DPM 2010 Error 270

  • Question

  • I am receiving the following message on three servers I am trying to protect with DPM 2010

    Protection agent version:    3.0.7696.0
    Error:    Data Protection Manager Error ID: 270
        The agent operation failed on rushcrm02.rush-enterprises.com because DPM could not communicate with the DPM protection agent. The computer may be protected by another DPM server, or the protection agent may have been uninstalled on the protected computer.
    If rushcrm02.rush-enterprises.com is a workgroup server, the password for the DPM user account could have been changed or may have expired.
    Recommended action:    Check the following to troubleshoot this issue:
    1) If the agent is not installed on rushcrm02.rush-enterprises.com, run DpmAgentInstaller.exe with this DPM computer as a parameter. For details, see the DPM Deployment Guide.
    2) To attach the computer correctly to this DPM server, run the SetDpmServer tool on the protected computer.
    3) If the computer is protected by another DPM server, or if the protection agent has been uninstalled, remove the protected data sources on this computer from active protection. Then, remove the entry of this computer from the Agents tab in the Management task area.
    4) If rushcrm02.rush-enterprises.com is a workgroup server, run SetDpmServer with the -UpdatePassword flag on the protected computer and Update-NonDomainServerInfo.ps1 on the DPM server to update the password.
    5) If the DPM server and the protected computer are not in the same domain, ensure that there is a two-way trust setup between the two domains.
        If the computer is protected by another DPM server, or if the protection agent has been uninstalled, you can remove the record of the computer from this DPM server.
        Remove the record of the computer from this DPM server.


    The servers are on the same Active Directory Domain as the DPM server and there is no firewall between them.

    I have tried running setdpmserver and attach-productionserver.ps1. It succeeds, but the error persists.

    If I try to uninstall or install an agent on these servers from the DPM console, I get an access denied error.  Nothing is logged in any of the event logs on the servers I am protecting.
    • Moved by MarcReynolds Wednesday, October 20, 2010 11:55 AM (From:Data Protection Manager)
    Tuesday, October 19, 2010 9:51 PM

Answers

  • Well this solved itself quickly for me.

    I did these things before, but now when I did them again, for some reason they worked:

    1. Manual install of agent.

    2. Reboot

    3. Running setdpmserver -setdpmservername xxx.xxx on administrative cmd prompt.

    Now status is OK and replica creation in progress.

    I must say I don't like it when things work randomly.

    -Reima

    Friday, October 22, 2010 12:02 PM

All replies

  • I suspect you are having some DCOM permission issues on the protected server.

    First check the built-in Users group on the protected servers. You need to have Domain Users, Authenticated Users, and Interactive in that group.

    If the group membership is correct we just need to add the following registry entries on the protected server, refresh the DPM GUI to get the 270 error, and check the system event log on the PS. If it is DCOM then we'll see events telling us that it is either machine-wide DCOM settings or the DPMRA settings that are denying access.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
    Name:  ActivationFailureLoggingLevel
    Type:  DWORD
    Value: 1

    Name:  CallFailureLoggingLevel
    Type:  DWORD
    Value: 1

    The resultant event error is similar to the following.

    Event Type: Error
    Event Source: DCOM
    Event Category: None
    Event ID: 10027
    Date:  1/27/2010
    Time:  13:50:03
    User:  FOURTHCOFFEE\DPM01$
    Computer: ProtectedServer

    Description:
    The machine wide limit settings do not grant Remote Activation permission for COM Server applications to the user FOURTHCOFFEE\DPM01$ SID (S-1-5-21-0123456789-01234567-0123456789-1234).  This security permission can be modified using the Component Services administrative tool.

    /Steve


    Steve L [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.
    Thursday, October 21, 2010 11:14 AM
    Moderator
  • Steve,

     

    Thank you so much, this was really helpful. I am getting the exact same Event ID: 10027 error that you posted after I add those registry keys and refresh the agent status. My error specifies the ANONYMOUS LOGON SID though.

    Event Type: Error
    Event Source: DCOM
    Event Category: None
    Event ID: 10027
    Date:  10/21/2010
    Time:  1:40:12 PM
    User:  NT AUTHORITY\ANONYMOUS LOGON
    Computer: xxxxxxx

    Description:
    The machine wide limit settings do not grant Remote Activation permission for COM Server applications to the user NT AUTHORITY\ANONYMOUS LOGON SID (S-1-5-7).  This security permission can be modified using the Component Services administrative tool.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: a0 01 00 00 00 00 00 00    .......
    0008: c0 00 00 00 00 00 00 46   À......F

    I tried to follow this article http://technet.microsoft.com/en-us/library/cc774464(WS.10).aspx

    and I added the DPM server to the COM security access permissions as well as launch and activation permissions. I gave the DPM server full local and remote access rights on both. Additionally, I did verify that ANONYMOUS LOGON already has the same rights.

    I am still getting the error though....

     

    • Edited by RobinMoore Thursday, October 21, 2010 9:36 PM
    Thursday, October 21, 2010 6:45 PM
  • I am also getting this error message in the application event log

     

    Event Type: Error
    Event Source: COM
    Event Category: None
    Event ID: 10018
    Date:  10/21/2010
    Time:  2:14:23 PM
    User:  NT AUTHORITY\ANONYMOUS LOGON
    Computer: xxxxxxxx

    Description:
    The application-specific permission settings do not grant Local access permission to the COM Server application C:\Program Files\Microsoft Data Protection Manager\DPM\bin\DPMRA.exe to the user NT AUTHORITY\ANONYMOUS LOGON SID (S-1-5-7).The application set this security permission programmatically; to modify this security permission contact the application vendor.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 32 01 00 00 00 00 00 00   2.......
    0008: c0 00 00 00 00 00 00 46   À......F

    Thursday, October 21, 2010 7:15 PM
  • Robin,

    The anonymous logon tells us a key bit. When DPM accesses a protected machine it uses its machine account to get a Kerberos ticket. Hence we'd expect to see the logon attempt to be from DOMAIN\DPMServer$. Since it is using anonymous, that means something is wrong with Kerberos.

    The DPM server will go to AD and ask for a Kerberos ticket for the protected server. If it asks for the wrong thing or the protected server is not in AD, the domain controller tells the DPM server that there is no such thing. Then DPM fails over to NTLM authentication. When a machine account attempts NTLM authentication to a remote server it uses a null session, thus the anonymous logon we see.

    The key thing is to fix whatever DPM is trying to ask for when trying to get a Kerberos ticket. The way I do that is to get a network trace of the DPM server's traffic to the domain controller when refreshing the DPM console (getting the 270 error). Looking at the Kerberos requests in the trace we can see what the DPM server asked for. Once we know that we can work on figuring out what we need to fix.

    /Steve


    Steve L [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, October 22, 2010 10:09 AM
    Moderator
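
The checks from the two moderator replies above, combined into one script. This is an added example, not code posted in the thread: it assumes an elevated Windows PowerShell session (not PowerShell 7, which lacks `Get-EventLog`) on the protected server, an English-language OS, and a 30-minute look-back window chosen for illustration.

```powershell
# Added example, not from the thread. Run elevated on the protected server.

# 1. The built-in Users group should contain these members (first reply).
$members = net localgroup Users
foreach ($name in 'Domain Users', 'Authenticated Users', 'INTERACTIVE') {
    if (-not ($members -match $name)) {
        Write-Warning "Built-in Users group is missing: $name"
    }
}

# 2. Turn on DCOM failure logging: the two DWORD values listed in the thread.
$ole = 'HKLM:\SOFTWARE\Microsoft\Ole'
foreach ($value in 'ActivationFailureLoggingLevel', 'CallFailureLoggingLevel') {
    New-ItemProperty -Path $ole -Name $value -PropertyType DWord -Value 1 -Force |
        Out-Null
}

# 3. Refresh the agent in the DPM console so error 270 reappears, then read
#    back the DCOM/COM denials and classify each one by the calling account.
$ids   = 10016, 10018, 10027          # event IDs quoted in this thread
$since = (Get-Date).AddMinutes(-30)   # assumed look-back window

$denials = foreach ($log in 'System', 'Application') {
    Get-EventLog -LogName $log -EntryType Error -After $since -ErrorAction SilentlyContinue |
        Where-Object { $ids -contains $_.EventID }
}

$denials | Sort-Object TimeGenerated | ForEach-Object {
    $reading = if ($_.UserName -match 'ANONYMOUS LOGON') {
        # Caller arrived as a null session: Kerberos failed, NTLM fallback.
        'Kerberos problem: DPM server fell back to NTLM (null session)'
    } elseif ($_.UserName -match '\$$') {
        # Caller is a machine account, so authentication itself worked.
        'DCOM permission problem for this machine account'
    } else {
        'Other caller: read the event description'
    }
    '{0:u}  {1}  {2}  ->  {3}' -f $_.TimeGenerated, $_.EventID, $_.UserName, $reading
}
```

Remove the two registry values once troubleshooting is finished to return DCOM to its default logging behaviour.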
  • Hello

    Same problem here. DCOM logging gives this:

    Log Name:      System
    Source:        Microsoft-Windows-DistributedCOM
    Date:          22.10.2010 14:51:37
    Event ID:      10016
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          SYSTEM
    Computer:      xxx.yyy.net
    Description:
    The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
    {24FF4FDC-1D9F-4195-8C79-0DA39248FF48}
     to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

    -Reima

    Friday, October 22, 2010 11:55 AM
  • Robin,

    The key thing is to fix whatever DPM is trying to ask for when trying to get a Kerberos ticket. The way I do that is to get a network trace of the DPM server's traffic to the domain controller when refreshing the DPM console (getting the 270 error). Looking at the Kerberos requests in the trace we can see what the DPM server asked for. Once we know that we can work on figuring out what we need to fix.

    /Steve


    Steve L [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.


    Steve,

    I figured out how to use the Wireshark Kerberos filter, took a while there. So the error I see is

     

    2007 8.763013 172.17.14.120 172.16.5.110 KRB5 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED

     

    Do you know how I might go about fixing this?

     

    Tuesday, October 26, 2010 10:46 PM
  • I don't think that error is the issue. We should be seeing an error about principal not found or similar. You might want to try stopping the MSDPM service and restarting it before trying to get a network trace. That's in case the service caches the ticket (which is normal).

    /Steve


    Steve L [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.
    Thursday, October 28, 2010 10:34 AM
    Moderator
  • Great... you saved my life.

     

    Tuesday, August 23, 2011 9:33 AM
  • I had the same error and the below fixed it for me

    Added NT AUTHORITY\Authenticated Users to the builtin Users group

    Refreshed the Agent and communication is OK now

    This happened after Windows Update installation and server restart.


    wojmis

    Wednesday, November 25, 2015 11:27 PM