DPM agent connection across domain forest fails

    Question

  • Hi

    Trying to set up dpm agent install (version DPM 2012 SP1) across a domain trust.

    The target is a 2003 DC. I can resolve both by NetBIOS and FQDN from the dpm server. However when trying to attach the agent I get a:

    'The provided domain credentials does not have administrator access to the following items:<server fqdn> (ID 33220)

    I've enabled dcom on the target server and tried a variety of tests including wbemtest which fails with the following error:

    Number: 0x80070005 Access is denied.

    All the settings SEEM ok, is there a definitive article that anybody knows about for testing the communications, I cannot see any errors in either of the server event logs.

    Thanks

    Monday, November 18, 2013 4:50 PM

All replies

  • Trying to set up dpm agent install (version DPM 2012 SP1) across a domain trust.

    The documentation says that a domain trust is not enough; you should create a full (bi-directional) forest trust instead.

    The target is a 2003 DC. I can resolve both by NetBIOS and FQDN from the dpm server. However when trying to attach the agent I get

    'The provided domain credentials does not have administrator access to the following items:<server fqdn> (ID 33220)

    I've enabled dcom on the target server and tried a variety of tests including wbemtest which fails with the following error:

    Number: 0x80070005 Access is denied.

    There are numerous issues and options as follows:

    1. If you later want to perform a BMR of a 2008 or later server, the forest trust is a must. This is so that the agent’s computer account can access the share on the DPM server to save its system state to. Otherwise it will require 15GB free locally to save it first.
    2. If you only want to back up that one 2003 DC server, then you could treat it as a client from an untrusted domain, and use the instructions relevant to that scenario.
    3. Which are to manually install the client, then use the setdpmserver.exe command to create the username/password for the agent to use, which will be repeated on the DPM server when attaching the client from the untrusted domain/workgroup etc.
    Wednesday, November 20, 2013 12:43 AM
  • I've enabled dcom on the target server and tried a variety of tests including wbemtest which fails with the following error: Number: 0x80070005 Access is denied

    Please note that an administrator on THIS domain is treated as a regular user on THAT domain.

    Thus if you require administrative rights on a server (such as the 2003 DC) in the target domain, use an administrative rights holding account from the target domain instead.

    You can test this by attempting to access \\2003DC.DOMAIN.LOCAL\C$\  with an administrative account from the target domain.

    Wednesday, November 20, 2013 7:57 AM
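
A scripted version of the checks discussed above (name resolution, the C$ test, and the remote WMI/DCOM connection that wbemtest exercises), as an added example that is not part of any poster's reply. The target name is the placeholder from the reply, and the hint text for the two HRESULTs is a general interpretation, not DPM documentation.

```powershell
# Added example: run on the DPM server. Requires PowerShell 3.0 or later.
param(
    [string]$Target = '2003DC.DOMAIN.LOCAL',   # placeholder name from the reply above
    [pscredential]$Credential = (Get-Credential -Message 'Admin account from the TARGET domain')
)

# Well-known HRESULTs and what they usually point to (general interpretation)
$Hints = @{
    '0x80070005' = 'Access denied: credentials lack administrator/DCOM rights on the target'
    '0x800706BA' = 'RPC server unavailable: RPC/DCOM ports blocked or service not running'
}

function Test-Step {
    param([string]$Name, [scriptblock]$Action)
    try {
        [pscustomobject]@{ Step = $Name; Result = 'OK'; HResult = ''; Detail = [string](& $Action) }
    } catch {
        # Walk to the innermost exception so the real HRESULT is reported
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }
        $hr = '0x{0:X8}' -f [Runtime.InteropServices.Marshal]::GetHRForException($ex)
        $detail = if ($Hints.ContainsKey($hr)) { $Hints[$hr] } else { $ex.Message }
        [pscustomobject]@{ Step = $Name; Result = 'FAILED'; HResult = $hr; Detail = $detail }
    }
}

$results = @(
    Test-Step 'DNS resolution' { [System.Net.Dns]::GetHostEntry($Target).HostName }
    Test-Step 'Admin share (C$)' {
        # Maps and immediately unmaps the admin share with the supplied credentials
        New-PSDrive -Name DpmChk -PSProvider FileSystem -Root "\\$Target\C`$" `
            -Credential $Credential -ErrorAction Stop | Out-Null
        Remove-PSDrive -Name DpmChk
        'share reachable with these credentials'
    }
    Test-Step 'WMI over DCOM' {
        # Same remote WMI path that wbemtest uses when connecting to the target
        (Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Target `
            -Credential $Credential -ErrorAction Stop).Caption
    }
)
$results | Format-Table -AutoSize -Wrap
```

A result where the share step passes but the WMI step fails with 0x80070005 separates a file-share permission from the DCOM/WMI permission that the wbemtest error in the question relates to.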
  • Hi

    Thanks both for the responses. Sorry for the delay in replying. So what I have at the moment is a domainadmin account I use to login to the DPM server on domain X.

    I've added this account to the local administrators group on the server 2003 DC  (one to be protected). Trying this account from either the 'add' or 'attach' options in DPM still gives the same error. I can run the above 2003dc\c$ path mentioned above and it connects ok from the dpm server. So I started to dig into why the attach/install fails and have not really got anywhere with this. Kind of stuck on how to proceed at the moment.

    Can anybody suggest a way forward for either testing or logging ?

    Monday, November 25, 2013 10:18 AM
  • Further update to this. I can add a server 2008 r2 server in the x domain onto the dpm server. So I'm guessing that the correct trust relationship is in place. So it must be down to either

    The server I need to protect is a DC

    The OS level (server 2003)

    Attributes on the target server such as dcom, winrm etc etc

    Does anybody have any pointers ?

    Monday, November 25, 2013 12:58 PM
  • And probably another thing I should add is that we can manually install the dpm agent onto the DC. We can also manually run the -setdpmserver command successfully, however the servername does not appear in the server unprotected (or protected) list and we get the error when we try and attach the server via the gui.

    Monday, November 25, 2013 2:07 PM
  • >I can add a server 2008 r2 server in the x domain onto the dpm server.

    True, but you won't be able to configure it for a BMR backup.

    >Does anybody have any pointers ?

    Either change the trust from a domain trust into a forest trust, or back up the Windows Server 2003 domain controller as if it were a server in a workgroup or from an untrusted domain, using the instructions for that scenario, for which you have two choices, either to use certificates, or use a username/password.

    Here is the walkthrough for the username password approach:

    1. On the 2003 DC, run the setdpmserver command as follows:

    setdpmserver -dpmservername yourDPMserver.dpmdomain.local -isnondomainserver -username 2003DCuser
    (you will be prompted for the password)

    2. On the DPM server, attach a machine from an untrusted domain or workgroup, then provide the username and password from above.

    Monday, November 25, 2013 9:24 PM