DPM 2007 to DPM 2010 Tape Encryption Problems.

  • Question

  • I have done an upgrade from DPM 2007 to DPM 2010 that included moving to new hardware.  I was encrypting tapes, so I exported the certificates from the original server to import on the new server.  I also have a secondary DPM server that I am trying to read tapes on.  Both give the same error:

    Affected area: N:\
    Occurred since: 7/1/2010 1:24:16 PM
    Description: The recovery jobs for Volume N:\ that started at Thursday, July 01, 2010 1:22:25 PM, with the destination of icbackup.icsystem.com, have completed. Most or all jobs failed to recover the requested data. (ID 3111)
     This DPM server is not authorized to read or write to this encrypted tape because there is no valid certificate in DPMBackupStore and DPMRestoreStore which can decrypt data. (ID 24071)
     More information
    Recommended action: 1) Make sure that DPMBackupStore has the certificate to decrypt this tape.
    2)Use this tape on a DPM server which is authorized to read this tape.
    See "How to Encrypt Data in a Protection Group " in DPM Help for more information about certificates.
     On the Jobs tab in the Monitoring tasks area, group jobs by type to view details of the recovery jobs.
     Retry the recovery job...
    Resolution: DPM automatically changes this alert's status to inactive 10 days after it is issued.To dismiss the alert, click below
     Inactivate alert

    Is there a way to identify the certificate that was used to encrypt the tape?  This should be using a certificate from our local cert authority, so I should be able to find the cert that I need.

     

    Thursday, July 1, 2010 6:27 PM

Answers

  • This is all unfortunately true.  I am unable to export the private key of the default domain computer certificate, because the template for the certificate does not allow the key to be exported.  The key is also not saved in the cert database, so it cannot be recovered.  At this point I am stuck with trying to reattach the old server to the tape library and see if any tapes are recoverable.  The server itself has had an OS upgrade.  It also looks like the DPM upgrade may wipe out the contents of the two DPM certificate folders, but I can't verify this.  I just know that the folders are now empty on the old server.

    The takeaway from this situation is that the documentation for using certificates, and in particular certificates from a Microsoft Certificate Authority, needs to be much more explicit for DPM, especially when upgrading or moving a DPM installation.  I am going to create a new post for help creating a certificate for DPM use, since using the default computer certificate should not be recommended.

    • Marked as answer by Johnnynjr Tuesday, July 6, 2010 6:28 PM
    Tuesday, July 6, 2010 6:28 PM

All replies


  • Can you verify for me that when you exported the certificate on the other DPM server, you chose to also export the private key?  If you did, then the exported file will have a .pfx extension.

    If the exported certificate did not contain a private key, the extension will be .cer and it cannot be used to decrypt tapes encrypted on the other DPM server.

    You can also verify it's in the DPMRestoreStore, and if you double-click the certificate, below the dates showing its validity, it should say:  You have a private key that corresponds to this certificate.

    Confirm this was the procedure you used to import certificates to DPMBackupStore once it has been exported from the original server.

    run MMC.exe
    Add snap in from file menu
    select Certificates
    select "Computer account"
    select "Local computer"
    ok
    go to DPMBackupStore
    Right click -> all tasks-> import
    browse or give name of cert file with .pfx extension.
    add to DPMBackupStore.

    I am not aware of any way to determine what certificate was used to encrypt the tape.


    Regards, Mike J [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.
    Thursday, July 1, 2010 7:22 PM
    Moderator
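
The checks described in the reply above (is the certificate present in DPMBackupStore and DPMRestoreStore, and does it carry a private key) can be scripted on each DPM server. This is an added example, not part of the original thread or of DPM itself; the function names and the export file path are hypothetical, and it assumes the two stores live under the Local Computer account as the MMC steps indicate.

```powershell
# Added example: audit the two DPM certificate stores named in alert 24071.
# Function names and the sample path are hypothetical; run elevated.
$x509 = 'System.Security.Cryptography.X509Certificates'

function Get-DpmStoreCertificate {
    param([string[]]$StoreName = @('DPMBackupStore', 'DPMRestoreStore'))
    # OpenExistingOnly prevents the audit from silently creating a missing store.
    $flags = [System.Security.Cryptography.X509Certificates.OpenFlags]'ReadOnly, OpenExistingOnly'
    $location = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
    foreach ($name in $StoreName) {
        $store = New-Object "$x509.X509Store" ($name, $location)
        try {
            $store.Open($flags)
        } catch {
            Write-Warning "Store '$name' could not be opened: $($_.Exception.Message)"
            continue
        }
        try {
            if ($store.Certificates.Count -eq 0) {
                Write-Warning "Store '$name' exists but is empty."
            }
            # HasPrivateKey = False means this server cannot decrypt with that cert.
            $store.Certificates | Select-Object @{Name = 'Store'; Expression = { $name }},
                Subject, Issuer, Thumbprint, NotAfter, HasPrivateKey
        } finally {
            $store.Close()
        }
    }
}

function Test-ExportHasPrivateKey {
    # Loads an exported file and reports whether a private key came with it.
    # A .cer export loads with HasPrivateKey = False; the password is then ignored.
    param([string]$Path, [System.Security.SecureString]$Password)
    $cert = New-Object "$x509.X509Certificate2" ($Path, $Password)
    $cert | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}

# Inventory both stores on this server.
Get-DpmStoreCertificate | Format-Table -AutoSize

# Check an export before moving it to the new server (path is a placeholder).
# $pw = Read-Host 'PFX password' -AsSecureString
# Test-ExportHasPrivateKey -Path 'C:\Temp\dpm-export.pfx' -Password $pw
```

Comparing the Thumbprint column between the old and new servers shows whether the same certificate, with its key, actually arrived after the move.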