Troubleshooting Agent Deployment in Data Protection Manager 2007 - DCOM

The DPM agent is a DCOM application - it cannot function correctly without proper DCOM configuration. This section covers the necessary configuration checks to make sure that DCOM is configured correctly.

Non-Clustered Member Servers:

As a rule, DCOM Settings for a working DPM 2007 Agent are evidenced by a lack of problems:  You'll need to check Event Viewer, Add\Remove Programs, DCOMCNFG, and WBEMTEST in order to confirm the COM is working.

Event Viewer:

Make sure that there are no VSS or DCOM errors showing up in the event logs on the agent and the DPM server.

Here are some examples of what you might see on your DPM Server if DCOM needs to be checked out....

5/6/2008 8:46:46 AM 1 0 10006
DCOM N/A
<<DPMserverName>> 2148007941 <<DPM serverName fqdn>>
{C4EBD674-1457-4B79-BE30-B04735AED9D1}     

Event Type: Error
Event Source: DPM-EM
Event Category: None
Event ID: 2
Date: 5/8/2008
Time: 9:02:00 AM
User: N/A
Computer: <<DPMserverName>>

Creation of recovery points for <<Protected ServerName>> on
<<Protected ServerName fqdn>> have failed.
The last recovery point creation failed for the following
reason: (ID: 3159)

The replica of <<Protected ServerName>> on
<<Protected ServerName fqdn>> is not consistent
with the protected data source. (ID: 30301)

 

DCOMCNFG:

Open DCOMCNFG, by clicking on Start\Run, and entering ‘DCOMCNFG’. Navigate down to

Console Root\Component Services\Computers\My Computer and open the properties of ‘My Computer’.

Note: If 'My Computer' has a red 'X' by it and the properties cannot be fully displayed, check the MSDTC (Distributed Transaction Coordinator) service to make sure it is running. If it doesn’t start, correct this problem before continuing. If the protected computer is a member server or workstation, try starting it and setting the service to 'Automatic' and rebooting. After logging onto the machine, open DCOMCNFG and 'My Computer' should appear without a red 'X' by it. If the system is a clustered server, make sure the cluster service is running as this will affect the MSDTC service's ability to run. MSDTC doesn’t, however, have to be a clustered resource in order for this to work correctly.

Check also for the existence of 2 DCOM Applications that are installed when the DPM Agent (recall that the DPM Agent is often called the "DPMRA")  is installed on a server or workstation. Following are the settings for the DPMRA and WSSCmdletsWrapper DCOM applications.

‘DPM RA’ DCOM Application

Navigate through the "DCOM Config" tree to the DPM RA Service, as below, and select properties.

image

 

1. Under 'General', "Authentication Level - Default"
2. Under 'Location', only "Run application on this computer" should be checked
3. Under Security, verify that the "Launch and Activation Permissions" (select "Edit") include the machine account for the DPM Server as shown below.

clip_image002

clip_image004

4. Under Endpoints, leave "… default system protocols …" as the only entry.

5. Under Identity, the radio button "The system account (services only)." should be checked.

 

WSSCmdletsWrapper

This DCOM application appears under the same tree as above (My Computer / DCOM Config / WSSCmdletsWrapper / Properites).  The related application is C:\Program Files\Microsoft Data Protection Manager\DPM\bin\WSSCmdletsWrapper.exe.

1. Under 'General', "Authentication Level - Default"
2. Under 'Location', only "Run application on this computer" should be checked
3. Under Security, you should see

image

4. Under Endpoints, leave "… default system protocols …" as the only entry.
5. Under Identity, the radio button, "The launching user" should be checked. 

If you're concerned that the DCOM permissions have been modified, check the following registry key on both the protected server and the DPM server. There are up to 4 registry values added at the root of the OLE key.

HKLM\Software\Microsoft\Ole – check for the existence of the following value: ‘EnableDCOM’[REG_SZ] = ‘Y’  if not present, or if it is set to ‘N’ – either add the value or change it to ‘Y’. This is the registry storage location which tells if DCOM is enabled or disabled.

To reset the DCOM security, at the OLE registry key, delete all keys except for 'Default' and 'EnableDCOM'. Now reboot the server. When the server comes back up, the DCOM security will be at the default and you will need to open up DCOMCNFG in order to reconfigure it.

NOTE: Please backup the OLE key before you delete it. This will not cause the server to fail to boot but having a copy of the key will allow you to return it to its previous configuration if needed or desired.

The DPM Agent requires Distributed COM to work and does not require COM+ for agent installation or normal operation. Agents can be deployed on to systems that do not have the "Enable network COM+ Access" enabled within Add\Remove Programs.

Local DCOM Settings for DPM Agents are shown below.

1. Check to make sure that DCOM is enabled on the server that is going to be protected by DPM. This can be done in 2 ways. From within the UI, check the following in DCOMCNFG.

Open DCOMCNFG, by clicking on Start\Run, and entering ‘DCOMCNFG’. Navigate down to

Console Root\Component Services\Computers\My Computer and open the properties of ‘My Computer’.

On the "Default Properties" tab, "Enable Distributed COM on this computer" should be checked.

image

 

2. Check to make sure that the "Default Authentication Level" is set to "Connect" and “Default Impersonation Level" is set to "Identify".

3.  The other option is to check the registry. Look for the key " HKLM\Software\Microsoft\Ole\EnableDCOM = Y"<REG_SZ> – check for the existence of this key and if not present, or if it is set to 'N' – either add the value or change it to 'Y'.

4. Back to the GUI on the Default Protocols tab - confirm that "Connection-oriented TCP\IP" is at the top. Also check the properties for DCOM port range to see if there are any restrictions (by highlighting "Connection-oriented TCP\IP" and selecting properties).  Most likely, the screen will be blank, as below.

image

There are several registry settings that control the DCOM port restriction functionality. All of the named values listed below are located under the

HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet

registry key. This registry key does not appear in the registry by default and must be created. If you find a need to restrict the  DCOM ports, you should add the same port restrictions to both the DPM server and the protected server.

Note: You must reboot your machine any time you make changes to any of the following registry settings in order for them to take effect. Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

NAME TYPE

VALUE

Ports

REG_MULTI_SZ

Specify one port range per line. Example: 3000-4000 5141

DESCRIPTION: One or more port ranges. The options below determine the meaning of this named value.

PortsInternetAvailable REG_SZ "Y" (don't include quotes)

DESCRIPTION: Always set this to "Y".

UseInternetPorts REG_SZ "Y" or "N" (don't include quotes)

 

DESCRIPTION:  If this value is set to "Y", then the Ports named value indicates which ports should be used for DCOM applications. If this value is set to "N", then the Ports named value indicates which ports should NOT be used for DCOM applications.

Examples:

1. Add the Internet key under: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc

2. Under the Internet key, add the values "Ports" (MULTI_SZ),

"PortsInternetAvailable" (REG_SZ), and "UseInternetPorts" (REG_SZ).

In this example ports 5000 through 5100 inclusive have been arbitrarily selected to help illustrate how the new registry key can be configured.  For example, the new registry key appears as follows:

Ports: REG_MULTI_SZ: 5000-5100

PortsInternetAvailable: REG_SZ: Y

UseInternetPorts: REG_SZ: Y

 

3. Restart the server. All applications that use RPC dynamic port allocation use ports 5000 through 5100, inclusive. In most environments, a minimum of 100 ports should be opened, because several system services rely on these RPC ports to communicate with each other.

You should open up a range of ports above port 5000. Port numbers below 5000 may already be in use by other applications and could cause conflicts with your DCOM application(s). Furthermore, previous experience shows that a minimum of 100 ports should be opened, because several system services rely on these RPC ports to communicate with each other.

Note: The minimum number of ports may differ from computer to computer and depends on the configuration of the computer.

To test and verify connectivity after making this registry change you can utilize the DCOMtest.exe tool. To download the tool and get additional details regarding the use and results you can leverage the following article.

KB259011 “SAMPLE: A Simple DCOM Client Server Test Application”

<https://support.microsoft.com/default.aspx?scid=kb;EN-US;259011>

For additional details on Using Distributed COM with Firewalls you can leverage the following links:

KB154596 “How to configure RPC dynamic port allocation to work with firewalls”

<https://support.microsoft.com/default.aspx?scid=kb;EN-US;154596>

<https://msdn2.microsoft.com/en-us/library/ms809327.aspx>

4. Check the COM Security tab for the following settings. The 'Edit Default' settings do not have to be modified.

On the COM Security tab, under Access Permissions, click Edit Limits.

Verify that the “Distributed COM Users” group is allowed both Local Access and Remote Access permissions. This is the group where the DPM Server's machine account has been added. This group is available after SP1 for Windows Server 2003 is applied, and after Windows XP SP2 has been applied.

image

after checking "Edit Limits" you'll see

image

 

6.  On the COM Security tab, under Launch and Activation Permissions, click Edit Limits. 

image

Verify that the Distributed COM Users group is allowed the following permissions:

·    Local Launch
·    Remote Launch
·    Local Activation
·    Remote Activation

Be sure to run secpol.msc and make sure that local security policy is not preventing network access. 

1. Check ‘User Rights Assignment’ to confirm that the DPM Server’s machine account
   or authenticated users is specified here.
2. Make sure that “Deny access to this computer from the network” does not include
   the DPM Server's machine account, Everyone, Administrators, or Authenticated Users
   as these will prevent the DPM Server from connecting.

Troubleshooting Security is beyond the scope of this article, but for a good reference, check out:

       909887  Error message when you try to view a Web site that is hosted on Internet 
       Information Server 6.0 by using anonymous access: "401.1 Unauthorized: Logon failed"
       https://support.microsoft.com/default.aspx?scid=kb;EN-US;909887

 

If Agent issues have been preventing consistency checks and/or replication, you may need to now reboot, uninstall the DPMRA, reboot, and reinstall.

 

Authors:
Victor Reavis
Tom Acker
Microsoft Corporation Enterprise Support