DPM failed to communicate with the protection agent

Here is the problem: on DPM, one of the agents for a protected server stops communicating with DPM. You see the error “DPM failed to communicate with the protection agent on protectedservername.domainname.com because access is denied. (ID 42 Details: Access is denied (0x80070005))”

In my scenario the protected server was in a non-trusted domain. I checked a couple of things as a part of the troubleshooting process. Here is what I checked:

 

  1. Made sure DPM can ping the protected server and the protected server can ping the DPM server.
  2. Checked firewalls on both DPM server and protected server to make sure nothing changed here.
  3. Checked the network for high latency and saturation.  (Link to tutorial on checking latency: Tutorial)
  4. Checked to make sure the user account being used by DPM was in the following security groups on the protected server:

     DPMRADmTrustedMachines
     DPMRADCOMTrustedMachines
     Distributed COM Users

  5. Checked DPM services on the DPM server to make sure they are configured to run using the Local System account.
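
The group membership check in the list above can be scripted on the protected server. This is an added example, not from the original post; it assumes Windows PowerShell 5.1 or later (for the LocalAccounts cmdlets), the function name Test-DpmAgentGroupMembership is hypothetical, and dpmaccount is the sample account name used in the SetDpmServer.exe command on this page.

```powershell
# Added example: report whether an account is in the local groups the DPM agent relies on.
# Run on the protected server. Function name is hypothetical; group names are from this page.
function Test-DpmAgentGroupMembership {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$AccountName,
        [string[]]$GroupName = @(
            'DPMRADmTrustedMachines',
            'DPMRADCOMTrustedMachines',
            'Distributed COM Users'
        )
    )

    # Members are listed as COMPUTER\name or DOMAIN\name; treat a bare name as a local account.
    if ($AccountName -notmatch '\\') {
        $AccountName = "$env:COMPUTERNAME\$AccountName"
    }

    foreach ($group in $GroupName) {
        if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) {
            # Group absent, for example because the agent is not installed on this machine.
            $status = 'GroupNotFound'
        }
        else {
            try {
                $members = Get-LocalGroupMember -Group $group -ErrorAction Stop
                # -contains is case-insensitive, which matches how Windows compares account names.
                $status = if ($members.Name -contains $AccountName) { 'Member' } else { 'Missing' }
            }
            catch {
                # Enumeration can fail, for example when the group holds an unresolvable SID.
                $status = "QueryFailed: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{ Group = $group; Account = $AccountName; Status = $status }
    }
}

# Sample call using the sample account name from this page.
Test-DpmAgentGroupMembership -AccountName 'dpmaccount' | Format-Table -AutoSize
```

A row with Status other than Member points at the group to fix before re-running the agent attach steps.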

None of the items I checked was the issue. The last thing to check was the account used by the DPM agent as the protected server is in a non-trusted domain. That turned out to be the issue. The account being used by the DPM agent needed to be re-sync’d. Here are the steps I took to do this.

 

 

 

On Protected Server:

  • Open elevated command prompt
  • Navigate to: C:\Program Files\Microsoft Data Protection Manager\DPM\bin
  • Run:

SetDpmServer.exe -dpmServerName DPMSERVERNAME.DOMAINNAME.com -isNonDomainServer -userName dpmaccount

PASSWORD: ************

 

On DPM server:

  • Open DPM PowerShell.  You will be here: PS C:\Program Files\Microsoft DPM\DPM\bin\
  • Run:

Attach-NonDomainServer.ps1

  • You will be prompted for the following:

DPMServer::
PSName::

UserName::
Password::

 

 

After doing this the agent will be able to communicate again.
