Learn how to prepare Symantec Endpoint Protection Manager (SEPM) for disaster recovery, or recover your SEPM environment in the event of a disaster.
Prepare for disaster recovery
You can recover from disasters, but first you must prepare for them using the SEPM.
Step 1: Back up the database
As a best practice, back up the database at least weekly.
- Run the DBValidator tool to ensure that there are no broken links in the database. See the related articles below for how to use the DBValidator tool to check for broken links.
- If there are no broken links found, click Start > Programs > Symantec Endpoint Protection Manager > Database Backup and Restore.
- Click Back Up. The database backup file name is date_timestamp.zip and is located in the following directory:
\Program Files\Symantec\Symantec Endpoint Protection Manager\data\backup
Note: The backup process saves the file to the location of the SEPM installation.
Step 2: Back up the disaster recovery file
After you install the management server, back up the disaster recovery file and copy it to another computer. As a best practice, store the backup file in a secure location off-site. See Step 4 for more information.
By default, the recovery file is located in the following directory:
Note: If you update the self-signed certificate to a different certificate type, the management server creates a new recovery file, which has the latest timestamp.
The disaster recovery file includes the following information:
- Encryption password
- Keystore files
- Default domain ID
The recovery file only stores the default domain ID; IDs for all domains (including the default domain) are stored in the database. If you have multiple domains and need to perform a disaster recovery without a database backup, you must re-add additional domains and their IDs after you reinstall the SEPM. See Step 3 for instructions.
- Certificate files
- License files
- Port numbers
Ensure that the KCS value in the recovery file matches the current one in the SEPM. See TECH253460 for the locations of the KCS values to verify against the recovery file.
Step 3: (Optional) Save the management server information
If you have a hardware failure, you must reinstall the management server using the IP address and host name (case sensitive) of the original management server.
To save the management server information:
- Create a text file named SEPBackup.txt.
- Add to this file the IP address and host name of the management server.
- Add to this file all domain IDs beyond the default domain.
Note: If you have multiple domains and perform a disaster recovery without a database backup, you must recreate additional domains and their IDs after you reinstall the SEPM. You can find domain IDs in the SEPM Admin view or in sylink.xml files.
Step 4: Store the backup data in a secure location off-site
Copy the files you previously backed up to another computer. As a best practice you should store the backup data in a secure location off-site.
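The four preparation steps above, combined into one PowerShell script as an added example (not Symantec tooling). The `-RecoveryDir` and `-Destination` parameters, the 7-day threshold taken from the weekly guidance, and the line layout of SEPBackup.txt are assumptions; supply the recovery file directory from Step 2 yourself.

```powershell
# Added example: collects the SEPM disaster recovery artifacts and copies them off-host.
param(
    [string]$SepmRoot = 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager',
    [Parameter(Mandatory)][string]$RecoveryDir,   # directory holding the recovery file (Step 2)
    [Parameter(Mandatory)][string]$Destination,   # access-restricted off-host folder or share (assumption)
    [string[]]$ExtraDomainIds = @(),              # domain IDs beyond the default, from the SEPM Admin view
    [int]$MaxAgeDays = 7                          # "at least weekly"
)
$ErrorActionPreference = 'Stop'

# Step 1: the newest database backup must not be older than the weekly target.
$dbBackup = Get-ChildItem -Path (Join-Path $SepmRoot 'data\backup') -Filter '*.zip' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $dbBackup) { throw 'No database backup found; run Database Backup and Restore first.' }
$age = (Get-Date) - $dbBackup.LastWriteTime
if ($age.TotalDays -gt $MaxAgeDays) {
    throw "Newest database backup is $([int]$age.TotalDays) days old; back up again."
}

# Step 2: a certificate change creates a new recovery file, so take the latest timestamp.
$recovery = Get-ChildItem -Path $RecoveryDir -File |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $recovery) { throw "No recovery file found in $RecoveryDir" }

# Step 3: SEPBackup.txt. GetHostName() preserves case, which matters on reinstall.
$hostName = [System.Net.Dns]::GetHostName()
$ipv4 = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notmatch '^(127\.|169\.254\.)' } |
    Select-Object -ExpandProperty IPAddress
$lines = @("HostName=$hostName", "IPAddress=$($ipv4 -join ',')")
$lines += @($ExtraDomainIds | ForEach-Object { "DomainId=$_" })
$info = Join-Path $env:TEMP 'SEPBackup.txt'
Set-Content -Path $info -Value $lines -Encoding ASCII

# Step 4: copy off-host and verify every copy by SHA-256 before trusting it.
# The recovery file holds the encryption password, keystore and certificates.
foreach ($file in @($dbBackup.FullName, $recovery.FullName, $info)) {
    $target = Join-Path $Destination (Split-Path $file -Leaf)
    Copy-Item -Path $file -Destination $target -Force
    $src = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    $dst = (Get-FileHash -Path $target -Algorithm SHA256).Hash
    if ($src -ne $dst) { throw "Hash mismatch after copy: $file" }
    Write-Output "Copied and verified: $target"
}
```

Run it from an elevated prompt on the management server after each database backup; a non-zero exit means one of the four steps is not satisfied.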
Perform disaster recovery
If you have a database backup to restore
To perform disaster recovery, follow these steps in sequential order:
- If you had a hardware failure, restore the server hardware using the IP address and host name from SEPBackup.txt (from Step 3).
- Reinstall the SEPM using a disaster recovery file (from Step 2). When the Management Server Configuration Wizard runs, select Custom configuration (not present on Endpoint Protection Small Business Edition) and before clicking "Next" choose Use a recovery file.
Note: For Endpoint Protection Small Business Edition, if the folder does not exist, create the following folder and place only one recovery file (obtained in Step 2) there before installation.
\ \Server Private Key Backup
For example: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Server Private Key Backup
- Stop the following services:
- Symantec Endpoint Protection Manager
- Symantec Endpoint Protection Manager Webserver
- Restore the database:
- Click Start > Programs > Symantec Endpoint Protection Manager > Database Backup and Restore.
- Click Restore.
- Follow the on-screen steps to restore the database.
- Use the recovery file during the configuration of a new installation. If you use the recovery file to re-configure an existing installation, you can restore the SEPM certificate. However, the existing default domain ID does not change unless you restore a database backup.
- If you choose to configure the SEPM as a replication partner, the default domain ID in the recovery file is ignored and the SEPM uses the domain ID(s) in the database of its replication partner.
If you do NOT have a database backup to restore
You can still perform disaster recovery without a database backup, but the following points apply in this case:
- You must recreate all policies or import the policies from other backups (e.g. exported policy files).
- Clients can communicate with the SEPM, but reappear in the console only after their next check-in.
- Clients reappear in the default group as they check in, unless you enable automatic creation of client groups on the reinstalled SEPM by editing the conf.properties file to use:
WARNING: When you use the scm.agent.groupcreation=true setting, all clients that check back in to the SEPM and auto-create the client groups still lose their previously issued policies and revert to the default client policy files of the DEFAULT group. This removes all file and folder exceptions, and all Application and Device Control exceptions. For mission-critical devices, this could cause loss of access or productivity. If you are going to use this setting to 'rebuild' client groups on the fly, it is highly recommended that you EDIT the Default group policies so that they do not affect mission-critical devices such as Exchange servers and SharePoint devices with restrictive firewall settings or scan settings.
The conf.properties file is located
:\Program files or(x86)/Symantec/Symantec Endpoint Protection Manager/tomcat/etc
- If you originally had multiple SEPM domains beyond the default domain, you must re-create them using the domain IDs from SEPBackup.txt.
Re-enabling Federal Information Processing Standards (FIPS) 140-2 compliance
If you use a FIPS-compliant version of Symantec Endpoint Protection and have FIPS compliance enabled, you must turn on FIPS compliance after recovering the SEPM.
Note: This setting is not stored in the disaster recovery file.
How to use the Database Validation tool (DBValidator.bat)
Download the latest version of Symantec Endpoint Protection
Installing Symantec Endpoint Protection Manager