From the forums: Manual agent installation on a DC or RODC

July 29, 2010 at 7:59 am in Uncategorized by mikeresseler

As promised in previous post, here is already an interesting topic.

Many people seem to be having issues with installing an agent on a domain controller (DC) or on a read-only domain controller (RODC).  Whether it is through the automatic install or the manual install, sometimes it doesn’t work.  This can be due to various reasons, one of them being the DC or RODC secured more properly.

Below you can find a method for deploying an agent on a DC or RODC when you encounter this.  The method comes from Praveen D [MSFT]

1. Create and populate the following security groups on Primary domain controller: (Where $PSNAME is the name of RODC on which you are planning to install agent)
    a. Create DPMRADCOMTRUSTEDMACHINES$PSNAME  and add DPM server as a member
    b. Create DPMRADMTRUSTEDMACHINES$PSNAME and add DPM server as a member
    c. Add DPM server as a member of Builtin\Distributed com users group
2. Ensure that above changes are replicated on to RODC
3. Install agent on RODC
4. Grant launch and activate permissions for DPM server on DPM RA service by doing the following:
    a. Run "dcomcnfg"
    b. Expand Component Services ->  Expand Computers -> Expand My Computer -> Expand DCOM Config
    c. Right click DPM RA Service and select Properties
    d. Under ‘General’, "Authentication Level – Default"
    e. Under ‘Location’, only "Run application on this computer" should be checked
    f. Under Security, verify that the "Launch and Activation Permissions" (select > "Edit") include the machine account for the DPM Server and Allow
    j. Click OK
5. Copy setagentcfg.exe, traceprovider.dll and LKRhDPM.dll from "c:\Program Files\Microsoft DPM\DPM\setup" on DPM server and place them in "c:\Program Files\Microsoft DPM\DPM\setup" on RODC.
6. Run "setagentcfg.exe a DPMRA domain\DPMserver"  on RODC using an elevated command prompt. (Run setagentcfg.exe from the location above i.e c:\Program Files\Microsoft DPM\DPM\setup)
7. If  a firewall is enabled on RODC run the following commands:
    a. netsh advfirewall firewall set rule group="@FirewallAPI.dll,-29502" new enable=yes
    b. netsh advfirewall firewall set rule group="@FirewallAPI.dll,-34251" new enable=yes
    c. netsh advfirewall firewall add rule name=dpmra dir=in program="%PROGRAMFILES%\Microsoft Data Protection Manager\DPM\bin\DPMRA.exe" profile=Any action=allow
    d. netsh advfirewall firewall add rule name=DPMRA_DCOM_135 dir=in action=allow protocol=TCP localport=135 profile=Any
8. Attach agent on DPM server, now you are ready to protect the RODC.