Manual Agent Install on a 2008 R2 RODC

  • Question

  • Hello -

    I'm having a frustrating time with a particular RODC.  I am successfully protecting other RODCs in our domain using the steps provided here: http://technet.microsoft.com/en-us/library/ff634246.aspx

    After completing the steps and making sure the security groups have replicated to my RODC (I even waited 24 hrs), I try to manually install the client.  I get this gem: DPMAgentInstaller failed with errorcode =0x80070643, error says: Fatal error during installation. Check log files in [WINDIR]Temp\MSDPM*.LOG

    I do some research and start poking around the logs and below are what I believe to be the pertinent errors.  My assumption is there's a failure to read or locate the manually created security groups.

    From the MSDPMAgentInstall log:

    Invoking remote custom action. DLL: C:\Program Files\Microsoft Data Protection Manager\DPM\bin\SetupUtilv2.dll, Entrypoint: DoMachineIndependentDPMConfiguration

    AddRADlsTrustedMachinesGroup: Failed to add DPMRADCOMTrustedMachines

    CustomAction _DoMachineIndependentDPMConfiguration.88BD42D4_8EBE_4E98_B407_81775C1F7E9C returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)

    Action ended 9:04:29: InstallExecute. Return value 3.

    From the MSDPMAgentBootstrap0Curr log:

    WARNING           Failed: Hr: = [0x00000000] DetectDPM: completed

    WARNING           Failure in getting members of local group DPMRATrustedMachinesGroup

    WARNING           Failed: Hr: = [0x800708ac] : F: lVal : (UINT)status

    WARNING           Failed: Hr: = [0x800708ac] CleanupDcomLaunchPermisions failed

    WARNING           DeleteLocalGroup: NetLocalGroupDel returned errorcode 2220

    WARNING           AddLocalGroup: NetLocalGroupAdd for group[DPMRADCOMTrustedMachines$BOI-BR-1-VM] returned error 32

    WARNING           AddRADlsTrustedMachinesGroup: Unable to add local group[DPMRADCOMTrustedMachines$BOI-BR-1-VM] with an errorcode= 32

    WARNING           Failed: Hr: = [0x80070032] : F: lVal : AddRADlsTrustedMachinesGroup(hInstall)

    WARNING           Failed: Hr: = [0x80070032] DoMachineIndependentDPMConfiguration failed

    The only thing I can find that is close is this thread: http://msgroups.net/microsoft.public.dataprotectionmanager/error-313-0x80070643/122831  And I have deleted and re-created the security groups many times and the install continues to fail.

    Any thoughts are greatly appreciated!

    -Scott

    Wednesday, May 9, 2012 8:36 PM
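
The HRESULT values in the logs above can be decoded mechanically. The following PowerShell is an added example, not part of the original post or of DPM; the log lines are copied from the post, `ConvertFrom-HResult` is a hypothetical helper name, and the name table covers only the three codes that appear there.

```powershell
# Added example: decode the HRESULTs quoted in the DPM agent installer logs.
# Sample lines are copied from the post above.
$logLines = @(
    'DPMAgentInstaller failed with errorcode =0x80070643, error says: Fatal error during installation.',
    'WARNING  Failed: Hr: = [0x800708ac] CleanupDcomLaunchPermisions failed',
    'WARNING  Failed: Hr: = [0x80070032] DoMachineIndependentDPMConfiguration failed'
)

# Names for the low 16 bits (winerror.h / lmerr.h); only the codes seen in the post.
$knownCodes = @{
    50   = 'ERROR_NOT_SUPPORTED'
    1603 = 'ERROR_INSTALL_FAILURE'
    2220 = 'NERR_GroupNotFound'
}

function ConvertFrom-HResult {
    param([Parameter(Mandatory = $true)][string]$Hex)

    # HRESULT layout: bit 31 = failure, bits 16-26 = facility, bits 0-15 = code.
    $value    = [Convert]::ToInt64($Hex, 16)
    $facility = ($value -band 0x7FF0000) / 0x10000
    $code     = [int]($value -band 0xFFFF)
    $name     = if ($knownCodes.ContainsKey($code)) { $knownCodes[$code] } else { 'unknown' }

    New-Object PSObject -Property @{
        HResult  = $Hex
        Failed   = ($value -ge 2147483648)   # bit 31 set
        Facility = $facility                 # 7 = FACILITY_WIN32
        Code     = $code
        Name     = $name
    }
}

foreach ($line in $logLines) {
    # Pull the first 8-digit hex value out of each log line and decode it.
    $m = [regex]::Match($line, '0x[0-9A-Fa-f]{8}')
    if ($m.Success) {
        ConvertFrom-HResult $m.Value | Select-Object HResult, Failed, Facility, Code, Name
    }
}
```

The low word of 0x80070032 is 0x32, decimal 50 (ERROR_NOT_SUPPORTED), which suggests the "error 32" reported for NetLocalGroupAdd in the bootstrap log is printed in hexadecimal.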

Answers

  • I had a similar issue and this is how it was resolved.


    > 1. Create and populate the following security groups on Primary domain controller: (Where $PSNAME is the name of RODC on which you're planning to install agent)
    >     a. Create DPMRADCOMTRUSTEDMACHINES$PSNAME and add DPM server as a member
    >     b. Create DPMRADMTRUSTEDMACHINES$PSNAME and add DPM server as a member
    >     c. Add DPM server as a member of Builtin\Distributed com users group
    > 2. Ensure that above changes are replicated on to RODC
    > 3. Install agent on RODC
    > 4. Grant launch and activate permissions for DPM server on DPM RA service by doing the following:
    >     a. Run "dcomcnfg"
    >     b. Expand Component Services -> Expand Computers -> Expand My Computer -> Expand DCOM Config
    >     c. Right click DPM RA Service and select Properties
    >     d. Under 'General', "Authentication Level - Default"
    >     e. Under 'Location', only "Run application on this computer" should be checked
    >     f. Under Security, verify that the "Launch and Activation Permissions" (select > "Edit") include the machine account for the DPM Server and Allow "Local Launch", "Remote Launch", "Local Activation", "Remote Activation"
    >     j. Click OK
    > 5. Copy setagentcfg.exe, traceprovider.dll and LKRhDPM.dll from "c:\Program Files\Microsoft DPM\DPM\setup" on DPM server and place them in "c:\Program Files\Microsoft DPM\DPM\setup" on RODC.
    > 6. Run "setagentcfg.exe a DPMRA domain\DPMserver" on RODC using an elevated command prompt. (Run setagentcfg.exe from the location above i.e c:\Program Files\Microsoft DPM\DPM\setup)
    > 7. If a firewall is enabled on RODC run the following commands:
    >     a. netsh advfirewall firewall set rule group="@FirewallAPI.dll,-29502" new enable=yes
    >     b. netsh advfirewall firewall set rule group="@FirewallAPI.dll,-34251" new enable=yes
    >     c. netsh advfirewall firewall add rule name=dpmra dir=in program="%PROGRAMFILES%\Microsoft Data Protection Manager\DPM\bin\DPMRA.exe" profile=Any action=allow
    >     d. netsh advfirewall firewall add rule name=DPMRA_DCOM_135 dir=in action=allow protocol=TCP localport=135 profile=Any
    > 8. Attach agent on DPM server, now you are ready to protect the RODC.

    Friday, May 25, 2012 9:48 AM
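
A read-only check for steps 1 and 2 of the answer above, as an added example that is not part of the original reply or of DPM: it queries the RODC's own directory replica for the three groups and for direct membership of the DPM server's computer account. `RODC01` and `DPMSERVER01` are placeholder names, `Find-Account` and `Test-DpmRodcPrereq` are hypothetical function names, and the literal `$` between the group prefix and the RODC name follows the group name shown in the question's log (assumed to apply to the second group as well).

```powershell
# Added example (not from the original post): confirm on the RODC's replica that
# the groups from step 1 exist and directly contain the DPM server's account.

function Find-Account {
    param([string]$Server, [string]$SamAccountName)
    # Binding to LDAP://<server> searches that DC's default naming context,
    # so a hit means the object has replicated to this RODC (step 2).
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$Server")
    $searcher.Filter = "(sAMAccountName=$SamAccountName)"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('member')
    $searcher.FindOne()
}

function Test-DpmRodcPrereq {
    param([string]$RodcName, [string]$DpmServer)

    # Computer accounts carry a trailing '$' in sAMAccountName.
    $dpm = Find-Account $RodcName ($DpmServer + '$')
    if (-not $dpm) { throw "Computer account for $DpmServer not found on $RodcName" }
    $dpmDn = $dpm.Properties['distinguishedname'][0]

    # Group names from step 1 of the answer; single quotes keep the '$' literal.
    $groups = @(
        ('DPMRADCOMTRUSTEDMACHINES$' + $RodcName),
        ('DPMRADMTRUSTEDMACHINES$' + $RodcName),
        'Distributed COM Users'
    )

    foreach ($name in $groups) {
        $g = Find-Account $RodcName $name
        # Direct membership only; nested groups are not expanded.
        $isMember = [bool]($g -and ($g.Properties['member'] -contains $dpmDn))
        New-Object PSObject -Property @{
            Group       = $name
            OnRodc      = [bool]$g
            DpmIsMember = $isMember
        } | Select-Object Group, OnRodc, DpmIsMember
    }
}

# Placeholder names: replace with the real RODC and DPM server.
Test-DpmRodcPrereq -RodcName 'RODC01' -DpmServer 'DPMSERVER01'
```

Any row showing `OnRodc` or `DpmIsMember` as False means step 1 or step 2 is incomplete on that RODC.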

All replies

  • Anyone have any input?
    Friday, May 11, 2012 5:24 PM