Continuous Protection With Microsoft's DPM 2007
Microsoft’s Data Protection Manager (DPM) 2007 is a next generation backup and restore solution that protects Microsoft file and application servers, focusing on block-level continuous data replication to disk for fast recovery, and tape storage for long-term archiving. With comprehensive functionality and reliability, coupled with unusual simplicity in configuration and operation, DPM simplifies IT operations with a streamlined restore procedure for stress-free recovery in the event of a disaster.
Installing DPM 2007
In comparison with other Microsoft server products, Data Protection Manager is easy to install on Windows Server 2008. With the exception of the Single Instance Storage (SIS) component, all prerequisite software is included and installed as part of setup. Because DPM must run on a dedicated machine, there are no other services or applications that might break, allowing the setup procedure to do all the heavy lifting.
DPM can be installed on Windows Server 2003 or 2008 and requires a minimum of 2 gigabytes of RAM. Both 32- and 64-bit architectures are supported. Storage for replicated data can be provided by direct attached storage (DAS) or a storage area network (iSCSI or Fibre Channel), but USB and firewire disks are not supported. Tape drives and libraries must be physically attached to the DPM server. Microsoft provides a handy spreadsheet for estimating the amount of storage required, but currently only estimates the space needed to replicate Exchange workloads.
In addition to licensing the DPM server, each device that needs to be protected requires a management license: either standard or enterprise. Standard management licenses are for protecting file servers and system state data. An enterprise management license is required for everything else, including the DPM System Recovery Tool (SRT), which provisions bare-metal recovery to similar hardware and is provided as a separate download.
Add Disks to the DPM Storage Pool
While not compulsory, DPM is better able to manage storage if disks are added to the storage pool. You should note that DPM cannot use space that is assigned to volumes using Windows Disk Management on disks that are part of the storage pool. Let’s add a disk that’s directly attached to the DPM server to the storage pool:
- Log on to the DPM server and open the DPM 2007 Administrator Console from the Start menu.
- Select the Management tab, then Disks.
- Click Add in the Actions pane.
- Disks that DPM is able to add to the storage pool will be shown in the dialog. Select the disks you want to add under Available disks, click Add and then OK.
- If the selected disks are basic, you will be warned that DPM will convert them to dynamic. Click Yes to continue.
Your disk(s) should now appear as part of the storage pool in the Disks tab (Figure 1).
Installing Server Agents
Unlike some other backup solutions, one agent covers all workloads that DPM is capable of protecting. In principle, DPM agents can be push-installed using the administrator console, but the recommended method is to manually install the agent on servers that DPM will protect or use Group Policy software distribution. When you install the agent manually on a server, it will make the necessary changes to Windows Firewall to allow communication with the DPM server. On a server that you want DPM to protect:
- Log on with an account that has local administrative privileges.
- Map a network drive to the DPM server and open a command prompt in the \Program Files\Microsoft DPM \DPM\Agents\RA\2.0.5820.0 directory on the remote DPM server. Open the amd64 or i386 folder, depending on the architecture of your server hardware.
- Run the following command: DPMAgentInstaller_AMD64.exe <DPM server name>, where <DPM server name> is the fully qualified domain name (FQDN) of your DPM server. The command might look something like this:
For i386 architectures, note that the executable is DPMAgentInstaller.exe.
To connect the DPM agent and server, we need to run a PowerShell script on the DPM server:
- Open the DPM Management Shell from the Start menu.
- Run the following command: .\Attach-ProductionServer.ps1 <Server> <Agent>, where <Server> is the FQDN of the DPM server and <Agent> the FQDN of the server where the DPM agent that you want to connect is installed. The command might look something like this:
.\Attach-ProductionServer.ps1 dpm2007.ad.contoso.com sccm.ad.contoso.com
Creating a Protection Group
Protection Groups allow you to collect data sources protected by DPM, such as SQL databases, and assign shared protection configuration. For instance, one Protection Group might contain all databases that need continuous protection, while another group contains file shares that are backed up daily. Let’s create our first Protection Group:
- In the DPM 2007 Administrator Console, select the Protection tab and then select Create protection group in the Actions pane.
- Click Next past the welcome screen.
- The Select Group Members dialog (Figure 2) will show objects available for protection on all servers in your Active Directory (AD) forest where the DPM agent has been installed. Select the objects that you want to protect under Available members and click Next.
- Give the Protection Group a name; check I want short-term protection using Disk and click Next.
- Click Next to accept the default settings in the Specify Short-Term Goals dialog (Figure 3).
- Assuming you have adequate disk space in the storage pool, no changes should be necessary in the disk allocation dialog. Click Next to continue.
- Click Next in the Choose Replica Creation Method dialog and then Create Group to complete the procedure. DPM will now create the first replica. Click Close when the replicas have been created successfully.
Figure 4 shows the administrator console Protection tab after all replicas have been successfully created.
Users can restore files from DPM recovery points without intervention from the help desk. This functionality is not enabled by default, it requires the Active Directory schema to be extended, and pre-Vista clients must have the Shadow Copy Client software installed.
Because of security changes in Windows Server 2008, extending the AD schema to support DPM End-user Recovery with the administrator console fails, so I advise using the following method, which works with Windows Server 2003 and 2008 domains:
- Log on to the DPM server with an account that has Domain Admin and Enterprise Admin privileges.
- Double click DPMADSchemaExtension.exe in the \Program Files\Microsoft DPM \DPM \End User Recovery directory.
- Click Yes to configure Active Directory in the first dialog.
- Enter the DPM server name and click OK.
- Enter the FQDN of your AD domain and click OK.
- It’s important to leave the Enter Protected Computer Domain Name dialog empty if your DPM server and domain controller that hosts the schema master role are in the same domain. If not, you should enter the FQDN of the domain that contains servers protected by DPM and click OK.
- Click OK in the dialog asking you to wait a few minutes. You will be prompted again when the update process is successfully completed.
Now that the AD schema has been updated, open the DPM 2007 Administrator Console from the Start menu:
- Select the Management tab and then Options in the Actions pane.
- Select the End-user Recovery tab in the Options dialog, check Enable end-user recovery and click OK.
Users will now be able to see previous versions of files provided by DPM recovery points by right clicking a file in Windows Explorer, selecting Properties from the menu and then the Previous Versions tab.
The restore process is simple and reliable, and provides almost zero data loss for applications such as Exchange and SQL by restoring to the last recovery point and then replaying transaction logs to bring databases up to date. DPM simplifies complicated recovery procedures with wizards, providing options for different recovery scenarios. In this example, we’ll restore a file to get a feel for the recovery process:
- In the DPM 2007 Administrator Console, select the Recover tab and then click Search.
- To quickly locate the file to be restored, specify the UNC path of the file share under Location and the file name under Folder or file name and click Search.
- Four versions of the file are found from different recovery points. Select the most recent and click Recover in the Actions pane (Figure 5).
- Click Next in the review dialog. Let’s recover to the original location and click Next.
- Accept the default recovery options by clicking Next again.
- Click Recovery in the summary dialog and then close the Recovery Wizard.
DPM 2007 Overview
Troubleshooting Incompatible Filter Driver Errors
Microsoft Knowledge Base article containing information about how to configure IIS after applying SQL 2005 service pack 2. See Problem 2 at the bottom of the article.
DPM 2007 falls short of receiving full marks, as there are some scenarios during configuration where simple guidance is omitted, such as a warning when adding disks that contain volumes to a storage pool. Other minor annoyances are that applying SQL 2005 Service Pack 2 breaks reporting in DPM, incompatible filter drivers on protected servers might cause replica synchronization to fail, and extending the AD schema to support End- User Recovery in the administrator console fails for Windows Server 2008 domains. However, once these problems are resolved, DPM proves to be a reliable product.
Monitoring and alerting capabilities are comprehensive, and while the built-in reports are limited, custom reports can be created with the help of the included SQL views. An additional bonus for some organizations may be that DPM 2007 SP1 supports integration with offsite backup provider Iron Mountain.
When faced with the prospect of restoring a complex application server, such as Exchange 2007, you want to be sure that your backup software will provide a simple, intuitive and reliable solution, increasing the chances of a quick and successful restore. DPM provides a refreshing change from complicated and error-prone backup solutions, but its biggest disadvantage is lack of support for non-Microsoft products.
- Block-level continuous disk replication to directly attached disks or storage area networks
- Tape media for long-term encrypted backups
- Uses Windows native Volume Shadow Copy Service (VSS) technology to back up Exchange (2003 SP2 and later), SQL (2004 and later), SharePoint Server, Windows SharePoint Services (WSS), Hyper-V, Virtual Server 2005 (R2 SP1), file servers, Windows Server system state and files on XP/Vista
- Restore Exchange storage groups, mailbox databases and individual mailboxes
- Remote backup (DPM to DPM server)
- Supports servers where Single Instance Storage (SIS) is enabled