When attempting to back up a system protected by the ShadowSnap backup agent, you receive the error message, "The backup failed because the protected system was not able to access the backup image file over the network."
In legacy versions of the Datto IRIS environment, this error message was ".datto is not found or not accessible."
The following additional symptoms may follow:
When attempting to access a file restore on your Datto appliance via its UNC path, you receive the error message "[UNC path] is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions. The account is not authorized to log in from this station." The system may also prompt you for a username and password.
- ShadowSnap Agent
Local network settings render Samba shares on the Datto appliance inaccessible, or a high level of traffic prevents persistent communication between the device and the agents. ShadowSnap backups require a non-interactive connection from the agent to a public Samba share on the Datto appliance to transfer the backup data.
Common causes of this error are:
- Poor network latency is causing connectivity issues.
- Hostnames fail to resolve from the Datto appliance.
- Agents hosted on another subnet are not routable to the Datto appliance.
- Improper routing tables are causing connectivity issues.
- Another service may have generated a conflict, such as those found in our VSS compatibility article
- Samba communication is disabled on the production machine. IT administrators often disable samba as a defense measure against ransomware such as WannaCry
- SMB signing settings are mismatched. SMB signing must be disabled on the client, or an SMB signing mismatch will occur
- System resources are low.
- You have joined the Datto appliance to the domain.
- Registry or group policy settings are preventing the protected machine from connecting to the Datto appliance via UNC.
- Insecure guest logins for SMB are disabled.
- Run gpedit.msc and verify the Computer configuration → administrative templates → network→ Lanman Workstation Enable insecure guest logons setting is Enabled.
- On protected Windows machines, for the active network connection, enable the Client for Microsoft Networks (external link), and File and Printer Sharing for Microsoft Networks (external link).
- Unjoin the Datto appliance from the domain. If you need to join the domain for your deployment, contact Datto Technical Support.
- Check the subnet masks and DNS settings for the protected machines to ensure that the Datto device has the correct network settings to allow the device to reach the agents.
- Create a DNS A record on the DNS server using the device's hostname, and reboot the affected server.
- Verify that the Datto appliance has both a local level DNS server and search domain configured to resolve local hostnames.
If these steps fail to resolve the issue, proceed to the next steps of these articles.
Test UNC Functionality
Create a public NAS Share on the Datto appliance and access it from the protected machine. If the share is inaccessible, use another computer on the same network.
- If the share is inaccessible from just the protected machine, modify necessary settings on the network to ensure it can access the share via UNC, such as the LanmanWorkstation registry. Also verify that the account configured in the Log On tab in the Properties of the following services is a domain or local administrator:
- StorageCraft Shadow Copy Provider
- StorageCraft Raw Agent
- ShadowProtect Service
- If one or more of the machines on your network cannot access the share, ensure that any group policies applied to the Datto appliance use valid SMB signatures. You can learn more about SMB signing in Microsoft's article, Overview of Server Message Block signing (external link).
Modifying this registry may resolve UNC connectivity issues between the protected machine
In the registry, check the value of the following two LanmanWorkstation keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters\Enablesecuritysignature = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters\Requiresecuritysignature = 1
If they are both set to 1, change the Requiresecuritysignature value to 0 and reboot the protected machine. For more information about the LanmanWorkstation service, see this article.
Regenerate the Incremental Tracker
The agent database may contain incorrect or unreadable SMB signing information. To resolve this, rebuild the database by following these steps:
- Open services.msc, and stop the StorageCraft Raw Agent service.
- Navigate to C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap.
- Find the endptconfig.sqlite3 file and append .old to the end of the filename.
- Restart the StorageCraft Raw Agent service.
- Repair agent communications on the device, and attempt another backup job.
- Disable SMB v1 in Managed Environments with Group Policy (external link)
- Require SMB Security Signatures (external link)
- The Basics of SMB Signing (external link)
- Windows Server 2012 R2: Which version of the SMB protocol (SMB 1.0, SMB 2.0, SMB 2.1, SMB 3.0 or SMB 3.02) are you using? (external link)