- Azure Sentinel—A real-world example - Tue, Oct 12 2021
- Deploying Windows Hello for Business - Wed, Aug 4 2021
- Azure Purview: Data governance for on-premises, multicloud, and SaaS data - Wed, Feb 17 2021
The scoped DPM console
The Central Console also enables another nifty troubleshooting feature – the scoped DPM console. When an alert is raised in SCOM you can click the Troubleshoot button which will take you to a DPM console which only shows the data sources, backup jobs and agents that are affected by this particular issue. Even better, once you have resolved the underlying cause you can run a test backup with a single click before resuming the entire backup job. It also provides context; the ticket number, alert and DPM server is listed in an area at the top of the scoped console.
Centralizing management inside of SCOM doesn’t just mean an aggregated view of all backups across many DPM servers; it also lets you work on more important issues first, for instance by showing issues that affect multiple data sources. Segregating errors into infrastructure and backup failures enables Tier 1 or 2 support to focus on backup failure alerts, whereas Backup Admins work on infrastructure problems and Tape Admins focus on tape errors.
Smaller environments can use the Remote Administration feature which lets you install the DPM console on a workstation and then connect that console to any remote DPM server.
The Scoped Console will be a real time saver in troubleshooting scenarios.
Role Based Access in DPM 2012
Another sign that DPM is stepping up to the big league is the application of Role Based Access (RBA) similar to how other Microsoft products (Exchange, SCOM) are approaching authorization for particular tasks in big organizations. Be aware that the DPM 2012 RBA model only covers the task itself, i.e. this user can recover data but you can’t further limit this by objects, i.e. this user can only recover Exchange data from these databases.
DPM comes with a set of seven built in roles with descriptive names: Read-Only User, Recovery Operator, Reporting Operator, Tape Operator and Tape Admins as well as the all-powerful DPM admin. The last two are Tier-1 Support (help desk) who can resume backups and take automated recommended action and the Tier-2 Support (escalation) who also can run backups on demand and take corrective actions such as enabling / disabling agents. Note that the roles are respected by the SCOM console and scoped DPM consoles that are opened from within the SCOM console but are NOT respected in the DPM console on the DPM server itself.
Incorporating the DPM user roles using the SCOM user role approach is another great way of integrating DPM into SCOM.
In part three we’ll over other improvements in DPM 2012.
Does this mean that you can’t set user access roles inside DPM without having a SCOM server on-site? If so, that’s completely insane!
Hi Ian,
“Insane” seems like a bit of a strong statement :-). Basically Microsoft sees that if you’re a small business with a single DPM server (or maybe 2-3) you can get away with Administrators being able to backup everything. But you wouldn’t need a centralized console to manage a few servers, hence no need for SCOM. If however you’re a big business with lots of DPM servers all over the place, you’ll really want to use the OM / Centralized console to manage them all in one place. And in that scenario you definitely want to be able to delegate permissions for DPM (again, across all DPM servers, not on a per server basis). Also, DPM is part of System Center so you already have the license for OM and DPM.
Hope that makes sense.
“Insane” may be a little strong but it still seems silly to leave out such a basic bit of functionality. I can see their reasoning I guess but I don’t agree with it. I can set access roles inside SCVMM without SCOM. I can set them in SCCM without SCOM as well. On that basis, why make SCDPM different? In every other bit of backup software that I’ve used, I’ve not had to use another piece of software to set access rights. I don’t want to use an account with Domain Admin rights on a day-to-day basis but I’m forced to use a domain admin account to run the DPM console if I don’t want SCOM on my network.
I know that I can run SCOM with my SC license, however we have another solution to monitor our systems as we found SCOM to be cumbersome to say the least.
I agree with Ian. It is quite annoying not being able to used RBAC within DPM without having to invest time and resources into SCOM setup.
For what it’s worth I agree with you both (Ian and Steve) on this. I haven’t had time to look at TP3 of DPM 2016 yet but I’m hoping for some improvements. DPM is one of those products (in my personal view, I have no inside MS information) that’s a bit on the fringe. Not as far as out as AppController (R.I.P), but far enough that it’s not a big star in the lineup, hence it gets less attention.