none
DPM and Catch 22 RRS feed

  • Question

  • New user to dpm working great for me so far.   So I decided to test some disaster situations(Dead DC) walking thourgh the steps for documentaion purposes.   I am doing a BMR on my dc.

    I realized in creating a restore to folder for my BMR I would have to log in localy since with a DC I might not be able to log in with my domain account on the DPM server.

    As soon as I start the DPM Consol on the DPM server I get an event ID 3754. 

    3754  --

    DPM Administrator Console can be opened only by a user belonging to a domain.

    So dead DC no way to recover since I can not log into the DPM consol.    What mistake am I making with pactices?

     


    Eric
    Tuesday, July 26, 2011 8:31 PM

Answers

  • I realize cached credentials would work but the disaster scenario I was working on.   Compromised Domain Accounts.    DC's are all up and running but all the domain addmins are locked out by a hacker/Disgruntled employee.    And for the sake are argument the DMP server was not formated.   So all I have is the local admin login on the DPM server.  Not saying its likly but planning for the worst and hoping for sunny days.
    Eric

    Hi Eric,

    That would be a very bad situation. There would be a way to recover from it but it would not be easy. If you have the volumes that the DPM replicas are backed up to you can expose the drive in windows disk management. You do this by assigning it a drive letter. You should be able to do this no matter who you are logged in as and without needing the DPM admin console. You simply need to be able to see the volumes in Windows disk management. You can then drill down into the drive until you find the WindowsImageBackup folder of your domain controller. This contains the BMR data. You can copy this data on to an external drive, plug that into your DC and perform a BMR restore.

     

    This is not recommend and should only be a last resort. You will want to find out what volume your DC’s BMR is being backed up to and record that information before your DC is down. You can do this by going to the Protection area….Expand the Protection Group in the DPM console, select the protected BMR data and in the lower pane click on “Click to view details” next to “Replica Path:”. This will pop-up a window with the path in it. You can copy this information.  Here is an example of what it will look like:

     

    Computer\System Protection\Bare Metal Recovery on SERVERNAME.DOMAIN.com      C:\Program Files\Microsoft DPM\DPM\Volumes\Replica\Non VSS Datasource Writer\vol_05ec9c78-7c84-407d-ad8f-0f94daaa6e6c\c73989f3-f150-41c8-a064-fb4c63994096\Full\C-Vol\


    My Blog | www.buchatech.com | www.dpm2010.com
    Friday, July 29, 2011 5:45 AM
    Moderator

All replies

  •    It is my understanding you cannot back up DCs with DPM.  We are using Windows native backup to create backups on each DC that dump to a disk on another server and that data is put to tape from that destination server.
    Thursday, July 28, 2011 2:47 AM
  • New user to dpm working great for me so far.   So I decided to test some disaster situations(Dead DC) walking thourgh the steps for documentaion purposes.   I am doing a BMR on my dc.

    I realized in creating a restore to folder for my BMR I would have to log in localy since with a DC I might not be able to log in with my domain account on the DPM server.

    As soon as I start the DPM Consol on the DPM server I get an event ID 3754. 

    3754  --

    DPM Administrator Console can be opened only by a user belonging to a domain.

    So dead DC no way to recover since I can not log into the DPM consol.    What mistake am I making with pactices?

     


    Eric
    Hi Eric,

    You should be able to log into the DPM server even with he DC down. You will need to use a domain account that has successfully logged onto the server at least one time before the DC went down. The domain credentials should be cached allowing you to login. See this article for some more info on cached domain creds: http://4sysops.com/archives/cached-domain-logon/ . Once logged in you should be able to do the BMR restore to a local folder. Then copy off to a removable drive bring it to the DC and do restore from there using Windows Server media. I have tested logging into DPM server with no communication to DC and I was able to open DPM.

    Let me know if you need more help.
    My Blog | www.buchatech.com | www.dpm2010.com
    Thursday, July 28, 2011 7:09 AM
    Moderator
  • I realize cached credentials would work but the disaster scenario I was working on.   Compromised Domain Accounts.    DC's are all up and running but all the domain addmins are locked out by a hacker/Disgruntled employee.    And for the sake are argument the DMP server was not formated.   So all I have is the local admin login on the DPM server.  Not saying its likly but planning for the worst and hoping for sunny days.
    Eric
    Thursday, July 28, 2011 12:42 PM
  • I realize cached credentials would work but the disaster scenario I was working on.   Compromised Domain Accounts.    DC's are all up and running but all the domain addmins are locked out by a hacker/Disgruntled employee.    And for the sake are argument the DMP server was not formated.   So all I have is the local admin login on the DPM server.  Not saying its likly but planning for the worst and hoping for sunny days.
    Eric

    Hi Eric,

    That would be a very bad situation. There would be a way to recover from it but it would not be easy. If you have the volumes that the DPM replicas are backed up to you can expose the drive in windows disk management. You do this by assigning it a drive letter. You should be able to do this no matter who you are logged in as and without needing the DPM admin console. You simply need to be able to see the volumes in Windows disk management. You can then drill down into the drive until you find the WindowsImageBackup folder of your domain controller. This contains the BMR data. You can copy this data on to an external drive, plug that into your DC and perform a BMR restore.

     

    This is not recommend and should only be a last resort. You will want to find out what volume your DC’s BMR is being backed up to and record that information before your DC is down. You can do this by going to the Protection area….Expand the Protection Group in the DPM console, select the protected BMR data and in the lower pane click on “Click to view details” next to “Replica Path:”. This will pop-up a window with the path in it. You can copy this information.  Here is an example of what it will look like:

     

    Computer\System Protection\Bare Metal Recovery on SERVERNAME.DOMAIN.com      C:\Program Files\Microsoft DPM\DPM\Volumes\Replica\Non VSS Datasource Writer\vol_05ec9c78-7c84-407d-ad8f-0f94daaa6e6c\c73989f3-f150-41c8-a064-fb4c63994096\Full\C-Vol\


    My Blog | www.buchatech.com | www.dpm2010.com
    Friday, July 29, 2011 5:45 AM
    Moderator
  • Hi Buchatech

    Thank you very much for you answer.   Hopefuly I will never need to access this part of my disatery recovery doc's.

     


    Eric
    Friday, July 29, 2011 12:28 PM
  • Hi Eric,

     

    NP. Yeah I hope you don’t ever have to go down that road.


    My Blog | www.buchatech.com | www.dpm2010.com
    Friday, July 29, 2011 3:24 PM
    Moderator
  • Hello Buchatech,

     

    Sorry to re-open this thread, but I have a question regarding your suggestion on accessing data directly from a DPM replica by adding a drive letter to it.....

     

    You mentioned that this is "not recomended and should only be a last resort".   Why is this the case?  Does adding a drive letter to a replica cause any negative side affects that we would need to be aware of?   If we were to copy what we needed out of the replica, then remove the drive letter, would that replica still be functional and accessible/writable in DPM? 

    We weren't aware that we could access data from within a DPM replica *without* having to use DPM for the restore.  We know using DPM is the Microsoft Supported way of doing this, but this information could be very important in the case of a disaster senario. 

    We are also currently trying to plan on disaster senarios using DPM at our company and are strugging with the same senario as the original poster:  If we need to re-build a DPM server (but still have the DPM replicas intact) and restoring the DPM Database from tape (or disk replica) how would we go about getting DPM back on line to do restores from the replica?

     

    If accessing data directly from the DPM replicas (by utilizing your drive letter suggestion) is a vialble option, this could dramatically change how we map out our disaster recovery senarios.   We just need to know what negative side-affects doing this could cause.   

    Any additional info you can provide on this would be much appreciated.

    Ted

    Monday, December 19, 2011 3:51 PM
  • Good question. Also wanting to see the answer for this.
    Tuesday, December 20, 2011 3:29 PM
  • I will Second it.
    Eric
    Wednesday, December 21, 2011 4:18 PM
  • Hello Buchatech,

     

    Sorry to re-open this thread, but I have a question regarding your suggestion on accessing data directly from a DPM replica by adding a drive letter to it.....

     

    You mentioned that this is "not recomended and should only be a last resort".   Why is this the case?  Does adding a drive letter to a replica cause any negative side affects that we would need to be aware of?   If we were to copy what we needed out of the replica, then remove the drive letter, would that replica still be functional and accessible/writable in DPM? 

    We weren't aware that we could access data from within a DPM replica *without* having to use DPM for the restore.  We know using DPM is the Microsoft Supported way of doing this, but this information could be very important in the case of a disaster senario. 

    We are also currently trying to plan on disaster senarios using DPM at our company and are strugging with the same senario as the original poster:  If we need to re-build a DPM server (but still have the DPM replicas intact) and restoring the DPM Database from tape (or disk replica) how would we go about getting DPM back on line to do restores from the replica?

     

    If accessing data directly from the DPM replicas (by utilizing your drive letter suggestion) is a vialble option, this could dramatically change how we map out our disaster recovery senarios.   We just need to know what negative side-affects doing this could cause.   

    Any additional info you can provide on this would be much appreciated.

    Ted

    Hi Ted,

    This is a great question. I see this is a popular question as well. I will do my best to answer it.

    There are no negative side effects that I have run into. I have added a drive letter on a few different DPM servers and then removed it later. DPM continues to operate normally. The not recommend part comes into play because Microsoft did not design the volumes in DPM's storage pool to have drive letters assigned to them. This is because it is intended for DPM to manage the storage and for us to interact with it via the DPM console. Keep in mind you can already access this data without even adding a drive letter through the Replica Path. These volumes exist as mount points here C:\Program Files\Microsoft DPM\DPM\Volumes\Replica\ but are not labeled in a easily readable format for humans. The DPM console does the mapping of these replicas to the data for us. There is third party application called dbeamer!DPM that does its own mapping. dbeamer!DPM is a utility that gives you a browser like experience to your protected data outside of DPM and it functions even if your DPM database and services are down (http://www.instavia.com/dbeamerdpm-for-it-administrators).

    In Regards to recovery as stated above simply make sure you can recover at least your domain controller and your DPM. This will get your DPM back up and running so you can recover the rest of your data.

    I hope that answers your questions.


    My Blog | www.buchatech.com | www.dpm2010.com
    Friday, December 23, 2011 9:10 AM
    Moderator