You can recover from disasters, but first you must prepare for them using the SEPM.
Step 1: Back up the database
As a best practice, back up the database at least weekly.
Run the DBValidator tool to ensure that there are no broken links in the database. Check the related articles below on how to use the DBValidator tool to check for broken links.
If no broken links are found, click Start > Programs > Symantec Endpoint Protection Manager > Database Backup and Restore.
Click Back Up. The database backup file name is date_timestamp.zip and is located in the following directory:
Windows 32-bit: \Program Files\Symantec\Symantec Endpoint Protection Manager\data\backup
Windows 64-bit: \Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\backup
Note: The backup process saves the file to the location of the SEPM installation.
Step 2: Back up the disaster recovery file
After you install the management server, back up the disaster recovery file and copy it to another computer. As a best practice, store the backup file in a secure location off-site. See Step 4 for more information.
By default, the recovery file is located in the following directory:
Windows 32-bit: \Program Files\Symantec\Symantec Endpoint Protection Manager\Server Private Key Backup\recovery_timestamp.zip
Windows 64-bit: \Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Server Private Key Backup\recovery_timestamp.zip
Note: If you update the self-signed certificate to a different certificate type, the management server creates a new recovery file, which has the latest timestamp.
The disaster recovery file includes the following information:
Default domain ID
Note: The recovery file only stores the default domain ID; IDs for all domains (including the default domain) are stored in the database. If you have multiple domains and need to perform a disaster recovery without a database backup, you must re-add additional domains and their IDs after you reinstall the SEPM. See Step 3 for instructions.
Step 3: (Optional) Save the management server information
If you have a hardware failure, you must reinstall the management server using the IP address and host name (case sensitive) of the original management server.
To save the management server information:
Create a text file named SEPBackup.txt.
Add to this file the IP address and host name of the management server.
Add to this file all domain IDs beyond the default domain.
Note: If you have multiple domains and perform a disaster recovery without a database backup, you must recreate additional domains and their IDs after you reinstall the SEPM. You can find domain IDs in the SEPM Admin view or in sylink.xml files.
Step 4: Store the backup data in a secure location off-site
Copy the files you previously backed up to another computer. As a best practice, store the backup data in a secure location off-site.
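Steps 1 through 4 can be collected into one staging run once a database backup exists. The following PowerShell is an added example, not part of the original article or of Symantec's tooling: it picks the newest database backup and recovery file, copies them to a staging folder with a SHA-256 check, and writes SEPBackup.txt. The staging path D:\SEPM-DR-Staging, the SHA256SUMS.txt manifest, the key names inside SEPBackup.txt and the helper Get-NewestFile are assumptions, and Get-FileHash requires PowerShell 4.0 or later.

```powershell
# Added example: stage SEPM disaster-recovery material for off-site storage.
# $SepmRoot defaults to the 64-bit path from this article; $Destination is hypothetical.
param(
    [string]$SepmRoot = "${env:ProgramFiles(x86)}\Symantec\Symantec Endpoint Protection Manager",
    [string]$Destination = 'D:\SEPM-DR-Staging',
    [string[]]$ExtraDomainIds = @(),   # domain IDs beyond the default domain (Step 3)
    [int]$MaxBackupAgeDays = 7         # the article recommends at least weekly backups
)
$ErrorActionPreference = 'Stop'

# Hypothetical helper: newest file matching a filter, or fail loudly.
function Get-NewestFile([string]$Folder, [string]$Filter) {
    $file = Get-ChildItem -Path $Folder -Filter $Filter -File |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $file) { throw "No file matching $Filter in $Folder" }
    return $file
}

$dbBackup = Get-NewestFile (Join-Path $SepmRoot 'data\backup') '*.zip'
$recovery = Get-NewestFile (Join-Path $SepmRoot 'Server Private Key Backup') 'recovery_*.zip'

# Flag a stale database backup instead of silently shipping it off-site.
$age = (Get-Date) - $dbBackup.LastWriteTime
if ($age.TotalDays -gt $MaxBackupAgeDays) {
    Write-Warning "Newest database backup is $([int]$age.TotalDays) days old."
}

# The recovery file comes from the private key backup folder: restrict access to $Destination.
New-Item -ItemType Directory -Path $Destination -Force | Out-Null
$manifest = foreach ($src in $dbBackup, $recovery) {
    $copy   = Copy-Item -Path $src.FullName -Destination $Destination -PassThru
    $before = (Get-FileHash -Path $src.FullName -Algorithm SHA256).Hash
    $after  = (Get-FileHash -Path $copy.FullName -Algorithm SHA256).Hash
    if ($before -ne $after) { throw "Hash mismatch after copying $($src.Name)" }
    "$after  $($src.Name)"
}
$manifest | Set-Content -Path (Join-Path $Destination 'SHA256SUMS.txt')

# SEPBackup.txt: host name (case sensitive), IPv4 addresses, additional domain IDs.
$ips = [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } | ForEach-Object { $_.ToString() }
@(
    "HostName=$([System.Net.Dns]::GetHostName())"
    "IPAddress=$($ips -join ',')"
    "AdditionalDomainIds=$($ExtraDomainIds -join ',')"
) | Set-Content -Path (Join-Path $Destination 'SEPBackup.txt')
```

Re-checking the hashes in SHA256SUMS.txt after the files reach the off-site location confirms that the copies you would restore from are intact.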
Perform disaster recovery
If you have a database backup to restore
To perform disaster recovery, follow these steps in sequential order:
If you had a hardware failure, restore the server hardware using the IP address and host name from SEPBackup.txt (from Step 3).
Reinstall the SEPM using a disaster recovery file (from Step 2). When the Management Server Configuration Wizard runs, select Recovery configuration (not present on Endpoint Protection Small Business Edition) and browse to the location of the previously saved recovery file. Click Next.
Note: For Endpoint Protection Small Business Edition, if the folder does not exist, create the following folder and place only one recovery file (obtained in Step 2) there before installation:
\Server Private Key Backup
For example: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Server Private Key Backup
Choose install an additional server to an existing site. Click Next.
Verify port information. Click Next.
Confirm database settings and provide credentials. Click Next.
If connecting to an existing DB, you'll be warned that the server name exists and asked if you want to replace it. Click Yes. Click Next.
If restoring a backup created by the Endpoint Protection Manager backup and restore wizard:
Follow the on-screen steps to restore the database.
Use the recovery file during the configuration of a new installation. If you use the recovery file to re-configure an existing installation, you can restore the SEPM certificate. However, the existing default domain ID does not change unless you restore a database backup.
If you choose to configure the SEPM as a replication partner, the default domain ID in the recovery file is ignored and the SEPM uses the domain ID(s) in the database of its replication partner.
If you do NOT have a database backup to restore
You can still perform disaster recovery without a database backup, but the following points apply in this case:
You must recreate all policies or import the policies from other backups (e.g. exported policy files).
Clients can communicate with the SEPM, but reappear in the console only after their next check-in.
Clients reappear in the default group as they check in, unless you enable automatic creation of client groups on the reinstalled SEPM by editing the conf.properties file to use: scm.agent.groupcreation=true
WARNING: When you use the scm.agent.groupcreation=true setting, all clients that check back in to the SEPM and automatically create their client groups will still lose their previously issued policies and revert to the default client policy files of the DEFAULT group. This will remove all file and folder exceptions, and all Application and Device Control exceptions. For mission-critical devices, this could cause loss of access and/or productivity. If you are going to use this setting to 'rebuild' client groups on the fly, it is highly recommended that you EDIT the Default group policies so that they do not affect mission-critical devices such as Exchange servers and SharePoint devices with restrictive firewall settings or scan settings.
The conf.properties file is located in the following directory:
\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc, or the same path under \Program Files (x86)
If you originally had multiple SEPM domains beyond the default domain, you must re-create them using the domain IDs from SEPBackup.txt.
Re-enabling Federal Information Processing Standards (FIPS) 140-2 compliance
If you use a FIPS-compliant version of Symantec Endpoint Protection and have FIPS compliance enabled, you must turn on FIPS compliance after recovering the SEPM.
Note: This setting is not stored in the disaster recovery file.