DPM 2012 End User Recovery - Extending AD Schema tool crashes with error

    Question

  • Hi everyone,

    I deployed SCDPM 2012 R2 in my test environment, but there is an issue. When I try to extend the AD schema with DPMADSchemaExtensionTool.exe, it stops working with an appcrash message:

    Problem signature:
      Problem Event Name:	APPCRASH
      Application Name:	dpmdsacl.exe
      Application Version:	4.2.1092.0
      Application Timestamp:	51b1e89d
      Fault Module Name:	KERNELBASE.dll
      Fault Module Version:	6.3.9600.16384
      Fault Module Timestamp:	5215fa76
      Exception Code:	e0434352
      Exception Offset:	0000000000008384
      OS Version:	6.3.9600.2.0.0.272.7
      Locale ID:	1033
      Additional Information 1:	7644
      Additional Information 2:	7644cee486badc818e8a96bb7aba3bfd
      Additional Information 3:	2ddc
      Additional Information 4:	2ddcde93bf91b9ddbb6e1a89fb9b5892

    When I'm trying to do the same with cmd I get an error:

    C:\diagEUR>dpmdsacl.exe sc.local CN=MS-ShareMapConfiguration,CN=System,DC=sc,DC=
    local /A sc\dpm$
    
    Unhandled Exception: System.IO.FileLoadException: Could not load file or assembl
    y 'dpmdsacl, Version=1.0.523.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
    ' or one of its dependencies. Strong name validation failed. (Exception from HRE
    SULT: 0x8013141A) ---> System.Security.SecurityException: Strong name validation
     failed. (Exception from HRESULT: 0x8013141A)
       --- End of inner exception stack trace ---

    How can I fix this error?
    • Edited by EugenBerend Friday, November 1, 2013 12:43 PM mistype
    Friday, November 1, 2013 12:33 PM

Answers

  • Hi,

    We have had a couple of customers reporting this. If you have DPM 2012 SP1 media, please run that version. 

    UPDATED: You will need to install DPM 2012 SP1 on a separate server (VM) so you can copy the DPMADSchemaExtension.exe utility from the %Program Files%\Microsoft System Center 2012\DPM\DPM\End User Recovery directory and run that.


    Regards, Mike J. [MSFT]


    Friday, November 1, 2013 11:45 PM
    Moderator
  • Hi Seth,

    I think your script will be useful, please share it.


    Here it is. It does the same items that the DPM tool does to the domain, with a few extra steps noted at the top.

    We create a group that has the permissions on the container, with the hope that one day, this feature will be available (DCR submitted).  In our support model, we would rather delegate permissions to support personnel to modify group membership than modify ACLs on system containers.    Your opinion on this may differ, so, feel free to remove it.

    It also gives our support personnel permissions to modify the sharemap container - so they can enable DPM EUR servers later.

    Both of these have been working fine for preparing a domain / enabling EUR.  Preparing the domain is run by domain admin, then, we leave enabling EUR to our support staff.

    Remember, this is not supported, this just makes the same changes that the EUR tool does.  You should use the EUR tool from Microsoft.

    #Requires -version 2.0

    # ***************************************************************************
    #
    # File:      DPMEndUserDomainPrep.ps1
    # Version:   0.1
    #
    # Purpose:   Domain Preparation for DPM End User Recovery
    #
    # Tasks completed by this script:
    #      -Create MS-ShareMapConfiguration container in System container of the domain
    #      -Create the security group (NETBIOS Domain Name) DPM End User Recovery servers
    #      -Give Create,Delete MS-srvShareMappingObjects, ListChildren permissions for the newly created group, on the new MS-ShareMapConfiguration container
    #      -Find <SUPPORT GROUP> group in the forest root, and grant full permissions to the MS-ShareMapConfiguration container
    #
    # ***************************************************************************

    Param(
      [string]$domain
    )


    if ($domain -eq "")
    {
     write-host ""
     write-host "Script Usage" -foreground cyan
     write-host "-----------------" -foreground cyan
     write-host "./DPMEndUserDomainPrep.ps1 -domain domain.com" -foreground cyan
     write-host ""
     exit
    }

    $Title = "DPM End User Recovery Domain Prep"
    $Message = "Do you want to continue with domain prep for " + $domain + "?"
    $Yes = new-object system.management.automation.host.choicedescription "&Yes","Continue with Domain Prep for $domain"
    $No = new-object system.management.automation.host.choicedescription "&No","Exit the script"
    $options = [System.Management.Automation.Host.ChoiceDescription[]]($yes, $no)
    $result = $host.ui.PromptForChoice($title, $message, $options, 0)


    If ($result -eq 1){exit}


    # Load the AD module


    Import-Module ActiveDirectory


    # Figure out our domain

     $root = (Get-ADRootDSE -server $domain).defaultNamingContext

    #Get netbios domain name

     $domainname = (Get-ADDomain -Identity $domain).NetBIOSName

    #SchemaIDGuid for MS-SrvShareMapping Class

     $ShareMapGUID = new-object guid c356f65b-5540-4d85-9aef-3a7ecae7a878
     $guidNull = new-object Guid 00000000-0000-0000-0000-000000000000
     $guidGroupObject = new-object Guid BF967A9C-0DE6-11D0-A285-00AA003049E2

    # Get or create the MS-ShareMapConfiguration container

     $ou = $null
     try
     {
         $ou = Get-ADObject "CN=MS-ShareMapConfiguration,CN=System,$root"
     }
     catch
     {
         Write-host "MS-ShareMapConfiguration container does not currently exist." -foreground yellow
     }
     
     if ($ou -eq $null)
     {
        
         $ou = New-ADObject -Type Container -name "MS-ShareMapConfiguration" -Path "CN=System,$root" -Passthru
         write-host "Created Container $ou" -foreground yellow
         start-sleep -s 10
     }


    #Create DPM End User Recovery servers group

     write-host "Creating group $domainname DPM End User Recovery Servers" -foreground yellow
     new-adgroup -path "cn=builtin,$root" -name "$domainname DPM End User Recovery Servers" -groupscope universal -groupcategory security -description "Members of this group are delegated permissions to change contents of the System\MS-ShareMapConfiguration container"
     start-sleep -s 10
     $ServerGroup = get-adgroup "$domainname DPM End User Recovery Servers"
     $ServerGroupsid = [system.security.principal.securityidentifier] $ServerGroup.sid
     write-host ""
     write-host "Created group $ServerGroup" -foreground yellow

    #Get <SUPPORT GROUP> in Forest Root

     $forestname = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Name

     #Check to see if <SUPPORT GROUP> group exists
     #(get-adgroup raises an error when the group is not found, so it is wrapped in try/catch)

     $SupportGroup = $null
     $SupportGroupSID = $null
     try
     {
         $SupportGroup = get-adgroup -server $forestname "<SUPPORT GROUP>"
         $SupportGroupSID = [system.security.principal.securityidentifier] $SupportGroup.sid
     }
     catch
     {
      write-host ""
      write-host "WARNING - <SUPPORT GROUP> Group does not exist in the forest root" -foreground red
      write-host "Permissions must be manually assigned to the MS-ShareMapConfiguration Container for the <SUPPORT GROUP>" -foreground red
      write-host ""
     }

    #Get current ACL for the MS-ShareMapConfiguration Container

     $OUacl = get-acl "ad:cn=ms-sharemapconfiguration,cn=system,$root"

    #Create ACE for adding permissions to newly created group to MS-ShareMapConfiguration container

     $ace1 = new-object system.directoryservices.activedirectoryaccessrule $ServerGroupsid, "CreateChild,DeleteChild", Allow, $sharemapguid,"all"
     $ace2 = new-object system.directoryservices.activedirectoryaccessrule $ServerGroupsid, "ListChildren", Allow,$guidNull,"all"
     $OUacl.addaccessrule($ace1)
     $OUacl.addaccessrule($ace2)

    #Full permissions for <SUPPORT GROUP> are added only when the group was found

     if ($SupportGroupSID -ne $null)
     {
         $ace3 = new-object system.directoryservices.activedirectoryaccessrule $SupportGroupsid, "GenericAll", Allow,$guidNull,"all"
         $OUacl.addaccessrule($ace3)
     }

    #Apply ACL
     write-host ""
     write-host "Setting ACLs on cn=ms-sharemapconfiguration,cn=system,$root" -foreground yellow
     set-acl -aclobject $OUacl "ad:cn=ms-sharemapconfiguration,cn=system,$root"


    #Get current ACL for the DPM End User Recovery Servers group
    #(skipped when <SUPPORT GROUP> was not found, since there is no SID to grant to)

     $ServerGroupDN = $servergroup.distinguishedname

     if ($SupportGroupSID -ne $null)
     {
         $Groupacl = get-acl "ad:$servergroupdn"
         $groupace = new-object system.directoryservices.activedirectoryaccessrule $SupportGroupsid, "GenericAll", Allow,$guidNull,"all"
         $Groupacl.addaccessrule($groupace)
         write-host ""
         write-host "Setting ACLs on $servergroupdn" -foreground yellow
         set-acl -aclobject $Groupacl "ad:$servergroupdn"
     }


     write-host ""
     write-host "Script Complete" -foreground yellow


    Seth Cohen



    • Marked as answer by EugenBerend Tuesday, November 5, 2013 7:29 PM
    • Edited by Seth R C Friday, November 22, 2013 1:13 PM
    Tuesday, November 5, 2013 1:35 PM

All replies

  • Sure, I'm logged on to the DC and perform these actions under an Enterprise Admin account.
    Friday, November 1, 2013 12:42 PM
  • Did you also add yourself to the builtin Schema Admins group?

    Seth Cohen

    Friday, November 1, 2013 4:11 PM
  • I am trying to update AD to enable End User Recovery via the DPM 2012 R2 console. The DPMDSACL app keeps crashing.

    Problem signature:
      Problem Event Name: APPCRASH
      Application Name: dpmdsacl.exe
      Application Version: 4.2.1205.0
      Application Timestamp: 5226e06b
      Fault Module Name: KERNELBASE.dll
      Fault Module Version: 6.3.9600.16408
      Fault Module Timestamp: 523d557d
      Exception Code: e0434352
      Exception Offset: 000000000000ab78
      OS Version: 6.3.9600.2.0.0.272.7
      Locale ID: 1033
      Additional Information 1: d522
      Additional Information 2: d5228251694f130212c01ab1b52ad2a6
      Additional Information 3: 9af7
      Additional Information 4: 9af708336be70ceb01bc131c1baa7514

    Any suggestions?

    Friday, November 1, 2013 6:39 PM
  • I wrote a script that will do the permissions piece without having to do it through the DPM console.  It's very simple, I can share if you want.

    You can also do it through the GUI if you want.  In order for the DPM server to "see" that EUR permissions are done and enable the checkbox for EUR, you have to :

     -Give Create,Delete MS-srvShareMappingObjects, ListChildren permissions for the specified computer on the MS-ShareMapConfiguration container

    Right now, you have to explicitly give permissions to the computer object on the container; giving group permissions does not work. We submitted a DCR for this functionality.


    Seth Cohen

    Saturday, November 2, 2013 3:27 PM
  • Hi Seth,

    I think your script will be useful, please share it.


    • Edited by EugenBerend Tuesday, November 5, 2013 7:24 AM
    Tuesday, November 5, 2013 6:25 AM
  • Hi,

    We have had a couple of customers reporting this. If you have DPM 2012 SP1 media, please run that version. 

    Hi Mike,

    This is a solution, I successfully extended AD Schema, but I couldn't find this tool on DPM 2012 SP1 media - it is in %Program Files%\Microsoft System Center 2012\DPM\DPM\End User Recovery directory. 

    Tuesday, November 5, 2013 6:30 AM
  • Where on the media is the utility, and are there any arguments when it is run?
    Tuesday, November 5, 2013 9:36 PM
  • I had the same problem and the following workaround resolved my issue. After adding the following reg keys, the UI worked fine and completed successfully:

    =====on an elevated command prompt=================

    reg.exe add HKLM\SOFTWARE\Microsoft\StrongName\Verification\*,71e9bce111e9429c /f
    reg.exe add HKLM\SOFTWARE\Wow6432Node\Microsoft\StrongName\Verification\*,71e9bce111e9429c /f
    reg.exe add HKLM\SOFTWARE\Microsoft\StrongName\Verification\*,* /f
    reg.exe add HKLM\SOFTWARE\Wow6432Node\Microsoft\StrongName\Verification\*,* /f

    net stop msiserver

    ============================================

    • Proposed as answer by Alex Kitrik Friday, November 22, 2013 5:37 AM
    Friday, November 22, 2013 5:37 AM
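
The registry entries in the post above register assemblies for strong-name verification skipping, and the `*,*` entry matches every assembly on the machine. The following PowerShell is an added example, not part of any reply in this thread: it lists such entries in both registry views and removes the two entry names given in the reg.exe lines above. The function names `Get-StrongNameSkipEntry` and `Remove-StrongNameSkipEntry` are hypothetical.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell 3.0+
# session once the Active Directory configuration step has completed.

$subKey     = 'SOFTWARE\Microsoft\StrongName\Verification'
$workaround = @('*,71e9bce111e9429c', '*,*')   # entry names copied from the reg.exe lines

function Get-StrongNameSkipEntry {
    # Registry32 is the view that reg.exe reaches through Wow6432Node.
    foreach ($view in 'Registry64', 'Registry32') {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', $view)
        $key  = $base.OpenSubKey($subKey)
        if ($key) {
            foreach ($name in $key.GetSubKeyNames()) {
                # Entry format is "<assembly>,<public key token>"; '*' means "any".
                $assembly, $token = $name -split ',', 2
                $scope = 'single assembly'
                if ($assembly -eq '*') { $scope = "every assembly with token $token" }
                if ($name -eq '*,*')   { $scope = 'every assembly on this machine' }
                [pscustomobject]@{
                    View       = $view
                    Entry      = $name
                    Scope      = $scope
                    FromThread = ($workaround -contains $name)
                }
            }
            $key.Close()
        }
        $base.Close()
    }
}

function Remove-StrongNameSkipEntry {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Name = $workaround)

    foreach ($view in 'Registry64', 'Registry32') {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', $view)
        $key  = $base.OpenSubKey($subKey, $true)     # $true = open writable
        if ($key) {
            foreach ($n in $Name) {
                $present = $key.GetSubKeyNames() -contains $n
                if ($present -and $PSCmdlet.ShouldProcess("$view HKLM\$subKey\$n", 'Delete')) {
                    $key.DeleteSubKeyTree($n)
                }
            }
            $key.Close()
        }
        $base.Close()
    }
}

# Show what is registered, then preview the removal; drop -WhatIf to delete.
Get-StrongNameSkipEntry | Format-Table -AutoSize
Remove-StrongNameSkipEntry -WhatIf
```

The .NET registry API is used instead of `HKLM:\` paths because the entry names contain `*`, which PowerShell path parameters treat as a wildcard.
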
  • We also stumbled upon this problem in a Windows 2012 environment with DPM 2012 R2.

    Would be good if this issue could either become a KB article or even a correcting fix to DPM 2012 R2, as it would seem like .net signing of the dll involved wasn't correct if the later posters are right in that it works if you disable strong name checking (I didn't want to go down that route so I went with the binary from DPM 2012 SP1 instead).

    /Andreas

    Wednesday, November 27, 2013 8:48 AM
  • These reg keys worked on my test lab machine.  Clicking the Configure Active Directory button and using the signed-in user credentials worked with no further errors.  Thanks Alex!
    Friday, June 20, 2014 8:24 PM
  • I had the same problem and the following workaround resolved my issue. After adding the following reg keys, the UI worked fine and completed successfully:

    =====on an elevated command prompt=================

    reg.exe add HKLM\SOFTWARE\Microsoft\StrongName\Verification\*,71e9bce111e9429c /f
    reg.exe add HKLM\SOFTWARE\Wow6432Node\Microsoft\StrongName\Verification\*,71e9bce111e9429c /f
    reg.exe add HKLM\SOFTWARE\Microsoft\StrongName\Verification\*,* /f
    reg.exe add HKLM\SOFTWARE\Wow6432Node\Microsoft\StrongName\Verification\*,* /f

    net stop msiserver

    ============================================

    This worked for us, thanks!
    • Proposed as answer by dcorep Tuesday, December 9, 2014 4:54 PM
    Thursday, November 6, 2014 8:45 PM
  • That's perfect. I'm not really good with regedit, but this worked for me perfectly, thanks.
    Tuesday, December 9, 2014 4:55 PM
  • Must I do this on the DPM server or the schema master?
    ---------------------------------------

    =====on an elevated command prompt=================

    reg.exe add HKLM\SOFTWARE\Microsoft\StrongName\Verification\*,71e9bce111e9429c /f
    reg.exe add HKLM\SOFTWARE\Wow6432Node\Microsoft\StrongName\Verification\*,71e9bce111e9429c /f
    reg.exe add HKLM\SOFTWARE\Microsoft\StrongName\Verification\*,* /f
    reg.exe add HKLM\SOFTWARE\Wow6432Node\Microsoft\StrongName\Verification\*,* /f

    net stop msiserver

    ============================================

    • Edited by kilg Thursday, February 5, 2015 7:51 AM
    Thursday, February 5, 2015 7:49 AM
  • It is happening to me on a 2012 R2 fully patched...can't get around it.

    DBA & Web Administration

    Thursday, April 28, 2016 7:34 PM
  • I had the same problem and the following workaround resolved my issue. After adding the following reg keys, the UI worked fine and completed successfully:

    =====on an elevated command prompt=================

    reg.exe add HKLM\SOFTWARE\Microsoft\StrongName\Verification\*,71e9bce111e9429c /f
    reg.exe add HKLM\SOFTWARE\Wow6432Node\Microsoft\StrongName\Verification\*,71e9bce111e9429c /f
    reg.exe add HKLM\SOFTWARE\Microsoft\StrongName\Verification\*,* /f
    reg.exe add HKLM\SOFTWARE\Wow6432Node\Microsoft\StrongName\Verification\*,* /f

    net stop msiserver

    ============================================

    This worked for me, thank you!
    Sunday, December 4, 2016 5:56 AM