Video Screencast Help
Symantec Appoints Michael A. Brown CEO. Learn more.

Trust Relationship failed / was not established when trying to backup.

Created: 18 Nov 2011 • Updated: 12 Feb 2013 | 18 comments
This issue has been solved. See solution.

Test of MSL-SVR71 -- The job failed with the following error: Backup Exec cannot connect to the remote agent because a trust relationship was not established between the remote agent and the media server. To establish a trust relationship, add the remote agent to the Favorite Resources in the backup selections tree.

We has BackUp Exec 2010 R3 (With all latest hotfixes and updates applied.)

We have a CA Server that controls all of our backup jobs. We have 1 MM Server that performs all of our backup jobs.

BKEXEC backups up some, the majority, of of systems fine. We have a problem with 3 of our servers, 1 is a Windows 2008 SP2 64Bit File Server, 1 is a Windows 2003 SP2 32Bit SQL Server and 1 Windows 2008 SP2 64Bit SQL Server.

Every time one of these servers is attempted to be backed up we get the above error. I have tried creating a new job for each server and the same happens.

PING and NSLOOKUP between the remote agent, MMS and CAS is working fine, all pingable and name resolves.

I have followed the following solution guide : http://www.symantec.com/business/support/index?page=content&pmv=print&impressions=&viewlocale=&id=TECH159323

None of the solutions work.

 

Please let me know if you need anymore information and and advice or help will be greatly appreciated.

Comments 18 CommentsJump to latest comment

Colin Weaver's picture

Have you trusted the remote agent from both the MMS and the CAS server as you have to in a CASO environment.

 Check in the Remote Agent Utility (Security and Publishing tabs) on the remote server(s) to confirm that both CAS and MMS are listed.

CraigV's picture

...in line with what Colin statedt above, you'd open up your selection list and click on the server to expand it. When it pops up the message asking if you'd like to trust the server, you say yes.

Alternative ways to access Backup Exec Technical Support:

https://www-secure.symantec.com/connect/blogs/alte...

leeweedon's picture

Hi Colin.

 

Thanks for your reply.

Yes, both MMS and CAS are listed in the Publishing and Security Tab.   I just removed them to try re-adding but only the CAS will stay.

The MMS server, adds and then disappears within seconds.

 

Any thoughts?

Regards

 

Lee

newsolutionBE's picture

Hi

From my CAS server, you see the two certs appear in the remote agent config. One for the local media server, and one for the Certificate Authority, i.e. the Central Admin Server.see in the attached jpeg

you should see the CAS and MMS and their hashes should match the crt files in the RAWS\Data folder.on the remote server remote agent publishing tab

See if this matches in your case

Thanks

ssl1.JPG

Thanks & Regards

If this response answers your query, please mark it as a solution.

leeweedon's picture

I have tried to 'Add' and connect to each server from the CAS server. It reports sucsesful, but the servers do not appear in the list/tree

 

Also, there are no certificated in that directory only

Regards

 

Lee

newsolutionBE's picture

Hi

 

From CAS server in backupexec go to tools-support utility-click on debug monitor & check the 1st check box with job engine , then beserver & then 3rd party o/p  then capture to file & also on remote server go to C-program file-symantec-backupexec-raws-& look for sgmon.exe & then check the 1st box with remote agent & last one with 3rd party o/p & capture to file

 

Now from CAS server open selection & then go to windows system-expand domain & then right click on the server having issue & click enable trust relationship & then once errors out you can close sgmon & post the sgmon.log from C-porgram files-symantec-backupexec-logs folder from CAS & remote server

 

Thanks

Thanks & Regards

If this response answers your query, please mark it as a solution.

newsolutionBE's picture

Hi

 

You are gettig this error below

BENETNS:  [11/18/11 10:34:23] [0000]     11/18/11 10:34:23 [ndmp\ndmpcomm]      - ndmpConnectEx : Control Connection information: A connection was established between end-points 172.19.10.33:59564 and 172.18.10.148:10000.
BENETNS:  [11/18/11 10:34:23] [0000]     11/18/11 10:34:23 [ndmp\ndmpclient]    - NDMP version 3 connection CONNECTED
BESERVER: [11/18/11 10:34:23] [0000]     11/18/11 10:34:23 -1 Client requested key (1321612632).
BESERVER: [11/18/11 10:34:23] [0000]     11/18/11 10:34:23 01 Server Configuration: Client added: 7
BESERVER: [11/18/11 10:34:23] [0000]     11/18/11 10:34:23 -1 Client 'MSL-SVR97' connected('','MIDSOFT\weedonl'): 0x12b300b8
BESERVER: [11/18/11 10:34:23] [0000]     11/18/11 10:34:23 01 Server Configuration: Client removed: 6
BESERVER: [11/18/11 10:34:23] [0000]     11/18/11 10:34:23 -1 Client 'MSL-SVR97' Disconnected:0x12b300b8
BESERVER: [11/18/11 10:34:23] [0000]     11/18/11 10:34:23 -1 Client requested key (1321612632).
BESERVER: [11/18/11 10:34:23] [0000]     11/18/11 10:34:23 01 Server Configuration: Client added: 7
BESERVER: [11/18/11 10:34:23] [0000]     11/18/11 10:34:23 -1 Client 'MSL-SVR97' connected('','MIDSOFT\weedonl'): 0x12b300b8
BESERVER: [11/18/11 10:34:23] [0000]     11/18/11 10:34:23 01 Server Configuration: Client removed: 6
BESERVER: [11/18/11 10:34:23] [0000]     11/18/11 10:34:23 -1 Client 'MSL-SVR97' Disconnected:0x12b300b8
BESERVER: [11/18/11 10:34:23] [0000]     11/18/11 10:34:23 -1 Client requested key (1321612632).
BESERVER: [11/18/11 10:34:23] [0000]     11/18/11 10:34:23 01 Server Configuration: Client added: 7
BESERVER: [11/18/11 10:34:23] [0000]     11/18/11 10:34:23 -1 Client 'MSL-SVR97' connected('','MIDSOFT\weedonl'): 0x12b300b8
BESERVER: [11/18/11 10:34:23] [0000]     11/18/11 10:34:23 01 Server Configuration: Client removed: 6
BESERVER: [11/18/11 10:34:23] [0000]     11/18/11 10:34:23 -1 Client 'MSL-SVR97' Disconnected:0x12b300b8
BENETNS:  [11/18/11 10:34:23] [0000]     11/18/11 10:34:23                      - SSL connection using version TLSv1
BENETNS:  [11/18/11 10:34:23] [0000]     11/18/11 10:34:23                      - SSL connection using cipher AES256-SHA
BENETNS:  [11/18/11 10:34:23] [0000]     11/18/11 10:34:23 [ndmp\ndmpclient]    - secureNDMPConnection: SECURITY ENABLED!!
BENETNS:  [11/18/11 10:34:24] [0000]     BECryptoInit: BECrypto non-FIPS mode successfully enabled.
BENETNS:  [11/18/11 10:34:24] [0000]     11/18/11 10:34:23                      - SSL Shutdown clean
BENETNS:  [11/18/11 10:34:24] [0000]     11/18/11 10:34:23 [BESocket]           - @@@@@@@MyCloseSocket called with sockfd = 580(0x244)    retval = 0
BENETNS:  [11/18/11 10:34:24] [0000]     11/18/11 10:34:23 NRDS API - client disconnected.
BESERVER: [11/18/11 10:34:24] [0000]     11/18/11 10:34:23 20 Usershares: MediaServerAdvertisementUpdate, Raws:MSL-SVR71, Add to agt dir list ok.
BENETNS:  [11/18/11 10:34:24] [0000]     11/18/11 10:34:23 [nrds]               - Accepted new connection.
BENETNS:  [11/18/11 10:34:24] [0000]     11/18/11 10:34:23 [nrds]               - AcceptConnection: SSL was requested
BENETNS:  [11/18/11 10:34:24] [0000]     11/18/11 10:34:24 [nrds]               - AcceptConnection: Failed Server Side SSL handshake.

 

I will suggest you to open case with symantec by contacting on 18006344747 so that they can investigate the issue with SSL

 

Also if backups are very critical in mean while you can uninstall BE 2010 R3 remote agent & install BE 2010 R2 remote agent on affected client computer so that you can have backup for weekend

 

Thanks

Thanks & Regards

If this response answers your query, please mark it as a solution.

CraigV's picture

Hi,

 

Installing 1 RAWS back might actually cause more issues, so don't do that!

Uninstall RAWS off the affected server and then push-install from your media server again. This will create the trust all over.

 

Thanks!

Alternative ways to access Backup Exec Technical Support:

https://www-secure.symantec.com/connect/blogs/alte...

SOLUTION
leeweedon's picture

Ok, the problem seems to be the MMS does not create a trust with any other server, the CAS does.

Regards

 

Lee

CraigV's picture

So are you then using the CASO server to delegate jobs etc. to the MMS? If not, then change the Job and Catalog location using BEutility back to the MMS.

Another alternative is to remove the MMS from the CASE and then try adding it again!

Alternative ways to access Backup Exec Technical Support:

https://www-secure.symantec.com/connect/blogs/alte...

newsolutionBE's picture

Hi

Can you also check one more thing on MMS server open local security policy & then go to user right assignments & ensure you give the following service rights to account used by you for taking backup & restores

http://www.symantec.com/docs/TECH23689 check this document & ensure you give all rights also please ensure the server you are accessing from also has all this rights

Once these rights are given please restart Backupexec services on MMS & also remote agent service on remote server & then check

(FYI In my case I had the same issue I resolved this by doing the above mention steps)

Thanks & Regards

If this response answers your query, please mark it as a solution.

CraigV's picture

...this is a trust issue between the CASO and MMS...what do service account rights needed for backups and restores have to do with that?

Alternative ways to access Backup Exec Technical Support:

https://www-secure.symantec.com/connect/blogs/alte...

newsolutionBE's picture

Hi

I am not understading your question you mean to say that this permission are not required ? This are basic rights & we ensure this permission are there in case of backup & restore issue & also when if in not able to access selections.as discussed in link given by me. So when SSL is been estalished if there are some issue with permission in background SSL will not be created so it is always good that OP ensure basic step if those permission are in place or not

Thanks

Thanks & Regards

If this response answers your query, please mark it as a solution.

CraigV's picture

The OP's question revolves around a trust issue between the MMS and CASO server. Not backing up the local server. First and foremost the trust issue is causing the backup issue.

You're busy getting him/her to check service account permissions on the local server. This has nothing to do with the issue at hand. Unless you have experience with a CASO environment, please don't comment or post unnecessarily...

Alternative ways to access Backup Exec Technical Support:

https://www-secure.symantec.com/connect/blogs/alte...

leeweedon's picture

I rasied a support call with Symantec.

The solution to the issues was to follow these steps for each remote agent:

  • Uninstall BKEXEC Remote Agent from Server
  • On the MMS Server Remove the Server from "Windows Systems"
  • Re-Add the Server in "Windows Systems" doing the installation during the process.

This re-establishes the trust and allows the backup.

 

However, the remote servers still won't add on the CAS.

Removing and re-creating the partnership/trust between the MMS and CAS seemed to help, but the remote agents still don't connect or allow trusts to be established on the CAS.  

 

Regards

 

Lee

CraigV's picture

Lee,

 

Are you talking about adding a remote server that doesn't run a full version of BE to a CASO? If so, this is not supported, and only full media servers can be added to the MMS...

Alternative ways to access Backup Exec Technical Support:

https://www-secure.symantec.com/connect/blogs/alte...

leeweedon's picture

Just to finalise, this issue is now resolved.

Removing all remote agents, including uninstall and then re-adding each agent resolved the issue.

 

Thanks for your help.

Regards

 

Lee