Support Tip: Moving a DPM protected machine using Certificate Based Authentication from a domain to workgroup causes Consistency Checks to fail


Consider the following scenario:

In your environment you have a Windows domain controller, a computer running System Center 2012 Data Protection Manager (DPM) and one member server. You are using Certificate Based Authentication (CBA) for the domain member and the domain member name is MemberServer.Contoso.Com.

Note: The proper steps to set up CBA have been followed, as described in the following:

You have successfully created a Protection Group (PG) and a backup has completed successfully.

You later remove the server from the domain and place it into a workgroup. The server name changes from “” to just “MemberServer”. This is important to note.

From this point forward, a Consistency Check (CC) will fail with the following error:

DPM Alert Event: (ID: 3170) DPM failed to communicate with the protection agent on because the computer is unreachable.

If you then run attach-productionserverwithcertificate.ps1, you will see the following error:

DPM Alert Event: (3122) The DPM protection agent on memberserver could not be contacted. Subsequent protection activities for this computer may fail if the connection is not established. The attempted contact failed for the following reason: (ID:3122) The DPM CPWrapper Service authorization failed on the MemberServer computer. Exception Message= Access is denied. (ID: 33303)


The common assumption is that as long as the certificate is in place, is valid and the CRL can be resolved, everything should keep working after the server is moved into a workgroup. This is incorrect. The certificate thumbprint in use by the member server is used to create a bin file and to make registry entries on both the protected server and the DPM server.

The registry key created on both the DPM server and the protected server is:
The bin file used to create the registry entries is:

When DPM performs an authorization check, it checks the registry for, notes that it's there and makes a CC attempt. The problem is that this server does not exist anymore. Remember, we removed it from the domain. As such, any CC attempt for that server will fail.
Running attach-productionserverwithcertificate.ps1 also fails, because no new bin file has been created for MemberServer. Remember that removing the server from the domain changed the server name. The DPM server has a bin file and registry entry for “”, not for “MemberServer”.


1.) Re-run the SetDPMserver command on the protected server. This will create:

a.) A bin file named CertificateConfiguration_MemberServer.bin
b.) The associated registry keys on the protected server.

2.) Take the CertificateConfiguration_MemberServer.bin file to the DPM server and re-run Attach-ProductionServerWithCertificate.ps1, specifying the newly created bin file from the protected server. This will create:

a.) The associated registry key on the DPM server for MemberServer.

You can now create a new Protection Group (PG) for “MemberServer” and continue with your backups.
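A pre-check for the name mismatch described above, added here as an example that is not part of the original post or of DPM itself: it works out the name DPM uses for this server (FQDN while domain-joined, short name in a workgroup, as the post describes) and compares it with the name embedded in CertificateConfiguration_<Name>.bin. The default bin directory and the function names are assumptions.

```powershell
<#
 Added example, not part of the original post or of DPM: checks for the
 name mismatch described above. DPM ties the CBA registration to the name
 SetDpmServer saw, so MemberServer.Contoso.Com no longer matches a
 workgroup member called MemberServer.
 Assumption: the default $BinDirectory path is a guess; point it at the
 folder where SetDpmServer wrote CertificateConfiguration_<Name>.bin.
#>
param(
    [string]$BinDirectory = "$env:ProgramFiles\Microsoft Data Protection Manager\DPM\bin"
)

function Get-DpmProtectedServerName {
    # Domain member: FQDN (MemberServer.Contoso.Com); workgroup member: short name only.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.PartOfDomain) { return '{0}.{1}' -f $cs.Name, $cs.Domain }
    return $cs.Name
}

function Test-DpmCertificateConfiguration {
    param([Parameter(Mandatory)][string]$Directory)
    $current = Get-DpmProtectedServerName
    $prefix  = 'CertificateConfiguration_'
    $files   = Get-ChildItem -Path $Directory -Filter "$prefix*.bin" -ErrorAction SilentlyContinue
    if (-not $files) {
        Write-Warning "No $prefix*.bin in $Directory; run SetDpmServer on this server first."
        return $false
    }
    $matched = $false
    foreach ($f in $files) {
        # The registered name is everything between the prefix and '.bin'.
        $registered = $f.BaseName.Substring($prefix.Length)
        if ($registered -ieq $current) {
            Write-Host "OK: $($f.Name) matches the current name '$current'."
            $matched = $true
        } else {
            Write-Warning "$($f.Name) was generated for '$registered' but this server is now '$current'."
        }
    }
    if (-not $matched) {
        # Mismatch: this is the state that produces ID 3170 on CC and ID 3122 on attach.
        Write-Host "Re-run SetDpmServer here, copy $prefix$current.bin to the DPM server,"
        Write-Host "re-run Attach-ProductionServerWithCertificate.ps1 with it, then create a new PG."
    }
    return $matched
}

Test-DpmCertificateConfiguration -Directory $BinDirectory
```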

NOTE: The old PG cannot be associated with this server. You can delete the PG and retain the data on disk. See the following for more information.

Shane Brasher | Senior Support Escalation Engineer
