VOX

Yes, both are on the same patchlevel. Also port 10000 is available.

Yes, both are on the same patchlevel. Also port 10000 is available.

the issues with RODC and Backup Exec occur if Backup Exec is installed on the same server because of a conflict with the SQL instance.  Is SQL installed on the RODC?

No, they are on two different servers. On the Backup Exec Server runs only Backup Exec.

Does the affected server run Exchange as well ?

As a test, is it possible for you to uninstall the BE2012 agent, install a BE 2010 R3 agent and see if this issue reoccurs when the RODC is up and running.
 

No, there is no Exchange running.

You mean the agent on the client? I tried it and it is the same - slow when RODC is running.

But we have also our old backup server with BE 2010 R3. There isn't this problem.

I tried another workarround: i blocked the IP of the RODC with the Windows-Firewall of the BE Server. Then it also works. Then i believe it connects to another domaincontroller which isn't located on our site, i think a "not RODC".

Hello,

what was the result of this problem? I'm just doing the same experience on a test site where the DC (AD, DNS and DHCP) is a WINDOWS 2008 R2 - RODC and the Media server is a separate WINDOWS 2008 R2 Server. If the DC is up and running, the "Test credentials" is not giving "green light", but is just simply doing "nothing" and hanging, a backup job is not running as well. If I switch off the RODC, it's "temporary" solving this problem.

I suppose it has something to do with the configuration from the RODC (cached passwords??: denied access ...) but I'm not sure.

Thank you for your feedback

Hello,

Till now i have no real solution. As a workarround i blocked the IP-address of the RODC in the Firewallsettings of the Backup Server, so it seems it uses another (central) Domaincontroller (we are in a larger network with different sites). I know, a quick-and-dirty solution ;)

I don't know if this is the same problem, with the RODC it was possible to make backups, but it was very slow till they start. And also if we open the folder list to select the data we want to backup.

In the next weeks i will try Backup Exec 2014.

Best regards!

Hi,

Thank you for your reply. Here, in my case, the creation of a job was even not possible until I switched off the RODC.

Yes, it's true; BE is working than with a "normal" DC and the creation and execution of a job is running fine.

I will investigate some time in the configuration from the RODC as it seems that there are some unclear settings for Backup Operators and Domain admin accounts (Deny) ..... I wonder if somebody from Symantec has some experience with RODC's and BE or if we are alone with such a configuration

so .... Let's wait and see.

Hi, 

We have the same problem here,but it takes nearly 7 min. for the selection list to appear.

RODC and BE servers are  two separated 2008R2.

First i thought it was an Active Directory problem so i opened a call at Microsoft Support. They told me that something goes wrong when Backup exec try to make netlogon requests against Active Directory.

You can see it in the "netlogon_trace" attachment file. (IP and names are changed)

At first the BE Server (beremote.exe) ask for a DC that has WRITABLE attribute ( line 1). Our RODC responds that he's not( line 4), but the BE server keeps asking the RODC, regardless or the response (line 9,17,23...). After a "timeout" of 7 mins, BE use some cached information to complete the request.

The microsoft guy thinks that BE doesn't support request against RODC by design, he gives me this link :

http://technet.microsoft.com/en-us/library/cc753644(v=ws.10).aspx

Maybe you, guys, should take a look at your netlogon.log to see if your server has the same behaviour...

(sorry for my english..)

Hello!

Very interesting. I also activated the netlogon trace. If the RODC isn't blocked and i have the problem the trace looks quite similar to yours and the time between two  "DsGetDcName" is one second or so.

When i block the RODC the log looks different. And the time between two "DsGetDcName" are only a few hundredth of a second.

The test i do was to open the selection the list of the servers i want to backup.

Hello,

We have the same configuration in our environment, Server 2008 R2 RODC on same site with a Backup Exec server (also Server 2008R2).  We get the same delays.  Very long backups unless using Guschelbauer's work around of blocking the IP of the RODC with Windows Firewall (very helpful by the way, thanks Guschelbauer).  Also long delays in enumerating the backup selection.  This is happening for us in Backup Exec 2014.

Does anyone have any further updates on this issue or know if Symantec support has been engaged?

Thanks!

Hello!

I never got a solution. In the meantime i tried BackupExec 2014 (with upgrade of the existing 2012 version), but have the same problem. I don't know if it would work with a full fresh server installation without upgrade of the existing one.

Hi again,

I can answer that part at least.  Our instance was a fresh install of BackuExec 2014 and still has the same problem.

Are you running your instance in production now?  Have you noticed any downside to using the Windows Firewall work around to block IP traffic to the RODC?

Thanks!

Hello!

I run it in production. I have not found any downside of the workaround.

Best regards!