Agent Install to Windows XP client in Trusted Forest

  • Question

  • We have a DPM 2010 server installed in ForestA/Domain1 and we are trying to backup a Windows XP client in ForestB/Domain1. There is a forest trust between the two.

    Is this possible? It is difficult to determine whether this is a supported configuration.

    I haven't had any success with the recommendations to use the "workgroup" installation method. I receive the following error on my DPM 2010 server:

    "Attach protected computer #### failed: Error 32682: Failed to create user account for this username ####."

    I'm trying to use the same credentials associated with the setdpmserver command on the Windows XP client. Anyone else have success here? I have a feeling the problem lies in the security context somewhere. Maybe the lookup won't traverse the trust?


    IT Operations Manager
    Thursday, March 24, 2011 5:56 PM

All replies

  • Data Protection Manager 2010 Frequently Asked Questions

    DPM 2010 supports data protection across forests if a forest-level trust exists between the forests. DPM 2007 did not support protection across forests.

    You should not need to use the workgroup / untrusted domain option.  To find a computer across a trusted domain, you must type the fully qualified domain name of the computer you want to protect (for example,, where Computer1 is the name of the target computer that you want to protect, and is the domain to which the target computer belongs.  From "Installing Protection Agents" at

    Also from the "Installing Protection Agents" page.

    Installing Agents across Forests
    This section provides information about installing a protection agent across a forest with selective authentication enabled. To protect a server across a forest with selective authentication, Allowed to Authenticate permissions must be given on the Active Directory directory service for the following computers:

    DPM server on the domain controller of domain "Server to be protected".

    DPM server on "Server to be protected".

    "Server to be protected" on the DPM server.

    "Account used to install the protection agent" on the DPM server.


    Thursday, March 24, 2011 10:01 PM
  • Thanks for the quick response. This isn't really the case for me though. When I do a "standard" install using the FQDN of the target client in a separate forest, I receive this error:

    The following computers were not found in Active Directory services, or they do not have a Windows Server Operating system installed.

    Did I mention I'm trying to back up a Windows XP client here? Does that matter?

    The trust type is listed as "External" (it's two-way). I didn't set it up, and I haven't had much experience with establishing trusts between forests, so maybe that's why it doesn't work.




    IT Operations Manager
    Thursday, March 24, 2011 10:32 PM
  • Are you able to resolve the name of the XP client from the DPM server using nslookup?



    Friday, March 25, 2011 5:12 PM
  • Yes, it returns the appropriate IP address. (ping works as well)

    Incidentally I also tried disabling the firewall on the target, just in case. (even though I did the appropriate setdpmserver.exe operation on the target)


    IT Operations Manager
    Friday, March 25, 2011 5:20 PM
  • Additional information:


    I was able to make headway using the "workgroup" method to connect to the system. I had to add authentication permissions to the Windows XP computer itself for the server, and vice versa in the ADUC. In addition I added "allow to authenticate" to the target domain controllers for the DPM server, as this appears to be a requirement as well.

    After resetting the "forceguest" key on the XP client to zero, I was able to attach to the Windows XP client across my forest trust.

    However, now I am unable to add the client to a protection group. I receive the error: "Some of the selected computers could not be added. To view the list of computers that could not be added, click the "Failed to add machines" link below the list of selectable computers." (ID7013)

    Clicking the link reveals "the following machines are not found in AD #####"

    It's becoming clear to me that the DPM server in a remote forest cannot be trained to look up object accounts in other domains. Please confirm.


    IT Operations Manager
    Friday, March 25, 2011 8:37 PM
  • You should not need to use the "workgroup" installation method.  You can push out the agent from the DPM server but need to provide credentials in the wizard on the DPM server for a user that has local administrator rights on the XP client where the protection agent is being installed.
    Monday, March 28, 2011 10:31 PM
  • Thanks, but this was my very first course of action in attempting to perform backups through the trust. It simply didn't work. The DPM server doesn't find the target in its local AD, so it balks at the request. If there's a way to tell the DPM server to search multiple domains when you enter the target host id, that would work. But this does not appear to be an option. Has Microsoft actually lab-tested this feature?
    IT Operations Manager
    Wednesday, March 30, 2011 9:49 PM
  • I'm having a similar issue with DPM 2012 trying to back up servers in our DMZ. The DMZ is a separate domain, but the trust is only one way (the DMZ domain trusts our internal domain but not the other way around). I've tried both installation methods but have seen the same errors as jailes.
    Wednesday, May 23, 2012 12:25 AM
  • Never mind... I have the answer. Run setdpmserver.exe on the target server and then attach with the "workgroup" method. Adds successfully now.

    I should RTFM (or STFW) before posting questions :)

    Wednesday, May 23, 2012 12:42 AM