System Center Data Protection Manager hosted solution for untrusted domains?

  • Question

  • Hi there,

     

    We have a number of small clients for whom we would like to see if we can host an SCDPM solution.  I have a few questions after doing some research on how this could work.

     

    Question 1:

    Can the DPM traffic between our domain and a client's untrusted domain be encapsulated into a single port or protocol?

    SCDPM appears to be designed in such a way that bi-directional communication is required between the DPM agent and the DPM server.  The communication happens over two channels: a control channel using the DCOM protocol and a data channel on some specific TCP ports.  Basically the traffic is designed to traverse a LAN but not the Internet.

    That poses a problem for our solution, where our clients' data has to go through the Internet to reach the DPM server on our network.  I know that people are suggesting using a VPN to wrap everything up and protect it, but that is not a solution, rather a workaround.

    My research on SCDPM 2012 doesn't appear to give me any different news.

     

    Question 2:

    In SCDPM 2012, can a DPM server be placed in an untrusted domain?

    I know SCDPM 2010 cannot do it; I am hoping to hear differently for version 2012.

     

    Question 3:

    This might well be the show stopper.  How does SCDPM recover from a complete disaster scenario?

    Imagine this: your whole building just burned down, and all you have left are your offsite tapes.  Now you need to recover from that.  So the first thing to do is to rebuild your DPM server so that you can use it to restore data from tapes.  Guess what?  DPM will refuse to install when you haven't got a working domain environment!  But how could I get my domain back without a working DPM server to restore my DC data?  Isn't that a chicken-and-egg dilemma?  Without a domain you cannot recover the DPM server; without a DPM server you cannot recover your domain!

    A workaround (again, note that I reckon it is just a workaround) is to temporarily build a brand new domain, install the DPM server in that domain, use it to recover your proper domain from tapes, and then rebuild your original DPM server in your proper domain.  In my view it is an unnecessarily complicated process compared with competing backup solutions.

    I will be excited if SCDPM 2012 has changed all that; please tell me so...

     

    Regards.

    Johnmen

    Tuesday, October 4, 2011 10:55 PM

Answers

  • Hello,

    Yes, you are correct, you will need a VPN or some form of secure tunnel between the two.
    Trying to have DPM replication over the Internet "can" work in theory, assuming the DPM servers have a public IP address.  The problem comes into play because the routers/switches/firewalls in use over the wire do not allow all the ports that DPM uses.

    I've only seen one attempt at this before which ultimately failed.

     

    Thanks
    Shane

    Friday, October 7, 2011 2:58 PM

All replies

  • Question1:

    You cannot transfer data through the Internet using DPM. I had the same problem backing up a customer's servers all over the world, and I had to build a VPN to each location to take backups.

    The traffic must be granted outgoing and incoming on both sides, and you have to ensure that the following ports are open: http://technet.microsoft.com/en-us/library/ff399341.aspx

     

    Question2:

    DPM 2010 can be placed in a domain and can protect servers in an untrusted domain with the above ports open. All you have to do after opening the ports is to install the agent on the untrusted-domain server using SetDpmServer.exe with the parameter -isNonDomainServer, and then from DPM you can attach the untrusted-domain server and everything will work.

     

    Question3:

    A question for you: what will you do if you have a backup program installed on your domain and the building goes on fire? Guess what, you have to build the domain to make the backup program work. :)

    It's the same principle; DPM is a Data Protection Manager, a program made to protect the data. So to protect your environment from such a tsunami recovery, build another domain controller in another data center, and build a secondary DPM server in the other data center to protect the primary DPM server. By that you save your environment first and your backup.

     

    Hope that helps.

    Laith.

    Wednesday, October 5, 2011 5:25 AM
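The untrusted-domain attach procedure Laith describes above (open the DPM ports, point the agent at the DPM server with SetDpmServer.exe -isNonDomainServer, then attach the server from the DPM side), written out as an added PowerShell example. This is not code from the original thread or from Microsoft. The DPM server name, the local account name, the protected server name and the installation path are assumptions; the port list (DCOM endpoint mapper 135, DPM agent ports 5718/5719 and the Windows Server 2008+ dynamic RPC range 49152-65535) is taken from memory of the TechNet firewall page linked in the reply and should be checked against that page before use. Part 1 runs in an elevated prompt on the protected server, Part 2 in the DPM Management Shell on the DPM server.

```powershell
# --- Part 1: on the protected server in the untrusted domain / workgroup ---
# Prerequisite: the DPM agent has already been installed manually on this server
# (DPMAgentInstaller_x64.exe from the DPM server's Agents folder).

# Assumed values; replace with your own.
$DpmServer  = 'dpm01.msp.local'                                            # FQDN of the hosting DPM server (assumption)
$AgentUser  = 'dpmagent'                                                   # local account DPM will attach with (assumption)
$DpmBinPath = 'C:\Program Files\Microsoft Data Protection Manager\DPM\bin' # default install path (assumption)

# 1. Inbound firewall rules for the DPM agent. netsh is used instead of
#    New-NetFirewallRule so the same script also works on Server 2008 R2.
#    Rule names deliberately contain no spaces to avoid netsh quoting problems.
$inboundPorts = @(
    @{ Name = 'DPM_DCOM_135';      Port = '135' },          # DCOM endpoint mapper (control channel)
    @{ Name = 'DPM_Agent_5718';    Port = '5718' },         # DPM agent
    @{ Name = 'DPM_Agent_5719';    Port = '5719' },         # DPM agent
    @{ Name = 'DPM_Dynamic_RPC';   Port = '49152-65535' }   # dynamic RPC range on Server 2008+
)
foreach ($rule in $inboundPorts) {
    & netsh advfirewall firewall add rule name=$($rule.Name) dir=in action=allow protocol=TCP localport=$($rule.Port) | Out-Null
}

# 2. DPM needs name resolution and reachability in BOTH directions across the
#    untrusted boundary. Check this side before going further; if it fails,
#    fix DNS or hosts entries first rather than debugging the agent.
$addresses = [System.Net.Dns]::GetHostAddresses($DpmServer)
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($addresses[0], 135)
    Write-Host "TCP 135 on $DpmServer is reachable from this host"
}
catch {
    throw "Cannot reach $DpmServer on TCP 135 from this host: $_"
}
finally {
    $tcp.Close()
}

# 3. Create the local account the attach will use. The password is prompted,
#    never hard-coded; net user needs it in clear text, so it is unwrapped here.
$securePw = Read-Host -AsSecureString "Password for local account $AgentUser"
$plainPw  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
                [Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePw))
& net user $AgentUser $plainPw /add | Out-Null
& net localgroup Administrators $AgentUser /add | Out-Null

# 4. Point the installed agent at the DPM server in non-domain mode.
#    SetDpmServer prompts for the password of -userName itself.
& "$DpmBinPath\SetDpmServer.exe" -dpmServerName $DpmServer -isNonDomainServer -userName $AgentUser

# --- Part 2: in the DPM Management Shell on the DPM server ---
# Attach the server with the same local account. Attach-NonDomainServer.ps1
# ships in the DPM\bin folder of DPM 2010; $ProtectedServer is the
# workgroup/untrusted host name (assumption). Uncomment to run on the DPM server.
# $ProtectedServer = 'fileserver01'
# & "$DpmBinPath\Attach-NonDomainServer.ps1" -DPMServerName $DpmServer -PSName $ProtectedServer -Username $AgentUser -Password $plainPw
```

The reachability check in step 2 only covers the protected server reaching the DPM server; the DCOM control channel also requires the DPM server to reach the agent on 135 and the dynamic RPC range, which is exactly the part that a NAT or Internet path in front of the client breaks and why the replies in this thread end up at a VPN.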
  • Hello,


    Question #2:  http://technet.microsoft.com/en-us/library/ff634193.aspx and http://technet.microsoft.com/en-us/library/ff634197.aspx

    Question #3:  It would be to your advantage to have a primary/secondary DPM server if at all possible.
    http://technet.microsoft.com/en-us/library/ff399707.aspx  Of course, if the whole building burned down then yes, that'd be a problem unless the secondary DPM server is in a different site belonging to the same domain.

    Let's assume that you have the DPM primary at the main site and the DPM secondary at a different site in the same domain. The secondary site also has a DC.
    You've been taking BMR backups of critical servers. The BMR backups go to tape kept at the secondary site.
    The main site burns down. You'd still be able to perform a BMR restore from the BMR saved to tapes.

    Let's assume that funding is limited. No secondary DPM server, no separate site belonging to the same domain. All you have is BMR backups to tape. Tapes are kept in a separate location.  The main site burns down and all you are left with are the tapes.  You will have to build another DPM server and import those tapes in order to perform a restore. Yes, this new DPM server will need to belong to a domain.  If you encrypt the tapes via certificate, that certificate will also need to be placed on the DPM server to decrypt those tapes. Either way you can follow the steps outlined in the BMR walkthrough below for the restore.

    BMR: http://www.microsoft.com/showcase/en/us/details/bec0b1c6-d1fd-41f0-b4bc-df5791dfc68d

    Tape Encryption:  http://blogs.technet.com/b/dpm/archive/2010/10/04/demo-video-using-dpm-to-encrypt-data-to-tape-using-a-self-signed-certificate.aspx

     

    Thanks
    Shane

    • Proposed as answer by ShaneB. _ Friday, October 7, 2011 2:53 PM
    Thursday, October 6, 2011 2:04 PM
  • Thanks Laith and Shane for the replies, I will go through the provided links and have a good thought about it.

     

    One thing I sadly believe can be confirmed is that DPM traffic is not Internet friendly, hence it needs some other means to facilitate and protect it.  It complicates things because we then need to design a VPN solution that can accommodate different clients that are using the same private IP ranges.

     

    Regards.

    Johnmen

    Thursday, October 6, 2011 8:48 PM