Unable to attach non-domain server to DPM 2010

  • Question

  • I have run into an error when adding a non-domain server into my DPM 2010 setup.  I have DPM set up and successfully backing up systems on the domain (one.domain.com), but when I try to add a Windows 2008 server on another domain (two.domain.com) it rejects the attach command.

    Since the server is not on the same domain I knew I needed to manually install the agent.  I ran the installer with no DPM server name passed to it and the installation ran with no errors.  I restarted the server to make sure everything was completed from the agent installation.  Next I started a Command Prompt and ran the SetDpmServer command to tell the agent where to find the server.  The command I used is:

    SetDpmServer -dpmServerName dpm-backup.one.domain.com -isNonDomainServer -userName dpmagent

    The command prompts me for a password which I provide and returns the message "Configuration completed successfully!!!"

    On the DPM server I have tried both the GUI and Management Shell methods to attach a non-trusted computer.  When using the GUI I have entered the computer name as servername.two.domain.com and entered dpmagent for the username.  When I attempt the attach I get the following error:

    Attach protected computer servername.two.domain.com failed:
    Error 32680: The credentials specified for server servername.two.domain.com are invalid.
    Recommended action: Rerun the operation with the same credentials that were provided when running SetDpmServer for the target server.

    I have also tried via the Management Shell using the command:

    Attach-NonDomainServer.ps1 -DPMServerName dpm-backup -PSName servername.two.domain.com -UserName dpmagent -Password XXXXXXXXX

    When the command is run I get the error:

    The credentials specified for server servername.two.domain.com are invalid.  Rerun the operation with the same credentials that were provided when running SetDpmServer for the target server.

    So both ways are saying I am not using the same username and password, but I know I am entering the exact same information that I used when I set up the target server.  I saw some references to the LAN Manager authentication level being different and causing this issue, so I checked.  Both servers are showing the same setting (Send NTLMv2 response only. Refuse LM).

    Any suggestions on where to go next to get this server attached to DPM?

    Thanks!
    Eric

    UF, Dept of Medicine
    Thursday, November 4, 2010 7:16 PM

Answers

  • I am glad it started working for you. Please propose an answer to this thread. And let us know if you need further assistance!

    /Steve


    Steve L [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.
    Thursday, November 11, 2010 11:02 AM
    Moderator

All replies

  • Eric,

    Check the protected server to see if DCOM is enabled. Check HKLM\Software\Microsoft\Ole and see what EnableDCOM is set to. It needs to be Y. If it is not present or set to N, change it to Y and try the attach wizard.

    /Steve


    Steve L [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, November 5, 2010 9:54 AM
    Moderator
  • The EnableDCOM was set to Y when I checked.
    UF, Dept of Medicine
    Friday, November 5, 2010 2:54 PM
  • I re-read your example scenario. You have used two domains that are not trusted. These were one.domain.com and two.domain.com. I know these are sample names but in reality do both the domains, one and two, have the same forest suffix of domain.com?

    /Steve


    Steve L [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.
    Saturday, November 6, 2010 1:31 AM
    Moderator
  • Yes, but they are completely separate with no trust between them. We are in the process of migration to one domain but I need to be able to back up systems from both until this migration is complete (which won't be until mid 2011).
    UF, Dept of Medicine
    Monday, November 8, 2010 3:15 PM
  • Eric,

    Let me make sure I have this. You have two untrusted domains but they do have the same domain suffix. Is this correct?

    Also, on the DPM server side, is there a domain in its forest that has the same NetBIOS domain name as the untrusted domain?

    /Steve


    Steve L [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, November 8, 2010 3:20 PM
    Moderator
  • Yes.  Domain 1 is ad.dept.domain.com and Domain 2 is ad.domain.com.  The first one was created before there was a centralized AD presence.  Now that there is one we are migrating into it, but because of how it has been set up there is no two-way trust between them.

    The NetBIOS name for the server in the untrusted name has been entered into the DNS on the old system so it can be reached by any of these addresses: server.ad.dept.domain.com, server.dept.domain.com or server.ad.domain.com.  When I look at the System properties on the server it is showing its "Full computer name" as server.ad.domain.com.


    UF, Dept of Medicine
    Monday, November 8, 2010 3:29 PM
  • Eric,

    Thanks for the additional information. We may be hitting an issue that is being investigated by DPM dev. If you try to protect an untrusted domain controller who happens to have the same NetBIOS domain name that the DPM server's forest knows about we have issues.

    One work-around (not one I care for) is to create an account in the DPM server's forest, in the domain that is the same as the untrusted one. Give this account the same name and password as the account being created on the DPM server and protected server.

    See this thread for details: http://social.technet.microsoft.com/Forums/en-US/dpmworkgroupbackup/thread/93877d20-b1a9-4637-ae03-59dcc31443f0.

    Let me know how this fits your scenario.

    /Steve


    Steve L [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, November 8, 2010 3:36 PM
    Moderator
  • I have gone through and created a domain account in both domains with the same user name and password.  I have then run the SetDPMServer command on the protected server to assign the DPM server name and the local user account with the same name and password as the domain accounts.  But when I run the attach command (via GUI or PS) on the DPM server, it still fails with the credentials error.

    The situation sounded close to my setup with the two domains, but it appears this workaround did not work for me.


    UF, Dept of Medicine
    Monday, November 8, 2010 8:16 PM
  • Eric,

    Did you place the account from the domain in the DPM server's local groups as the workaround indicated?

    /Steve


    Steve L [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, November 8, 2010 8:26 PM
    Moderator
  • Yes I placed the account in the 3 groups.  I tried the attach and it failed, then thinking it could be an issue with the permissions not taking immediately I restarted the DPM server and tried again and still won't attach the server.

    UF, Dept of Medicine
    Monday, November 8, 2010 8:30 PM
  • Is the server you are trying to protect a domain controller?

    /Steve


    Steve L [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, November 9, 2010 11:11 AM
    Moderator
  • No, it's just a member server being used for file services.

    Eric


    UF, Dept of Medicine
    Tuesday, November 9, 2010 3:11 PM
  • Eric,

    I would suspect the scenario with the same NetBIOS domain name problem if we were protecting a DC. I would not expect a member server to hit this.

    On the protected server are you able to start/stop the DPMRA service? If so let's continue to the next test.

    Since you already have the user account created locally on the DPM server and protected server (ignore the domain account for now) we need to tweak one thing. Before we test remote WMI connectivity we need to make the local DPM account created for this protected server a local administrator on the DPM server and the protected server.

    Let's test various connectivity between the DPM server and protected server. We'll need to test basic connectivity, SMB, RPC, and WMI/DCOM.

    The commands below need to be run from an administrative command prompt. It is a good idea to test from both the DPM server and the protected server. The account used should be an administrative account on both servers.

    Basic connectivity is tested by using ping. If ICMP traffic is blocked ping commands will fail but that is OK.
      ping <protected server name>

    Next test SMB (file sharing).
      net view \\<protected server name>

    Now test RPC and connectivity to Service Control Manager (SCM). This displays a list of services on the remote server when successful.
      Sc \\<protected server name> query

    Lastly test WMI/DCOM. When successful this command lists some basic information about the remote server.
      Wmic /node:"<protected server name>" OS list brief

    If any of the tests after ping fail that may be where the problem is.

    /Steve


    Steve L [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, November 9, 2010 3:27 PM
    Moderator
  • I am able to start/stop the DPMRA service on the protected server with no errors.

    I added the local account into the Administrators group on the protected server, but I can't create a local account by the same name on the DPM server because that causes the agent attach to fail with a non unique account message.

    Test Results:

    ping <protected server>

    This worked and returned the correct IP address.  I then tried pinging the DPM server from the protected server and it worked as well.  I did have to use the servername.domain.com version of the name to reach it, not just servername since they are in different domains.

    net view \\<protected server name>

    This failed with "System error 5 has occurred." and "Access is denied".  I saw no way to pass a username/password for this command.  If I use an Explorer window and attempt to access \\servername.domain.com\ I get the login prompt and can give it the local account that I created and I am able to see the shares on the server.

    sc \\<protected server name> query

    This failed with "OpenSCmanager FAILED 5: Access is denied."

    Wmic /node:"<protected server name>" OS list brief

    Failed with error code 0x80070005, Access is denied.


    UF, Dept of Medicine
    Tuesday, November 9, 2010 5:00 PM
  • Eric,

    In your elevated command prompt you may map a drive to the remote server and pass the credentials there. That might give us the authenticated connection to run the other commands (not 100% on that).

    net use * \\server\c$ /user:machinename\useracct * /persistent:no

    The above should prompt you for the password and not retain the drive mapping. Try mapping the drive then test the commands.

    /Steve


    Steve L [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, November 9, 2010 5:55 PM
    Moderator
  • Ok things are working.  What changed I have no idea.  I was trying the command line net use yesterday afternoon and it wasn't working so I gave up on things for the day.  This morning I moved onto another project of installing the TSM client on the DPM server to get offsite backups working and after installing the TSM client  I went back to DPM and tried adding the agent and it worked.

    I am going to sit down next week and look over things further to see if I can figure out what exactly changed to allow it to work, but for the moment getting a full backup of the server is more important.

    Thank you for your assistance!

    Eric


    UF, Dept of Medicine
    Wednesday, November 10, 2010 7:58 PM
  • Closing the thread as the issue seems to be resolved.
    Thanks, Praveen D [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.
    Saturday, November 20, 2010 6:07 PM
  • Had the same issue for three days, finally figured it out.

    There was a time difference of 16 minutes between the DPM server (correct time) and the target (wrong time). I didn't spot it for 3 days, until I noticed a W32time event in the System logs. So anyone having this issue, check your time on both servers.

    Monday, July 3, 2017 12:36 PM
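
The four connectivity checks from Steve's November 9 reply, run with explicit credentials, together with the clock comparison from the last reply, as one script. This is an added example and not part of the thread; it assumes Windows PowerShell 2.0 or later in a console session on the DPM server, the parameter defaults reuse the thread's sample names, and `$MaxSkewSeconds` is an assumed threshold.

```powershell
# Added example, not from the thread. Run from an elevated Windows PowerShell
# prompt on the DPM server. Defaults reuse the thread's sample names.
param(
    [string]$Target  = 'servername.two.domain.com',  # protected server
    [string]$Account = 'servername\dpmagent',        # local account on that server
    [int]$MaxSkewSeconds = 60                        # assumed threshold, not from the thread
)

function Report([string]$Check, [bool]$Ok, [string]$Detail) {
    New-Object PSObject -Property @{ Check = $Check; Ok = $Ok; Detail = $Detail }
}
$results = @()

# 1. Basic connectivity. A failure is informational: ICMP may simply be blocked.
$ping = Test-Connection -ComputerName $Target -Count 2 -Quiet
$results += Report 'ping' $ping 'failure is acceptable if ICMP is blocked'

# 2. SMB. The * makes net use prompt for the password, so it never lands on a
#    command line or in shell history.
$share = "\\$Target\IPC`$"
net.exe use $share "/user:$Account" * /persistent:no
$smbOk = ($LASTEXITCODE -eq 0)
$results += Report 'SMB (net use)' $smbOk "exit code $LASTEXITCODE"

# 3. RPC / Service Control Manager. sc.exe has no credential switch, so this
#    step depends on the session opened in step 2. Call sc.exe explicitly:
#    in PowerShell, "sc" alone is an alias for Set-Content.
sc.exe "\\$Target" query | Out-Null
$results += Report 'SCM (sc query)' ($LASTEXITCODE -eq 0) "exit code $LASTEXITCODE"

# 4. WMI/DCOM with explicit credentials (second password prompt). The same
#    query returns the remote clock, converted to local time for comparison.
$cred = Get-Credential $Account
try {
    $os = Get-WmiObject Win32_OperatingSystem -ComputerName $Target `
        -Credential $cred -ErrorAction Stop
    $results += Report 'WMI/DCOM' $true $os.Caption
    $skew = [math]::Round(($os.ConvertToDateTime($os.LocalDateTime) - (Get-Date)).TotalSeconds)
    $results += Report 'clock skew' ([math]::Abs($skew) -le $MaxSkewSeconds) "$skew s, remote minus local"
} catch {
    $results += Report 'WMI/DCOM' $false $_.Exception.Message
}

if ($smbOk) { net.exe use $share /delete | Out-Null }   # drop the test session
$results | Format-Table Check, Ok, Detail -AutoSize
```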