Asked by Wilf

Roaming Profile stopped working during upgrade of Symantec End point 12.1.6 MP1 to 12.1.6 MP6

The network consists of two Hyper-V file servers with Server 2012 R2 installed for two servers on each box.
One server is Server 2012 R2 that includes all network services for the roaming profiles.  They are server1 and server2.
The servers use DFS Management to share a namespace, with server1 always the preferred server.

During the upgrade of Symantec end point manager 12.1.6 MP1 to MP6, all seemed to go well.  I was doing the setup via remote desktop off site.

I then deployed the MP6 to the servers.  Part way through the deployment, my VPN connection was rejected, and connectivity was lost.  

While on site, when I try to log on to a workstation, the roaming profile fails and all permissions to common folders are lost.

As an aside, from DNS Management, if I go to Namespaces and choose a namespace, I get an error: "\\xx\yyyy\users-yyyy Delegation Information for the namespace cannot be queried.  The specified domain either does not exist or could not be contacted".

Obviously I have corrupted the profile set up.  The users are set to use \\xx.yyyy.com\username for the roaming profile.  I have tried replacing the namespace with server1 with the same results.  The end point manager is on server 2.  I have used the removal tool to remove End point from server1 and shut server2 down with the same results.

I have not been able to reach Symantec at this point.  

I have tried logging onto a workstation as Administrator without a roaming profile, and get the same issue when I try to use Windows Explorer to view the network and open server1 or server2.  I have to give Administrator credentials because the error indicates the credentials could not be found.

How can I reestablish the roaming profiles with or without endpoint being present?

Would removing MP6 completely from both servers and installing MP1 again be of any help?  My thought is that it probably would not be because I now have a profile / workstation / server issue.

No More

Check firewall rules, I know Symantec is always screwing things around.

Test command "net use" on the server to see shares.
Can you actually run DFSDiag /testdcs

and

DCDIAG /e

to see if the servers communicate without problems?
Please let us know about the above test. I have Symantec Endpoint Protection 12.1.6 MP6 running at three clients with no connectivity or VPN issues.

We upgraded more gradually, not MP1 to MP6 in one step. We are planning to upgrade to V14 (just out and I am running that). You can get V14 (new key needed), and I recommend you uninstall V12 first, restart and then install V14.

We have IPsec VPN with NCP Secure Entry - no issues. We do not use roaming profiles.
Wilf (ASKER)

RPC TCP port 135 is possibly blocked by any Firewall between the DCs
LDAP 389 port same story

Definitely you have firewall settings issues causing this madness
Could you also run this, just to be sure

repadmin /showrepl *
on both DCs
Netstat –an –b | find /I “’Listening” > C:\DCPortsOutput.txt
Wilf (ASKER)

Seems to be a syntax issue.  I have tried changing the first quotes to normal quotes but still the same answer.


Displays protocol statistics and current TCP/IP network connections.
FIND: Parameter format not correct
Try it this way:    netstat -an |find /i "listening" >C:\DCPortsOutput.txt

Netstat -an -b | find /i "Listening" > C:\DCPortsOutput.txt       I think I found the problem in "Listening" ( “’Listening”)

Wilf (ASKER)

If I remove the endpoint manager, does anyone think the system would return to normal?
portqryui1.log
UDP port 389 (unknown service): LISTENING or FILTERED

You also need to test it versus the IP of the other server, but as I said this is definitely a firewall issue.

I hope that the system didn't get corrupted after that update, but sure, you can try to remove it to see.

I wouldn't remember much of Symantec, but I know there was policy - firewalls etc. settings.
Repadmin: running command /showrepl against full DC Server1.AD.AEDC.COM
LDAP error 81 (Server Down) Win32 Err 58.

Can you test the connection to DC1 and check ports, and run the test on DC1 also, same as on DC2?
Do you have NTP also? Network Threat Protection installed on both servers?

Wilf (ASKER)

NTP is installed.  Here is a screen shot from DC2 [Server2]
-NTP-on-DC2.png
Wilf (ASKER)

The repadmin submitted was from server2 [DC2].  I will get one from server1
Go through this article:
https://www.symantec.com/connect/forums/symantec-endpoint-protection-block-active-directory-replication


I am actually really tired and also I'm in a different time zone (3:45am); hopefully the article above will sort your issue. Basically, remove NTP from the servers to confirm that the problem is with firewall settings.
We have NTP enabled on Symantec on all client servers. No issue with that.

Wilf (ASKER)

Any thoughts on what would happen if I were to remove MP6 completely from the servers and revert to MP1?  Within 3 weeks, we will be moving to 14.  I needed something above MP1 in order to get windows 10 1607 to install on the computers.  

I would remove it using the Symantec removal tool, but do not know whether there would be blocks already set that will not be removed with the uninstall.

Wilf (ASKER)

I removed NTP from both servers and one workstation, restarted all 3 machines, with the same results when logging into the workstation as a user.
-repadmin-dc1.txt
Wilf (ASKER)

I will retire for the night and see if anything comes to me overnight.  At this point my thought is to remove MP6 and go back to MP1 or MP3 and see what happens.

Any and all comments welcome
-DCPortsOutput-dc1.txt
Wilf (ASKER)

Will do,
I will use the clean wipe tool from Symantec MP6 to remove all traces.  Will this remove firewall blockages?  I will try a logon from a station without any SEP installed.  Will be moving to SEP 14 within three weeks anyway, so it can run trial while I am getting the licences.
Wilf (ASKER)

Ran into a few interesting items.  I will close this question and when I have the firewall figured, will add the solution I finally used.

I used the Symantec tool to remove MP6 from all servers, and rebooted each server.  The network and VPN performed as normal.  I installed SEP 14.  The logistics of the installation are that the SEP manager is installed on DC2 [Server2].  It would not deploy to server2, so I installed SEP-64 on server2, and imported the communications.  Next I deployed to the two Hyper-V servers and then to the two Exchange servers.
As soon as the manager was deployed, I had exactly the same problem.  

My temporary solution is to only install AV on the servers, and get in touch with Symantec to find exactly which ports need to be opened in the Symantec Firewall to allow the network to function properly.

Wilf (ASKER)

Thanks for your assistance on this.  I will do a follow up to post the final settings for SEP 14.  I deployed it at another site, and did not uninstall SEP 12.  It just upgraded but did not push to the workstations.  It is a small network, so I did a remote install on each, and the communication worked right away.
Thanks for the update and I was happy to help.
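
The port checks suggested in this thread (RPC on TCP 135 and LDAP on 389 between the DCs), written out as an added example that is not part of any post above. The host names are placeholders for the two DCs, ports 53, 88 and 445 are assumptions added beyond the two ports named in the thread, and Test-TcpPort is a hypothetical helper name.

```powershell
# Added example, not from the thread. Host names are placeholders for the
# two DCs; ports 53, 88 and 445 are assumptions added to the thread's 135/389.
$Targets = 'server1', 'server2'
$Ports = @(
    [pscustomobject]@{ Port = 53;  Service = 'DNS' }
    [pscustomobject]@{ Port = 88;  Service = 'Kerberos' }
    [pscustomobject]@{ Port = 135; Service = 'RPC endpoint mapper' }
    [pscustomobject]@{ Port = 389; Service = 'LDAP' }
    [pscustomobject]@{ Port = 445; Service = 'SMB (profile shares, DFS)' }
)

# Hypothetical helper: separates "no answer at all" (typical of a host
# firewall silently dropping packets) from an active refusal.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return 'TIMEOUT (filtered?)'
        }
        $client.EndConnect($pending)   # throws if the connection was refused
        return 'OPEN'
    }
    catch   { return 'REFUSED or unresolved' }
    finally { $client.Close() }
}

# Build one row per target/port pair, tagged with the machine it ran on.
$results = foreach ($t in $Targets) {
    foreach ($p in $Ports) {
        [pscustomobject]@{
            From    = $env:COMPUTERNAME
            Target  = $t
            Port    = $p.Port
            Service = $p.Service
            Result  = Test-TcpPort -ComputerName $t -Port $p.Port
        }
    }
}

$results | Format-Table -AutoSize
# Keep a copy so a run with the firewall component installed can be
# compared against a run without it.
$results | Export-Csv -NoTypeInformation -Path ".\dc-ports-$env:COMPUTERNAME.csv"
```

Run it from each DC and from one workstation, once with the endpoint firewall component installed and once without, and compare the CSV files. It covers only the fixed ports; the dynamic RPC ports that replication also uses are not tested.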