cancel
Showing results for 
Search instead for 
Did you mean: 

Backing up Across 2 Domains Fails with Error: Unable to Establish Trust (BE 2014 on Windows Server 2012)

pxtian
Level 4

Hi,

I have a BE 2014 server on a WINDOWS Server 2012 standard in domain1. It is trying to backup a WINDOWS Server 2012 domain controller in domain2 but is getting the error:

 

Trust Error.jpg

I have an existing BE logon account for domain1 that does not have any issues backing up any server or DC in domain1

I have created another BE logon account for domain2 that has the same properties and memberships as that in domain1, but with the scope being domain2 (domain admin membership, etc).

I can use the logon to browse the $ shares of both servers either way.

I have changed the time and date settings on the target DC in domain2..

I have reinstalled the agent using push install and also manual install on the target DC in domain2.

When I go to the BE agent on the target server in domain2 and try to manually add the IP or hostname of teh BE server in domain1, I get the same trust error.

I added another non-DC server in domain2 to the BE Server in domain1 and had no issues establishing trust and creating backup jobs. I used the BE Logon for domain2.

 

As always, any help will be very appreciated. Thanks in advance.

17 REPLIES 17

pkh
Moderator
Moderator
   VIP    Certified
1. Does your 2 domains trust each other? 2. If yes, then add the BE login id to the second domain as a domain admin

pxtian
Level 4

Hi Pkh,

Yes, the 2 domains trust each other. The BE login is already a domain admin on domain2. Also, I have added another server in domain2 (non DC) to the BE Server in domain1 using the same BE Login and did not get the trust error.

lmosla
Level 6

Hi pxtian,

Make sure that port 1000 is available on the Backup Exec media server and the remote servers. If there is a firewall try disabling it.

also check the nics to verify they are working properly.

pxtian
Level 4

Hi Imosla,

On the BE server, I am unable to telnet tcp port 1000. The same is true for the target remote server. However, please note that this is the same case for all other remote servers that do not have trust issues.(both domain1 and domain2) 

Also, there is no other firewall other than windows firewall and it is turned off.

Ben_L_
Level 6
Employee

The port number should be 10000. Looks like both posts were missing a 0

pxtian
Level 4

Thanks, Ben. Ok, in that case, port 10000 is open in both the BE Server and the target remote server.

 

Ben_L_
Level 6
Employee

When you are trying to add the media server from the remove agent utility on the target remote server how are you entering the account information?

domain\username
username
username@domain

pxtian
Level 4

Hi Ben,

I have tried all 3 formats for the login and got the same trust error.

For the server name, I have tried IP, hostname, and FQDN. Same thing, unfortunately.

Ben_L_
Level 6
Employee

Can we verify that port 6101 is not blocked as well on the servers?  This is the port used for advertisements / setting the trust relationship.

We can aslo debug what's going on.

1. Make sure that no jobs are running on the media server, then open the sgmon program. (Select the BE button at the top left of the console - Technical Support - Collect Debug output)

2. Once the debug monitor is open, click the Capture button and click the first button under Custom.  It looks like a circle with 2 arrows pointing at it.  Also make sure Capture to File is selected.

3. Go over to the target server and open the sgmon.exe located in Program Files\Symantec\Backup Exec\RAWS

4. Again click the Capture button, select Job Engine and Backup Exec Agent Utility. Also make sure Capture to File is selected.

5. Minimize the Program then go into the Backup Exec utility and attempt to add the media server to establish the trust. Do this a couple times so we have a good set of data.

6. Close the debug monitor on both servers.  In the Logs directory of the BE install you'll see a file called SERVERNAME-Sgmon.log, either attach those files to the thread or message them to me so I can take a look.

pxtian
Level 4

Thanks, Ben. It may take me until tomorrow to get the data but I will surely provide you with the needed info.

pxtian
Level 4

Hi Ben,

 

I have sent you a PM with the logs. Thanks in advance.

Ben_L_
Level 6
Employee

So looking over the logs and I see the connection fro the backup exec server to the target, but I don't see anything in the log on the target. We should see the communication between the servers. Based off some of the errors I saw in the log on the media server though it appears that something else might be taking over port 10000 on the target.

Try changing the port of the Remote Agent on the target to see if that helps out.

http://www.symantec.com/docs/TECH24256

pxtian
Level 4

Hi Ben,

Thanks. So I have changed the port on the target to 9000. I still get the same error when I try to establish trust from teh agent.

Telnet to locahost reveals the port is open.

 

But from teh BE server, the error message changed to:

 

TRUST2.JPG

Ben_L_
Level 6
Employee

At this point I'm going to have to suggest calling in to open a support case.  I'd really need to look into what's going on with this and am not allocated the time to do so without a support case being opened.

pxtian
Level 4

Thanks, Ben.

Can I do that using "open a support case" option from the support site? 

I called in about 45 minutes earlier (for a different problem) and I am still on the phone now. Seems to be a more difficult route.

VJware
Level 6
Employee Accredited Certified

In case the case hasn't been opened via the phone, it can be opened online as well from https://my.symantec.com

pxtian
Level 4

Thanks for the replies. I have opened case ##08099265