DPM 2010 backup a Win2k8 R2 domain controller

  • Question

  • Does DPM support backing up a Win 2008 R2 domain controller? I installed the DPM agent onto the domain controller without any problem. Ran the SetDpmServer -dpmservername successfully at the domain controller. At the DPM server side, I was also able to attach the domain server.

    However, when it comes to browsing or creating a protection group, it gave me "cannot browse xxxx.local because access is denied. Id:32". At the Management tab, when I highlight the domain controller and click "refresh information", it returned with Error and the detail pane said "Data Protection Error ID: 270, the agent operation failed on xxxx.local because DPM could not communicate with the DPM protection agent..."

    Is there anything I need to set up/configure in order for DPM to back up files on a domain controller? Please help.

    Tuesday, May 31, 2011 3:07 PM

Answers

  • Thanks for your information. It provided great help. Found out that the DPM server is not listed in the Distributed COM Users group, and Authenticated Users is not listed in the builtin Users group. Once I added the server and user to the groups, everything started working. Status returned with "ok" and I can browse and create a protection group.

    Thanks!

    • Marked as answer by TTSE Wednesday, June 1, 2011 5:08 PM
    Wednesday, June 1, 2011 5:08 PM

All replies

  • Hello,

    Most likely you have the integrated firewall turned on on the DC. When you ran the SetDPMserver command it "should have" created all the necessary rules to allow for successful DPM traffic.
    If you have, however, an explicit deny rule, it will take precedence over an allow rule. For testing, turn off the firewall on both the DPM and DC. This is easily done via the command prompt.

    net stop bfe

    This will turn off the base firewall engine including IPsec. Once this is done, refresh the agent in DPM.

    Thanks
    Shane
    Tuesday, May 31, 2011 3:19 PM
  • Hello, Thank you for your information.

    The integrated Windows firewall was already turned off for all profiles (domain, private, public). And I believe the SetDpmServer command also created a rule within the Windows firewall, which it named DPMRA_DCOM_135, to open 135 for all traffic.

    Since it is a W2k8 R2 domain controller, will there be any adverse effect from stopping the BFE? I know that I am not using Internet Connection Sharing (ICS), not using Routing and Remote Access, and the Windows firewall is already off. But I am not sure about IPsec or IKE.

    Tuesday, May 31, 2011 7:26 PM
  • Hi

    First check the DCOM permissions

    http://technet.microsoft.com/en-us/library/cc161655.aspx

    Also make sure the DPM server is listed as a member in the following local groups on the client server

    DPMRADmTrustedMachines
    DPMRADCOMTrustedMachines
    Distributed COM Users

    If there are other servers already connected to DPM, it's safe to say its local ports are open.

    First test the comms from DPM to the client server, on the DPM server open CMD and type telnet clientservername portnumber, e.g. telnet testserver 135

    If it connects you will get a blank screen, and you know comms are good from DPM to the client server on port 135. Keep in mind that you might have to test additional ports; see http://technet.microsoft.com/en-us/library/cc161377.aspx for a list of ports used by DPM. The command will time out if it fails to connect after about 30 seconds; if it does fail, then you need to make sure that the port is open on the client side.

    On the client server use the same command that you used on the DPM server, e.g. telnet testserver 135. If it fails to connect then you know that port is being blocked locally, and in most cases it's the AV or local firewall, but there might also be another application that uses the same port. You should be able to track down the app using netstat -o; you will just have to match the PID to the relevant service or exe.

    If the telnet command goes through successfully then it might be an external device e.g. firewall/router that's blocking comms.

    • Proposed as answer by Koos Hattingh Friday, June 3, 2011 8:51 AM
    Wednesday, June 1, 2011 8:52 AM
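
The group-membership and port checks from the reply above can be scripted on the protected server; this is an added example, not code from the thread or from DPM. It assumes the group names exactly as listed in that reply, and `CONTOSO\DPM01$` and `DPM01` are placeholder names for the DPM server's computer account and host name.

```powershell
# Added example: run on the protected server (works on PowerShell 2.0).
# ASSUMPTION: 'CONTOSO\DPM01$' and 'DPM01' are placeholders for your DPM server.
param(
    [string]$DpmAccount = 'CONTOSO\DPM01$',
    [string]$DpmServer  = 'DPM01',
    [int[]] $Ports      = @(135)
)

# Groups named in the reply above.
$groups = 'DPMRADmTrustedMachines', 'DPMRADCOMTrustedMachines', 'Distributed COM Users'

function Get-GroupMemberNames([string]$Group) {
    # WinNT provider returns members as COM objects; read ADsPath by reflection.
    $g = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    @($g.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        # WinNT://DOMAIN/NAME -> DOMAIN\NAME
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-TcpPort([string]$Server, [int]$Port, [int]$TimeoutMs = 5000) {
    # Same check as "telnet server port", with an explicit timeout.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

foreach ($group in $groups) {
    try {
        $members = @(Get-GroupMemberNames $group)
        $state = if ($members -contains $DpmAccount) { 'member' } else { 'MISSING' }
    } catch {
        $state = 'group not found or not readable'
    }
    "{0,-28} {1}: {2}" -f $group, $DpmAccount, $state
}

foreach ($port in $Ports) {
    $state = if (Test-TcpPort $DpmServer $port) { 'open' } else { 'blocked or closed' }
    "TCP {0}:{1} {2}" -f $DpmServer, $port, $state
}
```

A `MISSING` result for a group points at permissions rather than the network, so it can be fixed without stopping the firewall service.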
  • Hello,

    There are some basic tests that you can do for connectivity.

    Connectivity test
    ***************

    Basic connectivity is tested by using ping. If ICMP traffic is blocked ping commands will fail but that is OK.
      ping <protected server name>

    Next test SMB (file sharing).
      net view \\<protected server name>

    Now test RPC and connectivity to Service Control Manager (SCM). This displays a list of services on the remote server when successful.
      Sc \\<protected server name> query

    Lastly test WMI/DCOM. When successful this command lists some basic information about the remote server.
      Wmic /node:"<protected server name>" OS list brief


    From protected server to the DPM server
     ********************************
     ping <protected server name>  <---succeed or fail
     net view \\<protected server name>  <---succeed or fail
     Sc \\<protected server name> query  <---succeed or fail
     Wmic /node:"<protected server name>" OS list brief   <---succeed or fail

    From the DPM server to the protected server
     ************************************
     ping <protected server name> <---succeed or fail
     net view \\<protected server name> <---succeed or fail
     Sc \\<protected server name> query <---succeed or fail
     Wmic /node:"<protected server name>" OS list brief <---succeed or fail
     

    Here are some articles on DPM agent install troubleshooting. Even though you are not having an issue with the agent being installed, I'd go over them for DCOM settings\permissions.

    http://blogs.technet.com/askcore/archive/2008/04/23/troubleshooting-agent-deployment-in-data-protection-manager-2007.aspx
    http://blogs.technet.com/askcore/archive/2008/05/09/troubleshooting-agent-deployment-in-data-protection-manager-2007-dcom.aspx
    http://blogs.technet.com/askcore/archive/2008/05/01/troubleshooting-agent-deployment-in-data-protection-manager-2007-networking.aspx



    Thanks
    Shane

     

    Wednesday, June 1, 2011 12:15 PM