Deployment Best Practices

Applies To: Data Protection Manager, System Center Data Protection Manager 2007

This topic describes best practices related to the deployment of System Center Data Protection Manager (DPM) 2007.

DPM 2007 System Requirements

  • Before you install System Center Data Protection Manager (DPM) 2007, you need to ensure that the DPM server and the computers and applications it is going to protect meet network and security requirements. You must also ensure that they are running on supported operating systems and that they meet the minimum hardware and software requirements.

    For information about DPM 2007 System Requirements, see DPM 2007 System Requirements (https://go.microsoft.com/fwlink/?LinkId=108683).

Network Requirements

  • If you are protecting data over a wide area network (WAN), there is a minimum network bandwidth requirement of 512 kilobits per second (Kbps).

Hardware Requirements

  • We recommend that you install DPM on a 64-bit machine.

  • You can install DPM on the same volume that the operating system is installed on, or you can install DPM on a different volume that does not include the operating system. However, you cannot install DPM on the disk that is dedicated to the storage pool, which is a set of disks on which the DPM server stores the replicas and recovery points for the protected data.

  • If you have critical data that you want to store, you can use a high-performance logical unit number (LUN) on a storage area network rather than the DPM-managed storage pool.

Software Requirements

  • DPM is designed to run on a dedicated, single-purpose server that cannot be either a domain controller or an application server.

  • To administer multiple DPM servers remotely, install DPM Management Shell on computers other than the DPM server.

Installing DPM 2007

  • You must properly configure Windows Server 2003 to support a DPM 2007 installation. For more information about installing Windows Server 2003, see How to Install Windows Server 2003 (https://go.microsoft.com/fwlink/?LinkID=100243).

  • DPM 2007 requires a clean installation of DPM. Before you install DPM 2007, you must first uninstall System Center Data Protection Manager 2006 (DPM 2006) and its associated prerequisite software, as well as any previous versions of DPM. Because of the architectural differences between DPM 2006 and DPM 2007, you cannot directly upgrade a computer running DPM 2006 to DPM 2007. However, DPM 2007 includes an upgrade tool that enables you to migrate your DPM 2006 protection group configurations to DPM 2007.

    For more information about upgrading from DPM 2006 to DPM 2007, see Upgrading DPM 2006 to DPM 2007 (https://go.microsoft.com/fwlink/?LinkId=66737).

  • If you choose to install DPM or prerequisite software products from a shared folder, DPM Setup adds the Universal Naming Convention (UNC) path of the shared folder to the Internet Explorer local intranet security zone for the duration of the installation.

  • You cannot install DPM 2007 on the same computer on which your Microsoft Exchange Server is running.

  • You can install DPM only on a local drive, and you cannot install it in read-only folders, in hidden folders, or directly to local Windows folders such as Documents and Settings or Program Files. (DPM can, however, be installed to a subfolder of the Program Files folder.)

  • After installation is complete, apply all available Windows Server 2003 service packs and updates. All Windows updates are available from Microsoft Windows Update (https://go.microsoft.com/fwlink/?LinkID=451).

Use a Remote Instance of SQL Server

  • Whether you use a remote instance of Microsoft SQL Server or install the dedicated instance of SQL Server for DPM, we recommend a clean installation of SQL Server with the following settings:

    • Default failure audit setting.

    • Default Windows Authentication mode.

    • Assign a strong password to the sa account.

    • Enable password policy checking.

    • Install only the SQL Server Database Engine and Reporting Services components.

    • Run SQL Server by using the least-privileged user account.

  • If SQL Server Reporting Services is installed on a remote SQL Server, DPM Setup will use that Reporting Service. If SQL Server Reporting Services is not installed on the remote computer running SQL Server, you must install and configure the service on the remote computer running SQL Server before continuing with DPM Setup.
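
A read-only way to check three of the settings listed above (authentication mode, login auditing, and password policy checking for sa) on an existing instance. This is an added example, not part of the original topic. The instance name is a placeholder, the script assumes an account with administrative rights on the instance, and it does not check the installed components or the service account.

```powershell
# Added example (not from the original topic): read-only check of a SQL Server
# 2005 instance against three of the recommended settings.
param([string]$Instance = 'SQLHOST\DPMINSTANCE')   # placeholder instance name

$query = @'
SET NOCOUNT ON;
CREATE TABLE #cfg (name sysname, config_value sysname NULL);
INSERT INTO #cfg EXEC master.dbo.xp_loginconfig;

SELECT 'Authentication mode' AS setting,
       CASE CONVERT(int, SERVERPROPERTY('IsIntegratedSecurityOnly'))
            WHEN 1 THEN 'Windows' ELSE 'Mixed' END AS actual,
       'Windows' AS expected
UNION ALL
SELECT 'Login auditing', config_value, 'failure'
FROM #cfg WHERE name = 'audit level'
UNION ALL
-- sid 0x01 identifies the sa login even if it has been renamed
SELECT 'sa password policy check',
       CASE is_policy_checked WHEN 1 THEN 'enabled' ELSE 'disabled' END,
       'enabled'
FROM sys.sql_logins WHERE sid = 0x01;

DROP TABLE #cfg;
'@

# Windows Authentication is used for the connection itself.
$conn    = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Integrated Security=SSPI")
$adapter = New-Object System.Data.SqlClient.SqlDataAdapter($query, $conn)
$table   = New-Object System.Data.DataTable
[void]$adapter.Fill($table)      # Fill opens and closes the connection itself
$conn.Dispose()

$failed = 0
foreach ($row in $table.Rows) {
    $ok = ($row.actual -eq $row.expected)
    $status = 'FAIL'
    if ($ok) { $status = 'OK' } else { $failed++ }
    '{0,-5} {1,-26} actual={2} expected={3}' -f $status, $row.setting, $row.actual, $row.expected
}
# Non-zero exit code lets a deployment checklist or scheduler flag the drift.
if ($failed -gt 0) { exit 1 }
```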

DPM Server Software Requirements

Using a Remote Instance of SQL Server

  • To use an instance of SQL Server on a remote computer, run sqlprep.msi, which is located on the DPM product DVD in the DPM2007\msi\SQLprep folder.

  • Verify that the user account you will be using to run the SQL Server service and the SQL Server Agent service has read and execute permissions to the SQL Server installation location.

  • The remote instance of SQL Server cannot be on a computer that is running as a domain controller.

Protected Computer Requirements

  • Each computer that DPM 2007 protects must meet the protected computer requirements.

    For information about all protected computer requirements, see Protected Computer Requirements (https://go.microsoft.com/fwlink/?LinkId=100473).

  • Protected volumes must be formatted as an NTFS file system. DPM cannot protect volumes formatted as FAT or FAT32.

    To simplify recovery in the event of system partition failure, install DPM to a partition that is separate from the system partition. Also, the volume must be at least 1 gigabyte (GB) for DPM to protect it. DPM uses the Volume Shadow Copy Service (VSS) to create a snapshot of the protected data, and VSS will create a snapshot only if the volume size is greater than or equal to 1 GB.

  • Before you install protection agents on the computers you are going to protect, you must apply hotfix 940349. For more details, see Microsoft Knowledge Base article 940349, "Availability of a Volume Shadow Copy Service (VSS) update rollup package for Windows Server 2003 to resolve some VSS snapshot issues" (https://go.microsoft.com/fwlink/?LinkId=99034).

    After installing hotfix 940349 and restarting the DPM server and/or the protected server, we recommend that you refresh the protection agents in DPM Administration Console.

    To refresh the agents, in the Management task area, click the Agents tab, select the computer, and then in the Actions pane, click Refresh information. If you do not refresh the protection agents, Error ID: 31008 might appear because DPM refreshes the protection agents only every 30 minutes.

Protection for computers running SQL Server 2005 Service Pack 1 (SP1)

  • You must start the SQL Server VSS Writer Service on computers running SQL Server 2005 SP1 before you can start protecting SQL Server data.

    The SQL Server VSS Writer Service is turned on by default on computers running SQL Server 2005. To start the SQL Server VSS Writer Service, in the Services console, right-click SQL Server VSS writer, and then click Start.

Protection for computers running Exchange Server 2007

Protection for computers running Virtual Server

Protection for computers running Windows SharePoint Services

  • Before you can protect Windows SharePoint Services (WSS) data, you must do the following:

    • Install Knowledge Base article 941422, "Update for Windows SharePoint Services 3.0" (https://go.microsoft.com/fwlink/?LinkId=100392).

      Note

      You must install Knowledge Base article 941422 on all protected servers on which Windows SharePoint Services 3.0, Microsoft Office SharePoint Server 2007, and Microsoft Office SharePoint Server 2007 SP1 are installed.

    • Start the WSS Writer service on the WSS Server and then provide the protection agent with credentials for the WSS farm.

    • Update the instance of SQL Server 2005 to SQL Server 2005 SP2.

Repairing DPM 2007

  • In most cases, you do not need to uninstall the DPM prerequisite software to reinstall DPM. However, if the Microsoft SQL Server 2005 binaries become corrupted, you might need to uninstall and reinstall SQL Server 2005 as well.

  • You do not need to uninstall the protection agents from the protected computers to reinstall DPM.

  • Before starting a reinstallation of DPM 2007, we strongly recommend that you archive the DPM database, Report database, and replicas to tape or other removable storage medium. For instructions, in the DPM Operations Guide, see Disaster Recovery (https://go.microsoft.com/fwlink/?LinkId=91860).

Uninstalling DPM 2007

  • If you plan to retain your existing data protection configuration after uninstalling DPM, disable end-user recovery on the DPM server and run synchronization jobs for each data source in your protection groups before you start the uninstallation. These steps help ensure that users to whom you deny access to files on the server cannot access the replicas of those files on the DPM server.

  • After you uninstall the DPM system requirements, you must restart the computer to complete the uninstall.

Configuring DPM 2007

  • Before you can start protecting data by using System Center Data Protection Manager (DPM) 2007, you must verify that each computer that DPM is going to protect meets the protected computer software requirements.

    For information about the DPM 2007 software requirements, see Software Requirements (https://go.microsoft.com/fwlink/?LinkId=100242).

  • To successfully protect your data using DPM 2007, you must complete the following configuration tasks:

    • Add one or more disks to the storage pool. (DPM does not support USB/1394 disks.)

      Adding a disk to the storage pool is not a requirement if you are going to use custom volumes to protect your data sources or if you are going to use disk-to-tape protection only.

      DPM cannot use space in any pre-existing volumes on disks added to the storage pool. Although a pre-existing volume on a storage pool disk might have free space, DPM can use only space in volumes that it creates. To make the entire disk space available to the storage pool, delete any existing volumes on the disk, and then add the disk to the storage pool.

    • Configure tape libraries and stand-alone tape drives if you want to protect data on tape.

    • Install a protection agent on each computer that you want to protect.

    • Start and configure the Windows SharePoint Services VSS Writer Service (WSS Writer service), and provide farm administration credentials for the protection agent.

      Perform this task only if you are protecting server farms on servers running Windows SharePoint Services 3.0 or Microsoft Office SharePoint Server 2007.

    • Create one or more protection groups.

Configuring Tape Libraries

  • You use the Rescan operation on the Libraries tab to check for and refresh the state of all new tape libraries and stand-alone tape drives when you make changes to your hardware.

    If the stand-alone tape drives listed on the Libraries tab in DPM Administrator Console do not match the physical state of your stand-alone tape drives, in the DPM 2007 Operations Guide see Managing Tape Libraries (https://go.microsoft.com/fwlink/?LinkId=91964). For example, if drives from a tape library are listed as stand-alone tape drives, or if a stand-alone tape drive displays incorrectly as a drive in a tape library, you need to remap the tape drive information.

Installing and Configuring Protection Agents

  • DPM supports protecting computers across domains within a forest; however, you must establish a two-way trust across the domains. If there is not a two-way trust across domains, you must have a separate DPM server for each domain. DPM 2007 does not support protection across forests.

    If a firewall is enabled on the DPM server, you must configure it to allow DPM traffic: open port 135 to Transmission Control Protocol (TCP) traffic, and enable the DPM service (Msdpm.exe) and the protection agent (Dpmra.exe) to communicate through the firewall.

Configuring Windows Firewall on the DPM Server

  • If Windows Firewall is enabled on the DPM server when you install DPM, DPM Setup configures the firewall automatically.

    You must open port 5718 to enable communication with the agent coordinator and port 5719 to enable communication with the protection agent.
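
The firewall openings described in the two sections above, written as an added example (not from the original topic) for the `netsh firewall` context of Windows Firewall on Windows Server 2003. The bin folder and the addresses are placeholders, TCP for ports 5718 and 5719 is an assumption, and the custom scope is an added hardening choice that assumes only the listed protected computers need to reach the DPM server.

```powershell
# Added example (not from the original topic). Prints the netsh commands by
# default; run with -Apply in an administrative shell on the DPM server to
# execute them.
param([switch]$Apply)

# Placeholders: adjust for your environment.
$DpmBin  = '<DPM installation folder>\bin'   # folder that holds Msdpm.exe and Dpmra.exe
$Allowed = '192.0.2.10,192.0.2.11'           # constructed protected-computer addresses

# Openings named in the topic. TCP for 5718 and 5719 is an assumption.
$ports = @(
    @{ Port = 135;  Name = 'DPM-RPC-135' },
    @{ Port = 5718; Name = 'DPM-AgentCoordinator-5718' },
    @{ Port = 5719; Name = 'DPM-ProtectionAgent-5719' }
)
$programs = @(
    @{ Exe = 'Msdpm.exe'; Name = 'DPM-Service' },
    @{ Exe = 'Dpmra.exe'; Name = 'DPM-ProtectionAgent' }
)

# Custom scope limits each exception to the listed addresses instead of any source.
$scope = @('mode=ENABLE', 'scope=CUSTOM', "addresses=$Allowed")

$commands = @()
foreach ($p in $ports) {
    $commands += ,(@('firewall', 'add', 'portopening', 'protocol=TCP',
                     "port=$($p.Port)", "name=$($p.Name)") + $scope)
}
foreach ($g in $programs) {
    $path = "$DpmBin\$($g.Exe)"
    $commands += ,(@('firewall', 'add', 'allowedprogram',
                     "program=$path", "name=$($g.Name)") + $scope)
}

foreach ($c in $commands) {
    # Quote arguments that contain spaces so the printed line can be pasted as-is.
    $shown = $c | ForEach-Object { if ($_ -match ' ') { '"' + $_ + '"' } else { $_ } }
    $line  = 'netsh ' + [string]::Join(' ', $shown)
    if (-not $Apply) { $line; continue }
    & netsh $c
    if ($LASTEXITCODE -ne 0) { Write-Error "Failed: $line"; exit 1 }
}
```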

Installing Protection Agents

Clustered Data

  • You must install the protection agent on all nodes of the server cluster to successfully protect the clustered data. The servers must be restarted before you can start protecting data. This restart is necessary to ensure that the protection agent is installed correctly. Because of the time required to start services, it might take a few minutes after a restart is complete before DPM can contact the server.

    DPM will not restart a server that belongs to Microsoft Cluster Server (MSCS). You must manually restart a server in an MSCS cluster.

Starting and Configuring the WSS Writer Service

  • Before you can start protecting server farms on servers running Windows SharePoint Services 3.0 or Microsoft Office SharePoint Server 2007, you must start and configure the Windows SharePoint Services VSS Writer Service (WSS Writer service).

    If your Windows SharePoint Services farm has multiple Web Front End (WFE) servers, you must select only one WFE server when you configure protection in the Create New Protection Group Wizard.

    You must rerun ConfigureSharepoint.exe whenever the Windows SharePoint Services farm administrator password changes.

Creating Protection Groups

  • To use DPM Administrator Console, you must be logged on to a DPM server with an account that has administrative privileges on that server.

    Before you can start protecting data, you must create at least one protection group. For guidelines about protection groups, in Planning a DPM 2007 Deployment, see Planning Protection Groups (https://go.microsoft.com/fwlink/?LinkId=91849).

Long-Term Protection

  • On a stand-alone tape drive, for a single protection group, DPM uses the same tape for daily backups until there is insufficient space on the tape. For multiple protection groups, DPM requires separate tapes. Therefore, we recommend that you minimize the number of protection groups that you create if you are using a stand-alone tape drive for your backups.

Replica Creation

  • We recommend that you choose to manually create the replica when synchronizing large amounts of data across a slow WAN connection for the first time. For more information about manual replica creation, in the DPM 2007 Operations Guide, see "Creating Replicas Manually" in Managing Performance (https://go.microsoft.com/fwlink/?LinkId=91859).

    If you choose manual replica creation, you must know the details of the source (protected server) and the replica path (DPM server). It is critical that you retain the same directory structure and properties, such as time stamps and security permissions, for the data that you are protecting.

Subscribing to Alert Notifications

  • You can configure System Center Data Protection Manager (DPM) 2007 to notify you by e-mail of critical, warning, or informational alerts, and the status of instantiated recoveries.

    Before you can subscribe to notifications, you must configure the Simple Mail Transfer Protocol (SMTP) server that you want DPM to use to send the notifications. For instructions, see Configuring the SMTP Server.

Co-existing with Other Backup Applications

If you want DPM to co-exist with other backup applications (for example, while you are evaluating DPM, but still want to continue backups with your existing solution), we recommend that you adhere to the following guidelines.

DPM 2007 can co-exist with other SQL Server backup applications as long as the other backup applications perform only full backups. Only one application at a time can perform log backups on a SQL Server database. Therefore, administrators should ensure that they do full backups only with other backup applications. Full backups do not impact the log chain in any way, and therefore DPM backups can continue without any problems.