My status

My backup memory

Sunday, June 5, 2011

How to move SEPM from one machine to another

Sources: there are 2 important links
How to move Symantec Endpoint Protection Manager from one machine to another
http://www.symantec.com/business/support/index?page=content&id=TECH104389
SEP 11.x: Best Practices for Disaster Recovery with the Symantec Endpoint Protection Manager
http://www.symantec.com/business/support/index?page=content&id=TECH102333

After reading article TECH104389, I decided to go with the "Disaster Recovery on different IP and Host name" option. The steps are as follows:
+ Upgrade the old machine to RU6 (it is currently on RU5) and use Auto Update Client Packages from 11.0.5 -> 11.0.6 (for details, see the Installation Guide on the installation CD)
+ Back up the old machine following the Best Practices for Disaster Recovery with the SEPM article above.
+ Install SEPM on the new machine. After reviewing the list of ports that SEPM uses, I decided to install it on the SubCA (SCA) rather than on VIM, out of concern about port conflicts, and because SCA already had IIS installed. Note that SEPM requires 3 additional role services: ASP.NET, CGI, IIS 6.0 Management Compatibility (all options). Installation settings:
  • Create custom website at port 8014
  • Set the username (admin), password and e-mail the same as on the old machine
  • Site name: My Site
  • Server name: new host name (SCA)
  • Server Port: 8443
  • Remote Access Port: 9090
  • Database Type: Embedded
  • DB name: sem5
  • Username: admin
  • E-mail: same as old e-mail
Important: The key task to perform when you reinstall the Symantec Endpoint Protection Manager is to type the same encryption password you specified during installation of Symantec Endpoint Protection Manager on the server that failed. You should also use the same settings that you used for other options during the previous installation, such as Web site creation, database type, and password used for the admin user account.
+ Restore Server Certificate
+ Restart SEPM service
+ Restore client communications by restoring the DB (a DB of about 1GB takes about 1h and uses about 2.5GB of HDD). Note: the Restore DB function only works for the local Administrator. Even a Domain Admins account that belongs to the local Administrators group cannot do it -> you have to log off the Domain Admins account and log on with the Administrator account. Because Restore DB takes a long time and causes many problems -> it should only be done for small sites. For a large site, choose Restoring client communications without a database backup.
  • Stop SEPM service
  • Copy the DB backup into \Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\backup
  • Run Database Back Up and Restore.
  • Perform Reconfigure the Management Server following steps 10-15.
    • DB Server Port: 2638
    • DB name: sem5
    • DB user: DBA
    • DB Password (required): same password used to log on to SEPM
Some problems that came up: "You can't logon because server is not synchronized with the DB" -> it asks you to upgrade the server, then log on to the console
A similar error on the Symantec Forum:
http://www.symantec.com/connect/forums/help-wupgrade-sep-4000-4014-database-isnt-synchronized-cant-logon
Fix:
Find and run "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\upgrade.bat" to upgrade the DB status
Once again the upgrade would not run under the Domain Admins account (it hung) -> log off, then log in with the local admin -> run upgrade.bat again -> Done
+ Carry out the remaining steps as described in the guide
B) Disaster Recovery method
  1. Follow "Best Practices for Disaster Recovery with Symantec Endpoint Protection" (see Related Articles below) to backup and reinstall SEPM on MACHINE_2
  2. Log in to the old SEPM on MACHINE_1
  3. Click Policies > Policy Components > Management Server Lists > Add Management Server List
  4. Click Add> Priority and a new Priority would get added named as "Priority2"
  5. Add MACHINE_1 under Priority 2 and add MACHINE_2 under Priority 1, and assign this New Management Server List to all the groups.
  6. Clients will then move from old SEPM to new one gradually
  7. Stop the "Symantec Endpoint Protection Manager" and "Symantec Embedded Database" service on MACHINE_1 to verify whether all clients now report to the new SEPM on MACHINE_2
Wait 8h, then check, before carrying out the remaining 2 steps
  8. Once verified that all the clients are reporting into the new SEPM, and have moved away from the old one, proceed to the next step.
  9. Uninstall SEPM from MACHINE_1
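
A pre-flight check for the install and restore steps above, as an added example that is not part of the original post or of Symantec's documentation. It reports whether the four ports the post lists are already taken, whether the three IIS role services are present, and whether the session is the built-in local Administrator; the function names are hypothetical and the Server Manager feature names are assumptions for Windows Server 2008 R2 or later.

```powershell
# Added example; function names are hypothetical. Ports and role services are from the post.
$SepmPorts = @{
    8014 = 'Custom web site'
    8443 = 'Server Port'
    9090 = 'Remote Access Port'
    2638 = 'DB Server Port'
}

function Get-SepmPortStatus {
    # Ask .NET for every listening TCP endpoint (works on old and new Windows versions).
    $props = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $listening = @($props.GetActiveTcpListeners() | ForEach-Object { $_.Port })
    foreach ($port in ($SepmPorts.Keys | Sort-Object)) {
        New-Object PSObject -Property @{
            Port  = $port
            Use   = $SepmPorts[$port]
            InUse = ($listening -contains $port)
        }
    }
}

function Get-SepmMissingRoleService {
    # Assumed Server Manager names for ASP.NET, CGI and
    # IIS 6.0 Management Compatibility (all options).
    $names = 'Web-Asp-Net', 'Web-CGI', 'Web-Mgmt-Compat', 'Web-Metabase',
             'Web-WMI', 'Web-Lgcy-Scripting', 'Web-Lgcy-Mgmt-Console'
    Import-Module ServerManager
    @(Get-WindowsFeature -Name $names | Where-Object { -not $_.Installed } |
        ForEach-Object { $_.Name })
}

function Test-BuiltinLocalAdministrator {
    # Assumption: "local Administrator" means this machine's built-in account (RID 500),
    # not a domain account that is only a member of the local Administrators group.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $prefix = $env:COMPUTERNAME + '\'
    $isLocal = $id.Name.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)
    $isLocal -and $id.User.Value.EndsWith('-500')
}

Get-SepmPortStatus | Format-Table Port, Use, InUse -AutoSize
$missing = Get-SepmMissingRoleService
if ($missing) { Write-Warning ('Missing IIS role services: ' + ($missing -join ', ')) }
if (-not (Test-BuiltinLocalAdministrator)) {
    Write-Warning 'Not the built-in local Administrator: log on as Administrator before Restore DB or upgrade.bat.'
}
```

Run it on the new machine before installing SEPM; once SEPM is installed its own services hold these ports, so InUse will read True.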
---------------
Update 5-1-2012
Following Plan A in TECH104389 seems simpler. Notes:

- The SEPM version on both machines must be the same
- When performing step 12 of Plan A, do the assignment on both machines (especially the machine with the old SEPM), then run replication now. This is faster

A) Replication method
  1. Install Symantec Endpoint Protection Manager on MACHINE_2
    NOTE: The version installed to the new server must be the same version as on the old server. The new management console can be migrated to a newer version once the transition is complete.
  2. In the Management Server Configuration Wizard panel, check Install an additional site, and then click Next
  3. In the Server Information panel, accept or change the default values for the following boxes, and then click Next
    • Server Name
    • Server Port
    • Server Data Folder
  4. In the Site Information panel, accept or change the name in the Site Name box, and then click Next
  5. In the Replication Information panel, type values in the following boxes:
    • Replication Server Name
      The Name or IP address of MACHINE_1
    • Replication Server Port
      The default is 8443.
    • Administrator Name
      The Username used to log on to the old console.
    • Password
      The password used to log on to the old console.
  6. Click Next
  7. In the Certificate Warning dialog box, click Yes
  8. In the Database Server Choice panel, do one of the following, and then click Next:
    Check Embedded database or Microsoft SQL server (whichever database type you'd prefer to install), then complete the installation.
  9. Log in to the new SEPM on MACHINE_2 and ensure that all the clients and policies have Migrated successfully.
  10. Click Policies > Policy Components > Management Server Lists > Add Management Server List
  11. Click Add> Priority and a new Priority would get added named as "Priority2"
  12. Add MACHINE_1 under Priority 2 and add MACHINE_2 under Priority 1, and assign this New Management Server List to all the groups.
  13. Wait at least one replication cycle.
  14. Stop the "Symantec Endpoint Protection Manager" and "Symantec Embedded Database" service on MACHINE_1 to verify whether all clients now report to the new SEPM on MACHINE_2
  15. Once verified that all the clients are reporting into the new SEPM, and have moved away from the old one, proceed to the next step.
  16. Delete the Replication Partner from MACHINE_2 SEPM: Click on the Admin button | Under View Servers, Expand Replication Partners and select the partner to delete | Under Tasks, choose Delete Replication Partner | Type Yes when asked to verify deletion of the replication partner.
  17. After the successful Migration, uninstall SEPM from MACHINE_1
