How to attach agent with unusual AD and DNS setup?

  • Question

  • I am trying to configure DPM for a client, which is a university department. They have a somewhat unusual setup of their AD and DNS and I think that is why I am having trouble attaching an agent I have installed.

    It is a new installation of DPM 2012 R2 version 4.2.1292.0 with a local SQL Server 2012 SP2. The OS is Windows Server 2012 R2. It is going to protect a bunch of SQL Server databases all on the same Windows Server 2012 R2 server. The SQL Server is a physical server and the DPM server is a hyper-v VM, running on a Windows Server 2012 R2 host.

    The install of DPM itself went smoothly.

    To install the agent on the SQL Server machine, I followed the instructions here: https://technet.microsoft.com/en-us/library/hh758186.aspx#BKMK_Manual. This was successful (I think).

    Then I proceeded with these instructions to attach the agent: https://technet.microsoft.com/en-us/library/hh757916.aspx

    This fails at the enter credentials stage with this message:

    DPM could not connect to the service control manager on these servers: [SqlMachinename].win.[universityname].dk (ID: 33221)

    As far as I can tell, the problem has to do with how the university manages Windows AD domains and DNS lookup.

    The university uses one common AD domain named win.[universityname].dk for the entire campus, but it looks like DNS names for individual Windows machines are managed locally at individual departments.

    Ipconfig says this (abbreviated) for the SQL Server where I installed the agent:

    Host Name . . . . . . . . . . . . : [SqlMachinename]
    Primary Dns Suffix  . . . . . . . : win.[universityname].dk
    DNS Suffix Search List. . . . . . : win.[universityname].dk
                                                  [departmentname].[universityname].dk
    Ethernet adapter T2:
       Connection-specific DNS Suffix  . : [departmentname].[universityname].dk
       DHCP Enabled. . . . . . . . . . . : Yes

    This works from the DPM machine and shows the correct IP:

    ping [SqlMachinename]

    This works from the DPM machine and shows the correct IP:

    ping [SqlMachinename].[departmentname].[universityname].dk

    This fails from the DPM machine ("could not find host") and does not get an IP:

    ping [SqlMachinename].win.[universityname].dk

    I've used Message Analyzer to verify that when pinging just [SqlMachinename], DNS in fact first tries to append win.[universityname].dk, which fails, and second [departmentname].[universityname].dk, which then succeeds. This is by the book, as I understand it, because of the DNS Suffix Search List or because of the connection-specific DNS suffix.

    The problem is that DPM only tries [SqlMachinename].win.[universityname].dk. I have verified this with Message Analyzer.

    I am not sure how to proceed. Is there another way to attach the agent? Maybe by IP-address?

    I cannot ask the client to put [SqlMachinename].win.[universityname].dk in their DNS database. I am sure that they do not register any individual machines in that DNS domain which cuts across the entire campus. I am equally sure that they will not consider creating individual AD domains for each department just because I ask (although that would probably be best in the long run).

    Any suggestions would be very much appreciated.


    • Edited by ThomasIsr Saturday, February 21, 2015 10:17 PM
    Saturday, February 21, 2015 10:14 PM

Answers

  • Found a workaround:

    I can install and attach the agent using one of the methods designed for agents in workgroups or untrusted domains. For me NTLM worked fine as long as I used simple NetBIOS computer names without any domain suffixes.

    This is what worked:

    On protected server:

    SetDpmServer.exe -dpmServerName DPMServername -isNonDomainServer -userName DpmNtlmAccount

    On DPM Server:

    Attach-NonDomainServer.ps1 -DPMServername DpmServername -PSName servername -Username DpmNtlmAccount -Password xxxxx

    I still think it is weird that DPM insists that protected servers in the same AD domain must use the AD domain name in their DNS name. Very inflexible.

    • Marked as answer by ThomasIsr Wednesday, February 25, 2015 9:25 PM
    Wednesday, February 25, 2015 9:25 PM
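
The name-resolution mismatch described in the question can be checked from the DPM server before an attach is attempted. This is an added example, not part of the original thread: `SQL01` is a constructed placeholder for the protected server's short name, and the script assumes the DPM server and the protected server share the same primary DNS suffix (the AD domain name).

```powershell
# Added example, not from the thread. Run on the DPM server.
# 'SQL01' is a constructed placeholder for the protected server's short name.
param(
    [string]$ShortName = 'SQL01'
)

# Primary DNS suffix of this machine; for a domain member this is the AD domain name.
$tcpip = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$primarySuffix = $tcpip.Domain

# Suffixes the resolver may append to a short name: an explicitly configured
# search list plus each adapter's connection-specific suffix.
$searchList = @((Get-DnsClientGlobalSetting).SuffixSearchList)
$adapterSuffixes = @((Get-DnsClient).ConnectionSpecificSuffix)

# Primary suffix first, then the rest; drop empty entries and duplicates.
$suffixes = (@($primarySuffix) + $searchList + $adapterSuffixes) |
    Where-Object { $_ } |
    Select-Object -Unique

# Resolve every candidate FQDN against DNS only (no NetBIOS or LLMNR fallback).
$results = foreach ($suffix in $suffixes) {
    $fqdn = "$ShortName.$suffix"
    $answer = Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name           = $fqdn
        IsAdDomainName = ($suffix -eq $primarySuffix)
        Resolves       = [bool]$answer
        Addresses      = ($answer | Where-Object { $_.Type -eq 'A' }).IPAddress -join ', '
    }
}
$results | Format-Table -AutoSize

# The situation from the question: the name under the AD domain does not
# resolve, while the same host resolves under another suffix.
$adName = $results | Where-Object { $_.IsAdDomainName }
$others = $results | Where-Object { $_.Resolves -and -not $_.IsAdDomainName }
if ($adName -and -not $adName.Resolves -and $others) {
    Write-Warning ("{0} does not resolve, but {1} does. A domain-style attach that uses only the AD domain name will not reach this host." -f $adName.Name, ($others.Name -join ', '))
}
```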