Syed Jahanzaib Personal Blog to Share Knowledge !

April 10, 2018

Symantec SEPM 12.x Migration to 14.x


Today was a hectic day. We received a new series of HP G5/8th Gen laptops which support Windows 10 only, and when we tried to install the SEPM 12.x client, it stated that the app is not compatible with this version of Windows. That was really hectic news for us, because our SEPM server was based on Windows 2003 32-bit and there is no straightforward method for an in-place upgrade to SEPM 14. It requires a minimum of 64-bit Windows Server 2008 or above. Anyway, we managed to migrate SEPM 12.1.6 to SEPM 14.x on Windows 2012 R2 64-bit at the cost of a whole day of brainstorming.

Following are the steps I followed for the migration of SEPM v12 on Windows 2003 32-bit to SEPM v14 on Windows 2012 R2 64-bit.

First Take Backup of current SEPM 12.x DB

Step 1# Back up the Database

  1. Click Start > Programs > Symantec Endpoint Protection Manager > Database Backup and Restore.
  2. Click Back Up. The database backup file name is and is located in the following directory:

\Program Files\Symantec\Symantec Endpoint Protection Manager\data\backup

Copy the above folder to a centralized file server folder or a USB drive.

Step 2# Back up the Disaster Recovery File

Copy the following folder to a centralized file server folder or a USB drive.

\Program Files\Symantec\Symantec Endpoint Protection Manager\Server Private Key Backup\

Now shut down the current SEPM server machine and proceed to install SEPM on the new machine.

Step  3# Install SEPM on new Windows 2012 R2 server

On the new Windows 2012 R2 server, configure the same computer name and IP address that were set up on the old SEPM server.

Install the Same SEPM version, in my case it was 12.1.6 MP6.

Once the installation is done and the Management Server Configuration Wizard runs, select Custom configuration and choose Use a recovery file. Point to the backup folder we took in Step 1/2.


Once it's done, start the SEPM console one time to confirm that everything is running OK.

Step 4# Restore the database:

To restore the DB, stop the following services:

  • Symantec Endpoint Protection Manager
  • Symantec Endpoint Protection Manager Webserver

Then:

  1. Click Start > Programs > Symantec Endpoint Protection Manager > Database Backup and Restore.
  2. Click Restore.

Once all is done, reboot the server one time and make sure all services have started properly in the SERVICES console.

User Rights Assignment in Group Policy.

If your SEPM is a member of Active Directory, then the services will not start due to lack of LOGON AS SERVICE rights.

As a workaround I installed GROUP POLICY MANAGEMENT on the new SEPM server, and edited Group Policy to add the following users in the LOGON AS SERVICE section.

  • NT SERVICE\semsrv
  • NT SERVICE\semwebsrv
  • NT SERVICE\semapisrv

Since I was editing the Domain Group Policy from the SEPM server itself, I changed the Location to the local PC, and then the above accounts were added successfully. As a workaround we can add the user SID as well. Use the following commands to get the SIDs of the accounts and add the SIDs accordingly.

sc showsid semsrv
sc showsid semwebsrv
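
To confirm that the policy change actually reached the server, the check below (an added example, not part of the original post) exports the effective user rights with secedit and reports whether each SEPM service account, or NT SERVICE\ALL SERVICES, holds SeServiceLogonRight. The function names are hypothetical, the service names are the three listed above, and it must be run from an elevated PowerShell prompt on the SEPM server.

```powershell
# Added example: verify "Log on as a service" for the SEPM virtual service accounts.
# Function names are hypothetical; run elevated on the SEPM server.

function Get-ServiceLogonRightHolder {
    # Export only the user-rights area of the effective security policy.
    $cfg = Join-Path $env:TEMP ("userrights_{0}.inf" -f [guid]::NewGuid())
    try {
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cfg)) {
            throw "secedit export failed (exit code $LASTEXITCODE); is the prompt elevated?"
        }
        $line = Get-Content $cfg |
            Where-Object { $_ -match '^\s*SeServiceLogonRight\s*=' } |
            Select-Object -First 1
        if (-not $line) { return @() }   # the right is not assigned to anyone
        # The value is a comma-separated list; SIDs carry a leading '*', names do not.
        ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ }
    }
    finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

function Test-ServiceLogonRight {
    param(
        [string[]]$ServiceName = @('semsrv', 'semwebsrv', 'semapisrv'),
        [string[]]$Holder = @(Get-ServiceLogonRightHolder)
    )
    # S-1-5-80-0 is NT SERVICE\ALL SERVICES, which covers every per-service account.
    $allServices = ($Holder -contains '*S-1-5-80-0') -or
                   ($Holder -contains 'NT SERVICE\ALL SERVICES')

    foreach ($svc in $ServiceName) {
        $account = "NT SERVICE\$svc"
        try {
            # Resolves to the same SID that "sc showsid <service>" prints.
            $sid = ([System.Security.Principal.NTAccount]$account).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        }
        catch {
            $sid = $null   # service not installed yet, so the name cannot be resolved
        }
        $direct = ($Holder -contains $account) -or
                  ($sid -and ($Holder -contains "*$sid"))
        [pscustomobject]@{
            Account           = $account
            Sid               = $sid
            GrantedDirectly   = [bool]$direct
            GrantedViaAllSvcs = [bool]$allServices
            CanLogOnAsService = [bool]($direct -or $allServices)
        }
    }
}

Test-ServiceLogonRight | Format-Table -AutoSize
```

Run it after gpupdate /force; a row with CanLogOnAsService = False means a domain policy is still overwriting the local assignment for that account.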

Step 5# Upgrade

Now run the 14.x setup and choose upgrade. The upgrade process is quite simple and generally only requires clicking the Next button.



[Screenshot: SEPM 14.x server console]

[Screenshot: SEPM 14.x client]

Few Helpful links for Broadcom Symantec:

To access Symantec web admin Console


Use Admin or your named id that was configured during setup

– Backup DB Location

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\backup

To access Broadcom Support Panel over the internet

To View Latest SEPM server version & history

– To View Virus Definitions & Security Updates version

– DR – Recovery

– Checking that Symantec Endpoint Protection Manager has the latest content

– Upgrade to latest (embedded db vs sql express)

– SEPM heartbeat cycle is 2 hours

December 7, 2016

Fighting with Ransomware !

Filed under: Microsoft Related, Symentec Related | Syed Jahanzaib / Pinochio~:) @ 11:22 AM


What is Ransomware 

Quite a HOT topic nowadays. Every email server administrator must be well familiar with this malware, and they try even harder to protect their users from this malware attack called Locky (and many other similar variants), which encrypts users' Word/Excel/etc. documents and asks for money to restore them.

Our company users got hit by this very smart malware repeatedly / several times, resulting in great loss. Luckily most users' data was recovered from tape backup. This malware, which usually comes by email, poses as a valid / legitimate payment query, and no matter how many times we provide users with education/warnings about this matter, users still open it, considering it a valid email, resulting in the loss (encrypted/inaccessible) of all Word/Excel files.

We are using the IBM Lotus Domino email system along with Symantec Mail Security for Domino. Even with lots of R&D I am still unable to block this ransomware, which comes in .JS files hidden inside a .ZIP container. If I block .JS files inside the ZIP container, it will block legitimate PDF files as well. How frustrating! Symantec should post some simple update to fix this issue. This issue is well discussed over here.

Workaround ! [Use Domain Group Policy to alter File Association Open with for .JS extension]



Since we cannot change our Symantec enterprise protection suite, as it is covered under a 3-year renewal (till 2018), after conducting a lot of R&D I finally made a workaround for our DOMAIN USERS which is working well so far.

I changed the .JS file extension OPEN WITH policy to point to NOTEPAD.
[via Group_Policy ]

This way, even if the user tries to open the .JS file, it will be opened by Notepad.
(instead of Windows Scripting Host)

I made the changes on our domain controller running Windows 2008 R2:

  • Log in to the Domain Controller PC
  • Open Group Policy (or issue the following command)
    %SystemRoot%\system32\mmc.exe %SystemRoot%\system32\gpmc.msc
  • Edit the Default Domain Policy (or any custom one you may have)
  • Go to User Configuration > Preferences > Control Panel Settings > Folder Options
  • Now right-click on Folder Options > New > Open With
  • Now use the settings below as a reference to update/create the file extension


  • Action: Update
  • File Extension: js
  • Associated Program: %windir%\system32\notepad.exe
  • Set As Default: tick it


At the client, either issue gpupdate /force, restart the client PC, or wait for the policy update.

Now try to open any .JS file and it will be opened in NOTEPAD (instead of by the Windows Scripting Host program), and thus it will do no harm to the user's computer 😀 😀 😀

Please test this method and let us know your feedback on it 🙂

Note: you can use the same method to block / alter the file extension using Local Group Policy.
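
To verify on a client that the policy took effect, the check below (an added example, not part of the original post) asks the Windows shell which executable the default verb launches for .js for the logged-on user, and flags any extension still handled by wscript.exe or cscript.exe. It goes beyond the post by also checking .jse, .vbs and .wsf, which is an assumption about what else you may want to remap; the type and function names are hypothetical. Run it in the user's own session, since the policy is a User Configuration preference.

```powershell
# Added example: report which program the shell launches for script extensions.
# Type and function names are hypothetical. Run as the affected (non-admin) user.

$source = @'
using System;
using System.Runtime.InteropServices;
using System.Text;

public static class AssocCheck {
    [DllImport("Shlwapi.dll", CharSet = CharSet.Unicode)]
    private static extern uint AssocQueryString(uint flags, uint str,
        string pszAssoc, string pszExtra, StringBuilder pszOut, ref uint pcchOut);

    // Returns the executable behind the default verb (what a double-click runs),
    // or null when the extension has no association.
    public static string DefaultHandler(string extension) {
        const uint ASSOCF_NONE = 0;
        const uint ASSOCSTR_EXECUTABLE = 2;
        uint size = 1024;
        StringBuilder buffer = new StringBuilder((int)size);
        uint hr = AssocQueryString(ASSOCF_NONE, ASSOCSTR_EXECUTABLE,
                                   extension, null, buffer, ref size);
        return hr == 0 ? buffer.ToString() : null;
    }
}
'@

# Add-Type fails if the type already exists in this session, so guard it.
if (-not ('AssocCheck' -as [type])) {
    Add-Type -TypeDefinition $source
}

function Get-ScriptHandlerReport {
    param([string[]]$Extension = @('.js'))

    # Windows Script Host front ends; a match means a double-click still executes the file.
    $scriptHosts = @('wscript.exe', 'cscript.exe')

    foreach ($ext in $Extension) {
        $exe  = [AssocCheck]::DefaultHandler($ext)
        $leaf = if ($exe) { Split-Path $exe -Leaf } else { $null }
        [pscustomobject]@{
            Extension         = $ext
            Handler           = $exe
            OpensInScriptHost = [bool]($leaf -and ($scriptHosts -contains $leaf))
        }
    }
}

# .js is the extension remapped in the post; the others are listed for comparison.
Get-ScriptHandlerReport -Extension '.js', '.jse', '.vbs', '.wsf' |
    Format-Table -AutoSize
```

After the policy has applied, the .js row should show notepad.exe as the handler and OpensInScriptHost = False.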

Alhamdolillah !

Syed Jahanzaib


June 4, 2014

Symantec Backup Exec Reference Notes


First version: Year 2014
Last Updates @ 12 Sep, 2021

Recently we upgraded our SAP infrastructure with a new IBM xSeries server and also replaced the old IBM tape library TS3200 with TS100. On the previous Windows 2003, we were using the classic NTBACKUP solution to take backups on the tape library system, but with the new Windows 2008 R2 upgrade, we found that tape drive support has been removed from the new Server Backup tool. Therefore we were looking for a reliable backup solution which can facilitate our tape library. Finally, after searching a lot, we selected SYMANTEC BACKUP EXEC 2012 (with SP4 and latest patches) as our backup solution. Last year we tested its demo and it was fulfilling our requirements and fitting within our budget. I did its installation and it went smoothly without any errors, but it took me a few days to understand how it actually works. Its GUI looks pretty simple and easy to navigate, but I found it very typical to configure the tape library for the auto-loading function according to job/day.

Following are short reference notes I am posting. I will keep updating them with the day-to-day tasks and issues I face and how I manage to solve them. Symantec has a great number of guides and postings at their site too, but sometimes it's hard to find the correct solution when it's kind of urgent.



1- The VSS Writer timed out (0x800423f2), State: Failed during freeze operation (9) [4th June, 2014]

2-  Simplified Disaster Recovery: Howto exclude some Folders with SDR ON  [5th June, 2014]

3- Backup Exec (2012 SP4) Services Credentials Lost on every Reboot [6th June, 2014]

4- V-79-57344-42009 – Failed to load the configuration xml file,  [6th June, 2014]

5- Barcode Labeling   [10th June, 2014]

6- Exclude a sub-folder name “xyz” or end with .ft , from every where in specific folder/drive. [15th July, 2014]

7- Remote Agent Service not starting at Client PC/Server / NDMP Port already in use error

8- error=V-79-57344-33967 / Final error: 0xe00084af – The directory or file was not found, or could not be accessed.

9- Account privilege Error when installing Backup Exec

10- Stuck on ‘Discovering Resources’

11- Using SDR (Disaster recovery) restore to other hardware using Tape (31-Aug-2022)

12- A communications failure has occurred with a System State resource

1- The VSS Writer timed out (0x800423f2), State: Failed during freeze operation (9)

If backup failed with following error:

V-79-57344-6523314.0.1798.1364eng-systemstate-backupV-79-57344-65233ENRetailWindows_V-6.1.7601_SP-1.0_PL-0x2_SU-0x112_PT-0x3 – Snapshot Technology: Initialization failure on: “\\YOURSERVER\System?State”. Snapshot technology used: Microsoft Volume Shadow Copy Service (VSS).
Snapshot technology error (0xE000FED1): A failure occurred querying the Writer status. See the job log for details about the error.

Check the Windows Event Viewer for details.

Writer Name: COM+ Class Registration Database, Writer ID: {542DA469-D3E1-473C-9F4F-7847F01FC64F}, Last error: The VSS Writer timed out (0x800423f2), State: Failed during freeze operation (9).

Writer Name: Windows Management Instrumentation, Writer ID: {A6AD56C2-B509-4E6C-BB19-49D8F43532F0}, Last error: The VSS Writer timed out (0x800423f2), State: Failed during freeze operation (9).

The following volumes are dependent on resource: “C:” “E:” .
The snapshot technology used by VSS for volume C: – Microsoft Software Shadow Copy provider 1.0 (Version
The snapshot technology used by VSS for volume E: – Microsoft Software Shadow Copy provider 1.0 (Version

        Job ended: Wednesday, June 04, 2014 at 2:49:03 AM
Completed status: Failed
Final error: 0xe000fed1 – A failure occurred querying the Writer status. See the job log for details about the error.


Issue this command and see if any writer is failing:

vssadmin list writers


If the System Writer is TIMED OUT, then simply a system restart would fix the error automatically. In my case, Windows applied some updates, and when I rebooted the server, it fixed the above issue.

Writers Non-retryable error

In the Backup Exec report, I was seeing the following error:

The job failed with the following error: A communications failure has occurred with a System State resource.

Upon running the following command,

vssadmin list writers

I was seeing the following error:

vssadmin 1.1 – Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Waiting for responses.
These may be delayed if a shadow copy is being prepared.

Writer name: ‘Oracle VSS Writer – R3D’
   Writer Id: {26d02976-b909-43ad-af7e-62a4f625e372}
   Writer Instance Id: {590dbfff-51b9-478b-a83f-5345014ebc3b}
   State: [1] Stable
   Last error: Non-retryable error

To settle this, go to Services and restart the “OracleVssWriterR3D” service, then re-run the “vssadmin list writers” command. Hopefully the error will not appear. (Your DB instance name may differ; adjust accordingly.)
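
Both writer problems above (a timed-out writer and a writer that is Stable but reports a non-retryable error) can be caught before the backup job runs. The parser below is an added example, not part of the original notes: it reads `vssadmin list writers` output and returns every writer whose state is not "[1] Stable" or whose last error is not "No error". The function names are hypothetical, the sample text and its writer IDs are constructed, and English-language vssadmin output is assumed.

```powershell
# Added example: flag VSS writers that are not healthy before a backup job runs.
# Function names are hypothetical; assumes English-language vssadmin output.

function ConvertFrom-VssWriterList {
    param([string[]]$Line)
    $writers = @()
    $current = $null
    foreach ($text in $Line) {
        if ($text -match "^\s*Writer name:\s*'(.+)'\s*$") {
            # A new "Writer name" line closes the previous writer record.
            if ($current) { $writers += New-Object PSObject -Property $current }
            $current = @{ Name = $Matches[1]; State = ''; LastError = '' }
        }
        elseif ($current -and $text -match '^\s*State:\s*(.+?)\s*$') {
            $current.State = $Matches[1]
        }
        elseif ($current -and $text -match '^\s*Last error:\s*(.+?)\s*$') {
            $current.LastError = $Matches[1]
        }
    }
    if ($current) { $writers += New-Object PSObject -Property $current }
    $writers
}

function Get-UnhealthyVssWriter {
    param([string[]]$Line)
    # A writer can be "[1] Stable" and still carry an error, so test both fields.
    ConvertFrom-VssWriterList -Line $Line | Where-Object {
        $_.State -notmatch '^\[1\]\s+Stable$' -or $_.LastError -ne 'No error'
    }
}

# Constructed sample output (writer IDs are placeholders, not real values).
$sample = @'
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Writer name: 'System Writer'
   Writer Id: {00000000-0000-0000-0000-000000000001}
   Writer Instance Id: {00000000-0000-0000-0000-0000000000a1}
   State: [1] Stable
   Last error: No error

Writer name: 'Oracle VSS Writer - R3D'
   Writer Id: {00000000-0000-0000-0000-000000000002}
   Writer Instance Id: {00000000-0000-0000-0000-0000000000a2}
   State: [1] Stable
   Last error: Non-retryable error

Writer name: 'WMI Writer'
   Writer Id: {00000000-0000-0000-0000-000000000003}
   Writer Instance Id: {00000000-0000-0000-0000-0000000000a3}
   State: [9] Failed
   Last error: Timed out
'@ -split "`r?`n"

# Offline demonstration on the constructed sample.
Get-UnhealthyVssWriter -Line $sample | Format-Table Name, State, LastError -AutoSize

# Live check on a server (elevated prompt):
# Get-UnhealthyVssWriter -Line (vssadmin list writers)
```

On the constructed sample it lists the Oracle and WMI writers and leaves out the healthy System Writer.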

2-  Simplified Disaster Recovery: Howto exclude some Folders with SDR ON

Symantec provides the Simplified Disaster Recovery option, which you can use to restore the whole backup to a bare-metal system (from scratch) using the SDR boot CD. However, SDR forces you to back up every critical component, including the boot drive, system state, or any folder that SDR thinks is critical. But sometimes even excluding a non-critical component can turn off SDR (for example, in my case I was excluding a ‘backup folder’ from the G: drive and SDR was turning off; possibly it was thinking that the whole G: drive was a critical component for SDR).



So in order to forcefully exclude it, I had to use the following WORKAROUND by adding the drive entry in the REGISTRY manually. IMO, it is so pathetic that SYMANTEC has not added this option in its Backup Exec GUI, because playing with the Windows registry can be very dangerous for normal administrators.

Here is an example of the registry key. If folders from G: are to be excluded, create a new key called “User-Defined Exclusion Resources”.
Under this key create another empty key called “G:”:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Backup Exec For Windows\Backup Exec\Engine\Simplified System Protection\User-Defined Exclusion Resources\G:


Now if you try to exclude any folder from the particular drive (in my example it was G:), SDR will remain ON.

3- Backup Exec (2012 SP4) Services Credentials Lost on every Reboot

It was very annoying that on every reboot I had to enter my domain admin credentials in the Backup Exec Services section, otherwise I received “Failed to start service due to Logon Failure”. It seems BE keeps forgetting the credentials or is not storing them.


Make sure the account you are using to manage Backup Exec has the right to log on as a service (and a few others; read the Symantec rights assignment article). Add the account in your domain controller Group Policy / Local Security Policy / User Rights Assignment. After the addition, force an update using gpupdate on both ends, first the server, then the client.


To sort this issue, I used BEUTILITY provided with backup exec installation.

For Windows 2008 64-bit, go to C:\Program Files\Symantec\Backup Exec and open BEUTILITY.EXE.

Add your Backup Exec server to the list (Known Computers group).

After adding, right-click on the server and click CHANGE SERVICE ACCOUNT.

Enter your domain admin account or any account with equivalent rights and click OK.



Now restart and check if the services are starting properly 🙂

At least this trick worked for me.


4- V-79-57344-42009 – Failed to load the configuration xml file [6th June, 2014]

Using Symantec Backup Exec 2012 SP4, when I take a full backup (SDR ON), it completes successfully but with the following error:

Job ended: Thursday, June 05, 2014 at 9:31:29 AM Completed status: Completed with exceptions

Backup- MYSERVER-79-57344-42009 – Failed to load the configuration xml file.
C:\Program Files\Symantec\Backup Exec\Catalogs\AGPSAPDEV\CatalogProcessTemporaryFolder\{6BCA5C76-6547-430D-A0D5-37251330D96D}\p2v.xml

To solve this, I applied Backup Exec 2012 Revision 1798 Hotfix 216746 and the problem got solved. Download it and apply it. Also don't forget to update the remote agents as well (using the BE GUI). I also had to reboot the BE server after applying this fix.


 5- BARCODE LABELING  [10th June, 2014]

In our company we have an IBM TS3100 library (which has 24 cartridge slots). Using BE, I wanted to auto-label every cartridge after the backup. I also used the INVENTORY option, but it took much time. During the BE inventory process, each tape is taken from its slot, put into the tape drive to have its internal label read, and then returned to its slot. This process is repeated for each tape, and hence the inventory process for a TS3100 can take a long time. For my IBM TS3100 tape library with 24 tapes (only 5 used), an inventory of the 5 slots will take around 15-20 minutes. The tape library can identify a tape from its barcode label without having to read the internal label in the tape drive or doing any other action.
When there is a need to update the status of the slots in the library in BE, you can use scan instead of inventory if you have barcode labels. What scan will do is read the barcode labels, and it is done within a couple of seconds. Otherwise, you would have to do an inventory.



You can download the BARCODE GENERATOR from following link.

Just make sure that you use only an 8-digit code, and the code must end with the letters L5. (FOR IBM LTO5 drives)




For LTO5 cartridge sticker, I used following size for printing the above label.


Put in your tapes with the new barcode labels and do a scan of the entire library. Make sure you don’t have a mix of tapes with and without barcode labels.

6- Exclude a sub-folder name “xyz” from every where in specific folder/drive. [25th June, 2014]

Recently I upgraded my file server from Windows 2003 NT.Backup to Windows 2008 R2 Backup Exec 2014. I have the following directory structure …

–  User1
    –  Daily_Data
    –  Junk_Data

–  User2
    –  Daily_Data
    –  Junk_Data

–  User3
    –  Daily_Data
    –  Junk_Data

and so on; the number of users is around 300. I want to exclude “Junk_Data” from every folder, and excluding them one by one is a lengthy task. I excluded Junk_Data from every sub-folder by defining the following criteria.

(which means for every user folder Exclude junk_data)

Exclude all sub-folders name end with .ft from every where in specific folder/drive. [15th July, 2014]

Lotus Domino has every user's folder design data, which is not necessary to back up. To exclude every folder which has .ft at the end, use the following.


7- Remote Agent Service not starting at Client PC/Server / NDMP Port already in use error  [27/8/2014]

Today, when I tried to back up one of our servers (Lotus Sametime), Backup Exec could not browse the server. When I checked at the client server, the backup remote agent service was not starting, giving the following error.




because of conflict with NDMP port.

SOLUTION: At the client server, go to C:\WINDOWS\system32\drivers\etc and open the file named SERVICES.

Add this line:

ndmp          12000/tcp # Backup Exec Remote agent ndmp port changed / zaib

Save and exit.

Now start the remote agent utility server and it will work :D, at least it did for me.

8- Error=V-79-57344-33967 / Final error: 0xe00084af – The directory or file was not found, or could not be accessed.

For the past 2 days, I was getting the above error. After some searching on the Veritas forums, it came to my knowledge that it's a bug in the 2014 version. To sort it out, use the following.

  1. Stop all Backup Exec services
  2. Open a command prompt and navigate to the Backup Exec installation folder (C:\Program Files\Symantec\Backup Exec)
  3. Run the following command:
Catrebuildindex.exe -r

Now start the services or, preferably, restart the server (in my case the services failed to start, so I simply rebooted the server and all went fine).

9- Account privilege Error when installing Backup Exec


If you get the above error during the installation of Backup Exec, then do the following…

If you are part of a domain, then open the Group Policy editor on your domain controller, and add your user to the following:

  1. Backup files and directories
  2. Debug Programs
  3. Manage auditing and security log

10- Stuck on ‘Discovering Resources’

If your Backup Exec job gets stuck on ‘Discovering Resources’, try the following

BackupExec Solution for Job stuck on Discovering Resources – LINK

In short. Goto

11- Using SDR (Disaster recovery) restore to other hardware using Tape (31-Aug-2022)

We have an SAP production server running physically on Windows Server 2008. Using BackupExec we take its complete backup (including OS/etc.) using the remote agent to an LTO-8 TAPE library. For audit requirements, we occasionally restore it in a VMware LAB. First we created an SDR boot image using the BackupExec console and selected all adapter drivers to be on the safe side, in case it is required to be booted from the original physical server, which has RAID/NIC. Then on the ESXi server, we created a new VM and assigned it the same size of storage. Then we booted the VM guest using the SDR ISO image. With network support, we pointed it towards the BackupExec server with domain credentials, and it picked up the last backup sets. Afterwards, at storage selection, we were seeing the following error

On the physical server, we have GPT-based partitions. Using Advanced Disk Configuration, I first deleted all the existing partitions it was showing, then right-clicked on the disk and converted the disk type to GPT, and got back to the main window (click SAVE when it asks). This time it showed the NEXT button as available (the MS reserved partition was still showing as mismatched, but it is OK to ignore it and move forward). Later it auto-mounted the TAPE from the selected backup set, and everything went smoothly till the end. For a data size of about 1.3 TB, it took around 2 hours to complete the restoration job.

Once the OS booted, we first installed the vmware tools, set the IP in network adapter, checked the DATE.TIME, & finally rebooted it once. Alhamdolillah ! all went well 🙂

12- A communications failure has occurred with a System State resource

We are running a few Windows 2008 R2 physical servers (Oracle SAP servers). Using Veritas BackupExec, when taking a complete system image for bare-metal recovery purposes (SDR), the below error occurs:

A communications failure has occurred with a System State resource.

To sort this I did following,

Stop the below services from an administrator command line:

  1. net stop wuauserv
  2. net stop cryptSvc
  3. net stop bits
  4. net stop msiserver

Rename the two folders DataStore and Download which are inside the SoftwareDistribution folder, or rename or delete the complete SoftwareDistribution folder (the latter is recommended).

Method 1:

  • Rename C:\Windows\SoftwareDistribution\DataStore to DataStoreOffline
  • Rename C:\Windows\SoftwareDistribution\Download to DownloadOffline
  • Move the SoftwareDistributionOffline and DownloadOffline folders to C:\TEMP or to another drive/folder location outside of C:\Windows directory.

Method 2: (Recommended, and I followed this one)

  • Rename C:\Windows\SoftwareDistribution to SoftwareDistributionOffline
  • Move the SoftwareDistributionOffline folder to C:\TEMP or to another drive/folder location outside of C:\Windows directory. Or You may delete it

Start the below services from an administrator command line:

  1. net start wuauserv
  2. net start cryptSvc
  3. net start bits
  4. net start msiserver

Now reboot the server & try to Perform a System State or Server Backup.


aacable at
http : / /  aacable . wordpress . com

March 27, 2012

Symantec Endpoint Protection. Win32 Definitions not updating [SOLVED]

Symantec Endpoint Protection Manager 11.0


We have a Symantec Endpoint Protection Manager Ver 11.0 server [S.E.P.M] to protect our clients and servers from viruses, spyware and network threats. It is a really cool product; it has helped us breathe easier in many respects, and it is very good at centralized management/deployment.

It had been working fine for a long time, but I noticed that SEPM stopped updating the Antivirus and Antispyware Protection virus definitions and they were almost 1 week+ old; the rest of the definitions, including Proactive Threat Protection and Network Threat Protection, were up to date. So there was something wrong with the virus definition update engine. I tried to manually launch Live Update on SEPM various times, but to no avail; every time it updated all other definitions except the antivirus updates.


It looked like that only Virus Definition engine was Jammed and for some reasons it was not downloading/accepting new definition.

I followed the below procedure to solve this issue.

Browse to

Save the latest definition file (in .jdb extension) on your Desktop.

03/26/12 03:55PM [GMT]                179,486,566 vd38f402.jdb
(171 MB)

Copy this definition file to the default location of SEPM (where your SEPM is installed on the server):

C:\Program Files\Symantec Endpoint Protection Manager\data\inbox\content\incoming\


After few minutes , it will automatically push the definition to SEPM console and it will be distributed to clients in few minutes, All of my clients (100+) took about 20 minutes to update. Afterwards it worked fine.






Cheers and Best Regards

Syed Jahanzaib
