When attempting to back up a system protected by the ShadowSnap backup agent, you receive the error message, "The backup failed because the protected system was not able to access the backup image file over the network."
In legacy versions of the Datto IRIS environment, this error message was ".datto is not found or not accessible."
The following additional symptoms may follow:
When attempting to access a file restore on your Datto appliance via its UNC path, you receive the error message "[UNC path] is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions. The account is not authorized to log in from this station."
You may also be prompted for a username & password when attempting to access the Datto appliance this way.
- ShadowSnap Agent
Local network settings render Samba shares on the Datto appliance inaccessible, or a high level of traffic prevents persistent communication between the device and the agents. ShadowSnap backups require a non-interactive connection from the agent to a public Samba share on the Datto appliance in order to transfer the backup data.
Common causes of this error are:
- Poor network latency.
- Hostnames fail to resolve from the Datto appliance.
- Agents hosted on another subnet are not routable to the Datto appliance.
- Improper routing tables.
- Another service may have generated a conflict, such as those found in Commonly found VSS-Related Services
- Samba communication is disabled on the production machine. This is often performed by IT administrators as a defense measure against ransomware such as WannaCry.
- SMB signing settings are mismatched. SMB signing must be disabled on the client or an SMB signing mismatch will occur.
- Low system resources.
- The Datto appliance is joined to the Domain.
- Registry or Group Policy settings are preventing the protected machine from connecting to the Datto appliance via UNC.
- Set Share Compatibility Mode for the specific agent.
- On protected Windows machines, for the active network connection, enable the Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks.
- Unjoin the Datto appliance from the Domain. If this is required in your deployment, contact Datto Technical Support.
- Check the subnet masks and DNS settings for the protected machines to ensure that the Datto device has the correct network settings to allow the device to reach the agents.
- Create a DNS A record on the DNS server using the device's hostname, and reboot the affected server.
- Verify that the Datto appliance has both a local level DNS server and search domain configured to resolve local hostnames.
If these steps fail to resolve the issue, proceed to the next steps of these articles.
Test UNC Functionality
Create a public NAS Share on the Datto appliance and access it from the protected machine. If the share is inaccessible, use another machine on the same network.
- If the share is inaccessible from just the protected machine, modify necessary settings on the network to ensure it can access the share via UNC, such as the LanmanWorkstation registry. Also verify that the account configured in the Log On tab in the Properties of the following services is a Domain or Local Administrator:
- StorageCraft Shadow Copy Provider
- StorageCraft Raw Agent
- ShadowProtect Service
- If one or more of the machines on your network cannot access the share, ensure that any Group Policies applied to the Datto appliance use valid SMB signatures. You can learn more about SMB signing in Microsoft's article, Overview of Server Message Block signing (external link).
Modifying this registry may resolve UNC connectivity issues between the protected machine
In the registry, check the value of the following two LanmanWorkstation keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters\Enablesecuritysignature = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters\Requiresecuritysignature = 1
If they are both set to 1, change the Requiresecuritysignature value to 0, and reboot the protected machine. For more information about the LanmanWorkstation service, see this article.
Regenerate the Incremental Tracker
The agent database may contain incorrect or unreadable SMB signing information. To resolve this, rebuild the database by following these steps:
- Open services.msc, and stop the StorageCraft Raw Agent service.
- Navigate to C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap.
- Find the endptconfig.sqlite3 file. Append .old to the end of the filename.
- Restart the StorageCraft Raw Agent service.
- Repair agent communications on the device, and attempt another backup job.
For Advanced-Trained partners only
- Disable SMB v1 in Managed Environments with Group Policy (external link)
- Require SMB Security Signatures (external link)
- The Basics of SMB Signing (external link)
- Windows Server 2012 R2: Which version of the SMB protocol (SMB 1.0, SMB 2.0, SMB 2.1, SMB 3.0 or SMB 3.02) are you using? (external link)