Endpoint Protection

Hello,
the green dot is missing from the clients as viewed from the Management console after a reimage of workstation (there is no SID duplicate issues). The client/ workstation has a green dot and is recieving updates normally. When I open SEP on the workstation - Help and Support - Troubleshooting and view General Information - Group the location is incorrect and will not update. I have SEPM linked to Active Directory for the group creation. The workstation is a new vista image that was installed recently.

SEPM 11.0.5002.333 using SQL Server 2005 together on Server 2003
SEP 11.0.5002.333 on Vista
Linked to AD for Groups

There is a message I recieve when I perform a manual sync:
The management server has detected one or more problems with entries in LDAP. These entries were ignored. This could be caused by duplicate entries or other problems.

Try removing the Directory Server and add the LDAP server again. Then try to resynchronize the OU.

Is that an error or a warning??

If that is a warning then This warning is just a warning and does not indicate a genuine error.

 

It's a warning...

I've tried that but still I recieve the warning message. However, it is only for a couple OUs/Groups...all others sync normally. Structure and contents match Active Directory so its hard to isolate. Not sure what to check or if there are duplicate records in the database for the same computer..., I tried renaming the computer and created a fresh computer account but it still will not show in the management console with a green dot.

As far as the warning is concerned it can be ignored

For th Clients on online in concerned

Remove the sync and resync it.Alos make sure that you renter the passowrd for the LDAP server

I did remove the sync and re-added it using the correct password. still no green dot in management console. and the client still shows the wrong group location as viewed from SEP on the workstation. when i do a search in SEPM only one client resolves and that shows the correct group. seems to be a difference in what group the client thinks it should be in and what group the SEPM shows it to be in.

Replace the sylink on one client and see if that helps

lets go from basics if you dont mind
can you try the secars test on the client and check if that comes okay

Testing Communication

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007101711140148 
if you could post a sylink log that would be fine.

http://service1.symantec.com/support/ent-security.nsf/docid/2008041812561948

Hi, Secars tests OK

Hi,
Replaced Sylink...no help

 take a backup of this key
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink
delete this sylink key
go to start-run
type smc-stop
wait for 2 mins
smc -start
should populate with new informationi if the client is communicating
if that does not happen
post the sylink log in here.

https://www-secure.symantec.com/connect/downloads/sylink-toggle

you need to reset the communication between client and manager
open sepm
click on admin
install pacakges
click on client install settings
click on add.
add a setting with checked remove client communication radio buttom
when exporting the package, select the one you have created now with radio button
install this package, clients should communicate.

 

I've tried this before but tried again...the client installs... shows a green dot on the workstation..updates from the SEPM. But SEPM does not show a green dot for the client. The workstation SEP still shows the wrong group location.

Where does the group information in SEP come from? Is there a way to manually edit and or delete/recreate the data source? Is there a way to view the client information in the database? Thanks.

Hi,
I deleted the sylink key ... type smc-stop; wait for 2 mins; smc -start. a new key did not appear (not sure if it was suppose to) ... I checked the SEP again and it still shows the wrong group ... and still no green dot in SEPM.

 

Hay,

can you check if the client's ip address is present in C:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\inbox\log\ersecreg log?
check the exsecars log at the same location as well. Search for the ip of any of the clients that have a green dot.

Get the sylinkmonitor logs and post them here so that we can take a look at it.

You can also refer to the following to understand the communication between sep-sepm.

https://www-secure.symantec.com/connect/videos/about-communication-between-sep-sepm

Aniket

In the server run the following url in the browser
  http://127.0.0.1:9090/servlet/ConsoleServlet?ActionType=ConfigServer&action=CleanClients
ref:Duplicate AD-imported clients & RU5 

Hi Aniket,
I'm looking in the ersecreg.log and see the old computer account name and the new computer account name with the current ip address. could this be the issue?

Also, I see a ersecreg-1.log in the folder...?

In the exsecars.log I'm seeing the following:

12/22 11:03:12 [4048:4224] Open File Error G:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent\1C4D142BA08A281E00E5806F04902BD2\index.xml

12/22 11:03:12 [4048:4224] Update Profile Serial Number failed! GroupID=1C4D142BA08A281E00E5806F04902BD2

Please advise. Thank you.

Dan.

The computers I checked that have the green dot in SEPM console are listed as single entries in the ersecreg.log ... the computer accounts that are listed in pairs (next to each other)  do not have the green dot in SEPM console. Appears to be duplicate objects in the database. I guess now I have to figure out how to purge duplicates.

Any advise would be appreciated. Thanks.

Dan.

The computers I checked that have the green dot in SEPM console are listed as single entries in the ersecreg.log ... the computer accounts that are listed in pairs (next to each other)  do not have the green dot in SEPM console. Appears to be duplicate objects in the database. I guess now I have to figure out how to purge duplicates.

Any advise would be appreciated. Thanks.

Dan.

follow aravindkm 's suggestion of clearing the duplicates.
should help u out. 

I ran http://127.0.0.1:9090/servlet/ConsoleServlet?ActionType=ConfigServer&action=CleanClients and returned:

  <?xml version="1.0" encoding="UTF-8" ?>
  <Response ResponseCode="0" />

Thanks...

Dan.

Let us know if that quey was able to remove the duplicate clients from SEPM.

Hi,
I ran an SQL query (below) on a computer that is not reporting or showing the greendot in SEPM and returned three different Client ID records with the same HardwareID. All three records have the same DomainID, GroupID, Policy_Mode, ComputerID, and HardwareKey. For comparison, I ran the SQL query on a computer that is reporting and shows a greendot in SEPM and returned only one record. I'm thinking duplicate records in the database is causing the issue.
SELECT [CLIENT_ID]
,[DOMAIN_ID]
,[GROUP_ID]
,[POLICY_MODE]
,[COMPUTER_ID]
,[HARDWARE_KEY]
FROM [sem5].[dbo].[SEM_CLIENT] where [HARDWARE_KEY] = 'put HardwareID from above reg key'

I ran the above SQL query after pasting http://127.0.0.1:9090/servlet/ConsoleServlet?ActionType=ConfigServer&action=CleanClients string in the browser...which returned
  <?xml version="1.0" encoding="UTF-8" ?>
  <Response ResponseCode="0" />

Is there another way to remove duplicates in the database via a SQL script?

Thanks,
Dan.

I'm seeing computers with the same HardwareID... looks like an issue. Should these be unique?

Appears that one of our departments re-imaged their computers however did not ensure that the SEP client's HardwareID key or sephwid.xml file was removed before imaging thus conflicting with each other.

I deleted the HardwareID key and renamed the sephwid.xml file and the client popped in SEPM with all its informaiton and a nice bright green dot.

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007110510364248 


Thanks,
Dan.

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007110510364248 


Thanks everyone...
Dan.