Endpoint Protection


Installing SEPM on new server, removing old server. Which method should I use to install?


  • 1.  Installing SEPM on new server, removing old server. Which method should I use to install?

    Posted Jul 08, 2011 10:24 PM

    I'm installing SEPM 12 on a 2008 R2 server, and shutting down the previous SEPM 11 on a 2003 server. When installing 12, should I select the option that it is the first node? Or should I install it as a secondary/failover to replicate, then shut down the old one?

    I only need the clients to point to the new server, which has a new hostname and IP address, without having to manually reinstall all the clients.

     



  • 2.  RE: Installing SEPM on new server, removing old server. Which method should I use to install?

    Posted Jul 08, 2011 10:44 PM

    Install as failover

    After installation, make it priority 1 in the Management Server List; then shut down the first one.



  • 3.  RE: Installing SEPM on new server, removing old server. Which method should I use to install?

    Posted Jul 08, 2011 10:51 PM

    Won't the old one still show up as a failover server even after it's gone?



  • 4.  RE: Installing SEPM on new server, removing old server. Which method should I use to install?

    Posted Jul 08, 2011 11:14 PM

    You have a few options.

    If you WANT the install to be totally fresh, installing a new stand-alone server using the recovery method is probably the best way to go.

    But you do have a few other options to pick from -- but they will require you to have both servers running the same version.

    So here is a list of options I can think of:

    1. Site Partners
      If you are using a SQL server, set up the new SEPM server as a Site Partner.
      Update your Management Server List and leave servers for a few days or until all clients have moved over.
      Then, turn off the first server and delete it from the SEPM console under Admin -> Servers.
    2. Replication Partners
      Set up the new server in a replication partnership.
      Update your Management Server List and replicate at least once. Then leave both servers on for a few days.
      Turn off the first server and delete the old site from the SEPM console.
    3. Manually drop a new Sylink file on all the clients (Avoid this if possible -- it can be a lot of work)
    4. Set up the new site using the Recovery plan that I'll outline.

    So for the rest of this comment I will talk about using the recovery method (number 4). The one drawback to this method is you do not get any of your policies or groups in your new server. You have to start over. If you have a lot of policies or groups, method 1 or 2 is probably a better choice.
    Note, if you do choose method 1 or 2, you need to have both servers running the same version.

    As a precaution, turn off the policy signature validation on your clients right now. It will give you a few more options in case you run into trouble. This setting is found under Clients button --> Policy Tab --> General Settings --> Security Settings. I can't remember the exact name of the checkbox option, but I think it's the last one and has a really long name. Anyhow, turn this secure communication option off. It will be re-enabled by the new server you set up. Do this right away so your clients have time to get the policy.

    Next, we need Disaster Recovery information. You have two ways of getting this.
    1) Use the old 11.x recovery method. This involves going to various parts of the SEPM server and collecting information.
    2) Use the new 12.x recovery method. But to do this, you need to first upgrade the old server to version 12. When you do this you will get a nicely packaged recovery.zip file that can easily be imported into the new server.
    Either method will work -- and since you can have both servers running at the same time, it's OK if you make a mistake -- you just try again.
    I personally like the new 12.x recovery method better -- but you may not want to go through the trouble/risk of migrating the old server. If that's the case, then go with the 11.x recovery method. Restoring the information on the 12.x server is basically the same -- although the placement of information may be slightly different (i.e. the Keystore Password is stored inside a different XML file in 12.x).

    So, after you have the new server running, with the disaster recovery information restored, let's test if we can move a client over.

    On the first server (which could be 11.x, or 12 if you upgraded it) create a new test group.
    Move 1 client into this group.
    Create a new Management Server List (Under Policies --> Policy Components --> Management Server Lists).
    In this Management Server List, enter the connection information of your new SEPM server.
    Assign this list to the new test group.
    Have the client heartbeat.

    Verify on both the client and the console that the client has moved to the new SEPM server. Just because the client registers successfully and shows up in the SEPM console, it does not mean we have full communication working. Double-check that the client is actually communicating. To do this: Check the current policy serial number on the new SEPM server. Ensure the client has the latest policy from the new SEPM server.

    If the client is able to get the latest policy from the new SEPM server, it's time to move more clients over.

    Clients will move from the old server to the new server when they get the policy with the Management Server List that has the connection information for the new server. If someone is on vacation, or otherwise does not turn on their computer, they may not get the policy the same day. That is why it's good to leave the old SEPM server running for a few days, or even weeks, if you can. If you have a large number of clients, inevitably one of them will not get the new policy (Unless you leave your server running for a while). If this happens, you simply have to go and move these clients one-by-one manually. But hopefully there are only a few of them. And if you can leave your old SEPM running for a while, there may be none.

    I know these steps are a little bit on the "outline" side, not exactly step-by-step. But I'm not quite sure how much information you need -- or even if you will choose this method.

    There are a few forum posts and knowledge base articles that talk about this. Most information was written for SEPM 11, but the basic ideas still work. If anything, they should be easier in SEPM 12 because of things like the enhanced Disaster Recovery method, and the Replication "Check Certificate" feature.

    How to move SEPM from one machine to another
    http://www.symantec.com/business/support/index?page=content&id=TECH104389&locale=en_US

    Moving SEPM to a new server (Forum)
    https://www-secure.symantec.com/connect/forums/moving-sepm-new-server-0

    Cheers, hope that contains enough details for you.



  • 5.  RE: Installing SEPM on new server, removing old server. Which method should I use to install?

    Posted Jul 08, 2011 11:15 PM

    At first, yes. But you can delete servers and sites from the Admin -> Server panel. Then they won't show anymore.



  • 6.  RE: Installing SEPM on new server, removing old server. Which method should I use to install?

    Posted Jul 08, 2011 11:23 PM

    Yes; that's why I said priority 1 for new SEPM

    you can then delete the old one.



  • 7.  RE: Installing SEPM on new server, removing old server. Which method should I use to install?

    Posted Jul 08, 2011 11:49 PM

    Great post, thank you for the info. I had no idea it would be such a complicated process... I'm still a little confused though. I would rather not have to upgrade to SEPM 12 on the old server. I don't mind losing policies, I just don't want to go through the pain of losing all the clients (which happened to me once, before the sylink tool was "remote").

    From the links you provided, I found this link which shows all the locations of the data on SEPM 11: http://www.symantec.com/business/support/index?page=content&id=TECH102333 . Would I be able to just import all of this into SEPM 12? Will SEPM 12 automatically upgrade the DB or will I be missing some functionality?



  • 8.  RE: Installing SEPM on new server, removing old server. Which method should I use to install?

    Posted Jul 09, 2011 12:19 AM

    I forgot one other question, the 2003 server is 32-bit. Will SEPM 12 on 2008 R2 be a 64-bit install? Will that cause any issues, going from 32 to 64?



  • 9.  RE: Installing SEPM on new server, removing old server. Which method should I use to install?

    Posted Jul 09, 2011 02:29 AM

    No problem..



  • 10.  RE: Installing SEPM on new server, removing old server. Which method should I use to install?
    Best Answer

    Posted Jul 09, 2011 11:50 AM

    So, depending on which method you want to use, you can do it with, or without using the original database.

    SEPM 12 can upgrade the DB if you want to go this route. If you want to use the database, but don't want to upgrade the SEPM 11 server, you can use a backup-restore routine. It goes something like this:

    1. On SEPM 11, back up your database using the backup/restore wizard from the start menu. This will create a .zip file in the data\backup folder.
    2. Copy the DB zip file from SEPM 11 to SEPM 12.
    3. Move to the SEPM 12 server machine.
    4. Install SEPM 12.
      NOTE: During the install, be sure to specify the same encryption key you previously used on SEPM 11.
    5. Stop the SEPM 12 services.
    6. Restore the database you copied over using the DB backup/restore wizard from the start menu.
    7. Browse to the SEPM install directory.
    8. Launch bin\upgrade.bat (be sure to run AS ADMIN in Windows 2008. You may have to launch a command prompt "As Admin" first if you have UAC enabled.)
    9. SEPM 12 will upgrade the DB to SEPM 12.
    10. Run the Configuration wizard (This will register the SEPM 12 server with the DB you just restored).
    11. Log into SEPM 12.
    12. Restore your SEPM 11 certificate into your SEPM 12 server (Admin --> Servers --> Task: Certificate Management)
    13. Move one client from SEPM 11 to SEPM 12 using the Management Server List method previously mentioned. If it works, move the rest.

    NOTE: One update on the Management Server List method I mentioned previously. You can set the SEPM 12 server up as Priority 1, and set the SEPM 11 server as Priority 2. That way if anything goes wrong with the SEPM 12 box, the clients will safely switch back to the SEPM 11 machine. This reduces your risk of 'losing' your clients (we call it 'orphaning').

    You pointed to a link to gather all the recovery information. This is a good link, and notice it has a sub section that says:

    Restoring client communications with a database backup
    -and-
    Restoring client communications without a database backup

    So you can do it with or without. If you do it without, you lose all your policies and groups. If you do it with your DB, you get to keep your policies and groups.

    I wouldn't be afraid to try a few test runs because, in this setup, you still leave the SEPM 11 server running -- so no risk of losing everything if your SEPM 12 setup is not correct the first time.


    Finally, to answer your question about supported operating systems, SEPM 12 works just fine on Windows 2008 R2 64bit. It makes no functional difference -- and you don't need IIS installed either!



  • 11.  RE: Installing SEPM on new server, removing old server. Which method should I use to install?

    Posted Jul 09, 2011 12:32 PM

    Jeez, what a mess. Who keeps marking "as solution" on these posts? I'm not done yet :P

    So I installed SEPM 12 on the new server, as a first node. I exported all the keys and database off SEPM 11, and copied them to the SEPM 12 server. I ran the configuration wizard (in first time mode, not recovery). I manually modified the key password, and domain IDs in SEPM 12 to match the old one (I was able to change the domain ID in the manager, under the "advanced" tab when adding a new domain). The only thing I didn't do was copy over the sylink.xml - since the old sylink has a different IP address and server name, I figured that wouldn't help.

    At first I didn't see any of my AD OU's, so I had to import it using the Import OU function in Clients, and then also Import Active Directory. Then it showed all the devices, but it showed them all as "offline".

    So back to SEPM 11. First I disabled the secure connections policy. Then I created a new policy for management servers, and added SEPM 12 as the only entry. I assigned one desktop to it. Then I waited, refreshed, waited, re-assigned, etc... it still said the client was offline on 12 and online on 11. I looked at the client, and the system logs had a few entries that said it connected to the SEPM 12 server, but within like 4 seconds, it disconnected, and reconnected back to SEPM 11. I don't understand why, since the management policy on it doesn't even have SEPM 11 anymore.

    Finally, I decided to just import the database. I didn't re-install SEPM 12, I just continued and did a restore. It automatically popped up with the database upgrade wizard, and it went through successfully. But then it launched the Configuration Wizard again... so I ran the config again, because the console service wouldn't start otherwise. It asked me to create a new DB password, which I thought was odd, because I imported the old DB.

    Once that was finished, SEPM 12 now shows SEPM 11 in the list of servers, so I guess it made itself a secondary server after all. However, SEPM 11 does not show SEPM 12 in the list of servers. Also, instead of seeing "offline" clients, SEPM 12 doesn't show any of the clients that are on SEPM 11, not even "offline", just nothing. I didn't import the server certificate, but since I disabled secure communications, I'm not sure if I need it just to see the clients...

    At this point, am I close? Do I just need to change the priority in SEPM 11 to point to the SEPM 12 server, and all is well? Or do I need to retry :P



  • 12.  RE: Installing SEPM on new server, removing old server. Which method should I use to install?

    Posted Jul 09, 2011 01:20 PM

    Ok after importing the certificate and fiddling and rebooting, I finally got one client showing as "Online" on the new server.

    So, is the next step to modify the default management server list on SEPM 11, and point them all to the new server? (I checked it and all the settings are greyed out on the SEPM 11 server)



  • 13.  RE: Installing SEPM on new server, removing old server. Which method should I use to install?

    Broadcom Employee


  • 14.  RE: Installing SEPM on new server, removing old server. Which method should I use to install?

    Posted Jul 09, 2011 01:55 PM

    For some reason the SEPM 12 server contains the 11.x client install packages, but not the 12.x packages. Do I just import the new package from the install folder, or is that for unmanaged only?

     

    Edit: Got it, I had to run the SEPM 12 installer again, and it upgraded the packages automatically.



  • 15.  RE: Installing SEPM on new server, removing old server. Which method should I use to install?

    Posted Jul 11, 2011 11:10 AM

    Soylent said:

    "Jeez, what a mess. Who keeps marking "as solution" on these posts? I'm not done yet :P"

    That's a great question. If Soylent is the original poster and didn't mark a post as the solution, how is that happening? Considering people get reward points for this stuff, it seems a little fishy on the surface.



  • 16.  RE: Installing SEPM on new server, removing old server. Which method should I use to install?

    Posted Jul 11, 2011 10:03 PM

    So just for the record, I didn't mark my own post as the 'solution'.

    So you have it working, correct? At least with that one client.

    Try to move one other client, one that you haven't tried before -- just to make sure.

    You can't modify the Default Management Server List. But instead, you use the Assign or Replace commands (in the task list) to assign your new Management Server List to clients instead of the default one.

    P.S. I wrote this long post based on your earlier comment that it still wasn't working -- then I saw your later comment that you got one client over. :P

    Oh well, let's see how a few other clients move. If they are good, then we can move the rest.



  • 17.  RE: Installing SEPM on new server, removing old server. Which method should I use to install?

    Posted Jul 11, 2011 10:08 PM

    Hey, if you only have one server listed in the Admin --> Servers page, click on it and check the details, including the IP address and all. If it matches our SEPM 12 machine, then what happened is the entry was "replaced". If that is the case then you can just click Edit to rename it to the new name.