Trust Relationship failed / was not established when trying to backup.
Test of MSL-SVR71 -- The job failed with the following error: Backup Exec cannot connect to the remote agent because a trust relationship was not established between the remote agent and the media server. To establish a trust relationship, add the remote agent to the Favorite Resources in the backup selections tree.
We has BackUp Exec 2010 R3 (With all latest hotfixes and updates applied.)
We have a CA Server that controls all of our backup jobs. We have 1 MM Server that performs all of our backup jobs.
BKEXEC backups up some, the majority, of of systems fine. We have a problem with 3 of our servers, 1 is a Windows 2008 SP2 64Bit File Server, 1 is a Windows 2003 SP2 32Bit SQL Server and 1 Windows 2008 SP2 64Bit SQL Server.
Every time one of these servers is attempted to be backed up we get the above error. I have tried creating a new job for each server and the same happens.
PING and NSLOOKUP between the remote agent, MMS and CAS is working fine, all pingable and name resolves.
I have followed the following solution guide : http://www.symantec.com/business/support/index?page=content&pmv=print&impressions=&viewlocale=&id=TECH159323
None of the solutions work.
Please let me know if you need anymore information and and advice or help will be greatly appreciated.
Comments 18 Comments • Jump to latest comment
Have you trusted the remote agent from both the MMS and the CAS server as you have to in a CASO environment.
Check in the Remote Agent Utility (Security and Publishing tabs) on the remote server(s) to confirm that both CAS and MMS are listed.
...in line with what Colin statedt above, you'd open up your selection list and click on the server to expand it. When it pops up the message asking if you'd like to trust the server, you say yes.
If you find this is a solution, please mark it as such.
Hi Colin.
Thanks for your reply.
Yes, both MMS and CAS are listed in the Publishing and Security Tab. I just removed them to try re-adding but only the CAS will stay.
The MMS server, adds and then disappears within seconds.
Any thoughts?
Regards
Lee
Hi
From my CAS server, you see the two certs appear in the remote agent config. One for the local media server, and one for the Certificate Authority, i.e. the Central Admin Server.see in the attached jpeg
you should see the CAS and MMS and their hashes should match the crt files in the RAWS\Data folder.on the remote server remote agent publishing tab
See if this matches in your case
Thanks
Thanks & Regards
If this response answers your query, please mark it as a solution.
I have tried to 'Add' and connect to each server from the CAS server. It reports sucsesful, but the servers do not appear in the list/tree
Also, there are no certificated in that directory only
Regards
Lee
Hi
From CAS server in backupexec go to tools-support utility-click on debug monitor & check the 1st check box with job engine , then beserver & then 3rd party o/p then capture to file & also on remote server go to C-program file-symantec-backupexec-raws-& look for sgmon.exe & then check the 1st box with remote agent & last one with 3rd party o/p & capture to file
Now from CAS server open selection & then go to windows system-expand domain & then right click on the server having issue & click enable trust relationship & then once errors out you can close sgmon & post the sgmon.log from C-porgram files-symantec-backupexec-logs folder from CAS & remote server
Thanks
Thanks & Regards
If this response answers your query, please mark it as a solution.
Log files as requested
Regards
Lee
Hi
You are gettig this error below
BENETNS: [11/18/11 10:34:23] [0000] 11/18/11 10:34:23 [ndmp\ndmpcomm] - ndmpConnectEx : Control Connection information: A connection was established between end-points 172.19.10.33:59564 and 172.18.10.148:10000.
BENETNS: [11/18/11 10:34:23] [0000] 11/18/11 10:34:23 [ndmp\ndmpclient] - NDMP version 3 connection CONNECTED
BESERVER: [11/18/11 10:34:23] [0000] 11/18/11 10:34:23 -1 Client requested key (1321612632).
BESERVER: [11/18/11 10:34:23] [0000] 11/18/11 10:34:23 01 Server Configuration: Client added: 7
BESERVER: [11/18/11 10:34:23] [0000] 11/18/11 10:34:23 -1 Client 'MSL-SVR97' connected('','MIDSOFT\weedonl'): 0x12b300b8
BESERVER: [11/18/11 10:34:23] [0000] 11/18/11 10:34:23 01 Server Configuration: Client removed: 6
BESERVER: [11/18/11 10:34:23] [0000] 11/18/11 10:34:23 -1 Client 'MSL-SVR97' Disconnected:0x12b300b8
BESERVER: [11/18/11 10:34:23] [0000] 11/18/11 10:34:23 -1 Client requested key (1321612632).
BESERVER: [11/18/11 10:34:23] [0000] 11/18/11 10:34:23 01 Server Configuration: Client added: 7
BESERVER: [11/18/11 10:34:23] [0000] 11/18/11 10:34:23 -1 Client 'MSL-SVR97' connected('','MIDSOFT\weedonl'): 0x12b300b8
BESERVER: [11/18/11 10:34:23] [0000] 11/18/11 10:34:23 01 Server Configuration: Client removed: 6
BESERVER: [11/18/11 10:34:23] [0000] 11/18/11 10:34:23 -1 Client 'MSL-SVR97' Disconnected:0x12b300b8
BESERVER: [11/18/11 10:34:23] [0000] 11/18/11 10:34:23 -1 Client requested key (1321612632).
BESERVER: [11/18/11 10:34:23] [0000] 11/18/11 10:34:23 01 Server Configuration: Client added: 7
BESERVER: [11/18/11 10:34:23] [0000] 11/18/11 10:34:23 -1 Client 'MSL-SVR97' connected('','MIDSOFT\weedonl'): 0x12b300b8
BESERVER: [11/18/11 10:34:23] [0000] 11/18/11 10:34:23 01 Server Configuration: Client removed: 6
BESERVER: [11/18/11 10:34:23] [0000] 11/18/11 10:34:23 -1 Client 'MSL-SVR97' Disconnected:0x12b300b8
BENETNS: [11/18/11 10:34:23] [0000] 11/18/11 10:34:23 - SSL connection using version TLSv1
BENETNS: [11/18/11 10:34:23] [0000] 11/18/11 10:34:23 - SSL connection using cipher AES256-SHA
BENETNS: [11/18/11 10:34:23] [0000] 11/18/11 10:34:23 [ndmp\ndmpclient] - secureNDMPConnection: SECURITY ENABLED!!
BENETNS: [11/18/11 10:34:24] [0000] BECryptoInit: BECrypto non-FIPS mode successfully enabled.
BENETNS: [11/18/11 10:34:24] [0000] 11/18/11 10:34:23 - SSL Shutdown clean
BENETNS: [11/18/11 10:34:24] [0000] 11/18/11 10:34:23 [BESocket] - @@@@@@@MyCloseSocket called with sockfd = 580(0x244) retval = 0
BENETNS: [11/18/11 10:34:24] [0000] 11/18/11 10:34:23 NRDS API - client disconnected.
BESERVER: [11/18/11 10:34:24] [0000] 11/18/11 10:34:23 20 Usershares: MediaServerAdvertisementUpdate, Raws:MSL-SVR71, Add to agt dir list ok.
BENETNS: [11/18/11 10:34:24] [0000] 11/18/11 10:34:23 [nrds] - Accepted new connection.
BENETNS: [11/18/11 10:34:24] [0000] 11/18/11 10:34:23 [nrds] - AcceptConnection: SSL was requested
BENETNS: [11/18/11 10:34:24] [0000] 11/18/11 10:34:24 [nrds] - AcceptConnection: Failed Server Side SSL handshake.
I will suggest you to open case with symantec by contacting on 18006344747 so that they can investigate the issue with SSL
Also if backups are very critical in mean while you can uninstall BE 2010 R3 remote agent & install BE 2010 R2 remote agent on affected client computer so that you can have backup for weekend
Thanks
Thanks & Regards
If this response answers your query, please mark it as a solution.
Hi,
Installing 1 RAWS back might actually cause more issues, so don't do that!
Uninstall RAWS off the affected server and then push-install from your media server again. This will create the trust all over.
Thanks!
If you find this is a solution, please mark it as such.
Ok, the problem seems to be the MMS does not create a trust with any other server, the CAS does.
Regards
Lee
So are you then using the CASO server to delegate jobs etc. to the MMS? If not, then change the Job and Catalog location using BEutility back to the MMS.
Another alternative is to remove the MMS from the CASE and then try adding it again!
If you find this is a solution, please mark it as such.
Hi
Can you also check one more thing on MMS server open local security policy & then go to user right assignments & ensure you give the following service rights to account used by you for taking backup & restores
http://www.symantec.com/docs/TECH23689 check this document & ensure you give all rights also please ensure the server you are accessing from also has all this rights
Once these rights are given please restart Backupexec services on MMS & also remote agent service on remote server & then check
(FYI In my case I had the same issue I resolved this by doing the above mention steps)
Thanks & Regards
If this response answers your query, please mark it as a solution.
...this is a trust issue between the CASO and MMS...what do service account rights needed for backups and restores have to do with that?
If you find this is a solution, please mark it as such.
Hi
I am not understading your question you mean to say that this permission are not required ? This are basic rights & we ensure this permission are there in case of backup & restore issue & also when if in not able to access selections.as discussed in link given by me. So when SSL is been estalished if there are some issue with permission in background SSL will not be created so it is always good that OP ensure basic step if those permission are in place or not
Thanks
Thanks & Regards
If this response answers your query, please mark it as a solution.
The OP's question revolves around a trust issue between the MMS and CASO server. Not backing up the local server. First and foremost the trust issue is causing the backup issue.
You're busy getting him/her to check service account permissions on the local server. This has nothing to do with the issue at hand. Unless you have experience with a CASO environment, please don't comment or post unnecessarily...
If you find this is a solution, please mark it as such.
I rasied a support call with Symantec.
The solution to the issues was to follow these steps for each remote agent:
This re-establishes the trust and allows the backup.
However, the remote servers still won't add on the CAS.
Removing and re-creating the partnership/trust between the MMS and CAS seemed to help, but the remote agents still don't connect or allow trusts to be established on the CAS.
Regards
Lee
Lee,
Are you talking about adding a remote server that doesn't run a full version of BE to a CASO? If so, this is not supported, and only full media servers can be added to the MMS...
If you find this is a solution, please mark it as such.
Just to finalise, this issue is now resolved.
Removing all remote agents, including uninstall and then re-adding each agent resolved the issue.
Thanks for your help.
Regards
Lee
Would you like to reply?
Login or Register to post your comment.