DPM 2010 agent install on W2k8 Domain Controller issue

    Question

  • Hey guys, so I'm having a problem getting DPM 2010 agents on my Windows 2008 domain controllers. For some reason the agent will not communicate with the dpm server after running the attach process. The process I go through to install (which is working in my Dev environment) is

    1) (on DC) Run manual agent install by running agent.exe file from ProtectionAgents folder on DPM server

    2) (on DC) Run the setdpmserver command line to specify the DPM server

    3) (on specified DPM server) Run Agent attach sequence from Agent tabs in DPM console which says successful, but when you return to agents view under "unprotected computers" I see error.

    I've verified the tests that other users have posted on this forum including

    PING, DCOM permissions, verifying that inbound rules are set up, tested SMB, tested RPC, and also uninstalled and reinstalled the agent. Any ideas where to search next?

     

    • Moved by MarcReynolds Thursday, June 09, 2011 12:27 PM (From:Data Protection Manager)
    Wednesday, June 08, 2011 10:08 PM

All replies

  • Hello,

    You can search the DPMRA logs on the client and the MSDPMCurr.errlog on the DPM server for communication issues.

    Client Side Activity %Program Files%\Microsoft Data Protection Manager\DPM\Temp
    DPM Server Activity %Program Files%\Microsoft DPM\DPM\Temp

    You can also setup netmon on both servers to see if traffic is making it that far.

    Do you also have the integrated firewall turned on on the DC? If so, can you try turning it off for testing?

    Typing "net stop bfe" at a command prompt should do it.

     

    Thanks
    Shane

    Thursday, June 09, 2011 3:56 PM
  • I checked the MSDPMCurr.errlog, but I'm not exactly sure how to look for the failures that relate to the DC. When I search for the netbios name of the DC, I can see failures, but I also see identical failures under other server names as well. Is there anything specifically I should be looking for?

    I am requesting turning off the integrated firewall for testing as well and am awaiting an answer.

     

    I am attaching part of the log I was looking at.

    tance.cs(253)   NORMAL </TECommand>' Error CmdProcAccessDenied
    0BE8 10E4 06/14 18:00:03.425 07 AMUtil_expanded.cs(3474)  BF90214B-F6C3-40B9-B53E-C6DC0A0235DF WARNING CheckTimeoutMessage: code[0x00000101], detailedCode[0x80070005], errMgs[Access is denied (0x80070005)]
    0BE8 10E4 06/14 18:00:03.425 07 AMUtil_expanded.cs(3474)  BF90214B-F6C3-40B9-B53E-C6DC0A0235DF WARNING [<?xml version="1.0" encoding="utf-16"?>
    0BE8 10E4 06/14 18:00:03.425 07 AMUtil_expanded.cs(3474)  BF90214B-F6C3-40B9-B53E-C6DC0A0235DF WARNING <Status xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" StatusCode="-2147024891" Reason="Timeout" CommandInstanceID="cb3dbc9c-b7fe-4df0-8dcd-c93baacae403" CommandID="GetProperties" GuidWorkItem="bf90214b-f6c3-40b9-b53e-c6dc0a0235df" TETaskInstanceID="bf90214b-f6c3-40b9-b53e-c6dc0a0235df" xmlns="http://schemas.microsoft.com/2003/dls/StatusMessages.xsd">
    0BE8 10E4 06/14 18:00:03.425 07 AMUtil_expanded.cs(3474)  BF90214B-F6C3-40B9-B53E-C6DC0A0235DF WARNING   <ErrorInfo ErrorCode="257" DetailedCode="-2147024891" DetailedSource="2" ExceptionDetails="" xmlns="http://schemas.microsoft.com/2003/dls/GenericAgentStatus.xsd">
    0BE8 10E4 06/14 18:00:03.425 07 AMUtil_expanded.cs(3474)  BF90214B-F6C3-40B9-B53E-C6DC0A0235DF WARNING     <Parameter Name="servername" Value="la-exchmbclu02.caa.com" />
    0BE8 10E4 06/14 18:00:03.425 07 AMUtil_expanded.cs(3474)  BF90214B-F6C3-40B9-B53E-C6DC0A0235DF WARNING   </ErrorInfo>
    0BE8 10E4 06/14 18:00:03.425 07 AMUtil_expanded.cs(3474)  BF90214B-F6C3-40B9-B53E-C6DC0A0235DF WARNING </Status>].
    0BE8 1194 06/14 18:00:03.426 04 cmdproc.cpp(2017) [000000001A62B200] C79F322F-BCB7-40BE-92D2-03D6E85EAAA5 WARNING Failed: Hr: = [0x80070005] : F: lVal : hr
    0BE8 1194 06/14 18:00:03.426 04 cmdproc.cpp(1816) [000000001A62B200] C79F322F-BCB7-40BE-92D2-03D6E85EAAA5 WARNING Failed: Hr: = [0x80070005] : C: lVal : hr
    0BE8 1194 06/14 18:00:03.426 04 cmdproc.cpp(2242) [000000001A62B200] C79F322F-BCB7-40BE-92D2-03D6E85EAAA5 WARNING Failed: Hr: = [0x80070005] : F: lVal : CreateInstance( strCmdTarget, clsidTarget, hrDLS, (IUnknown **)&pAgentCommand, (pCommand->GetSenderToken() == 0), pCommand->IsNonDomainAgent(), fIsNonADMachine, cmdTargetIP )
    0BE8 1194 06/14 18:00:03.426 04 cmdproc.cpp(2482) [000000001A62B200] C79F322F-BCB7-40BE-92D2-03D6E85EAAA5 WARNING CCommandProcessor::SendOutboundCommand this:[000000001A62B200], ServerName: dc2-01.domain.com
    0BE8 1170 06/14 18:00:03.426 01 TaskInstance.cs(253)   NORMAL Task: Received tiemout message from CmdProc '<?xml version="1.0" encoding="utf-16"?>
    0BE8 1170 06/14 18:00:03.426 01 TaskInstance.cs(253)   NORMAL <TECommand xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/2003/dls/Commands.xsd">
    0BE8 1170 06/14 18:00:03.426 01 TaskInstance.cs(253)   NORMAL   <Command xmlns="http://schemas.microsoft.com/2003/dls/GenericCommand.xsd">
    0BE8 1170 06/14 18:00:03.426 01 TaskInstance.cs(253)   NORMAL     <CommandInstanceID>80be8b52-30e1-4d12-bb3f-65c50676ffce</CommandInstanceID>
    0BE8 1170 06/14 18:00:03.426 01 TaskInstance.cs(253)   NORMAL     <AgentTypeID>da6aa17a-d61c-4e9c-8cea-db25dea52a95</AgentTypeID>
    0BE8 1170 06/14 18:00:03.426 01 TaskInstance.cs(253)   NORMAL     <WorkItemID>c79f322f-bcb7-40be-92d2-03d6e85eaaa5</WorkItemID>
    0BE8 1170 06/14 18:00:03.426 01 TaskInstance.cs(253)   NORMAL     <TETaskInstanceID>c79f322f-bcb7-40be-92d2-03d6e85eaaa5</TETaskInstanceID>
    0BE8 1170 06/14 18:00:03.426 01 TaskInstance.cs(253)   NORMAL     <ServerIdFilter>00000000-0000-0000-0000-000000000000</ServerIdFilter>
    0BE8 1170 06/14 18:00:03.426 01 TaskInstance.cs(253)   NORMAL     <VerbIndexFilter>45</VerbIndexFilter>
    0BE8 1170 06/14 18:00:03.426 01 TaskInstance.cs(253)   NORMAL     <DatasourceIndexFilter>0</DatasourceIndexFilter>
    0BE8 1170 06/14 18:00:03.426 01 TaskInstance.cs(253)   NORMAL   </Command>
    0BE8 1170 06/14 18:00:03.426 01 TaskInstance.cs(253)   NORMAL   <GetProperties />

    Wednesday, June 15, 2011 1:22 AM
  • Hello,

    You are getting access denied.

    errMgs[Access is denied (0x80070005)

    I'd start with the firewall blockage first. Again, just for testing to see if this is the culprit.  If you cannot, then you can enable logging for the integrated firewall (make sure to select to log dropped packets), go to the DPM server and refresh the agent in DPM. Go look at the firewall logs. The firewall logs are easy to read. It will show the dropped packets per IP.

    Make sure that the DC Policy "Deny access to this computer from the network" does not include the DPM Server's machine account, Everyone, Administrators, or Authenticated Users as these will prevent the DPM Server from connecting.

    Make sure that the DC Policy "Access this computer from the network" includes the <DPM Server Machine Account> account and\or "Authenticated Users"

    Thanks
    Shane

    Wednesday, June 15, 2011 1:37 PM
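
One way to answer "which failures relate to the DC" in an excerpt like the one above, as an added example that is not part of the original thread: group MSDPMCurr.errlog lines by the task GUID column (the same value the XML reports as TETaskInstanceID), attach each task to the server it names, and decode the failing HRESULT. The column layout is inferred from the posted lines only, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: four lines taken from the excerpt posted above.
SAMPLE = """\
0BE8 10E4 06/14 18:00:03.425 07 AMUtil_expanded.cs(3474)  BF90214B-F6C3-40B9-B53E-C6DC0A0235DF WARNING CheckTimeoutMessage: code[0x00000101], detailedCode[0x80070005], errMgs[Access is denied (0x80070005)]
0BE8 10E4 06/14 18:00:03.425 07 AMUtil_expanded.cs(3474)  BF90214B-F6C3-40B9-B53E-C6DC0A0235DF WARNING     <Parameter Name="servername" Value="la-exchmbclu02.caa.com" />
0BE8 1194 06/14 18:00:03.426 04 cmdproc.cpp(2017) [000000001A62B200] C79F322F-BCB7-40BE-92D2-03D6E85EAAA5 WARNING Failed: Hr: = [0x80070005] : F: lVal : hr
0BE8 1194 06/14 18:00:03.426 04 cmdproc.cpp(2482) [000000001A62B200] C79F322F-BCB7-40BE-92D2-03D6E85EAAA5 WARNING CCommandProcessor::SendOutboundCommand this:[000000001A62B200], ServerName: dc2-01.domain.com
"""

TASK = re.compile(r"\b[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\b")
HEX = re.compile(r"0x([0-9A-Fa-f]{8})\b")
SERVER = re.compile(r'ServerName:\s*(\S+)|Name="servername" Value="([^"]+)"')

def decode_hresult(value):
    """Split a 32-bit HRESULT into (failed, facility, code)."""
    value &= 0xFFFFFFFF  # also accepts the signed form, e.g. -2147024891
    return bool(value >> 31), (value >> 16) & 0x1FFF, value & 0xFFFF

def failures_by_server(text):
    """Map server name -> {task GUID: set of failing HRESULT strings}."""
    servers, codes = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        m = TASK.search(line)  # first GUID on the line is the task column
        if not m:
            continue
        task = m.group(0).upper()
        for h in HEX.findall(line):
            if int(h, 16) & 0x80000000:  # keep failures (severity bit set)
                codes[task].add("0x" + h.upper())
        s = SERVER.search(line)
        if s:
            servers[task].add((s.group(1) or s.group(2)).lower())
    out = {}
    for task, names in servers.items():
        for name in names:
            out.setdefault(name, {})[task] = codes[task]
    return out

if __name__ == "__main__":
    for server, tasks in failures_by_server(SAMPLE).items():
        for task, hrs in tasks.items():
            print(server, task, [(h, decode_hresult(int(h, 16))) for h in sorted(hrs)])
```

Facility 7 with code 5 is the Win32 error ERROR_ACCESS_DENIED, and the StatusCode="-2147024891" in the XML is the same value printed as a signed integer.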
  • Hey Shane, so far I verified that there were no items listed in the "Deny Access GPO". Also, we added the DPM server machine account to the "Access this computer from the network" GPO, but that did not work.

    I've enabled the firewall logging on the Domain tab on the Domain Controller. I also only specified to have the dropped packets log, but at this point, the log file isn't filling up. Should the public and private tabs be enabled as well? My dpm server is part of the same domain my DC is in.

    Wednesday, June 15, 2011 11:19 PM
  • Hello,

    What is the exact error that you see?  Please paste it in this forum.

    Whichever firewall profile is enabled is the profile on which I'd enable firewall logging.  In other words, if you have all three profiles enabled, I'd turn on the firewall logging for all three.
    You may have seen this before as I usually post the tests below for connectivity.

    From protected server to the DPM server
     ********************************
     ping <protected server name>  <---succeed or fail
     net view \\<protected server name>  <---succeed or fail
     Sc \\<protected server name> query  <---succeed or fail
     Wmic /node:"<protected server name>" OS list brief   <---succeed or fail

    From the DPM server to the protected server
     ************************************
     ping <protected server name> <---succeed or fail
     net view \\<protected server name> <---succeed or fail
     Sc \\<protected server name> query <---succeed or fail
     Wmic /node:"<protected server name>" OS list brief <---succeed or fail


    Thanks,
    Shane

    Thursday, June 16, 2011 3:45 PM
  • The actual error in the DPM console is as seen below:

    Protection agent version: 3.0.7696.0
    Error: Data Protection Manager Error ID: 270
     The agent operation failed on domain.controller.com because DPM could not communicate with the DPM protection agent. The computer may be protected by another DPM server, or the protection agent may have been uninstalled on the protected computer.
    If domain.controller.com is a workgroup server, the password for the DPM user account could have been changed or may have expired.
    Recommended action: Check the following to troubleshoot this issue:
    1) If the agent is not installed on domain.controller.com, run DpmAgentInstaller.exe with this DPM computer as a parameter. For details, see the DPM Deployment Guide.
    2) To attach the computer correctly to this DPM server, run the SetDpmServer tool on the protected computer.
    3) If the computer is protected by another DPM server, or if the protection agent has been uninstalled, remove the protected data sources on this computer from active protection. Then, remove the entry of this computer from the Agents tab in the Management task area.
    4) If domain.controller.com is a workgroup server, run SetDpmServer with the -UpdatePassword flag on the protected computer and Update-NonDomainServerInfo.ps1 on the DPM server to update the password.
    5) If the DPM server and the protected computer are not in the same domain, ensure that there is a two-way trust setup between the two domains.
     If the computer is protected by another DPM server, or if the protection agent has been uninstalled, you can remove the record of the computer from this DPM server.
     Remove the record of the computer from this DPM server.

    Ping and Net View commands from DPM server to domain controller are successful.

    SC and WMIC commands from DPM server to domain controller fail:

    [SC] OpenSCManager FAILED 5: Access is denied

    [WMIC] Node - domain.controller.com ; Error: Discription = Access is denied

    I haven't had access to run the commands from the domain controller to DPM server just yet.
    • Edited by John Hab Thursday, June 16, 2011 7:39 PM added text
    • Proposed as answer by ShaneB. _ Tuesday, July 05, 2011 5:17 PM
    Thursday, June 16, 2011 7:36 PM
  • Hello,

    From this point, I'd look at the firewall logs on the DC.  On the DC go to C:\Windows\System32\LogFiles\Firewall and open up the log in notepad. This link will help you determine if there is any blockage caused by the firewall at that time.

    - Step 5: Viewing the Firewall Log
    http://technet.microsoft.com/en-us/library/cc753781(WS.10).aspx

     

    Thanks,
    Shane

    Tuesday, July 05, 2011 5:22 PM
  • Hello,

    “housekeeping- closing old post. Open a new post if you still have a need.”
    no response.


    Thanks,
    Shane
    Wednesday, January 18, 2012 9:36 PM
  • 1) Try disabling the firewall on the domain controller to be sure. If communication with the agent appears, then the problem is clearly in the firewall.
    To prescribe the necessary exceptions, you must (if the firewall of) do SetDpmServer.exe -dpmServerName

    2) Try manually installing VC++Redist on the protected server: C:\Program Files\Microsoft System Center 2012\DPM\DPM\ProtectionAgents\AC\4.2.1205.0\amd64\vcredist2010_x64.exe

    3)

    On the domain controller where you've done a manual install and the DPM server is throwing a 270 error trying to communicate with it check the following.

    Ensure that Authenticated Users is in the Builtin -> Users group. That group should have Authenticated Users, Domain Users, and INTERACTIVE as members.

    http://social.technet.microsoft.com/Forums/en-US/c1beb170-4e2d-4169-826a-5606dc0b8b92/dpm-2010-agent-installation-on-domain-controller?forum=dpmsetup


    Have a nice day !!!

    Thursday, March 06, 2014 5:55 AM