Can't install DPM 2010 agent on any Windows R2 domain controller in the domain

  • Question

  • the error message is

    Install protection agent on JDC01.UBT.EDU.SA failed:

    Error 337: You cannot install the protection agent on JDC01.UBT.EDU.SA because access to the computer has been denied.

    Recommended action: Do the following to troubleshoot this issue:

    1) If another DPM server is currently protecting JDC01.UBT.EDU.SA use that DPM server to uninstall the protection agent from JDC01.UBT.EDU.SA. Then, use this DPM server to install the protection agent on JDC01.UBT.EDU.SA.

    2) Verify that the time on the DPM server and the selected computer is synchronized with the domain controller. At a command prompt, type "net time /set" to synchronize the time with the domain controller.

    3) If the computer is a domain controller, verify that the primary domain controller (the PDC Emulator) is running Windows Server 2003 with Service Pack 1 (SP1), and that Active Directory has completed replication between the domain controllers since the Windows Server 2003 SP1 installation.

     

     

     

    I tried a manual installation, which also completes, but when attaching the DC it shows an "error communicating with the agent" message.

    The error message is:

    "The agent may be reporting to another DPM or access denied". Please help, SOS.


    • Moved by Nicholas Li Friday, January 21, 2011 9:10 AM (From:System Center Essentials - Software Deployment)
    Thursday, January 20, 2011 9:51 AM

Answers

  • I have the same error, but I use this solution (see below):

    On the domain controller where you've done a manual install check the following:

    Ensure that Authenticated Users is in the Builtin -> Users group. That group should have Authenticated Users, Domain Users, and INTERACTIVE as members.


    sys_admin
    Friday, November 25, 2011 2:10 PM
    Moderator

All replies

  • Hi,

    When you tried the manual install did you run the SetDpmServer command on the protected computer?

    On the domain controller where you've done a manual install check the following:

    Ensure that Authenticated Users is in the Builtin -> Users group. That group should have Authenticated Users, Domain Users, and INTERACTIVE as members.

    Friday, January 21, 2011 1:10 PM
  • Please check this KB:

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;978900

    Resolution for Error ID: 302 and Error ID: 337

    To resolve this issue, run the SetSPN tool and check the Service Principal Names for the server that you cannot push the agent to.

    Note For more information about how to obtain the latest version of the SetSPN tool, click the following article number to view the article in the Microsoft Knowledge Base:

    970536 (http://support.microsoft.com/kb/970536/) Setspn.exe support tool update for Windows Server 2003
    1. Log on as a Domain Administrator.
    2. At a command prompt, type the following command, and then press ENTER:
      setspn -L <Servername>
      Note In this command, the placeholder <Servername> represents the target server that you cannot deploy the DPM agent to.

      The resulting output should resemble the following:
      ~~~~~~~~~~~~~~~~~~~~~~~~~
      Registered ServicePrincipalNames for CN=TARGETSERVER,OU=Member 
      Servers,DC=<Servername>,DC=com:
      SMTPSVC/targetserver.<Servername>
      NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/targetserver.<Servername>
      HOST/targetserver.www.<Incorrect_Servername>/Incorrect_Servername
      HOST/targetserver.www.<Incorrect_Servername>
      exchangeMDB/targetserver.www.<Incorrect_Servername>
      SMTPSVC/targetserver.www.<Incorrect_Servername>
      HOST/targetserver.www.<Incorrect_Servername> /www.<Incorrect_Servername>
      exchangeRFR/targetserver.www.<Incorrect_Servername>
      exchangeRFR/targetserver.<Servername>
      exchangeMDB/targetserver.<Servername>
      exchangeRFR/TARGETSERVER
      exchangeMDB/TARGETSERVER
      SMTPSVC/TARGETSERVER
      HOST/TARGETSERVER
      ~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Notice that all the "HOST/" SPN entries that are listed in the output indicate that the primary DNS is set to <Incorrect_Servername>, not <Servername>. When the agent is being deployed, the DPM server is resolving the name TARGETSERVER.<SERVERNAME>, and this is what is being used to build the SPN that is being requested at the time of agent deployment. However, because the SPNs that are registered for targetserver are for www.<Incorrect_Servername>, the Kerberos connection attempt fails, and an attempt is made to establish an anonymous connection. This may result in an event ID 6033 logged on the Exchange server.
    3. Verify that there are no duplicate SPNs of the target server. At a command prompt, type the following command, and then press ENTER:
      setspn -X
      Examine the output for any duplicates of the desired SPN for the target server.
    4. To make sure that the Host SPNs are registered correctly, type the following commands at a command prompt. Press ENTER after each command.
      setspn -a HOST/targetserver.<Servername> targetserver
      setspn -a HOST/targetserver targetserver
    5. Replicate the changes throughout Active Directory.
    6. Redeploy the DPM protection agent to the affected servers.

    -- Thanks Venkata Praveen[MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.
    Thursday, February 10, 2011 8:45 AM
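
The HOST SPN check from steps 2 and 4 of the KB procedure above, as an added PowerShell example that is not part of the original post or of KB 978900. It assumes the ActiveDirectory module is available; `Test-HostSpn` and the sample names are hypothetical, and the expected FQDN is supplied by you as the name the DPM server resolves for the target.

```powershell
# Added example: compare a computer's registered HOST SPNs with the names
# the DPM server will request during agent deployment.
Import-Module ActiveDirectory

function Test-HostSpn {
    param(
        [Parameter(Mandatory)][string]$ComputerName,  # short name, e.g. TARGETSERVER
        [Parameter(Mandatory)][string]$ExpectedFqdn   # FQDN the DPM server resolves
    )

    $computer = Get-ADComputer -Identity $ComputerName -Properties servicePrincipalName
    $hostSpns = @($computer.servicePrincipalName | Where-Object { $_ -like 'HOST/*' })
    $wanted   = @("HOST/$ComputerName", "HOST/$ExpectedFqdn")

    # 1. The two HOST SPNs that step 4 registers with "setspn -a".
    foreach ($spn in $wanted) {
        [pscustomobject]@{
            Spn    = $spn
            Status = if ($hostSpns -contains $spn) { 'registered' } else { 'missing' }
        }
    }

    # 2. HOST SPNs whose host part is a different name, as in the
    #    <Incorrect_Servername> entries of the sample output.
    foreach ($spn in $hostSpns) {
        $hostPart = ($spn -split '/')[1].Trim()
        if ($hostPart -notin @($ComputerName, $ExpectedFqdn)) {
            [pscustomobject]@{ Spn = $spn; Status = 'unexpected host name' }
        }
    }
}

# Constructed placeholder names; substitute your own.
Test-HostSpn -ComputerName 'TARGETSERVER' -ExpectedFqdn 'targetserver.example.com' |
    Format-Table -AutoSize
```

String comparisons here are case-insensitive, so `HOST/TARGETSERVER` and `HOST/targetserver` count as the same SPN. Duplicate SPNs across different accounts still need the `setspn -X` check from step 3.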
  • I also got this error; until now I don't know how to fix it.

    Same error, Error 337.

    I tried a few machines and all give me the same result. If this has something to do with the domain controller, the DC is beyond my privileges to change anything.

    It is so much trouble; it is a fresh installation of DPM 2010 using Windows Server 2008 64-bit. Microsoft never gives me a smooth experience when it comes to servers.

    How to fix this?


    • Edited by Oneoa Tuesday, September 27, 2011 8:13 PM
    Tuesday, September 27, 2011 8:10 PM
  • *** The fix/info from LEU21 fixed my failing agent installs on my domain controllers (2008 R2) as well.  The built in Users group did not have the Interactive or Authenticated Users as a member.  Once adding them, the Agent installation worked fine.

    THANKS!

    Friday, January 18, 2013 6:09 PM
  • Same problem here with 2x 2008 R2 domain controllers and DPM 2012 R2.

    After adding Authenticated Users to the "Users" group, the installation worked.
    After the installation was finished I removed the Authenticated Users.

    Hope there will be no problems with the backups.

    It seems that only installations on Domain Controllers are affected.

    regards

    Stefan

    Tuesday, March 11, 2014 1:24 PM
  • Just a short Update,

    After the installation of the agent was finished I removed the "Authenticated Users" group from the "Users" group.
    After that the communication between the DPM server and the agent on the DC didn't work.

    After all I figured out a good way:

    Adding the computer object of the DPM server to the "Users" group also fixes the problems without weakening domain security.

    regards

    Stefan

    Wednesday, March 12, 2014 2:18 PM
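
The membership checks discussed in the replies above, as an added PowerShell example that is not part of any post in this thread. It assumes the ActiveDirectory module and read access to the domain; `DPMSERVER01` is a placeholder for the DPM server's computer account. On a domain controller, Builtin\Users is the domain's BUILTIN\Users group (SID S-1-5-32-545).

```powershell
# Added example: report whether BUILTIN\Users contains the principals
# named in this thread, matching by SID rather than by display name.
Import-Module ActiveDirectory

$DpmServer = 'DPMSERVER01'   # assumption: placeholder computer name

$group     = Get-ADGroup -Identity 'S-1-5-32-545' -Properties member
$domainSid = (Get-ADDomain).DomainSID.Value

$expected = [ordered]@{
    'Authenticated Users'     = 'S-1-5-11'
    'INTERACTIVE'             = 'S-1-5-4'
    'Domain Users'            = "$domainSid-513"
    "DPM server ($DpmServer)" = (Get-ADComputer -Identity $DpmServer).SID.Value
}

# Well-known principals are stored as foreignSecurityPrincipal objects,
# so resolve every member DN to its objectSid before comparing.
$memberSids = foreach ($dn in $group.member) {
    (Get-ADObject -Identity $dn -Properties objectSid).objectSid.Value
}

foreach ($name in $expected.Keys) {
    [pscustomobject]@{
        Principal = $name
        Sid       = $expected[$name]
        IsMember  = $memberSids -contains $expected[$name]
    }
}

# The narrower change described in the last reply above: add only the DPM
# server's computer object. -WhatIf previews the change without making it.
Add-ADGroupMember -Identity 'S-1-5-32-545' `
    -Members (Get-ADComputer -Identity $DpmServer) -WhatIf
```

Remove `-WhatIf` only after reviewing the report. The membership change must replicate to the domain controller being protected before the agent install is retried.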
  • Super big up vote for this solution. Worked a treat for me. Except in a slightly different situation. My server that wouldn't install the agent was a demoted domain controller, i.e. it was a domain controller once in its past. I'm guessing that when it was demoted, the Users group wasn't populated the same as a member server. Specifically, Authenticated Users & INTERACTIVE weren't in there. Added them and the agent installed a treat.

    This is also with a newer version of DPM 2012 so the problem persists there as well.

    The clue was in the error message about access denied but it took a while to find this post.

    Saturday, December 31, 2016 3:36 PM