DPM 2010 error 0x80070005 adding domain controller from untrusted domain

    Question

  • I have a domain controller, serverA, in a different domain that trusts my domain, but I don't trust its domain. I installed the agent successfully and was able to add it to the DPM console, but am seeing an agent error. It's a very similar error to this:

    http://social.technet.microsoft.com/Forums/en-US/dpmworkgroupbackup/thread/93877d20-b1a9-4637-ae03-59dcc31443f0

    Except I do not have any child domains in serverA's domain. The following error is logged on the DPM server:

    Protection agent version: 3.0.7696.0
    Error: Data Protection Manager Error ID: 316
     The protection agent operation on serverA failed because the service did not respond.
    Detailed error code: Internal error code: 0x8099090E

    The DPMRA error log on serverA shows this:

    1CBC 1640 08/17 17:30:09.294 04 cmdproc.cpp(2017) [00BD3BB8] 46C5F2B7-304F-4323-9154-6D4729BF34DD WARNING Failed: Hr: = [0x80070005] : F: lVal : hr
    1CBC 1640 08/17 17:30:09.294 04 cmdproc.cpp(1804) [00BD3BB8] 46C5F2B7-304F-4323-9154-6D4729BF34DD WARNING Attempted CreateInstance failed (fUseSpnWithRealm=false). Now retrying with SPNWithRealm
    1CBC 1640 08/17 17:30:09.356 03 machinename.cpp(26) [0276F880] 46C5F2B7-304F-4323-9154-6D4729BF34DD WARNING Failed: Hr: = [0x80070005] : DsRoleGetPrimaryDomainInformation failed for:[DPM07]
    1CBC 1640 08/17 17:30:09.372 03 machinename.cpp(86) [0276F880] 46C5F2B7-304F-4323-9154-6D4729BF34DD WARNING Failed: Hr: = [0x80070005] : F: lVal : QueryAndSetDomainName()
    1CBC 1640 08/17 17:30:09.372 03 machinename.cpp(167) [0276F880] 46C5F2B7-304F-4323-9154-6D4729BF34DD WARNING Failed: Hr: = [0x80070005] : F: lVal : GetDomainName(ssDomainName)
    1CBC 1640 08/17 17:30:09.372 04 cmdproc.cpp(1889) [00BD3BB8] 46C5F2B7-304F-4323-9154-6D4729BF34DD WARNING Failed: Hr: = [0x80070005] : F: lVal : targetMachineName.GetHostSpn(spn, true)
    1CBC 1640 08/17 17:30:09.372 04 cmdproc.cpp(1816) [00BD3BB8] 46C5F2B7-304F-4323-9154-6D4729BF34DD WARNING Failed: Hr: = [0x80070005] : C: lVal : hr
    1CBC 1640 08/17 17:30:09.372 04 cmdproc.cpp(2242) [00BD3BB8] 46C5F2B7-304F-4323-9154-6D4729BF34DD WARNING Failed: Hr: = [0x80070005] : F: lVal : CreateInstance( strCmdTarget, clsidTarget, hrDLS, (IUnknown **)&pAgentCommand, (pCommand->GetSenderToken() == 0), pCommand->IsNonDomainAgent(), fIsNonADMachine, cmdTargetIP )
    1CBC 1640 08/17 17:30:09.372 04 cmdproc.cpp(2482) [00BD3BB8] 46C5F2B7-304F-4323-9154-6D4729BF34DD WARNING CCommandProcessor::SendOutboundCommand this:[00BD3BB8], ServerName: DPM07
    1CBC 1640 08/17 17:30:09.372 04 cmdproc.cpp(2579) [00BD3BB8] 46C5F2B7-304F-4323-9154-6D4729BF34DD WARNING Logging event for error: 257, detailed: 0x80070005

    And logs this error to EV:

    Event Type: Error
    Event Source: DPMRA
    Event Category: None
    Event ID: 84
    Date:  8/17/2010
    Time:  10:56:22 AM
    User:  NT AUTHORITY\SYSTEM
    Computer: ServerA
    Description:
    A DPM agent failed to communicate with the DPM service on DPM07 because access is denied. Make sure that DPM07 has DCOM launch and access permissions for the computer running the DPM agent (Error code: 0x80070005, full name: DPM07).

    I removed everything and ensured I followed these steps exactly:

    http://technet.microsoft.com/en-us/library/ff634193.aspx

    Still the same error. I used the following command line to configure serverA:

    SetDpmServer -dpmservername DPM07.orcsweb.com -isNonDomainServer -userName DPMAgent

    I added serverA to DPM07 via the DPM GUI as a non-trusted server. It created a domain user appropriately on serverA, and that user is in both the DPMRADCOMTrustedMachines and DPMRADmTrustedMachines groups.  I tried adding the DPM07 computer account to those groups as well as specifically granting the DPM07 computer access launch and access permissions to the DPMRA DCOM object in Component Services - neither worked. The firewall service is not running on serverA but is on DPM07. For testing, I disabled it on DPM07 but saw the same results. No hardware firewall in place here. 

    Any other pointers?


    Jeff Graves, ORCS Web, Inc.
    Tuesday, August 17, 2010 5:56 PM

Answers

  • Thanks for the follow-up. The DPMAgent is a domain user in serverA's domain which is untrusted by my domain, so I wouldn't be able to add it to the local administrators group on DPM07. I did try adding it to the Domain Admins group in serverA's domain but that didn't help either.

    However, while re-reading the documentation, I came across this:

    "If you use the NetBIOS name of the DPM server in the SetDPMServer command, you also must use the NetBIOS for the protected computer when you attach the computer. This also applies if you use the fully qualified domain name (FQDN) of the DPM server."

    I was using the GUI, which doesn't have an option to specify the DPM server name. So I removed the server from DPM, uninstalled and re-installed the agent, and then re-added it using the PowerShell script and the FQDN of the DPM server and voilà - it works. The GUI must use the NetBIOS name of the DPM server and the SPN for delegation probably used the FQDN that I entered on the command line for SetDpmServer which wouldn't match (one would be DPM07 and the other DPM07.orcsweb.com).

    Anyway, they're communicating now. Thanks for your help.


    Jeff Graves, ORCS Web, Inc.
    Tuesday, August 17, 2010 9:25 PM

All replies

  • Hey Jeff, I saw your post in the other thread... wanted to see if I could offer some help.  For testing purposes only, what happens if you add the DPMAgent to the BUILTIN\Administrators group on ServerA?


    -Tom


    blog TinyInt.Com | work Logicworks.Net
    • Edited by tcnolan Tuesday, August 17, 2010 9:38 PM changed server name
    Tuesday, August 17, 2010 8:51 PM
  • Hey Jeff, I had your server names backwards.  I meant to ask you to make the DPMAgent user a member of the BUILTIN\Administrators group on ServerA which is the untrusted domain controller. This is moot now anyway since your change fixed it.

    One thing to note however: keep in mind that the DPMAgent user gets created on both the target server that is being backed up (by SetDpmServer command) as well as on the DPM server itself (by Attach-NonDomainServer.ps1 script) so each time you configure a new untrusted server for backup, you may want to use a username that is indicative of which server is being backed up.  In your situation here it would make sense to use "dpmagent-servera" or something to that effect, which is better from a security perspective.

    You can use the same "DPMAgent" user for all of your servers, just make sure you don't change the password when bringing up a new one or the DPMAgent user on the dpm server may change and you would then have trouble communicating with all of the other agents.


    blog TinyInt.Com | work Logicworks.Net
    Tuesday, August 17, 2010 9:37 PM
  • Tx for mentioning. I didn't realize it was created on the DPM server as well. Yeah - the idea was to create a single "generic" account that could be used for all non-domain computers.
    Jeff Graves, ORCS Web, Inc.
    Tuesday, August 17, 2010 9:41 PM
  • I am having very similar issues, but have been unable to resolve this at all. I am now on Day 2, and no closer to getting to the bottom of what the issue may be. It sounds like I have done the same steps, but still stumped....
    Friday, November 26, 2010 10:11 PM
  • I had the same error message and in my case the time sync was not right, so one of the servers didn't give access. Make sure the time on the DPM servers matches....
    Tuesday, December 28, 2010 10:49 AM
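The three conditions this thread turned on (the same name form for the DPM server in SetDpmServer and in the attach step, the agent account's membership in both DPMRA local groups, and clock agreement between the two servers) can be checked from the protected computer before the agent is attached. The script below is an added example written for this page, not code from the thread or from DPM itself; it assumes it is run elevated on the protected server (serverA in the thread), that `$DpmServer` is the name exactly as passed to SetDpmServer, and that `$AgentUser` is the local account SetDpmServer created. The 300-second threshold is the default Kerberos maximum clock skew.

```powershell
# Added diagnostic for the DPM untrusted-agent setup discussed above.
# Not part of the thread or of DPM. Run elevated on the protected computer.
param(
    # DPM server name exactly as it was passed to SetDpmServer (assumed parameter).
    [Parameter(Mandatory = $true)] [string] $DpmServer,
    # Local account created on this computer by SetDpmServer (assumed parameter).
    [string] $AgentUser = 'DPMAgent'
)

$results = @()

# 1. Name form: SetDpmServer and the attach step on the DPM server must use the
#    same form (both FQDN or both NetBIOS). Flag a bare NetBIOS name and confirm
#    the name resolves from here.
$isFqdn = $DpmServer -match '\.'
try {
    $entry  = [System.Net.Dns]::GetHostEntry($DpmServer)
    $detail = "$DpmServer resolves to $($entry.AddressList -join ', ')"
    if (-not $isFqdn) { $detail += ' (NetBIOS form; the attach step must use the same form)' }
    $results += [pscustomobject]@{ Check = 'DPM server name'; Pass = $isFqdn; Detail = $detail }
} catch {
    $results += [pscustomobject]@{ Check = 'DPM server name'; Pass = $false; Detail = "Cannot resolve $DpmServer" }
}

# 2. Group membership: the agent account must be in both DPMRA local groups
#    (names taken from the thread). Enumerated through ADSI so it works on
#    older Windows versions without Get-LocalGroupMember.
foreach ($groupName in 'DPMRADCOMTrustedMachines', 'DPMRADmTrustedMachines') {
    try {
        $group   = [ADSI]"WinNT://./$groupName,group"
        $members = @($group.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
        $results += [pscustomobject]@{
            Check  = "Member of $groupName"
            Pass   = ($members -contains $AgentUser)
            Detail = "Members: $($members -join ', ')"
        }
    } catch {
        $results += [pscustomobject]@{ Check = "Member of $groupName"; Pass = $false; Detail = "Group not found: $($_.Exception.Message)" }
    }
}

# 3. Clock skew: authentication across the trust fails when the clocks differ by
#    more than the Kerberos limit (a later reply reported time sync as its cause).
#    'w32tm /stripchart ... /dataonly' prints one line per sample ending in the
#    signed offset, e.g. "17:30:09, +00.0123456s".
$sample = (w32tm /stripchart /computer:$DpmServer /samples:1 /dataonly 2>&1 | Select-Object -Last 1)
$offset = $null
if ("$sample" -match '([+-]\d+\.\d+)s') { $offset = [double]$Matches[1] }
$results += [pscustomobject]@{
    Check  = 'Clock offset to DPM server'
    Pass   = ($offset -ne $null -and [math]::Abs($offset) -lt 300)
    Detail = "$sample"
}

$results | Format-Table -AutoSize
```

A failed name check does not by itself mean the name is wrong, only that the same form must be used when the computer is attached on the DPM server side; a failed clock check points at time synchronization rather than at DCOM permissions, which is worth knowing before re-installing the agent.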
  • Yep, I'm having this same issue.

    Domain Trust in place (one-way).  The remote domain has six servers.  Three work, three don't.  The three which don't are all domain controllers (2003).

    Tried everything.  Re-installed agents, run the setdpm command, done the PS command on the DPM server.  I have always used the FQDN rather than anything NetBIOS.

    Checked local accounts, DCOM settings etc etc.  Nothing is working!!!! Grrrrr

    Wednesday, March 27, 2013 1:49 PM