Data Protection Manager (DPM) 2007 issue on Domain Controllers

Be very careful when deploying DPM to multiple domain controllers in an environment.

Lesson Learned:

When installing Data Protection Manager (DPM) agents onto Active Directory Domain Controllers (DC), the following needs to occur.

1. Agent MUST be installed on each DC, ONE AT A TIME.

2. After EACH installation, you MUST run replication using the repadmin /syncall command to force replication

3. Failure to do this will cause major issues….

Why:

When the agent is installed on a domain controller it creates two Domain Local Security Groups in the Users Organizational Unit (OU): DPMRADCOMTrustedMachines and DPMRADmTrustedMachines. If you do not replicate after EACH DC Agent installation, the SID’s on these groups get hosed. This can be checked by going into the Members of these groups and determining if the DPM Servername has been changed to DUPLICATE$. If you see this, life just got quite a bit uglier.

Hot to Fix it:

1. Remove the DPM Agent using Add/Remove programs

2. Remove the above Security groups from Active Directory

3. Using the DPM Console, remove the Domain Controllers using the remove agent utility. You will get a pop up stating that the system in question does not appear to have the agent installed and would you like to remove it from the DPM Database. Yes, you do.

4. At this point, you may resume installing your DC’s. One at a time, as directed above.

Recommendation:

Always install the Domain Controller DPM agents first. Otherwise, you get to spend your nights uninstalling ALL the Agents from every server in the DPM environment and starting over… that’s not my definition of fun.

By the way, it appears that at this point in time none of this information is addressed in the Installation and Configuration guide. Searching for resolutions to this issue, there isn’t a lot out there for DPM 2007 so be aware!

Special thanks on this to Robert Burleson who tracked this down, and wrote it up!