(SI) BackupExec – Unable to establish trust with Backuped hosts.

“The job failed with the following error: Backup Exec cannot connect to the remote computer because a trust was not established between that computer and the Backup Exec server. From the list of servers in the Backup Exec administration console, right-click the remote computer and then click Establish Trust.”

Possible Solutions:

1) uninstalling the remote agent and then run a push install from the backup exec server. (push install would automatically establish a trust)

2) Is this remote server part of a different domain or it a DC ? If yes, try this KB –

3) Ensure the system time is in sync between the media server and the remote server

4) Push Establishment from Server


Othwerwise you can Delete SSL Certification and Keys from both sides(Server and Depending System)
This Solution is the Last way that you try. You need to re-establich all Server again, from the BackupExec Console

1) got to C:\Program Files\Symantec\Backup Exec\Data\

2) Copy all *.key and *.crt Files to Backup Location

3) Delete all Files like *.key and *.crt

I have 12 Backup Exec Environments from BE2014-BE2015 under Administration and it works everytime

List Groups and Groupmembership from ActiveDirectory with PowerShell

Using the Get-ADGroup cmdlet in Windows PowerShell to retrieve members. … Select Name,Description,Infotext and all Members

Foreach($G In Get-ADGroup -Properties * -Filter * -SearchBase "OU=Groups,OU=User,DC=DOMAIN,DC=de" | 
#Exception for String like LAN and WLAN
where {($_.CanonicalName -notlike "*/LAN*") -and ($_.CanonicalName -notlike "*/WLAN*") } 
| sort CanonicalName )
    [System.Environment]::NewLine | Out-File C:\test.txt -Append
    write-output $G.Name  | Out-File C:\test.txt -Append
    write-output $G.Description  | Out-File C:\test.txt -Append
    write-output $G.Info  | Out-File C:\test.txt -Append
    write-output "-------------"  | Out-File C:\test.txt -Append
    #Output is CN=***** instead of Full Object Attribute , 
    Foreach($E In $G.Members){
    $E.Substring(0,$E.IndexOf(','))  | Out-File C:\test.txt -Append

Windows Activation KMS and slmgr.exe

slmgr Description
-ato Activate Windows license and product key against Microsoft’s server.
-atp Confirmation_ID Activate Windows with user-provided Confirmation ID.
-ckms Clear the name of KMS server used to default and port to default.
-cpky Clear product key from the registry (prevents disclosure attacks).
-dli Display the current license information with activation status and partial product key.
-dlv Verbose, similar to -dli but with more information.
-dti Display Installation ID for offline activation.
-ipk Key Enter a new product key supplied as xxxxx-xxxxx-xxxxx-xxxxx-xxxxx.
-ilc License_file Install license.
-rilc Re-install system license files.
-rearm Reset the evaluation period/licensing status and activation state of the machine.
-skms activationservername:port Set the Volume Licensing KMS server and/or the port used for KMS activation (where supported by your Windows edition).
-skhc Enable KMS host caching (default), this blocks the use of DNS priority and weight after the initial discovery of a working KMS host.
-ckhc Disable KMS host caching. This setting instructs the client to use DNS auto-discovery each time it attempts KMS activation (recommended when using priority and weight).
-sai interva Sets the interval in minutes for unactivated clients to attempt KMS connection. The activation interval must be between 15 minutes and 30 days, although the default (2 hours) is recommended. The KMS client initially picks up this interval from the registry but switches to the KMS setting after the first KMS response has been received.
-sri interval Sets the renewal interval in minutes for activated clients to attempt KMS connection. The renewal interval must be between 15 minutes and 30 days. This option is set initially on both the KMS server and client sides. The default is 10080 minutes (7 days).
-spri Set the KMS priority to normal (default)
-cpri Set the KMS priority to low.
-sprt port Sets the port on which the KMS host listens for client activation requests. The default TCP port is 1688.
-sdns Enable DNS publishing by the KMS host (default).
-cdns Disable DNS publishing by the KMS host.
-upk Uninstall current installed product key and return license status back to trial state.
-xpr Show the expiry date of current license (if not permanently activated).
Token-based activation:
-lil List the installed token-based activation issuance licenses.
-ril ILID ILvID Remove an installed token-based activation issuance license.
-stao Set the Token-based Activation Only flag, disabling automatic KMS activation.
-ctao Clear the Token-based Activation Only flag (default), enabling automatic KMS activation.
-ltc List valid token-based activation certificates that can activate installed software
-fta Certificate Thumbprint . Force token-based activation using the identified certificate. The optional personal identification number (PIN) is provided to unlock the private key without a PIN prompt when using certificates that are protected by hardware (for example, smart cards).

SI-BackupExec “The BackupExec Management Service was unable to start” The BackupExec database was offline.

BackupExec 15 console on Windows Server 2012 R2 is not working.
Message: “The BackupExec Management Service was unable to start” The BackupExec database was offline.
Please bring the database online and restart the BackupExec services.

I found at event log:

An exception occured starting Backup Exec Management Service:

System.ApplicationException: Failed to connect to the database.
at BackupExec.Management.Components.DataAccess.DataAccessManager.Init(String configFile)
at BackupExec.Management.Components.Common.ComponentBroker.Init()
at BackupExec.Management.Server.ServerCommon.Start()


Backup Exec Management Service startup in EXCEPTION mode.

There lot of Articel to try to solve it ….

All of this aren’t working …. Try following ….

System: Windows 2012 R2
Software: Backup Exec 2015

I had the same issue after a clean installation. I have tested all proposed solutions. None of these solutions succeeded. I had this Problem with 4 different Instances on different Locations.

I have installed the .Net Framework — NDP462-KB3151800-x86-x64-AllOS-ENU.exe

This Solution is working

BitLocker Basic Deployment Cmdlet Powershell

There are two Phases of BitLocker Activation. Script running under Windows 2012 Infrastructur with Windows 10 and 7 x64.
Script can be deploy on the PC directly or as remote script.
1st Phase is preparing the System for TPM Activation and Check Diskdrive
-> After it System needs Reboot, BIOS will initiate a Acception of Activation… most cases F1
2nd Phase is BitLocker Deployment, in my case we use TPM PIN with randomized PIN Generator. In the End the Script will send an EMail with Informations of Computer and PIN. Please prepare your AD to write TPM Recovery Password to Computeraccount.

1st Phase:

# Loglocation
$Logfile = \\serverpath\bitlocker$\"$computername".log
Function LogWrite
 Param ([string]$logstring)
 Add-content $Logfile -value $logstring

# Varibale
$computername = $env:computername

# Prepare Bitlocker & TPM
$BitLocker = Get-WmiObject -Namespace "root\CIMV2\Security\MicrosoftVolumeEncryption" -Class Win32_EncryptableVolume | Select-Object -Property DriveLetter,ProtectionStatus | Where-Object {$_.ProtectionStatus -eq 1 -and $_.DriveLetter -eq "c:"}

if($BitLocker.ProtectionStatus -eq 1) {
Else {

$value = Get-WmiObject Win32_DiskPartition | Where-Object {$_.Size -eq 314572800} | Select -ExpandProperty Size
if($value -eq 314572800) {
 cmd /c manage-bde.exe -tpm -turnon
Else {
BdeHdCfg.exe -target default -quiet
manage-bde.exe -tpm -turnon

Get-WmiObject Win32_DiskPartition >> \\serverpath\bitlocker$\"$computername".log
manage-bde -status >> \\serverpath\bitlocker$\"$computername".log

2nd Phase:

# Varibale
$fqdn = (Get-WmiObject win32_computersystem).DNSHostName+"."+(Get-WmiObject win32_computersystem).Domain
$hostname = (Get-WmiObject win32_computersystem).DNSHostName
$dns = (Get-WmiObject win32_computersystem).Domain
$maildomain = (Get-WmiObject win32_computersystem).Domain | ForEach-Object{$_ -replace '(.+?)\..+','$1'}
$key = Get-Random -minimum 1 -maximum 9999
$computername = $env:computername
$timestamp = Get-Date -Format g

# BitLocker
#manage-bde -tpm -turnon
cmd /C manage-bde -tpm -o 'TPMPASSWORD'
cmd /C manage-bde -protectors -add c: -TPMAndPIN $key
cmd /C manage-bde -protectors -add c: -RecoveryPassword
cmd /C manage-bde -protectors -add c: -RecoveryKey c:
cmd /C manage-bde -protectors -get c: > \\serverpath\bitlocker$\$computername.txt
cmd /C manage-bde -on C: -SkipHardwareTest

# Copy & Move
cmd /C attrib.exe -H -S C:\*.bek /S /D
cmd /C move c:\*.bek \\serverpath\bitlocker$\

# Backup to ADS
$adkey = (Get-WmiObject -Namespace root/cimv2/Security/MicrosoftVolumeEncryption -Class Win32_EncryptableVolume -Filter 'DriveLetter = "C:"').GetKeyProtectors(3) | Select -Expand VolumeKeyProtectorID
cmd /C manage-bde -protectors -adbackup c: -id "$adkey"
"$key + $computername" >> \\serverpath\bitlocker$\BitLockerKeys.txt

# Genrate Mail and Send
# assign multiple recipients with delimited string
[string[]]$EmailTo = ","
$EmailFrom = "$"
$EmailSubject = "BitLocker PIN for  $fqdn " + (get-date).ToShortDatesTring() + ""
$EmailBody = "Generated BitLocker PIN on Name$maildomain `n`nSystemname:$hostname `nPIN is $key `n`nTimelog:$timestamp"
Write-Host $EmailBody

$SMTPServer = "mail.$dns"
$SMTPAuthUsername = ""
$SMTPAuthPassword = ""
$mailmessage = New-Object
$mailmessage.from = ($emailfrom)
$mailmessage.Subject = $emailsubject
$mailmessage.IsBodyHtml = $true
$mailmessage.Body = $emailbody

$SMTPClient = New-Object Net.Mail.SmtpClient($SmtpServer, 25) 
$SMTPClient.Credentials = New-Object System.Net.NetworkCredential ("$SMTPAuthUsername", "$SMTPAuthPassword")
1 2 3 19


Insgesamt 1.167.226 gereiste km ,das sind ~ 31% der Welt