System Center 2012 Data Protection Manager Beta Release

This document is provided "as-is". Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. You may modify this document for your internal, reference purposes. This document is confidential and proprietary to Microsoft. It is disclosed and can be used only pursuant to a non-disclosure agreement. 2010 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Internet Explorer, JScript, SharePoint, SQL Server, Visio, Visual Basic, Visual Studio, Win32, Windows, Windows PowerShell, and Windows Vista are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Contents
Installing System Center 2012 DPM Beta ..................................................................................................... 5 Supported Operating Systems .................................................................................................................. 5 Installation Scenarios ................................................................................................................................ 5 New Installation .................................................................................................................................... 5 DPM 2010 QFE-2 (or QFE3) to System Center 2012 DPM Beta ............................................................ 5 DPM Protection Agent .......................................................................................................................... 6 Using a remote instance of SQL Server for DPM Database ...................................................................... 7 Scale Considerations ............................................................................................................................. 7 Prerequisites ......................................................................................................................................... 7 Local SQL Server instance to Local SQL Server instance ....................................................................... 7 Local SQL Server instance to remote SQL Server instance ................................................................... 8 Remote SQL Server instance to Remote SQL Server instance .............................................................. 8 Installing Central Console ............................................................................................................................. 9 Supported Client Operating Systems ........................................................................................................ 9 Server and Client Features ........................................................................................................................ 9 Only Server Features ............................................................................................................................... 10 Only Client Features ................................................................................................................................ 10 Post-Installation ...................................................................................................................................... 11 Configuring Users .................................................................................................................................... 12 Hardware considerations for scale ......................................................................................................... 13 Remote DPM Administrator Console...................................................................................................... 14 Scoped DPM Administrator Console....................................................................................................... 14 General Recommendations: ................................................................................................................... 14 Recommendations for Disk Requirements for Operations Manager Data Warehouse Database ......... 15 Centralized Management ........................................................................................................................... 16 Centralized Monitoring ....................................................................................................................... 16 Remote Administration ....................................................................................................................... 16 Alert Consolidation ............................................................................................................................. 17 Scoped Troubleshooting ..................................................................................................................... 17 Using Central Console ............................................................................................................................. 17

Managing Users ...................................................................................................................................... 18 Infrastructure Management ............................................................................................................... 19 Protection Intent Management .......................................................................................................... 20 Basic Corrective Actions ...................................................................................................................... 20 Tape Library Operations...................................................................................................................... 20 Advanced Tape Library Operations ..................................................................................................... 20 Tape Operations.................................................................................................................................. 20 Protection Tasks ...................................................................................................................................... 20 Creating a protection group ................................................................................................................ 20 Modifying a protection group ............................................................................................................. 21 Creating a recovery point.................................................................................................................... 21 Recovering data .................................................................................................................................. 21 Troubleshooting Alerts from Central Console ........................................................................................ 21 The States View....................................................................................................................................... 22 Resolving Alerts....................................................................................................................................... 22 Advanced Troubleshooting using Central Console ................................................................................. 23 The Alerts ............................................................................................................................................ 23 Optimized SharePoint Item Level Recovery................................................................................................ 27 Item-Level Recovery of Filestream Items ............................................................................................... 27 Known Issues........................................................................................................................................... 27 Limitations .............................................................................................................................................. 27 Certificate-based Authentication for Computers in Untrusted Domains ................................................... 28 Introduction ............................................................................................................................................ 28 Prerequisites ........................................................................................................................................... 28 Certificate Requirements ........................................................................................................................ 28 Setting up DPM to protect computers using certificates ....................................................................... 28 Setting up a computer for protection by DPM ....................................................................................... 29 Attaching an untrusted computer to DPM ............................................................................................. 29 Using Set-DPMCredentials ...................................................................................................................... 29 Using SetDPMServer ............................................................................................................................... 30 Using Attach-ProductionServerWithCertificate ...................................................................................... 31 Renewing Certificates ............................................................................................................................. 31

Disaster Recovery.................................................................................................................................... 31 Troubleshooting ...................................................................................................................................... 31 Tape Optimization....................................................................................................................................... 32 Introduction to tape optimization .......................................................................................................... 32 Scenario 1............................................................................................................................................ 32 Scenario 2............................................................................................................................................ 33 Scenario 3............................................................................................................................................ 34 Creating a new protection group set ...................................................................................................... 35 Modifying a protection group set ........................................................................................................... 35 Example:.............................................................................................................................................. 35 Deleting a protection group set .............................................................................................................. 36

Installing System Center 2012 DPM Beta

If you have downloaded System Center 2012 Data Protection Manager Beta, you are ready to go. But before you run setup.exe, go through this section to understand the various options on the setup splash screen so you know what each means and which ones you want to use. Important Information: If you are upgrading an existing installation of DPM, the registry key for DS Collocation Factor is retained if it was modified by you and does not get reset. Click Ignore on any pop-up dialog boxes that appear during upgrade. If your Express Full backups for SQL Server databases are transferring large amounts of data (almost the size of the primary MDF file), you must install the update KB2471430 on the SQL Server. This typically happens after you have run DBCC CHECKDB on a Windows 2008 server.

Supported Operating Systems

The computer on which you are installing DPM should run on of the following operating systems. Windows Server 2008 Windows Server 2008 SP2 Windows Server 2008 R2 Windows Server 2008 R2 SP1.

Installation Scenarios
The procedure to install DPM Beta will depend on your current DPM installation. This section outlines the various installation paths to System Center 2012 DPM Beta. Setup.exe is located at ..\<Extract Location>\DPM2012_BETA\DPM2012_BETA_FullBuild. New Installation Procedure 1. If you want to use a remote SQL instance, run Setup.exe on the SQL Server, select DPM Remote SQL Prep tool from the Setup page and install the tool. For more information about shared SQL Server, see Using a remote instance of SQL Server for DPM Database. 2. Run Setup.exe on the DPM server and select Data Protection Manager from the Setup page and follow the wizard. For more information about the Setup wizard, see Setup Wizard Help Pages (http://technet.microsoft.com/en-us/library/ff399389.aspx). 3. Read Post-Installation instructions. DPM 2010 QFE-2 (or QFE3) to System Center 2012 DPM Beta In this section, we discuss how to install DPM Beta on a computer that is already running DPM 2010 QFE-2 or DPM 2010 QFE3. Procedure

1. Remove shared tape libraries, if you are using any. 2. Backup DPMDB. 3. If you want to use a remote SQL instance, run Setup.exe on the SQL Server and select DPM Remote SQL Prep tool from the Setup page. For more information about shared SQL Server, see Using a remote instance of SQL Server for DPM Database. 4. Restore DPMDB. 5. Run Setup.exe on the DPM server, select Data Protection Manager from the Setup page and follow the wizard. For more information about the Setup wizard, see Setup Wizard Help Pages (http://technet.microsoft.com/en-us/library/ff399389.aspx). 6. Turn on tape library sharing again, if you are using any. Note: Syntax for SetSharedDPMDatabase has changed. You can get the new syntax by running SetSharedDPMDatabase /?. 7. Read Post-Installation instructions. Notes: 1. 2. 3. 4. 5. 6. Added firewall exceptions for port 6075 to enable scoped DPM Admin console. Open ports for SQL Server.exe and SQL browser.exe. DPMSCOM group is added as part of setup to Windows groups MSDPM Trusted Users group is added as part of setup to Windows groups. New event logs are added DPM Backup event and DPM alert. If you want to retain your job filters, copy the file JobFilters.xml from <DPM Install location>\DPM\bin to %SystemDrive%\Users\<user name>\appdata\Roaming\Microsoft\Microsoft System Center Dat a Protection Manager\. 7. On Read-Only Domain Controller (RODC) computer, the user should give the original password he used for DPMR$<Machine Name> while installing DPM 2010. Otherwise, Reporting will not work after upgrade. To fix this issue, manually change the password for DPMR$<Machine Name> account on the domain controller. DPM Protection Agent After you have installed DPM, you are ready to protect data. But before you do that you must install the protection agent on the computers that you want to protect. Installing Protection Agents on Computers Outside of a Firewall Installing Protection Agents on Computers Behind a Firewall Installing Protection Agents on Computers in a Workgroup or Untrusted Domain Installing Protection Agents Manually Installing Protection Agents Using a Server Image

Using a remote instance of SQL Server for DPM Database

DPM Beta introduces the ability to share one instance of SQL Server to host the databases of multiple DPM servers. An important part of upgrading to DPM Beta is upgrading the DPM database (DPMDB). System Center 2012 DPM Beta allows you to consolidate the databases of all your DPM servers to one SQL Server instance. When upgrading, you have to choose one of three scenarios. Each of these is explained in detail here. Note: Install your DPM servers sequentially. Parallel installations will lead to errors. Scale Considerations Each DPMDB requires 2.5 GB of memory. For instance, if 12 DPM servers share one instance of SQL Server, the computer running SQL Server must have 32 GB memory. The disk volume on which the database is stored should have RAID configuration for better performance. For more information on this page, see Installing a Remote Instance of SQL Server 2008 (http://technet.microsoft.com/en-us/library/ff399612.aspx). Prerequisites Run DPM Remote SQL Prep tool from the DPM Setup page on the computer running SQL Server. Cumulative Update package 4 for SQL Server 2008 R2 Points to remember You must not share a SQL Server instance installed by DPM. We recommend you use the SQL Server instance only for DPM databases. TCP/IP protocol must be enabled on the SQL Server and TCP/IP client protocol on DPM server. When setting up tape library sharing, provide the complete name <servername>\<instancename>\<databasename>. The naming conventions for the DPM database have changed with this new feature, and you can find the name of the database from the Information button on the Administrator console.

Local SQL Server instance to Local SQL Server instance Use this option if you want to continue to have DPMDB on the same computer as DPM. 1. Backup DPMDB 2. Add Microsoft$DPM$ACCT to the ACL for the DPMDB folder, if it doesnt exist. Add full control to the user. 3. Launch System Center 2012 DPM Beta installation. This will start setup in upgrade mode. 4. Choose Use the dedicated instance of SQL Server. 5. Follow the wizard.

Local SQL Server instance to remote SQL Server instance Use this option when you want to move from using a local instance of DPMDB to a remote instance. Using this feature, one SQL Server instance can host the databases of multiple DPM servers. Before proceeding, read Installing a Remote Instance of SQL Server 2008 (http://technet.microsoft.com/enus/library/ff399612.aspx). 1. Backup DPMDB. 2. Add Microsoft$DPM$ACC to the ACL for the DPMDB folder, if it doesnt exist. Add full control to the user. 3. Restore the DPMDB backup to a remote SQL Server 2008 R2 instance which you plan to use to host databases of multiple DPM servers. Note: The name of the restored database should be DPMDB. This SQL Server instance should be dedicated for hosting DPM databases only. Turn off library sharing before taking a backup of DPMDB. 4. Ensure that TCP/IP protocol is enabled for the SQL Server instance. 5. Install DPM SQL Prep on the remote SQL Server. You can find this on the DPM Setup page. 6. Launch System Center 2012 DPM Beta installation. This will start setup in upgrade mode. 7. Choose Use an existing instance of SQL Server. 8. Follow the wizard. Remote SQL Server instance to Remote SQL Server instance Use this option when you want to continue to use a remote SQL Server instance to host the DPMDB. Using this feature, one SQL Server instance can host the databases of multiple DPM servers. Before proceeding, read Installing a Remote Instance of SQL Server 2008 (http://technet.microsoft.com/enus/library/ff399612.aspx). Note: After setup is complete, you can remove the user account from the local Administrators group on the computer running the remote instance of SQL Server. 1. Backup DPMDB. 2. Restore the DPMDB backup to a remote SQL Server 2008 R2 instance which you plan to use to host databases of multiple DPM servers. Note: The name of the restored database should be DPMDB. This SQL Server instance should be dedicated for hosting DPM databases only. Turn off library sharing before taking a backup of DPMDB. 3. Ensure that TCP/IP protocol is enabled for the SQL Server instance. 4. Install DPM SQL Prep on the remote SQL Server. You can find this on the DPM Setup page. 5. Launch System Center 2012 DPM Beta installation. This will start setup in upgrade mode. 6. Choose Use an existing instance of SQL Server. 7. Follow the wizard.

Installing Central Console

The Central Console is a new feature in System Center Data Protection Manager 2012. Using the Central Console, you can monitor and manage multiple DPM servers from one location. In this section, we discuss how you can install Central Console. DPM supports three installation scenarios for Central Console. Using Central Console, you can monitor and troubleshoot both DPM 2010 with KB2465832 and feature pack and DPM. Important: Install the Operations Manager agent on all the DPM servers that you will be monitoring. For more information on installing Operations Manager agents, see Deploying Windows Agents.

Supported Client Operating Systems

Windows XP SP3 Windows Vista Windows 7

Server and Client Features

By installing both the server and client features, you will be able to monitor DPM servers on which the Operations Manager agent is present and use the scoped DPM Administrator console. Note: If you have DPM protection agent installed on the computer, you cannot install Central console client features. Note: Added firewall exceptions for port 6075 to enable scoped DPM Admin console. Open ports for SQL Server.exe and SQL browser.exe. Prerequisites System Center Operations Manager 2007 R2 Server components Important: Do not install the Central Console server components on a computer running only System Center Operations Manager 2007 R2 Console. Procedure 1. 2. 3. 4. 5. Run Setup.exe. Select Install Central Console option from the Setup page. Select Install Central Console Server and Client side Components option. Read Post-Installation instructions. After installation is complete, start Operations Manager console.

Importing management pack

1. Import System Center 2012 DPM Beta management packs. The Central Console consists of two management packs - Microsoft.SystemCenter.DataProtectionManager.2011.Discovery.mp and Microsoft.SystemCenter.DataProtectionManager.2011.Library.mp - import both management packs. The management packs are located at C:\Program Files\Microsoft DPM\Management Packs. Note: When you are importing the management pack, Windows will show you a warning about write actions. This is an expected warning and you can continue by clicking OK.

Only Server Features

By installing only the server features, you will be able to monitor DPM servers on which the Operations Manager agent is present but you cannot use the scoped DPM Administrator console. Note: Added firewall exceptions for port 6075 to enable scoped DPM Admin console. Open ports for SQL Server.exe and SQL browser.exe. Prerequisites System Center Operations Manager 2007 R2 Server components Important: Do not install the Central Console server components on a computer running only System Center Operations Manager 2007 R2 Console. Procedure 1. 2. 3. 4. 5. Run Setup.exe. Select Install Central Console option from the Setup page. Select Install Central Console Server side Components option. Read Post-Installation instructions. After installation is complete, start Operations Manager.

Importing management packs 1. Import System Center 2012 DPM Beta management packs. The Central Console consists of two management packs - Microsoft.SystemCenter.DataProtectionManager.2011.Discovery.mp and Microsoft.SystemCenter.DataProtectionManager.2011.Library.mp - import both management packs. The management packs are located at C:\Program Files\Microsoft DPM\Management Packs. Note: When you are importing the management pack, Windows will show you a warning about write actions. This is an expected warning and you can continue by clicking OK.

Only Client Features

By installing only the client features, you can use the scoped DPM Administrator console but you cannot monitor DPM servers.

Note: If you have DPM protection agent installed on the computer, you cannot install Central console client features. Prerequisites System Center Operations Manager 2007 R2 Operations Console Procedure 1. Run Setup.exe. 2. Select Install Central Console option from the Setup page. 3. Select Install Central Console Client side Components option.

Post-Installation
If you are using an Operations Manager server to monitor the DPM servers, you must make the following overrides on the server running Operations Manager: Default Health Service Handle Count Threshold Health Service Private Bytes Threshold Monitoring Host Handle Count Threshold Monitoring Host Private Bytes Threshold 2000 100MB 2000 100MB Override Value 8000 1GB 8000 1GB

For more information on how to override Operation Manager monitors, see How to Override a Monitor (http://technet.microsoft.com/en-us/library/bb309455.aspx). Also, add the following registry key on the server running Operations Manager: Key HKEY_LOCAL_MACHINE\SOFTWAR E\Microsoft\Microsoft Operations Manager\3.0\Modules\Global\Po werShell Value IsolationLevel Type dword Data 00000000 Description
Specifies whether a separate AppDomain will be used for each script. A value of 1 indicates that a separate AppDomain is used for each script. Defines how many minutes before a script expires from the queue.

QueueMinutes

dword

00000077

On the DPM server, you need to make changes to the following registry keys.

Important: Before making the following changes, ensure that Operations Manager agent is installed on this computer. Key HKEY_LOCAL_MACHINE\SOFTWAR E\Microsoft\Microsoft Operations Manager\3.0\Modules\Global\Po werShell Value IsolationLevel Type dword Data 00000000 Description
Specifies whether a separate AppDomain will be used for each script. A value of 1 indicates that a separate AppDomain is used for each script. Defines how many minutes before a script expires from the queue. Maximum size of memory for list of modifications that are made to the HealthService store database. Number of items in the state change events list. Maximum queue size for agents.

QueueMinutes

dword

00000077

HKEY_LOCAL_MACHINE\SYSTEM\C urrentControlSet\services\HealthS ervice\Parameters

Persistence Version Store Maximum

dword

0005dc00

State Queue Items HKEY_LOCAL_MACHINE\SYSTEM\C urrentControlSet\services\HealthS ervice\Parameters\Management Groups\<Management Group Name> MaximumQueu eSizeKb

dword dword

00001000 00019000

Important: Restart the System Centre Management service (Health service) for the registry updates to take effect.

Configuring Users
DPM Central Console allows you to create users and assign tasks that they have permissions to work on. Once you have installed Central Console and imported the management packs, you need to configure users on the Operations Manager server. The first step towards configuring users on Central Console is to run the default role creation tool (DefaultRoleConfigurator.exe). This tool is location in C:\Program Files\Microsoft DPM\bin\. After running this tool, you will see default DPM roles. Default Role DPM Reporting Operator DPM Read-Only Operator DPM Tier-1 Support Description Can create, modify and view scheduled or ondemand reports Can view all DPM configuration, jobs and alerts. Can view all alert and job information. Can

DPM Tape Admin DPM Tier-2 Support DPM Admin DPM Recovery Operator DPM Tape Operator

perform basic jobs like re-running a failed job. Can perform all tape related actions. Can perform all tasks of tier-1 support and additionally can troubleshoot problems. Can perform all actions. Can only perform recovery of data protected by DPM. Can perform only lightweight tape related operations such as running tape inventory, cleaning dives, etc.

Now, you can assign users to each role and once they have been assigned a role, they will only see actions based on the permissions they have. For more information about security roles in Operations Manager, see How to Administer Security Roles, Accounts, and Profiles in Operations Manager 2007 (http://technet.microsoft.com/en-us/library/bb309646.aspx). Points to remember: If a user belongs to multiple roles, the rights for the user will be a combination of the rights of all the roles. The rights assigned to a user in Central Console also carry over into the scoped DPM Administrator console when it is launched from within it. The permissions assigned to users do not hold true on the DPM server.

Hardware considerations for scale

In this section, we will discuss the hardware requirements for the Operations Manager server depending on the amount of data you will be protecting. No. of data sources 10000 20000 Role Single server which has Root Management Server and Operations Manager database Hardware 4 disk RAID 10 (147GB) 8 GB RAM Quad Proc Database estimates Number of days for data retention Number of computers Total size (MB) Total size (GB) Suggested space allocation with 10% buffer (GB) 7

250 4104.48 4.01 6.01

20000 40000

Two servers One hosts Root Management Server One hosts the Operations Manager database 2 disk RAID 1 8 GB RAM Dual Proc 6 disk RAID 10 (147GB) 4 GB RAM Dual Proc

Number of days for data retention Number of computers Total size (MB) Total size (GB) Suggested space allocation with 50% buffer (GB)

500 8208.97 8.02 12.02

Note: The hardware guidance provided is applicable for dedicated Operations Manager deployment.

Remote DPM Administrator Console

Scoped Administrator Console Operations Manager Consoles Common Console Server* ~40 ~20 Operations Manager Client Console ~2 1 DPM Server ~6 NA

*A common console server allows you to access the Central Console on an Operations Manager server over the network.

Scoped DPM Administrator Console

Scoped Administrator Console Operations Manager Consoles Common Console Server* ~150 ~20 Operations Manager Client Console ~10 1 DPM Server ~20 NA

*A common console server allows you to access the Central Console on an Operations Manager server over the network.

DPM does not support remote connection to Administrator Console or Scoped Administrator Console over WAN.

General Recommendations:
The DPM server hardware for scaled up scenarios should be same as that recommended for DPM 2010. We recommend you provide a separate drive for Operations Manager agent installation on DPM server as we expect a high number of IO.

Overall, on the recommended hardware for DPM for scaled up scenarios like 2000 DB, 3000 clients, o The CPU utilization during discoveries and monitoring averages under 20%. o The private byte usage is under 1 GB for health service and monitoring host processes.

Recommendations for Disk Requirements for Operations Manager Data Warehouse Database
When deciding on disk requirements for the data warehouse database, consider the following factors: Number of backups in the environment per day = Average number of backups per data source per day * Average number of data sources per DPM * Number of DPM servers. Number of days for retention, for e.g.: 30 days.

For example, for a 100 DPM server environment with an average of 1500 data sources per DPM and with one backup per day per data source, number of backups per day works out to 150000. Number of days for retention = 30 Days Based on this, you must plan to allocate 292.5 GB for 30-day retention.

Centralized Management
Managing multiple DPM 2010 servers can be a tedious task. It requires you to move from one DPM to another to perform various management and maintenance tasks. However, with DPM, you can manage all your DPM servers from a single location. Once you have installed Central Console, open the Operations Manager console and go to the Monitoring tab. Expand the Data Protection Manager folder to begin monitoring and managing your DPM servers. You can track both DPM 2010 and DPM Beta servers on the Central Console. If you want Central Console to track your DPM 2010 servers also, you must install the DPM2010_CentralizedManagement_Interoperability_Hotfix.exe upgrade on them, unless you do, the DPM 2010 servers will be grouped under the DPM Server (needs upgrade) view. The salient features of Central Console are: Centralized monitoring of DPM servers across different versions of DPM Remote administration. Role-based access control. Remote recovery. Take corrective actions remotely. Scoped troubleshooting Resume backups with a single click SLA-based alerting : Alerts are raised only when SLA is broken. Alert consolidation Supports scripting of repetitive DPM jobs

Centralized Monitoring Using the centralized management solution, you can monitor all your DPM servers from a single location. Using the Central Console you can monitor the health of the various DPM resources like DPM server, protected computers, tape libraries, disk space available, and more. The Central Console also tracks the various tasks in DPM, like whether recovery points are being taken at the scheduled times, whether a server is still on the network, etc. The Central Console requires System Center Operation Manager 2007 R2. Remote Administration If you have a smaller setup with about 5-10 DPM servers you can manage your DPM server centrally using Remote Administration. Remote Administration is basically the DPM Administrators console on your machine. Using the Remote Administration screen, you can connect to and work on any DPM server. You do not have to be a DPM administrator to use the remote Administrator Console, just as long as your account is configured on Operations Manager.

Alert Consolidation Alert consolidation helps unclutter your alerts screen and helps you work on the high priority items. DPM Central Console consolidates alerts in three cases: If the alert occurs repeatedly, you will see only one alert on the Central Console. On the DPM Administrator Console, the behavior is unchanged. If a job was scheduled to run hourly and hasnt run for the last ten hours, you will see one alert for the failed job instead of ten. If the root cause for multiple alerts is the same or if multiple backups for the same data source have failed, you will see only the alert informing you of the failure. If you are using a ticketing system, consolidation of similar alerts means that only one ticket is raised.

You can resolve the alerts in different ways depending on the type of alert. Resume backups: If your backups were failing due to a cause which you have fixed or resolved, just click Resume backups. The backup will start and the alert will get resolved. Take recommended action: If there is a clear recommended action that can resolve your issue, click this option and Central Console will trigger the action. Troubleshooting: For more complicated issues, you can use the scoped Troubleshooting console.

Scoped Troubleshooting The scoped troubleshooting console is the administrators best friend. The scoped console is based on the DPM Administrator console with a few very noticeable changes The title bar provides you with information like ticket number, alert, and DPM server on which the alert was raised. The context bar gives you more details about the alert and where it was generated. The actions available in the console are scoped to only show those that work with the object on which the alert was raised. Note: The scoped console will also show tasks that are not associated with any protection group or server because the jobs are common across all objects.

Using Central Console

The Central Console allows you to do everything that you can do from the Administrator console on the DPM server. You can group these tasks as: Protection Infrastructure management Troubleshooting Reporting

Managing Users
DPM Central Console allows you to modify roles and tasks that users have permissions to work on. Since the Central Console is built on System Center Operations Manager, you will use the Operations Manager console to manage users. For more information about security roles in Operations Manager, see How to Administer Security Roles, Accounts, and Profiles in Operations Manager 2007 (http://technet.microsoft.com/en-us/library/bb309646.aspx). To restrict the tasks that a user has permissions for, use the Tasks page of the wizard or the Tasks tab if you are editing an existing role. The DPM tasks are grouped under the System Centre Data Protection Manager 2012 Monitoring management pack. All the tasks are named Reserved, but the actual action is displayed in brackets. User will get to see only tasks that they have permissions to perform. The permissions also extend to Troubleshooting UI and to cmdlets. The following table shows you the various preconfigured roles and the tasks each role can perform.
ReadOnly Operator Reporting Operator Tier-1 Support (Helpdesk) Recovery Operator Tier-2 Support (Escalation) Y Tape Operator Tape Admin DPM Admin

Infrastructure Management Protection Intent Management

Recovery Related Y

Access to Logs

Basic Corrective Actions

Modify Disk Allocation Perform Consistency Check

Create Recovery Point for Disk Create Recovery Point for Tape Agent Management Cancel Scheduled jobs

Retry Jobs

Tape Library Operations Tape Operations

Allow Recovery

Reporting Operations Monitoring Operations

Advanced Tape Library Operations

Resume Backups Y

Infrastructure Management Modify disk allocation Clear Replica Inconsistent alert Allocate more disk space

Protection Intent Management Run Tape Erase job again Run Stop Protection job again Modify Catalog Alert Threshold size Claim ownership of the computer Modify protection group for this data source Basic Corrective Actions Run Tape Inventory job Run Catalog Reload job Run Verification job Run Drive Cleaning job Run Configure Protection job again Retrigger backup with verification Tape Library Operations Allow detailed inventory Open library door Enable/disable drive Clean drive Remove tape Advanced Tape Library Operations Rescan Rename library Refresh library Add Tape (I/E port) Tape Operations Erase tape Mark/unmark tape as free

Protection Tasks
Protection tasks include creating protection groups, maintaining the protection groups, maintaining recovery points and replicas, and recovering data. Creating a protection group If you want to create a protection group on a DPM server from the Central Console, expand that DPM management pack folder. It will show up under Monitoring. 1. Expand State Views. 2. Select DPM Server. 3. From the DPM server Tasks in the Action pane, select Manage DPM server.

This brings up the DPM Administrator console, from where you can now create the protection group. Modifying a protection group If you want to modify a protection group on a DPM server from the Central Console, expand that DPM management pack folder. If you are working with DPM 2010, this will show up as Data Protection Manager 2010, and if you are working with DPM Beta, it will show up as Data Protection Manager 2012 under Monitoring. 1. 2. 3. 4. Expand State Views. Select Protection Groups. From the main window, select the protection group you want to modify. From Protection group Tasks in the Actions pane, select Manage protection. This brings up the DPM Administrator console with Protection tab open and the protection group you selected already highlighted.

Creating a recovery point If you want to create a recovery point on a DPM server from the Central Console, expand that DPM management pack folder. If you are working with DPM 2010, this will show up as Data Protection Manager 2010, and if you are working with DPM Beta, it will show up as Data Protection Manager 2012 under Monitoring. 1. 2. 3. 4. Expand State Views. Expand Datasources and select the data source type. From the main window, select the data source for which you want to create a recovery point. From DPM datasource Tasks in the Actions pane, select Create recovery point. This brings up the Create Recovery Point dialog box where you can specify what kind of recovery point you want to create. Click OK to create the recovery point.

Recovering data If you want to recovery data from the Central Console, expand that DPM management pack folder. If you are working with DPM 2010, this will show up as Data Protection Manager 2010, and if you are working with DPM Beta, it will show up as Data Protection Manager 2012 under Monitoring. 1. 2. 3. 4. Expand State Views. Expand Datasources and select the data source type. From the main window, select the data source you want to recover. From DPM datasource Tasks in the Actions pane, select Recover datasource. This brings up the DPM Administrator console with Recovery tab open and the data source you selected already highlighted.

Troubleshooting Alerts from Central Console

Depending on your role and area of interest, DPM gives you different views from where you can monitor and manage the DPM servers that interest you.

After Operations Manager has discovered the DPM servers, it will begin to monitor the state of the DPM objects. The central console gives you two views of the DPM data: Alert View: A list of all DPM alerts that have been raised and require action. State View: The state of the various DPM objects including data sources.

The right side of the console gives you a list of DPM tasks that you can perform based on the DPM object for which the alert was raised.

The States View

To view the state of various DPM objects: 1. Expand the DPM folder on the left pane 2. Expand the State Views folder. 3. Click the DPM object group you want to view. The main pane will show you the list of DPM objects and their current health state. To troubleshoot an object that is not in good health: 1. Right-click the object, select Open, and then select Alert View. 2. This opens the Operations Manager Alerts View and lists all the alerts raised on the object. 3. Resolve the alerts against the object to bring it to a healthy state.

Resolving Alerts
To view the list of alerts: 1. Expand the DPM folder on the left pane 2. Expand the Alerts Views folder. 3. Click the alert group you want to view. The alerts are grouped under the Alerts Views folder by object. The groups are: Data Source Alerts DPM Disk Alerts DPM Tape Alerts DPM Tape Drive Alerts DPM Tape Library Alerts Protected Computer Alerts Protection Groups Alerts Replica Volume Alerts Note: To see what alerts come under each group, go to The Alerts. 4. To see the alerts in a group, click the group name.

To resolve an alert: 1. Select the alert. The Alert Details pane will bring up all relevant details about the alert. Check the Corrective action in this section to know what you need to do next. The Alert Tasks section of the Actions pane shows the actions to help you resolve the alert. 2. Select the action from the Alert Tasks section of the Actions pane. The Alert Task section has the following options: Get more information: Takes you to a TechNet page where you can get more information about the alert and possible solutions. Resume backups: Resumes the backups that were stopped. In case of a consolidated alert, this option resumes backups for all stalled backups. Note: After you click Resume backups for a consolidated alert and launch scoped console, you will not be able to see all the jobs that were started because DPM will have already marked some alerts as resolved. To see a complete list of jobs open the scoped console for the consolidated alerts source, rather than the alert. Take recommended action: If there is a recommended action associated with the alert, clicking this option runs the recommended action. Troubleshoot: Brings up the scoped Administrator console for the alert.

Advanced Troubleshooting using Central Console

Sometimes, it is not just enough to resume a backup or do the recommended action. If you want to drill down to the reason for an alert, use the Troubleshoot option. The Troubleshoot option brings up a scoped DPM console. This console resembles the DPM Administrator console, but in fact is scoped to only show the object you are working with. Using the console, you can drill down to see all the constituent alerts in case of a consolidated alert. You can also check to see if there is a pattern to when the alert is raised so you can final a long-term solution to the problem. Apart from the scoped options available, the console has the following differences from the main DPM Administrator console: A more informative title bar. The title bar of the scoped Administrator console will give you the following information the ticket number (if a ticketing system is in use) and the alert from where the console was launched. A context bar that gives you details about the object that is affected by the alert.

The Alerts Production Server Agent not reachable (3122) Agent incompatible (3121)

Agent ownership required (3107) Backup to tape failed with VSS datasource unavailable Configure protection failed with agent not responding End-user recovery permissions update failed (3123). Recovery point creation failed with access denied on production server Recovery point creation failed with active node not found Recovery point creation failed with agent not responding Recovery point creation failed with exchange log chain broken Recovery point creation failed with host unreachable Recovery point creation failed as prepare CSV failed Recovery point creation failed with snapshot out of resource Recovery point creation failed with SQL command failure Recovery point creation failed with SQL DB missing Recovery point creation failed with SQL log chain broken Recovery point creation failed with SQL server refusing connection Recovery point creation failed with VSS datasource unavailable Recovery point creation failed with VSS error retryable Recovery point creation failed with VSS infrastructure error Replica inconsistent with bit map file corrupt Replica inconsistent with production server crashed Replica is inconsistent with prepare CSV failed Synchronization failed with access denied Synchronization failed with host unreachable

DPM Server DPM server availability Global DPMDB Database Not Accessible Alert Notification (24091) No agent on cluster node (369) Tape encryption certificate expiration (24059) Database Auto Protection Failed (32511) Database size threshold exceeded (3168)

SharePoint Recovery point creation failed (3114) Replica is inconsistent (3106) Backup metadata enumeration failed(3134) Backup to tape failed (3311) Consolidation of recovery points of the replica failed (3178) Cannot verify tape data (3309) SharePoint Item Level Catalog failed (3133)

Tape copy failed (3310) Tape data integrity issues found(3317) Unable to configure protection for application datasource (3170)

Data Source Recovery point creation failed (3114) Replica is inconsistent (3106) Backup to tape failed (3311) Cannot verify tape data (3309) Tape copy failed (3310) Tape data integrity issues found(3317)

Protection Group Backup to tape failed with archive critical IO error Backup to tape failed with cancelled on restart Backup to tape failed with no dataset found on shadow copy for archive Recovery point creation failed with cancelled on restart Recovery point creation failed with replica is inconsistent Replica inconsistent with cancelled on timeout Replica inconsistent with diff area IO error Replica inconsistent with replica is in invalid state

DPM Library Free tape threshold reached (3305) Library devices were disabled (32572) Library not available (3301) Library not functioning efficiently (3302) Backup to tape failed with drive resource not online Backup to tape failed with media could be cleaner Backup to tape failed with media resource not online Job waiting for tape (3315)

Application Data Source Recovery point creation failed (3114) Replica is inconsistent (3106) Backup to tape failed (3311) Consolidation of recovery points of the replica failed (3178) Cannot verify tape data (3309) Tape copy failed (3310)

Tape data integrity issues found(3317) Unable to configure protection for application datasource (3170)

DPM Disk Disk missing (3120)

Tape Drive Library drive is not functioning (3303)

Replica Volume Volume missing (3101) Recovery point creation failed with not enough space on replica Recovery point creation failed with shadow copy storage insufficient Recovery point creation failed with shadow copy area full Recovery Point Volume threshold exceeded (3169) Replica inconsistent with shadow copy area full Replica disk threshold exceeded (3100) Synchronization failed with shadow copy area full

File System Data Source Recovery point creation failed (3114) Replica is inconsistent (3106) Synchronization failures (3115) Backup to tape failed (3311) Cannot verify tape data (3309) Tape copy failed (3310) Tape data integrity issues found(3317)

Optimized SharePoint Item Level Recovery

Item level recovery for SharePoint farms is already supported by DPM 2010. However, the process was time consuming as it required the transfer of the entire database on a recovery point over the network to a staging location before you could recover an item. DPM v4 reduces the time and storage space required to restore an item by not requiring the entire database to be recovered and mounted, instead it attaches database files on the recovery point to a SQL Server instance remotely and recovers the item from the database. This enhancement does not affect the protection or recovery of a SharePoint farm or database. For detailed steps on how to perform item-level recovery on SharePoint farms, see Recovering SharePoint Items (http://technet.microsoft.com/en-us/library/ff634182.aspx). Important: The SQL Server instance must run under an account that can be resolved by Active Directory services. This means that the SQL service must be running under a domain account, or under Local System or Network Service of the computer. This feature is available for farms on SharePoint 2007 and SharePoint 2010.

Item-Level Recovery of Filestream Items

You must set the following registry key on the DPM server to enable SharePoint item-level recovery for items in SQL Server Filestream content databases. Key Value Data Type DWORD HKLM\Software\Microsoft\Microsoft Data Protection Manager\Configuration\SharePoint AutoTriggerUnOptimizedILR

Known Issues
When you try to recover a Filestream item, you will see a critical alert for recovery failure followed by an informational alert for a successful recovery. You should ignore the critical alert.

Limitations
Item-level recovery for items in Filestream databases will not be optimized. Tape recovery will not be optimized. DPM does not support item-level recovery for SharePoint sites using Variations. For more information about Variations, see Variations overview.

Certificate-based Authentication for Computers in Untrusted Domains

Introduction
DPM 2010 supports protection of computers in workgroups and untrusted domains using local accounts and NTLM. However, in scenarios where an organization does not allow creation of local accounts, this solution does not work. DPM allows you to use certificates to authenticate computers in workgroups or untrusted domains. Currently, DPM supports the following data sources for certificate-based authentication when they are not in trusted domains: SQL Server File server Hyper-V

DPM also supports these data sources in clustered deployments. The following data sources are not supported: Exchange Server Client computers SharePoint Server Bare Metal Recovery System State

Prerequisites
.Net 3.5 SP1 on the protected computer Each machine (virtual machines included) must have their own certificate.

Certificate Requirements
X.509 V3 certificates Enhance Key Usage should have client authentication and server authentication. Key length should be at least 1024 bits. Key type should be exchange. DPM does not support self-signed certificates.

Setting up DPM to protect computers using certificates

1 2 Generate a certificate from the certificate authority for the DPM Server Import the certificate to the personal certificate store of Local Computer account and then run Set-DPMCredentials to configure the DPM server. This generates a metadata file that is required at the time of each agent install in untrusted domain.

Note: If this file is lost or deleted, you can recreate it by running Set-DPMCredentials -action regenerate. 3 The DPM server is now successfully configured for use with certificates.

Repeat these steps on every DPM server that will protect a computer in a workgroup or in an untrusted domain.

Setting up a computer for protection by DPM

1 2 3 4 Install the DPM protection agent on a computer and then attach it to the DPM server. Generate a certificate from the certificate authority for the computer you want to protect. Import the certificate to the personal certificate store of Local Computer. Run SetDPMServer.exe to complete the setup. The program saves a file locally with the certificate metadata. Later, this file is used to attach this agent to the DPM server. Note: If this file is lost or deleted, you can recreate it by running SetDPMServer.exe. Repeat these steps on every computer you want to protect that is in a workgroup or in an untrusted domain.

Attaching an untrusted computer to DPM

1. Run Attach-ProductionServerWithCertificate.ps1 to attach an untrusted computer to the DPM server. 2. Repeat the step for every untrusted computer

Using Set-DPMCredentials
Syntax: Set-DPMCredentials [DPMServerName <String>] [Type <AuthenticationType>] [Action <Action>] [OutputFilePath <String>] [Thumbprint <String>] [ AuthCAThumbprint <String>] Example 1: Set-DPMCredentials -DPMServerName dpmserver.contoso.com -Type Certificate -Action Configure -OutputFilePath c:\CertMetaData\ Thumbprint cf822d9ba1c801ef40d4b31de0cfcb200a8a2496 Where dpmserver.contoso.com is the name of the DPM server and cf822d9ba1c801ef40d4b31de0cfcb200a8a2496 is the thumbprint of the DPM server certificate. This cmdlet will generate a file in c:\CertMetaData\ with name CertificateConfiguration_<DPM SEVER FQDN>.bin Parameter Description Value

Type Action OutputFilePath

Thumbprint AuthCAThumbprint

Type of authentication. Intent for running the command Location of the output file (used in Set-DPMServer on protected computer) Thumbprint of the certificate (to be used on DPM server) Thumbprint of the certifying authority in the trust chain of the certificate. Optional. If not specified, Root will be used.

Certificate Regenerate, Configure

Example 2: Set-DPMCredentials -DPMServerName dpmserver.contoso.com -Type Certificate -OutputFilePath c:\CertMetaData\ -Action Regenerate This cmdlet will regenerate the lost configuration file in the folder c:\CertMetaData\.

Using SetDPMServer
Syntax: SetDPMServer.exe -dpmCredential CertificateConfiguration_<DPMServerFqdn>.bin -OutputFilePath <Output File Path> -Thumbprint <Certificate Thumbprint> [AuthCAThumbprint <authorized CA thumbprint>] Example: C:\Program Files\Microsoft Data Protection Manager\DPM\bin>SetDpmServer.exe -dpmcredential CertificateConfiguration_dpmserver.contoso.com.bin -OutputFilePath c:\CertMetaData\ -Thumbprint "5b3db055d3f769bc58e2f6c0703bac4ea8fbd8da Where CertificateConfiguration_dpmserver.contoso.com.bin is the DPMServerCertificateConfiguration file which was generated on DPM server by running SetDPMCredentials and 5b3db055d3f769bc58e2f6c0703bac4ea8fbd8da is the CertificateThumbprint of the protected computer certificate. This will generate PS certificate configuration file at C:\CertMetaData with name CertificateConfiguration_ <PSServerFqdn>.bin. Parameter DPMCredential OutputFilePath Description Value The credential file that was the output of Set-DPMCredentials. Location of the output file (used in AttachProductionServerWithCertificate

Thumbprint AuthCAThumbprint

on DPM server) Thumbprint of the certificate (to be used on protected computer) Thumbprint of the certifying authority in the trust chain of the certificate. Optional. If not specified, Root will be used.

Using Attach-ProductionServerWithCertificate
Syntax: Attach-ProductionServerWithCertificate.ps1 [-DPMServerName <String>] [PSCredential <String>] [<CommonParameters>] Example: Attach-ProductionServerWithCertificate.ps1 -DPMServerName dpmserver.contoso.com PSCredential CertificateConfiguration_DocServer.fourthcoffee.com.bin For a workgroup machine: Attach-ProductionServerWithCertificate.ps1 -DPMServerName dpmserver.contoso.com PSCredential CertificateConfiguration_WorkgroupMachine1.bin Parameter PSCredential Description The credential file that was the output of Set-DPMServer. Value

Renewing Certificates
When acquiring a new certificate, you must ensure the following: The value in the Issued to field must exactly match the original certificate. The value in the Issued by field must be ROOT.

Disaster Recovery
You can protect the DPM server protecting computers in untrusted domains using a secondary DPM server. The only condition is that both the DPM servers should be in domains that trust each other.

Troubleshooting
1. If you are facing repeated authentication failures, refer CAPI2 event viewer logs on both DPM and protected computer.

Tape Optimization
Introduction to tape optimization
The tape optimization feature in DPM allows you to allow multiple protection groups to share a tape to store their backups. DPM aims to improve the support for this feature to allow more flexibility to you around what you colocate and how. In order to optimize tape usage, DPM uses protection group sets. A protection group set is nothing more than a set of protection groups whose backups the DPM administrator wants to colocate on to a tape. However, just because a set of protection groups belong to a set, it does not mean that they will be colocated to a tape. This is decided by the write period and expiration tolerance values. Write period is the length of time for which a tape is available for writing new backups. The tape is marked as Offsite Ready after this. Expiration tolerance is the maximum length of time for which an expired recovery point can remain on a tape until the tape is marked as expired. Scenario 1 Protection Groups 1,2,3 1,2,3 1,2

Frequency 1 Day 1 Week 1 Month

Retention 1 Week 1 Month 1 Year

Occurs on Daily Every Monday 1st of every month

Conditions 1. For a given retention range, all backups happen on the same day across the protection groups. 2. Tapes are taken out every week from the library. 3. Month retention tapes are sent to one physical vault and year retention tapes are taken to another. 4. Corporate policy dictates that datasets cannot lie expired on tapes. (Zero tolerance policy) Policy/Intent The admin sets the following co-location policy: 1. 2. 3. Do not co-locate different retention ranges to same tape. Write Period should be 0. I.e. tape can be written to only on the day of the first backup to that tape. Expiry Tolerance is 0.

Tape Usage Tapes will be used in the following manner:

1. 2.

3.

Every day at least one tape will be offsite ready. It will have the daily backups of protection groups 1, 2 and 3 co-located. This tape will expire at midnight of the eighth day. Every Monday, all the weekly backups of protection groups 1, 2 and 3 will get co-located. These tapes will be offsite ready after the last backup is written and will expire a month later. On the 1st day of every month, all the monthly backups of protection groups 1 and 2 will get co-located. These tapes will get offsite ready after the last backup is written and will expire a year later.

Scenario 2 Frequency 1 Day 1 Week 1 Month

Retention 1 Week 1 Month 1 Year

Occurs on Protection Group1 Every day Monday 1st of every month

Protection Group2 Every day Wednesday 2nd of every month

Protection Group3 Every day Friday NA

Conditions 1. For a given retention range (except a weeks retention), backups are staggered across days across the protection groups. 2. Tapes are taken out every week from the library. 3. Month retention tapes are sent to one physical vault and yearly retention tapes are taken to another. 4. Corporate policy dictates that datasets may lay expired on tapes but for not more than a week. (Low tolerance policy) Policy/Intent 1. Do not co-locate different retention ranges to same tape. 2. Write Period is6 days. I.e. tape can be written to till 6 days after the first backup day. 3. Expiry Tolerance is 6 days. Tape Usage Tapes will be used in the following manner: 1. 2. Every week at least one tape will be offsite ready. It will have the daily backups of protection groups 1, 2 and 3 co-located. This tape will expire at midnight of the fifteenth day. Every Monday, Wednesday and Friday weekly backups of protection group 1, 2 and 3 respectively will get co-located. This tape(s) will be offsite ready on the Sunday of the week and will expire a month later.

3.

On the 1st and 2nd day of every month, the monthly backups of protection groups 1 and 2 respectively will get co-located. This tape(s) will get offsite ready after the write period is over and will expire a year later.

Scenario 3 Frequency 1 Week 1 Month 1 Month

Retention 2 Weeks 1 Month 1 Year

Occurs on Every Saturday 2nd of every month 1st of every month

Protection Groups 1,2 1,2,3 1,2,3

Conditions 1. For a given retention range, all backups happen on the same day across the protection groups. 2. 1 year retention backups are sent outside the library. There is no need to co-locate them. 3. Datasets lying expired on tapes is tolerable for up to a month. (Medium tolerance policy) Policy/Intent 1. Allow to co-locate different retention ranges to same tape. 2. Write Period is 13 days. I.e. tape can be written to till 13 days after the first backup day. 3. Expiry Tolerance is 1 month. Tape Usage Tapes will be used in the following manner: 1. Every second week at least one tape will be offsite ready. It will have the weekly backups of protection groups 1 and 2 co-located. This tape may also have one monthly backup of each protection group.

2.

The 1-year retention backups will not co-locate as their expiry range is beyond the tolerance of one month. Hence they will go to another tape.

Creating a new protection group set

1. Click Optimize tape usage on the Actions pane of the Library view. 2. Click Create on the Optimize Tape Usage dialog box. 3. On the Create Protection Group screen you can: a. Type a name for the protection group set. b. Select the protection groups you want to add to the protection group set. c. Select the checkbox to allow backups of different retention periods to collocate on the same tape. d. Click Advanced to set Write Period Ratio and Expiration Tolerance. 4. Click Ok to save the information and close the dialog box. You can also create protection group sets from the create and modify protection group wizards.

Modifying a protection group set

1. Click Optimize tape usage on the Actions pane. 2. Select the protection group set you want to modify and then click Modify on the Optimize Tape Usage dialog box. 3. On the Modify Protection Group screen you can: a. Edit the name for the protection group set. b. Add or remove protection groups from the protection group set. c. Select the checkbox to allow backups of different retention periods to collocate on the same tape. d. Click Advanced to set Write Period Ratio and Expiration Tolerance. 4. Click Ok to save the information and close the dialog box. Example: Tape T1 has datasets DS1, 2 and 3 written. All of them are daily backups which happened from day 1 to 3 respectively. Retention of each is one week. Write Period = 7 days Expiry Tolerance = 7 days.

Now the protection group of dataset DS2 is modified. The retention range of DS1 now changes from 1 week to 1 month.

Dataset DS4 now arrives on day 4. Its retention range is one week, so expiry date is day 11. DS4 will be a candidate for co-location in tape T1. Applying the expiry tolerance formula - Exp_Max X <= Exp_DS <= Exp_Min + X (Refer design section 4.2) Exp_Max = 32, Exp_Min = 8, X = 7 32-8 is not <= 10. Since expiry tolerance formula is not satisfied, DS4 will not co-locate to this tape. This is expected behavior now, because we are honoring users intent of expiry tolerance and not allowing any new datasets to lie expired for more than the tolerance period. In case all the datasets DS1 to DS3 were modified to have a retention range of 1 month, then other datasets having monthly retention would co-locate on that tape, provided the constraints of write period and expiry tolerance are met.

Deleting a protection group set

1. Click Optimize tape usage on the Actions pane. 2. Select the protection group set you want to delete and then click Delete on the Optimize Tape Usage dialog box.

3. Click Ok to close the dialog box. Note: You cannot delete a protection group set that has protection groups associated with it.