SEPM shows Duplicate entries for Groups due to Replication and Active Directory Synchronization on Both SEPM


Article ID: 158343


Products

Endpoint Protection

Issue/Introduction

SEPM shows duplicate entries for groups because both SEPMs in a replication partnership also synchronize with Active Directory.

 

Cause

- Active Directory was synchronized with both SEPM consoles, which are in replication with each other.
- Once an OU is created in AD, it gets synchronized with both SEPM consoles.
- Due to replication between the SEPMs, the newly created OU gets duplicated.
 

Resolution

Solution 1
- Remove AD sync from the Secondary Site SEPM. (Only the Primary Site SEPM should have AD sync.)
- Remove the imported OU from both SEPM consoles.
- Import the OU on the Primary Site SEPM.
- Wait for the replication schedule or run replication.
- Neither SEPM will then have a duplicate OU.

--------------------------------------------------------------------------------------------------------------------------------------

Solution 2
1) Preparing the "Default Group" to receive clients from Deleted OU:
--------------------------------------------------------------------
In the Primary Site SEPM:
Create a new group under "My Company" and name it "Default Group Temp".
Copy the Policies of the "Default Group" to the "Default Group Temp".
Move all the clients from "Default Group" to the "Default Group Temp".
On the Policies tab of the "Default Group", under "Communication Settings", uncheck "Download policies and content from Management Server".

2) (If required) Backup the Policies of the groups of OU with duplicates:
-------------------------------------------------------------------------
In the Primary Site SEPM:
Create a new group under "My Company" and name it "Backup".
Under the group "Backup", create a copy (with same name) of the groups/subgroups of the "Affected OU" (that has duplicates).
Copy the policies of the groups/subgroups of the "Affected OU" to their copy under the group "Backup".

3) Removing the affected OU and its duplicate:
----------------------------------------------
In the Primary Site AD:
Create a temporary duplicate of the "Affected OU". The temporary duplicate OU has to be under a structure that is NOT imported in SEPM.
Move all the computers from the "Affected OU" to its duplicate.
Delete the "Affected OU".

4) Let the Primary Site AD and the Secondary Site AD sync with each other.

5) Let the Secondary Site SEPM sync with the AD.

6) Let the Primary Site SEPM sync with the AD.

Note: After the AD sync on the SEPM, the affected groups that were created for the "Affected OU" will get deleted on both SEPMs, leaving behind the duplicate groups that were created upon replication. The clients that were reporting to the affected group will start reporting to the "Default Group" in SEPM, but the policies of the clients will not change because 'policy download' has been disabled in the "Default Group".

7) Let the Primary Site SEPM and the Secondary Site SEPM replicate with each other.

Note: Upon replication, the duplicate groups on both SEPMs will get deleted.

8) In the Secondary Site SEPM, remove/disable the AD sync.

9) In the Primary Site AD, recreate the OU that was deleted in STEP-3.

10) Let the Primary Site SEPM sync with the AD.

Note: A new group will be created in Primary Site SEPM for the recreated OU.

11) In the Primary Site SEPM, copy the policies backed up in STEP-2 to the recreated groups.

12) In the Primary Site AD, move the computers back from the temporary duplicate OU into the recreated OU.

Note: In the Primary Site SEPM, the clients of the computers in the recreated OU will automatically move to the recreated group from the "Default Group".

13) Let the Primary Site SEPM and the Secondary Site SEPM replicate with each other.

Note: The new group on Primary Site SEPM will be replicated to the Secondary Site SEPM. There will be no duplicates.
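
Step 3 of Solution 2 is the part carried out in Active Directory rather than in the SEPM console. The following PowerShell function is an added example (not part of the original article) that performs that step for one OU. It assumes the ActiveDirectory PowerShell module is available; the function name, parameter names and default temporary OU name are hypothetical, and it goes slightly beyond the step by recreating sub-OUs under the temporary OU and refusing to delete while non-computer objects remain.

```powershell
#Requires -Modules ActiveDirectory
# Added example for step 3 of Solution 2; every DN and name is supplied by the operator.
function Move-AffectedOuToTemp {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$AffectedOU,  # DN of the OU whose groups are duplicated
        [Parameter(Mandatory)][string]$TempParent,  # DN of a parent that is NOT imported in SEPM
        [string]$TempName = 'AffectedOU-Temp'       # hypothetical name for the temporary OU
    )
    $ErrorActionPreference = 'Stop'
    $src    = (Get-ADOrganizationalUnit -Identity $AffectedOU).DistinguishedName
    $parent = (Get-ADObject -Identity $TempParent).DistinguishedName
    # A temporary OU inside the affected OU would be deleted together with it.
    if ($parent.EndsWith($src, [StringComparison]::OrdinalIgnoreCase)) {
        throw 'TempParent must be outside the affected OU.'
    }
    if (-not $PSCmdlet.ShouldProcess($src, 'Move computers to a temporary OU, then delete')) { return }

    $temp = New-ADOrganizationalUnit -Name $TempName -Path $parent `
                -ProtectedFromAccidentalDeletion $false -PassThru
    $map  = @{ $src = $temp.DistinguishedName }     # old OU DN -> temporary OU DN

    # Parents sort first because a child DN is always longer than its parent's DN.
    $ous = @(Get-ADOrganizationalUnit -SearchBase $src -SearchScope Subtree -Filter * |
             Sort-Object { $_.DistinguishedName.Length })
    foreach ($ou in $ous) {
        $dn = $ou.DistinguishedName
        if ($dn -ne $src) {
            # Strip the first RDN (escaped commas allowed) to get the old parent DN.
            $oldParent = $dn -replace '^(?:\\.|[^,\\])+,', ''
            $new = New-ADOrganizationalUnit -Name $ou.Name -Path $map[$oldParent] `
                       -ProtectedFromAccidentalDeletion $false -PassThru
            $map[$dn] = $new.DistinguishedName
        }
        Get-ADComputer -SearchBase $dn -SearchScope OneLevel -Filter * |
            Move-ADObject -TargetPath $map[$dn]
    }

    # Refuse to delete if anything other than empty OUs is left (users, groups, ...).
    $left = @(Get-ADObject -SearchBase $src -SearchScope Subtree `
                  -LDAPFilter '(!(objectClass=organizationalUnit))')
    if ($left.Count -gt 0) { throw "$($left.Count) non-OU objects remain under $src; not deleting." }

    # Deletion protection blocks the removal, so clear it on the whole subtree first.
    $ous | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $false
    Remove-ADOrganizationalUnit -Identity $src -Recursive -Confirm:$false
    $map[$src]    # DN of the temporary OU, needed again in step 12
}
```

Running the function with `-WhatIf` reports the target OU and makes no changes. Whether `$TempParent` is outside the structure imported in SEPM cannot be checked from AD and has to be confirmed in the SEPM console.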
 


Applies To

- Windows Server 2008 SEP 12.1
- Active Directory sync - Yes (Every 1 hour)
- Replication - Yes (Every 24 hours)
