Assigning administrationservers in a multi-site environment

  • 31 May 2019
  • 1 reply

  • Anonymous
  • 0 replies
Hey guys,

I recently became responsible for the Kaskerspy-Infrastructur in my company and I would like to know how you handle assigning Administrationservers to the Agents in a multi-site environment, or if there are best-practices I just don't know yet.

Let me start with describing the situation in my company.

We have a whole bunch of sites with several thousand clients, all of them are members of the same Windows Domain. From the Domain-Point-of-View, each site is build in a separate Organisational Unit in the Microsoft Active Directory.

Furthermore, each Site has its own local Kaspersky Security Center-Administrationserver. All these servers are subordinate to one Main-Administrationserver located at our main site.

Each Site-Administrationserver synchronizes with the Active Directory Organisational Unit for its site and so finds out about its clients.

That way we have sets of rules and tasks on the Main-Server and they are inherited to the subordinate Administrationservers.

The clients are set up by a client management system and they are running a version of Kaspersky Endpoint Security and a version of the Administration-Agent.

Right now assigning the Administrationserver to the Agents is done by a Group Policies that run the klmover-tool. Each site has it's own Group Policy so every Client gets an Administrationserver based on the Site-Organisational Unit it belongs to.

From what I've read so far, using the klmover-tool like this is not recommended as it can cause duplicate devices on the Administrationservers. Because of that and for several other reasons I want to get rid of the Group-Policy-Way of doing it.

Is there a way to assign the Administrationservers to the Agents with the methods of Kasperky Security Center?

I already found out about assigning profiles to the agents but unfortunately Organisational Units are not a possible criteria when creating the conditions.

I could use the site's local Domain Controllers as a criteria but if I do that, laptop-users visiting other sites would end up in unassigned devices, which is something I want to avoid.

And well maybe I am totalls on the wrong way so please let me know how you solved this;)

Kind regards


1 reply

Userlevel 5
Badge +4

You can link a PC to necessary KSC using network agent policy - Connectivity-Connection profiles.

As for using klnagchk - hosts will be removed from previous KSC server after relocation but not instantly.
It will be removed according to "Managed Computers(or any group) - Properties - Devices - Remove the device from the group if it has been inactive for onger than (days) -60" by default.