The Symantec Endpoint Protection Manager (SEPM) allows you to export a division of the SEPM database called a Domain. The resulting DAT file contains the group structure and all custom policies and their assignments. This information, along with a recovery file from the SEPM's Server Private Key Backup folder, allows you to rebuild the entire SEPM environment from about 1 MB of data, which makes it useful as a lightweight Disaster Recovery (DR) method. This export excludes any previous client install package versions (see note), historical log data and any definition content such as AV (Virus and Spyware), IPS (Intrusion Prevention) and SONAR (Proactive Threat Protection), as these would be stored in a database backup. For disaster recovery with a full database backup, see: Disaster recovery best practices for Endpoint Protection
Important: The recovery must be performed on the same version of SEPM from which the Domain Export was collected. Domain Exports between minor versions are not supported or allowed.
If the recovery version is lower than 14 RU1 MP1 (14.0.3876.1100), an upgrade after DR is recommended for best security. (See: https://support.symantec.com/en_US/security-advisory.html for all known security issues.)
Note: Remove any assigned install packages from groups prior to exporting the domain, as leaving them assigned may cause issues adding new packages in the future.
This documentation is divided into two parts:
Preparing a Disaster Recovery Backup with a Domain Export:
- Copy the ...Manager\Server Private Key Backup folder to a safe backup location.
- Open the SEPM to the Admin page.
- Click the Domains button at the bottom of the page.
- Click Export Domain in the Tasks pane.
- Select a location and name the file appropriately (e.g. Default SEPM Domain.dat).
Note: It may be useful to record the version/build of SEPM in the file name for reference during recovery. This will be your recovery version.
- Click Open and the domain will be exported to disk.
- Ensure you have a copy of the installation media for this recovery version to use during DR.
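One way to script the file handling around the preparation steps above, as an added example that is not part of the original article and not a Symantec tool. It assumes the domain has already been exported from the console; the parameter names, the bundle folder name and manifest.json are hypothetical, and the full path of the Server Private Key Backup folder is supplied by the caller.

```powershell
# Added example (not vendor tooling): stage the DR bundle and hash its contents.
param(
    [Parameter(Mandatory)][string]$KeyBackupDir,  # full path of ...Manager\Server Private Key Backup
    [Parameter(Mandatory)][string]$DomainExport,  # .dat file saved by Export Domain
    [Parameter(Mandatory)][string]$SepmVersion,   # recovery version, e.g. 14.3.4615.2000
    [Parameter(Mandatory)][string]$Destination    # safe backup location; restrict access, it holds key backups
)
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Recovery must use the identical build, so insist on a full four-part version.
if ($SepmVersion -notmatch '^\d+\.\d+\.\d+\.\d+$') {
    throw "SepmVersion must be a full build number, e.g. 14.3.4615.2000"
}
if (-not (Test-Path -LiteralPath $DomainExport -PathType Leaf)) {
    throw "Domain export not found: $DomainExport"
}
$keyFiles = @(Get-ChildItem -LiteralPath $KeyBackupDir -File)
if ($keyFiles.Count -eq 0) { throw "No recovery file in: $KeyBackupDir" }
# The newest recovery file is the one recommended for the reconfigure step.
$newest = $keyFiles | Sort-Object LastWriteTime -Descending | Select-Object -First 1

# One folder per backup, named with the recovery version and a timestamp.
$name   = 'SEPM-DR_{0}_{1:yyyyMMdd-HHmmss}' -f $SepmVersion, (Get-Date)
$bundle = (New-Item -ItemType Directory -Path (Join-Path $Destination $name)).FullName

Copy-Item -LiteralPath $KeyBackupDir -Destination (Join-Path $bundle 'Server Private Key Backup') -Recurse
# Record the version in the export's file name for reference during recovery.
$datName = '{0} ({1}).dat' -f ([IO.Path]::GetFileNameWithoutExtension($DomainExport)), $SepmVersion
Copy-Item -LiteralPath $DomainExport -Destination (Join-Path $bundle $datName)

# Hash every copied file so the bundle can be checked for completeness before a recovery.
$files = Get-ChildItem -LiteralPath $bundle -File -Recurse | ForEach-Object {
    [pscustomobject]@{
        Path   = $_.FullName.Substring($bundle.Length + 1)
        Bytes  = $_.Length
        SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
}
[pscustomobject]@{
    RecoveryVersion    = $SepmVersion
    DomainExport       = $datName
    NewestRecoveryFile = $newest.Name
    Files              = @($files)
} | ConvertTo-Json -Depth 4 | Set-Content -LiteralPath (Join-Path $bundle 'manifest.json') -Encoding UTF8

Write-Output "DR bundle written to $bundle"
```

Re-running Get-FileHash over the bundle and comparing against manifest.json before a recovery shows whether the export or a recovery file has changed or gone missing since the backup was taken.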
Performing a Disaster Recovery with a Domain Export:
- Install the SEPM using install files for the recovery version. (For example, if you created the domain export in 14.3.4615.2000 (SEP 14.3 RU2), you must reinstall 14.3.4615.2000 (SEP 14.3 RU2) for proper recovery.)
- When the configuration wizard launches, do not use a recovery file.
Note: If a recovery file is used in this step, it will prevent proper association of groups and policies with existing clients.
- Launch the SEPM upon completion of the configuration wizard.
- Open the SEPM to the Admin page.
- Click the Domains button at the bottom of the page.
- Click Export Domain in the Tasks pane. (This sets up the folder to allow import.)
- Save the file somewhere to complete the process. Do not overwrite your previously exported domain. This new file may be discarded.
- Click Rename Domain in the Tasks pane and change the current domain name to Default2.
- Click Import Domain in the Tasks pane and select your exported domain from the DR backup.
- Click Import and the domain will be added into the console.
- Highlight the domain you imported and click Administer Domain in the Tasks pane.
- Highlight the Default2 domain and click Delete Domain.
- Check the box "Yes, I want to delete this domain" and click OK.
- Log out of the SEPM and close the GUI.
- Click Start and expand All Programs, then Symantec Endpoint Protection Manager, then Symantec Endpoint Protection Manager Tools.
- Click the shortcut for the Management Server Configuration Wizard.
- When the wizard loads, select "Reconfigure the management server", check the box "Use a recovery file..." and browse to your DR recovery file. (The newest recovery file in your DR copy of Server Private Key Backup is recommended.)
- Click Next through the wizard, ensuring that the settings appear correct and the correct database type is shown.
Note: Answer No to the following dialog: "The certificate file in the recovery file does not match the certificate in the database, however the certificate on disk matches the certificate in the database. Do you want to use the certificate on disk rather than the certificate from the recovery file? Click yes (recommended) to use the certificate on disk. Click no to use the certificate from the recovery file." A "Yes" answer would prevent clients from communicating properly with the SEPM due to the new certificate generated by step 2 of this DR process.
- Launch the SEPM upon completion of the configuration wizard.
Note: AD sync settings and some administrator accounts may not be present in a Domain Export.