While configuring Remote agent for Deduplication (RADA), get error "Unable to authenticate with the NDMP server, or with remote computer that is configured as a Remote Media Agent".

Article:TECH170478  |  Created: 2011-09-27  |  Updated: 2013-01-08  |  Article URL http://www.symantec.com/docs/TECH170478
Article Type
Technical Solution

Product(s)

Issue



When setting up Remote agent for Deduplication (RADA) on a remote machine the "Authentication error" and/or "Unable to connect to the NDMP server with the remote computer that is configured as a Remote media agent" error/s are encountered.



Error



"Unable to authenticate NDMP server, or with the remote computer that is configured as a Remote media agent, or with the remote computer that is configured for deduplication"


Following are listed in SGMON Verbose logging for Device & media,

PVLSVR:   [09.27.11 11:12:14] [0000]     09/27/11 11:12:14.264 DeviceIo: ndmpFreeMessage: connection: 0x0000000008ED0018 message: 0xf33b
PVLSVR:   [09.27.11 11:12:14] [0000]     09/27/11 11:12:14.364 DeviceIo: ndmpClose
PVLSVR:   [09.27.11 11:12:14] [0000]     09/27/11 11:12:14.364 DeviceIo: ndmpDestroyConnection
PVLSVR:   [09.27.11 11:12:14] [0000]     09/27/11 11:12:14.364 DeviceIoScsi::Provider::TestNdmpServerConnection: DERROR_NDMP_ACCESS_DENIED(0x70000040) <-
PVLSVR:   [09.27.11 11:12:14] [0000]     09/27/11 11:12:14.364 AdammSession::Execute( ADAMM_SESSION_EXECUTE_NDMP_VALIDATE_HOST )

            Session = {8A128C24-5BCA-44FB-A1E8-7113B0313D0F}

            ERROR = 0xA0009B22 (E_PVL_NDMP_AUTH_FAILURE)

Note: For detailed information on using SGMON, refer the article www.symantec.com/docs/HOWTO11932


Cause



(I) The Remote agent may not be installed on the targeted machine on which the Remote agent for Deduplication (RADA) is being configured.
(II) The user account does not have enough permission through which Remote agent for Deduplication (RADA) is being configured.
(III) SSL Certificates is not installed correctly in Backup Exec 2010.
(IV) This issue can be caused by teamed NICs that are conflicting.
(V) Backup Exec 2010 R3 now uses stronger protocols to secure communication between media servers and Remote Agents, reducing the possibility that  backup or restore operations can be compromised.

When connecting to a remote computer from the media server, a trust relationship must be established between the media server and the remote computer.  In certain situations the trust must be established manually.

Examples:

  • If the Backup Exec 2010 R3 Remote agent for Windows System (RAWS) is installed manually, the trust must be established before selecting the remote computer for backup or an existing selection list\job can run.
  • An alternate or new media server is attempting to backup a remote computer where no trust is established.
  • A trust relationship for a remote windows computer must be established first before a backup.

Solution



(I) Make sure the Remote agent must be installed on the targeted machine on which the Remote agent for Deduplication (RADA) is being configure.

(II) Check the user account through which Remote agent for Deduplication (RADA) is being configure. It should be the same account which was responsible for the de-duplication folder when it was created.

  • The account must be a domain administrator, administrator. Should be added in the local policy & should be added under local administrator and local backup operator's group on the media server as well as on the remote machine on which Remote agent for Deduplication (RADA) is being configure/installed.
  • The account should be listed under backup exec logon account window (Network>logon account

(III) Enabling SSL Communications between a Media Server and a Remote Agent for Windows Servers

Method 1: Single Remote Server - Push Install

  1. Push install the Remote Agent for Windows Servers to a remote machine.
  2. After install, the remote machine may require a reboot.
  3. Open the Backup Exec Windows Servers Admin Console
  4. Go to the Job Setup tab
  5. Open a new Backup Selection List.
  6. Go to Favorite Resources > Windows Systems and confirm the remote machine is listed.
  7. If the machine is listed, attempt to expand the server.
  8. A prompt will be received if the machine is not trusted. The option to trust the machine will be made available at this time.

Method 2: Single Remote Server - Local Install

  1. Perform a Local Install of the Remote Agent for Windows Servers to a remote machine. (http://www.symantec.com/docs/TECH91735)
  2. After install, reboot may be required.
  3. Go back to the Media Server
  4. Open the Backup Exec Windows Servers Admin Console
  5. Go to the Job Setup tab
  6. Open a new Backup Selection List
  7. Go to Domains > Microsoft Windows Network > DomainName in the selection list.
  8. Locate the remote machine node.
  9. Right click on the machine name and select Establish Trust Relationship.
     

Troubleshooting

How to determine if the SSL certificate is installed correctly:

  • BE 2010 R3 Remote agent advertisement appears under Favorites

Note: BE 2010 R2 and below agents will still appear under Favorite Resources. BE 2010 R3 agents will only appear if they’re trusted.

  • Browsing to remote agent does not prompt to establish trust
  • Use Backup Exec 2010 Remote Agent Utility > Security tab at Remote Agent machine to view installed certificates.

Note: Backup Exec 2010 Remote Agent Utility can be found under the Symantec Backup Exec program group.

If the remote machine is not listed under favorite resources:

  1. Open a new Backup Selection List
  2. Go to Domains > Microsoft Windows Network > DomainName in the selection list.
  3. Locate the remote machine node.
  4. Right click on the machine name and select Establish Trust Relationship.

If the remote machine is not listed under favorite resources or as a domain machine, it can be added as a user defined selection. After that, the Establish Trust Relationship option can be used.

These trusts are established on a per Media Server basis. Each additional Media Server that has not trusted the remote machine will need to do so individually.

(IV) Check to make sure that a ping to the remote server works.

If the ping fails to the device by IP, break the NIC Team and try again.

Note: If breaking the Team resolves the issue, try to update the firmware and drivers of the NIC cards and try to create the TEAM again.  If pinging the NDMP device with Teamed NICs still fails, please contact the hardware manufacturer to find out why the teamed NICs are not working properly.

(V) A trust relationship between the media server and the remote computer can be established in the following ways:

  • Push-install the remote agent to one or more remote computers from the media server. The trust relationship between the remote computer and the media server is automatically established during installation. (See related articles for How to push install Backup Exec RAWS)
  • Copy RAWS 32 / RAWS 64 folder from : \program files\symantec\backup exec\agents "  from media server to the remote computer and perform a local install of a remote agent on a remote computer that is in a domain or a workgroup. Open the selection list and browse the remote server. It will prompt if we want to authorise the server or not. This is another way the we can initiate the trust relationship between remote computer and media server.
  • Browse to the directory "C:\Windows\System32\drivers\etc " and open the "services" file using notepad. Scroll to the bottom of the file and make the following  entry ,

ndmp             10000/tcp     # Network Data Management Protocol

Restart the remote agent service on the server you have made the changes to.

  • Install the Remote Agent, and then add the computer to User-defined Selections

Please refer to the Related Document below for more information. (TECH156427)





Article URL http://www.symantec.com/docs/TECH170478


Terms of use for this information are found in Legal Notices