DPM 2019 - Secondary server doesn't see Protected Servers from primary

  • Question

  • Hi,

    We have the following scenario:

    [workgroup_vm1]  --> [dpm1]  <---- VPN & DPMs--are-in-same-domain---> [dpm2]  <-- [workgroup_vm2]

    dpm1 backs up workgroup_vm1 (it works)

    dpm2 backs up workgroup_vm2 (it works)

    The goal with DPM2 is to take backup of DPM1, including content of replicas stored on dpm1.   DPM2 doesn't have access to workgroup_vm1 (untrusted machine).

    According to the MS documentation that should work.  DPM1 "agent" has been added to Management section of DPM2.  Same for DPM2 in DPM1 management.

    Problem is:  when I create a protection group from DPM2 to Protect DPM1 replicas,  "Protected Servers" is not listed. 

    I tried recreating all PGs on DPM1 (retain data), rebooted all servers, and tried check-productionserver.ps1. No luck, I never see DPM1 Protected Servers.

    Wednesday, July 8, 2020 7:43 PM

Answers

  • Hi,

    A secondary DPM can protect a primary DPM server as long as both primary and secondary DPM servers are in the same or trusted domain.

    DPM does not support secondary protection of computers that are in a workgroup or untrusted domain.

    In your case I would suggest backing up the primary DPM server's database & workloads to Azure, this also works as a disaster recovery.

    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com

    Wednesday, July 8, 2020 9:34 PM

All replies

  • Hi Chris,

    If Workgroup_VM1 is protected from DPM 1 using NTLM authentication, then you won't be able to have secondary protection for this datasource. The secondary DPM also makes sure that the protected servers on the primary DPM server are also reachable from the secondary DPM server.

    In NTLM authentication, the primary DPM uses a local username and password (available on the primary DPM local user and PS) to authenticate the protected server, and since the secondary DPM is not aware of, and does not have access to, the local ID and password for the Workgroup_VM1 protection, it cannot protect its replica under the primary DPM server.

    So you can opt for cert-based authentication to leverage secondary protection.

    Note: However, you should still see Protected Server when you enumerate the primary DPM server from the secondary DPM's UI, but it won't let you protect the workgroup server replicas.


    Wednesday, July 8, 2020 8:03 PM
  • Thanks for your reply. I tried certificate authentication too. But in that case, DPM2 still doesn't have network access to vm1.

    I think there is confusion with the secondary DPM. In my case I don't want the secondary DPM to provide protection for workgroup_vm1 in case DPM1 is unavailable. I'm looking for a DR scenario where I lose the primary site (vm1 and dpm1). In that case I want to be able to recreate vm1 from DPM2.   Where the need to have backup of the replicas stored from DPM1.  Is that possible?

    Wednesday, July 8, 2020 8:14 PM
  • Well, if your secondary DPM doesn't have network access to VM1 then it won't let you complete the wizard. During the PG creation, it will try to connect to VM1, and if it fails to connect, the PG creation wizard will error out with some Access denied or with some generic error.

    You can opt for online backup, or take backups to tape and ship the tapes to an offsite location for DR.


    Wednesday, July 8, 2020 8:45 PM
  • Hi,

    A secondary DPM can protect a primary DPM server as long as both primary and secondary DPM servers are in the same or trusted domain.

    DPM does not support secondary protection of computers that are in a workgroup or untrusted domain.

    In your case I would suggest backing up the primary DPM server's database & workloads to Azure, this also works as a disaster recovery.

    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com

    Wednesday, July 8, 2020 9:34 PM
  • Ah, so that makes sense if I don't see the Protected Servers listing. The DPMs are in the same domain, but they protect only untrusted servers. Too bad DPM doesn't cover this scenario well. I thought it was quite simple and straightforward, DPM to DPM backup, nothing else involved.

    So when you say "secondary DPM can protect a primary DPM server as long as both primary and secondary DPM servers are in the same or trusted domain.", the statement is in line with the documentation, but it's just half true (and misleading), as the type of protected computers on DPM makes the solution viable (domain joined and accessible servers) or not supported (untrusted computers).

    Thanks again for the clarification!


    • Edited by Chris Rousseau Wednesday, July 8, 2020 11:11 PM correction
    Wednesday, July 8, 2020 11:10 PM
  • Yes it can be misleading, they should add a "star" stating something like:

    *DPM does not support secondary protection of computers that are in a workgroup or untrusted domain.

    Anyhow, I hope this answers your question. If you have any further questions, do not hesitate to ask.

    (Please also mark helpful replies as answer, thanks!)


    Blog: https://thesystemcenterblog.com


    • Edited by Leon Laude Wednesday, July 8, 2020 11:16 PM
    Wednesday, July 8, 2020 11:16 PM
  • Hi, 

    I would like to clarify the statement quoted as "DPM does not support secondary protection of computers that are in a workgroup or untrusted domain": this is not true. You can have secondary protection of a datasource which is in an untrusted domain/workgroup using certificate authentication, provided that you have network accessibility between the secondary DPM and the protected server. Read here and  here for more information.

    Following workloads/scenarios are supported using certificate based authentication:


    1. SQL Server

    2. File Server

    3. Hyper-V Server

    4. Clustered Backed (For all of the above workloads)

    5. Secondary DPM Server (for DR)

    Please note that the primary DPM server and secondary DPM server need to be in the same domain or mutually trusted domains. Certificate-based authentication between primary and secondary DPM servers is not supported. This is because we must push the DPM agent from the secondary DPM's UI so that it can set the DCOM permissions on the primary DPM server and update some necessary SQL tables. When the agent is pushed from the UI, it will automatically use Kerberos authentication, so there is no supported way to configure certificate-based authentication between the primary and secondary DPM servers.


    Thursday, July 9, 2020 6:08 AM
  • Yes, you will need to use certificate-based authentication for the protected machines that are located in a workgroup/untrusted domain; then that will work for secondary protection.

    To make things easier to understand, I created a Visio of how this scenario can work:


    Blog: https://thesystemcenterblog.com

    Thursday, July 9, 2020 8:27 AM