
DPM 2007 Agent installation on DC Error 270


Deatheye

Nov 25, 2009, 5:43:01 AM

Hi

I'm starting to go insane because of this. It's the first time I'm working
with DPM. I had some problems with it before (installing it on 2008 R2), and
other little things which I could work out over time. But now I'm stuck.
I tried to install the agent on both of our DCs; both times the integration
into the DPM-Server failed. I don't remember the error I got on the Win2003
DC; right now I'm trying it on the 2008 DC.

I uninstalled it and installed it again, same as before.
No firewall is active on the DPM-Server or the DC.
I added the DPM-Server account to "Access this computer from the network"
in the Default Domain Controller policy, same as before.
I checked "Deny access to this computer from the network" inside the
Default Domain Controller policy; nothing is set there.
I checked the DPM machine account's membership in the groups
DPMRADCOMTrustedMachines, DPMRADmTrustedMachines and Distributed COM-Users.
Does anyone have any idea? Are there any logs somewhere I could check, or any
test possible to find the cause of this?
Installation worked on other systems. The only other hint I found is
something from around 2006 saying that you need to add the DCs before you
add any other server. If you add another server before all the DCs, you
could start again: removing all the servers from DPM, uninstalling all the
agents, then adding the DCs and then the other servers again. I only found
one post hinting in that direction, so I wonder: is this really (and still)
true? I hope not... there are some servers already integrated and some of
them I can't reboot that easily.

Praveen D [MSFT]

Nov 25, 2009, 7:54:17 AM

Hi Deatheye,

Can you please try the following steps to resolve this issue:
1. Please make sure that one of them holds between the DPM server's
   domain and the Domain Controller that you want to protect:
   a. The DPM server's domain is the same as the Domain Controller's
      domain.
   b. There is a two-way trust between the DPM server's domain
      and the Domain Controller's domain.
2. If you have set up sync between multiple Domain Controllers, can
   you please make sure that you have synced them all together. Help on
   synchronizing domain controllers:
   http://technet.microsoft.com/en-us/library/cc778969(WS.10).aspx
3. Uninstall the existing agents from the Domain Controllers,
   install the agent manually and then run SetDPMserver:
   http://technet.microsoft.com/en-in/library/bb870935(en-us).aspx
   Step 4 needs to be run on the protected server.
4. Now can you try to attach the Domain Controller on the DPM using
   step 5 present at:
   http://technet.microsoft.com/en-in/library/bb870935(en-us).aspx

Thanks,
Praveen D [MSFT]
This posting is provided “AS IS” with no warranties, and confers no rights

Deatheye

Nov 26, 2009, 11:25:01 AM

1. What does "one of them holds between the domains" mean?
Since the DC and the DPM are in the same domain I don't think this is a
problem.
2. Yeah, there are two DCs for this domain, so I assume you mean the regular
synchronisation between DCs?
I used repadmin /syncall.
3. Steps 3 and 4 I already had to do; since the DC is a 2008 Server, pushing
the agent isn't possible anyway. And I tried it several times and the result
was the same again.

A two-way trust between domains shouldn't influence this, right?
Do I need to use repadmin /syncall together with any more parameters, and on
all DCs inside the domain, or on all domains that have a trust to the one I
want to protect?

I'll go through the process again as soon as I'm sure everything is clear.
The reboot for the agent installation sucks a bit. It makes it hard to test
this since I cannot just reboot the servers whenever I feel like it :/

Deatheye

Nov 26, 2009, 11:29:01 AM

Additional info:
I just tried to uninstall the agent from the DPM-Server.
I got Error 310. Is this also because the DC is a 2008 server, or should
uninstalling be possible?

Deatheye

Nov 26, 2009, 11:31:01 AM

I meant error 302, sorry.
No function to edit? :/

Deatheye

Nov 27, 2009, 10:18:09 AM

Well, something interesting and new... maybe; this is all Greek to me.
I found a warning inside the DC's System log telling me that the WinRM service
could not generate two WSMAN SPNs. Took me some hour to fix it and generate
the SPNs manually. This was just a shot into the blue since I had no idea
anymore what to do.
Now for the first time I got some errors in the DC's Application log that have
something to do with DPM:

Source SidebySide ID:33
Fehler beim Generieren des Aktivierungskontextes für
"\\sdpm01\d$\Daten\DPM\DPM\Setup\ConfigureScp.exe". Die abhängige
Assemblierung
"Microsoft.VC90.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8""
konnte nicht gefunden werden. Verwenden Sie für eine detaillierte Diagnose
das Programm "sxstrace.exe".

and the second one:

Fehler beim Generieren des Aktivierungskontextes für
"\\sdpm01\d$\Daten\DPM\DPM\Setup\ConfigureScpTool.exe". Die abhängige
Assemblierung
"Microsoft.VC90.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8""
konnte nicht gefunden werden. Verwenden Sie für eine detaillierte Diagnose
das Programm "sxstrace.exe".

Does this ring a bell? I'm totally lost now.

Deatheye

Nov 30, 2009, 5:51:02 AM

I got the error pinned down a bit. I found something helpful under
http://omgili.com/newsgroups/microsoft/public/dataprotectionmanager/3CFD52EF-1477-4A98-8346-2721FCC813E2microsoftcom.html

That guy had the same problem and he mentioned that you could verify if it's
the same problem if you add the DPM-Server to the domain-administrator group.

Right after I added the DPM-Server to the domain admin group the error
message disappeared and the DPM-Server requested a reboot of the DC. I still
need to check out what happens after the reboot. But this is the first time I
see the reboot request and not the error 270. I'll try to look further into
this.

Deatheye

Nov 30, 2009, 9:39:01 AM

According to that guy he solved it by entering the DPM-Server into DCOM: Machine
Access Restrictions... & DCOM: Machine Launch Restrictions...
Which didn't solve it for me. But adding the DPM-Backupserver to the Domain
Admins seems to solve it. The reboot is still required so I'm not sure. But
as said before, now the backup server tells me I need to reboot the DC.

I'm stuck again. Is it a high security risk to give the Backup Server
Domain Admin rights?

Praveen D [MSFT]

Dec 1, 2009, 5:52:02 AM

Sorry for the delayed reply:
Adding the DPM server to the Admins group on the DC is not a good idea as it
has a security risk. Adding DPM to the Admins group on the DC allows all DPM
administrators to elevate themselves to Domain administrators. The suggested
way to solve this is by:

1. Adding the DPM machine to
   a) Distributed COM Users
   b) DPMRADCOMTrustedMachines
   c) DPMRADMTrustedMachines.
2. After this, run the following command on the production server (you need to
   copy SetAgentCfg.exe from DPM's <DPMInstall>\Setup\ to the production server's
   <DPMInstall>\bin location):
   SetAgentCfg.exe DPMRA <DPM machine name> DPMRADCOMTrustedMachines DPMRADmTrustedMachines

3. Restart the DPMRA service.

After this, try to refresh the agent on the DPM server. If you are still
hitting errors, please try to debug using eventvwr on the DPM server which is
trying to contact the DC. Also look at the events on the DC to see if it is
preventing the DPM server for any reason.

Thanks,
Praveen D [MSFT]
This posting is provided “AS IS” with no warranties, and confers no rights

Deatheye

Dec 2, 2009, 6:03:06 AM

Hi

Thanks for your reply. I already checked these groups before I even posted
here.
They exist and the DPM-server is a member of them.

I removed the DPM-server from the domain-admin group and checked the
eventlog on the DPM server:

DCOM hat den Fehler "2147942405" vom Computer "DomaincontrollerFQDN"
erhalten, als versucht wurde, den folgenden Server zu aktivieren:
{DA6AA17A-D61C-4E9C-8CEA-DB25DEA52A95}

Deatheye

Dec 2, 2009, 6:08:02 AM

I just noticed that step 2 is something new to me.

I tried running setagentcfg.exe on the domain controller. I received an error
that it's not the right architecture. The DPM backup server is installed as
the x64 version, the domain controller is the x32 version.
I searched for an x32 version inside the setup folder but didn't see any.


Praveen D [MSFT]

Dec 2, 2009, 7:50:38 AM

Thanks for looking into the eventvwr and sharing the data. On the DC
production server can you please add the DPM-Server to have the
Launch/Activation permissions and Access permissions to the DPM RA service.

This can be done on the DC production server by launching dcomcnfg.exe
from an elevated prompt -> Expand ( Console Root -> Computers -> My
Computer -> DCOM Config ) -> Select DPM RA -> Right click and select
Properties -> Go to Security tab -> Click Customize button for Launch and
Activation permissions -> Click Edit button and add the DPM Server.
Do the same thing for Access permissions also, which is just below the
Launch and Activation permissions. Now you can try Agent refresh on the DPM
server.

Thanks,
Praveen D [MSFT]
This posting is provided “AS IS” with no warranties, and confers no rights

Deatheye

Dec 2, 2009, 11:09:01 AM

Launch and Activation permissions already had the DPM Server as a member with
all the rights activated and none denied.
Access permissions were set to standard, so I changed that to add the DPM
server, and set local and remote starting permissions.
Still got the error 270.
I also checked the eventlog again; it seems like I didn't get that DCOM error
again in the eventlog. Actually I didn't get any DCOM error on the backup
server since the last time I posted.
I searched for the CLSID named in the error entry.
Found it: HKEY_CLASSES_ROOT\CLSID\{DA6AA17A-D61C-4E9C-8CEA-DB25DEA52A95}
DPM RA Command Processor Class

Deatheye

Dec 2, 2009, 11:18:01 AM

Since I removed the backup server from the domain-admin group I also receive
emails from the backup server telling me (roughly translated from German to
English):
protection could not be configured. DPM could not communicate with the
agent on DCFQDN. Cause: Access denied.

Probably not helpful at all...

Deatheye

Dec 4, 2009, 5:27:02 AM

Looks like I found it...
Some... how should I call it... nice guy had the fantastic idea to remove
NT-authority\authenticated users and nt-authority\interactive from
builtin\users on the DCs... think I need to slap some faces...

Do you have a detailed technical explanation why this caused problems with
DPM and dcom?
I don't understand that, but at least I'm not stupid enough to remove
standard memberships as long as I don't know what I'm doing...
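
The checks this thread converged on, collected into a read-only PowerShell audit. This is an added example, not code from the posters or from Microsoft; it assumes the ActiveDirectory module, that the two DPMRA groups exist in the domain under the names used in the thread, and a placeholder server name `DPMSERVER`. It also decodes the DCOM event code 2147942405, which is 0x80070005 (Win32 error 5, access denied).

```powershell
# Added example: read-only audit, run on or against the DC. Needs the ActiveDirectory module.
Import-Module ActiveDirectory

function ConvertFrom-DcomError {
    param([Parameter(Mandatory)][long]$Code)   # decimal code from the DCOM event text
    $win32 = [int]($Code -band 0xFFFF)         # low 16 bits carry the Win32 error
    [pscustomobject]@{
        HResult = '0x{0:X8}' -f $Code
        Win32   = $win32
        Message = (New-Object System.ComponentModel.Win32Exception -ArgumentList $win32).Message
    }
}

function Test-DpmDcPrerequisites {
    param([Parameter(Mandatory)][string]$DpmServer)
    $computer = Get-ADComputer -Identity $DpmServer
    $results  = @()

    # BUILTIN\Users (S-1-5-32-545) should still hold its default well-known members.
    # They are stored as CN=<SID>,CN=ForeignSecurityPrincipals,<domain DN>.
    $users    = Get-ADGroup -Identity 'S-1-5-32-545' -Properties member
    $defaults = [ordered]@{ 'S-1-5-11' = 'Authenticated Users'; 'S-1-5-4' = 'INTERACTIVE' }
    foreach ($sid in $defaults.Keys) {
        $hit = @($users.member) -like "CN=$sid,CN=ForeignSecurityPrincipals,*"
        $results += [pscustomobject]@{
            Check = "BUILTIN\Users contains NT AUTHORITY\$($defaults[$sid])"
            Pass  = (@($hit).Count -gt 0) }
    }

    # The DPM machine account must be a direct member of the three groups from the thread.
    # S-1-5-32-562 is BUILTIN\Distributed COM Users; the other two names are taken from the page.
    foreach ($g in 'S-1-5-32-562', 'DPMRADCOMTrustedMachines', 'DPMRADmTrustedMachines') {
        $grp = Get-ADGroup -Identity $g -Properties member
        $results += [pscustomobject]@{
            Check = "$DpmServer is a member of $($grp.Name)"
            Pass  = (@($grp.member) -contains $computer.DistinguishedName) }
    }

    # The diagnostic workaround must be rolled back: no (nested) Domain Admins membership.
    $daSid  = "$((Get-ADDomain).DomainSID.Value)-512"
    $daSids = @(Get-ADGroupMember -Identity $daSid -Recursive | ForEach-Object { $_.SID.Value })
    $results += [pscustomobject]@{
        Check = "$DpmServer is NOT in Domain Admins"
        Pass  = ($daSids -notcontains $computer.SID.Value) }
    $results
}

ConvertFrom-DcomError -Code 2147942405                  # code from the event quoted in the thread
Test-DpmDcPrerequisites -DpmServer 'DPMSERVER' | Format-Table -AutoSize   # placeholder name
```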
