DPM 2012 infrastructure design

  • Question

  • Hi!

    We are planning to deploy DPM 2012 into our environment, but are not very familiar with Microsoft products nor MS infrastructure. So I would greatly appreciate some feedback on the quality of our plans before we start. We have been reading the white papers on these matters, but still have some questions regarding the design.

    Our need is to take backup of several servers in separate domains, same forest. SharePoint, SQL, file, DC etc.

    We have a relatively small environment with four domains:

    A, B, C and D. For security reasons there is NO trust between any of these, and there will never be.

    Because of SharePoint we are not able to use the certificate approach.

    Our goal is to minimize the number of servers as far as possible within the limits set by our security design.

    What we hope to be able to do is to create a separate and exclusive domain for our DPM-servers, create a one way trust between the DPM-domain and each of our other domains, but NOT between the other domains.

    Our hypothesis is: This will make it possible to take backup of all domains with only two DPM servers, and with no security issues.

    The two DPM-servers will be at separate locations in Chaining configuration. Long term backup will go to virtual tape library on EMC DataDomain.

    As said, I would greatly appreciate opinions on our plans. Thank you!

    Kind regards, Mrs. Siri-Brit Sømming


    Tuesday, February 19, 2013 1:16 PM

Answers

  • Hi,

    A one way trust will not work, DPM requires two way trust.

    Network Requirements
    http://technet.microsoft.com/en-us/library/hh758176.aspx

    For domains that have workloads that support workgroup protection or certificate protection, you can get away with using a single DPM server for those workloads.  Workloads that don't support workgroup or certificates, you will need a DPM Server in that domain to protect those workloads.


    Regards, Mike J. [MSFT]

    Tuesday, February 19, 2013 11:21 PM
    Moderator

All replies

  • Thank you so much, Mike! That essential piece of information must have slipped my eye. We will test the solution with two way trust - it seems to be within our security demands.

    Wednesday, February 20, 2013 9:35 AM