Windows Server backups fail with "Unable to start backup because agent service is stopped" or "Unable to start backup because agent is unreachable"

Issue

When attempting to back up a protected machine running Windows Server 2008 or newer, you receive the error "Unable to start backup because agent service is stopped" or "Unable to start backup because agent is unreachable."

Environment

  • Datto SIRIS
  • Datto ALTO
  • Datto Windows Agent
  • Windows Server 2008 and newer

Cause

DirectAccess settings in Group Policy are preventing communication between the backup agent and the Datto appliance, which can cause both agent pairing and backup failures.

Resolution

  1. Verify that you have created TCP and UDP firewall rules for DirectAccess. The following steps are from Microsoft's Knowledge Base article, Configure DirectAccess in Windows Server Essentials (external link):
    1. On the Start page, open Group Policy Management.
    2. In the Group Policy Management console, click the default forest and domain, right-click DirectAccess Server Settings, and then click Edit.
    3. Click Computer Configuration, click Policies, click Windows Settings, click Security Settings, click Windows Firewall with Advanced Security, click next-level Windows Firewall with Advanced Security, and then click Inbound Rules. Right-click Domain Name Server (TCP-In), and then click Properties.
    4. Click the Scope tab, and in the Local IP address list, add the IPv6 address of the IP-HTTPS interface.
    5. Repeat the same procedure for Domain Name Server (UDP-In).
  2. Reserve ports for the WinNat service by running the following PowerShell command:
    Set-NetNatTransitionConfiguration -IPv4AddressPortPool @("#IPADDRESS#, 25569-47000")

    By default, Microsoft recommends defining a port range of 10000-47000, which encompasses the ports used by the Datto agents. When you create a custom range, ensure that you exclude TCP port 25568 for the Datto Windows Agent.
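
The following PowerShell function is an added example, not part of the original article or of Datto's or Microsoft's tooling. It parses port pool entries in the "address, low-high" format used in step 2 and reports whether a range still contains TCP port 25568. The function name Get-PortPoolConflict and the sample address 192.0.2.10 are assumptions made for illustration.

```powershell
# Added example: flag NAT port pool entries whose range still contains
# the TCP port the Datto Windows Agent needs (25568, per this article).
function Get-PortPoolConflict {
    param(
        [Parameter(Mandatory)] [string[]] $PortPool,  # entries like "address, low-high"
        [int] $AgentPort = 25568                      # Datto Windows Agent TCP port
    )
    foreach ($entry in $PortPool) {
        # Split "address, low-high" into the address and the two range bounds.
        if ($entry -notmatch '^\s*(?<addr>[^,]+?)\s*,\s*(?<low>\d+)\s*-\s*(?<high>\d+)\s*$') {
            Write-Warning "Unrecognized pool entry: '$entry'"
            continue
        }
        $low  = [int]$Matches['low']
        $high = [int]$Matches['high']
        [pscustomobject]@{
            Address   = $Matches['addr']
            Range     = "$low-$high"
            AgentPort = $AgentPort
            # True when the reserved range swallows the agent port.
            Conflict  = ($AgentPort -ge $low -and $AgentPort -le $high)
        }
    }
}

# Constructed sample entries (192.0.2.10 is a documentation address, not from the article).
$samples = @(
    '192.0.2.10, 10000-47000',   # default range: contains 25568, so Conflict is True
    '192.0.2.10, 25569-47000'    # custom range from step 2: Conflict is False
)
Get-PortPoolConflict -PortPool $samples | Format-Table -AutoSize

# On the DirectAccess server, check the live setting from an elevated session.
# Assumption: the IPv4AddressPortPool property uses the same string format as above.
# Get-PortPoolConflict -PortPool (Get-NetNatTransitionConfiguration).IPv4AddressPortPool
```

Any row with Conflict set to True means the reserved range needs to be redefined so that it starts above 25568 or otherwise leaves that port out.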