Symantec Endpoint Protection Manager (SEPM) fails to replicate data between two sites. This happens even when only basic data is replicated (i.e. no content or logs, only group structure and policies). The SQL Client components are installed on the SEPM server and correctly configured (the BCP.exe path is found and correct).
More than one SEPM 12.1 site, recently upgraded to version RU5 or newer.
SQL Server database used at backend, in Windows Authentication mode.
The following errors appear in SEPM's System Activity log:
Unable to fetch changed data from remote site [REMOTESITENAME]: Failed to load data: SQLState = S1000, NativeError = 0 Error = [Microsoft][SQL Server Native Client 10.0]Unable to open BCP host data-file
As part of the security enhancements introduced in SEP 12.1 RU5, the Access Control Lists (ACLs) on folders used by SEPM were modified so that only strictly required permissions are granted. If Windows authentication is used to communicate with the SQL Server database, some permissions may be missing.
This issue has been fixed in Symantec Endpoint Protection Manager 12.1.6. For information on how to obtain the latest build of Symantec Endpoint Protection, read KB article TECH103088: Download the latest version of Symantec Endpoint Protection. To work around the issue if you are not able to upgrade:
Grant FULL access to the Windows account used to authenticate against the SQL Server database on the following folders (NOTE: these are the default installation paths; the actual installation location may vary):
This should be done on all servers triggering BCP errors. Note that not all sites are necessarily impacted (depending on the ACLs in place before the upgrade to RU5, the account used for Windows authentication, etc.), so BCP errors may affect one direction of the replication only (e.g. from site A to site B, and not from site B to site A).
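To find out which servers actually lack the permission before changing any ACL, the PowerShell script below reports whether the account holds an explicit or inherited FullControl entry on each folder, and adds one only when run with `-Grant`. It is an added example, not Symantec tooling: the account name and folder paths are placeholders to be replaced with the values for your installation, and the check looks at entries for the account itself, not at rights obtained through group membership.

```powershell
# Added example (not vendor code). Account and folder paths are placeholders.
param(
    [string]$Account = 'EXAMPLE\svc-sepm-sql',               # placeholder: SQL Windows-auth account
    [string[]]$Folders = @('C:\PLACEHOLDER\sepm-folder-1',   # placeholders: use the SEPM folders
                           'C:\PLACEHOLDER\sepm-folder-2'),  # that apply to your installation
    [switch]$Grant                                           # without -Grant the script only reports
)

$rights   = [System.Security.AccessControl.FileSystemRights]::FullControl
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp   = [System.Security.AccessControl.PropagationFlags]::None
$inhOnly  = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$sidType  = [System.Security.Principal.SecurityIdentifier]

# Resolve the account to a SID once, so matching does not depend on name formatting.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate($sidType)

foreach ($folder in $Folders) {
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
        Write-Warning "Folder not found: $folder"
        continue
    }
    $acl = Get-Acl -LiteralPath $folder
    $hasFull = $false
    # Explicit and inherited ACEs, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $applies = -not ($ace.PropagationFlags -band $inhOnly)   # inherit-only ACEs skip the folder itself
        if ($applies -and $ace.IdentityReference.Value -eq $sid.Value -and
            $ace.AccessControlType -eq $allow -and
            ($ace.FileSystemRights -band $rights) -eq $rights) {
            $hasFull = $true
        }
    }
    if ($hasFull) {
        "OK       $folder"
    } elseif ($Grant) {
        # Add an Allow FullControl ACE that child files and folders inherit.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $sid, $rights, $inherit, $noProp, $allow)
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $folder -AclObject $acl
        "GRANTED  $folder"
    } else {
        "MISSING  $folder"
    }
}
```

Running it without `-Grant` on each site's SEPM server shows which side of the replication is affected; a Deny entry for the account would still override the grant and is not reported here.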