Channel: System Center Data Protection Manager

KB: Unable to protect SQL DB from System Center Data Protection Manager 2010


Here’s a new Knowledge Base article we published today. This one tells you how to fix an issue where you get error 3055 when trying to create a protection group for a SQL database in DPM 2007 or DPM 2010:

=====

Symptoms

While trying to create a protection group for a SQL database in System Center Data Protection Manager 2007 or System Center Data Protection Manager 2010, you may receive the following error:
DPM is unable to enumerate SqlServerWriter on computer ServerHostName.FQDN.COM (ID: 3055)

Cause

This problem occurs when the following conditions are true:

- The SQL server is in an untrusted domain or a workgroup.

- The SQL database is configured with mirroring.

- You are trying to protect a mirrored SQL database on the principal server.

Resolution

Protection of a mirrored SQL database in untrusted domains or workgroups, and even protection of a mirrored SQL database on a principal server, is not supported by System Center Data Protection Manager 2007 or System Center Data Protection Manager 2010. For more supportability information about SQL protection, please see the following:

Managing Protected Computers in Workgroups and Untrusted Domains : http://technet.microsoft.com/en-us/library/ff634170.aspx

=====

For the most current version of this article please see the following:

2691955 : Unable to protect SQL DB from System Center Data Protection Manager 2010

J.C. Hornbeck | System Center & Security Knowledge Engineer


App-V Team blog: http://blogs.technet.com/appv/
ConfigMgr Support Team blog: http://blogs.technet.com/configurationmgr/
DPM Team blog: http://blogs.technet.com/dpm/
MED-V Team blog: http://blogs.technet.com/medv/
Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
Operations Manager Team blog: http://blogs.technet.com/momteam/
SCVMM Team blog: http://blogs.technet.com/scvmm
Server App-V Team blog: http://blogs.technet.com/b/serverappv
Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center Essentials Team blog: http://blogs.technet.com/b/systemcenteressentials
WSUS Support Team blog: http://blogs.technet.com/sus/

The Forefront Server Protection blog: http://blogs.technet.com/b/fss/
The Forefront Endpoint Security blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/


Sign Up for Microsoft Management Summit (MMS) 2012 Focus Groups


The Microsoft Management Summit 2012 is only three weeks away!!  We can’t wait to see you all there.

We will be running a series of focus groups at MMS to gather feedback from you on current and future versions of System Center. Participating in a focus group is a great way to directly help shape the future of System Center and to directly engage with some of the engineering team members.

These are the focus group titles, abstracts, and schedule:

(FG001) Windows Server and System Center futures – what comes next in IT management

Focus group participants will see story boards and concepts describing a vision our long term planning team has assembled to guide the direction and investment for the version of Windows and System Center *after* Windows Server 8. Ideal participants for the focus group have already had experience or briefings on Windows Server 8 and System Center 2012.

Tuesday, April 17, 2012: 11:45am - 1:00pm

Wednesday, April 18: 11:45am - 1:00pm

(FG002) Taking IT Application Management to the Public Cloud as a Management Service

Are you an IT admin managing applications or leveraging cloud services? Maybe you’re already taking advantage of (or thinking about) SaaS based management solutions to increase your agility, reduce costs and save you the burden of setting up and managing IT infrastructure. We would like to sit down and explore your needs, insights, and opinions on this rapidly accelerating paradigm.

Tuesday, April 17, 2012: 2:15pm - 3:30pm

Wednesday, April 18, 2012: 2:15pm - 3:30pm

 

If you would like to sign up for a focus group, please log into the MMS site using your credentials and you will see a link on the left hand navigation bar to sign up for the focus groups.

Restoring Exchange 2010 Mailbox Databases to RDB using System Center Data Protection Manager


Hi everyone, Andy Nadarewistsch here. While the restore process for System Center Data Protection Manager 2007 (DPM 2007) and System Center Data Protection Manager 2010 (DPM 2010) is the same for all versions of Exchange, the procedure on the Exchange side has gone through some changes. Detailed instructions for dealing with Exchange 2010 recovery databases can be found here.

One of the most common restore methods used in DPM is to a recovery database. Let’s do a basic step-by-step process here.

Some general information:

Changing the status of a database from active to passive or vice versa may affect the recovery process. If the database is passive, DPM cannot perform a Volume Shadow Copy Service (VSS) recovery. For further information please refer to Restoring a Database Availability Group Copy.

Recovering to the active database is the same as recovering to an Exchange Server 2010 standalone node. The Exchange Server administrator must synchronize the passive copy from the recovered active copy by running the Resume-MailboxDatabaseCopy cmdlet on the Exchange server. You can recover a database only on the node that was protected.

DPM supports the following five types of recovery for Exchange Server 2010 mailbox databases:

    • Recover the database to its original location: Overwrite the existing copy of the database.
    • Recover the database to an alternate database: Restore to another database on an Exchange Server.
    • Recover to an Exchange Recovery database: Recover to an Exchange Recovery database instead of a standard mailbox database.
    • Recover to network location: Copy the database to a network folder.
    • Copy to tape: Create an on-tape copy of the database.

As stated, this topic will look at this process in the form of restoring to an Exchange RDB and then restoring a user mailbox. The Exchange page above lists specifics of doing other broader types of recoveries.

The main prerequisite DPM administrators need to take care of is that a recovery database (RDB) has been created on one of the Exchange servers.

Step 1: Creating an Exchange RDB for restore

This is done through the Exchange Management Shell.

NOTE You can't use the Exchange Management Console to restore data using an RDB. The only way to do this with Exchange 2010 is using the Exchange Management Shell.

1. On one of the Exchange 2010 servers, open the Exchange Management Shell.

2. Once connected, run the following command:

New-MailboxDatabase -Recovery -Name %RDBName% -Server %ExchangeServerName%

RDBName will be the name of the recovery database and ExchangeServerName will be the name of the Exchange server where the RDB will be created.

You can also set the location for your RDB using the following command:

New-MailboxDatabase -Recovery -Name %RDBName% -Server %ExchangeServerName% -EdbFilePath %targetDBPath% -logFolderPath %targetlogPath%


IMPORTANT Make sure to create the RDB on an Exchange server that has the protection agent installed from the DPM server you will be restoring from, as you can only recover to servers with the agent installed.

To be sure the mailbox database was created, you can run the following command to list all of the mailbox databases in the Exchange organization (or you can pare that down using -Server %ServerName% to list only mailbox databases on a specific server):

Get-MailboxDatabase


Let’s stop for a second and take a look at what is seen on the Exchange server side.

Open the Exchange Management Console > Organization Configuration > Mailbox. If it’s already open, click Refresh. The first thing to notice is that, by default, the RDB is dismounted and is set to allow itself to be overwritten by a restore.


Right-click the RDB and select Properties. The General tab should show “Dismounted”, and on the Maintenance tab “This database can be overwritten by a restore” will be checked.


There are some restrictions of an RDB due to its purpose. If these are not adhered to, it could cause problems restoring from DPM. Some examples are:

    • An RDB is created by using the Exchange Management Shell
    • An Exchange 2010 server supports only one Recovery Database mounted at a time
    • An RDB is used for recovering mailbox database data only. RDB can’t be used to recover public folder data
    • You can't create mailbox database copies of an RDB
    • An RDB can be used as a target for restore operations, but not backup operations

For a complete list of restrictions, see Recovery Databases.

Step 2: Doing Restore through the DPM console

1. Once the creation of the recovery mailbox database has been confirmed, open the DPM console and navigate to the Recovery tab.

2. Find the mailbox database with the user’s mailbox you wish to recover and then find the user and the point in time you wish to recover.  With the user highlighted, in the Actions menu on the right, click Recover.

3. You will be presented with a Recovery Wizard which will have you confirm the information that you have chosen to restore.  Confirm the user mailbox and time/date stamp for the recovered items and click Next.

4. On the Select recovery type page, there are three types of recovery that can be chosen:

a. Recover mailbox to an Exchange server database:

Use this option when restoring to an Exchange server where a recovery database mailbox has been set up.  This will allow Exchange administrators to recover information from it.

b. Copy to a network folder:

This will make the database and its log files available to an Exchange administrator for advanced recovery options if so requested.

c. Copy to tape:

This copies the files to a tape to allow you to move the files to an alternate location for recovery.  This will be disabled if there is no tape drive/libraries or there are not enough tape drives.


For our example, we will choose the first option and click Next.

5. The Specify Destination screen will now prompt you for the Exchange server and database name.  The server will need to be one that has the DPM agent installed from this DPM server.  The Exchange server and database name will be the ones specified in Step 2 above.  Once confirmed, click Next.


6. For the Specify Recovery Options page, you can select to mount the database after it’s recovered among other settings. Verify you have the selections you want and click Next.

7. For the Summary page, review the selections you have made to make sure everything is correct.

8. Once the restore has completed on the DPM server, the Exchange administrators can do the restore of the mailbox from the Exchange Management Shell.

9. To restore, use the following command:

Restore-Mailbox -Identity %Username% -RecoveryDatabase %RDBName%

Username will be the email username of the user mailbox being recovered and RDBName will be the name of the recovery database (from Step 2 above).


If we had looked at the Exchange RDB before we did the restore, the following items would be noticed: the RDB would have been mounted and the “This database can be overwritten by a restore” box unchecked.


Remember: only one RDB can be mounted at a time, and the overwrite flag must be set to do a restore. If I tried to do a recovery to the same RDB, I would receive an error.


If I tried to recover to another RDB2 while RDB1 was mounted, I would also get an error.


After the failure, the Exchange RDB2 will go into a dismounted state.

To get back to square one just right-click > dismount for all RDBs and ensure the flag for “This database can be overwritten by a restore” is checked.

NOTE You can also dismount an RDB from the Exchange Management Shell:

Dismount-Database %RDBName%
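As an added example (not from the original post), the following Exchange Management Shell script runs the pre-flight checks this walkthrough stresses (only one RDB mounted at a time, overwrite flag set) before the DPM restore, then performs the mailbox restore from Step 2. The values in its param block are placeholders you supply.

```powershell
# Added example, not from the original post. Run from the Exchange Management
# Shell on an Exchange 2010 server that has the DPM protection agent installed.
param(
    [string]$RdbName    = 'RDB1',              # placeholder: recovery database name
    [string]$ServerName = 'EXCH01',            # placeholder: Exchange server with the DPM agent
    [string]$EdbPath    = 'E:\RDB1\RDB1.edb',  # placeholder: RDB file location
    [string]$LogPath    = 'E:\RDB1\Logs',      # placeholder: RDB log folder
    [string]$UserAlias  = 'jdoe'               # placeholder: mailbox to recover
)

# 1. Create the recovery database if it does not already exist (Step 1).
$existing = Get-MailboxDatabase -Server $ServerName | Where-Object { $_.Name -eq $RdbName }
if (-not $existing) {
    New-MailboxDatabase -Recovery -Name $RdbName -Server $ServerName `
        -EdbFilePath $EdbPath -LogFolderPath $LogPath | Out-Null
    Write-Host "Created recovery database '$RdbName' on $ServerName"
}

# 2. Exchange 2010 allows only one RDB mounted at a time, so dismount every
#    mounted RDB on this server before DPM writes into the target.
$mountedRdbs = Get-MailboxDatabase -Server $ServerName -Status |
    Where-Object { $_.Recovery -and $_.Mounted }
foreach ($db in $mountedRdbs) {
    Write-Warning "Dismounting recovery database '$($db.Name)'"
    Dismount-Database -Identity $db.Identity -Confirm:$false
}

# 3. The target RDB must carry the "This database can be overwritten by a
#    restore" flag (AllowFileRestore), or the DPM recovery job fails.
$target = Get-MailboxDatabase -Identity $RdbName -Status
if (-not $target.AllowFileRestore) {
    Set-MailboxDatabase -Identity $RdbName -AllowFileRestore $true
    Write-Host "Enabled 'can be overwritten by a restore' on '$RdbName'"
}

Write-Host "'$RdbName' is dismounted and overwritable. Run the DPM Recovery Wizard now."
Read-Host 'Press Enter once the DPM restore job has completed'

# 4. Restore-Mailbox needs the RDB mounted; DPM mounts it if you chose that
#    option in the wizard, otherwise mount it here.
if (-not (Get-MailboxDatabase -Identity $RdbName -Status).Mounted) {
    Mount-Database -Identity $RdbName
}

# 5. Pull the user's data from the RDB back into the live mailbox (Step 2).
Restore-Mailbox -Identity $UserAlias -RecoveryDatabase $RdbName -Confirm:$false
```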

Here are some additional resources on the subject:

Recovery Databases - http://technet.microsoft.com/en-us/library/dd876954.aspx

Restore Data Using a Recovery Database - http://technet.microsoft.com/en-us/library/ee332351.aspx

Restore to a Recovery Database - http://msdn.microsoft.com/en-us/library/aa579367(v=exchg.140).aspx

Exchange VSS Writers - http://msdn.microsoft.com/en-us/library/bb204080.aspx

Exchange Management Console - http://technet.microsoft.com/en-us/library/bb123762.aspx

Dismount a Database - http://technet.microsoft.com/en-us/library/bb123903.aspx

Exchange 2010 Cmdlets - http://technet.microsoft.com/en-us/library/bb124413.aspx

Good luck on all your recoveries!

Andy Nadarewistsch | Senior Support Escalation Engineer


System Center Data Protection Manager SharePoint Catalog Task fails with Unknown error (0x8013151a)


Here’s a new Knowledge Base article we published today. This one walks you through fixing an issue where a DPM SharePoint Catalog Task fails with Unknown error (0x8013151a):

=====

Symptoms

Symptom 1: While attempting to protect a SharePoint 2010 farm with System Center Data Protection Manager 2010 (DPM) you get the following error:

Backup Metadata enumeration failed

Symptom 2: After successfully protecting SharePoint 2010 with System Center Data Protection Manager 2010, after a period of time the SharePoint catalog task fails with the following error and alerts:

Type: SharePoint Catalog Task
Status: Failed
Description: DPM Agent on the SharePoint front-end Web server sp10.corp.local is not configured appropriately. DPM was unable to invoke WssCmdletWrapper DCOM component successfully. (ID 32019 Details: Unknown error (0x8013151a) (0x8013151A))
More information
End time:
Start time:
Time elapsed: 00:00:02
Data transferred: 0 MB (0 bytes)
Source details: name.corp.local
Target details: name.corp.local
Cluster node -

Where ErrorCode: 0x8013151A (-2146233062): COR_E_MEMBERACCESS: Access to this member is denied.

Affected area: Sharepoint Farm\SP10\SharePoint_Config
Occurred since:
Description: DPM could not obtain backup metadata information for SharePoint Farm Sharepoint Farm\SP10\SharePoint_Config on name.corp.local. If the data source is a SharePoint farm then a valid recovery point has been created. However, content databases from this recovery point can be recovered using the alternate location option only. (ID 3134)
More information
Recommended action:
If the data source is a SharePoint farm, then
1) Ensure that "ConfigureSharePoint.exe -EnabledSharePointProtection" has been run on the front-end web server with the current SharePoint farm administrator credentials.
2)Ensure that the SharePoint VSS writer is running on the front-end web server.
Resolution: DPM automatically changes this alert's status to inactive 10 days after it is issued. To dismiss the alert, click below
Inactivate alert

Affected area: Sharepoint Farm\SP10\SharePoint_Config
Occurred since:
Description: DPM failed to gather item level catalog for 3 database(s) of the SharePoint Farm Sharepoint Farm\SP10\SharePoint_Config on name.corp.local. Some of the recovery points for these databases in the farm would be associated with an earlier successful catalog. (ID 3133)
More information
Recommended action:
To re-run the catalog job manually for the farm, run Start-CreateCatalog command in PowerShell.
Resolution: DPM automatically changes this alert's status to inactive 10 days after it is issued. To dismiss the alert, click below
Inactivate alert

If you look in the C:\Program Files\Microsoft Data Protection Manager\DPM\Temp\WSSCMDLETSWRAPPERCURR.ERRLOG on the SharePoint web front end server, the only details after each SharePoint catalog task failure are these three lines.

1278 0C14 05/21 15:53:40.611 31 wsscmdletswrapperfactory.cpp(235) ACTIVITY Principal name HOST/SP10.corp.local@corp.local
1278 0774 05/21 15:53:41.994 31 wsscmdletswrapper.cpp(143) [00000000001DFA50] WARNING CoCreateInstance failed for CLSID_CWSS3Cmdlets : {40B0FC9C-A853-3F52-B677-A81B2D0F17AE}
1278 0774 05/21 15:53:41.995 31 wsscmdletswrapper.cpp(144) [00000000001DFA50] WARNING Failed: Hr: = [0x8013151a] : F: lVal : hr

If you attempt to re-run ConfigureSharePoint.exe -EnableSharePointProtection on the web front end server, it also fails with the error below:

C:\Program Files\Microsoft Data Protection Manager\DPM\bin>configuresharepoint -enablesharepointprotection
Enter the user name for 'WSSCmdletsWrapper': domain\usernamer
Enter the password for WSSCmdletsWrapper:

Unhandled Exception: System.MissingMethodException: Method not found: 'Void Microsoft.Sharepoint.SPRequestManager.Dispose()' .
at Microsoft.SharePoint.StsAdmin.SPStsAdmin.Main(String[] args)
An error occured while trying to start the sharepoint vss writer

Cause

The SharePoint 2010 front end server has the following registry key present:

HKLM\Software\Microsoft\Shared Tools\Web Server Extensions\12.0

DPM interprets the presence of that key as indicating that SharePoint 3.0 is installed on the server, and therefore uses different logic to call into the SharePoint DCOM components, attempting to load different or non-existent .dll files.

Resolution

This issue is fixed in the following DPM 2010 rollup fix:

2615782 - A hotfix that enables interoperability with Microsoft System Center Data Protection Manager 2012 RC is available for System Center Data Protection Manager 2010 (http://support.microsoft.com/default.aspx?scid=kb;EN-US;2615782).
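As an added example that is not part of the KB article, the following PowerShell script checks a SharePoint 2010 web front end for the two indicators above: the 12.0 registry key named under Cause, and entries carrying HRESULT 0x8013151a in WSSCMDLETSWRAPPERCURR.ERRLOG. The paths are the ones the article names; the log line field layout is an assumption inferred from the three lines quoted above.

```powershell
# Added example, not from the KB article: triage a SharePoint 2010 web front
# end for the 0x8013151a catalog failure. Run on the front end server.
$ErrLog = 'C:\Program Files\Microsoft Data Protection Manager\DPM\Temp\WSSCMDLETSWRAPPERCURR.ERRLOG'
$Key12  = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\12.0'

$findings = @()

# 1. Registry: the 12.0 key is what makes the DPM 2010 agent take its
#    SharePoint 3.0 code path on this server.
if (Test-Path $Key12) {
    $findings += "Registry key '$Key12' is present; an unpatched DPM 2010 agent will treat this server as SharePoint 3.0 (see KB2615782)."
}

# 2. Log: parse the wrapper error log and pull out entries carrying
#    HRESULT 0x8013151a (COR_E_MEMBERACCESS). Field layout (assumed from the
#    quoted lines): <pid> <tid> <MM/dd> <HH:mm:ss.fff> <n> <file(line)> [<ptr>] <LEVEL> <message>
$linePattern = '^(?<pid>\w+)\s+(?<tid>\w+)\s+(?<date>\d\d/\d\d)\s+(?<time>[\d:.]+)\s+\d+\s+(?<src>\S+\(\d+\))\s+(?:\[[0-9A-Fa-f]+\]\s+)?(?<level>[A-Z]+)\s+(?<msg>.*)$'

if (Test-Path $ErrLog) {
    $lines = Get-Content $ErrLog
} else {
    # Constructed fallback so the parser can be exercised on a machine without
    # the agent: the three lines quoted in the article.
    Write-Warning "$ErrLog not found; using the sample lines from the article"
    $lines = @(
        '1278 0C14 05/21 15:53:40.611 31 wsscmdletswrapperfactory.cpp(235) ACTIVITY Principal name HOST/SP10.corp.local@corp.local',
        '1278 0774 05/21 15:53:41.994 31 wsscmdletswrapper.cpp(143) [00000000001DFA50] WARNING CoCreateInstance failed for CLSID_CWSS3Cmdlets : {40B0FC9C-A853-3F52-B677-A81B2D0F17AE}',
        '1278 0774 05/21 15:53:41.995 31 wsscmdletswrapper.cpp(144) [00000000001DFA50] WARNING Failed: Hr: = [0x8013151a] : F: lVal : hr'
    )
}

$hits = @($lines | ForEach-Object {
    if ($_ -match $linePattern) {
        $m = $Matches
        # -like does not reset $Matches, unlike a second -match
        if ($m['msg'] -like '*0x8013151a*') {
            New-Object PSObject -Property @{
                Date = $m['date']; Time = $m['time']; Source = $m['src']; Message = $m['msg']
            }
        }
    }
})
if ($hits.Count -gt 0) {
    $last = $hits[$hits.Count - 1]
    $findings += "$($hits.Count) log entries with HRESULT 0x8013151a; latest at $($last.Date) $($last.Time) from $($last.Source)."
}

if ($findings.Count -eq 0) {
    Write-Host 'No indicators of the 0x8013151a catalog failure found.'
} else {
    Write-Host 'Findings:'
    $findings | ForEach-Object { Write-Host "  - $_" }
    Write-Host 'Apply the DPM 2010 hotfix from KB2615782, then re-run ConfigureSharePoint.exe -EnableSharePointProtection and Start-CreateCatalog.'
}
```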

=====

For the most current version of this article please see the following:

2182903 : System Center Data Protection Manager SharePoint Catalog Task fails with Unknown error (0x8013151a)

J.C. Hornbeck | System Center & Security Knowledge Engineer


How to use certificates to authenticate computers in workgroups or untrusted domains with Data Protection Manager



System Center Data Protection Manager 2010 supports protection of computers in workgroups and untrusted domains using local accounts and NTLM; however, in scenarios where an organization does not allow the creation of local accounts, this solution does not work.

System Center 2012 Data Protection Manager (DPM) now allows you to use certificates to authenticate computers in workgroups or untrusted domains. DPM supports the following data sources for certificate-based authentication when they are not in trusted domains:

  • SQL Server
  • File server
  • Hyper-V

DPM also supports these data sources in clustered deployments.

The following data sources are not supported:

  • Exchange Server
  • Client computers
  • SharePoint Server
  • Bare Metal Recovery
  • System State
  • End user recovery of file and SQL
  • Protection between a Primary DPM server and Secondary DPM server using certs. The Primary DPM server and Secondary DPM server need to be in the same domain or mutually trusted domain. Certificate based authentication between a Primary and Secondary DPM servers is not supported.

The purpose of this article is to provide you with a walkthrough of setting up System Center 2012 Data Protection Manager and a protected server with certificate authentication. This process will cover four phases:

  1. Obtaining and configuring a cert for the DPM server
  2. Obtaining and configuring a cert for the protected server
  3. Running the setdpmserver command on the protected server
  4. Running the attach command on the DPM server

We are operating under the following assumptions:

1. An existing Certificate Authority (CA) and Certificate Revocation List (CRL) are already installed, online and the proper template is configured for web enrollment. See Appendix A for the steps used to create a template and enable it for web enrollment. You can request a certificate in many ways, such as using the MMC if the template is Enrolled, or via Autoenroll with Active Directory. Information on configuring the template for Enrollment or Autoenrollment can be found in Appendix B.

2. DPM is installed, healthy and functioning in the domain.

First we will have to generate a certificate with the following parameters:

  • X.509 V3 certificate
  • Enhanced Key Usage should have client authentication and server authentication
  • Key length should be at least 1024 bits
  • Key type should be exchange
  • Certificate can NOT be self-signed
  • Subject name of the certificate and root certificate should not be empty
  • Certificates shouldn’t be of Cryptography API Next Generation (CNG) Keys. DPM doesn’t support certificates with CNG Keys
  • The revocation servers of the associated Certificate Authorities are online and accessible by both the protected server and DPM server
  • The certificate has an associated private key

These options for the template are configured on the CA for us to be able to request them.

Phase 1: Install a certificate on the DPM server

In this phase, we will request a certificate from a Certificate Authority. Once complete, the default location where the certificate is kept is the User store. This is important to note, as we will need to export this certificate from the User store to the Local Computer store for us to use it. In the example provided below, we will request the certificate via web enrollment.

1. We request a certificate from a CA.

2. Select “advanced certificate request”.

3. Select “Create and Submit a request to this CA”.

4. A certificate template has already been created with the following parameters as mentioned above. In this case the template name is DPM Authentication. The highlighted areas below will need to be completed.

Certificate Template: Created on the CA for us to choose for web enrollment.
Name: You must specify a name. Any descriptive name will do.
Key size: This selection must be at least 1024 or higher.
Mark Key as exportable: This must be selected.
Friendly Name: You must specify a name. Any descriptive name will do.

5. Select “Install this certificate”.

6. As mentioned, the certificate is placed in the User store and we need to export it and import it into the Local Computer Personal store. So let’s go ahead and add the MMC snap-in for both stores.

Verify that the certificate is in the User store. Here we see the User personal store has the certificate.

7. Move the installed certificate from the User store to the Local Computer store. This involves exporting the certificate from the User store and importing the certificate into the Local Computer store.

Exporting the certificate

Right-click the certificate and select “all tasks” then “export”. The Export wizard will start, select “next”. Select “Yes, export the private key”, then “next”.

In the next screen accept the defaults and then select “next”.

Supply a password then select “next”.

On the next screen you will have to give the exported certificate a file name and a location.

You will note the extension of the file is *.pfx. Select “next”.

Here you can see the export choices. Select “Finish”.

Importing the Certificate

In the Local Computer\Personal\certificate store, right-click Certificate, All Tasks and then Import.

Select “Next” on the welcome screen. The File to import screen comes up.

Browse to the location where you saved the certificate. Click the drop-down and select “All files”, or select *.pfx in order to see the certificate that you exported.

Next you will be prompted to input the password that you used to export the certificate. Make sure to select “Mark this key as exportable”.

You can select the default to “Place all certificates in the following store”.

Select “Next” and you will now see the “Completing the Certificate Import Wizard”.

8. Now that the certificate has been created and placed into the right store, we will use PowerShell to set the DPM credentials to use the certificate. Before we do that we will need to obtain the thumbprint created for this certificate. Go to the certificate in the Local Computer\Personal\certificates store. Note the certificate now imported there. Double-click on it. Select the “Details” tab and scroll down to the thumbprint. Click the thumbprint and in the bottom pane you will see the thumbprint in use. You will have to highlight the thumbprint and copy (Ctrl+c).

Paste the thumbprint into Notepad and remove the spaces, as shown. This is a very important step, as we will supply the thumbprint in our next step; any spaces present in the thumbprint will cause the command to fail.

9. We will be using the thumbprint to set the DPM credentials. The syntax will be as follows:

Set-DPMCredentials -DPMServerName DPM2012.contoso.com -Type Certificate -Action Configure -OutputFilePath C:\Temp -Thumbprint 493f27f35b2105804afbd49bb5a59bf2e380e00

NOTE The syntax above will have DPM create a *.bin file that will need to be copied to the clients we are protecting. Take note of the syntax above, specifically the c:\Temp directory. A directory needs to exist ahead of time in order for the bin file to be saved to that location. You can name the directory anything you want. In this case we created one named C:\Temp.

10. Once this is done, go to the C:\Temp directory, retrieve the bin file and copy it to the client server, into the C:\Program Files\Microsoft Data Protection Manager\DPM\bin directory. It’s not mandatory to copy the file to the bin directory; if you do not, you will need to specify the full path of the file as the value for the “-DPMcredential” parameter.
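The following PowerShell script is an added example, not code from the original post: it checks a certificate in the Local Computer\Personal store against the requirements listed at the top of this article (X.509 v3, client and server authentication EKUs, at least 1024-bit exchange key, not self-signed, non-empty subject, private key present, no CNG key, revocation servers reachable) and prints the ready-to-use Set-DPMCredentials line from step 9 with the thumbprint already free of spaces. The friendly-name lookup, the CNG detection heuristic and the server/path defaults are assumptions.

```powershell
# Added example, not from the original post. Run on the DPM server (or, for
# Phase 2, on the protected server) after importing the certificate into the
# Local Computer\Personal store. Values in the param block are placeholders.
param(
    [Parameter(Mandatory = $true)][string]$FriendlyName,  # friendly name given during enrollment
    [string]$DpmServerName  = 'DPM2012.contoso.com',       # placeholder
    [string]$OutputFilePath = 'C:\Temp'                    # must already exist
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $FriendlyName } | Select-Object -First 1
if (-not $cert) {
    throw "No certificate with friendly name '$FriendlyName' in Cert:\LocalMachine\My (was it imported into the Local Computer store?)"
}

$problems = @()

if ($cert.Version -ne 3) { $problems += "Not an X.509 v3 certificate (version $($cert.Version))" }
if ($cert.Subject -eq $cert.Issuer) { $problems += 'Certificate is self-signed' }
if ([string]::IsNullOrEmpty($cert.Subject)) { $problems += 'Subject name is empty' }
if (-not $cert.HasPrivateKey) { $problems += 'No private key is associated with the certificate' }
$keySize = $cert.PublicKey.Key.KeySize
if ($keySize -lt 1024) { $problems += "Key length $keySize is below 1024 bits" }

# Enhanced Key Usage must list both client and server authentication.
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$oids = @()
if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
if ($oids -notcontains $ServerAuthOid) { $problems += 'Enhanced Key Usage lacks Server Authentication' }
if ($oids -notcontains $ClientAuthOid) { $problems += 'Enhanced Key Usage lacks Client Authentication' }

# CNG keys: the legacy .NET PrivateKey property is $null for keys held by a
# CNG key storage provider. That is the heuristic used here (assumption).
$csp = $cert.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider]
if ($cert.HasPrivateKey -and -not $csp) {
    $problems += 'Private key is held by a CNG provider; DPM requires a legacy CSP (non-CNG) key'
} elseif ($csp -and $csp.CspKeyContainerInfo.KeyNumber -ne 'Exchange') {
    $problems += "Key type is $($csp.CspKeyContainerInfo.KeyNumber); DPM requires an Exchange key"
}

# Build the chain with online revocation checking: both the DPM server and the
# protected server must be able to reach the CA's revocation servers.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    $problems += "Chain or revocation check failed: $status"
}

if ($problems.Count -gt 0) {
    Write-Warning "Certificate '$FriendlyName' does not meet the DPM requirements:"
    $problems | ForEach-Object { Write-Warning "  - $_" }
    exit 1
}

# The Thumbprint property is already the hex string with no spaces, which is
# exactly what Set-DPMCredentials expects.
$thumb = $cert.Thumbprint
Write-Host "Certificate OK. Thumbprint: $thumb"
Write-Host "Set-DPMCredentials -DPMServerName $DpmServerName -Type Certificate -Action Configure -OutputFilePath $OutputFilePath -Thumbprint $thumb"
```

On the protected server, the same checks apply and the printed thumbprint is the value for setdpmserver's -Thumbprint parameter in Phase 3.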

Phase 2: Installing the certificate on the client

On the client we will assume that the DPM agent is already installed.

This method will be the same as it was for the DPM server and we will select the same certificate parameters as listed above. For clarity I will go over them again for the client side.

1. On the client, via web enrollment, select “request a certificate”.

2. Submit an advanced certificate request:

3. Select “Create and submit a request to this CA”.

4. During the request we specify the same certificate parameters as for the DPM server.

5. We then choose to install the certificate. Once done, we need to open up an MMC and add the certificate snap-in for both current user and local computer. Remember that by default the certificate will be installed into the current user store.

We will need to export the certificate and import it into the Local Computer personal store. You can use the steps above to export the certificate as we did for the DPM server. Make sure to choose “Yes export the private key”. Once it’s exported, please import that certificate into the Local Computer store.

Phase 3: Running the setdpmserver command on the protected computer

We will now configure the protected server to recognize the DPM server as being authorized to perform backups. The DPM agent will need to be installed on the protected server before we run the setdpmserver command. If the agent is not already installed, this can be done via the DPM installation media. From the DPM media, launch setup.exe. From the DPM launch screen, choose Install DPM Protection Agent. This will install the files needed to run SetDPMServer.

Now that we have a certificate on the client server to be protected, we will need the thumbprint from the certificate properties.

1. Open up the certificate in the computer personal store that was imported and go to the details tab.

Here we will need the thumbprint of the protected server certificate. Copy the thumbprint and paste it into Notepad. Once done, remove the spaces, as we did for the DPM server certificate.

We will have to use this output as a parameter for the setdpmserver command.

2. Open a command prompt and navigate to the C:\Program Files\Microsoft Data Protection Manager\DPM\bin directory. Here we will use the following syntax:

setdpmserver -dpmCredential CertificateConfiguration_DPM01.contoso.com.bin -OutputFilePath c:\Temp -Thumbprint <ClientThumbprintWithNoSpaces>

Successful results will be displayed in the console.

“CertificateConfiguration_DPM01.contoso.com.bin” is the name of the bin file copied from the DPM server to the client server. Just like on the DPM server, you will have to create or use an existing directory for the client to save its bin file. This bin file, once created, will be placed on the DPM server.

NOTE During the System Center 2012 Data Protection Manager beta, if you did not have the firewall turned on when running this command, it would fail with an error.

This is no longer an issue in the RTM release of System Center 2012 Data Protection Manager.

3. Go to the C:\Temp directory to retrieve the .bin file created and copy it to the DPM server. Again, you can copy this file to any location on the DPM server, but you will need to specify the full path for the “PSCredentials” parameter. By default, “Attach-ProductionServerWithCertificate.ps1” checks for the file in the Windows\System32 directory. If you copy the file to this directory, you can specify the filename instead of the full path.

Phase 4: Attach the Client from the DPM server

This is done not via the DPM agent management tab but rather by PowerShell. With the .bin file created by the client copied from the client to the DPM server, we will now open PowerShell and perform the attach. Once the .bin file from the client is saved to DPM, open up PowerShell and type the following command, then hit Enter:

Attach-ProductionServerWithCertificate.ps1

You will see the following prompting you for values:

Supply values for the following parameters:
DPMservername: DPM01
PSCredentials: CertificateConfiguration_MemberServer.bin

NOTE The PSCredentials parameter asks for the name of the bin file created by the client. Specify the full path unless you copied the bin file to the Windows\system32 directory.

IMPORTANT When running the Attach-ProductionServerWithCertificate.ps1 command, it is important that you specify the *.bin file created by the protected server. If you specify the DPM server’s own *.bin file then you will remove all of the protected servers configured for certificate based authentication.

The attach should complete with no issues and the protected server should show up in the DPM GUI.

NOTE If you do not place the file in the \system32 directory and you do not specify the full path, the script will warn you instead of attaching the server.
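Because passing the DPM server's own .bin file to Attach-ProductionServerWithCertificate.ps1 removes every certificate-authenticated protected server, it is worth wrapping the attach in a small guard. The following PowerShell is an added example, not the post's or DPM's own code. It assumes it runs on the DPM server (DPM01 in the post) with the script in the default DPM bin folder, that the client's .bin file was copied to C:\Temp, and that the two prompted values shown above (DPMservername and PSCredentials) can be supplied as named parameters of the same name; the function name Attach-DpmCertificateClient is hypothetical.

```powershell
# Added example, not code from the original post or from DPM itself.
# Assumptions: run on the DPM server; Attach-ProductionServerWithCertificate.ps1
# is in the default DPM bin folder and accepts -DPMservername and -PSCredentials
# as named parameters (the names it prompts for in the post).

$AttachScript = 'C:\Program Files\Microsoft Data Protection Manager\DPM\bin\Attach-ProductionServerWithCertificate.ps1'

function Attach-DpmCertificateClient {
    param(
        [Parameter(Mandatory = $true)][string]$DpmServerName,
        [Parameter(Mandatory = $true)][string]$ClientBinFile
    )
    if (-not (Test-Path -LiteralPath $AttachScript)) { throw "Attach script not found: $AttachScript" }

    # Always hand the script a full path so it never falls back to Windows\System32.
    $binPath = (Resolve-Path -LiteralPath $ClientBinFile -ErrorAction Stop).Path
    $leaf    = Split-Path -Path $binPath -Leaf
    if ($leaf -notmatch '^CertificateConfiguration_.+\.bin$') {
        throw "Not a CertificateConfiguration_<server>.bin file: $leaf"
    }

    # Guard against the mistake the post warns about: the DPM server's own
    # .bin file (CertificateConfiguration_<DPM name>.bin) must never be passed here.
    $serverNames = @($DpmServerName, $env:COMPUTERNAME)
    try { $serverNames += [System.Net.Dns]::GetHostEntry($DpmServerName).HostName } catch { }
    foreach ($name in ($serverNames | Select-Object -Unique)) {
        if ($leaf -ieq "CertificateConfiguration_$name.bin") {
            throw "Refusing to run: '$leaf' looks like the DPM server's own .bin file"
        }
    }

    Write-Host "Attaching protected server described by $binPath to $DpmServerName"
    & $AttachScript -DPMservername $DpmServerName -PSCredentials $binPath
}

# Usage, with the file name from the post's example:
Attach-DpmCertificateClient -DpmServerName 'DPM01' -ClientBinFile 'C:\Temp\CertificateConfiguration_MemberServer.bin'
```

The name check is deliberately simple: the .bin files on both sides follow the CertificateConfiguration_<name>.bin pattern shown in the post, so comparing the leaf name against the DPM server's short name, its FQDN and the local computer name catches the dangerous case without needing to parse the file.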

Appendix A: Creating the DPM certificate template

To create a DPM template for web enrollment, we can copy an existing template from within the “Certificate Templates” snap-in on the Certificate Authority. We will need to pick one whose intended purposes include both client authentication and server authentication.

In this example, the “RAS and IAS Server” template is selected. Highlight it and select “Duplicate Template”. We will be prompted for a selection of template version.

Leave the default at Windows Server 2003 Enterprise and click OK. Change the Template display name to something distinguishable. In this example we have chosen “DPM Authentication” as the template display name.


Also check the box for “Publish certificate in Active Directory”. On the Request Handling tab, “Allow private key to be exported” should be selected.

Now that we’ve created a new template for DPM authentication, we need to make the certificate template available for use. Open the Certificate Authority snap-in.

Right-click on “Certificate Templates” and select “New” then choose “Certificate Template to Issue”.


Once this is done you will be presented with a selection of certificate templates to choose from. Select the template we created and click OK.

Appendix B: Configuring the DPM Template for Enrollment or AutoEnrollment

During the creation of the DPM certificate template, you can optionally configure it for Enrollment or Autoenrollment.

a. Selecting Enroll will allow it for selection via MMC.
b. Selecting Autoenroll will allow the certificate to be automatically assigned to computers in the domain.

For Enrollment, if the request will be made directly through the MMC (the much easier method), then use the “Build from this Active Directory information” radio button. Change the drop-down to use Common name, and check the box for DNS name. Click OK to accept that.

Only if using the MMC method to request the certificate, go to the Security tab and select Enroll for Authenticated Users. Once done, close out the certificate properties.

Optionally, if Autoenroll is selected, this certificate will be automatically assigned to computers in the domain.

Now that the choice has been made to Enroll the certificates, we should be able to request the certificate via the MMC. On a server to be protected, in the Certificates (Local Computer) snap-in, expand the Personal store and right-click “Certificates”. Select “All Tasks” then “Request New Certificate”.

You should see the certificate enrollment wizard initialized.


Select “Next” and you should see the choice to select “Active Directory Enrollment Policy”.


Select “Next”. You should now see the template we created listed as a selection.

You can expand the “Details” and see the properties.


When the properties page opens, select the “General” tab and give it a friendly name. In this example we give it the name “DPM AuthTest”.

Once you select Apply, select Next and you should see a confirmation that the certificate is installed successfully.


Go back to the Certificates (Local Computer) Personal store and double-click the certificate. Select the “Certification Path” tab; the friendly name “DPM AuthTest” is shown.

You have now requested a certificate for DPM use via MMC instead of web enrollment.

Shane Brasher | Senior Support Escalation Engineer


Short Q&A on Bare Metal Restore in System Center Data Protection Manager 2010


Hi Everyone, Vivek Kumar here from the Data Protection Manager (DPM) support team. DPM 2010 comes with Bare Metal Restore (BMR) capabilities that are much talked about and have helped us in many crucial disaster recovery scenarios. Many of my friends have written about the backup and restore process for BMR and you can read more about it here:

Data Protection Manager 2010 and Bare Metal Restore - http://blogs.technet.com/b/dpm/archive/2011/11/01/data-protection-manager-2010-and-bare-metal-restore.aspx

Performing a Bare Metal Restore with DPM 2010 - http://blogs.technet.com/b/dpm/archive/2010/05/12/performing-a-bare-metal-restore-with-dpm-2010.aspx

Deciding between System State Backup and Allcritical Backup in Windows Server 2008 - http://blogs.technet.com/b/filecab/archive/2009/05/04/deciding-between-system-state-backup-and-allcritical-backup-in-windows-server-2008.aspx

Below are some of the questions that my customers have asked while protecting BMR data, along with the answers:

NOTE This article applies only to Windows Server 2008 R2 and DPM 2010 and above.

Q: When we perform a BMR backup, why don’t we see the data transfer rate in the monitoring tab in the DPM console?

Answer: We don’t see the data transfer rate because BMR backups are performed by WSB (Windows Server Backup), and DPM cannot show you the data transfer rate of the WSB thread. We only show details of DPMRA under monitoring.

Q: We have applied network throttling for a server but our BMR backup doesn’t get throttled. Why is that?

Answer: Bandwidth throttling is a network related feature (controlled by QoS) that is applied to DPMRA. WSB is independent of it, so the bandwidth throttling rule applied to DPMRA won’t be applied to WSB (this is expected behavior). For more information on this see http://technet.microsoft.com/en-us/library/cc161325.aspx.

Q: I restored my BMR backup to a share but why doesn’t the WSB console recognize it?

Answer: This is a key recommendation. When you restore the BMR backup to any drive, you need to restore it to the root of the drive so that the WSB console can recognize it. If it’s under a folder then WSB won’t be able to discover it. For example, you will want to put it in D: or E:, not in D:\Restore\Date, etc. For more information on this see http://technet.microsoft.com/en-us/library/cc731602.aspx#BKMK_no_disk.

Vivek Kumar | System Center Support Engineer


New Top Solutions feeds for System Center products


We are very happy to announce that seven of the Product Solution Centers on http://support.microsoft.com are featuring new Top Solutions sections that pull dynamically from the Top Solutions RSS feeds. The Top Solutions are usually listed on the page for the Key Resources tab.

The following solution centers have dynamic Top Solutions; the rest will be updated in the near future. Check out the new look and functionality!

If you want to keep up to date on all the latest top solutions you’ll definitely want to check these out.

J.C. Hornbeck | System Center & Security Knowledge Engineer


Exchange 2010 DAG Passive Node Visibility and the EnableVSSWriter Regkey in Data Protection Manager


Hi everyone, Andy Nadarewistsch here, and today I want to talk about passive node visibility in System Center Data Protection Manager. To be more specific, I would like to discuss why passive nodes would not show in the DPM console. In general, there are only a few reasons why you would not see a passive node or an Exchange DB listed in the DPM console when protecting a DAG:

  1. The agent is not installed on any of the nodes that own the Mailbox DB you are attempting to protect
  2. There are VSS errors causing the datasources not to enumerate
  3. The EnableVSSWriter regkey is set to 0, which disables the Exchange replication writer

Looking at the last scenario we will review how DPM responds when the registry key below exists:

HKEY_LOCAL_MACHINE\Software\Microsoft\ExchangeServer\v14\Replay\Parameters\EnableVSSWriter

Let’s see how DPM normally sees passive nodes. In this example I will use a 3 node cluster and I am only going to install agents on two of the three nodes, which are shown below.

  • Test = Exchange DAG name
  • 5438 = Node 1
  • 54381 = Node 2
  • 54382 = Node 3

The node that does not have the agent installed is Node 3.

Initial setup for active/passive copies (columns are the DAG nodes, rows the databases):

        38    381   382
DB01    P     A     -
DB02    A     -     P
DB03    -     P     A

Legend: A = Active, P = Passive, - = no copy on that node

I am going to change a registry key on Node 2 (54381). This key disables the Exchange Replication Writer, which is why DPM will no longer see passive copies for that node.

As previously stated, the registry key is HKEY_LOCAL_MACHINE\Software\Microsoft\ExchangeServer\v14\Replay\Parameters\EnableVSSWriter and we’re going to set it to 0 (disabled).

NOTE By default this registry value does not exist and must be created manually. However, there are times when this registry value should be changed, and the article below is a good example:

Using Windows Server Backup to Back Up and Restore Exchange Data : http://technet.microsoft.com/en-us/library/dd876851.aspx

Note the important notice given in that article about this key. By default the value is absent; for this test it is created and set to 0.

NOTE DPM is not affected until AFTER the replication service is restarted. What this means is that the registry key change can lie dormant, and an Exchange server replication service restart or reboot may later trigger abnormal behavior in DPM.

Now let’s see what DPM shows. Going back and re-enumerating the DAG, notice we no longer see DB03. This is because the passive copy was on Node 2 and the active copy was on Node 3, which is not protected by this DPM server or may not be protected at all.

However, notice that Node 2 still shows under DB01 since it holds the active copy.

Now let’s do one final test. I am going to setup Exchange so both the active and passive copies are on nodes protected by this DPM server and the passive copy resides on Node 2. To do this I activated the passive copy for DB01 to Node 1. This switched the active\passive copy configuration.


Looking at the DPM console, not only is DB03 still gone, but Node 2 for DB01 is no longer selectable either.

NOTE This behavior can be compounded if the Exchange Registry key is on more than one DAG member.

Summary:

DPM will not see passive copies and/or nodes when the replication writer is disabled. If you find missing components during enumeration, please check the following potential causes.

1) The agent is not installed on any of the nodes that own the mailbox database you are attempting to protect. If this is the case, ensure that an agent is installed on the node that holds the mailbox database you are attempting to protect.

2) The EnableVSSWriter value under HKEY_LOCAL_MACHINE\Software\Microsoft\ExchangeServer\v14\Replay\Parameters is set to 0 (writer disabled). If this is the case, check all nodes of the DAG and ensure that the value does not exist, or if it does, that EnableVSSWriter is not set to 0. If you make this change, remember to restart the Exchange Replication Service for it to take effect.

3) There are VSS errors causing the datasources not to enumerate. If so, verify that all Exchange Node and Exchange VSS components are functional.

    • Ensure all databases are mounted and healthy
    • Run vssadmin list writers – Check to see if the Exchange Writer is in stable state
    • Review System event log for VSS or Volsnap errors
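The three checks in the summary can be run against every DAG member in one pass, which is useful because the post notes that the registry change lies dormant until the replication service restarts. The following PowerShell is an added example, not the post's or Exchange's own code. It assumes the account running it has remote registry and WinRM access to each node, and uses the post's node names as placeholders; the function names are hypothetical.

```powershell
# Added example, not code from the original post or from Exchange/DPM.
# Assumptions: RemoteRegistry and WinRM reachable on each DAG member;
# node names below are the post's placeholders, replace with your own.

$DagNodes  = @('5438', '54381', '54382')
$ReplayKey = 'SOFTWARE\Microsoft\ExchangeServer\v14\Replay\Parameters'   # Exchange 2010 (v14)

function Get-EnableVssWriterSetting {
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $key = $hklm.OpenSubKey($ReplayKey)
        if ($null -eq $key) { return 'key absent (writer enabled by default)' }
        $value = $key.GetValue('EnableVSSWriter', $null)
        if ($null -eq $value) { return 'value absent (writer enabled by default)' }
        if ([int]$value -eq 0) { return 'EnableVSSWriter = 0 (replication writer DISABLED)' }
        return "EnableVSSWriter = $value"
    } finally { $hklm.Close() }
}

function Get-ExchangeWriterStates {
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    # vssadmin prints one block per writer, e.g.
    #   Writer name: 'Microsoft Exchange Writer'
    #      ...
    #      State: [1] Stable
    $lines  = Invoke-Command -ComputerName $ComputerName -ScriptBlock { & vssadmin.exe list writers }
    $chunks = ($lines -join "`n") -split 'Writer name:'
    foreach ($chunk in $chunks) {
        if ($chunk -notmatch "^\s*'(Microsoft Exchange[^']*)'") { continue }
        $name  = $Matches[1]
        $state = if ($chunk -match 'State:\s*(\[\d+\]\s*[^\r\n]+)') { $Matches[1].Trim() } else { 'unknown' }
        "$name => $state"
    }
}

$report = foreach ($node in $DagNodes) {
    try {
        $writers = @(Get-ExchangeWriterStates -ComputerName $node)
        [pscustomobject]@{
            Node            = $node
            EnableVSSWriter = Get-EnableVssWriterSetting -ComputerName $node
            ExchangeWriters = if ($writers) { $writers -join '; ' } else { 'no Exchange writer listed' }
        }
    } catch {
        [pscustomobject]@{ Node = $node; EnableVSSWriter = "error: $($_.Exception.Message)"; ExchangeWriters = '' }
    }
}
$report | Format-Table -AutoSize -Wrap

# A node can show EnableVSSWriter = 0 here while DPM still enumerates its passive
# copies: the setting only takes effect once the Microsoft Exchange Replication
# service on that node is restarted, which is exactly the dormant case the post describes.
```

Reading the registry and the writer list side by side is the point: a node whose value is 0 but whose Exchange writers are still "Stable" is the one that will surprise you after the next reboot, and the report makes that visible before enumeration changes.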

Don’t be passive about passive copies not showing. If you run into a scenario I haven’t mentioned please reply or review our DPM Exchange forums at http://social.technet.microsoft.com/Forums/en-US/dpmexchbackup/threads.

Andy Nadarewistsch | Senior Support Escalation Engineer



Secondary Protection and Exchange 2010 DAG Node Protection in System Center Data Protection Manager



Hi everyone, Andy Nadarewistsch here, and today I want to talk about secondary protection and Exchange 2010 DAG node protection in System Center Data Protection Manager 2010 (DPM). DPM allows for great flexibility when it comes to protecting Exchange DAGs (Database Availability Groups), but this can become confusing without an understanding of how DPM sees nodes that belong to a DAG. That confusion can be compounded when a secondary server is introduced. I hope to defuse some of the confusion surrounding these scenarios without confusing you further in the process.

First, there are a few basic ground rules when talking about DPM protection for Exchange DAGs:

1. A given node can be protected by only one DPM server. For example, in a three node DAG, if DPM1 installs an agent on Node1, no other DPM server can install an agent on Node1. However, any other DPM server can install agents on Node2 or Node3. In a second example, if DPM1 has agents on Node1 and Node2, then Node3 is the only node on which another DPM server can install an agent.

2. DPM does not care if the mailbox database is active or passive.

References:

  • Test = Exchange DAG name
  • 5438 = Node1
  • 54381 = Node2
  • 54382 = Node3
  • DPM1 = Primary DPM
  • DPM2 = Secondary DPM

Part 1: Agent installation and Protection group setup on the Primary (DPM1)

On initial agent install, DPM will detect if a member of the DAG is not selected. For this scenario, we do not want DPM1 to install agents on all nodes because DPM2 will have an agent installed on Node3 to protect Node3 directly (see ground rule 1). Only one DPM server can have an agent on a given Exchange node, so in this test DPM1 will have agents installed on Node1 and Node2 and DPM2 will have an agent installed on Node3.

The following alert will show in the alerts tab:

“A protection agent is not installed on ANNA256654382.2566543DOM.com in test.2566543DOM.com server cluster. Protection may fail if a failover occurs to ANNA256654382.2566543DOM.com. (ID 369)”

At this point DPM1 only sees the two nodes that have agents installed. The Exchange nodes themselves do not show the Exchange mailbox databases; the DAG cluster name must be expanded.

Looking at the Exchange management console, MailboxDB02 has its active copy on Node1 and passive copy on Node2.


Node1 owns the active copy and Node3 owns the passive copy for DB03.


If the mailbox databases are expanded in DPM, the nodes they belong to are visible and selectable. Notice how MailboxDB02 sees two nodes but MailboxDB03 only sees Node1. This is because DPM1 does not have an agent installed on Node3 which owns the other copy of MailboxDB03.

NOTE MailboxDB01 at this point does not have any Exchange passive copies created.


NOTE If the passive copy of MailboxDB03 was on Node1, DPM would still see it. DPM does not care if the copy is active or passive (See ground rule 2).

If you activate the passive copy of MailboxDB02 on Node3, making the copy on Node1 passive, Node1 under MailboxDB02 is still visible and selectable for protection because again, DPM does not care which copy is active and which is passive.


Let’s add protection on the primary DPM server. A passive copy for MailboxDB01 has been added and MailboxDB03 has been moved from Node1 to Node2.


Notice that there are now two nodes showing for MailboxDB01. A DPM copy backup can be created for one of MailboxDB01’s nodes.

NOTE Ensure at least one full and one copy backup is selected.



Part 2: Introducing a secondary DPM Server, installing an agent in Node3 from DPM2, and configuring protection

Again the warning that there are other nodes in the DAG that can be protected is raised.


In this scenario, DPM2 is installing an agent on Node3 directly. As long as there is a mailbox database on Node3, DPM2 will see that database and show the nodes DPM2 knows about for that database. Notice there is no MailboxDB01. This is because there are no copies of MailboxDB01 on Node3.


Now we are going to move a step further and see how DPM2 responds when it becomes secondary protection for DPM1 and is protecting Node3 directly at the same time. Until installing the DPM2 agent on DPM1, DPM2 will not be able to protect any Exchange resources on DPM1. DPM2 will be able to see the DAG because an agent is directly installed on Node3.

NOTE DPM must be at least on patch level 7706 for secondary protection of Exchange DAG to work properly.

After installing DPM2’s agent on DPM1, DPM2 sees both DPM1’s DAG selection list and its own DAG selection list. Notice how DPM1’s DAG selection list shows Node3. Being able to see and protect Node3 through DPM1’s selection list may throw you. DPM shows the node because DPM2 is protecting Node3 directly.


Let’s see how DPM2’s console responds if we remove the Node3 agent from DPM2.


There is no longer an option to select Node3 in the selection list. Moving on, let’s select one database from each set.

DPM handles the selection just fine. Please note that during the protection group setup, because no directly protected datasource was selected, there was no prompt for a full/copy backup. This is because those protection group settings were already configured on DPM1 in part 1.

Adding the agent for Node3 back on DPM2 for direct protection, we again see the option to protect it from either selection list.


Now, since Node3 is being configured for the first time, I do get the option for a full or copy backup for all the MailboxDBs. However, I have to be careful here, because full copy backups have already been configured for MailboxDB01, 02 and 03 on DPM1 in part 1.

In this case I want to select all copy backups for the Mailbox databases.


After protection, notice both protection groups have nodes and mailbox databases selected.


If I modify the protection group, I can edit the datasources protected in their respective protection groups but not datasources protected in other protection groups. Only one datasource can be protected per protection group.


Well everyone, these were the most common scenarios that are seen from customers. Again, this can become complex and confusing but my hope is now you have a better understanding.

Additional DPM resources:

Andy Nadarewistsch | Senior Support Escalation Engineer


Open Beta for Private Cloud MOF Guide - Now Available for Download!


Managing and Operating a Microsoft Private Cloud—How to Apply the Microsoft Operations Framework (MOF)

The Microsoft Operations Framework team is working on a new guide: Managing and Operating a Microsoft Private Cloud—How to Apply the Microsoft Operations Framework.

Get the beta here

This guide leads you through the process of how to manage and operate a Microsoft private cloud using the service management processes of the Microsoft Operations Framework (MOF). The guide applies MOF’s IT service management principles to that conceptual architecture and technology stack. It describes how to maximize the potential of MOF’s people, process, and technical capabilities to manage and operate a Microsoft private cloud.

Follow this guidance for a private cloud that is better aligned to meet your business needs. Employ MOF’s service management functions (SMFs) to help align IT and business goals, which can enable you to perform private cloud activities effectively and cost-efficiently.

This guide focuses on the SMFs in the Operate Phase and the Manage Layer of MOF to give IT pros and managers what they need to know about managing and operating a private cloud. Management reviews—internal controls that ensure goals are met to achieve business value—are also included.

Tell us what you think! Download and review the beta guide, then send your feedback to mofpm@microsoft.com by June 11, 2012. We would especially appreciate feedback in the following areas:

· Usefulness – Is the technical depth of this guide sufficient for the topics covered? Will this guide be useful to you on a day-to-day basis? What portions of the guide are the most useful to your organization?

· Usability – Is the structure or flow of this guide effective? Is the information presented in a clear and logical manner? Can you easily find key content?

· Impact – Do you anticipate that this guide will save you time and accelerate deployment of Microsoft products in your organization? Has this guide had a positive influence on your opinion of the Microsoft technologies it addresses?

Benefits for participation:

· You get an early look at the guide.

· You will be listed on the acknowledgments page for providing usable feedback.

We look forward to hearing from you! Your input helps to make each guide as helpful and useful as possible. Thanks in advance for taking the time to review Managing and Operating a Microsoft Private Cloud—How to Apply the Microsoft Operations Framework (MOF).


Subscribe to the MOF beta program and we will notify you when new beta guides become available for your review and feedback. These are open beta downloads. If you are not already a member of the MOF Beta Program and would like to join, follow these steps:

1. Go here to join the MOF beta program:

https://connect.microsoft.com/site14/InvitationUse.aspx?ProgramID=1880&InvitationID=MOFN-M6H9-PV3X

If the link does not work for you, copy and paste it into the web browser address bar.

2. Sign in using a valid Windows Live® ID.

3. Enter your registration information.

4. Continue to the MOF program beta page, scroll down to Microsoft Operations Framework, and click the link to join the MOF beta program.

Please send your comments and feedback to mofpm@microsoft.com.

Want to learn more about other MOF guides?

Visit our MOF page for information on the full series of Microsoft Operations Framework guides.


Check out our other Solution Accelerators:

You can see our full catalog of Solution Accelerators here.


Questions & Feedback:

For Microsoft-internal questions and feedback on the guide, please contact us.


 

Things you can do to help Data Protection Manager utilize your tapes full capacity


Hello, Mike Jacquet here, and today I would like to discuss things you can do to help Data Protection Manager (DPM) utilize your tapes to full capacity. Many customers have reported that DPM tape backups use more tapes than necessary when backing up large data sources or many small data sources across protection groups. For example, the tape may have a native capacity of 800GB, but DPM never seems to fill the tape and may even stop using the tape after writing only a few gigabytes. Other customers report that they have no problem filling tapes when the backups are large enough to fill the tape during a single backup session; however, if the tape is not filled or marked offsite ready, the tape will still not be used for subsequent backup jobs scheduled on a later day or week.

These appear to be related problems, but in reality, there are several underlying causes that need to be explored and DPM settings explained / configured before optimal tape usage can be achieved.

Tape drive / Library hardware and device drivers.

Data Protection Manager does not ship with or use Microsoft proprietary device drivers for tape drives and libraries; instead, DPM relies on Windows 2008 X64 compatible device drivers from the OEM vendor of the hardware. The guidance we are giving customers is if the library is listed on the Windows server catalog under the hardware / storage section and shows as being compatible with Windows 2008 X64 and Windows 2008 R2, then it should work fine with Data Protection Manager.

Windows Server Catalog: http://www.windowsservercatalog.com

One problem that the DPM product group discovered is that some tape drives did not properly report or process end of media (EOM) when the end of tape was reached, and instead reported an IO_DEVICE_ERROR 0x8007045D error. This problem would cause DPM tape backup jobs to fail any time a tape filled. Another problem that was discovered is that some tape drives did not handle multiple buffers very well, which would also result in IO errors being reported. To mitigate both of those problems, some logic was added to the DPM agent to handle these types of problems that were outside of our control.

Today, if the tape driver returns an IO_DEVICE_ERROR, DPM automatically converts the IO_DEVICE_ERROR to an END_OF_TAPE_REACHED and spans to the next media without any issues. However, that brings us to our first reported problem: DPM will not fill tapes and grabs another tape after writing only a few gigabytes.

Now you ask, how can I tell if the tape drive / driver / firmware combination in use is hitting this hidden, behind-the-scenes device I/O error 0x8007045D?

To see if the tape drive is reporting IO error 0x8007045D, which means "The request could not be performed because of an I/O device error", you can run the following commands on the DPM server.

  1. Open an Administrative command prompt.
  2. CD C:\Program file\Microsoft DPM\DPM\Temp
  3. Find /I "0x8007045D" MSDPM*.Errlog >C:\temp\MSDPM0x8007045D.TXT
  4. Notepad C:\temp\MSDPM0x8007045D.TXT
  5. See if there are any entries in the file, if not look in the DPMRA logs
  6. Find /I "0x8007045D" DPMRA*.Errlog >C:\temp\DPMRA0x8007045D.TXT
  7. Notepad C:\temp\DPMRA0x8007045D.TXT

Also search for "-2147023779" which is the decimal equivalent.

NOTE The DPMLA*.errlog may contain 0x8007045D errors and that is expected, so do not look in that file.
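As an added example (not from the original post), the search above as one PowerShell script: it checks both the hex and the decimal form of the error in the MSDPM and DPMRA logs, skips DPMLA*.errlog, and writes a report. It assumes the default DPM 2010 temp path and a C:\temp report location, both adjustable.

```powershell
# Added example, not from the original post: scan the DPM error logs for the hidden
# I/O device error that DPM converts to END_OF_TAPE_REACHED, in both of its spellings.
# Assumes the default DPM 2010 temp path and a C:\temp report folder; adjust as needed.
param(
    [string]$LogDir = 'C:\Program Files\Microsoft DPM\DPM\Temp',
    [string]$Report = 'C:\temp\DPM0x8007045D.txt'
)

# Hex HRESULT as written by MSDPM/DPMRA, and its signed decimal equivalent.
$patterns = '0x8007045D', '-2147023779'

# Only MSDPM*.errlog and DPMRA*.errlog are meaningful here. DPMLA*.errlog is skipped
# on purpose: the post notes that 0x8007045D entries there are expected.
$logs = Get-ChildItem -Path $LogDir -Filter '*.errlog' |
    Where-Object { $_.Name -match '^(MSDPM|DPMRA)' }

$hits = @(foreach ($log in $logs) {
    # -SimpleMatch searches for the literal strings rather than treating them as regex.
    Select-String -Path $log.FullName -Pattern $patterns -SimpleMatch |
        Select-Object Filename, LineNumber, Line
})

$reportDir = Split-Path -Parent $Report
if (-not (Test-Path $reportDir)) { New-Item -ItemType Directory -Path $reportDir | Out-Null }
$hits | Format-Table -AutoSize | Out-String -Width 4096 | Out-File -FilePath $Report

if ($hits.Count -eq 0) {
    Write-Host 'No 0x8007045D / -2147023779 entries in the MSDPM or DPMRA logs.' -ForegroundColor Green
} else {
    # One line per log file so a steadily failing drive stands out.
    $hits | Group-Object Filename | Sort-Object Count -Descending |
        Select-Object @{ n = 'LogFile'; e = { $_.Name } }, Count
    Write-Host "Detail written to $Report" -ForegroundColor Yellow
}
```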

How do I fix this I/O 0x8007045D error problem?

1. Start by checking with the tape drive / library OEM vendor for new firmware or driver updates, and if there are any, update to the latest revision. Check your controller settings and SCSI or fiber connections, including termination.

2. By default, DPM uses 10 tape buffers when writing to the tape drive. The BufferQueueSize registry setting below reduces the number of buffers to three. Most of the time that is enough to reduce or eliminate the I/O error, and it does not negatively affect tape backup performance. However, you may need to reduce it further if a value of 3 does not help.

NOTE If you need to reduce the setting below 3, it is very possible that backups will succeed without errors but tape restores or tape library inventory jobs may hang. Should that occur, increase BufferQueueSize back to three or more to do the restore, then reduce it again for normal backups.

Copy the below into Notepad and save it as BufferQ.REG on the DPM server.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent]
"BufferQueueSize"=dword:00000003

Right-click BufferQ.REG and choose the "merge" or "open with registry editor" option to add it to the registry. Stop and restart the DPMRA service.

Another solution that also seems to help resolve the above issue is to add the following Storport key and BusyRetryCount value under each tape device's Device Parameters key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\SCSI\<DEVICEID>\<INSTANCE>\Device Parameters\Storport\
Value - BusyRetryCount
Type - DWORD
Data - 250 decimal (0xFA hex)

To get a list of all the tape devices in your DPM server that need the registry key added, run the following command from an administrative command prompt. It returns a list of tape drive SCSI\DeviceID\Instance values that you can use to make the above change.

C:\Windows\system32>wmic tapedrive list brief


Below are the registry keys to add to the DPM server based on the output of the wmic command above (five IBM ULTRIUM-TD3 drives in this example).

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Sequential&Ven_IBM&Prod_ULTRIUM-TD3\5&31cf2afa&0&000001\Device Parameters\Storport]
"BusyRetryCount"=dword:000000fa

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Sequential&Ven_IBM&Prod_ULTRIUM-TD3\5&31cf2afa&0&000002\Device Parameters\Storport]
"BusyRetryCount"=dword:000000fa

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Sequential&Ven_IBM&Prod_ULTRIUM-TD3\5&31cf2afa&0&000003\Device Parameters\Storport]
"BusyRetryCount"=dword:000000fa

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Sequential&Ven_IBM&Prod_ULTRIUM-TD3\5&31cf2afa&0&000004\Device Parameters\Storport]
"BusyRetryCount"=dword:000000fa

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Sequential&Ven_IBM&Prod_ULTRIUM-TD3\5&31cf2afa&0&000005\Device Parameters\Storport]
"BusyRetryCount"=dword:000000fa

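As an added example (not part of the original post), a PowerShell audit of the two registry settings described above: it reads BufferQueueSize and, for every tape drive, builds the Storport key from Win32_TapeDrive.PNPDeviceID instead of copying it by hand from the wmic output, and only changes anything when run with -Apply. The defaults of 3 and 250 are the values given above.

```powershell
# Added example, not from the original post: audit the two registry settings described
# above on a DPM server and, only when run with -Apply, set them. BufferQueueSize is the
# agent-wide buffer count; BusyRetryCount is set per tape drive under a Storport key that
# is built from Win32_TapeDrive.PNPDeviceID instead of being copied from the wmic output.
# Defaults (3 and 250) are the values recommended above. Run in an elevated PowerShell.
param([switch]$Apply, [int]$BufferQueueSize = 3, [int]$BusyRetryCount = 250)

function Check-RegistryValue {
    # Report the current DWORD (or 'not set') against the wanted value; create/set it if -Apply.
    param([string]$Key, [string]$Name, [int]$Wanted)
    $current = $null
    if (Test-Path $Key) {
        $current = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    if ($current -eq $null)        { $state = 'not set' }
    elseif ($current -eq $Wanted)  { $state = 'OK' }
    else                           { $state = "is $current" }
    '{0,-16} {1,-10} {2}' -f $Name, $state, $Key

    if ($Apply -and $current -ne $Wanted) {
        if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
        Set-ItemProperty -Path $Key -Name $Name -Value $Wanted -Type DWord
    }
}

# 1) Agent-wide number of tape buffers (DPM default 10; the post recommends 3).
Check-RegistryValue -Key 'HKLM:\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent' -Name 'BufferQueueSize' -Wanted $BufferQueueSize

# 2) Storport retry count per tape drive. PNPDeviceID is the same
#    SCSI\<DEVICEID>\<INSTANCE> string that 'wmic tapedrive list brief' prints.
foreach ($drive in Get-WmiObject -Class Win32_TapeDrive) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Enum\$($drive.PNPDeviceID)\Device Parameters\Storport"
    Check-RegistryValue -Key $key -Name 'BusyRetryCount' -Wanted $BusyRetryCount
}

if ($Apply) {
    Write-Host 'Restart the DPMRA service so the new BufferQueueSize takes effect.' -ForegroundColor Yellow
}
```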
Data Protection Manager 2007 / 2010 Specific Configuration Settings

Let us explore some Data Protection Manager specific configuration settings that have a large impact on how long a tape can be used for backup jobs.

TAPE CO-LOCATION - This feature allows data sources from different protection groups that share the same recovery goals to be written to the same tape. This helps utilize tapes by filling them with backups from across protection groups. Only protection groups that share the exact same tape recovery goals and encryption settings can be co-located on the same tape.

NOTE DPM 2012 has an enhanced option that allows you to choose which protection groups can be co-located regardless of retention goals.

The LT-Goals.PS1 DPM PowerShell script below can be run on a DPM 2007 / 2010 server to analyze all your protection groups and list which protection groups can be co-located together based on common recovery goals and encryption settings.

Copy / paste the below into Notepad and save it as LT-Goals.PS1, then run it in the DPM Management Shell window.

cls
$confirmpreference = 'none'
# Read the DPM version from the running msdpm process; Get-PolicySchedule syntax differs between DPM 2007 and 2010.
$dpmversion = ((get-process | where { $_.name -eq "msdpm" }).fileversion)
write-host "DPM Version - " $dpmversion "`nCollecting Long Term protection Information. Please wait..." -foreground yellow
$dpmserver = (&hostname)
out-file longterm.txt
# Only protection groups with long-term tape protection are of interest.
$pg = @(get-protectiongroup $dpmserver | where { $_.ProtectionMethod -like "*Long-term using tape*" })
write-host "We have" $pg.count "groups with tape protection"
foreach ($longterm in $pg)
{
    "-----------------------------------------------------------`n" | out-file longterm.txt -append
    "" | out-file longterm.txt -append
    "Protection Group " + $longterm.friendlyname | out-file longterm.txt -append
    "" | out-file longterm.txt -append
    switch ($dpmversion.substring(0,1))
    {
        2 { $policySchedule = @(Get-PolicySchedule -ProtectionGroup $longterm -longterm) }        # DPM 2007
        3 { $policySchedule = @(Get-PolicySchedule -ProtectionGroup $longterm -longterm tape) }   # DPM 2010
        default { write-host "NOT TESTED ON THIS DPM VERSION. Exiting script" -foreground red; exit }
    }

    $tb = Get-TapeBackupOption $longterm
    "Is encryption enabled? " + $tb.OffsiteEncryption | out-file longterm.txt -append
    "" | out-file longterm.txt -append
    $tb.RetentionPolicy | out-file longterm.txt -append
    # One label per long-term recovery goal; an empty label means the DPM default label is used.
    $label = @($tb.label)
    $count = $policySchedule.count - 1
    while ($count -ne -1)
    {
        if ($label[$count].length -eq 0 -or $label[$count].length -eq $null)
        {
            "Default Label Name" | out-file longterm.txt -append
        }
        else
        {
            "Tape Label: " + $label[$count] | out-file longterm.txt -append
        }
        $policyschedule[$count] | fl * | out-file longterm.txt -append
        $count--
    }
}
# Compare every pair of groups: an identical retention policy and encryption setting means they can share a tape.
if ($pg.count -gt 1)
{
    $pgcount = 0
    while ($pgcount -ne ($pg.count - 1))
    {
        $collocation = @($pg[$pgcount].friendlyname)
        write-host $pgcount -background green
        (Get-TapeBackupOption $pg[$pgcount]).RetentionPolicy | out-file policyretention.txt
        (Get-TapeBackupOption $pg[$pgcount]).OffsiteEncryption | out-file policyretention.txt -append
        write-host "policyretention.txt" -foreground green
        type policyretention.txt
        $pgcountinnerloop = 0
        while ($pgcountinnerloop -ne $pg.count)
        {
            write-host $pgcountinnerloop -background yellow
            # Never compare a group with itself.
            if ($pgcount -eq $pgcountinnerloop) { $pgcountinnerloop++ }
            (Get-TapeBackupOption $pg[$pgcountinnerloop]).RetentionPolicy | out-file policyretention1.txt
            (Get-TapeBackupOption $pg[$pgcountinnerloop]).OffsiteEncryption | out-file policyretention1.txt -append
            write-host "policyretention1.txt" -foreground green
            type policyretention1.txt

            $compare = Compare-Object -ReferenceObject $(get-content policyretention.txt) -DifferenceObject $(get-content policyretention1.txt)
            if ($compare.length -eq $null)
            {
                # A match with a lower-numbered group was already reported in an earlier pass, so stop here.
                if ($pgcountinnerloop -lt $pgcount)
                {
                    Break
                }
                else
                {
                    $collocation = $collocation + $pg[$pgcountinnerloop].friendlyname
                    $collocation
                    write-host "done"
                    $collocationcount++
                }
            }
            $pgcountinnerloop++
        }
        if ($collocation.count -gt 1)
        {
            "-----------------------------------------------------------" | out-file longterm.txt -append
            "Protection Groups that can share the same tape based on recovery goals/Encryption:" | out-file longterm.txt -append
            " " | out-file longterm.txt -append
            write-host $collocation
            foreach ($collocation1 in $collocation)
            {
                $collocation1 | out-file longterm.txt -append
            }
        }
        $pgcount++
    }
}

"-----------------------------------------------------------" | out-file longterm.txt -append
$dir = dir longterm.txt; write-host "`nDONE`n`nOutput file Created:" $dir.fullname -foreground yellow
del policyretention*.txt
notepad longterm.txt

Referencing the below Technet articles, after you enable tape co-location, DPM has two configurable options [TapeWritePeriodRatio and TapeExpiryTolerance ] that impact when a tape gets marked offsite ready and if a tape will be used for another backup job if not yet marked offsite ready.

Enabling tape Co-Location:

DPM 2007 - http://technet.microsoft.com/en-us/library/cc964296.aspx
DPM 2010 - http://technet.microsoft.com/en-us/library/ff399230.aspx

When tape co-location is enabled, a tape will be shown as Offsite Ready when any one of the following conditions is met:

- The tape is full or is marked full. (This includes the I/O 0x8007045D error problem described above.)
- One of the datasets has expired.
- The write-period ratio has been crossed. (By default, this is the first backup time + 15 percent of the retention range.)

When a tape is marked offsite ready, no additional data sets will be written to that tape until ALL recovery points expire. Once a tape is marked as expired, DPM will show the tape as expired in the DPM console and can overwrite the tape during subsequent backups. DPM will always favor a free tape over an expired tape when it searches for a tape to use if a new tape is required.

NOTE If DPM library sharing is enabled, by default only the DPM server that initially wrote to that tape can re-use it unless you manually free the expired tape. Once the tape is marked as free, then any DPM server sharing the library will be able to use that free tape.

TapeWritePeriodRatio - This is a DPM global property that can be set only when co-location is enabled. It indicates the number of days for which data can be written to a tape, expressed as a fraction of the retention period of the first data set written to the tape. This is a global setting and affects all protection groups.

The TapeWritePeriodRatio value can be between 0.0 and 1.0; the default value is 0.15 (i.e. 15%).

NOTE DPM 2012 does not have this global property and instead has additional configuration options in the GUI to allow different write periods for different protection groups. This adds greater flexibility in determining how long you want to use a tape at the protection group(s) level.

As an example of the impact of the TapeWritePeriodRatio setting at its default of 15%: if you have a protection group doing daily backups with a retention period of 2 weeks (14 days), the tape will be marked offsite ready after only 2.1 days, regardless of how much or how little data was written to it. If you want DPM to write to the tape for a week, you would need to change the TapeWritePeriodRatio to 50% using the DPM PowerShell command below.

Set-DPMGlobalProperty -DPMServerName <dpm server name> -TapeWritePeriodRatio .5

TapeExpiryTolerance - This is a registry setting and indicates the time window within which the expiry date of the next dataset to be written to the tape must fall. It is expressed as a percentage. The default value is 17 percent if the registry is not present.

This is a DWORD type registry value located under HKLM\Software\Microsoft\Microsoft Data Protection Manager\1.0\Colocation. DPM does not create the CoLocation key automatically. You must manually create the Colocation key then make a new ExpiryToleranceRange value to set it.

There is a misconception that the tape co-location feature will only co-locate data sets with the same recovery goals onto the same tape, i.e. that a weekly backup will never be co-located on a tape that already has monthly backups written to it. That is not correct: DPM evaluates each tape that is not marked offsite ready and checks whether the data set about to be written passes the following check. It does this to help meet the goal of fully utilizing tapes without preventing the tape from expiring on time. If you adjust the ExpiryToleranceRange too high (make it 100%), you run the risk of placing shorter-retention data sets on tapes with a longer retention goal, and of having the tape marked offsite ready prematurely, which defeats the goal of fully utilizing tapes. Generally speaking, setting this to 60 will provide a good benefit and should not cause any problems.

Let FurthExpDate be the furthest expiry date among the expiry dates of all the datasets already on the tape. The time window is then:

Lower bound = FurthExpDate - TapeExpiryTolerance * (FurthExpDate - today's date)
Upper bound = FurthExpDate + TapeExpiryTolerance * (FurthExpDate - today's date)

The current dataset will be co-located on the given tape only if its expiry date falls within this time window (both bounds inclusive).

Using the same example we used before, you have a protection group doing daily backups, with a retention period of 2 weeks (14 days), and you set the TapeWritePeriodRatio to .5 (50%) because you want DPM to use the tape for 1 week. But with the default TapeExpiryTolerance of 17%, you may not achieve that if one backup fails for any reason and you miss a day's backup.

In the example below, I have set the TapeWritePeriodRatio to .50 and the first backup set was written to the tape on 5/7. Notice that offsite ready will not be set until after 7 days, as desired with the 50% TapeWritePeriodRatio setting. The last backup set was written on 5/9 and the next backup set to be written is 5/11, because a server problem on 5/10 prevented that day's backup from occurring. With the default 17% TapeExpiryTolerance window, the next dataset's expiry date does not fall between the lower and upper bounds. DPM would therefore pick a new tape for the next backup set, yet the original tape would not be marked offsite ready, because the TapeWritePeriodRatio has not been crossed and no recovery point has expired. This is an example of why a tape may not be used for any additional backups with no visual indication, which makes you question why DPM is using more tapes than necessary.


Now, changing nothing more than the TapeExpiryTolerance from 17% to 60%, notice how that time window has expanded and allows the next data set on 5/11 to be written on that tape.
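The two checks described above as an added PowerShell example (not from the original post or the linked spreadsheet). The dates and retention are constructed and differ from the screenshots: daily backups with 14-day retention, datasets written 5/7 to 5/9, two missed days, and the next backup on 5/12, evaluated at the default 17% and at 60%.

```powershell
# Added example, not from the original post or the linked spreadsheet. Implements the two
# checks described above with the post's symbols, on a constructed scenario.
function Get-OffsiteReadyDate {
    # Write-period check: first backup time + TapeWritePeriodRatio * retention range (days).
    param([datetime]$FirstBackup, [int]$RetentionDays, [double]$TapeWritePeriodRatio)
    $FirstBackup.AddDays($TapeWritePeriodRatio * $RetentionDays)
}

function Test-TapeExpiryWindow {
    # Expiry-tolerance check: the candidate's expiry must fall within
    #   FurthExpDate -/+ TapeExpiryTolerance * (FurthExpDate - today), bounds inclusive.
    param(
        [datetime[]]$ExpiryDatesOnTape,   # expiry of every dataset already on the tape
        [datetime]$CandidateExpiry,       # expiry of the dataset about to be written
        [datetime]$Today,
        [double]$TapeExpiryTolerance      # 0.17 is the default (ExpiryToleranceRange absent)
    )
    $furthExpDate = @($ExpiryDatesOnTape | Sort-Object)[-1]
    $daysLeft     = ($furthExpDate - $Today).TotalDays
    $lower        = $furthExpDate.AddDays(-$TapeExpiryTolerance * $daysLeft)
    $upper        = $furthExpDate.AddDays( $TapeExpiryTolerance * $daysLeft)
    New-Object PSObject -Property @{
        FurthExpDate    = $furthExpDate
        LowerBound      = $lower
        UpperBound      = $upper
        CandidateExpiry = $CandidateExpiry
        CanCoLocate     = ($CandidateExpiry -ge $lower -and $CandidateExpiry -le $upper)
    }
}

# Constructed scenario: daily backups, 14-day retention, TapeWritePeriodRatio 0.5.
# Datasets were written on 5/7, 5/8 and 5/9; backups failed on 5/10 and 5/11;
# the next backup runs on 5/12.
$retention = 14
$written   = [datetime]'2012-05-07', [datetime]'2012-05-08', [datetime]'2012-05-09'
$today     = [datetime]'2012-05-12'
$expiries  = @($written | ForEach-Object { $_.AddDays($retention) })   # 5/21, 5/22, 5/23
$candidate = $today.AddDays($retention)                                # 5/26

$offsiteReady = Get-OffsiteReadyDate -FirstBackup $written[0] -RetentionDays $retention -TapeWritePeriodRatio 0.5
'TapeWritePeriodRatio 0.5: tape becomes offsite ready on {0:d}; today is {1:d}, so the write period is not crossed' -f $offsiteReady, $today

# At 17% the window ends on 5/24, so the 5/12 dataset (expiring 5/26) goes to a new tape while
# this tape is neither full nor offsite ready. At 60% the window reaches 5/29 and it fits.
foreach ($tol in 0.17, 0.60) {
    $r = Test-TapeExpiryWindow -ExpiryDatesOnTape $expiries -CandidateExpiry $candidate -Today $today -TapeExpiryTolerance $tol
    $msg = 'TapeExpiryTolerance {0:P0}: window {1:d} .. {2:d}, candidate expires {3:d} -> co-locate = {4}'
    $msg -f $tol, $r.LowerBound, $r.UpperBound, $r.CandidateExpiry, $r.CanCoLocate
}
```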


I have shared this Excel spreadsheet to help you calculate offsite ready at the following site: http://cid-885774776d4f197a.office.live.com/self.aspx/Public/tape-offsite-ready-calculator.zip

In conclusion, I hope this explains what you may have experienced and helps you configure your DPM server so it can fully utilize your tapes during future backups.

Mike Jacquet | Senior Support Escalation Engineer


Data Protection Manager Support for End User Recovery on Mountpoint Shares


Hello, Mike Jacquet here, and today I would like to discuss a fix included in the released version of System Center 2012 Data Protection Manager (DPM) that enables End User Recovery (EUR) to work properly for file shares on the root of mountpoints.

In previous versions of DPM, if you protected a volume or share on a file server and the share was on the root of a mounted volume, clients looking for previous versions of files and folders located in the root of the target volume would not see any.

To illustrate this, Figure-1 below shows a clustered protected file server called MJLC-ClusterFS with two volumes. The H: drive labeled HOSTVOL is the host volume for an NTFS mountpoint. The folder H:\MountVol is the mountpoint for another volume labeled TARGET. The H:\MountVol folder is shared as MountVol, and clients access data located on the TARGET volume via the network share path \\MJLC-ClusterFS\Mountvol.

MJLC-ClusterFS
    H:\MountVol --> TARGET
        User Files...
        User Folders

Figure-1

In Figure-2 below, a Windows client has the network drive X: mapped to the \\mjlc-clusterfs\Mountvol share. When the user attempts to view Previous Versions of the file targetfile.txt.txt located in the root of the mountpoint (TARGET), no previous versions are enumerated and the message "There are no previous versions available" is shown instead.

Figure-2

The root cause of this problem is the way DPM creates the shares on the DPM server when end user recovery is enabled. To overcome a possible path limitation, DPM creates all shares using a \\?\ prefix. Unfortunately, that prefix prevents VSS shadow copies from being enumerated under mounted volumes.

Figure-3 details the shares on the DPM server. Looking specifically at the ones created by DPM for end user recovery, you will see that their folder paths are prefixed with \\?\. I have highlighted the problematic MountVol share. If you were to manually re-create the share without the \\?\ prefix, DPM would overwrite it when the next synchronization job ran, putting the \\?\ prefix back on the folder path and reintroducing the problem.

Figure-3

SOLUTION

System Center 2012 Data Protection Manager supports a new registry key that you can add to prevent DPM from adding the \\?\ prefix when the end user recovery shares are created.

To allow previous versions to be listed for files located under shared mountpoints perform the following steps:

NOTE: Only shares that are created (or re-created) after the registry key is added will no longer be prefixed.

1) On the DPM 2012 RTM server, create a new registry KEY called DiscardUNCPrefix under the following location:

HKLM\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Configuration

Figure-4

2) On the DPM server, open Computer Management. Under System Tools > Shared Folders > Shares, locate the share representing the mountpoint and choose "Stop Sharing" to delete it.

Figure-5

3) In the DPM Console, locate the protected volume or share that represents the mountpoint and create a new recovery point. You can choose either the "Only synchronize" or the "Create a recovery point after synchronizing" option, but a synchronization job must run and complete successfully before the share is re-created on the DPM server.

Figure-6

4) After the new recovery point job completes, verify the share got re-created in Computer Management and no longer has the folder path that starts with the \\?\ prefix.


Figure-7

5) Test end user recovery on the client – it should now list previous versions for the files located under the shared mountpoint.


Figure-8

Now that the prefix has been removed from the MountVol share on the DPM 2012 server, Figure-8 confirms that previous versions are working.

As of this writing, it is unclear if this fix will be back-ported for DPM 2010, however if it is I will update this post.

Mike Jacquet | Senior Support Escalation Engineer


How to install the DPM agent on a Windows Server 2008 R2 Core computer


Hello, Mike Jacquet here, and today I would like to discuss some additional configuration steps that need to be performed on Windows Server 2008 R2 Core servers when installing the Data Protection Manager (DPM) agent.

When pushing the DPM agent from the DPM console to a Windows Server 2008 R2 Core server it may fail. A manual install of the agent may succeed but the DPM server cannot communicate with the agent on the core server. This is because activation and launch permissions for the DCOM application are not configured properly on Windows 2008 R2 Core servers.

The following error may be logged in the DPM console:

Data Protection Manager Error ID: 270
The agent operation failed on <protected server FQDN> because DPM could not communicate with the DPM protection agent. The computer may be protected by another DPM server, or the protection agent may have been uninstalled on the protected computer.

The following error event may be logged on the Windows Server 2008 Core server:

Log Name: System
Source: Microsoft-Windows-DistributedCOM
Date:
Event ID: 10016
Task Category: None
Level: Error
Keywords: Classic
User: 
Computer: 
Description:
The machine-default permission settings do not grant Remote Activation permission for the COM Server application with CLSID
{DA6AA17A-D61C-4E9C-8CEA-DB25DEA52A95}
and APPID
{2DF31D97-33CC-4966-8FF9-F47C90F7D0F3}
to the user FOURTHCOFFEE\SLIGHT-DPM01$ SID (S-1-5-21-xxxxxxxxxx-xxxxxxxx-xxxxxxxxxx-xxxx) from address 192.168.1.21. This security permission can be modified using the Component Services administrative tool. 

There are a few steps to do before configuring the Windows Server 2008 Core DCOM application settings.

1. Configure group memberships. There are three groups we need to check; the DPM server *must* be a member of each of the following groups:

  • Distributed COM Users
  • DPMRADCOMTrustedMachines
  • DPMRADmTrustedMachines

2. Do a manual install of the agent on the core server. Follow the DPM 2010 steps from TechNet with the following changes:

a. Do use the most recent version of the RA from the DPM server:

DPM 2007 +QFE: go to \Program Files\Microsoft DPM\DPM\Agents\RA\2.0.xxxx.0\AMD or i386.
DPM 2010 +QFE: go to \Program Files\Microsoft DPM\DPM\agents\RA\3.0.xxxx.0\AMD or i386.
DPM 2012 RTM: go to \Program Files\Microsoft System Center 2012\DPM\DPM\ProtectionAgents\RA...

b. Do not worry about passing the DPM server name in during the install.

c. Do not reboot at the finish of the install if prompted.

3. Run setdpmserver.exe on the protected core server using the following command:

setdpmserver -dpmservername <DPM server NetBIOS name>

NOTE The executable is located in C:\Program Files\Microsoft Data Protection Manager\DPM\bin\

If you get errors running the above command, ignore them for now.

4. Reboot the Windows 2008 R2 core server.

5. Run Attach-ProductionServer on the DPM server. In the DPM Management Shell, run Attach-ProductionServer.ps1 as follows:

Attach-ProductionServer.ps1 <DPM server name> <production server name> <user name> <password> <domain>

Once the above steps are completed you may receive the errors shown at the top of this post.

To configure the DCOM permissions you can build DCOMPERM from the SDK sample, or you can download the executable from here.

Typically, DCOMCNFG run from a remote server against the Windows Server Core server was the method used to manage the Core server's DCOM settings; however, in Windows Server 2008 R2, DCOMCNFG.exe is not able to connect remotely to manage these.

Once you have obtained DCOMPERM.exe the following steps are used to find the application ID for the DPM RA service, view the existing permissions, and edit the settings as needed.

List the DCOM application ID for the DPM RA service:
wmic dcomapp |findstr /i dpm
            {2DF31D97-33CC-4966-8FF9-F47C90F7D0F3}  DPM RA Service  DPM RA Service  DPM RA Service

View application access permissions:
dcomperm -aa {2DF31D97-33CC-4966-8FF9-F47C90F7D0F3} list
            Access permission list for AppID {2DF31D97-33CC-4966-8FF9-F47C90F7D0F3}:
            <Using Default Permissions>

View application launch permissions:
dcomperm -al {2DF31D97-33CC-4966-8FF9-F47C90F7D0F3} list
            Launch permission list for AppID {2DF31D97-33CC-4966-8FF9-F47C90F7D0F3}:
            <Using Default Permissions>

Set application launch permissions for DPMRA app:
dcomperm -al {2DF31D97-33CC-4966-8FF9-F47C90F7D0F3} set fourthcoffee\slight-dpm01$ permit level:ll,rl,la,ra

            Successfully set the Application Launch ACL.
            Remote and Local launch permitted to NT AUTHORITY\SYSTEM.
            Remote and Local activation permitted to NT AUTHORITY\SYSTEM.
            Remote and Local launch permitted to BUILTIN\Administrators.
            Remote and Local activation permitted to BUILTIN\Administrators.
            Remote and Local launch permitted to NT AUTHORITY\INTERACTIVE.
            Remote and Local activation permitted to NT AUTHORITY\INTERACTIVE.
            Remote and Local launch permitted to FOURTHCOFFEE\SLIGHT-DPM01$.
            Remote and Local activation permitted to FOURTHCOFFEE\SLIGHT-DPM01$.

Now see if agent communication is working correctly. If not, perform these additional steps:

  • Copy the C:\Program Files\Microsoft DPM\DPM\Setup\SetAgentCfg.exe utility on the DPM Server to the Protected server.
  • Run the following command:

SetAgentCfg.exe a DPMRA <DPMservername> DPMRADCOMTrustedMachines DPMRADmTrustedMachines
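As an added example (not from the original post), a PowerShell check to run on the core server before editing any DCOM ACLs: it confirms that the DPM server's computer account is in the three groups listed above and resolves the DPM RA Service AppID by name instead of copying it out of event 10016. It assumes PowerShell is installed on the Core server; FOURTHCOFFEE and SLIGHT-DPM01 are the post's example names and should be replaced with your own.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the Windows
# Server 2008 R2 Core protected server (PowerShell is an optional feature there).
# Checks the group memberships listed above before any DCOM ACL is edited, and resolves the
# DPM RA Service AppID by name rather than copying it out of event 10016.
# FOURTHCOFFEE\SLIGHT-DPM01 are the post's example names; substitute your own.
param([string]$Domain = 'FOURTHCOFFEE', [string]$DpmServerNetbios = 'SLIGHT-DPM01')

$account = "$Domain\$DpmServerNetbios`$"    # computer accounts end with $
$groups  = 'Distributed COM Users', 'DPMRADCOMTrustedMachines', 'DPMRADmTrustedMachines'

function Get-LocalGroupMemberNames {
    # ADSI (WinNT provider) works on 2008 R2 Core, where Get-LocalGroupMember does not exist.
    param([string]$GroupName)
    $group = [ADSI]"WinNT://./$GroupName,group"
    foreach ($m in @($group.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath looks like WinNT://FOURTHCOFFEE/SLIGHT-DPM01$ ; normalise to DOMAIN\NAME
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

$allPresent = $true
foreach ($g in $groups) {
    try {
        $present = @(Get-LocalGroupMemberNames -GroupName $g) -contains $account
    } catch {
        # Group does not exist: the DPMRA* groups are only created by the agent install.
        $present = $false
    }
    if ($present) { $status = 'OK' } else { $status = "MISSING $account"; $allPresent = $false }
    '{0,-28} {1}' -f $g, $status
}

# The AppID that dcomperm -al / -aa need, as shown by 'wmic dcomapp' above.
Get-WmiObject Win32_DCOMApplication | Where-Object { $_.Name -like 'DPM RA*' } | Select-Object Name, AppID

if (-not $allPresent) {
    Write-Warning "Add $account to the missing group(s) before running dcomperm."
}
```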

Mike Jacquet | Senior Support Escalation Engineer


New “How to Participate in the System Center Community” Wiki Page


I’ve put together a new TechNet Wiki page that is a “one stop shopping” index of the following things:

  • Forums
  • Galleries
  • Libraries (aka "docs")
  • Survival Guides
  • Wikis
  • Engineering Team Blogs
  • Microsoft Employee Blogs
  • Community Blogs
  • MVP Blogs
  • Twitter Handles (MVP, Engineering Team, MS employees)
  • What Twitter hashtags to use

Check it out!

http://social.technet.microsoft.com/wiki/contents/articles/11504.how-to-participate-in-the-system-center-community.aspx

Feel free to add your Twitter handle, blog, etc. to the list.  That’s what a Wiki is all about!

New Style


Whoa!  What’s with the new style?!  The System Center engineering team blogs are now part of the Server & Tools blog network which is a select few top tier blogs from the Server and Tools division.  This network is part of a larger network that represent the best blogs on some of the most important topics across both the TechNet and MSDN blogs. 

Random factoid: Did you know that taken together, the System Center Engineering Team blogs are #5 on all of TechNet by page views only trailing such venerable blogs as the Exchange blog and the Hey Scripting Guys blog.

We are excited to be a part of this blog network.  This will provide some design consistency across our blogs in the network and make it easier to discover and navigate to other great blogs in the Server & Tools network.

You can find all our System Center blogs under the System Center category:


Note: the System Center Configuration Manager engineering team blog is also going to be included soon.

I also need to go back through and put all of our sidebar and social media content back.  I’ll do that sometime next week.

The design is probably going to evolve a bit so if you have some feedback please let us know!

Hint:  This is the root page for the blog network.  You can see all the categories and drill into them from here:

http://blogs.technet.com/b/serverandtools/


Announcing Availability of System Center 2012 SP1 Community Technology Preview 2 (CTP2)


As I write this post flying back from TechEd, North America (check out Day 1 keynote), it never ceases to amaze me how technology has really changed our lives!!! Speaking of which, what an honor that all of you voted System Center 2012 as best Microsoft Product at TechEd. Thank you for your support! We here have worked incredibly hard over the past few years to develop System Center to meet your needs and having this award means a lot to us. Below is a picture of the award; not the best picture I admit. It’s going to find a home in building 44 at the Microsoft Campus.


And now for what we all have been waiting for... YES, it is here!! We are super excited to announce the availability of CTP2 of System Center 2012 SP1. With the recent release of Windows Server 2012, Release Candidate, this release of System Center is targeted at supporting that. While at TechEd, the buzz about Windows Server 2012 was evident and we are thrilled to be able to release CTP2 which supports this incredible release of Windows Server. Given the plethora of capabilities in Windows Server 2012, this release of System Center has significant investments to provide you a management solution based on a rich platform.

While at TechEd, we had a session which talks about what’s coming in System Center 2012 SP1. Given the breadth of capabilities in SP1, I was able to cover only a few key things, but it’s a good place to start your journey with CTP2.  The recording was not up as I write this, but should be available by early next week. In addition there were deeper dive sessions on each of the System Center components which you should check out at the TechEd site.

This release contains updates to all the System Center components. See below for more information and stay tuned for additional posts describing the component updates.

Upgrade: CTP1 cannot be upgraded to CTP2 and CTP2 will not be upgradable to Beta.

Production Use: This release is not intended for production deployments.  It’s targeted at giving you an early preview of some of what’s coming in this SP1 release. 

Scenarios: We specifically focused on a key set of scenarios documented here for this release.

FEEDBACK, FEEDBACK, FEEDBACK – Please give us your feedback on use of Windows Server 2012, Release Candidate and CTP2 of System Center 2012 SP1 by visiting http://connect.Microsoft.com/SC

What’s New

All components now support Windows Server 2012 RC and SQL Server 2012.

App Controller

· Ability to migrate a VM from VMM to Azure

· Support for using Service Provider Foundation to create and operate VMs in VMM

· Azure IaaS enhancements: Ability to deploy VMs from an image or disk, start and stop VMs, and add VMs to a service

Configuration Manager

· Support for Windows 8, including deploying Windows 8 applications and the ability to detect 3G and 4G network connections to prevent delivering software at a time when data charges may apply.

· Additional operating system support to extend manageability to Mac OS X and Unix/Linux servers.

Data Protection Manager

· Improved backup performance of Windows Server 2012 Hyper-V over CSV 2.0 deployments

· Protect Hyper-V over remote SMB share

· Protect Windows 8 de-duplicated volumes

· VM Live Migration: Uninterrupted data protection

Operations Manager

APM enhancements, including:

· Support for IIS8

· Monitoring of WCF, MVC and .NET NT services

· Azure SDK support

Orchestrator & Service Provider Foundation

· Supports existing System Center and 3rd-Party Integration Packs

· Service Provider Foundation, which provides a rich set of web services that manage VMM:

o Create, change, and operate VMs

o Manage VMM Self-service User Roles

o Manage multiple VMM stamps and aggregate results from multiple stamps

o Integration with App Controller to use hosted capacity

Service Manager

· Ability to apply price sheets to VMM Clouds

· Create VM chargeback reports

· Ability to pivot by Cost Center, VMM Clouds, and Price sheets

Server App-V

· Support for applications that create scheduled tasks during the packaging process

· Ability to create virtual application packages from applications installed natively on a remote server

Virtual Machine Manager

· Improved support for network virtualization

· Ability to convert VHD to VHDX and to use VHDX as a base operating system image

· Support for the Windows Standards-Based Storage Management Service, thin provisioning of logical units, and discovery of SAS storage

· You can now create Add-Ins that extend the VMM console.

There is a lot that still has to come after CTP2!!  Enjoy!!!

Vijay Tewari

Group Program Manager, System Center

 

Download the CTP2 release here:

Installation packages for all components: http://go.microsoft.com/fwlink/?LinkId=254659

Documentation for all components: http://go.microsoft.com/fwlink/?LinkId=254803

Announcing the Availability of System Center 2012 CTP2 – Data Protection Manager


As Vijay announced, the System Center 2012 SP1 CTP2 is now available for download! We’d like to provide some additional information about what’s shipping in CTP2 for the DPM component:

Efficient data protection of VMs deployed on Hyper-V over CSV:

Windows Server 2012 CSV 2.0 enhances CSV capabilities in ways that make backup more efficient.  DPM has enabled the Express Full backup feature for Hyper-V on CSV.  This removes the big pain point of customers going through CC mode for all backups.  DPM protection performance has improved by 90% compared to CSV 1.0 deployments on Windows Server 2008 R2.  Performance is further improved by allowing parallel backups that take owner/non-owner node dependencies into account.  All of these features are possible without customers deploying expensive hardware providers.

Efficient data protection of VMs deployed on Hyper-V over SMB:

Windows Server 2012 Hyper-V can now store its data not only on local storage or CSV but also on a remote SMB file share.  Using this, customers can benefit from live migration of VMs from one standalone host or cluster to another without storage migration on the Windows Server 2012 platform.  Customers also benefit from storage consolidation and cheaper cluster solutions.  DPM will now be able to protect VMs deployed in this configuration.  DPM continues to back up the VM efficiently even after live migration when the source and target Hyper-V hosts use the same remote SMB file share, which can be deployed on a standalone file server or on a scale-out SMB cluster.  DPM can protect seamlessly in both scenarios.

VM Live Migration – Uninterrupted & Efficient VM backup:

Windows Server 2012 allows customers to do live migration inter-cluster, intra-cluster, cluster to standalone, and standalone to cluster, with or without storage migration.  DPM, tightly integrated with VMM, is now able to detect and continue backup even if the VM is live migrated.  DPM now has the intelligence to detect that a VM has moved to another machine and is able to protect it from there.  This technology combined with Hyper-V over a remote SMB share can help customers continue to have efficient backups even when the VM live migration happens across hosts that share remote SMB.  Another great feature that provides flexibility and power to customers.

Efficient Dedupe protection:

Windows Server 2012 has introduced Dedupe functionality that will help customers reduce their storage consumption.  This is great for customers who have huge file servers that are mainly archival and do not have much churn.  Thanks to DPM’s new support, DPM is now able to protect Windows Server 2012 deduplicated file systems efficiently.  DPM is not only intelligent enough to detect that the file system is Dedupe enabled but also transfers the data on the wire efficiently and stores it efficiently.  All of this is achieved without rerunning the Dedupe logic on the DPM server side.

Reminders:

· CTP1 cannot be upgraded to CTP2 and CTP2 will not be upgradable to Beta.

· CTP2 is not supported for production use.

· Procedures not covered in the documentation might not work.

Download:

The entire installation of System Center 2012 Service Pack 1 CTP2: http://go.microsoft.com/fwlink/?LinkId=254659

Documentation for all the components: http://go.microsoft.com/fwlink/?LinkId=254803

-Neela Syam Kolli

System Center 2012 Self-Study Guide ( Data Protection Manager and Endpoint Protection)


Microsoft’s very own Scott Rachui put together another great self-study guide for System Center 2012, this time focusing exclusively on Data Protection Manager and Endpoint Protection. If you want a head start in mastering these technologies then this is a great place to start.

=====

In part 4 of this series, I turn to Data Protection Manager and I revisit Endpoint Protection. For those of you who might have seen one of my earlier study guides, you will see that I have already put out a study guide for Forefront Endpoint Protection. In this post, I will focus exclusively on Endpoint Protection as it relates to System Center 2012.

As I did in Part 2 of this series, I want to start with a brief explanation of these two components of System Center 2012. I do this with the lesser-known components of the System Center suite for those who may not know what these tools do. Hopefully these brief explanations are helpful in setting the stage.

Data Protection Manager -"enables disk-based and tape-based data protection and recovery for servers such as SQL Server, Exchange Server, SharePoint, virtual servers, file servers, and support for Windows desktops and laptops. DPM can also centrally manage system state and Bare Metal Recovery (BMR)."

Endpoint Protection - "Microsoft System Center 2012 Endpoint Protection (previously known as Forefront Endpoint Protection 2010) allows you to consolidate desktop security and management in a single solution. "

You can continue reading Scott’s article here.

J.C. Hornbeck | System Center & Security Knowledge Engineer


DPM Certificate Troubleshooting–Part 1: General Troubleshooting


The spirit of this document is to provide you with a quick guide to troubleshooting System Center 2012 Data Protection Manager (DPM) certificate authentication issues. This document assumes that you are already familiar with DPM 2012 and have a healthy certificate infrastructure. This document also assumes that you have set up certificates in accordance with the following blog post:

How to use certificates to authenticate computers in workgroups or untrusted domains with Data Protection Manager:
http://blogs.technet.com/b/dpm/archive/2012/04/23/how-to-use-certificates-to-authenticate-computers-in-workgroups-or-untrusted-domains-with-data-protection-manager.aspx

We will cover briefly at a high level some of the common caveats that you will come across when using certificates with DPM protection and how to assess what may be the root cause. I have included screenshots of some of the DPM GUI errors, event log errors and some log snippets. Admittedly the log reading is not very intuitive so I just highlighted the relevant portions.

Services

1. Make sure the DPMRA service can be started.

2. Make sure the DPM CPWrapper Service can be started. I can’t stress this enough. Upon my testing I performed various actions to simulate a failure.

a.) Removed the DPM cert
b.) Removed the client cert
c.) Removed the DPM reg key on the DPM server
d.) Removed the Member Server reg key on the DPM server
e.) Removed the DPM reg key on the Member server
f.) Removed the Member Server reg key on the Member Server.

After each failure I would either place the cert or regkey back and almost each time I would have to restart the DPM CPWrapper Service. In light of this you should make it a very common practice to restart the DPM CPWrapper Service during your troubleshooting.

3. Make sure the Cryptographic Services are started


Ports

1.) Remember that DPM certificate-based protection relies on TCP port 6076. You may have to adjust any intermediate firewall settings to allow this port to be opened for certificate-based protection. You can use the netstat command on both ends to verify that port 6076 is listening.

Type in: netstat -ano
or
netstat -ano | findstr 6076

-a = Displays all connections and listening ports.

-n = Displays addresses and port numbers in numerical form.

-o = Displays the owning process ID associated with each connection.

| findstr 6076 shows only the lines for that port.

Running netstat -ano | findstr 6076, we see that port 6076 is listening.

You could also use TCPView found at http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx for a GUI interface to show what services are listening to which ports.


The use of certificates for authentication DOES NOT remove the need for the other ports used for domain communication such as name resolution, Kerberos and LDAP. These ports are still needed for proper DNS or NetBIOS name resolution and AD authentication.

http://technet.microsoft.com/en-us/library/ff399341.aspx

Firewall

If the firewall is turned off on the target server when you run the setdpmserver command, the command will NOT create the necessary firewall rule for TCP port 6076. If you leave the firewall turned off, then there will be no issue. If at a later date you turn the firewall back on, your communication will fail because this rule was NOT created. To correct this you can do one of three things:

a.) Leave the integrated firewall off
b.) Manually create the rule yourself
c.) Re-run the setdpmserver command.

Verify that the rule has been created. The firewall rule created by setdpmserver specifies a local port of 6076 and a remote port of “all ports”.

Note: If testing with the DPM 2012 beta and the firewall is turned off on the client, you will get an error and you will have to have the firewall turned on. This has been fixed in RTM for DPM 2012.

Certificate

By default, with web enrollment the certificate is saved in the Current User store but needs to be exported with the private key and imported into the Local Computer store. Again, this is if you are using web enrollment. If certs are configured for “enroll” then they can be specified to be placed in the local computer store.

The thumbprint in the command syntax (AttachProductionServerWithCertificate and the Set-DPMCredentials commands) needs to NOT have spaces when specifying it in the commands.

An example would be as follows.
Here is the DPM server cert; notice the spaces in the thumbprint as the certificate dialog displays it.

When we use the certificate thumbprint to generate the bin file we need to remove the spaces. Notice the Set-DPMCredentials command syntax used in this case:

Set-DPMCredentials -DPMServerName DPM2012.contoso.com -Type Certificate -Action Configure -OutputFilePath C:\Temp -Thumbprint 493f27f35b2105804afbd49bb5a59bf2e380e00

This is the thumbprint for the DPM server certificate without the spaces.

The certificate must meet the following requirements:

X.509 V3 certificate.
Enhanced Key Usage should have Client Authentication and Server Authentication.
Key length should be at least 1024 bits.
Key type should be Exchange.
The certificate can NOT be self-signed.
The subject name of the certificate and of the root certificate should not be empty.
Certificates must not use Cryptography API: Next Generation (CNG) keys. DPM doesn’t support certificates with CNG keys.
The revocation servers of the associated Certificate Authorities are online and accessible by both the protected server and the DPM server.
The certificate has an associated private key.

You can use the following command to verify the certificate parameters of the certs in use on a server:
certutil -store -v my

C:\>certutil -store -v my

================ Certificate 1 ================
X509 Certificate:                        <<<<< Denotes X.509 >>>>>
Version: 3                               <<<<< Denotes V3 >>>>>
Serial Number: 5da52bdc000226d4c235
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
    Algorithm Parameters:
    05 00
Issuer:
    CN=Corp NAP CA 1

 NotBefore: 9/14/2011 7:31 AM
 NotAfter: 9/17/2011 7:31 AM

..........

Public Key Length: 2048 bits             <<<<< Denotes length >>>>>
Public Key: UnusedBits = 0
    0000  30 82 01 0a 02 82 01 01  00 97 3c 11 94 27 58 47
    0010  4a 51 55 60 a5 b6 32 8a  4e 4b 59 1d 56 1f ac 53

..........

    Application Policies
        [1]Application Certificate Policy:
             Policy Identifier=Server Authentication   <<<<< Denotes server >>>>>
        [2]Application Certificate Policy:
             Policy Identifier=Client Authentication   <<<<< Denotes client >>>>>

..........

  CERT_KEY_PROV_INFO_PROP_ID(2):
    Key Container = {57CE5453-2951-4AE2-A036-E685FC52AB83}
  Unique container name: bed058e40c5ed733d5da8a6655583c3d_d5520479-582f-4563-8c84-e153a68e8fe2
    Provider = Microsoft Enhanced Cryptographic Provider v1.0   <<<<< Denotes provider - must be a cryptographic provider and NOT a Key Storage Provider >>>>>
    ProviderType = 1
    Flags = 60
    KeySpec = 1 -- AT_KEYEXCHANGE   <<<<< Denotes type is Exchange >>>>>

..........

Private key is NOT exportable
Encryption test passed

This output has been trimmed down and the key points are marked with <<<<< >>>>> above.
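The same checks in script form, serving both the thumbprint-without-spaces point and the requirements list above. This is an added example, not code from the original post or from DPM: the function name and the CSP-versus-CNG detection heuristic are my own, and the thumbprint in the usage line is a placeholder.

```powershell
# Added example, not from the original post. Checks one certificate in
# LocalMachine\My against the DPM requirements listed above and returns the
# thumbprint without spaces, the form Set-DPMCredentials / SetDPMServer expect.
# The function name and the CSP-vs-CNG detection heuristic are my own.
function Test-DpmCertificate {
    param(
        # Thumbprint as copied from the certificate dialog; spaces are tolerated.
        [Parameter(Mandatory = $true)][string]$Thumbprint
    )
    $thumb = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $problems = @()

    # The DPM commands look in the machine store, not in the Current User
    # store that web enrollment writes to.
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
    if (-not $cert) {
        return [pscustomobject]@{ Thumbprint = $thumb; Valid = $false;
            Problems = @('Not found in LocalMachine\My (the store the Set-DPMCredentials error 33231 refers to)') }
    }

    # 1) X.509 V3
    if ($cert.Version -ne 3) { $problems += "Version is $($cert.Version); V3 required" }

    # 2) Enhanced Key Usage, when present, must list both Server Authentication
    #    (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2).
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    if ($eku) {
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        foreach ($need in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {
            if ($oids -notcontains $need) { $problems += "Enhanced Key Usage lacks $need" }
        }
    }

    # 3) Public key length >= 1024 bits
    $bits = $cert.PublicKey.Key.KeySize
    if ($bits -lt 1024) { $problems += "Public key is $bits bits; at least 1024 required" }

    # 4) Not self-signed, and the subject is not empty
    if ($cert.Subject -eq $cert.Issuer) { $problems += 'Certificate is self-signed' }
    if ([string]::IsNullOrWhiteSpace($cert.Subject)) { $problems += 'Subject name is empty' }

    # 5) Private key present, held by a legacy CSP (not a CNG Key Storage
    #    Provider) and of the exchange type (KeySpec = AT_KEYEXCHANGE).
    if (-not $cert.HasPrivateKey) {
        $problems += 'No associated private key (import the PFX, not only the .cer)'
    } else {
        try {
            # On .NET Framework this property throws for CNG-held keys; newer
            # runtimes may return $null instead. Either way it is not a CSP key.
            $csp = $cert.PrivateKey
            if ($null -eq $csp -or -not $csp.CspKeyContainerInfo) {
                $problems += 'Private key is not held by a legacy CSP (likely a CNG key)'
            } elseif ($csp.CspKeyContainerInfo.KeyNumber -ne [System.Security.Cryptography.KeyNumber]::Exchange) {
                $problems += "Key type is $($csp.CspKeyContainerInfo.KeyNumber); Exchange required"
            }
        } catch {
            $problems += 'Private key is held by a CNG Key Storage Provider; DPM does not support CNG keys'
        }
    }

    # 6) Chain must build with online revocation checking (this also catches
    #    expiry and an untrusted root), and the root CA must have a subject.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if ($chain.Build($cert)) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if ([string]::IsNullOrWhiteSpace($root.Subject)) { $problems += 'Root CA subject name is empty' }
    } else {
        foreach ($s in $chain.ChainStatus) {
            $problems += "Chain: $($s.Status) - $($s.StatusInformation.Trim())"
        }
    }

    [pscustomobject]@{
        Thumbprint = $thumb                 # paste this form into -Thumbprint
        Valid      = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Usage: the thumbprint below is a placeholder; replace it with your own.
Test-DpmCertificate -Thumbprint '<thumbprint copied from the certificate, spaces allowed>' | Format-List
```

Any entry in Problems maps to one of the numbered requirements in the error 33234 text below, so an empty list is what you want to see before running Set-DPMCredentials or SetDPMServer.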

If the certificate is invalid then when you run the command you may see an error like this.

Example Error
***********

C:\Program Files\Microsoft Data Protection Manager\DPM\bin>SetDPMServer -dpmCredential CertificateConfiguration_DPM2012.contoso.com.bin -Outputfilepath c:\temp -Thumbprint 4301114a1d05b44bc834f34f04f4cb4333433bac

Error(Id= 33234), Details : The certificate provided with thumbprint 4301114a1d05b44bc834f34f04f4cb4333433bac on the personal machine store of machine MemberServerTest does not correspond to the requirements of DPM. The following requirements are not met for the certificate.

The certificate is not trusted on the local machine.

Please make sure certificate fulfills the following requirements:

1) The certificate is trusted on the local machine and has not expired.
2) The revocation servers of the associated Certificate Authorities are online.
3) The certificate has an associated private key with a valid exchange algorithm.
4) The certificate's public key length is greater than or equal to 1024 bits.
5) The certificate should have both Server and Client Authentication if EnhancedKey Usage is enabled.
6) The subject of the certificate and its root CA should not be empty.
7) DPM does not support certificates with Cryptography API Next Generation (CNG)keys.

For more details see help.
SetDpmServer failed with errorcode =0x809909b4, error says: (null)

Note the 33234 error, which equates to an invalid cert. Most likely the cert used does NOT meet our requirements. Again, you can use the command certutil -store -v my to verify the certs in use.

Troubleshooting the Attach-ProductionServerWithCertificate and the SetDPMServer commands

Attach-ProductionServerWithCertificate

1.) On the DPM server, if the attach attempt produces an error, you will need to place the client bin file in the DPM server’s system32 directory OR specify the full path of the bin file. In the failing example we specified:

DPMServerName: DPM2012
PSCredential: CertificateConfiguration_MemberServer.Contoso.com.bin <----This is not the full path so it will, by default, search the system32 directory.

If we placed the bin file in a folder named C:\Cert then we would specify:

DPMServerName: DPM2012
PSCredential: C:\Cert\CertificateConfiguration_MemberServer.Contoso.com.bin <--This is the full path to the bin file we wish to use.

2.) The Attach-ProductionServerWithCertificate command, run on the DPM server, creates a registry key for the protected computer with the certificate:

HKLM\Software\Microsoft\Microsoft Data Protection Manager\Agent\2.0\Certificates\<Protected ComputerName>

Note the Certificate name and port number.

If the Attach-ProductionServerWithCertificate fails, then the following needs to be looked at:

a.) There is a network issue between the DPM Server and Protected Computer. You can use the telnet command to verify if port 6076 is open for communication from both the ends.

b.) Certificate used for DPM server is not trusted on the Protected Computer. In Certificates MMC verify that ROOT CA Certificate is present in the Trusted Root Certification Authorities. Go to the Workstation and check the DPMRACurr.errlog files for failures.

SetDPMServer

1.) Specifying a Wrong Bin file on the Target server

In this case the SetDPMServer command was used to setup protection. We purposely used the wrong bin file for the DPM server to simulate an error.


2.) On the DPM server, when running Set-DPMCredentials the following registry key is created:

HKLM\Software\Microsoft\Microsoft Data Protection Manager\Agent\2.0\Certificates\<DPMServerName>

Note the Certificate name, port number and thumbprint specified.

The Set-DPMCredentials command also enables the DPM CPWrapper Service and configures it to use the certificate.

3.) Failures while running this are logged in the DPM Management Shell, MSDPM*.errlog and the CAPI2 event viewer log.

Sample Errors

Error in DPM Management Console:
***************************
Set-DPMCredentials : Unable to find certificate with the thumbprint 8d8bddbc15d73f3c20c3faf3faab9b69075e582c on the personal machine store of machine DPM2012.contoso.com. (ID: 33231)

Error in MSDPMCurr.errlog
************************
ConfigureCertificates.cs(400) NORMAL Getting certificate for thumbPrint : 8d8bddbc15d73f3c20c3faf3faab9b69075e582c

CertificatesHelper.cs(51) NORMAL Looking for Certificate with thumbprint: 8d8bddbc15d73f3c20c3faf3faab9b69075e582c in store: My at location: LocalMachine

CertificatesHelper.cs(88) NORMAL Could not find Certificate with thumbPrint: 8d8bddbc15d73f3c20c3faf3faab9b69075e582c in store :My at location :LocalMachine

ConfigureCertificates.cs(133) WARNING Getting certificate for thumbPrint : 8d8bddbc15d73f3c20c3faf3faab9b69075e582c failed

ConfigureCertificates.cs(256) WARNING Failed to configure the dpm credentials with exception: Microsoft.Internal.EnterpriseStorage.Dls.Utils.DlsException: Getting certificate for thumbPrint : 8d8bddbc15d73f3c20c3faf3faab9b69075e582c failed

ConfigureCertificates.cs(256) WARNING at Microsoft.Internal.EnterpriseStorage.Dls.CertificateHelper.ConfigureCertificates.GetCertificateByThumbPrint(String thumbPrint)

ConfigureCertificates.cs(256) WARNING at Microsoft.Internal.EnterpriseStorage.Dls.CertificateHelper.ConfigureCertificates.ConfigureDPMCredentials(String certificateThumbPrint, String authCAThumbprint, String outputFilePath, Boolean generateFileOnly)

Conclusion

This concludes Part 1 of DPM Certificate Based Authentication. Part 2 will entail troubleshooting missing or corrupt registry keys and their symptom and Part 3 will go over missing or invalid certificates.

Shane Brasher | Senior Support Escalation Engineer


DPM Certificate Troubleshooting–Part 2: Registry


Hello, Shane Brasher here again. This article picks up from where DPM Certificate Troubleshooting–Part 1: General Troubleshooting left off. We are going to jump right in and look at a few failed scenarios when your DPM certificate related registry keys are missing or corrupt.

When you have everything set up and working, the certs are in the right store and the proper command syntax has been used, there are specific registry entries placed on both the DPM server and the member server being protected. In this next section we will go over what errors you can expect to see when either the certificates or the registry keys are missing.

Theme: “Certs check, registry check, DPMCPWrapperService restart check. Rinse. Repeat.”
This troubleshooting theme should be strictly adhered to during your certificate based authentication troubleshooting. In the scenarios below, after I removed a reg key or cert, in order to get things back into a working state I had to repeat those steps. This is so important that it warrants repeating. When troubleshooting DPM certificate based authentication:

a.) Check the registry keys on both the DPM server and the protected server.
b.) Check the certificate in use.
c.) Restart the DPM CPWrapper service.
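One pass over the plumbing, written for this article and for the Ports and Firewall sections of Part 1; it is an added example, not code from either post or from DPM. The registry path and TCP port 6076 come from the articles; the service display-name match, the HNetCfg.FwPolicy2 COM lookup and the netstat parsing are my assumptions, and the remediation commands are only printed, never run.

```powershell
# Added example, not part of the original articles. Run elevated on the DPM
# server or on the protected server; anything reported with Ok = False is
# where to start. Nothing here changes the machine.
$CertKeyRoot = 'HKLM:\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\2.0\Certificates'
$DpmCertPort = 6076

function New-CheckResult([string]$Check, [bool]$Ok, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

function Test-DpmCertRegistryKeys {
    # Expect one subkey per peer: the server's own name plus each partner.
    # Value names are not asserted (the articles only say each key holds the
    # certificate name, port and thumbprint), so the values are dumped instead.
    if (-not (Test-Path -Path $CertKeyRoot)) {
        return New-CheckResult 'Registry' $false "$CertKeyRoot does not exist; rerun Set-DPMCredentials / SetDPMServer"
    }
    $keys = @(Get-ChildItem -Path $CertKeyRoot)
    if ($keys.Count -eq 0) { return New-CheckResult 'Registry' $false "No keys under $CertKeyRoot" }
    $dump = foreach ($k in $keys) {
        $vals = (Get-ItemProperty -Path $k.PSPath).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { "$($_.Name)=$($_.Value)" }
        "$($k.PSChildName): $($vals -join '; ')"
    }
    New-CheckResult 'Registry' $true ($dump -join [Environment]::NewLine)
}

function Test-DpmCpWrapperService {
    # Display-name match is an assumption; StartPending that never clears is
    # the symptom the article describes for a missing DPM registry key.
    $svc = Get-Service | Where-Object { $_.DisplayName -like 'DPM CPWrapper*' } | Select-Object -First 1
    if (-not $svc) { return New-CheckResult 'CPWrapper service' $false 'Service not found' }
    New-CheckResult 'CPWrapper service' ($svc.Status -eq 'Running') `
        "$($svc.Name) is $($svc.Status); after changing keys or certs run: Restart-Service '$($svc.Name)'"
}

function Test-DpmCertPortListening {
    # Same idea as "netstat -ano | findstr 6076", but only LISTENING rows on
    # exactly this port count (port ranges and other states are ignored).
    $rows = @(netstat -ano | Where-Object { $_ -match "^\s*TCP\s+\S+:$DpmCertPort\s+\S+\s+LISTENING\s+\d+\s*$" })
    if ($rows.Count -eq 0) {
        return New-CheckResult "Port $DpmCertPort" $false "Nothing is listening on TCP $DpmCertPort"
    }
    $pids = @($rows | ForEach-Object { ($_ -split '\s+')[-1] } | Sort-Object -Unique)
    New-CheckResult "Port $DpmCertPort" $true "Listening; owning PID(s): $($pids -join ', ')"
}

function Test-DpmCertFirewallRule {
    # setdpmserver does not create this rule when the firewall was off at the
    # time, so look for an enabled inbound TCP allow rule covering the port.
    # Direction 1 = in, Action 1 = allow, Protocol 6 = TCP (HNetCfg constants).
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    $hits = @($fw.Rules | Where-Object {
        $_.Enabled -and $_.Direction -eq 1 -and $_.Action -eq 1 -and $_.Protocol -eq 6 -and
        ($_.LocalPorts -eq '*' -or (($_.LocalPorts -split ',') -contains "$DpmCertPort"))
    })
    if ($hits.Count -eq 0) {
        return New-CheckResult 'Firewall' $false ("No inbound allow rule for TCP $DpmCertPort. Create one with: " +
            "netsh advfirewall firewall add rule name=""DPM certificate TCP $DpmCertPort"" dir=in action=allow protocol=TCP localport=$DpmCertPort")
    }
    New-CheckResult 'Firewall' $true ('Rule(s): ' + (($hits | ForEach-Object { $_.Name }) -join ', '))
}

$results = @(
    Test-DpmCertRegistryKeys
    Test-DpmCpWrapperService
    Test-DpmCertPortListening
    Test-DpmCertFirewallRule
)
$results | Format-Table -AutoSize -Wrap
```

Run it on both sides: the registry check should show the DPM server's own key plus one per protected computer on the DPM server, and the DPM server's key plus the protected server's own key on the protected server.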

Registry Entries

We will look at the following scenarios:

DPM Server
Missing DPM cert reg key (its own key)
Missing Member cert reg key

Member Server
Missing DPM cert reg key
Missing Member server cert reg key (its own key)

We will note the following:
Error in the DPM gui
Error in the DPM alerts event log
Error in the MSDPMCurr.errlog
Errors in the DPMRACurr.errlog
Errors in the DPM CPWrapper log

After running the SetDPMServer command on the member server and the Attach-ProductionServerWithCertificate command on the DPM server, registry entries are placed on the servers to associate the certificate with the DPM server and the protected server.

The default location is HKLM\Software\Microsoft\Microsoft Data Protection Manager\Agent\2.0\Certificates\<DPMServerName> or <ProtectedServerName>

DPM SERVER Registry Keys

DPM Server side registry keys


DPM Server Missing DPM cert reg key (its own reg key)

In this example we will look at the errors in the:
a.) DPM management tab
b.) DPM Alerts Event log
c.) MSDPMCurr.errlog

After the Set-DPMCredentials command is run, if the registry key on the DPM Server for the DPM server itself is missing or deleted for some reason then you can expect the following error in the DPM GUI:

Reg Key:
HKLM\Software\Microsoft\Microsoft Data Protection Manager\Agent\2.0\Certificates\<DPMServerName>


DPM Management Agent Status
****************************


Although this error suggests to check the CPWrapper service on the member server, which is not a bad idea, the issue in this case is with the DPM server itself. Remember this error was produced by removing the DPM certificate registry key.

Usually the 33304 indicates an issue with the DPM CPWrapper Service; in this case it is the related registry key that the service binds to. (There is a list of the common causes for this error discussed in Part 3 of this series.) If this DPM registry key is missing then you may also see the DPM CPWrapper service stuck in a “starting” state; if not, a restart of this service may fail when it attempts to bind to that missing registry key. You would also see a crash log generated in the C:\Program Files\Microsoft System Center 2012\DPM\DPM\Temp directory. The crash log name itself will be of the form DPMCPWrapperServiceCurr.errlog.2012-04-30_19-25-50

If the DPM registry key is missing then a consistency check and/or a recovery point on a protected datasource using certificate authentication will fail with the following errors.

DPM Alerts Event Log Error
*************************
You may get one if not all of the alerts listed below.

DPM Alerts Event Log: Event ID 3122 Warning

DPM Alerts Event Log: Event ID 3115 Warning

DPM Alerts Event Log: Event ID 3170 Critical

MSDPMCurr.errlog
******************

WARNING Failed: Hr: = [0x80990940] pDpmCmdProcObject->SubmitRequest failed on server MEMBERSERVER.Contoso.com, hrOriginal = 0x80990940, No further retry

WARNING CCommandProcessor::SendOutboundCommandUsingCertificate failed for Server: MEMBERSERVER.Contoso.com

4b0d-8401-d9773b85e7ab" xmlns="http://schemas.microsoft.com/2003/dls/StatusMessages.xsd">

WARNING <ErrorInfo ErrorCode="33304" DetailedCode="-2137454272" DetailedSource="2" ExceptionDetails="" xmlns="http://schemas.microsoft.com/2003/dls/GenericAgentStatus.xsd">

C2797F36-E616-4D5C-AC68-D9DA2216CE2D WARNING <Parameter Name="exceptionmessage" Value="The CPWrapper WCF Service encountered an unknown communication error" />

Solution: In this case to where the registry key is missing for the DPM Server itself on the DPM Server, the following needs to be done.

1.) Restore the key via registry backup; if no backup is available for this key and/or you do not feel comfortable with this measure then proceed to the next step.

2.) Verify that a valid certificate is in place on the DPM server. Once done, rerun the Set-DPMCredentials command to recreate that key, taking care to use the proper syntax and correct thumbprint. Please reference the resource link below. Once done make sure the DPM reg key is present.

Resource: http://blogs.technet.com/b/dpm/archive/2012/04/23/how-to-use-certificates-to-authenticate-computers-in-workgroups-or-untrusted-domains-with-data-protection-manager.aspx

DPM Server Missing the Member Server Reg key

After Attach-ProductionServerWithCertificate command is run on the DPM server, if the registry key on the DPM server for the protected server is missing or corrupted for some reason then you can expect to see the following errors listed below.

In this example we will be noting the errors in the:
a.) DPM monitoring tab
b.) DPM management tab
c.) DPM events alerts tab
d.) MSDPMCurr.errlog

Reg Key:
HKLM\Software\Microsoft\Microsoft Data Protection Manager\Agent\2.0\Certificates\<Protected ComputerName>


DPM Management Tab--Agent Status
*******************************


DPM Monitoring Tab
*******************

Agent refresh error


DPM Alerts Event Logs—Event 3122


DPM Monitoring Tab--Protected server Consistency Check failure


MSDPMCurr.errlog
================

2C1A3335-C179-4D87-A993-CBD5B8B8A7C1 WARNING Failed: Hr: = [0x80070005]

0C9C 0F78 04/30 15:17:21.846 68 RornTaskDef.cs(488) 2C1A3335-C179-4D87-A993-CBD5B8B8A7C1 NORMAL RORN TaskDef: Task 2c1a3335-c179-4d87-a993-cbd5b8b8a7c1 stopped with error code 302

0C9C 0F78 04/30 15:17:21.846 02 EventManager.cs(98) 2C1A3335-C179-4D87-A993-CBD5B8B8A7C1 NORMAL Publishing event from AgentJobs.cs(747): JobProgress, [JobID=9470259c-538c-4e3d-8dc6-aff5bcee9d3c]

0C9C 0F78 04/30 15:17:21.847 07 AgentJobs.cs(751) 2C1A3335-C179-4D87-A993-CBD5B8B8A7C1 NORMAL refresh failed with error AMAgentAccessDenied; -2147024891; WindowsHResult

0C9C 0F78 04/30 15:17:21.847 01 TaskExecutor.cs(843) 2C1A3335-C179-4D87-A993-CBD5B8B8A7C1 FATAL Task stopped (state=Failed, error=AMAgentAccessDenied; -2147024891; WindowsHResult), search "Task Diagnostic Information" for details.

Solution: In the case of the DPM server missing the proper reg key for the protected member server, the following needs to be done:

1.) Restore the key via registry backup, if no backup is available for this key and\or you do not feel comfortable with this measure then proceed to the next step.

2.) Make sure you have the proper .bin file generated by the member server. Once done, then run the Attach-ProductionServerWithCertificate.ps1 command specifying the correct .bin file. Please reference the resource link below. Once done verify the member server registry key is present.

Example: (screenshot of the Attach-ProductionServerWithCertificate.ps1 run; image not available)

Resource: http://blogs.technet.com/b/dpm/archive/2012/04/23/how-to-use-certificates-to-authenticate-computers-in-workgroups-or-untrusted-domains-with-data-protection-manager.aspx

Protected Server Side Registry Keys
Now we will focus on the protected server. We will experiment with removing the protected server's own registry key and the DPM server registry key from the protected server, and then take note of the common errors that result.

We look at the following:
a.) DPM management tab
b.) DPM events alerts tab
c.) MSDPMCurr.errlog
d.) DPMRACurr.errlog

Member Server with its own Reg Key missing

If, after running the SetDPMServer –dpmCredential command on the protected server, the registry key for the protected server itself is missing or deleted, you may see the following errors:

Reg Key:

HKLM\Software\Microsoft\Microsoft Data Protection Manager\Agent\2.0\Certificates\<protectedServerName>


DPM Management Tab-Agent Status


DPM Alert Event Log-Event ID 3122


MemberServer Event Log –Event ID 85


MemberServer DPMRACurr.errlog
=============================

schannelutils.cpp(129) 7F9E668E-2A1D-4D55-A498-D7FA318B6068 WARNING Failed: Hr: = [0x80070002] : Error trying to open RegKey [HKLM\Software\Microsoft\Microsoft Data Protection Manager\Agent\2.0\Certificates\MemberServer.Contoso.com]

0EF075F8-504F-48E4-9BAF-85418F0DBD68 WARNING Logging event for error: 33304, detailed: 0x30bf80

Note: Error 33304 has numerous causes, which are listed later on in Part 3 of this series. This is the same indication we see when the DPM server registry key is removed; in this case it is the member server missing its own registry key.

DPM MSDPMCurr.errlog
===============

034C 0FD4 04/30 15:55:09.481 07 AMUtil_expanded.cs(3590) 92CBF7B2-BA70-4ACF-B0DA-16FE40E43376 WARNING CheckTimeoutMessage: code[0x20000102], detailedCode[0x8099090e], errMgs[Internal error code: 0x8099090E]

TaskInstance.cs(798) 92CBF7B2-BA70-4ACF-B0DA-16FE40E43376 WARNING <q1:ErrorInfo ErrorCode="316" DetailedCode="-2137454322" DetailedSource="2" ExceptionDetails="" xmlns:q1="http://schemas.microsoft.com/2003/dls/GenericAgentStatus.xsd">

TaskInstance.cs(798) 92CBF7B2-BA70-4ACF-B0DA-16FE40E43376 WARNING <q1:Parameter Name="servername" Value="MEMBERSERVER.Contoso.com" />

RornTaskDef.cs(488) 92CBF7B2-BA70-4ACF-B0DA-16FE40E43376 NORMAL RORN TaskDef: Task 92cbf7b2-ba70-4acf-b0da-16fe40e43376 stopped with error code 316

92CBF7B2-BA70-4ACF-B0DA-16FE40E43376 FATAL Task stopped (state=Failed, error=AMAgentNotResponding; -2137454322; WindowsHResult),

Solution: If the member server is missing its own registry key, we will need to perform the following:

1.) Restore the key from a registry backup. If no backup is available for this key and/or you do not feel comfortable with this measure, proceed to the next step.

2.) Make sure the proper certificate is present in the computer's Personal store on the member server.

3.) Make sure you have the correct .bin file that was created on the DPM server when you ran Set-DPMCredentials there.

4.) Run the SetDPMServer command on the member server, taking care that the correct DPM .bin file is specified along with the correct thumbprint of the member server certificate. Please reference the resource listed below.

Resource: http://blogs.technet.com/b/dpm/archive/2012/04/23/how-to-use-certificates-to-authenticate-computers-in-workgroups-or-untrusted-domains-with-data-protection-manager.aspx
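The verification steps above (confirm the key is present on the DPM server after Attach-ProductionServerWithCertificate.ps1, and confirm the member server's own key, the DPM server key and the certificate in the computer's Personal store before rerunning SetDPMServer) can be scripted. The following PowerShell is an added example and not part of the original post or the DPM product; it assumes the key path shown in the DPMRACurr.errlog entry above, that the names passed in match the FQDNs used when the .bin files were generated, and that the local FQDN resolves via DNS. The value names under each key are listed but not interpreted, because the post does not document them.

```powershell
# Added example (not from the original post): report which certificate-authentication
# registry keys are missing on this machine and which symptom from the post to expect.
function Test-DpmCertificateRegistry {
    [CmdletBinding()]
    param(
        # Which side of the pairing this machine is.
        [Parameter(Mandatory)][ValidateSet('DPMServer', 'ProtectedServer')]
        [string]$Role,
        # On a DPM server: each protected computer. On a protected server: the DPM server.
        [Parameter(Mandatory)][string[]]$PeerName,
        # FQDN of this machine; only a protected server needs a key for itself (assumption:
        # the DNS host entry matches the name used for the .bin file).
        [string]$SelfName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
        # Optional: thumbprint given to SetDPMServer, checked against LocalMachine\My.
        [string]$Thumbprint
    )

    # Key path as shown in the DPMRACurr.errlog entry in the post.
    $base = 'HKLM:\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\2.0\Certificates'
    if (-not (Test-Path -LiteralPath $base)) {
        Write-Warning "Certificates key itself is absent: $base"
    }

    # Symptoms the post associates with each missing key.
    $peerSymptom = if ($Role -eq 'DPMServer') {
        'Agent refresh fails with AMAgentAccessDenied (0x80070005); DPM Alerts event 3122'
    } else {
        'CPWrapper authorization fails with error 33303 (Access is denied); event 3122'
    }

    # Build the list of subkeys this role must have. @() keeps a single peer as an array.
    $expected = @(foreach ($peer in $PeerName) {
        [pscustomobject]@{ Name = $peer; Symptom = $peerSymptom }
    })
    if ($Role -eq 'ProtectedServer') {
        $expected += [pscustomobject]@{
            Name    = $SelfName
            Symptom = 'DPMRA logs 0x80070002 opening its own key; event 85 / error 33304'
        }
    }

    foreach ($e in $expected) {
        $path    = Join-Path -Path $base -ChildPath $e.Name
        $present = Test-Path -LiteralPath $path
        $values  = if ($present) { (Get-Item -LiteralPath $path).GetValueNames() -join ',' } else { '' }
        [pscustomobject]@{
            Check     = "Registry key for $($e.Name)"
            Present   = $present
            Values    = $values          # listed only; meaning not documented in the post
            IfMissing = if ($present) { '' } else { $e.Symptom }
        }
    }

    if ($Thumbprint) {
        # Thumbprints copied from the certificate UI often contain spaces; normalise first.
        $tp   = ($Thumbprint -replace '\s', '').ToUpperInvariant()
        $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp }
        $info = if ($cert) { "HasPrivateKey=$($cert.HasPrivateKey); NotAfter=$($cert.NotAfter)" } else { '' }
        [pscustomobject]@{
            Check     = "Certificate $tp in LocalMachine\My"
            Present   = [bool]$cert
            Values    = $info
            IfMissing = if ($cert) { '' } else { 'Import the certificate before rerunning SetDPMServer' }
        }
    }
}

# Usage on the member (protected) server; the DPM name and thumbprint are placeholders:
# Test-DpmCertificateRegistry -Role ProtectedServer -PeerName 'DPM2012.Contoso.com' `
#     -Thumbprint '<member server certificate thumbprint>' | Format-Table -AutoSize
# Usage on the DPM server:
# Test-DpmCertificateRegistry -Role DPMServer -PeerName 'MEMBERSERVER.Contoso.com' | Format-Table -AutoSize
```

Run it on both sides of the pairing: a missing key on the DPM server and a missing key on the member server both surface as event 3122 in the DPM console, so the errlog details on each side are what distinguish the two cases. Reading the registry and the certificate store needs no elevation, but the repair steps that follow (SetDPMServer, Attach-ProductionServerWithCertificate.ps1) do.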

MemberServer with Missing DPM reg Key

If, after running the SetDPMServer –dpmCredential command on the protected server, the registry key for the DPM server is missing or deleted, you may see the following errors:

Reg Key:

HKLM\Software\Microsoft\Microsoft Data Protection Manager\Agent\2.0\Certificates\<DPMServerName>

DPM Management Tab- Agent Status


DPM Monitoring Tab


DPM Alerts Event Log—Event ID 3122

Log Name: DPM Alerts
Source: DPM-EM
Date: 4/28/2012 6:34:44 AM
Event ID: 3122
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: DPM2012.Contoso.com
Description: The DPM protection agent on MEMBERSERVER.Contoso.com could not be contacted. Subsequent protection activities for this computer may fail if the connection is not established. The attempted contact failed for the following reason: (ID: 3122)

The DPM CPWrapper Service authorization failed on the MEMBERSERVER.Contoso.com computer. Exception Message = Access is denied.. (ID: 33303)

Note the 33303 error, which indicates that the client was not authorized by the service.

DPM Alerts Event Log—Event ID 3170


MSDPMCurr.errlog
****************

0DF4 0634 04/30 15:30:28.570 01 TaskInstance.cs(798) 51A021F9-8D5E-477B-94D4-73A986EEBDC0 WARNING <q1:ErrorInfo ErrorCode="33303" DetailedCode="-2146233087" DetailedSource="2" ExceptionDetails="" xmlns:q1="http://schemas.microsoft.com/2003/dls/GenericAgentStatus.xsd">

0DF4 0634 04/30 15:30:28.570 01 TaskInstance.cs(798) 51A021F9-8D5E-477B-94D4-73A986EEBDC0 WARNING <q1:Parameter Name="servername" Value="MEMBERSERVER.Contoso.com" />

0DF4 0634 04/30 15:30:28.570 01 TaskInstance.cs(798) 51A021F9-8D5E-477B-94D4-73A986EEBDC0 WARNING <q1:Parameter Name="exceptionmessage" Value="Access is denied." />

0DF4 0634 04/30 15:30:28.573 01 TaskExecutor.cs(843) 51A021F9-8D5E-477B-94D4-73A986EEBDC0 FATAL Task stopped (state=Failed, error=WCFServiceAuthorizationFailed; -2146233087; WindowsHResult), search "Task Diagnostic Information" for details.

Note again the 33303 error, which indicates that the client was not authorized by the service.

Solution: The steps are the same as for the member server missing its own registry entry. Those steps recreate both the DPM server and the member server registry keys.

Conclusion: As a precautionary measure, proactively backing up the registry keys on both the protected server side and the DPM side is suggested. This can be done via a System State or BMR backup, but if you do not want to roll back to a previous System State or BMR snapshot, backing up just those keys works as well. Restoring the individual keys is also much quicker than a System State or BMR restore.
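One way to take the precautionary backup the conclusion recommends, as an added example that is not part of the original post or the DPM product: export the whole Certificates subtree plus one .reg file per computer subkey, so a single missing key can be put back with reg import without touching the rest. The backup folder under ProgramData and the file naming are assumptions; the key path is the one shown in the post.

```powershell
# Added example (not from the original post): export and restore the DPM certificate
# registry keys with reg.exe so a single key can be recovered without a System State restore.
function Backup-DpmCertificateRegistry {
    [CmdletBinding()]
    param(
        # Assumed location for the .reg files; adjust to a protected, backed-up share.
        [string]$Destination = (Join-Path $env:ProgramData 'DpmCertKeyBackup')
    )

    # reg.exe wants the HKLM\ form; the PowerShell provider wants HKLM:\ for Test-Path.
    $regPath = 'HKLM\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\2.0\Certificates'
    $psPath  = 'HKLM:\' + $regPath.Substring(5)
    if (-not (Test-Path -LiteralPath $psPath)) {
        throw "Certificates key not found, nothing to back up: $psPath"
    }

    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $files = @()

    # 1) The whole subtree in one file (covers both the self key and the peer keys).
    $all = Join-Path $Destination "Certificates-all-$stamp.reg"
    & reg.exe export $regPath $all /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed for $regPath" }
    $files += $all

    # 2) One file per computer subkey, so a single key (e.g. the DPM server key on a
    #    member server) can be restored alone.
    foreach ($sub in Get-ChildItem -LiteralPath $psPath) {
        $name = $sub.PSChildName
        $file = Join-Path $Destination ("{0}-{1}.reg" -f $name, $stamp)
        & reg.exe export "$regPath\$name" $file /y | Out-Null
        if ($LASTEXITCODE -eq 0) { $files += $file } else { Write-Warning "Export failed for $name" }
    }
    $files
}

function Restore-DpmCertificateRegistryKey {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$RegFile)

    if (-not (Test-Path -LiteralPath $RegFile)) { throw "Backup file not found: $RegFile" }
    # reg import merges the file's keys and values; it needs an elevated session for HKLM.
    & reg.exe import $RegFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import failed for $RegFile" }
    Write-Verbose "Imported $RegFile"
}

# Usage (elevated PowerShell):
# $backups = Backup-DpmCertificateRegistry            # returns the .reg files written
# Restore-DpmCertificateRegistryKey -RegFile $backups[1] -Verbose   # a single computer key
```

Run the backup on the DPM server and on every certificate-authenticated protected server, and keep the .reg files somewhere that a key deletion on the box cannot take with them. After a restore, rerun the DPM agent refresh and confirm that the 3122 alert clears; if the key was absent because the certificate pairing was never completed, the restore will not help and the Attach-ProductionServerWithCertificate.ps1 / SetDPMServer steps above are still required.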

This concludes Part 2 of DPM Certificate Troubleshooting. Part 3 will cover troubleshooting missing or invalid certificates.

Shane Brasher | Senior Support Escalation Engineer
