none
A DPM agent failed to communicate with the DPM service

    Question

  • Hi

     

    I have DPM 2010 and im trying to protect three servers on DMZ.

    Two of these servers protected successfully.

    The 3rd server is failing to be protected.

    I recieve the following error in DPM console

    Protection agent version: 3.0.7696.0
    Error: Data Protection Manager Error ID: 316
     The protection agent operation on SBCEXTDB02 failed because the service did not respond.
    Detailed error code: Internal error code: 0x8099090E
    Recommended action: If you recently installed a protection agent on EXTDB, the computer may be restarting. Wait a few minutes after restarting the computer for the protection agent to become available. Otherwise, troubleshoot the problem as follows:
    1) Check the recent records from the DPMRA source in the Application Event Log on EXTDB to find out why the agent failed to respond.
    2) Verify that the DPM server is remotely accessible from EXTDB.
    3) If a firewall is enabled on the DPM server, verify that it is not blocking requests from EXTDB.
    4) If EXTDB is a workgroup computer configured to use NETBIOS, ensure that the NETBIOS name of the DPM server is accessible from EXTDB. Otherwise verify that the DNS name is remotely acessible.
    5) If EXTDB is a workgroup server, ensure that the DPM server has an IPSEC exception to allow communication from workgroup servers.
    6) If EXTDB is a workgroup server the password for the DPM user accounts could have been changed or may have expired. To resolve this error, run SetDpmServer with the -UpdatePassword flag on the protected computer and Update-NonDomainServerInfo.ps1 on the DPM server.
    7) Restart the DPM Protection Agent service on EXTDB. If the service fails to start, reinstall the DPM protection agent.

     

    I checked the Protected server and in the logs i found

    A DPM agent failed to communicate with the DPM service on DPM because of a communication error. Make sure that DPM is remotely accessible from the computer running the DPM agent. If a firewall is enabled on DPM, make sure that it is not blocking requests from the computer running the DPM agent (Error code: 0x800706ba, full name: DPM).

    The setting for DCOM groups is as it should be. The DPM agent account is been created. the DPM is on the DCOM group.

     

    Take into consideration that the other two server been added successfully so there is something on that server.

     

    Any suggestions?

    // Laith.

     


     

     

    • Moved by MarcReynolds Monday, January 24, 2011 1:50 PM (From:Data Protection Manager)
    Friday, January 21, 2011 8:59 AM

Answers

  • The traffic needs to be open in both directions. The DPM server will initiate communication to the DPMRA on a protected server. The server will initiate DCOM/RPC communication to the DPM server.

    /Steve


    Steve L [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Laith IT Thursday, February 24, 2011 8:24 AM
    Wednesday, February 02, 2011 10:45 AM
    Moderator

All replies

  • Hello!

    Is the Windows firewall activated on the server where protection is failing? In that case, compare the firewall rules with the others.

    Link to ports that has to be open: http://technet.microsoft.com/en-us/library/cc161275.aspx

    Best regards,

    Markus

     


    Markus Bölske, Lumagate. www.lumagate.se
    Friday, January 21, 2011 11:02 AM
  • The domain firewall is on.

    I will check the setting and get back to you.

    Monday, January 24, 2011 12:34 PM
  • Hi Markus,

    This is for DPM 2007. There must be different ports for DPM 2010 since it can protect untrusted domain.

    Do you have the list of ports that should be open for DPM 2010?

    // Laith.

    Tuesday, January 25, 2011 12:02 PM
  • Hi Laith,

    DPM 2010 uses the same set of ports as DPM 2007. Here's the link to the DPM 2010 technet article:

    http://technet.microsoft.com/en-us/library/ff399341.aspx

     

    Marc

     

    Tuesday, January 25, 2011 1:08 PM
  • Now i added a new Windows 2003 protected server which has the firewall off (even windows firewall is disabled).

    And i got the same error.

     

    A DPM agent failed to communicate with the DPM service on DPMSRV because of a communication error. Make sure that DPM is remotely accessible from the computer running the DPM agent. If a firewall is enabled on DPMSRV, make sure that it is not blocking requests from the computer running the DPM agent (Error code: 0x800706ba, full name: DPMSRV).

    Both firewalls are disabled.

     

    Any suggestions?

    // Laith.

     

     

    Tuesday, January 25, 2011 2:19 PM
  • Does anyone know if this error is related to the Firewall or network connection problem or even trust issue?

     

    // Laith.

    Thursday, January 27, 2011 10:06 AM
  • Laith,

    The error you are getting on the protected server indicates that the agent cannot make an RPC connection to the DPM Server. Can you verify the protected server can communicate with the DPM Server onTCP port 135? You can test this using the telnet command "telnet <dpm server name> 135" or download and use the PortQuery tool

    http://www.microsoft.com/downloads/en/details.aspx?familyid=89811747-C74B-4638-A2D5-AC828BDC6983&displaylang=en

     

    Marc

    Thursday, January 27, 2011 1:38 PM
  • Hi Marc,

    I have exactly the same problem.

    I have some servers and clients protected by a DPM server.

    Then a client got new hardware and was completelly newly installed including the DPM agent. Now, the DPM agent can no longer communicate with the DPM server.

    I have removed the client entry on the DPM server and deinstalled the DPM agent on the client, then tried to install the DPM agent from the DPM Management Console but got the mentioned error 0x8099090E.
    From the client, I can read the DPM server at port 135 via telnet.

    Ulrich

     

    Friday, January 28, 2011 11:45 AM
  • DPM need to communicate via RPC/DCOM. Let's test various connectivity between the DPM server and protected server. We'll need to test basic connectivity, SMB, RPC, and WMI/DCOM.

    The commands below need to be run from an administrative command prompt. It is a good idea to test from both the DPM server and the protected server. For testing the account used must be an administrative account on both servers.

    Basic connectivity is tested by using ping. If ICMP traffic is blocked ping commands will fail but that is OK.
      ping <protected server name>

    Next test SMB (file sharing).
      net view \\<protected server name>

    Now test RPC and connectivity to Service Control Manager (SCM). This displays a list of services on the remote server when successful.
      Sc \\<protected server name> query

    Lastly test WMI/DCOM. When successful this command lists some basic information about the remote server.
      Wmic /node:"<protected server name>" OS list brief

    If any of the tests after ping fail that may be where the problem is.

    /Steve


    Steve L [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, January 28, 2011 6:12 PM
    Moderator
  • Please check if DCOM is working fine between the machines using the instructions documented at http://support.microsoft.com/kb/259011
    -- Thanks Venkata Praveen[MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, January 31, 2011 1:22 PM
  • The incomming trafic is close to the protected server. I dont think its needed to open RPC for the incoming trafic for the DMZ. It's the DPM server which is going to make RPC-anrop to the DMZ protected server not the other way around.

     

    I have this setting for all the server. Two of them are protected and the other two DPMRA is unable to connect to them.

     

    The question is... Does RPC needs to be open for the incomming trafic in the protected server or its just need to be open in the DPM server?

    I have two protected servers on the same DMZ with the same rule which can be protected while the other two servers can be protected?

    Tuesday, February 01, 2011 1:34 PM
  • The traffic needs to be open in both directions. The DPM server will initiate communication to the DPMRA on a protected server. The server will initiate DCOM/RPC communication to the DPM server.

    /Steve


    Steve L [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Laith IT Thursday, February 24, 2011 8:24 AM
    Wednesday, February 02, 2011 10:45 AM
    Moderator
  • If the traffic needs to be open in both directions why i have two servers that are protected and at the same time the incomming traffic is blocket while the outgoing traffic is open?

    Wednesday, February 02, 2011 1:10 PM
  • Hi Laith,

    Is DCOM test  http://support.microsoft.com/kb/259011  went fine on these machines. Im suspecting some n/w issue between the machine such as the machine might be pinging to a wrong server.

    Also please check the following:

     

    Please check the following

    1. Ping is working fine on both the machines (to and from). Using both netbios name and FQDN

    2. Run net time /set command on both the machines and ensure that communication and time between AD are in sync

    3. Authenticated users group is part of users group on both machines

    4. Check the KB http://support.microsoft.com/default.aspx?scid=kb;EN-US;978900


    -- Thanks Venkata Praveen[MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    • Proposed as answer by Venkata Praveen[MSFT] Thursday, February 10, 2011 7:25 AM
    • Unproposed as answer by Laith IT Friday, February 11, 2011 6:21 AM
    • Proposed as answer by Jamests Friday, June 01, 2012 9:25 PM
    Thursday, February 10, 2011 6:58 AM
  • Venkata, 

    Number 3 on your list fixed our problem.

    Thanks!

    James 

    Friday, June 01, 2012 9:25 PM