Problem with DPM setup across two way trust

    Question

  • I have 2 domains; Domain2 trusts Domain1, while Domain1 does not really trust Domain2. All the various commands have seemed to work (SetDpmServer on the target box, and Attach NonDomainServer on the DPM server box), but the agent won't communicate when trying to communicate in the console. I have lots of details, but this forum does not format very nicely. Please post your questions, and I can post the answers. Currently in the console I am seeing error 316, and in the target server event log I see DCOM launch issues, but the permissions, I believe, are all in place. Help please.
    Friday, November 26, 2010 7:32 PM

Answers

  • Rick and I sorted this out in our service request. It appears to have been something amiss with the trusts. Once we removed and recreated the forest trusts we were able to get DPM primary and secondary protection working across the trust.

    DPM 2010 works fine across forest trusts with selective authentication enabled.

    /Steve


    Steve L [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.
    Wednesday, December 29, 2010 6:02 PM
    Moderator

All replies

  • Can you confirm that you have looked at the recommended action corresponding to error 316 and tried to resolve it using the steps provided?

    Can you confirm whether the DPM Server and the PS are accessible to each other outside DPM using their NETBIOS names?

    This posting is provided "AS IS" with no warranties, and confers no rights
    Monday, November 29, 2010 12:08 PM
    Moderator
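The two questions above (NetBIOS reachability in both directions, and what kind of trust is actually in place) can be checked before touching DPM at all. The following is an added example, not code from the thread or from the DPM product; it is meant to be run in an elevated PowerShell session on the DPM server in Domain1. The short NetBIOS names, the TCP 135 check and the use of Get-ADTrust (RSAT ActiveDirectory module) are assumptions, not something the posters mention; nltest and Test-NetConnection are standard Windows tools.

```powershell
# Added example (not from the thread): pre-flight checks for NetBIOS
# reachability and trust type, run from the DPM server in Domain1.
# Host and domain names are the ones used in this thread; the short
# NetBIOS names are assumed.
$protected  = 'ProductionServer2'   # NetBIOS name of the protected server (assumed)
$trustedDom = 'domain2.local'       # the trusted domain from the thread

# 1. Does the short (NetBIOS) name resolve and answer, as well as the FQDN?
foreach ($name in $protected, "$protected.$trustedDom") {
    $ok = Test-Connection -ComputerName $name -Count 1 -Quiet
    '{0,-40} reachable: {1}' -f $name, $ok
}

# 2. Is the RPC endpoint mapper (TCP 135) open on the protected server?
#    DCOM activation, which the thread's errors point at, starts with an
#    RPC bind on this port before any DPM-specific traffic flows.
Test-NetConnection -ComputerName $protected -Port 135 |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded

# 3. Can a domain controller of the trusted domain even be located from here?
#    If this fails, no cross-domain authentication can succeed.
nltest /dsgetdc:$trustedDom

# 4. What kind of trust is in place? The thread shows an external,
#    non-transitive trust was created first by mistake; a forest trust with
#    selective authentication is what worked in the end. Get-ADTrust needs
#    the RSAT ActiveDirectory module (assumed to be installed).
Import-Module ActiveDirectory
Get-ADTrust -Filter "Target -eq '$trustedDom'" |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication, TrustType

# The same trust attributes without the AD module, from the built-in nltest:
nltest /domain_trusts /all_trusts /v
```

Run the same name-resolution and port checks from ProductionServer2 towards DPMServer1 as well; the moderator's question is about accessibility in both directions, and a selective-authentication trust can be healthy while the DPM server's own computer account is still not granted "Allowed to authenticate" on the protected server.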
  • It turns out that using the setdpmserver command with -IsNonDomainServer was not the way to go. The two domains in question have a trust established, and it is a two-way selective trust. When running the setdpmserver command now from the target server (and an elevated command prompt), I get an error 0x800706fc, saying "the trust relationship between the primary domain and trusted domain failed. Go to http://go.microsoft.com/fwlink/?LinkId=169142". Ideas?
    Monday, November 29, 2010 6:50 PM
  • Upon subsequent investigation, I had set up a non-transitive, selective, EXTERNAL trust, which was incorrect. Have blown that away and created a proper FOREST, selective trust. Still failing; however, I am closer to complying with the requirements, so at least now I should have some good indications as to why.... setdpmserver is still telling me "access is denied", and I have re-examined which accounts have "allowed to authenticate" permissions on both sides of the trust..... ARRRGHHHHH !!
    Monday, November 29, 2010 7:56 PM
  • Please correct me if I am wrong. Now both machines trust each other. Are you not able to remotely install the agent using the DPM Server UI?


    This posting is provided "AS IS" with no warranties, and confers no rights
    Tuesday, November 30, 2010 4:47 AM
    Moderator
  • No. Domain1 has the DPM server and does not fully trust ProductionServer2 on Domain2. Agent install fails through the GUI. We get an error that relates back to DCOM activate and launch permissions. Those permissions are set correctly, as far as we can tell. In setting up DPM in this scenario, is it necessary to use the SetDpmServer command on the production server and the Attach-ProductionServer command on the DPM server? We have done that as well, and it has not made a difference.
    Tuesday, November 30, 2010 5:13 PM
  • Event 84: "A DPM agent failed to communicate with the DPM service on DPMServer1.domain1.local because access is denied. Make sure that DPMServer1.domain1.local has DCOM launch and access permission for the computer running the DPM agent (ProductionServer2.domain2.local). (Error code 0x80070005)". Full name: DPMServer1.domain1.com

    I am assuming that the DPM server has to have the aforementioned rights (the DCOM ones) on ProductionServer2.domain2.local; is this correct? If so, these are in place, making the receipt of the error all the more puzzling...
    Tuesday, November 30, 2010 5:19 PM
  • More notes: On the Domain2 production server, I ran the SetDpmServer command, which completed successfully.

    On trying to run the Attach-ProductionServer.ps1 script from the DPM shell, I am using the following syntax:

    DPMServer::  DPMServer1.domain1.local

    PSname::  ProductionServer2.domain2.local

    username::  username    OR   domain2.local\username OR username@domain2.local

    password::  givemeabreak

    domain:: Domain2.local

    The error is consistent; it does not like the username and password.

    I can attach to \\ProductionServer2.domain2.local\C$ just fine from DPMServer1.domain1.local, so I really am having some "comprehension" issues about what exactly is wrong here.....

    I also found an article (albeit for DPM 2007) that said to adjust the local security policies to add the machine account (DPMServer1.domain1.local$) to the "Access this computer from the network" user right assignment, which I did.

    Tuesday, November 30, 2010 6:22 PM
  • With the protected server throwing this DPMRA event 84, let's enable some logging.

    Set these on the DPM server and the protected server we are working on.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole

    Name:  ActivationFailureLoggingLevel
    Type:  DWORD
    Value: 1

    Name:  CallFailureLoggingLevel
    Type:  DWORD
    Value: 1

    This will give us DCOM events in the System log. Once we are done we may set these values to zero.


    Once you have the logging in place reproduce the DPMRA error. Once you get that on the protected server check the system event log on the DPM server for a DCOM 10016 and/or 10027. If you get those what is the DOMAIN\User account that is failing to access the DPM server?

    /Steve


    Steve L [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, December 06, 2010 6:55 PM
    Moderator
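The procedure in the post above (set the two Ole logging values, reproduce the DPMRA event 84, then read the DCOM 10016/10027 events and the DOMAIN\User they name) as one script. This is an added example, not code from the thread or from DPM; run it in an elevated PowerShell session on the DPM server (and again on the protected server). The 30-minute lookback window, the Microsoft-Windows-DistributedCOM provider name used to filter the System log, and the regular expression that pulls the account name out of the event text are assumptions of this example, not something the post specifies.

```powershell
# Added example (not part of the original thread): enable DCOM failure logging
# as described in the post, harvest DCOM 10016/10027 events, then turn the
# logging back off. Run elevated on the DPM server and on the protected server.
$oleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'
$levels = 'ActivationFailureLoggingLevel', 'CallFailureLoggingLevel'

function Set-DcomFailureLogging {
    # Writes both REG_DWORD values from the post; 1 = log, 0 = back to default.
    param([ValidateSet(0, 1)][int] $Level)
    foreach ($name in $levels) {
        New-ItemProperty -Path $oleKey -Name $name -PropertyType DWord `
                         -Value $Level -Force | Out-Null
    }
    Get-ItemProperty -Path $oleKey | Select-Object $levels
}

function Get-DcomAccessFailures {
    # Returns the DCOM 10016/10027 events from the System log since $Since,
    # with the DOMAIN\User (or DOMAIN\MACHINE$) named in the event text.
    # Provider name and regex are assumptions of this example.
    param([datetime] $Since = (Get-Date).AddMinutes(-30))
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10016, 10027
        StartTime    = $Since
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Account = [regex]::Match($e.Message, '[\w.-]+\\[\w.$-]+').Value
            Message = ($e.Message -replace '\s+', ' ')
        }
    }
}

# 1. Turn the logging on (both values = 1).
Set-DcomFailureLogging -Level 1

# 2. Reproduce the failure: retry the agent install or refresh the agent in
#    the DPM console so the protected server logs DPMRA event 84 again.
Read-Host 'Reproduce the DPMRA event 84 now, then press Enter'

# 3. Which account is being refused? A DOMAIN\MACHINE$ entry here is the other
#    server's computer account, which is what the selective trust must allow.
Get-DcomAccessFailures | Format-List

# 4. Done: set the values back to zero, as the post says.
Set-DcomFailureLogging -Level 0
```

The account shown in the 10016/10027 text is the one to compare against the DCOM Launch and Activation permissions on the DPM server and against the "Allowed to authenticate" grants on the selective trust; in this thread the accounts in question are the two computer accounts, DPMServer1$ and ProductionServer2$.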
  • OK. This whole mess is being worked on by Microsoft (I have a ticket open and am working on it). However, something a lot more critical has just surfaced and become apparent. http://technet.microsoft.com/en-us/library/ff634170.aspx: "Secondary protection for workgroup / untrusted domain computers is not supported."

    Edit, article specifics: "If you are protecting data sources on a workgroup or untrusted domain computer using a primary DPM server, when you attempt to add secondary protection for the computer on a secondary DPM server, the protected computers in a workgroup / untrusted domain are not listed. Consequently, they cannot be added for secondary protection. Reason: DPM 2010 does not support secondary protection of computers that are in a workgroup or untrusted domain."

    This feature was available under DPM 2007 with the release of SP1, but was dropped in 2010???? Are you kidding me? Part of any good backup strategy is to have a second, off-site backup location, and we built our whole strategy around functionality that was there when moving forward with 2010. Now it's GONE??? So not only (at this point) can we not back up the DCs from a domain that has a selective trust in place, but now you can't even provide a second level of protection in the same scenario?? Is it just me, or is something wrong with this picture?
    Tuesday, December 07, 2010 4:34 PM