• Import DPM management packs in SCOM;
• Install central console on Management server;
• (Optional) Install central console on your console servers.

Import DPM management packs in SCOM

First of all, mount Data Protection Manager ISO on your SCOM management server. Then open your Operation Manager console and navigate to Administration tab. Right click on Management packs and select import Management Packs.

Next, click on Add and select Add from disk.

Navigate to SCDPM\ManagementPacks\<Your Language> in the DPM DVD drive. Select the two management packs and click on Open.

You will have a security warning about these management packs (MP). Because these MPs come from Microsoft, I trust them and so I click on Install.

The next step is the installation of the central console on the SCOM operation manager.

Install central console on Management server

Open the DPM DVD drive and launch the setup.exe. Next click on DPM Central Console as below. If you have not installed the Microsoft Visual C++ 2008 redistributable package you will have an error. But you are lucky because you just have to navigate to SCDPM\Redist\vcredist in
DPM DVD drive and run vcredist2008_x64.exe to solve the problem.

Next accecpt the license terms and conditions and click OK.

If you have installed a SCOM console on your management server, you have to install Central Console server-side and client-side Components. If you have not, just install Central Console server-side Components.

On the prerequisites check screen, click on Next if all is validated.

On installation settings screen click on next.

Because I update my systems with SCCM, I do not want to use Microsoft Update.

So it is ok, now DPM is monitored by SCOM.

Install central console on your console servers

If you are like me and you don’t like to manage servers from themselves, you should have a Remote Desktop server where you have installed all MMC and System Center consoles. In this case, you have to install the central console on this server also. So follow the process of the last part and on Central Console Opt-in screen, just Install Central Console client-side Components as below:

Monitor Data Protection Manager with SCOM

To view the result of the integration of DPM monitoring in SCOM, open an Operation Manager console. Open Monitoring tab. You should have the same tree as below:

So as you can see, it is possible to monitor the health of the disks, DPM servers, protected servers, protection groups etc. Moreover you can monitor the data sources state in function of the workload (SQL server, File System, Hyper-V etc.). It is very useful when you have multiple DPM servers. On the below capture, it is the disk monitoring:

And now the DPM servers status :

Protection groups health :

Unhealthy data sources :

The post Monitor Data Protection Manager with SCOM appeared first on Tech-Coffee.

• A production network with DNS zone. This DNS zone is used by Active Directory for production purposes;
• A private dedicated network for backup without DNS.

It is not recommended to register IP belonging to dedicated backup network in the production DNS zone because these IPs are not always reachable from outside. So there are two solutions: use host file on DPM (beurkkkk) or use DNS. I have chosen to use DNS with a new primary zone.

To use a dedicated network for Data Protection Manager, there are four steps:

1. Create a backup DNS zone;
2. Configure backup NIC on Domain Controller;
3. Configure backup NIC on member servers;
4. Configure DPM to use backup network.

For my example, I have these networks:

• Production network: 10.10.0.0/24
• Backup network: 10.10.1.0/24

Create a backup DNS zone

First of all, I create a backup DNS zone which I call backup.net. So I open a DNS console on a domain controller (dnsmgmt.msc) and I create a primary zone. Right click on the Forward Lookup Zone and select New Zone.

On the New Zone Wizard welcome screen, click on Next.

Create a Primary zone and to follow best practices, tick the Store the zone in Active Directory option.

Select the replication scope. On my side I choose to replicate on all DNS servers running on domain controllers in this domain.

Specify a Zone name. On my side I call my DNS zone backup.net.

Next configure the dynamic update. To follow best practices I choose Allow only secure dynamic updates.

To finish creating zone, click on Finish.

Once your DNS zone is created, you should have it in Forward Lookup Zones in your DNS console.

Once the zone is created, I recommend you to check listener on DNS service. So in the DNS console, right click on the server name and select properties.

Make sure that the DNS Service listens on your backup network. If you make a change, don’t forget to restart the DNS service.

Configure backup NIC on Domain Controllers

Once the zone is created and the DNS service listens on your backup network, it is time to register your domain controllers in this zone. For that, open network connection configuration, right click on your backup NIC and select properties.

Edit Internet Protocol Version 4 (TVP/IPv4) properties and click on advanced.

Regarding domain controller I have this IP configuration:

• VMADS01: 10.10.1.5/24
• VMADS02: 10.10.1.4/24

To follow best practices, on VMADS01 primary DNS is 10.10.1.4 and secondary DNS is 127.0.0.1 On VMADS02, the primary DNS is 10.10.1.4 and secondary DNS is 127.0.0.1. In this way, DNS resolution is crossed.

So on VMADS01 the configuration is like below screenshot:

On VMADS02 the configuration is like below screenshot:

You can use this Powershell script to configure your DNS settings as above:

Set-DnsClientServerAddress -InterfaceAlias "BackupNet" -ServerAddresses ("10.10.1.4","127.0.0.1")
Set-DnsClient –InterfaceAlias "BackupNet" -ConnectionSpecificSuffix "backup.net" –RegisterThisConnectionsAddress $true –UseSuffixWhenRegistering $true

Once the configuration is applied, don’t forget to run ipconfig /registerdns

So in my DNS zone, I have my two domain controllers registered automatically.

Configure Backup NIC on member servers

Now I apply the same configuration on member servers except that I set the primary DNS server to 10.10.1.4 and secondary DNS server to 10.10.1.5.

Set-DnsClientServerAddress -InterfaceAlias "BackupNet" -ServerAddresses ("10.10.1.4","10.10.1.5")
Set-DnsClient –InterfaceAlias "BackupNet" -ConnectionSpecificSuffix "backup.net" –RegisterThisConnectionsAddress $true –UseSuffixWhenRegistering $true

Once the configuration is applied, I run ipconfig /registerdns and all my servers are registered automatically in backup.net zone.

N.B: For IP Pool users on Virtual Machine Manager, you can make the configuration in VMM. Just configure the DNS and the specific connection suffix. However a Run Once script will be needed to tick the Use this connection’s DNS suffix in DNS registration option. You can use the Set-DNSClient powershell command like the script described above.

Configure DPM backup network

On DPM server, open a DPM Management shell. I will use the <verb>-DPMBackupNetworkAddress command to view and edit the networks used by Data Protection Manager. So First, I run Get-DPMBackupNetworkAddress to view backup network settings:

So as you can see in the above screenshot, no backup network is set on my DPM configuration. So I launch the below powershell command:

Add-DPMBackupNetworkAddress –DPMServerName VMDPM01.home.net –Address 10.10.1.0/24 –SequenceNumber 1

This command adds the 10.10.1.0/24 network as a first backup network in DPM. If DPM is able to resolve name on this network, it will use this network. The SequenceNumber is the priority of the network using.

Now I run again the Get-DPMBackupNetworkAddress and as you can see below, I have one backup network.

If you want to add your production network as a fallback network for backup, you can add another network with a SequenceNumber greater than 1.

To finish the configuration, restart the DPM service.

Now I run a Virtual Machine backup and that’s work J.

The post Use a dedicated network for Data Protection Manager appeared first on Tech-Coffee.

In this post we will see how to restore a server with Bare-Metal Recovery protection in Data Protection Manager 2012 R2. The server to restore is a virtual domain controller on Windows Server 2012 R2. Previously I have made a full system protection of this server. For this example, servers are named as below:

• Protected server: VMADS01
• DPM server: VMDPM01

There are two steps to restore a server with BMR protection:

• Recover a BMR backup
• Restore a server with Bare-Metal Recovery

Recover the Bare-Metal Recovery

First of all, I verify that VMADS01 is protected rightly. I need at least one recovery point for this test. So the below screenshot shows you that replica of VMADS01 is all right’s. So let’s go to recover the Bare-Metal Recovery.

First open the Recovery tab. In Browse field, enter the name of your server. Choose a recovery point with the calendar. Once you have chosen a recovery point, right click on Bare-Metal Recovery as below, and select Recover.

On the first screen of recovery wizard, just click next.

Because I have no tape library, I want to copy recovery files to a network folder. So the recovery will be performed across the network.

On specify destination screen, click on Browse and choose where you want store the recovery files. I choose VMDPM01 on D:\Restore folder.

Next configure recovery options as you want. You can for example set the network bandwidth uses for recovery needs, an E-mail notification or security option.

Once all parameters are set, click on Recover to copy files where you have specified.

During the recovery process, you can view the state on Monitoring tab.

Once the recovery process is finished, you should have a recovery success alert.

Open the folder where are located recovery files and rename it with a shorter name. This is to ease the recovery process in the next steps.

Create a share on your recovery folder.

Now that recovery files are hosted and ready to be used, we will see how to use the restore files from server side.

Restore a server with Bare-Metal Recovery

First, insert ISO of your operating system to boot on the Windows Server installer. For me, the OS is Windows Server 2012 R2.

Choose your language as fresh OS installation.

Next click on Repair your computer.

Then click on Troubleshoot.

Click on System Image Recovery.

The below warning is normal. Because my machine has no data on its hard disk, no system image is stored. So just click cancel.

So click on Select a system image.

Click advanced to take recovery files from a network share.

Enter the network folder. For my example the network folder is \\VMDPM01\BMRMyComputer.

So the backup is listed. Select it and click next.

Select what you want to restore and click next.

In this section you have additional options. For example you can restore only one disk or install additional drivers.

Click on finish to launch the restoring of your system.

In barely 10 minutes, my server is restored. Because this server is a domain controller, I have checked about the behaviour of the replication process. It is impressive because the Active Directory service knows that a restoration took place and so it ask a replication from its friends!

As you have seen, the restoration process is pretty easy and fast so Bare-Metal Recovery protection is a good way to protect servers. However the main disadvantage of this protection type is that it uses a lot of storage space because all data are saved. But I am ready to lose some storage space for this awesome protectionJ.

The post Restore a server with Bare-Metal Recovery protection in DPM 2012R2 appeared first on Tech-Coffee.

• Resize Recovery Partition
• Move shadow copy storage from Recovery Partition to C: volume
• Use Pre and Post backup script

Resize Recovery partition

The goal of the first solution is to resize the Recovery partition using the Diskpart tool to add 100MB:

It is possible to modify this partition when the computer is installed thanks to unattended file but it is not possible in my case when the computer is already installed (I can’t use a third tool to make the resizing of partitions). Because I have a lot of computers already installed, this solution is not good.

Move shadow copy storage

The goal of the second solution is to move the shadow copy storage from Recovery partition to C: partition. For that use the vssadmin command as below:

The volume with ID fd25aea8-4a3a-4b97-8c77-4e68f61a8d63 is the Recovery Partition. To move the shadow copy storage from this partition to C: volume, use this command:

vssadmin add shadowstorage /for=\\?\Volume{ fd25aea8-4a3a-4b97-8c77-4e68f61a8d63}\ /on=c: /maxsize=500MB

In my opinion, I won’t use this command because when a permanent fix will be released, I will have to change this setting again.

Use Pre and Post backup scripts in DPM 2012 R2

Data Protection Manager enables to run pre and post backup scripts. This (I hope) temporarily solution enables me to create two scripts:

• One to run REagentc /disable (Pre-Backup script)
  
• One to run REagentc /enable (Post-Backup script)
  

So I create two scripts called Disable-Reagentc.cmd and Enable-Reagentc.cmd that contains only the related command. These scripts must be located on the protected server. Next, modify the ScriptingConfig.xml located on protected servers. In standard installation, this XML file is located here:

C:\Program Files\Microsoft Data Protection Manager\DPM\Scripting\ScriptingConfig.xml

Modify the ScriptingConfig.xml as below:

<?xml version="1.0" encoding="utf-8"?>
<ScriptConfiguration xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance"
                     xmlns:xsd="https://www.w3.org/2001/XMLSchema" xmlns="https://schemas.microsoft.com/2003/dls/ScriptingConfig.xsd">
   <DatasourceScriptConfig DataSourceName="System Protection ">
      <PreBackupScript>C:\Tools\ Disable-Reagentc.cmd</PreBackupScript>
      <PostBackupScript>C:\Tools\ Enable-Reagentc.cmd</PostBackupScript>
      <TimeOut>30</TimeOut>
   </DatasourceScriptConfig>
</ScriptConfiguration>

/!\ Make sure that only Administrators and LOCAL SYSTEM account can edit and run these scripts. When DPM run these scripts, it uses the LOCAL SYSTEM account. So if a malicious guy tries to attack your system, this is a good entry point.

Now that the XML is modified, make sure that DPMRA service is stop ped (net stop DPMRA). When it is done, perform a consistency check and that should be all right!

For more information about Pre and Post backup script I recommend you this link.

The post Pre and Post backup scripts in DPM 2012 R2 appeared first on Tech-Coffee.

The first known misconfiguration that raises this error is that Windows Server Backup feature is not installed on the protected server.

Windows Server Backup

So if you have the below event, I am pretty sure that you have not installed the Windows Server Backup Feature.

To verify this assumption, connect to the protected server, and open the Add Roles and Features wizard. Verify that Windows Server Backup feature is installed. If not, you can do it without reboot.

WinRE issue

Then if you have installed Windows Server Backup and you still get the same error, it can be the WinRE (Windows Recovery) that can raise the problem. When I got this issue on my client infrastructure, I searched on Technet and I found this topic. My error in DPM is like the below screenshot:

So I connect to the protected server and I run this command: reagentc /disable.

This command disables the WinRE Agent.

Next I perform a consistency check and tadaaa:

To finish you can restart the WinRE agent: reagentc /enable.

 But why WinRE raises a Replica is inconsistent in DPM?

It is a bug known by Microsoft. Because System State is based on shadow copy, Windows needs 50MB on System Reserved partition. The problem is that WinRE take a lot of space also on this partition. So in my opinion, there is not enough space on the system reserved partition to make the shadow copy. This is why when the WinRE agent is stopped, Shadow Copy works.

The post Replica is inconsistent in DPM 2012R2 appeared first on Tech-Coffee.

DPM can store backup on disk (disk-to-disk or D2D), on library tape (disk-to-tape or D2T) or on Windows Azure (disk-to-cloud or D2C). These supports can be mixed for high availability: so it is possible to perform D2D2D backup or D2D2T etc. The latest best practice about backup is called 3.2.1 and says that:

• Perform 3 backups.
  
• On 2 different support.
  
• Store replica on 1 remote site.
  

This article is focusing on short-term protection with D2D support to explain protection group (and because I do not have a library tape J).

Disk-to-Disk protection process

When you create a protection group, an initial replica of data protected is created. Then the DPM agent tracks every change on data sources to transfer modification to replica, block per block though DPM server. That means that only changes are synchronized. Then a recovery point is created from the synchronized replica. A recovery point is a point in time from which you can perform a recovery of your data. The scheduling for recovery points creation is configurable.

To synchronize the replica, there are two ways in DPM: the synchronization and the express full backup. The synchronization tracks journal change in the Operating System or in applications and transfer only modification block per block. On express full backup, a full volume shadow copy is created but only changes are transferred. Some applications don’t support the synchronization (such as SQL Server in Simple Recovery Model) so the express full backup is very useful in this case.

Data protected by DPM

DPM can protect Microsoft Exchange, SQL Server, Hyper-V (and virtual machines), SharePoint, File Servers and System State. Thanks to System State protection, Active Directory databases can be saved (including AD DS, AD CS and AD LDS). To finish, DPM can protect and recover a machine as a Bare-Metal. That means that if the machine is broken and need a recovery, this last not need the DPM agent to be restored.

Protection group parameters

Protection group type

This setting defines which kind of machines is saved: Servers or Clients. The Server type is used to save file servers or application servers. You can save SQL databases, files, Hyper-V virtual machines, system states etc. Client type enables to save workstations (laptops or desktops).

Group Members

This setting defines the collection of data sources that you backup. Because that data sources share the same configuration in a protection group, these last are usually the same kind of data. For example to backup Active Directory, a protection group will be created to save system state of domain controller. In this example, the system state is the data source.

Data Protection Method

This is here that you choose short-term or long-term protection. When you choose short-term protection you can select the backup support (disk, tape or cloud) while when you select long-term protection you have to own a tape library.

Protection goals (Short-Term)

In this section you can define the retention range, the synchronization and full express backup frequency for files data and application data.

Protection group preparation table

Below an example of how to prepare your short-term protection groups:

I have based the recovery point on the synchronization frequency because in this example, databases support incremental backup using transaction logs in MSSQL. If your databases don’t support incremental (log shipping or Simple Recovery Model), synchronization cannot be used and Express full backup frequency should be increased.

On next section I will implement a protection group based on this table.

Protection group example: MSSQL databases backup

To create a Protection Group, click on Protection tab and select New. I assume that you have created a storage pool in DPM before performing the protection group creation.

To backup MSSQL databases, select the protection group type called Servers.

Then I select databases that I want a backup on my SQL server called VMSQL01. Once data sources are selected, they appear in Selected members list.

Next, type your protection group name and select the protection method. Here I want to perform a D2D backup and a short-term protection.

Then choose your short-term goals. In the below example, I synchronize the replica every 15mn and I create the recovery point every synchronization. An express full backup is performed every day at 20:200. To finish the retention range of recovery point is set to 7 days.

On the next screen, set the disk allocation. You can enable the auto grow of your replica volume and choose to co-locate data.

Next choose when you want to create the initial replica.

Then choose when to run a consistency check: only when a replica becomes inconsistent or on scheduling. The schedule method adds more CPU workload.

Once the protection group is created, the initial replica is created for each data source.

Below, the ReportServer database is protected by a replica and 3 recovery points have been created.

The post Protection groups in Data Protection Manager appeared first on Tech-Coffee.