Protecting multiple Domain Controllers in a multi-DPM server environment

If you protect more than one domain controller and use more than one DPM server to do it, you may find that, at random times, all servers protected by Data Protection Manager ("DPM") lose their connection with the DPM server. The servers may lose connection over a short period of time rather than all at once. This can occur with Data Protection Manager 2006, with 2007, or with a mixture of both.

This can occur if the domain controllers are protected by more than a single DPM server. In other words, one domain controller is protected by one DPM server, and another domain controller is protected by a different DPM server.

Another symptom may be the existence of bogus entries in the Users container in Active Directory Users and Computers. These entries have names similar to DPMRADCOMTrustedMachinesCNF:28f84c90-fa10-4ff7-b4fa-7d945440e08b.

This issue is caused by the replication process between the domain controllers.

There are two workarounds for this issue:

1. Have all domain controllers protected by a single DPM server.

2. To allow domain controllers to be protected by different DPM servers, do the following:

Step 1. Delete all the bogus DPMRADCOMTrustedMachinesCNF:{GUID} entries on ONE domain controller, then wait a few hours for the changes to be replicated throughout your environment, including remote sites. The amount of time required will vary based on the domain topology.

Step 2. On ONE domain controller, confirm that all DPM server names are members of the following groups:






Distributed COM Users


Allow sufficient time for the changes to replicate throughout the domain.
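
The two steps above can be checked with a read-only audit against a single domain controller. This is an added example, not part of the original article or of DPM. It assumes the ActiveDirectory PowerShell module is installed, and the names `DC01`, `DPM01` and `DPM02` are placeholders.

```powershell
# Added example: read-only audit for workaround 2, run against ONE domain controller.
Import-Module ActiveDirectory

# Assumptions: placeholder names, replace with your own.
$DC         = 'DC01'                      # the single DC you make changes on
$DpmServers = @('DPM01', 'DPM02')         # DPM server computer names
# Only the group name that appears on this page; add any others you need to check.
$Groups     = @('Distributed COM Users')

# Step 1: find the conflict duplicates of DPMRADCOMTrustedMachines in the
# Users container. The wildcard before "CNF:" also covers the separator
# character that Active Directory places in conflict object names.
$usersContainer = (Get-ADDomain -Server $DC).UsersContainer
$conflicts = @(Get-ADObject -Server $DC -SearchBase $usersContainer -SearchScope OneLevel `
    -LDAPFilter '(name=DPMRADCOMTrustedMachines*CNF:*)' -Properties whenCreated)

if ($conflicts.Count -eq 0) {
    Write-Output "No DPMRADCOMTrustedMachines conflict entries found on $DC."
} else {
    $conflicts | Select-Object DistinguishedName, whenCreated | Format-List
    # Preview the deletion only; drop -WhatIf after reviewing the list above.
    $conflicts | Remove-ADObject -Server $DC -WhatIf
}

# Step 2: confirm every DPM server's computer account is in each group.
# Computer accounts carry a trailing "$" in sAMAccountName.
foreach ($group in $Groups) {
    $members = @(Get-ADGroupMember -Server $DC -Identity $group |
        Select-Object -ExpandProperty SamAccountName)
    foreach ($server in $DpmServers) {
        [pscustomobject]@{
            Group    = $group
            Server   = $server
            IsMember = $members -contains "$server`$"
        }
    }
}
```

Rerun the same script against another domain controller after replication to confirm that the conflict entries are gone there as well.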

Author: Kevin McNiel
Support Engineer
Microsoft Enterprise Platforms Support