Move Endpoint Protection Manager to another server without breaking client communications or losing data
search cancel

Move Endpoint Protection Manager to another server without breaking client communications or losing data


Article ID: 155210


Updated On:


Endpoint Protection


This article describes how to prevent disruptions with Symantec Endpoint Protection (SEP) clients when moving Symantec Endpoint Protection Manager (SEPM) to another server.

These steps also help prevent the loss of:

  • Client policies
  • Group memberships
  • Historical reporting data


The method used to replace the SEPM will vary depending on whether the SEPM is a member of a site using a Microsoft SQL Server database, or an embedded database site.  Note both methods require the new and existing SEPMs to run the exact same SEPM version.

For embedded databases

Follow the disaster recovery steps best practices for your SEPM version. Make sure that you gather the database backup and recovery file(s) from your existing manager, and restore the database and recovery files to the new SEPM.

See Disaster recovery best practices for Endpoint Protection

For Microsoft SQL server databases

  1. Gather the recovery file from the existing SEPM. See Contents of the Endpoint Protection Manager disaster recovery file.
  2. Decommission the existing SEPM OR Stop all the SEPM Services. Ensure that it is no longer able to connect to the Microsoft SQL server hosting the SEPM database.
  3. Ensure that the new SEPM has the same host name as the existing SEPM.

    Note: You can configure the new SEPM with the same IP address as the existing SEPM.

  4.  In new Server, SQL Native client will not be installed by default..  Before installing SEP manager, need to download and Install SQL client components for Endpoint Protection Manager .
  5. Perform the following steps in the Management Server Configuration Wizard:
    1. On the Welcome screen, select Install an additional management server to an existing Site.
    2. Check use a recovery file to restore communication with previously deployed clients.
    3. Browse to the recovery file you exported from the existing manager in step 1, and click Next.
    4. Ensure the name in the Server name field matches what was entered for the existing server exactly, including all capitalization and punctuation marks.
    5. Click Next.
    6. Follow the rest of the prompts in the Management Server Configuration Wizard, providing the correct Microsoft SQL Server configuration and authentication information. Allow the Management Server Configuration Wizard to update the SEPM database.

Additional information

For Embedded databases, Prior to 14.3 RU1
In the event that the new SEPM server has a new IP and hostname, you need to follow an additional set of steps to migrate clients using a Management Server List or Communication Update Package (Sylink).

  1. Follow the disaster recovery best practices steps to back up the old SEPM, and then reinstall the SEPM using the backup on the new server.
  2. Log in to the SEPM on the old server.
  3. Click Clients > Policies > General Settings.
  4. On the Security Settings tab, uncheck Enable secure communications between the management server and clients by using digital certificates for authentication, and then click OK.  (Do this for all groups.) 
  5. Wait several heartbeats until all clients get the updated policy.
  6. Next, navigate to Policies > Policy Components > Management Server Lists > Add Management Server List.
  7. Click Add > Priority. A new Priority is added named "Priority2".
  8. Add the old SEPM server under Priority 2, and add the new SEPM server under Priority 1.
    Note: If the old SEPM server is not in the Management Server List, communication will fail. 
  9. For both servers, ensure that they use HTTP protocol
  10. Assign the new Management Server List to all groups. Clients start moving gradually from the old SEPM to the new one.
  11. Once all clients are showing in the new SEPM, Stop the "Symantec Endpoint Protection Manager" and "Symantec Embedded Database" services on the old SEPM server.
  12. Verify that all clients now report to the new SEPM.
  13. Once you verify that all clients are reporting to the new SEPM, uninstall the SEPM from the old server and restore https and secure communications settings. 

Note:  The methods outlined above only apply when performing disaster recovery.  Performing disaster recovery will restore the previous encryption password used for policy encryption.  Without this, client's from the "old" SEPM will not be able to communicate with the "new" SEPM. 

Additional Information

Is this process any different when migrating from physical platforms to virtual, such as VMWare or Azure?
No. Just like physical hardware, the new platform has to meet the system requirements for SEPM.