Domain Migration Activity with DLP Enforce move to new Application Server and new domains to update

Article ID: 210272

Updated On:

Products

Data Loss Prevention Enterprise Suite

Issue/Introduction

When the DLP Enforce Manager application server is migrated from one domain to another, the FQDN suffix changes from the old domain to the new domain.

Are there specific steps and settings to check or validate on the application side during this activity?

Environment

Release : 15.x

Component : Enforce Server

Cause

Updates are required for the DLP platform to continue to function as expected on the new application server with the new domains.

Resolution

1) Edit the krb5.ini file to change the realms and domains from olddomain.com to newdomain.com.

Note: before making any changes to the krb5.ini file:

  • make a backup of the existing krb5.ini file and put it in a separate folder location
  • make sure you can access Enforce Server console currently, using the Administrator user
  • stop Enforce Server services

Stopping services in DLP 15.1 and later

    1. SymantecDLPDetectionServerController
    2. SymantecDLPIncidentPersister
    3. SymantecDLPManager
    4. SymantecDLPNotifier
  • make the required changes in the krb5.ini file, replacing olddomain.com with newdomain.com in the realms and domains*
  • make sure not to add any unnecessary extra spaces in the krb5.ini file, as this can affect the desired working outcome
  • after the required krb5.ini changes have been made, restart the Enforce Server services as follows:

Starting services in DLP 15.1 and later

    1. SymantecDLPNotifier
    2. SymantecDLPManager
    3. SymantecDLPIncidentPersister
    4. SymantecDLPDetectionServerController
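
Step 1 as a script, added here as an example and not part of the original article or of Broadcom's tooling: it prepares the edited file in memory, backs up krb5.ini, stops the services in the listed order, writes the change, and starts the services again. `$Krb5Path` and `$BackupDir` are assumed parameters (the article does not give the file's location); run it from an elevated PowerShell session after confirming console access as the Administrator user.

```powershell
param(
    [Parameter(Mandatory)] [string] $Krb5Path,   # assumption: full path to krb5.ini (not given in the article)
    [Parameter(Mandatory)] [string] $BackupDir,  # assumption: separate folder that receives the backup
    [string] $OldDomain = 'olddomain.com',
    [string] $NewDomain = 'newdomain.com'
)
$ErrorActionPreference = 'Stop'

# Service order for DLP 15.1 and later, as listed in the article.
$stopOrder  = 'SymantecDLPDetectionServerController', 'SymantecDLPIncidentPersister',
              'SymantecDLPManager', 'SymantecDLPNotifier'
$startOrder = 'SymantecDLPNotifier', 'SymantecDLPManager',
              'SymantecDLPIncidentPersister', 'SymantecDLPDetectionServerController'

# Kerberos realms are conventionally upper case and domain mappings lower case,
# so each case is replaced separately to keep the file's existing casing.
$oldUpper = [regex]::Escape($OldDomain.ToUpper()); $newUpper = $NewDomain.ToUpper()
$oldLower = [regex]::Escape($OldDomain.ToLower()); $newLower = $NewDomain.ToLower()
$updated = @(Get-Content -LiteralPath $Krb5Path | ForEach-Object {
    ($_ -creplace $oldUpper, $newUpper) -creplace $oldLower, $newLower
})

# Anything still naming the old domain (mixed case, for example) needs a manual edit.
$leftover = @($updated -match [regex]::Escape($OldDomain))
if ($leftover.Count -gt 0) { throw "Old domain still present: $($leftover -join '; ')" }

# The article warns about unnecessary extra spaces; flag trailing whitespace for review.
$trailing = @($updated -match '\s+$')
if ($trailing.Count -gt 0) { Write-Warning "$($trailing.Count) line(s) end in whitespace." }

# Back up the current file to a separate folder before touching anything.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backupName = 'krb5.ini.{0:yyyyMMdd-HHmmss}.bak' -f (Get-Date)
Copy-Item -LiteralPath $Krb5Path -Destination (Join-Path $BackupDir $backupName)

foreach ($svc in $stopOrder) { Stop-Service -Name $svc }
try {
    # ASCII output avoids writing a byte-order mark at the start of the file.
    Set-Content -LiteralPath $Krb5Path -Value $updated -Encoding Ascii
}
finally {
    # Start the services again even if the write failed.
    foreach ($svc in $startOrder) { Start-Service -Name $svc }
}
```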

2) Review AD-based lookups (create a new directory connection and switch over the domain used with plugins).

3) AD User Groups (for AD user groups, reuse the existing directory connection where possible, but review whether some changes in this area are required).

4) If any Discover scans use domain accounts, changing the username on the credentials within the credential vault might be required. For AD lookups, this depends on how the migration occurs.

5) Once the new domain is in use, generating new certificates for browser use with the new domain when logging into Enforce may be required.

Additional Information

*For best practice and a review of "gotchas" when configuring AD Authentication, see Configure Active Directory Authentication for DLP (broadcom.com).