When you install a Microsoft System Center Data Protection Manager 2007 Protection Agent on a target server, you may receive an error Agent operation failed. (ID: 370) followed by another error Id. This article discusses how to troubleshoot agent installation errors based on the second error id that you receive.
When you install Microsoft System Center Data Protection Manager (DPM) 2007 Protection Agent on a target server, you may receive the following error message:
Agent operation failed.
Then, you receive one of the following Error IDs:
- Error ID: 7:
Unable to connect to the Active Directory Domain Services database. Make sure that the DPM server is a member of a domain and that a domain controller is running. Also verify that there is network connectivity between the DPM server and the domain controller
Details: The specified directory service attribute or value does not exist
- Error ID: 277:
Could not connect to the service control manager on FQDN_Server_Name. (ID: 277)
1) Make sure that FQDN_Server_Name is online and remotely available from the DPM server.
2) If a firewall is enabled on FQDN_Server_Name, make sure that it is not blocking requests from the DPM server.
- Error ID: 302:
The protection agent operation failed because it could not access the protection agent on server %FQDN_of_Production_Server%. The server %FQDN_of_Production_Server% may be running DPM, or the DPM protection agent may have been installed by another DPM computer. (ID: 302)
- Error ID: 313: DPM 2007 can successfully deploy agents to member servers in a Windows Server 2003 domain. However, you cannot deploy an agent to any other domain controller. Installation reaches 90% and then fails with this error:
Install protection agent on computername failed. Error 313: The agent operation failed because an error occurred while running the installation program on computername. Error details: Fatal error during installation [0x80070643].
- Error ID: 326:
The protection agent operation failed because access was denied to the Servername DPM server. (ID: 326)
- Error ID: 337:
Data Protection Manager Error ID: 337
You cannot install the protection agent on targetserver because access to the computer has been denied.
These errors occur for the following reasons:
- Error ID: 7: This error occurs when the target server is in a different organizational unit in Active Directory, and authenticated users do not have read access to this organizational unit. Therefore, the DPM service account cannot find the server in Active Directory.
- Error ID: 277: This error occurs when Network DTC access is disabled.
- Error ID: 302 and Error ID: 337: These errors occur when the Service Principal Names (SPNs) for the server are not consistent in Active Directory. The agent installation may use the incorrect information to complete the installation and connection. This problem can cause many symptoms.
- Error ID: 313: This error occurs when the DPM agent setup wizard does not have sufficient permissions to write files to a directory or to a registry subkey. You may also receive this error when there was a failed DPM agent installation on this or other domain controllers within the domain.
- Error ID: 326: This error occurs when a dialog box appears on the destination server where you are installing the DPM agent. This dialog box is only visible from the console of that server. This dialog box requires manual interaction to acknowledge and close the dialog box. This dialog box is only visible from the console of that server. Until this dialog box is closed, you cannot deploy the DPM agent to this server.
To resolve this issue, use the resolution for the specific Error ID that you receive.
Resolution for Error ID: 7
To resolve this error, change the Authenticated Users group so that it has read permissions for the organizational unit that the target server is a member of. To do this, follow these steps:
- On the domain controller, open the Active Directory Users and Computers MMC.
- Right-click the organizational unit that contains the target server, and then click Properties.
- On the Security tab, add the Authenticated Users group and give them READ permissions.
- Redeploy the DPM protection agent to the protected server.
Resolution for Error ID: 277
To resolve this issue, follow the steps in Microsoft Knowledge Base article 817064, and then redeploy the DPM agent to both cluster nodes.
How to enable network DTC access in Windows Server 2003
Resolution for Error ID: 302 and Error ID: 337
To resolve this issue, run the SetSPN tool and check the Service Principal Names for the server that you cannot push the agent to. Note
For more information about how to obtain the latest version of the SetSPN tool, click the following article number to view the article in the Microsoft Knowledge Base:
Setspn.exe support tool update for Windows Server 2003
- Log on as a Domain Administrator.
- At a command prompt, type the following command, and then press ENTER:
setspn -L ServernameNote In this command, the placeholder Servername represents the target server that you cannot deploy the DPM agent to.
The resulting output should resemble the following:
Notice that all the "HOST/" SPNs entries that are listed in the output indicate that the primary DNS is set to Incorrect_Servername, not Servername. When the agent is being deployed, the DPM server is resolving the name TARGETSERVER.SERVERNAME, and this is what is being used to build the SPN that it is being requested at the time of agent deployment. However, because the SPNs that are registered for targetserver are for www.Incorrect_Servername, the Kerberos connection attempt fails, and an attempt is made to establish an anonymous connection. This may results in an event ID 6033 logged on the Exchange server.
Registered ServicePrincipalNames for CN=TARGETSERVER,OU=Member
- Verify that there are no duplicate SPNs of the target server. At a command prompt, type the following command, and then press ENTER:
setspn -X Examine the output for any duplicates of the desired SPN for the target server.
- To make sure that the Host SPNs are registered correctly, type the following commands at a command prompt. Press ENTER after each command.
setspn -a HOST/targetserver.Servername targetserver
setspn -a HOST/targetserver targetserver
- Replicate the changes throughout Active Directory.
- Redeploy the DPM protection agent to the affected servers.
For more information about the SetSPN tool, visit the following Microsoft TechNet Web site:
Resolution for Error ID: 313
To resolve this issue, use one of the following methods.
To troubleshoot the permissions issue, examine the Msdpm installation log file that is located on the client computer in the following folder:
Determine which folder or registry subkey could not be accessed, and then give the client computer's Administrators group permission to write to them.
If there was a previous failed attempt to install the agent to this domain controller or to another domain controller, please verify and delete any entries in the Users
container of the Active Directory Users and Computers tool that resemble the following:
You can safely delete these entries because they are duplicates of the DPMRADCOMTrustedMachines and DPMRADmTrustedMachines groups. They can easily be identified by the CNF:GUID
text that is appended to each entry. After you have deleted these entries, run the Repadmin.exe to force replication of the changes to Active Directory to the other domain controllers, or you can give Active Directory sufficient time to replicate these changes to the other domain controllers.
Resolution for Error ID: 326
To resolve this issue, log on to a console session on the destination server and then manually acknowledge the dialog box after you retry to install the DPM agent.