logo-header-sc-dpmgr-dg

When the DPM agent is installed on a machine that is to be protected by DPM, the admin doing the install specifies credentials that will be used for the initial installation.

After the installation phase has completed however, the DPM Agent services on the target machine to be protected will start up in the security context of their machine account and attempt to report back to the DPM server.  During that time the GUI console on the DPM server will be sitting and waiting for the target machine to report back in.

IF the target machine never reports back in to the DPM server, the error eventually logged on the DPM server is: Error: Data Protection Manager Error ID: 270

For these operations to succeed, the following needs to be in place:

a) The user account that is specified during the agent installation must have permissions to install the service on the target machine.
This is usually straight-forward to analyze as the agent will simply fail to install if you don’t have the required admin permissions on the target machine.

b) The DPM server must have the ‘Access this computer from the Network’ user right on the target machine
If this user right is missing the DPM server will not be able to initiate communication with the target machine

c) The target machine must have the ‘Access this computer from the Network’ user right on the DPM server.
If this user right is missing the DPM agent will not be able to report in to the DPM server.

By default the Authenticated Users security group has the ‘Access this computer from the Network’ (NetworkLogonRight) user right on all machines in the domain, if this is removed the admin needs to make sure that this User Right is granted through another group (the Domain Computers group for example). 

Adding only the Domain Users group instead of Authenticated Users is not sufficient as the computer accounts in the domain are not a member of it.

d) The target server and DPM machine must have unique SPN’s (Service Principal Names) registered.

HOST\targetserver.domain.com on the target server computer account and HOST\dpmserver.domain.com on the DPM server computer account (FQDNS HOST SPN's are registered by default on all computer accounts when they are created as well as the NetBIOS SPN for).

You can verify the SPN’s are in place by running the Setspn command (setspn –l <computer account>) for the target machine and DPM server.

If you look at gpedit.msc and the User Rights on the DPM server and target machine it should give you a summary of the user rights that are effective on the machines.  Running GPResult /Z should also give the same result in a text format.

Apart from the User Rights and SPN’s, you also need to make sure DCOM is correctly configured:

Further reading:

Troubleshooting Protection Agent Installation Issues
http://technet.microsoft.com/en-us/library/bb808878.aspx

Troubleshooting Agent Deployment in Data Protection Manager 2007
http://blogs.technet.com/askcore/archive/2008/04/23/troubleshooting-agent-deployment-in-data-protection-manager-2007.aspx