I am close to giving up!

New to DPM but very experienced with networking/servers.

I installed DPM 2012 R2 and then installed rollup 2

I launch the DPM console, add some storage and then go to install the agent on a server - it fails

I get the standard message. When I check on the server I tried to install to I can see that the dpm 2012 r2 agent coordinator service was installed and running and listening on port 5719 but there is no DPMRA service.

So I perform a manual installation using the correct version from Rollup 2 on the server to be protected. This goes OK and I return to the DPM server to add the protected server. Made sure services were running on both servers, checkerd RPC, WMI, DCOM settings and all seems OK but when I try to add the protected server from the DPM console using the attach agent option it fails with error 370.

Followed the top 20 suggestions, configured firewall for all ports on both servers. Tried turning the firewall off and still will not install.

I have also tried using a Hyper-V server, a physical server and none will work which tends to point to an issue with the DPM server.

The thing that puzzles me is that after I perform a manual agent installation on the protected server this seems to knock out the dpm 2012 r2 agent coordinator service which is no longer listed under services wheras DPMRA is running. I expected both services to be installed and running.

When I perform a NETSTAT -a after installing the remote agent I can see port 5718 is listening but not port 5719

If I go back a step and try a dpm 2012 r2 agent coordinator install via DPM console (as part of adding the protected server) it does install dpm 2012 r2 agent coordinator and it listens on port 5719 but the DPMRA agent software is not installed.

I have tried deinstalling both the DPM agent software on the protected server and have even reinstalled DPM 2012 R2 with Rollup 2 with no change

I have verified communications between the servers. Checked the DPM server is in the relevant groups. Am at a complete loss on what to do next - it should not be this hard.

Can someone confirm to me that they expect both the dpm 2012 r2 agent coordinator service running on 5719 and the DPMRA service to be running on 5718 on the protected server which is what I assume but this is not happening!

DPM server is a physical box running Server 2012. Protected server is a Physical box running Server 2012 R2. I have also tried with a physical server 2008R2 with the same results. I am not running Server 2003

Hi,

Agent coordinator service is only installed long enough to install the DPMRA service, then it is un-installed.

For general agent communications troubleshooting, see the following blog.

Data Protection Manager Agent Network Troubleshooting  

Ah the light dawns!

After 3 long days trying everything I could think of and following all of the excellent guidance out there ( thanks guys) I have a workaround.

The answer was to make the dpm server computer account a member of the domain admins group.

After I restarted the DPM server I saw that although the protected server account was still in error - the error message changed from 270 to 316.

So I then add the protected server computer account to the domain admins group

After I restarted the computers I could see the magic OK in the status of the DPM console.

As an experiment I removed the protected servers computer account from domain admins and restarted the server. After the restart DPM could no longer communicate with error 316 again.

So I tried adding the DPM server computer account to the protected servers local administrators group but this did not work.

Deeply unhappy with making a computer account a member of domain admin group but it works.

The question is why? There is obviously a security permissions issue that does not affect domain admins.

I am running this on freshly built servers on a simple, single domain. Microsoft you need to look into this.

Hi,

I have heard of other customer having to do that, but that is not normal and means some security policy or other security related problem exists in the domain. 

Mike

My domain is almost out-of-the-box. Any permissions made are in addition to OOTB not taking away. The Domain Admin group permissions have never been altered. The policy for computers has had minor changes always adding not taking away.

I think the most frustrating thing for me is that the complete lack of any errors in the logs and the generic 370 error meant me having to spend days researching and testing.

It would help greatly if Microsoft were able to:-

1. Provide more detail on the actual errors in the logs when problems occur. error:370 can be caused by so many things that made this like looking for a needle in the haystack.

2. Provide a list of security policy settings required for this to work properly

This has been a very poor experience for me and I almost gave up in frustration.

Mike

My domain is almost out-of-the-box. Any permissions made are in addition to OOTB not taking away. The Domain Admin group permissions have never been altered. The policy for computers has had minor changes always adding not taking away.

I think the most frustrating thing for me is that the complete lack of any errors in the logs and the generic 370 error meant me having to spend days researching and testing.

It would help greatly if Microsoft were able to:-

1. Provide more detail on the actual errors in the logs when problems occur. error:370 can be caused by so many things that made this like looking for a needle in a haystack and in the end finding it in a different haystack.

2. Provide a list of security policy settings required for this to work properly

This has been a very poor experience for me and I almost gave up in frustration.

TIP: If you are really struggling with an issue like the one I faced try adding the computer accounts to Domain Admins group. For the simple reason that after you do so you may find more meaningful error messages that allow you to identify solutions. Then take the accounts out of the

When manually installing the DPM agent on the protected server, did you configure the DPM server name too? I run the installer with the host name of the DPM server as the only parameter. Maybe you didn't do this because this configures firewall and security groups for your DPM server.

Hi Marcus

Yes I ran the manual install using the fqdn of the DPM server.

All the recommended firewall exceptions were preconfigured correctly. The solution was to add both the protected serv and the dpm server machine accounts to the global domain admins group and then it worked. This single change enabled the connections.

There appears to be an asyet unknown domain security setting that was preventing the dpm to protected server communications.