none
DPM Error 316, client did not respond - client shows DPMRA event 84, access denied check DCOM RRS feed

  • Question

  • I've looked over other posts and searched the whole web and can't find an answer for this.  I'm experiencing random problems with DPM clients losing their connections to the server and giving an "access denied" message, saying:

    "A DPM agent failed to communicate with the DPM service on DPMSERVER.domain because access is denied. Make sure that DPMSERVER.domain has DCOM launch and access permissions for the computer running the DPM agent (Error code: 0x80070005, full name: DPMSERVER.domain)."

    I've checked DCOM settings (nothing has changed), and even set back to default and re-set to correct settings with no success.  Sometimes the servers start talking to DPM again on their own (as is the case - twice - with our WS2008 Hyper-V host server), but others do not reconnect until they are rebooted (SQL Server (2008) and File Server (2003R2)).

    Restarting the DPMRA service on the client doesn't help, restarting the DPM Service/Server doesn't solve it either.  Restarting MS DTC on the client doesn't fix it.

    The first problem was last Wednesday (5/25/11) with the SQL Server, 2nd problem on Monday (5/30/11) with the SQL Server and the Hyper-V server, 3rd problem today (6/3/11) with the File/Print Server and the Hyper-V server again.

    All servers are fairly current with Windows Updates, and are running ESET NOD32 Antivirus - but I removed it from our SQL Server to see if that prevents the problem.  AV program and definition versions are the same between working and non-working servers.  The DPM Server itself doesn't not have ESET or any other antivirus on it - it was too problematic.

    We recently demoted a WS2003R2 Domain Controller and promoted a second 2008R2 DC, so we have 1 physical DC and 1 virtual DC (both WS2008 R2), then we raised the Domain and Forest Functional Levels to 2008 R2 from 2003.  I don't know if that has any bearing on the problem.

    Thanks for any attempt to help!



    Friday, June 3, 2011 11:33 PM

Answers

  • Hello Robert,

    On issues like this there are so many places to look. We have to realize that there is some difference between the working and non-working servers. I do have some questions for you.

    1.) Are all of the nonworking servers on the same subnet? If so,
         a.) have you tried changing the port on the switch
         b.) If you look at the switch logging, do you see a large amount of packets being dropped.
         c.) Do the servers experience other forms of loss of connectivity other than DPM, say DNS or can't browse to the internet.

    2.) Does this seem to happen at the same time of day or is it random?

    3.) Curious, what binary version of DPM is this? Click on the "i" at the top right hand corner of the DPM console.

    Actions
    ******
     First I'd suggest you follow each of the articles:
    http://blogs.technet.com/askcore/archive/2008/04/23/troubleshooting-agent-deployment-in-data-protection-manager-2007.aspx
    http://blogs.technet.com/askcore/archive/2008/05/09/troubleshooting-agent-deployment-in-data-protection-manager-2007-dcom.aspx
    http://blogs.technet.com/askcore/archive/2008/05/01/troubleshooting-agent-deployment-in-data-protection-manager-2007-networking.aspx

    Second, follow the steps below when this issue occurs:

    Basic connectivity is tested by using ping. If ICMP traffic is blocked ping commands will fail but that is OK.
      ping <protected server name>

    Next test SMB (file sharing).
      net view \\<protected server name>

    Now test RPC and connectivity to Service Control Manager (SCM). This displays a list of services on the remote server when successful.
      Sc \\<protected server name> query

    Lastly test WMI/DCOM. When successful this command lists some basic information about the remote server.
      Wmic /node:"<protected server name>" OS list brief


    From protected server to the DPM server
     ********************************
     ping <protected server name>  <---succeed or fail
     net view \\<protected server name>  <---succeed or fail
     Sc \\<protected server name> query  <---succeed or fail
     Wmic /node:"<protected server name>" OS list brief   <---succeed or fail
     

    From the DPM server to the protected server
     ************************************
     ping <protected server name> <---succeed or fail
     net view \\<protected server name> <---succeed or fail
     Sc \\<protected server name> query <---succeed or fail
     Wmic /node:"<protected server name>" OS list brief <---succeed or fail
     
    Thanks,
    Shane

    • Proposed as answer by ShaneB. _ Saturday, February 25, 2012 2:13 PM
    • Marked as answer by Robert Tuck Wednesday, November 28, 2012 4:41 PM
    Monday, June 6, 2011 10:25 AM

All replies

  • Hello Robert,

    On issues like this there are so many places to look. We have to realize that there is some difference between the working and non-working servers. I do have some questions for you.

    1.) Are all of the nonworking servers on the same subnet? If so,
         a.) have you tried changing the port on the switch
         b.) If you look at the switch logging, do you see a large amount of packets being dropped.
         c.) Do the servers experience other forms of loss of connectivity other than DPM, say DNS or can't browse to the internet.

    2.) Does this seem to happen at the same time of day or is it random?

    3.) Curious, what binary version of DPM is this? Click on the "i" at the top right hand corner of the DPM console.

    Actions
    ******
     First I'd suggest you follow each of the articles:
    http://blogs.technet.com/askcore/archive/2008/04/23/troubleshooting-agent-deployment-in-data-protection-manager-2007.aspx
    http://blogs.technet.com/askcore/archive/2008/05/09/troubleshooting-agent-deployment-in-data-protection-manager-2007-dcom.aspx
    http://blogs.technet.com/askcore/archive/2008/05/01/troubleshooting-agent-deployment-in-data-protection-manager-2007-networking.aspx

    Second, follow the steps below when this issue occurs:

    Basic connectivity is tested by using ping. If ICMP traffic is blocked ping commands will fail but that is OK.
      ping <protected server name>

    Next test SMB (file sharing).
      net view \\<protected server name>

    Now test RPC and connectivity to Service Control Manager (SCM). This displays a list of services on the remote server when successful.
      Sc \\<protected server name> query

    Lastly test WMI/DCOM. When successful this command lists some basic information about the remote server.
      Wmic /node:"<protected server name>" OS list brief


    From protected server to the DPM server
     ********************************
     ping <protected server name>  <---succeed or fail
     net view \\<protected server name>  <---succeed or fail
     Sc \\<protected server name> query  <---succeed or fail
     Wmic /node:"<protected server name>" OS list brief   <---succeed or fail
     

    From the DPM server to the protected server
     ************************************
     ping <protected server name> <---succeed or fail
     net view \\<protected server name> <---succeed or fail
     Sc \\<protected server name> query <---succeed or fail
     Wmic /node:"<protected server name>" OS list brief <---succeed or fail
     
    Thanks,
    Shane

    • Proposed as answer by ShaneB. _ Saturday, February 25, 2012 2:13 PM
    • Marked as answer by Robert Tuck Wednesday, November 28, 2012 4:41 PM
    Monday, June 6, 2011 10:25 AM
  • Hi. We are facing a similar problem on a hardened OS configuration on the dpm server side, but we have not still be able to successfully make it work ever.

    The four tests you propose pass without problems on both directions

    We have been able to get rid of the eventid 84 (it appeared on the client side anytime we clicked on "refresh agent status") by changing the local security policy "local policies/security options/network security: lan manager authentication level" to the least restrictive value (Send LM & NTLM responses). However, we are still not able to communicate between agent and server (we're still getting the DPM Error ID:316, the protection agent operation on <server> failed because the service did not respond. internal error code 0x8099090E

    I have the feeling that there's something too tight on the hardening of the os, maybe related to DCOM, but no clue about what. Any hints?

     

    Regards

    Roberto


    Wednesday, July 6, 2011 11:44 AM
  • Hey finally we solved this issue:

    on the hardened OS (the DPM server), you must add the "Authenticated users" group to the "users" group, that solved the issue. maybe this is applicable to your issue too.

    • Proposed as answer by MarcReynolds Wednesday, July 6, 2011 1:49 PM
    Wednesday, July 6, 2011 1:43 PM
  • Hello Roberto,


    Yes, that is covered in the links supplied above but thanks for your input.

    Thanks,
    Shane

    Friday, July 8, 2011 10:22 PM
  • Hi Shane,

    I've got a problem with Error 316 from the DPM server as well.  Here's some info:

    DPM 2012 running on Windows Server 2008 R2 on domain A
    Production servers running on Windows Server 2008 on domain B
    There is a two-way trust between the two domains
    Production servers are running Exchange 2007 CCR
    They are on the same subnet
    I have host file entries to force DNS resolution to our private net (10.100.x.x) on both sides
    DPM server uses a NIC team

    I believe the crux of the issue is that the agent is running on Server 2008, because I can attach the DPM server to other production servers on domain B that use R2 without issue.  This is also the second set of 2008 clusters that have had a problem, and as far as I can tell, this is the only factor that differs between those that work and those that do not.

    As for your questions:

    1) Yes
      a + b) co-located elsewhere, but I can try those if you need
      c) no
    2) At all times
    3) 4.0.1908.0 for both DPM and agents

    I have read the three articles you mentioned, and the computer object and DCOM groups have the appropriate permissions to the production server.  Uninstall / reinstall seems ineffective, and none of the tests you asked about failed as long as the user I'm logged in as on domain A is part of the domain admins group on domain B.  I'm not sure how to test it as the computer account, but I added that to the domain admins group just for fun.

    When I refresh the Agent Status, I do see DPMRA start up.  I then get an Error 84 (access denied).

    I would love any information you have, as we're trying to replace our current backup provider with DPM.

    Thanks,

    David

    Tuesday, July 10, 2012 3:48 PM
  • Please check both the DPM and the clients' time.

    I got the same issue, there're 10 mins latency between the server and clients, It's all set after I adjusted.

    The latency will raise Kerberos issue then impact on the DPM authentication.

    Hope it's useful.

    Thanks,

    Simon

    Wednesday, November 28, 2012 6:38 AM
  • fantastic, that did the trick!!! Why would this fix the issue though, by all accounts this seemed to be a DCOM issue
    Thursday, September 26, 2013 11:10 PM
  • Hi,

    I have the same problem and I'm sure that problem related to  Kerberos authentication. Could you prompt me, how you resolve this issue.  

    Tuesday, February 21, 2017 7:05 AM