After upgrading to Backup Exec 2010 R3 or above backup job fails with cannot connect to the remote agent because a trust relationship was not established

Article:TECH162362  |  Created: 2011-06-15  |  Updated: 2014-07-14  |  Article URL http://www.symantec.com/docs/TECH162362
Article Type
Technical Solution

Product(s)

Issue



After upgrading to Backup Exec 2010 R3 or above, backup job fails with the error message "0xe0009b86:Backup Exec cannot connect to the Remote Agent because a trust relationship was not established between the remote agent and the media server."
 


Error



0xe0009b86:Backup Exec cannot connect to the Remote Agent because a trust relationship was not established between the Remote Agent and the media server.

Backup Exec Remote agent log will display error -

- ndmpRun: Control connection accepted : connection established between end-points 212.36.110.129:10000 and 212.36.111.135:62428
- sslOpen() : Opening SSL for: E05D088F
- sslOpen(): certinfo = E05D0A8F ; sslConn = E05CE9A
- GetCertificateDataFolderPath: Not checking for cluster.
- ERROR: LookupMSCertificate: Registry error obtaining install path, GetLastError() = 0
- GetCertificateDataFolderPath: Not Clustered.
- LookupCASOrMMSCertificates: Error obtaining certificate data path.
- ERROR: LookupMSCertificate: media server not found in certificate cache.  Failing verification.
- In ndmpdGetLastError:: Callback to get last NDMP Error.
- GetCertificateDataFolderPath: Not checking for cluster.
- GetCertificateDataFolderPath: Not checking for cluster.
- ERROR: ndmpdCertSSLHandshake:  WritePublicKeyToFilePEM for root returned E000A30C
 


Cause



Backup Exec 2010 R3 and above now uses stronger protocols to secure communication between Media Servers and Remote Agents, reducing the possibility that backup or restore operations can be compromised. When connecting to a remote computer from the media server, a trust relationship must be established between the media server and the remote computer. To establish a trust relationship, the media server and the remote computer exchange certificates so that each computer can confirm the identity of the other computer for subsequent operations.
 


Solution



Make sure the Backup Exec installation is fully patched and the remote agents have had the updates pushed out to them first.

Backup Exec stores the Certificates in the Data folder located under in Backup Exec installation folder.

1 - On the computer on which the Remote Agent is installed, Open the backup exec installation folder . By default location is \Program file\Symantec\Backup exec\Raws

2 - In the DATA folder under the RAWS directory, move the files located within the DATA folder to an alternate location.

3 - Open Backup Exec on the media server and open the selection list for a backup job.

4 - Navigate through windows systems, Active directory, or via user defined share to the problem remote agent.

5 - Right click on the remote server in the selection list and select the option to establish a trust relationship.

6 - Try to expand the remote server to see if the local resources enumerate (C: D: etc). It should expand correctly if the trust relationship is established and the correct credentials are used.
 

If the above steps do not correct the issue please try un-installing the remote agent off the remote server and then push install the remote agent back to the remote server. This will automatically create the trust relationship if it is a successful install.


 


Supplemental Materials

SourceError Code
Value0xe0009b86
Description

Backup Exec cannot connect to the remote agent because a trust relationship was not established between the remote agent and the media server.




Article URL http://www.symantec.com/docs/TECH162362


Terms of use for this information are found in Legal Notices