Migrate Symantec Endpoint Manager 14.2 from Windows Server 2012 R2 to Windows Server 2019 seamlessly without breaking client communications

Way back in 2015 and 2016, I successfully migrated all applications and servers from Windows Server 2008 R2 to Windows Server 2012 R2. Since DCSA has approved the deployment of Windows Server 2019, it is time for me to migrate and upgrade all the servers and applications from Windows Server 2012 R2 to Windows Server 2019.

SEPM in my environment runs on the embedded database, so the migration is a smooth ride. For this article, I am testing in my lab:
Old SEPM server: W2K12R2-SVC01
New Windows Server 2019 VM: W2K19-APPS01.

Here are the steps that I will follow:

Step 1: On W2K12R2-SVC01

a) Backup the Database

  • Navigate to Database Back Up and Restore and back up the database. By default, the database backup is saved to the following location:
    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\backup
    The backup file is called date_timestamp.zip.
  • Copy this .zip file to a shared location.

b) Backup the disaster recovery file

  • The recovery file includes the encryption password, keystore files, domain ID, certificate files, license files, and port numbers. By default, the file is located in the following directory:
    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Server Private Key Backup\recovery_timestamp.zip
  • Copy the recovery file to a shared location.
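Both archives are the only things the new server needs, and the recovery file contains the server private key and keystore password, so it is worth copying them carefully. The following PowerShell script is an added example (not part of the original procedure or of Symantec's tooling): it finds the newest database backup and recovery archive, copies them to a share and verifies each copy by SHA-256. The share path \\FS01\SEPM-Migration is an assumption for the lab; the SEPM install root is the default from above.

```powershell
# Added example: copy the latest SEPM database backup and disaster recovery
# archive to a share and verify the copies by SHA-256.
# $Share is an assumed destination; adjust it to your environment.
$SepmRoot = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager'
$Share    = '\\FS01\SEPM-Migration'

$sources = @(
    (Join-Path $SepmRoot 'data\backup'),              # date_timestamp.zip
    (Join-Path $SepmRoot 'Server Private Key Backup')  # recovery_timestamp.zip
)

if (-not (Test-Path $Share)) { New-Item -ItemType Directory -Path $Share | Out-Null }

foreach ($dir in $sources) {
    # The newest .zip in each folder is the one to migrate
    $latest = Get-ChildItem -Path $dir -Filter '*.zip' -File |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $latest) { throw "No backup archive found in $dir" }

    $srcHash = (Get-FileHash -Path $latest.FullName -Algorithm SHA256).Hash
    $dest    = Join-Path $Share $latest.Name
    Copy-Item -Path $latest.FullName -Destination $dest -Force
    $dstHash = (Get-FileHash -Path $dest -Algorithm SHA256).Hash

    # A truncated or corrupted copy will show up here rather than during the restore
    if ($srcHash -ne $dstHash) { throw "Hash mismatch after copying $($latest.Name)" }

    # Keep the hash next to the archive so it can be re-checked on W2K19-APPS01
    "$srcHash  $($latest.Name)" | Out-File -FilePath "$dest.sha256" -Encoding ascii
    "{0}`n  SHA256 {1}`n  copied to {2}" -f $latest.FullName, $srcHash, $dest
}
```

Because the recovery archive holds the server's private key material, restrict the share to the account performing the migration and delete the archives from it once the new server is up; re-run Get-FileHash on W2K19-APPS01 against the .sha256 file before starting the Recovery Configuration.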


Step 2: On W2K19-APPS01
a) Install SEPM. When the Management Server Configuration Wizard runs, select Recovery Configuration, browse to the location of the previously saved recovery file and click Next.

b) Choose Install my first site (since I am going to restore the database backup).

c) Verify the port information and click Next.
d) Confirm the database settings, provide credentials and click Next.
e) If connecting to an existing database, you will be warned that the server name already exists and asked whether you want to replace it. Click Yes, then click Next.

Restore the database:

a) Stop the SEPM services.
b) Click Start > Programs > Symantec Endpoint Protection Manager > Database Backup and Restore.
c) Click Restore.
d) Follow the on-screen steps to restore the database.

Since the new Windows Server 2019 machine, W2K19-APPS01, has a new IP address and host name, we follow an additional set of steps to migrate the clients using a Management Server List.

  1. Log in to the SEPM on the old server.
  2. On the console, click Clients > Policies > General Settings.
  3. On the Security Settings tab, uncheck Enable secure communications between the management server and clients by using digital certificates for authentication, and then click OK. (Do this for all groups.) Clients trust only the old server's certificate at this point, so this setting must be off before they are pointed at the new server.
  4. Wait several heartbeats until all clients get the updated policy.
  5. Click Policies > Policy Components > Management Server Lists, and add a new Management Server List.
  6. Click Add > Priority. A new priority is added, named "Priority2".
  7. Add the new SEPM server (W2K19-APPS01) under Priority 1 and the old SEPM server (W2K12R2-SVC01) under Priority 2.
  8. Assign the new Management Server List to all groups. Clients start moving gradually from the old SEPM to the new one.
  9. Once all clients show up in the new SEPM, stop the "Symantec Endpoint Protection Manager" and "Symantec Embedded Database" services on the old SEPM server.
  10. Verify that all clients now report to the new SEPM.
  11. Once you have verified that all clients report to the new SEPM, uninstall SEPM from the old server.
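Clients only move to the Priority 1 server if they can resolve its name and reach it on a client communication port, so it is worth checking that from a representative client before assigning the list, and again before stopping the old server. The script below is an added example, not part of the original article; it assumes the SEPM default client ports 8014 (HTTP) and 443 (HTTPS), which should match what was confirmed in Step 2c, and runs on any machine in the client network.

```powershell
# Added example: run from a representative client before assigning the new
# Management Server List. Ports are the SEPM defaults (8014 HTTP, 443 HTTPS);
# change $Ports if the site uses custom ports.
$OldSepm = 'W2K12R2-SVC01'
$NewSepm = 'W2K19-APPS01'
$Ports   = @(8014, 443)

$results = foreach ($server in @($NewSepm, $OldSepm)) {
    foreach ($port in $Ports) {
        $t = Test-NetConnection -ComputerName $server -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Server   = $server
            Port     = $port
            Resolved = [bool]$t.RemoteAddress     # DNS works for the name used in the MSL
            TcpOpen  = $t.TcpTestSucceeded        # host firewall / network path allows the port
        }
    }
}
$results | Format-Table -AutoSize

# Clients connect to the exact name placed in the Management Server List, so the
# new name must resolve and at least one client port must be open before the
# list is assigned; otherwise clients fall through to Priority 2 (the old server).
$newOk = $results | Where-Object { $_.Server -eq $NewSepm -and $_.TcpOpen }
if (-not $newOk) {
    Write-Warning "$NewSepm is not reachable on any client port; do not assign the MSL yet"
}

# Before step 9: once every client reports to the new server, the old server's
# ports should go quiet. Any client still talking to it will show up here.
$oldOpen = $results | Where-Object { $_.Server -eq $OldSepm -and $_.TcpOpen }
if ($oldOpen) {
    "$OldSepm still accepts client connections on: $($oldOpen.Port -join ', ')"
}
```

Keep the old server reachable until the console on W2K19-APPS01 shows every client online; a client whose network cannot reach the new server will keep using Priority 2 and will be orphaned the moment the old services are stopped.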

Step 3: Generate a new server certificate for SEPM
Because SEPM now runs on a server with a new host name and IP address, a new server certificate must be generated. Until you do, every console login prompts you to verify a certificate that still carries the old SEPM server name.
To generate a new server certificate:

  1. In the console, click Admin, and then click Servers.
  2. Under Servers, click the management server.
  3. Under Tasks, click Manage Server Certificate, and then click Next.
  4. In the Manage Server Certificate panel, click Generate new server certificate. Make sure that Generate new Keys is checked, and then click Next. Generate new Keys generates a new certificate with a new key pair (public and private keys). If you uncheck this option, the new certificate uses the same key pair as before, which lowers the Symantec Endpoint Protection Manager server's security profile if that key pair was ever compromised.
  5. Click Yes, and then click Next.
  6. You must restart the following services to use the new certificate:
    • The Symantec Endpoint Protection Manager service
    • The Symantec Endpoint Protection Manager Webserver service
    • The Symantec Endpoint Protection Manager API service

Finally, remember that Step 2 unchecked Enable secure communications between the management server and clients by using digital certificates for authentication for every group. Once clients are reporting to the new server and have received the new certificate through their policy, re-enable that setting so clients once again authenticate the management server.
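After restarting the services, the quickest confirmation that the new certificate is actually in use is to look at what the SEPM console port serves. The script below is an added example, not part of the original article: it restarts the three services listed above by display name, then opens a TLS connection to the console port and prints the subject, thumbprint and validity of the certificate presented. The console port 8443 is the SEPM default and is an assumption; the validation callback deliberately accepts any certificate so the script can inspect it (it is a check, not a trust decision).

```powershell
# Added example (not from the original article): restart the SEPM services that
# must pick up the new certificate, then verify what the console port serves.
# Run on the SEPM server itself. $ConsolePort is the SEPM default (assumption).
$NewSepm     = 'W2K19-APPS01'
$ConsolePort = 8443

# Step 3.6: restart the services by display name; the API service's display
# name is matched with a wildcard in case it carries a suffix.
$services = 'Symantec Endpoint Protection Manager',
            'Symantec Endpoint Protection Manager Webserver',
            'Symantec Endpoint Protection Manager API*'
foreach ($name in $services) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if ($svc) { Restart-Service -InputObject $svc -Force; "restarted: $($svc.DisplayName)" }
    else      { Write-Warning "service not found: $name" }
}

# Open a TLS session and return the server certificate without trusting it.
function Get-ServedCertificate([string]$HostName, [int]$Port) {
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept-anything callback: we only want to look at the certificate
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

$cert = Get-ServedCertificate -HostName $NewSepm -Port $ConsolePort
$cert | Select-Object Subject, Thumbprint, NotBefore, NotAfter | Format-List

# The certificate generated in Step 3 is for the new host; if the subject still
# names the old server, a service did not restart or the generation did not complete.
if ($cert.Subject -notmatch [regex]::Escape($NewSepm)) {
    Write-Warning "Certificate subject '$($cert.Subject)' does not contain $NewSepm; the old certificate may still be in use"
}
```

Note the thumbprint the script prints: it is the value to compare against the certificate prompt shown at the next console login, and the one administrators should expect before they accept it.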