Use the information in this article to help prepare the Symantec Endpoint Encryption environment and data in an event of a disaster or an unplanned interruption, such as a natural disaster or power outage.

Preparing for disaster recovery:

You prepare for disaster recovery by backing up the following information:
Item 1: Management Password
Item 2: Database files
Item 3: Server certificate (Keypair of SEE MS TLS cert, with Root and Intermediate certificates)
Item 4: Server installation files
Item 5: Database settings
Item 6: Web Server Confirmation pages with passwords
Item 7: Active Directory settings, port numbers, and the domain name, IP address, and host name of the management server.
TIP: For Items 5 through 7, if you take a screenshot of each of the pages for the SEEMS Configuration Files page, this will help to easily re-create these pages during a new installation of the SEE Management Server if needed:

Once you have screenshots of all your SEEMS Configuration Manager pages, this will help you to quickly set this backup up if needed.


Item 8: You should also back up all client installation files As a best practice, you should store the backed-up data off-site at a secure location.

IMPORTANT TIP!  Ask us about our Check Roles Tool that will make the installation of Symantec Endpoint Encryption Management Server simple and seamless!  This is an excellent tool that will both check if the features are enabled and tell you what is missing, and then **install them for you** (When run as administrator).  Please contact our Symantec Encryption Support team and we will be happy to provide the tool for you.  This tool makes it extremely easy to get all these features installed and enabled.  The name of this tool is called "CheckRolesFor_11_3_1_Plus.exe".

Item 9: Know how to do a new installation of the SEE Management Server if necessary.  For more information on this process, see the following article:

179347 - HOW TO: Install Symantec Endpoint Encryption Management Server (SEE Management Server)

Item 10: Always know the version and build number of your current setup.


High-level tasks to prepare for disaster recovery

The following sections describe recommended practices to help you prepare and manage disaster recovery in your enterprise. Although, an administrator can perform the following recommendations, you can contact Symantec Technical Support for any assistance with the process.
 

Recovering after an interruption - disaster recovery sequence

Symantec recommends that you adhere to a recommended disaster recovery preparation and strategies. If you do encounter an interruption and need to recover, follow this recovery sequence:

1. Set up an environment to install and configure Symantec Endpoint Encryption. For information on requirements to create the environment, see the Symantec Endpoint Encryption 11.3.x Installation Guide.
    
2. Restore the Symantec Endpoint Encryption Management Server.
   • Use the same IP address and host name of the server that you backed up and restore the Management Server.
      
3. Restore the database and install Symantec Endpoint Encryption Management Server
   • Restore the backed up database. For more information on restoring the Microsoft SQL Server database, see the Microsoft MSDN Library or your DBO.
   • Install the Symantec Endpoint Encryption Management Server using the existing database option. Use the Management Server information that you backed up while installing the Management Server.
     
     For information on the Management Server installation, see the Symantec Endpoint Encryption 11 and above Installation Guide and other documentation.
      
4. Restore client communication.
   • Restart a Symantec Endpoint Encryption client computer and verify communication between the Management Server and the client.

Redundancy for SEE Management Server
In addition to the above, it is beneficial to have multiple SEE Management Servers so that you can failover to another node if that particular Windows server goes down.
For example, you may have a server called "seems1.domain.dom" and another server called "seems2.domain.dom".  Each of these servers will be configured with the same database and will share all the same data.  If one server goes down, then the other can be used.

It is important to note that when the SEE Clients are build, they are built using a "Load Balancer" hostname, so the clients will automatically check in with the other nodes.  This means that when you create the client, you will need to have a DNS entry for an alias that will resolve to both "seems1" and "seems2".  For example, you may have the load balancer host called "seems.domain.dom", and that host will be resolved to either seems1 or seems2.  If seems1 goes down, the Load Balancer can redirect to "seems2" until seems1 can be brought back up.

Having the TLS certificates configured for "seems.domain.dom" is critical.  The Load Balancer can then do a TLS termination and simply pass traffic along to the next SEE Management Server. 

Note: It may also be beneficial to have a "regional" hostname configured so that SEE Clients will always reach out to the closest SEE Management Server.  This is something that could be configured on your own internal network for this resolution to occur within DNS.

Currently the SEE Management Server does not have any automatic failover built in.  If you would like this functionality, reach out to Symantec Encryption Support for further guidance and reference the ID in the Additional Information section below.