Unable to add untrusted computer behind firewall

  • Question

  • I'm having problems adding an untrusted domain computer in DPM 2012 R2. We have 3 remote sites that are waiting to be migrated on to our network/AD forest but I want to back up some of their data using my DPM server in our datacentre in the meantime. I have this working already for 2 of these sites but I'm having problems with the remaining site.

    Let's say the computer to be protected is server01.untrusted.com and the DPM server is dpmserver.mydomain.com.

    Here are the steps I have followed:

    1) Installed the DPM protection agent on server01 and rebooted it.

    2) Created 2 hosts file entries on server01 to point to the public IP address of my DPM server, one for the NETBIOS name and one for the FQDN.

    3) On server01 - Ran setdpmserver.exe -dpmservername dpmserver.mydomain.com -isnondomainserver -username svcDPMserver01 (and entered a password when prompted).

    4) Created 2 hosts file entries on dpmserver to point to the public IP address of server01, one for the NETBIOS name and one for the FQDN.

    5) On dpmserver - Ran attach-nondomainserver.ps1 -dpmservername dmpserver.mydomain.com -psname server01.untrusted.com -username svcDPMserver01 (and entered the same password as in step 3). I then get the following error:

    WARNING: Connecting to DPM server: dpmserver.mydomain.com
    There is failure while attaching production server
    G:\Program Files\Microsoft System Center 2012
    R2\DPM\DPM\bin\Attach-NonDomainServer.ps1 : Unable to contact the protection
    agent on server server01.untrusted.com
    At line:1 char:1
    + Attach-NonDomainServer.ps1 -dpmservername dpmserver.mydomain.com-psname
    server01.untru ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~
        + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorExcep
       tion
        + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorExceptio
       n,Attach-NonDomainServer.ps1

    1) Ensure that the above server name is accessible from the DPM server.
    2) Ensure that the protection agent has been installed on the remote server. Als
    o ensure that you have run SetDpmServer.Exe with the -isNonDomainServer option o
    n the protected computer.

    I have also tried step 5 using the GUI rather than the .ps1 script and steps 3 and 5 using the NETBIOS name of both machines rather than FQDN just to see if it made any difference. It didn't.

    I should add that the DPM server and the 3 remote sites are behind firewalls. 2 of the remote sites have firewalls which I do not have access to. However, they are provided by the same ISP who have assured me that the configuration is the same for both. They have given me a new public IP address for each site for this purpose and set up a static 1-to-1 NAT to my server on the inside network that I am trying to protect. All TCP/UDP ports are open but one site works and one doesn't.

    On the one that doesn't work I can ping server01, telnet to it on port 135, RDP etc. I can't find anything wrong with it and the steps I have followed are the same on both. Windows firewall is turned off on both dpmserver and server01.

    Thursday, September 29, 2016 12:07 PM
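
One way to check the two preconditions named in the error text from the DPM server side (an added example, not part of the original post and not Microsoft's script): it verifies that the hosts file maps both names from step 4 to the same address and tests each TCP port individually. The server names are the post's placeholders, and the port list beyond 135 is an assumption of this example.

```powershell
# Added example: run on dpmserver before retrying Attach-NonDomainServer.ps1.
param(
    [string]$Fqdn      = 'server01.untrusted.com',   # placeholder names from the post
    [string]$NetBios   = 'server01',
    [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts",
    # 135 is the port tested in the post. 5718 and 5719 are an assumption of this
    # example: the agent coordinator / protection agent ports in Microsoft's DPM docs.
    [int[]]$Ports      = @(135, 5718, 5719)
)

# Return the address a hosts file maps $Name to, or $null if there is no entry.
function Get-HostsEntry {
    param([string[]]$Lines, [string]$Name)
    foreach ($line in $Lines) {
        $text = ($line -split '#')[0].Trim()          # drop comments
        if (-not $text) { continue }
        $fields = $text -split '\s+'                   # address, then one or more names
        if ($fields.Count -ge 2 -and ($fields[1..($fields.Count - 1)] -contains $Name)) {
            return $fields[0]
        }
    }
    return $null
}

$lines     = Get-Content -Path $HostsPath
$fqdnIp    = Get-HostsEntry -Lines $lines -Name $Fqdn
$netbiosIp = Get-HostsEntry -Lines $lines -Name $NetBios

if (-not $fqdnIp -or -not $netbiosIp) {
    Write-Warning "Missing hosts entry (FQDN: '$fqdnIp', NetBIOS: '$netbiosIp')."
} elseif ($fqdnIp -ne $netbiosIp) {
    Write-Warning "FQDN maps to $fqdnIp but NetBIOS name maps to $netbiosIp."
}

# Connect by name, so the result shows which address the resolver actually used.
foreach ($port in $Ports) {
    $r = Test-NetConnection -ComputerName $Fqdn -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Name          = $Fqdn
        RemoteAddress = $r.RemoteAddress
        MatchesHosts  = ("$($r.RemoteAddress)" -eq $fqdnIp)
        Port          = $port
        TcpOpen       = $r.TcpTestSucceeded
    }
}
```

Running the same script against a site that works gives a baseline to compare per-port results with, which is more informative than ping or RDP alone.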