DPM 2012 - Secondary DPM server (DR) via certificate protection over Internet w/out trust?

  • Question

  • I'm finding conflicting information on whether or not I can protect my DPM 2012 server via certificate based protection over the Internet to a second DPM 2012 server.

    Background:

    * Both servers (DPM01 and DPM02) running DPM 2012

    * Servers are separated geographically over the Internet (no VPN, no trust) via high speed WAN link

    Ideally, I'd like to have a complete copy of my onsite DPM server (DPM01) over the Internet via certificate based authentication to DPM02 in the event the building burns down or some other disaster.

    Please advise.

    Thanks,

    Scott

    Wednesday, June 20, 2012 1:34 AM

All replies

  • Hi Scott,

    DPM Team Blog : Protection between a Primary DPM server and Secondary DPM server using certs. The Primary DPM server and Secondary DPM server need to be in the same domain or mutually trusted domain.

    http://blogs.technet.com/b/dpm/archive/2012/04/23/how-to-use-certificates-to-authenticate-computers-in-workgroups-or-untrusted-domains-with-data-protection-manager.aspx

    This article provides a walkthrough of setting up System Center 2012 Data Protection Manager and a protected server with certificate authentication.

    I think that TechNet is unclear ^^ "DPM supports protecting the secondary server that is in an untrusted domain if it is in the same domain as the primary server."

    http://technet.microsoft.com/en-us/library/hh916530

    Stephane.


    Please remember to click “Mark as Answer” on the post that helps you. This posting is provided "AS IS" with no warranties. knowledge is valid only if it is shared by All.

    Wednesday, June 20, 2012 7:50 AM
  • Just to be clear - if I join the second DPM server to the same domain and then enable certificate based protection, this will work without a VPN?

    I guess I'm not seeing the benefit of certificate based protection if I must maintain a trust and/or vpn...can anyone elaborate?

    Thanks!

    Wednesday, June 20, 2012 5:17 PM
  • Hi Scott,

    DPM team blog may also lead to confusion...

    Protection between a Primary DPM server and Secondary DPM is not supported with Certs.

    Stephane


    Wednesday, June 20, 2012 6:36 PM
  • Hi Scott and Stephane,

    Communications between primary and secondary DPM servers can only work using normal DPM Agent configuration (not certs) and both DPM Servers must be in a trusted domain.


    DPM 2012 provides the capability to protect Workgroup computers and computers in untrusted domains using Certificates for the purpose of authentication.
    If you are already using DPM 2010, you have the ability to protect machines without trust by using NTLM based authentication and local accounts. While this worked, you gave us feedback that you would want a more robust and secure method of authentication.

    This video talks in depth about Certification Based Authentication and how you can set it up using DPM 2012:

    (DPM 2012 – Certificate Based Protection) http://download.microsoft.com/download/7/1/2/7126E78A-F1C8-4E66-BA22-21524CE002E1/Certificate Based Authentication.wmv

    This blog has step-by-step details on enabling certificate based protection:

    http://blogs.technet.com/b/dpm/archive/2012/04/23/how-to-use-certificates-to-authenticate-computers-in-workgroups-or-untrusted-domains-with-data-protection-manager.aspx


    Following workloads/scenarios are supported using certificate based authentication:

    1. SQL Server
    2. File Server
    3. Hyper-V Server
    4. Clustered Backup (for all of the above workloads)
    5. Secondary DPM Server (Has to be within a trusted domain of Primary DPM Server but can be in a domain not trusted by the Protected Server)

    What we support using certificates are the two scenarios:

     a) Production server – primary DPM (In trusted domain with secondary)
     b) Production Server (switched protection) – secondary DPM (in trusted domain with primary)
    Setting up a secondary DPM server is still the same as before since nothing has changed in the communication flow.
    The only change is that if you need to enable secondary protection of production servers which are configured using certs, you'll need a certificate for the secondary DPM server also.
    That certificate can just be configured using the Set-DPMCredentials cmdlet.
    Once the secondary server is configured with Set-DPMCredentials and the bin file is generated, you will then need to take the bin file to the protected server and use it in the SetDPMServer cmdlet.
    Basically the same steps as you did for the primary DPM server on generating the bin files.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Regards, Mike J. [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    Sunday, June 24, 2012 6:04 PM
    Moderator
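As an added illustration (not code from Mike J's post or from the DPM team), the certificate enrolment steps the post describes, written out for the secondary server DPM02 and one production server; hostnames, paths and thumbprints are placeholders, and the certificate prerequisites from the linked blog (cert with private key in the machine store, DPM agent already installed on the production server) are assumed to be in place. It does not touch the primary-to-secondary link itself, which per the thread still uses the normal agent inside the trusted domain.

```powershell
# --- Step 1: on the secondary DPM server (DPM Management Shell, elevated) ---
$dpmServer = 'DPM02'                            # placeholder: secondary DPM host
$dpmThumb  = '<THUMBPRINT-OF-DPM02-CERT>'       # placeholder: DPM02's own cert
$certDir   = 'C:\CertMetaData'                  # placeholder output folder

# Check the thumbprint really is in the machine store with a private key before
# handing it to DPM; a missing key is the usual cause of a failed bin exchange.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $dpmThumb }
if (-not $cert -or -not $cert.HasPrivateKey) {
    throw "Certificate $dpmThumb not found in LocalMachine\My or has no private key"
}
New-Item -ItemType Directory -Path $certDir -Force | Out-Null

# Produces CertificateConfiguration_DPM02.bin in $certDir; copy it to the
# production server out of band (it is not secret, but it must be the right one).
Set-DPMCredentials -DPMServerName $dpmServer -Type Certificate -Action Configure `
    -OutputFilePath $certDir -Thumbprint $dpmThumb

# --- Step 2: on the production server (elevated prompt, agent installed) ---
$agentBin = 'C:\Program Files\Microsoft Data Protection Manager\DPM\bin'  # placeholder agent path
$psThumb  = '<THUMBPRINT-OF-PRODUCTION-SERVER-CERT>'                      # placeholder
$psCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $psThumb }
if (-not $psCert -or -not $psCert.HasPrivateKey) {
    throw "Production server certificate $psThumb missing or has no private key"
}

# Consumes DPM02's bin file and emits CertificateConfiguration_<PSName>.bin
# in C:\CertMetaData, which goes back to DPM02.
& "$agentBin\SetDPMServer.exe" -dpmCredential "C:\CertMetaData\CertificateConfiguration_$dpmServer.bin" `
    -OutputFilePath 'C:\CertMetaData' -Thumbprint $psThumb

# --- Step 3: back on the secondary DPM server ---
$psName    = 'PS01'                                                        # placeholder production host
$dpmBin    = 'C:\Program Files\Microsoft System Center 2012\DPM\DPM\bin'   # placeholder DPM install path
& "$dpmBin\Attach-ProductionServerWithCertificate.ps1" -DPMServerName $dpmServer `
    -PSCredential "C:\CertMetaData\CertificateConfiguration_$psName.bin"

# Confirm the production server is now attached to DPM02 before adding it to a
# protection group in the console.
$attached = Get-DPMProductionServer -DPMServerName $dpmServer |
    Where-Object { $_.ServerName -like "$psName*" }
if (-not $attached) { throw "$psName is not attached to $dpmServer" }
```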