Best Practices for Disaster Recovery with Symantec Endpoint Encryption Management Server (SEE Management Server)
search cancel

Best Practices for Disaster Recovery with Symantec Endpoint Encryption Management Server (SEE Management Server)


Article ID: 161187


Updated On:


Endpoint Encryption Desktop Email Encryption Drive Encryption Encryption Management Server File Share Encryption Gateway Email Encryption PGP Command Line PGP Key Management Server PGP Key Mgmt Client Access and CLI API PGP SDK


This Knowledge Base article provides information on the best practices for planning and executing a successful Disaster Recovery program for the Symantec Endpoint Encryption product.


For Best Practices and Disaster recovery for the PGP Server (Symantec Encryption Management Server/SEMS) product line, see the following article:

269071 - Best Practices for Disaster Backup and Recovery with PGP Server (Symantec Encryption Management Server (SEMS)


Use the information in this article to help prepare the Symantec Endpoint Encryption environment and data in an event of a disaster or an unplanned interruption, such as a natural disaster or power outage.

Preparing for disaster recovery:

You prepare for disaster recovery by backing up the following information:
Item 1: Management Password
Item 2: Database files
Item 3: Server certificate (Keypair of SEE MS TLS cert, with Root and Intermediate certificates)
Item 4: Server installation files
Item 5: Database settings
Item 6: Web Server Confirmation pages with passwords
Item 7: Active Directory settings, port numbers, and the domain name, IP address, and host name of the management server.
TIP: For Items 5 through 7, if you take a screenshot of each of the pages for the SEEMS Configuration Files page, this will help to easily re-create these pages during a new installation of the SEE Management Server if needed:


Once you have screenshots of all your SEEMS Configuration Manager pages, this will help you to quickly set this backup up if needed.

Item 8: You should also back up all client installation files As a best practice, you should store the backed-up data off-site at a secure location.

IMPORTANT TIP!  Ask us about our Check Roles Tool that will make the installation of Symantec Endpoint Encryption Management Server simple and seamless!  This is an excellent tool that will both check if the features are enabled and tell you what is missing, and then **install them for you** (When run as administrator).  Please contact our Symantec Encryption Support team and we will be happy to provide the tool for you.  This tool makes it extremely easy to get all these features installed and enabled.  The name of this tool is called "CheckRolesFor_11_3_1_Plus.exe".

Item 9: Know how to do a new installation of the SEE Management Server if necessary.  For more information on this process, see the following article:

179347 - HOW TO: Install Symantec Endpoint Encryption Management Server (SEE Management Server)


Item 10: Always know the version and build number of your current setup.

High-level tasks to prepare for disaster recovery

The following sections describe recommended practices to help you prepare and manage disaster recovery in your enterprise. Although, an administrator can perform the following recommendations, you can contact Symantec Technical Support for any assistance with the process.

Task Description
Step 1: Back up the database often Back up your database immediately following the successful installation and configuration of the Symantec Endpoint Encryption Management Server. At scheduled, frequent intervals, you should manually backup your database or perform automatic backups. For more information on backing up your Microsoft SQL Server database, see the Microsoft MSDN Library or your database owner.
Step 2: Back up important files or save information that you will require when you start the disaster recovery process The files or information that you must back up or save and use during the disaster recovery process are:
  • Password: Save the Symantec Endpoint Encryption Management password.
  • Certificate: Save the Web Server SSL certificate and Removable Media Encryption Recovery Certificate.
  • Database: Back up and save the database backup file (.bak) and database certificate that is used for configuring secure SQL Server. Also, save the database settings such as database server name, database port number, database account that was used for Symantec Endpoint Encryption Management Server installation and database access.
  • Active Directory settings: Save the Active Directory Configuration settings such as the forest name, server name, domain name, and Active Directory's Administrator account name and password.
  • Management Server information: Save the MSI files of Management Server, Management Agent, Drive Encryption and Removable Media Encryption. Also, save the Management Server IP address, host name, domain name, and port numbers used for configuring the web services.

    SEE "TIP" above this table for screenshots to backup in the SEEMS Configuration Manager. 
Step 3: Copy the files you backed up off-site

Store the backed-up data off-site at a secure location.

Caution: When you backup files to a secure, off-site location, be sure that the files are copied properly. If the copied files are corrupted, you cannot restore your data.

Step 4: Test your backup strategy Simulate a mock-disaster situation and try to restore all backed up files, database, and re-establish communication between server and clients.

Caution: To minimize the associated risks of simulating a mock-disaster situation, carefully review your organization’s policies and procedures.


Recovering after an interruption - disaster recovery sequence

Symantec recommends that you adhere to a recommended disaster recovery preparation and strategies. If you do encounter an interruption and need to recover, follow this recovery sequence:

  1. Set up an environment to install and configure Symantec Endpoint Encryption. For information on requirements to create the environment, see the Symantec Endpoint Encryption 11.3.x Installation Guide.
  2. Restore the Symantec Endpoint Encryption Management Server.
    • Use the same IP address and host name of the server that you backed up and restore the Management Server.
  3. Restore the database and install Symantec Endpoint Encryption Management Server
    • Restore the backed up database. For more information on restoring the Microsoft SQL Server database, see the Microsoft MSDN Library or your DBO.
    • Install the Symantec Endpoint Encryption Management Server using the existing database option. Use the Management Server information that you backed up while installing the Management Server.

      For information on the Management Server installation, see the Symantec Endpoint Encryption 11 and above Installation Guide and other documentation.
  4. Restore client communication.
    • Restart a Symantec Endpoint Encryption client computer and verify communication between the Management Server and the client.


Redundancy for SEE Management Server
In addition to the above, it is beneficial to have multiple SEE Management Servers so that you can failover to another node if that particular Windows server goes down.
For example, you may have a server called "" and another server called "".  Each of these servers will be configured with the same database and will share all the same data.  If one server goes down, then the other can be used.

It is important to note that when the SEE Clients are build, they are built using a "Load Balancer" hostname, so the clients will automatically check in with the other nodes.  This means that when you create the client, you will need to have a DNS entry for an alias that will resolve to both "seems1" and "seems2".  For example, you may have the load balancer host called "", and that host will be resolved to either seems1 or seems2.  If seems1 goes down, the Load Balancer can redirect to "seems2" until seems1 can be brought back up.

Having the TLS certificates configured for "" is critical.  The Load Balancer can then do a TLS termination and simply pass traffic along to the next SEE Management Server. 

Note: It may also be beneficial to have a "regional" hostname configured so that SEE Clients will always reach out to the closest SEE Management Server.  This is something that could be configured on your own internal network for this resolution to occur within DNS.

Currently the SEE Management Server does not have any automatic failover built in.  If you would like this functionality, reach out to Symantec Encryption Support for further guidance and reference the ID in the Additional Information section below.



Additional Information