for Days.
  6. Click OK.

NOTE: In version 12.1 of the SEPM, the location for adjusting the setting to delete clients which have not connected for X number of days has moved:

  1. In the SEPM, go to the Admin page.
  2. Select Domains.
  3. Under Tasks, select Edit Domain Properties
  4. In the Edit Domain Properties window, on the default General tab, note the option to "Delete clients that have not connected for specified time."

Configuring a low value for this setting would clear up the duplicates more quickly. 

It is important to consider clients that are offline over the weekend. Setting this value to 1 or 2 will likely cause all your clients to be removed after a weekend.
A recommended value for large enterprise environments would be 7 to 14 days.
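Added example (not part of the original article and not Symantec code): the Python below finds entries that share a computer name and IP address but carry different Unique IDs, as in the example under Cause, and shows which entries a "not connected for N days" setting would delete on a Monday morning. The CSV layout, its column names and all sample rows are constructed for illustration and are assumptions, not a SEPM export format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export; column names are assumptions, not a SEPM schema.
SAMPLE_EXPORT = """computer_name,ip_address,unique_id,last_checkin
WS-014,10.0.4.14,ID-AAAA,2012-06-01 09:12
WS-014,10.0.4.14,ID-BBBB,2012-06-18 08:03
VDI-07,10.0.9.7,ID-CCCC,2012-05-20 17:40
VDI-07,10.0.9.7,ID-DDDD,2012-06-10 07:55
VDI-07,10.0.9.7,ID-EEEE,2012-06-18 07:58
LT-221,10.0.6.21,ID-FFFF,2012-06-15 18:30
"""


def load_clients(text):
    """Parse the export into dicts with last_checkin as a datetime."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["last_checkin"] = datetime.strptime(row["last_checkin"], "%Y-%m-%d %H:%M")
    return rows


def stale_duplicates(rows):
    """Entries that share name and IP with a newer entry under another ID."""
    groups = defaultdict(list)
    for row in rows:
        groups[(row["computer_name"].lower(), row["ip_address"])].append(row)
    stale = []
    for entries in groups.values():
        if len({e["unique_id"] for e in entries}) > 1:
            entries.sort(key=lambda e: e["last_checkin"], reverse=True)
            stale.extend(entries[1:])  # keep the most recent check-in
    return stale


def purged_by_setting(rows, days, now):
    """Unique IDs a 'not connected for N days' setting would delete at `now`."""
    cutoff = now - timedelta(days=days)
    return {r["unique_id"] for r in rows if r["last_checkin"] < cutoff}


if __name__ == "__main__":
    clients = load_clients(SAMPLE_EXPORT)
    now = datetime(2012, 6, 18, 9, 0)  # a Monday morning
    print(sorted(r["unique_id"] for r in stale_duplicates(clients)))
    print(sorted(purged_by_setting(clients, 2, now)))  # also drops LT-221
    print(sorted(purged_by_setting(clients, 7, now)))  # only the stale IDs
```

With the sample data, a 2-day setting also deletes the single live entry for LT-221, which last checked in on Friday evening, while a 7-day setting removes only the three stale duplicates.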


Comments

Nov 18, 2015 01:04 PM

I have a problem with VDI stations. I've set it for one day, but the hosts are not removed after 24 hours.

Is there any routine for delisting stations with the offline status?

Jul 17, 2013 10:24 AM

I would really like to see an answer to Brent's question.

Jul 12, 2013 01:09 AM

Hi,

Can I just ask, in reference to the SEPM Repair Tool in this article http://www.symantec.com/business/support/index?page=content&id=TECH163349, is there a similar automated way to get a list of these affected clients in an 11.x environment?

Brent

 

Jun 21, 2013 08:17 PM

No, both cannot be connected at the same time. One is technically older and not connected.

Jun 21, 2013 08:05 PM

Phil, no it will not. The only issue that I can see is that it uses more licenses.

Jun 21, 2013 01:34 PM

Can Duplicate SEP clients in SEPM cause performance issues to the clients themselves?

Sep 05, 2012 08:42 PM

Many thanks for sharing here, Mithun. So, setting it to 10 days, what happens after that to the laptop users who have just come back from long service leave or holiday?

Sep 05, 2012 08:17 AM

Thanks

Aug 31, 2012 02:45 PM

Hello,

The setting above to delete clients that have not connected for 'x' days applies to clients that belong to non-OU groups (not imported from Active Directory). 

If the SEPM is in sync with AD, then the way to purge the old data would be to remove the clients from the Active Directory group and sync the OU within SEPM.

Hope that helps!!

 

Aug 31, 2012 02:38 PM

Thank you.

Aug 27, 2012 01:59 AM

We are running SEP 11.RU7MP2 and are AD integrated... How would you remove duplicates, as we have machines that are in the domain but inside the default group?

Aug 22, 2012 06:27 AM

Hello,

Correct, as soon as the old client is suddenly turned on and connected to the network, it would reconnect to the SEPM in the next heart beat interval and sylink.xml.

Hope that helps!!

 

Aug 22, 2012 06:17 AM

Thanks for the posting here, Mithun. So what happens if somehow an old client is suddenly turned on and connected to the network?

Would they be managed by the SEPM as long as it is installed with the proper Sylink.XML?

Jun 27, 2012 02:00 PM

10x

Jun 27, 2012 09:15 AM

Thanks.

Jun 25, 2012 11:46 PM

Thanks.

Jun 25, 2012 05:03 AM

Hello,

In case you are manually removing the entries from SEPM, it would not affect the licenses.

However, when you work on the steps above, the entries would be deleted from the database, which would in return affect your licenses.

For example, in the Symantec Endpoint Protection Manager (SEPM) the license status shows "Attention Required" on the Home Page, with an incorrect notification that licenses are overdeployed.

This is despite there being fewer clients actually deployed than there are license allocations.

Here, it is suspected that this issue is caused by duplicate entries in the database.

The following solution has been reported to resolve the issue.

For SEP 12.1 RTM:

  • From the console, navigate to Admin -> Servers.
  • Under Servers, Expand the Local Site.
  • Select the entry for the Database Server.
  • Under Tasks, click on Edit Database Properties.
  • Set the option to Delete clients that have not connected for to a very low number. For example, 10.
  • Click OK.

For SEP 12.1 RU1 and Later:

  • From the console, navigate to Admin -> Domains.
  • Under Domains, Select the Default Domain (or the relevant domain you are working with. Most SEPMs will only have the Default).
  • Under Tasks select Edit Domain Properties.
  • On the General Tab, Set the option to delete clients that have not connected for specified time to a low number, such as 10.
  • Click OK.

In observed cases this has allowed the older duplicate entries to be removed from the database, which resolves the issue.

Jun 25, 2012 04:43 AM

Hi,

Thanks for the article. I am having one doubt about this: now I am manually removing the duplicate clients. By setting the client status to fewer days, will my client licensing be affected?
