Trouble Backing up an Untrusted Domain Server which is a DC

  • Question

  • I've tried to install a DPM agent on an "Untrusted Domain Machine" which is a DC and DNS server to a totally separate network (itself).

    The installation goes perfectly fine and I can set the DPM server just fine (using see below) and I can add the server agent on the DPM server again just fine. But it won't let me back up?

    Client:

    SetDpmServer.exe -dpmServerName DPM01 -isNonDomainServer -userName dpm01agent 

    DPM:

    Attach-NonDomainServer.ps1 -DPMServername DPM01 -PSName SERVER01 -Username dpm01agent

    Both of these commands execute just fine, however I then get this error on the DPM Server;

     

    Protection agent version:	3.0.7696.0
    Error:	Data Protection Manager Error ID: 316
    	The protection agent operation on server01 failed because the service did not respond.
    Detailed error code:	Internal error code: 0x8099090E
    Recommended action:	If you recently installed a protection agent on server01, the computer may be restarting. Wait a few minutes after restarting the computer for the protection agent to become available. Otherwise, troubleshoot the problem as follows:
    1) Check the recent records from the DPMRA source in the Application Event Log on server01 to find out why the agent failed to respond.
    
    
    2) Verify that the DPM server is remotely accessible from server01.
    
    
    3) If a firewall is enabled on the DPM server, verify that it is not blocking requests from server01.
    
    
    4) If server01 is a workgroup computer configured to use NETBIOS, ensure that the NETBIOS name of the DPM server is accessible from server01. Otherwise verify that the DNS name is remotely acessible. 
    
    
    5) If server01 is a workgroup server, ensure that the DPM server has an IPSEC exception to allow communication from workgroup servers.
    
    
    6) If server01 is a workgroup server the password for the DPM user accounts could have been changed or may have expired. To resolve this error, run SetDpmServer with the -UpdatePassword flag on the protected computer and Update-NonDomainServerInfo.ps1 on the DPM server.
    
    
    7) Restart the DPM Protection Agent service on server01. If the service fails to start, reinstall the DPM protection agent.
    


    and this on the client machine,

    Event Type:	Error
    Event Source:	DPMRA
    Event Category:	None
    Event ID:	84
    Date:		31/08/2011
    Time:		14:35:19
    User:		NT AUTHORITY\SYSTEM
    Computer:	SERVER01
    Description:
    A DPM agent failed to communicate with the DPM service on DPM01 because access is denied. Make sure that DPM01 has DCOM launch and access permissions for the computer running the DPM agent (Error code: 0x80070005, full name: DPM01).
    
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    So to dig a little deeper, I can ping from both sides, I can view shares from both sides, I can see the services (via service control) on both sides and I get a result back from WMI/DCOM on both sides and they are in the same subnet (all suggested in this thread, ShaneB: http://social.technet.microsoft.com/Forums/en-US/dpmsetup/thread/a6b29788-a30d-4865-9fce-da4d0e017845/)

    So I read here (http://social.technet.microsoft.com/Forums/en-US/dpmworkgroupbackup/thread/537dc700-3792-4321-b2c0-6707697c1d0b/) 

    "If you use the NetBIOS name of the DPM server in the SetDPMServer command, you also must use the NetBIOS for the protected computer when you attach the computer. This also applies if you use the fully qualified domain name (FQDN) of the DPM server."
    
    I was using the GUI, which doesn't have an option to specify the DPM server name. So I removed the server from DPM, un-installed and re-installed the agent, and then re-added it using the PowerShell script and the FQDN of the DPM server and voilà - it works. The GUI must use the NetBIOS name of the DPM server and the SPN for delegation probably used the FQDN that I entered on the command line for SetDpmServer which wouldn't match (one would be DPM07 and the other DPM07.orcsweb.com).

    So I tried the following after uninstalling and re-installing

    Client:

    SetDpmServer.exe -dpmServerName DPM01.DOMAIN1 -isNonDomainServer -userName dpm01agent -productionServerDnsSuffix SERVER01.DOMAIN2

    This just doesn't work and fails every time. Now when I ping from the DPM server it says pinging server01.domain1 and not pinging server01.domain2 like it should.

    any ideas please :)

     

    Thanks 

     

     

    Wednesday, August 31, 2011 2:27 PM

All replies

  • Hi,

     

    If you made no mistake in your description, could you please try changing SetDpmServer to

    SetDpmServer.exe -dpmServerName DPM01.DOMAIN1 -isNonDomainServer -userName dpm01agent -productionServerDnsSuffix DOMAIN2

     

    It means I removed SERVER01. from your command.

    Of course you have to properly resolve FQDN from both sides.


    Martin
    • Edited by MartinDZ Thursday, September 1, 2011 8:47 AM
    Wednesday, August 31, 2011 5:21 PM
  • I don't know if this makes any difference but on an ipconfig /all performed on the client side I get this

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : SERVER01
       Primary Dns Suffix  . . . . . . . : DOMAIN2
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : DOMAIN1

     

    Can you please expand further on this (see below) as I'm still getting to grips with this :)

    Quote:

    "it means you have to remove SERVER01. and of course you have to properly resolve FQDN from both sides."

     

    Thursday, September 1, 2011 8:37 AM
  • I edited my 1st reply to get rid of possible confusion, and below you can find the rest.

     

    "of course you have to properly resolve FQDN from both sides"

    from client

    ping DPM01.Domain1

     

    from DPM server

    ping SERVER01.DOMAIN2

     

    Is it OK? If not, probably your networking infrastructure is not completely set. And you can use the hosts file instead (located at C:\Windows\System32\drivers\etc).


    Martin
    Thursday, September 1, 2011 9:33 AM
  • Thanks very much I will give that a try
    Thursday, September 1, 2011 11:53 AM
  • I gave up on the issue and dropped the PC and added it to the primary domain, thanks though 
    Friday, November 4, 2011 11:29 AM
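
Added example (not part of the thread and not DPM's own tooling): a PowerShell check for the two points raised above, namely that the DPM server and the protected computer are named in the same form (both NetBIOS or both FQDN) and that each name resolves from the machine it is run on. DPM01.DOMAIN1 and SERVER01.DOMAIN2 are the thread's placeholder names; the function names and the sample hosts lines are constructed for illustration.

```powershell
# Added example. Names are the thread's placeholders; hosts lines are constructed.
function Get-HostsEntry {
    param([string[]]$Lines, [string]$Name)
    foreach ($line in $Lines) {
        $text = ($line -split '#')[0].Trim()          # strip comments
        if (-not $text) { continue }
        $fields = @($text -split '\s+')
        # First field is the address, the rest are names (match is case-insensitive)
        if (@($fields | Select-Object -Skip 1) -contains $Name) { return $fields[0] }
    }
    return $null
}

function Test-DpmName {
    param([string]$Name,
          [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts")
    $form = if ($Name.Contains('.')) { 'FQDN' } else { 'NetBIOS' }
    $hostsIp = $null
    if (Test-Path $HostsPath) {
        $hostsIp = Get-HostsEntry -Lines (Get-Content $HostsPath) -Name $Name
    }
    $resolved = @()
    try {
        $resolved = @([System.Net.Dns]::GetHostAddresses($Name) |
                      ForEach-Object { $_.IPAddressToString })
    } catch { }                                        # unresolved: list stays empty
    New-Object PSObject -Property @{
        Name = $Name; Form = $form; HostsEntry = $hostsIp
        Resolved = ($resolved -join ', ')
    }
}

function Test-DpmNamePair {
    param([string]$DpmServerName, [string]$ProtectedName)
    $pair = @((Test-DpmName $DpmServerName), (Test-DpmName $ProtectedName))
    if ($pair[0].Form -ne $pair[1].Form) {
        Write-Warning "Name forms differ: use NetBIOS for both or FQDN for both."
    }
    foreach ($p in $pair) {
        if (-not $p.Resolved) { Write-Warning "$($p.Name) does not resolve from this machine." }
    }
    $pair
}

# Constructed hosts content, parsed offline
$sample = '# constructed sample', '192.0.2.10  DPM01.DOMAIN1  # DPM server', '192.0.2.20 SERVER01.DOMAIN2'
Get-HostsEntry -Lines $sample -Name 'server01.domain2'

# Run on both the DPM server and the protected computer
Test-DpmNamePair -DpmServerName 'DPM01.DOMAIN1' -ProtectedName 'SERVER01.DOMAIN2'
```

The `Resolved` column comes from the operating system resolver, which also consults the hosts file; `HostsEntry` shows whether a static entry exists for that exact name.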