Wednesday, 1 August 2012

Configuring Data Protection Manager

With DPM now installed, the next task is to look at the additional configuration options and setting up backup jobs.  I first created an Active Directory user account to be used by DPM for notifications.  The advantage of using a dedicated account for this rather then re-using say the SCOM account that is used for notifications allows easier management of alerts for recipients. (Such as setting rules to move SCOM alerts to one folder and DPM alerts to another folder).
As it's also generally a bad idea to have emails going out that don't have a valid return address, I gave the user a Mailbox.  Back in DPM I went into options, and configured the SMTP server and authentication details.
I then did a send test email and verified the test email showed up in OWA.
I then enabled email alerts for warnings and critical errors.
I then logged onto the SCOM server and imported the DPM 2012 Management packs.  These don't appear to be in the online catalogue - I had to add them from the DPM install media.
These imported successfully
I then ran Discovery in SCOM which picked up the two DPM servers.
Agent deployment completed successfully.
Next, back on the first DPM server (I'll be using DPM1 for Exchange backups), I added the Exchange 2003 Back-End and Front-End, in the agent deployment wizard.
I entered the administrator credentials to be used to install the agents.
I set the wizard not to automatically restart the machines if required, once the agent had been installed.
After that, a summary is presented.
The install succeeded.
The computers showed up in the console with reboot pending status.
I logged onto each of the Exchange Servers, and whilst on there took the opportunity to apply the hotfix from MS kb940349 which is an update rollup for a number of VSS issues. Two reboots later I had two healthy agents.
I then switched to the protection screen and clicked to create a new protection group.
I'll be backing up servers.
For this protection group, I'll be protecting Exchange Databases.   There's no data in the database on the Front-End, so I'll ignore that, but I added both Storage Groups from the Back-End.
I entered a name for the protection group, and selected short term protection on disk.
For now I left the option to use eseutil to verify enabled.  I'll keep a close eye on how DPM impacts other components on this same disk, and if I do see issues arising may look at disabling it.  Having this option enabled requires copying of ese.dll and eseutil.exe from the Exchange 2007 install media (seeing as this DPM server is x64)  to the DPM server.
I set a retention range of 7 days and configured synchronisations on an hourly basis.  I left express full at the default of 20:00 daily.
I modified the disk allocation, giving 20GB to the replica volume for each storage group, and 10GB for the Recovery Point volumes.  The data size isn't zero because of the earlier pass with LoadGen.  I could have blown away and recreated the edb and stm files (seeing as there is no valid data in them), but decided to keep them as backing up some data is a better test of DPM than backing up a couple of empty 2MB files.
I disabled the option to automatically grow the volumes.  This should be manageable for the small number of databases in this environment, even after I add additional Exchange servers, although I have found having it disabled in environments with large numbers of databases, can lead to a lot of administrative overhead and failed jobs, unless you can afford to massively over provision disk space.
I set it to create the replica immediately.
I allowed DPM to kick off a consistency check automatically if a replica becomes inconsistent.
After that, a summary is displayed.
The configuration tasks completed successfully.
The protection group then shows up in the main console with replica creation in progress shown for each storage group.
An hour and a half later, I have a pair of healthy replicas.
Next, on the same DPM server, I configured System State backups for both Exchange servers.
I won't go over the options I selected in too much detail as I've already done one set of screenshots for the Exchange Database protection group, aside from mentioning the fact that I went for 7 day protection and backups at 20:00 again.
This protection group created quite quickly.
Next, I logged onto the second DPM server, and repeated the configuration changes I made above in the options window.  After that, I went to agent deployment, and added all servers aside from the two Exchange servers, and the other DPM server.
Agent install succeeded for the single Windows 2003 server, but failed for all the Windows 2008 servers.  This was down to the Windows Firewall not being configured to allow the DPM agent to receive inbound connections.  The two options here are generally either install the agent manually, or temporarily disable the firewall, but both of these are rather unsatisfactory.  So I decided to go the route of adding the required firewall rules via GPO.  In group policy there is the option to merge any rules defined with rules already configured on each local machine, which is the route I have decided to take, meaning I don't have to worry about copying all the default rules into the GPO, nor worry about any individual rules that may have been created on a per server basis when certain software was installed.  I logged onto one of the DC's and decided to first manually install the DPM Agent to this one server take a look at the agent install path and what ports I will need to allow.  The agent installer can be found at \\DPMSERVER\c$\Program Files\Microsoft System Center 2012 \DPM\DPM\ProtectionAgents\RA\4.0.1908.0\amd64.
Before the manually installed agent will be able to start, you need to set the DPM server, this can be done via the SetDPMServer.exe command line tool in the Program Files\Microsoft Data Protection Manager\DPM\bin directory.

Lets take a look at the firewall rules that were created as part of that step.
These are the two I am really interested in, the other two were already effectively enabled by other default rules.  There's one tweak relevant to my environment that I will make to those, and that is limiting the remote addresses to 10.0.0.0/24.

I loaded Group Policy management, created a new GPO named DPM Firewall Rule GPO and navigated to the inbound rules section.
Here, I replicated the two rules that had been created earlier.
I then went into properties in the Windows Firewall with Advanced Security node, and into customise, and under rule merging set Apply local connection security rules to Yes. (Not configured will result in merging by default, it's just nice to have that additional bit of confidence that all existing rules won't suddenly disappear).
I linked the GPO to the root of the domain and configured it to apply to Domain Computers and Domain Controllers.
After running a GPUPDATE /Force, I re-attempted to deploy the agent to one server as a test. It still failed. Taking a closer look through the event logs, I could see the DPMAC service was being installed, but whereas with a manual install the agent was placed in Program Files, with automated deployment, the agent was being placed in the Windows directory.
So I went back to Group Policy, added a new firewall rule with the Windows path instead of the Program Files path, (I kept the rule for the program files location in there, that way manually installed agents will have an exception applied by group policy too).  The full windows location I entered was %systemroot%\Microsoft Data Protection Manager\DPM\ProtectionAgents\AC\4.0.1908.0\DPMAC.exe.

So the final three rules I ended up with were as in the screenshot below.
With those three rules applied Agent deployment succeeded for one server I added as a test.
I repeated the process for the remaining servers and the final result was all desired machines having the Protection Agent installed.
I then created three protection groups. I won't go into the details of creating them, I just split them between 2003/2008 System Protection, and SQL protection.
Next up, I'll be looking at the central console.