Endpoint Protection

  • 1.  SEP 11.0.7000.975, Domain controller failures

    Posted Nov 15, 2011 11:15 AM

    We have Windows 2008 R2 domain controllers.

    Has anyone seen domain controller issues with the Symantec Endpoint Protection version 11.0.7000.975? On 8/11 we rolled out the AV client (client version 106.5.4.4) to a large number of servers. Since then we are finding domain controllers failing on RDP and console, although they seem to function okay as domain controllers, e.g. LDAP works.

     

    We suspect antivirus, because this is happening across three forests, on both physical and virtual DCs. We have not released any patches on these DCs, and the forests are on isolated VLANs, so we don't expect virus issues. The DCs are not reporting anything meaningful in their logs. At the moment, we are having to hard reset the DCs to get them back. We only install the antivirus and antispyware protection component.

     

    Any assistance appreciated.



  • 2.  RE: SEP 11.0.7000.975, Domain controller failures

    Posted Nov 15, 2011 01:40 PM

    Upgrade RU7MP1 Clients

    This might be related but might not be...

    Check if, after removing SEP, everything is working fine.

    Domain controller becomes unresponsive after installation of Symantec Endpoint Protection 11.0 RU6 MP3
    Fix ID: 2393251
    Symptom: A domain controller may become unresponsive to RPC, authentications, replication, and file sharing after installation of Symantec Endpoint Protection 11.0 RU6-MP3. The server still answers to ping.
    Solution: The AutoProtect driver (srtsp.sys) was modified to prevent a condition where calling into the mount manager could cause a deadlock.



  • 3.  RE: SEP 11.0.7000.975, Domain controller failures

    Posted Nov 16, 2011 11:53 AM

    How do I match the version code to the RU and MP number? We have server 11.0.7000.975, presumably 11.0 RU7 MP? We have client 106.5.4.4 (what is the RU and MP of this)?



  • 4.  RE: SEP 11.0.7000.975, Domain controller failures
    Best Answer

    Posted Nov 16, 2011 12:29 PM

    You need to upgrade the SEP client on the domain controller.

    You have 11.0.7000.xx on the server. Check if you have the same version on the domain controller (ccApp.exe version is 106.5.4.4). Check what the version of the SEP client on the DCs is.

    Open SEP client > Help and Support > About.



  • 5.  RE: SEP 11.0.7000.975, Domain controller failures

    Posted Dec 19, 2011 10:05 AM

    We also had the same issue.

    4 2008 R2 domain controllers would not accept LDAP connections either (at least external LDAP lookups).

    Couldn't log in via RDP, console, etc.

    Some client PCs were able to log in.

    Version: 11.0.7000.975

     

    After a forced shutdown/reboot via HP iLO the servers came back and functioned OK. The only thing that happened between Saturday and today was a full system scan on Sunday.



  • 6.  RE: SEP 11.0.7000.975, Domain controller failures

    Posted Dec 19, 2011 10:16 AM

    Can you restart the Symantec service? Possibly via PowerShell... This may at least prevent you from having to access it via the iLO for a hard shutdown.



  • 7.  RE: SEP 11.0.7000.975, Domain controller failures

    Posted Dec 19, 2011 11:11 AM

    You also might want to have a look at the Windows Firewall on the server. How is it being managed?

    For further reference have a look at this link http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

    "Do not disable Windows Firewall by stopping the service"



  • 8.  RE: SEP 11.0.7000.975, Domain controller failures

    Posted Dec 19, 2011 01:40 PM

    I experienced the same issue on Domain controllers that were also acting as the GUP.  Some of the fixes in the release notes for RU7 MP1 appear to be the cause of this issue.

    http://www.symantec.com/business/support/index?page=content&id=TECH103087



  • 9.  RE: SEP 11.0.7000.975, Domain controller failures

    Posted Dec 20, 2011 09:15 AM

    Release Update 7 Maintenance Patch 1 (RU7 MP1) == 11.0.7101.1056

    I hate when companies have different versions in the product name and the actual Help > About.

     

    According to Symantec support this is the fix. We will implement this fix after hours and it should fix this issue.

    Hope that helps someone else. I don't see, with so many people using domain controllers, why the other versions don't have a huge disclaimer about this bug. Take a peek at VMware's download/support portal. Saved me a few times from having upgraded to a version that would've caused an issue for me.

    Anyway, good luck.

    GD