Robert Hedblom, a System Center MVP and DPM specialist, sat with me just about a month ago to discuss some options on how we could get through the steps of using Azure backup with DPM. This blog post will walk you through the complete configuration from a System Center Data Protection Manager perspective.
With the System Center 2012 SP1 release, Microsoft presented a new feature that provides a solid online protection solution for companies' production data. Within the Windows Azure Management Portal, Microsoft created something called a backup vault that can easily be connected to both DPM servers and the Windows Server Backup (WSB) feature for Windows Server 2012. Using certificates and explicit passphrases, Microsoft can offer not just a great feature to reduce tape management for companies on a global scale but also a high level of security.
The steps to get started are to first sign up for Azure services, install a Windows Azure Backup agent on your DPM server and finally register your DPM server.
* If you are not currently using Windows Azure, go here and sign up for a free trial! http://www.windowsazure.com/en-us/pricing/free-trial/
This blog post will cover:
- Considerations for using Azure backup with your DPM server
- How to configure your DPM servers to enable the online protection using Azure
- How to register your DPM servers
- How to configure the protection groups to enable online protection
- How to manually create online recovery points
- How to recover production data from Azure
Considerations for using Azure backup with your DPM server
Online protection gives you the possibility to place your production data in Azure, meaning that you can provide secure, optimized off-site replication for the company's production data.
There are some considerations that you must keep in mind:
- The online protection is only available for primary DPM servers
- The retention time for your production data in Azure is 120 days
- You can place two recovery points per day in your backup vault provided in Azure
- You can provide online protection for Hyper-V, SQL and File
- You must have a DPM disk pool attached to the DPM server
- The Windows Azure Backup Agent uses the Windows Identity Foundation 3.5 feature.
The certificate used for the backup vault in Azure must fulfill the following prerequisites:
- To upload the certificate to the vault, you must export it as a .cer format file that contains the public key.
- The certificate should be an x.509 v3 certificate.
- The key length should be at least 2048 bits.
- The certificate must have a valid ClientAuthentication EKU.
- The certificate should be currently valid with a validity period that does not exceed 3 years.
- The certificate should reside in the Personal certificate store of your Local Computer.
- The private key should be included during installation of the certificate.
- You can create a self-signed certificate using the makecert tool, or use any valid SSL certificate issued by a Certification Authority (CA) trusted by Microsoft, whose root certificates are distributed via the Microsoft Root Certificate Program.
How to configure your DPM servers to enable the online protection using Azure
Before you can register your DPM server you need to have a Backup Vault up and running in Azure. First you must register an account for Azure services. When that is done, go to your DPM console and click on Management, then click the Manage subscription button in the top left of the console.
Your DPM server will open the Windows Azure web page; provide your credentials to log in. First you must register a Recovery Service. To do this click on Recovery Service on the left hand side of the Azure portal.
Next you must create your Backup Vault by clicking on the link CREATE A NEW VAULT in the middle of the portal.
Click on BACKUP VAULT
Click on QUICK CREATE
Enter a NAME for the backup vault and choose the REGION of where the backup vault should be placed or located. To finish your configuration click on CREATE VAULT.
In the Azure portal you will now notice the backup vault being created.
When Azure is finished the STATUS will change from Creating to Active.
Now it’s time to create a certificate that must be used between your DPM server and your backup vault in Windows Azure. You should use the MakeCert executable that is available as part of the Windows SDK which you can download from this URL: http://msdn.microsoft.com/en-US/windows/desktop/bg162891
Open an elevated command prompt and use the following syntax for your certificate configuration, where the -eku value 1.3.6.1.5.5.7.3.2 is the Client Authentication OID: "makecert.exe -r -pe -n CN=CertificateName -ss my -sr localmachine -eku 1.3.6.1.5.5.7.3.2 -len 2048 -e 01/01/2016 CertificateName.cer"
Change CertificateName to any name you prefer. Keep in mind that the certificate must:
- Have a key length of 2048 bits
- Have a valid validity period that does not exceed 3 years
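The certificate prerequisites listed earlier can be checked on the DPM server before the .cer file is uploaded. The following PowerShell is an added example, not part of the original post or of any Microsoft tooling; the subject CN=CertificateName is the placeholder from the makecert command and is an assumption to replace with your own name.

```powershell
# Added example: check a certificate against the backup vault prerequisites.
# $Subject is an assumption: the placeholder CN from the makecert command.
param([string]$Subject = 'CN=CertificateName')

$ekuExtensionOid = '2.5.29.37'          # Enhanced Key Usage extension
$clientAuthOid   = '1.3.6.1.5.5.7.3.2'  # Client Authentication EKU

# The certificate must reside in the Personal store of the Local Computer.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$Subject' in LocalMachine\My" }

# Collect the OIDs listed in the EKU extension (empty if the extension is absent).
$ekuOids = @($cert.Extensions |
    Where-Object { $_.Oid.Value -eq $ekuExtensionOid } |
    ForEach-Object { $_.EnhancedKeyUsages } |
    ForEach-Object { $_.Value })

$now = Get-Date
$checks = [ordered]@{
    'X.509 v3 certificate'          = $cert.Version -eq 3
    'Key length at least 2048 bits' = $cert.PublicKey.Key.KeySize -ge 2048
    'ClientAuthentication EKU'      = $ekuOids -contains $clientAuthOid
    'Currently valid'               = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
    'Validity period <= 3 years'    = $cert.NotAfter -le $cert.NotBefore.AddYears(3)
    'Private key installed'         = $cert.HasPrivateKey
}

# Print one PASS/FAIL line per prerequisite and warn if any check failed.
$failed = 0
foreach ($name in $checks.Keys) {
    if ($checks[$name]) { $result = 'PASS' } else { $result = 'FAIL'; $failed++ }
    '{0,-32} {1}' -f $name, $result
}
if ($failed -gt 0) { Write-Warning "$failed prerequisite check(s) failed; do not upload this certificate." }
```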
The certificate will be placed in the same directory as the MakeCert executable. Next you must upload the certificate to your Windows Azure backup vault, so go to your Windows Azure Management Portal.
After you have successfully created your certificate you must provide the certificate to the Windows Azure Backup Vault. Click on Manage Certificate in the center of the Windows Azure Portal.
Browse for the certificate you just created and click on the check to continue.
The certificate will now be uploaded to the Windows Azure Backup Vault.
When your certificate has successfully been uploaded to your Windows Azure Backup Vault you must install the Windows Azure Backup Agent. Click on the Download Agent link to continue.
Next you must choose which version of the Windows Azure Backup Agent you want to download and install. Choose the Windows Azure Backup Agent for Data Protection Manager and click on the check to continue.
The Windows Azure Backup Agent will be downloaded after you have chosen your download options. Click on Run to continue.
You will be prompted with a Supplemental Notice. Choose “I accept the terms of the Supplemental Notice.” and click on OK to start the installation of the Windows Azure Backup Agent.
The Windows Azure Backup Agent consists of three steps:
- Prerequisites Check
- Installation Settings
You will be prompted with a Prerequisites Check that verifies that you have the Windows Identity Foundation feature installed on the DPM server and Microsoft .NET framework 4. Click on Next to continue.
Under the installation settings you can configure the installation path for the Windows Azure Backup Agent and the Cache Location. The Windows Azure Backup Agent must have a cache location to keep track of the files the DPM server backs up. The cache location needs at least 2.5 GB of local free space, but 15 GB is recommended.
Click on Install to continue the installation of the Windows Azure Backup Agent.
After the installation has finished, the installer will present a summary and the next step, which is the registration of your DPM server.
How to register your DPM servers
Open the DPM console and on the left hand side choose Management, then Online, followed by Register in the top left part of the console.
Click on Browse to point out your certificate.
Choose the certificate you just created by marking it and click on OK.
Now choose your backup vault and click on Next.
In the next step you have the option to configure the Proxy configuration. Enter the address, port and if needed username and password used by your DPM server so the Windows Azure Backup Agent can communicate with Azure. When you are finished click on Next to continue.
In the next step you will configure the Throttle Settings for your Windows Azure Backup Agent. If you have limited network bandwidth, you can define your business hours and how much bandwidth the Windows Azure Backup Agent can consume. When you have finished your configuration click on Next to continue.
The Recovery Folder Settings will help you define where you want to temporarily place the restored data from Azure before you let DPM move the data from the recovery folder to the production servers via the DPM agent. A recommendation is to use a separate disk for this purpose; in my example I have used a specific restore disk for my Azure protected production data. Click on Browse to point out your folder and click on Next to continue to the next step.
In the Encryption Setting step it is important to remember one thing: copy the passphrase to the clipboard. Click on Generate Passphrase followed by Copy to clipboard. You will receive a message that your passphrase has been copied to the clipboard. It is now a very good idea to open Notepad, paste the passphrase from the clipboard and save the file; also print the file and lock it away. Click on Register to register your DPM server with your Backup Vault.
You will receive a message that your DPM server is successfully registered with your backup vault in Azure. Click on Close to continue to the next step, enabling the online protection.
How to configure the protection groups to enable online protection
After you have registered your DPM server with your Azure Backup Vault you are ready to configure your protected production data. Worth mentioning again is that you can place the following workloads in your backup vault: Hyper-V, SQL and File.
You can either create a new Protection Group or modify an already configured Protection Group for online protection. In this example I already have a Protection Group and will show you how to add the online protection for my DPMDB that is a SQL database that is supported for online protection.
The modify wizard for a Protection Group contains a few steps that are specific to online protection. The first one is the Select Data Protection Method step. To enable the online protection for your protected production data just check the checkbox for I want online protection followed by Next.
The second step is the Specify Online Protection Data step. In this step you will choose which workloads you would like to enable for online protection. Check the checkbox for your production data and click on Next.
The next step is the Specify Online Protection Goals step. Here you can define your online protection goals by using a daily or weekly synchronization frequency; this blog post will cover both scenarios. As mentioned previously in this blog post, you have the possibility to store data for 120 days and also synchronize your DPM server data twice per day.
For the weekly synchronization frequency you can choose specific weekdays and if the synchronization should occur every week or biweekly. You can have your DPM server synchronize your protected data up to every fourth week.
After you have run through those steps you will notice that your production data is enabled for online protection in the DPM console.
How to manually create online recovery points
In some scenarios you want to manually create recovery points for your production data. The prerequisite is that you have the online protection enabled for the data source present in your Protection Group.
To create a recovery point manually for your protected production data right click the data source and choose Create recovery point.
You will now be prompted with the Create recovery point wizard. Choose Online protection in the dropdown menu followed by clicking on the OK button.
Now your DPM server will create a backup and store it in Azure, you can follow the progress in the Create recovery point task window.
The progress could also be monitored in the DPM console monitoring part.
Always keep in mind that bandwidth is very important, so verify your network performance from on-premises to Azure. You can use the following tool http://azurespeedtest.azurewebsites.net/ to verify your network latency depending on your closest Azure datacenter.
How to recover production data from Azure
As mentioned in the introduction of this article the restore process from Azure is a two-step process for DPM. During the registration phase we pointed out something called “Recovery Folder Setting”; this folder now comes into play during the restore process. As you probably already know, DPM’s focus is to be an easy restore function in a modern datacenter, and this also applies to the Azure restore operations. To restore your production data from Azure you must go to Recovery within the DPM console.
On the left hand side of the console you will find your protected data sources both active and inactive. Start by expanding the tree so that your data source will be visible, in my case it’s the C drive of my SQL server.
Next you must choose the right date followed by choosing the right time from the drop-down list.
Finally to start the restore right click the data source and choose recover.
The Recovery Wizard will open and present the actual restore process. Click Next to continue.
Now you need to choose the recovery type for the restore operation. You can choose to restore the data to its original location or an alternate location, in this example I will choose to restore my data to its original location. Mark the radio-button and click on Next to continue.
Last you must choose your Recovery Options that will manage your Existing version behavior, security settings and so on. Click on Next to get to the Summary.
At the Summary step you need to verify your suggested restore operation. If it fits your need, click on the Recover button to start the recovery process.
During the restore process you can either monitor the work progress in Recovery Status window or in the DPM console under Monitoring and applying the filter All jobs in progress.
When the restore operation is finished DPM will raise an alert regarding the status of the restore job indicating the status of the restore. In this case the restore was successful so the DPM server raised an informational alert.
Keep in mind that Azure is applicable for companies of all sizes. Organizations should be able to perform daily or weekly backup of the DPMDB; this is a great way to set up a DR scenario for DPM.
About Robert Hedblom
Robert Hedblom is a Sr. Consultant and DPM specialist for a company in Sweden. A Cloud and Datacenter Management MVP, Robert blogs about DPM and many other components in the System Center suite. Robert is happy to answer any questions around DPM and can be reached at any of the links below. Robert is an awesome guy, and I wanted to thank him for working through this solution with me!
You can reach Robert and find out more about him here:
MVP Profile: http://mvp.microsoft.com/en-us/MVP/Robert%20Hedblom-4030660
Christian Booth (ChBooth) | Sr. Program Manager | System Center