This topic describes how to install a protection agent on a read-only domain controller (RODC). If a firewall is enabled on the RODC, you must either turn the firewall off or run the following commands before installing the protection agent:

netsh advfirewall firewall set rule group="@FirewallAPI.dll,-29502" new enable=yes

netsh advfirewall firewall set rule group="@FirewallAPI.dll,-34251" new enable=yes

netsh advfirewall firewall add rule name=dpmra dir=in program="%PROGRAMFILES%\Microsoft Data Protection Manager\DPM\bin\DPMRA.exe" profile=Any action=allow

netsh advfirewall firewall add rule name=DPMRA_DCOM_135 dir=in action=allow protocol=TCP localport=135 profile=Any

To install a protection agent on a read-only domain controller

  1. Create and populate the following security groups on the primary domain controller, where the protected server name is the name of the RODC on which you are planning to install the protection agent.

    1. Create a security group named DPMRADCOMTRUSTEDMACHINES$PSNAME, and then add the DPM server as a member.

    2. Create a security group named DPMRADMTRUSTEDMACHINES$PSNAME, and then add the DPM server as a member.

    3. Add the DPM server as a member of the Builtin\Distributed COM Users security group.

  2. Make sure that the security groups you created above are replicated on the RODC.

  3. Install the protection agent on the RODC.

  4. On the DPM server, perform the following steps to grant launch and activation permissions on the DPM RA service:

    1. Run dcomcnfg.exe to open the Component Services window.

    2. Expand the Computers node.

    3. Expand the My Computer node.

    4. Right-click the DPM RA service, and then select Properties.

    5. Click General, and set the Authentication Level to Default.

    6. Click Location, and make sure that only Run application on this computer is checked.

    7. Under Launch and Activation Permissions, select Customize, and then click Edit to open the Launch Permission dialog box.

    8. In the Launch Permission dialog box, assign permissions for Local Launch, Remote Launch, Local Activation, and Remote Activation for the DPM server machine account.

    9. Click OK to close the dialog box.

  5. On the DPM server, copy the following files from <drive letter>:\Program Files\Microsoft DPM\DPM\setup to the RODC at <drive letter>:\Program Files\Microsoft DPM\DPM\setup:

    • setagentcfg.exe

    • traceprovider.dll

    • LKRhDPM.dll


  6. On the RODC, using an elevated command prompt, run setagentcfg.exe a DPMRA domain\DPMserver from the location you specified in the previous step (<drive letter>:\Program Files\Microsoft DPM\DPM\setup).

  7. Attach the protection agent on the DPM server. For more information about attaching protection agents, see Attaching Protection Agents.
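
One way to carry out the check in step 2 before installing the agent, as an added example that is not part of the original procedure or of DPM itself. It assumes the ActiveDirectory PowerShell module is available, that the RODC answers directory queries from that module, that PSNAME in step 1 stands for the RODC name with the '$' kept literally, and it uses the placeholder names RODC01 and DPM01.

```powershell
# Added example: confirm from the RODC's own directory copy that the step 1
# groups exist and that the DPM server is a direct member of each.
Import-Module ActiveDirectory

$RodcName  = 'RODC01'   # placeholder: name of the protected RODC
$DpmServer = 'DPM01'    # placeholder: name of the DPM server

# Assumption: PSNAME in step 1 stands for the RODC name and the '$' is literal.
# Single quotes stop PowerShell from treating '$' as a variable prefix.
$expected = @(
    ('DPMRADCOMTRUSTEDMACHINES$' + $RodcName),
    ('DPMRADMTRUSTEDMACHINES$' + $RodcName),
    'Distributed COM Users'
)
$dpmSam = $DpmServer + '$'   # computer accounts end in '$' in sAMAccountName

$results = foreach ($name in $expected) {
    $row = [pscustomobject]@{ Group = $name; OnRodc = $false; DpmServerIsMember = $false; Error = $null }
    try {
        # -Server sends the query to the RODC, so the result reflects what has replicated.
        $group = Get-ADGroup -Filter "Name -eq '$name'" -Server $RodcName -ErrorAction Stop |
            Select-Object -First 1
        if ($group) {
            $row.OnRodc = $true
            $members = Get-ADGroupMember -Identity $group.DistinguishedName -Server $RodcName -ErrorAction Stop
            $row.DpmServerIsMember = [bool]($members | Where-Object { $_.SamAccountName -eq $dpmSam })
        }
    }
    catch {
        $row.Error = $_.Exception.Message   # e.g. RODC unreachable or access denied
    }
    $row
}

$results | Format-Table -AutoSize

# Non-zero exit if anything is missing, so the check can gate the agent install.
$failed = @($results | Where-Object { -not ($_.OnRodc -and $_.DpmServerIsMember) })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) group check(s) failed on $RodcName; wait for replication or fix membership before step 3."
    exit 1
}
```

Only direct membership is checked, matching step 1, which adds the DPM server itself to each group.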