In this fourth and last part of the DPM 2012 review series we'll look at a new authentication mechanism for servers in untrusted domains or workgroups, at some improvements that should still be added to DPM, and conclude the series with some overall comments.
DPM 2010 provides the ability to protect servers in workgroups or non-trusted domains, using local accounts and NTLM based authentication. This capability proved less than popular in large enterprises because of the inherent weaknesses of NTLM, auditing difficulties and the burden of local account management. DPM 2012 adds another authentication method (the previous capabilities are still available): certificate based authentication. The following workloads are supported: SQL Server, File Server and Hyper-V, and these can be clustered as well as standalone (note the missing pieces here: no Exchange, SharePoint, System State / Bare Metal Recovery or client computers). A secondary DPM server for DR can also use this authentication method.
All protection in DPM is done around the concept of Protection Groups.
The required certificates can't be self-signed; hence an internal CA needs to be in place. Setting up certificate based protection is quite involved. First, each DPM server has to be configured: generate a certificate from the CA for the DPM server, import this certificate on the DPM server and then configure the DPM server to use certificate based protection. Then, for each server you want to protect, install the agent and attach it to the DPM server, generate a certificate for the server from the CA, import the certificate on the local computer and configure the DPM agent to use certificate based authentication. When the time comes to renew certificates, DPM will issue a warning alert 30 days before expiry and a critical alert one day before expiry.
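Because every protected server and every DPM server now carries its own certificate, expiry becomes an operational risk of its own; a lapsed certificate silently breaks protection. The script below is an added example written for this review, not code from the article or from Microsoft. It scans a machine's personal certificate store and reports certificates using the same thresholds the review quotes for DPM's alerts (warning 30 days before expiry, critical one day before), and it flags self-signed certificates, which the review notes DPM will not accept. The store path, the threshold defaults and the function name are assumptions for illustration; DPM itself does not run this script.

```powershell
# Added example (not from the review or from Microsoft): report certificates in the
# local computer's personal store that DPM certificate-based protection would flag.
# Thresholds mirror the review: warning at 30 days before expiry, critical at 1 day.
param(
    [string] $StorePath    = 'Cert:\LocalMachine\My',  # assumption: where the DPM certs were imported
    [int]    $WarningDays  = 30,
    [int]    $CriticalDays = 1
)

function Get-DpmCertificateStatus {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert,
        [datetime] $Now = (Get-Date)
    )

    $problems = @()
    # Self-signed certificates are not accepted for DPM certificate-based protection.
    if ($Cert.Subject -eq $Cert.Issuer) { $problems += 'self-signed' }
    # Authentication needs the private key; a public-certificate-only import is useless.
    if (-not $Cert.HasPrivateKey)       { $problems += 'no private key' }

    $daysLeft = [math]::Floor(($Cert.NotAfter - $Now).TotalDays)
    $severity = if ($daysLeft -lt 0)                 { 'Expired'  }
                elseif ($daysLeft -le $CriticalDays) { 'Critical' }
                elseif ($daysLeft -le $WarningDays)  { 'Warning'  }
                else                                 { 'OK'       }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        DaysLeft   = $daysLeft
        Severity   = $severity
        Problems   = ($problems -join ', ')
    }
}

# Report every certificate in the store, soonest expiry first.
Get-ChildItem -Path $StorePath |
    ForEach-Object { Get-DpmCertificateStatus -Cert $_ } |
    Sort-Object DaysLeft |
    Format-Table -AutoSize
```

Run it on each DPM server and on each protected workgroup server as a scheduled task, or feed the objects it emits into whatever monitoring you already have, so that a renewal is started when the 30-day warning appears rather than when the agent stops talking to the DPM server.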
A glaring problem in DPM 2010 that, unfortunately, is not addressed in DPM 2012 is Exchange single item restore. Some competing backup products offer the ability to restore individual items from a mailbox. The fault doesn't lie directly with the DPM team, however, as the methods used by third party software aren't supported by Microsoft.
From a customer's point of view it is a bit odd, though, that DPM is so good at backing up most Microsoft workloads but falls flat in this one area. It's time for the Exchange team to step up their game and provide a supported method for single item recovery as soon as possible.
A minor problem (compared to the Exchange issue) is that even though DPM recognizes Active Directory as a data source, single item recovery is again not possible. Another irritating issue is that when you select the Hyper-V node of a Hyper-V server, one would assume that any VMs created after the Protection Group was created would be automatically protected, but they're not. Whilst it's possible to do this with a PowerShell script, it's surprising that this wasn't incorporated in this new version as default behavior.
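The PowerShell workaround mentioned above, as an added example written for this review rather than a script from the article or from Microsoft: it finds Hyper-V VMs on a host that are not yet in a given Protection Group and adds them. The cmdlet names are those of the DPM 2012 PowerShell module as I recall them (Get-DPMProtectionGroup, Get-DPMModifiableProtectionGroup, Get-DPMProductionServer, Get-DPMDatasource, Add-DPMChildDatasource, Get-DPMDatasourceDiskAllocation, Set-DPMDatasourceDiskAllocation, Set-DPMProtectionGroup); check them against Get-Help in your DPM Management Shell. The server and group names, the property names used for matching, and the 'Backup Using*' name pattern for Hyper-V data sources are assumptions for illustration.

```powershell
# Added example (not from the review or from Microsoft): protect Hyper-V VMs that
# were created after the Protection Group was built. Run in the DPM Management
# Shell on the DPM server. Supports -WhatIf so the change can be reviewed first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string] $DpmServerName       = 'DPM01',         # assumption: your DPM server
    [string] $ProtectionGroupName = 'Hyper-V Hosts', # assumption: existing group
    [string] $HyperVHostName      = 'HV01'           # assumption: protected Hyper-V host
)

# Locate the Protection Group and the Hyper-V host as DPM knows them.
$pg = Get-DPMProtectionGroup -DPMServerName $DpmServerName |
      Where-Object { $_.FriendlyName -eq $ProtectionGroupName }
if (-not $pg) { throw "Protection Group '$ProtectionGroupName' not found on $DpmServerName" }

$ps = Get-DPMProductionServer -DPMServerName $DpmServerName |
      Where-Object { $_.ServerName -like "$HyperVHostName*" }   # property name is an assumption
if (-not $ps) { throw "Production server '$HyperVHostName' not found on $DpmServerName" }

# -Inquire asks the agent for the current list of data sources on the host, so VMs
# created since the last inquiry show up. Hyper-V VM data sources are assumed to be
# named 'Backup Using Child Partition Snapshot\<VM>' or 'Backup Using Saved State\<VM>'.
$onHost    = Get-DPMDatasource -ProductionServer $ps -Inquire |
             Where-Object { $_.Name -like 'Backup Using*' }
$protected = Get-DPMDatasource -ProtectionGroup $pg | ForEach-Object { $_.Name }

$missing = $onHost | Where-Object { $protected -notcontains $_.Name }
if (-not $missing) {
    Write-Host "All Hyper-V VMs on $HyperVHostName are already in '$ProtectionGroupName'."
    return
}

# Changes are made on a modifiable copy and committed with Set-DPMProtectionGroup.
$mpg = Get-DPMModifiableProtectionGroup -ProtectionGroup $pg
foreach ($ds in $missing) {
    if ($PSCmdlet.ShouldProcess($ds.Name, "Add to Protection Group '$ProtectionGroupName'")) {
        Add-DPMChildDatasource -ProtectionGroup $mpg -ChildDatasource $ds
        # New data sources need replica/recovery point volumes allocated before commit.
        Get-DPMDatasourceDiskAllocation -Datasource $ds | Out-Null
        Set-DPMDatasourceDiskAllocation -Datasource $ds -ProtectionGroup $mpg
    }
}
if ($PSCmdlet.ShouldProcess($ProtectionGroupName, 'Commit Protection Group changes')) {
    Set-DPMProtectionGroup -ProtectionGroup $mpg
    Write-Host ("Added {0} VM(s) to '{1}'." -f @($missing).Count, $ProtectionGroupName)
}
```

Schedule it nightly on the DPM server (one run per Hyper-V host or cluster) and keep the first few runs on -WhatIf until the output lists exactly the VMs you expect; a newly added VM also needs its initial replica created, so allow storage for that before the job commits.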
Apart from these issues DPM 2012 is an excellent product, following the already successful earlier versions with a release that's more enterprise friendly and eminently capable whilst still easy to use and administer. The new Central Console is going to save many hours in large environments, the streamlined troubleshooting is a real winner, and Role Based Access along with numerous other improvements make this "best for backing up Microsoft products" even better.