Installing Protection Agents on a Read-Only Domain Controller

Applies to: System Center Data Protection Manager 2010

This topic describes how to install a protection agent on a read-only domain controller (RODC). Note that if a firewall is enabled on the RODC, you must either turn the firewall off or run the following commands before installing the protection agent:

netsh advfirewall firewall set rule group="@FirewallAPI.dll,-29502" new enable=yes

netsh advfirewall firewall set rule group="@FirewallAPI.dll,-34251" new enable=yes

netsh advfirewall firewall add rule name=dpmra dir=in program="%PROGRAMFILES%\Microsoft Data Protection Manager\DPM\bin\DPMRA.exe" profile=Any action=allow

netsh advfirewall firewall add rule name=DPMRA_DCOM_135 dir=in action=allow protocol=TCP localport=135 profile=Any

To install a protection agent on a read-only domain controller

  1. On the primary domain controller, create and then populate the following security groups, where the protected server name (PSNAME in the group names below) is the name of the RODC on which you plan to install the protection agent:

    • Create a security group named DPMRADCOMTRUSTEDMACHINES$PSNAME, and then add the DPM server machine account as a member.

    • Create a security group named DPMRADMTRUSTEDMACHINES$PSNAME, and then add the DPM server machine account as a member.

    • Add the DPM server machine account as a member of the Builtin\Distributed Com Users security group.

  2. Ensure that the security groups that you created earlier have replicated on the RODC.

  3. Install the protection agent on the RODC.

  4. On the DPM server, perform the following steps to grant launch and activation permissions for the DPMRA service:

    1. Open DPM Management Shell, and then run the command dcomcnfg.exe.

      The Component Services window opens.

    2. In the Component Services window, expand Computers, expand My Computer, right-click the DPMRA service, and then click Properties.

    3. Click General, and then set the Authentication Level to Default.

    4. Click Location, and then ensure that only Run application on this computer is selected.

    5. Under Launch and Activation Permissions, select Customize, and then click Edit to open the Launch Permission dialog box.

    6. In the Launch Permission dialog box, assign permissions for Local Launch, Remote Launch, Local Activation, and Remote Activation for the DPM server machine account.

    7. Click OK to close the dialog box.

    8. Navigate to <drive letter>:\Program Files\Microsoft DPM\DPM\setup, and then copy the following files to the RODC at <drive letter>:\Program Files\Microsoft DPM\DPM\setup.

      • setagentcfg.exe

      • traceprovider.dll

      • LKRhDPM.dll

  5. On the RODC, from an elevated command prompt, run the command setagentcfg.exe a DPMRA domain\DPMserver from the location that you specified in the previous step (<drive letter>:\Program Files\Microsoft DPM\DPM\setup).

  6. Attach the protection agent to the DPM server. For more information about attaching protection agents, see Attaching Protection Agents.
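
Steps 1 and 2 can be scripted and then checked against the RODC itself before the agent is installed. The following PowerShell is an added example, not part of the original topic or of DPM. Assumptions: the ActiveDirectory module is available, the server names are placeholders, "$PSNAME" means a literal "$" followed by the RODC name, and the groups are created as domain local security groups.

```powershell
# Added example: the names below are placeholders, not values from the original topic.
Import-Module ActiveDirectory

$WritableDC = 'DC01'      # placeholder: writable domain controller
$Rodc       = 'RODC01'    # placeholder: RODC on which the agent will be installed
$DpmServer  = 'DPM01'     # placeholder: computer name of the DPM server

# Assumption: "$PSNAME" in the group names is a literal "$" followed by the RODC name.
$agentGroups = @('DPMRADCOMTRUSTEDMACHINES$' + $Rodc, 'DPMRADMTRUSTEDMACHINES$' + $Rodc)
$allGroups   = $agentGroups + 'Distributed COM Users'

$dpmAccount = Get-ADComputer -Identity $DpmServer -Server $WritableDC

# Step 1: create the two groups if they do not exist yet.
# Assumption: domain local scope; the topic does not state a scope.
foreach ($name in $agentGroups) {
    if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$name)" -Server $WritableDC)) {
        New-ADGroup -Name $name -SamAccountName $name -GroupCategory Security `
            -GroupScope DomainLocal -Server $WritableDC
    }
}

# Step 1 (continued): add the DPM server machine account to all three groups.
foreach ($name in $allGroups) {
    $present = Get-ADGroupMember -Identity $name -Server $WritableDC |
        Where-Object { $_.distinguishedName -eq $dpmAccount.DistinguishedName }
    if (-not $present) {
        Add-ADGroupMember -Identity $name -Members $dpmAccount -Server $WritableDC
    }
}

# Step 2: ask the RODC directly, so the result reflects what has replicated to it.
$pending = foreach ($name in $allGroups) {
    try {
        $seen = Get-ADGroupMember -Identity $name -Server $Rodc -ErrorAction Stop |
            Where-Object { $_.distinguishedName -eq $dpmAccount.DistinguishedName }
        if (-not $seen) { $name }      # group is there, membership is not yet
    } catch {
        $name                          # group is not visible on the RODC yet
    }
}

if ($pending) { Write-Warning "Not yet replicated to ${Rodc}: $($pending -join ', ')" }
else          { Write-Output "Groups and memberships are present on $Rodc." }
```

Run it again after replication if the warning appears; continue with step 3 only when all three groups report the DPM server machine account on the RODC.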