System Center Data Protection Manager backup to Windows Azure

At %dayjob% we have been using Microsoft Data Protection Manager since 2007 and we are currently at DPM 2012 SP1 level (not the new R2 release).

One of the new features is being able to backup to Windows Azure as an option. We had looked at cloud backup in the past with Iron Mountain but at the time the pricing was prohibitive. Now with Azure we can store 5Gb a month in the cloud for free so it was worth dipping our toes in.

First things first is to create and account on the Windows Azure website – this takes all of 5 minutes and after handing over credit card details for any data over the 5Gb I was away.

Next step is to create the certificate that we are going to use to validate that the DPM server is trusted by Azure. The documentation goes on about using MakeCert.exe from the Windows SDK but as we have a Domain Certificate Authority I decided to try to use that instead. The problem was there appears to be no information from Microsoft on how to achieve this – in fact all documentation from Microsoft about getting Azure to connect to on-prem stuff is very poor IMHO.

First we have to create a certificate template that matches what you need according to the documentation:
http://msdn.microsoft.com/en-us/library/dn169036.aspx
http://www.microsoft.com/en-us/download/details.aspx?id=34608

• The certificate should be an x.509 v3 certificate.
• The key length should be at least 2048 bits.
• The certificate must have a valid ClientAuthentication EKU.
• The certificate must be currently valid with a validity period that does not exceed three years. You must specify an expiry date; otherwise, a default setting that is valid for more than three years will be used.

First thing was to create a certificate template that fits the above requirements. To do this I connect to our Domain CA and opened the Certificate Templates Console.

Within here I duplicated the Web Server template. And hit my first stumbling block. When duplicating the following screen comes up:



And being a modern man I though – lets use Windows Server 2008…..

That was a mistake, later when I was attempting to use the that certificate  I generated to connect to Azure I was getting errors that the certificate specified was not associated with any backup vaults:



After checking the Agent logs in: Program Files\Windows Azure Backup Agent\Temp\ CBEngineCurr.errlog
I saw the following line:

WARNING --->System.Security.Cryptography.CryptographicException: Invalid provider type specified.

This turns out to be a problem if the software (I’m guessing the Agent) can not understand the newer CA versions (http://serverfault.com/questions/475525/the-private-key-for-the-certificate-that-was-configured-could-not-be-accessed)

So at this point – choose Windows Server 2003 Enterprise.

Give the new Template a name and make a note of it – you’ll need this later.
Choose to Publish the Certificate in Active Directory




Under Extensions -> Application Policies add in client authentication (http://social.technet.microsoft.com/Forums/windowsserver/en-US/0e039144-1cf2-4370-a0a8-0f4e8ca4aff4/problem-issuing-web-server-certificate-with-enhanced-key-usage?forum=winserversecurity)



At this point you want to take a walk, or do something so that the Template has time to get replicated into Active Directory. Make a coffee/leave for the weekend this will all depend on the size of your Active Directory estate.

Now on the DPM server we want to create a certificate. To do this we are going to use certreq  (http://technet.microsoft.com/library/cc725793.aspx)

I created a request.inf file with the following parameters:

[NewRequest]
Subject = "CN=SERVERNAME.DOMAIN.local"
ExportableEncrypted = TRUE
KeyLength = 2048
[RequestAttributes]
CertificateTemplate="DPMCertificate"

Note that the Certificate Template to use is the one I told you to make a note of earlier.

Now from a command line: certreq –new
And select the inf file you created earlier
(if at this point you get an error “Template not found.  Do you wish to continue anyway?” then either your template name is wrong or its not yet available in the certificate authority.)
Save the resulting request file.

From the command line type: certreq –submit
Select your certificate authority (if applicable) and then save the resulting Certificate file.

This Certificate file is what we need to submit to Azure so remember where it is saved.

We might as well upload the certificate into the local machine personal store now so it appears here:




I now switched back to my Azure account and started to provision my cloud storage, this part I had to research a little to find which would be the best region to place the store at.



After a bit of Binging I choose North Europe based on http://www.robblackwell.org.uk/2011/04/12/azure-northern-europe-is-dublin-and-western-europe-is-amsterdam.html (as an aside you can see your fastest connection at a point in time by using http://azurespeedtest.azurewebsites.net/)

Click Create Vault.


After a bit of flashing, whizzing and popping we get a new backup vault under recovery services



Clicking on the vault name you created earlier takes you to this page where you can upload the certificate (Manage Certificate):



We get another nice flashy upload graphic



If you certificate is invalid for some reason you’ll get an error which will help you to correct the problem and create a new one (I saw this a lot!):



Once you have a good certificate:




Now to download the DPM agent:


The agent can be downloaded from: http://go.microsoft.com/fwlink/?LinkId=288905

Now for some install screens (I'm sure if you've read this far you know how to click Next and Finish)
 



 









 
 
Once the Agent is installed and patched to the latest version (Windows Update). Then you can go on with the configuration within the DPM Console, click Online and then Register:



Click the browse button and any valid certificates are shown – select the one that corresponds to the one you uploaded (if need be compare the thumbprints)





Once the certificate has been compared to other certificates on Azure then your associated backup vault should then become visible:

(if at this stage you are getting errors then it could be proxy authentication  - check the agent error log again).

Now we get the chance to add in a proxy server (hey Microsoft – how about you do this earlier so we don’t get proxy authentication issues!)

Much like when we are setting up servers to backup we get the chance to choose how much bandwidth we give over to DPM:

We now need to choose where restores will go if/when we want to restore from Azure:

At this stage you create the Passphrase that DPM will encrypt your backup with before it is sent to the cloud. You can click generate passphrase and then Microsoft will helpfully give you a nice 36 digit GUID to use or you can generate your own by mashing the keyboard!
 

Success:
 
 
You now need to add online protection to a supported datasource within DPM and perfom a cloud backup. Once the backup is complete you can see from the Azure Management Portal the amount of data being held:
 
This information is also available in the DPM console:
 
I hope that someone finds this information helpful, the pricing of Azure Storage makes this a very attractive option for having an cold offsite backup and I look forward to more DPM workloads being supported in the future (hint SharePoint).
 
Comments as always are very welcome.
 
Update 22/10/2014: You no longer need to do the certificate creation according to this document: http://azure.microsoft.com/blog/2014/09/11/getting-started-with-azure-backup


No comments:

Post a comment