Wednesday 1 August 2012

Configuring Data Protection Manager

With DPM now installed, the next task is to look at the additional configuration options and to set up backup jobs. I first created an Active Directory user account to be used by DPM for notifications. The advantage of using a dedicated account for this, rather than re-using, say, the SCOM account that is used for notifications, is that it makes managing alerts easier for recipients (for example, setting rules to move SCOM alerts to one folder and DPM alerts to another).
As it's also generally a bad idea to have emails going out that don't have a valid return address, I gave the user a mailbox. Back in DPM I went into Options and configured the SMTP server and authentication details.
I then did a send test email and verified the test email showed up in OWA.
I then enabled email alerts for warnings and critical errors.
I then logged onto the SCOM server and imported the DPM 2012 Management packs.  These don't appear to be in the online catalogue - I had to add them from the DPM install media.
These imported successfully.
I then ran Discovery in SCOM which picked up the two DPM servers.
Agent deployment completed successfully.
Next, back on the first DPM server (I'll be using DPM1 for Exchange backups), I added the Exchange 2003 Back-End and Front-End, in the agent deployment wizard.
I entered the administrator credentials to be used to install the agents.
I set the wizard not to automatically restart the machines if required, once the agent had been installed.
After that, a summary is presented.
The install succeeded.
The computers showed up in the console with reboot pending status.
I logged onto each of the Exchange servers and, while there, took the opportunity to apply the hotfix from Microsoft KB940349, which is an update rollup for a number of VSS issues. Two reboots later I had two healthy agents.
I then switched to the protection screen and clicked to create a new protection group.
I'll be backing up servers.
For this protection group, I'll be protecting Exchange databases. There's no data in the database on the Front-End, so I ignored that, but I added both Storage Groups from the Back-End.
I entered a name for the protection group, and selected short term protection on disk.
For now I left the option to use eseutil to verify enabled. I'll keep a close eye on how DPM impacts other components on this same disk, and if I do see issues arising I may look at disabling it. Having this option enabled requires copying ese.dll and eseutil.exe from the Exchange 2007 install media (seeing as this DPM server is x64) to the DPM server.
I set a retention range of 7 days and configured synchronisations on an hourly basis.  I left express full at the default of 20:00 daily.
I modified the disk allocation, giving 20GB to the replica volume for each storage group, and 10GB for the Recovery Point volumes.  The data size isn't zero because of the earlier pass with LoadGen.  I could have blown away and recreated the edb and stm files (seeing as there is no valid data in them), but decided to keep them as backing up some data is a better test of DPM than backing up a couple of empty 2MB files.
I disabled the option to automatically grow the volumes. This should be manageable for the small number of databases in this environment, even after I add additional Exchange servers, although I have found that having it disabled in environments with large numbers of databases can lead to a lot of administrative overhead and failed jobs, unless you can afford to massively over-provision disk space.
I set it to create the replica immediately.
I allowed DPM to kick off a consistency check automatically if a replica becomes inconsistent.
After that, a summary is displayed.
The configuration tasks completed successfully.
The protection group then shows up in the main console with replica creation in progress shown for each storage group.
An hour and a half later, I have a pair of healthy replicas.
Next, on the same DPM server, I configured System State backups for both Exchange servers.
I won't go over the options I selected in too much detail as I've already done one set of screenshots for the Exchange Database protection group, aside from mentioning the fact that I went for 7 day protection and backups at 20:00 again.
This protection group created quite quickly.
Next, I logged onto the second DPM server and repeated the configuration changes I made above in the Options window. After that, I went to agent deployment and added all servers aside from the two Exchange servers and the other DPM server.
Agent install succeeded for the single Windows 2003 server, but failed for all the Windows 2008 servers. This was down to the Windows Firewall not being configured to allow the DPM agent to receive inbound connections. The two options here are generally either to install the agent manually or to temporarily disable the firewall, but both of these are rather unsatisfactory. So I decided to go the route of adding the required firewall rules via GPO. In Group Policy there is the option to merge any rules defined in the GPO with the rules already configured on each local machine, which is the route I have decided to take, meaning I don't have to worry about copying all the default rules into the GPO, nor about any individual rules that may have been created on a per-server basis when certain software was installed. I logged onto one of the DCs and decided to first manually install the DPM agent to this one server, to take a look at the agent install path and what ports I will need to allow. The agent installer can be found at \\DPMSERVER\c$\Program Files\Microsoft System Center 2012\DPM\DPM\ProtectionAgents\RA\4.0.1908.0\amd64.
Before the manually installed agent will be able to start, you need to set the DPM server. This can be done via the SetDPMServer.exe command line tool in the Program Files\Microsoft Data Protection Manager\DPM\bin directory.

Let's take a look at the firewall rules that were created as part of that step.
These are the two I am really interested in; the other two were already effectively enabled by other default rules. There's one tweak relevant to my environment that I will make to those, and that is limiting the remote addresses to 10.0.0.0/24.

I loaded Group Policy management, created a new GPO named DPM Firewall Rule GPO and navigated to the inbound rules section.
Here, I replicated the two rules that had been created earlier.
I then went into Properties on the Windows Firewall with Advanced Security node, then into Customise, and under Rule merging set Apply local connection security rules to Yes. (Not configured will result in merging by default; it's just nice to have that additional bit of confidence that all existing rules won't suddenly disappear.)
I linked the GPO to the root of the domain and configured it to apply to Domain Computers and Domain Controllers.
After running a GPUPDATE /Force, I re-attempted to deploy the agent to one server as a test. It still failed. Taking a closer look through the event logs, I could see the DPMAC service was being installed, but whereas with a manual install the agent was placed in Program Files, with automated deployment the agent was being placed in the Windows directory.
So I went back to Group Policy and added a new firewall rule with the Windows path instead of the Program Files path (I kept the rule for the Program Files location in there, so that manually installed agents will have an exception applied by Group Policy too). The full Windows location I entered was %systemroot%\Microsoft Data Protection Manager\DPM\ProtectionAgents\AC\4.0.1908.0\DPMAC.exe.
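The same three inbound rules can be written into the GPO from a script rather than through the GPMC GUI, which also makes it easy to confirm afterwards that a target server actually received them from Group Policy and kept the 10.0.0.0/24 scope. The following is an added example, not code from the original post or from Microsoft; it uses the NetSecurity cmdlets (Windows Server 2012 / Windows 8 or later with RSAT, as they are not available on 2008), and the domain name, rule names, and the two Program Files paths are assumptions (only the DPMAC.exe path under %systemroot% is quoted from the post).

```powershell
# Added example (not from the original post): create the three inbound DPM agent
# rules directly in the GPO, then verify them on a target server.
# Assumed values: domain FQDN, rule display names, and the two Program Files paths.
$domain  = 'lab.example.local'        # assumed domain FQDN
$gpoName = 'DPM Firewall Rule GPO'    # GPO name from the post
$scope   = '10.0.0.0/24'              # remote address restriction from the post

# Program paths: the first is the one quoted in the post; the other two are
# assumptions standing in for the manually installed agent's binaries.
$rules = @(
    @{ Name    = 'DPM Agent - DPMAC (automated deployment)'
       Program = '%systemroot%\Microsoft Data Protection Manager\DPM\ProtectionAgents\AC\4.0.1908.0\DPMAC.exe' },
    @{ Name    = 'DPM Agent - DPMAC (manual install)'
       Program = '%ProgramFiles%\Microsoft Data Protection Manager\DPM\bin\DPMAC.exe' },   # assumed path
    @{ Name    = 'DPM Agent - DPMRA'
       Program = '%ProgramFiles%\Microsoft Data Protection Manager\DPM\bin\DPMRA.exe' }    # assumed path
)

# Open the GPO once, add any rule that is not already there, and save once so
# SYSVOL is written a single time rather than once per rule.
$gpo = Open-NetGPO -PolicyStore "$domain\$gpoName"
foreach ($r in $rules) {
    $existing = Get-NetFirewallRule -GPOSession $gpo -DisplayName $r.Name -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-NetFirewallRule -GPOSession $gpo -DisplayName $r.Name `
            -Direction Inbound -Action Allow -Profile Domain `
            -Program $r.Program -RemoteAddress $scope -Enabled True | Out-Null
    }
}
Save-NetGPO -GPOSession $gpo

# Verification, run on a target server after gpupdate /force: each rule should
# report GroupPolicy as its source and still carry the program and remote scope.
Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName 'DPM Agent*' |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Source  = $_.PolicyStoreSourceType   # expect GroupPolicy, not Local
            Program = $app.Program
            Remote  = $addr.RemoteAddress
        }
    } | Format-Table -AutoSize
```

Scoping the rules to the Domain profile and to the 10.0.0.0/24 range keeps the exceptions limited to the DPM servers' subnet; the verification step is what catches the case where a rule was merged from local policy instead of the GPO, or where the program path on the server differs from the one in the rule (the automated-deployment path problem described above would show up there as a missing match).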

So the final three rules I ended up with were as in the screenshot below.
With those three rules applied Agent deployment succeeded for one server I added as a test.
I repeated the process for the remaining servers and the final result was all desired machines having the Protection Agent installed.
I then created three protection groups. I won't go into the details of creating them, I just split them between 2003/2008 System Protection, and SQL protection.
Next up, I'll be looking at the central console.

Sunday 29 July 2012

Deploying System Center 2012 – Data Protection Manager

For the next stage of this lab build, I'm going to be looking at Data Protection Manager. One of the key new pieces of functionality in the latest version is a centralised console. In order to take a look at this functionality, I have decided to deploy two DPM servers. As I will be growing the Exchange side of the lab quite significantly, I have decided to split the purpose of the two DPM servers into Exchange and non-Exchange. I'll be assigning each of these two servers 500GB to use for backups, which will leave half of the space on the 2TB disk for VMs. The backup requirements will therefore not exceed 1TB from the SAS disk plus 240GB from the SSD. However, as the SAS drive will also contain things that will not be backed up by DPM (such as OS images, templates etc.), I'm not too worried about having given DPM less than 50% of the overall storage. I'll be keeping the number of snapshots of any given object to a minimum, and for this lab environment I expect any differences between snapshots to be extremely minimal anyway.

With the above in mind, I deployed two VMs from template.
With the VMs created, the 500GB volumes assigned, and the DPM install files downloaded, I logged onto the existing SQL server and ran SQLPrepInstaller_x64.exe to install the SQL prerequisites.
As DPM requires its own SQL instance, I re-ran the SQL installer, selecting new installation or add shared features.
After accepting the license agreement and entering the product key I selected the Database Engine Services, SQL Server Replication, Full-Text search and reporting services. (The Management tools and SQL Client Connectivity SDK are also requirements, but these shared features were already installed for the Operations Manager instance.)
After some additional checks had run, I entered the name for the instance of INS02.
To keep things simple, I matched the Service accounts to those used for the Operations Manager instance.
I kept the default settings on the next 4 screens; after that, a summary is shown.
The install completed successfully.
To keep the network and firewall config simple for this second instance, I loaded SQL Server Configuration Manager and disabled dynamic port allocation, setting a static port of 1432.
I then copied the Windows Firewall rule I created earlier for the default instance and modified the name, program and port to match the second instance.
I then created a temporary rule in the Windows Firewall to permit inbound UDP on port 1434 to the SQL Browser service. I should be able to disable this rule once setup completes.
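The port pinning and the two firewall rules above can also be done from PowerShell on the SQL host, which makes it straightforward to scope the rules to the DPM servers only and to disable the temporary SQL Browser rule once DPM setup has finished. This is an added example, not code from the original post or from Microsoft: it uses the SMO WMI provider to set the static port (the assembly name is the SQL Server 2008 R2 one) and the NetSecurity cmdlets for the rules (Windows Server 2012 or later); the DPM server addresses and the sqlservr.exe path are assumptions.

```powershell
# Added example (not from the original post): pin INS02 to TCP 1432, open that
# port only for the SQL service binary and only to the DPM servers, add a
# temporary UDP 1434 rule for SQL Browser, and provide the post-setup cleanup.
# Assumed values: DPM server addresses and the instance binary path.
Add-Type -AssemblyName 'Microsoft.SqlServer.SqlWmiManagement'   # SQL 2008 R2 SMO WMI assembly

$instance   = 'INS02'
$port       = 1432
$dpmServers = @('10.0.0.21', '10.0.0.22')   # assumed DPM1 / DPM2 addresses
$sqlExe     = 'C:\Program Files\Microsoft SQL Server\MSSQL10_50.INS02\MSSQL\Binn\sqlservr.exe'  # assumed path
$browserRule = 'SQL Browser UDP 1434 (temporary for DPM setup)'

# 1. Disable dynamic ports and set a fixed TCP port on the IPAll entry, then
#    restart the instance service so the change takes effect.
$mc    = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer
$tcp   = $mc.ServerInstances[$instance].ServerProtocols['Tcp']
$tcp.IsEnabled = $true
$ipAll = $tcp.IPAddresses['IPAll']
$ipAll.IPAddressProperties['TcpDynamicPorts'].Value = ''      # blank = no dynamic port
$ipAll.IPAddressProperties['TcpPort'].Value         = "$port"
$tcp.Alter()
$svcName = 'MSSQL${0}' -f $instance                          # MSSQL$INS02
Restart-Service -Name $svcName

# 2. Inbound rule for the instance: bound to the service binary, the fixed
#    port, the Domain profile and the DPM servers' addresses only.
New-NetFirewallRule -DisplayName "SQL Server ($instance) TCP $port" `
    -Direction Inbound -Action Allow -Profile Domain `
    -Protocol TCP -LocalPort $port -Program $sqlExe -RemoteAddress $dpmServers | Out-Null

# 3. Temporary rule for SQL Browser, tied to the SQLBrowser service rather
#    than to any process listening on UDP 1434.
New-NetFirewallRule -DisplayName $browserRule `
    -Direction Inbound -Action Allow -Profile Domain `
    -Protocol UDP -LocalPort 1434 -Service SQLBrowser -RemoteAddress $dpmServers | Out-Null

# Run after DPM setup completes: the browser rule is no longer needed because
# DPM connects to the fixed port directly.
function Disable-TempBrowserRule {
    Disable-NetFirewallRule -DisplayName $browserRule
}

# Check: the instance process should be listening on 1432 and nothing else.
function Get-InstanceListeners {
    $svcPid = (Get-CimInstance Win32_Service -Filter "Name='$svcName'").ProcessId
    Get-NetTCPConnection -State Listen -OwningProcess $svcPid |
        Select-Object LocalAddress, LocalPort
}
Get-InstanceListeners
```

The check at the end is worth keeping around: if a later SQL setup or repair re-enables dynamic ports, the instance will come back on a different port, the firewall rule will silently stop matching, and DPM jobs will fail in a way that looks like an agent problem rather than a SQL one.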

After that, I restarted the Database Engine for INS02, and logged onto the first DPM server and launched the DPM installer.
For now, I'll just be installing DPM itself.  Clicking Data Protection Manager in the above window installs .NET framework 3.5.1 and then launches the DPM Setup Wizard.
I entered the Instance of SQL Server in the format SERVERNAME\INSTANCENAME.
Next, I entered the product key.
I'll be installing DPM to the local system drive.
I then entered a password for DPM to use for its local user accounts.
I opted not to use Microsoft update.
Opted not to join the CEIP.
After that, you get a summary of options selected.
The install completed successfully.
I then opened Computer Management and initialised the 500GB volume.
Next, I loaded the DPM console, and went into administration and add disk.  Here I added the 500GB volume to the storage pool.
I then repeated the above process to install DPM on the second DPM server.  I'll cover additional configuration and agent deployment in a subsequent post.