Install the DPM protection agent
Updated: May 13, 2016
Applies To: System Center 2012 SP1 - Data Protection Manager, System Center 2012 - Data Protection Manager, System Center 2012 R2 Data Protection Manager
You install the Protection Agent on computers and servers you want to protect using the Protect Agent Installation Wizard to install protection agents that are located outside of a firewall, and you can manually install protection agents on computers that are located behind a firewall, or that are located in a workgroup or a domain that does not have a two-way trust relationship with the domain that the System Center 2012 – Data Protection Manager (DPM) server is located in. After you install a protection agent manually, you then need to attach the agent in DPM Administrator Console to enable protection. To install protection agents on computers that are located behind a firewall, see Install the agent on a computer behind a firewall [DPM2012_Web]. To install protection agents on computers that are in a workgroup or a domain that does not have a two-way trust relationship with the domain that the DPM server is located in, see Install the agent on a computer in a workgroup or untrusted domain [DPM2012_Web].
Install the Protection Agent from the DPM console—Use this procedure to install the agent on computer outside a firewall or on a computer on which the firewall can be modified by the procedure to allow communication between the agent and the DPM server.
Install the Protection Agent manually—Use this procedure if the computer is behind a firewall thats block traffic between the agent and the DPM server, or if you encounter network or permission related issues.
Install the Protection Agent on computers in a workgroup on untrusted domain—In this scenario you’ll need to configure a certificate for authentication purposes and then install the agent. For more information see Back up and restore workloads in workgroups and untrusted domains.
Install the Protection Agent on a RODC— You can install the agent on a read-only domain controller (RODC). Note that if a firewall is enabled on the RODC, you must either turn the firewall off or run the following commands before installing the agent.
Install the Protection Agent using a server image— You can use a server image to install a protection agent without specifying the DPM server by using DPMAgentInstaller.exe. After the image is applied to the computer and the computer is brought online, you run SetDpmServer.exe to complete the configuration and create the firewall exceptions.
Install the Protection Agent using System Center Configuration Manager — You can use System Center Configuration Manager to install a DPM protection agent on targeted systems if you are familiar with application creation and deployment within System Center Configuration Manager. For more information about creating applications in Configuration Manager, see How to Create Applications in Configuration Manager.
In DPM Administrator Console, click Management > Agents. Click Install on the tool ribbon to open the Protection Agent Installation Wizard.
On the Select Agent Deployment Method page, click Install agents > Next.
On the Select Computers page, DPM displays a list of available computers that are in the same domain as the DPM server. Add the required computer.
The first time you use the wizard DPM queries Active Directory to get a list of available computers. After the first installation, DPM stores the list of computers in its database, which is updated once each day by the auto-discovery process.
To find a computer in another domain that has a two-way trust relationship with the domain that the DPM server is located in, you must type the fully qualified domain name of the computer that you want to protect (for example, <Computer1>.Domain1.contoso.com, where Computer1 is the name of the computer that you want to protect, and Domain1.contosa.com is the domain to which the target computer belongs.
The Advanced button page is enabled only when there is more than one version of a protection agent available for installation on the computers. You can use this option to install a previous version of the protection agent that was installed before you upgraded DPM server to a more recent version.
On the Enter Credentials page, type the user name and password for a domain account that is a member of the local Administrators group on all selected computers.
In the Domain box, accept or type the domain name of the user account that you are using to install the protection agent on the target computer. This account may belong to the domain that the DPM server is located in or to a domain that has a two-way trust relationship with the domain that the DPM server is located in.
If you’re installing a protection agent on a computer across a trusted domain, enter your current domain user credentials. You can be a member of any domain that has a two-way trust relationship with the domain that the DPM server and you must be member of the local Administrators group on all selected computers on which you want to install an agent.
If you select a node in a cluster, DPM detects all additional nodes in the cluster and displays the Select Cluster Nodes page.
On the Select Cluster Nodes page, select an option that you want DPM to use for installing agents on additional nodes in the cluster, and then click Next.
On the Choose Restart Method page, select the method to use to restart the selected computers after the protection agent is installed. The computer must be restarted before you can start protecting data. A restart is necessary to load the volume filter that DPM uses to track and transfer block-level changes between DPM server and the protected computers.
If you select to restart the computers later the protection agent installation status isn’t refreshed automatically on the Agents tab in the Management task area after the computer restart, and you’ll need to click Refresh Information.
Note that you don’t need to restart the computer if you are installing a protection agent on another DPM server.
If any of the computers that you selected are nodes in a cluster, an additional Choose Restart Method page appears that you can use to select the method to restart the clustered computers. You’ll need to install a protection agent on all nodes in a cluster to successfully protect the clustered data. The computers must be restarted before you can start protecting data. Because of the time required to start services, it might take a few minutes after a restart before DPM can contact the agent on the cluster.
DPM will not automatically restart a computer that belongs to a Microsoft Cluster Server (MSCS) cluster. You must manually restart computers in an MSCS cluster.
On the Summary page, click Install to begin the installation. If the EULA appears accept it for installation to start. On the Task tab of the Installation page you can see whether the installation is successful. You can click Close before the wizard is finished and monitor the installation progress in Agents tab in the Management task area. If the installation is unsuccessful, you can view the alerts in the Monitoring task area on the Alerts tab.
Note: After you install a protection agent on a computer that is part of a Windows SharePoint Services farm, each of the computers in the farm will not appear as protected computers on theAgents tab in the Management task area, only the computer that you selected. However, if the Windows SharePoint Services farm has data on the selected computer, DPM protects the data on all of the computers in the farm, provided all of them have the protection agent installed.
If you install the agent on a computer behind a firewall, you need to make sure that the agent can be pushed out through the firewall.
For example, you can run the following command on the computer to configure Windows Firewall: netsh advfirewall firewall add rule name="Allow DPM Remote Agent Push" dir=in action=allow service=any enable=yes profile=any remoteip=<IPAddress>, where IPAddress is the address of the DPM server.
To configure the ports exception on the firewall, see Configure firewall exceptions for the agent.
On the computer that you want to protect, open an elevated Command Prompt window, and then run the following commands:
To assign a drive letter, type:
net use Z: \\<DPMServerName>\c$
where Z is the local drive letter that you want to assign and <DPMServerName> is the name of the DPM server that will protect the computer.
To change the directory, do the following:
For a 64-bit computer type cd /d <assigned drive letter>:\Program Files\Microsoft DPM\DPM\ProtectionAgents\RA\3.0.<build number>.0\amd64** where <assigned drive letter> is the drive letter that you assigned in the previous step and <build number> is the latest DPM build number. For example: cd /d X:\Program Files\Microsoft DPM\DPM\ProtectionAgents\RA\3.0.7696.0\amd64
For a 32-bit computer type: cd /d
:Program FilesMicrosoft DPMDPMProtectionAgentsRA3.0. .0i386**
is the drive that you mapped in the previous step and is the latest DPM build number.
To install the protection agent open an elevated Command Prompt window, and then run one of the following commands:
For a 64-bit computer type: DpmAgentInstaller_x64.exe <DPMServerName>
where <DPMServerName> is the fully qualified domain name (FQDN) of the DPM server.For example: DPMAgentInstaller_x64.exe DPMserver1.contoso.com
For a 32-bit computer type: DpmAgentInstaller_x86.exe <DPMServerName>
where <DPMServerName> is the fully qualified domain name of the DPM server.
To perform a silent installation, you can use the /q option after the DpmAgentInstaller_x64.exe command.For example: DpmAgentInstaller_x64.exe /q <DPMServerName>
To accept the EULA manually in a silent installation use DpmAgentInstaller_x64.exe /q <DPMServerName> /IAcceptEULA
If you specify a DPM server name in the command line, it installs the protection agent, and automatically configures the security accounts, permissions, and firewall exceptions necessary for the agent to communicate with the specified DPM server. If you didn’t specify a server name, open an elevated Command Prompt on the targeted computer and do the following:
To change the directory type: cd /d <system drive>:\Program Files\Microsoft Data Protection Manager\DPM\bin
Type: SetDpmServer.exe –dpmServerName
. This configure security accounts, permissions, and firewall exceptions for the agent to communicate with the server.
If you added the computer to the DPM server before you installed the agent, the DPM server begins to create backups for the protected computer. If you installed the agent before you added the computer to the DPM server, you must attach the computer before the DPM server begins to create backups. See Attach the DPM protection agent.
Either turn the firewall off on the RODC or run the following commands on the RODC before you install the agent:
netsh advfirewall firewall set rule group="@FirewallAPI.dll,-29502" new enable=yes
netsh advfirewall firewall set rule group="@FirewallAPI.dll,-34251" new enable=yes
netsh advfirewall firewall add rule name=dpmra dir=in program="%PROGRAMFILES%\Microsoft Data Protection Manager\DPM\bin\DPMRA.exe" profile=Any action=allow
netsh advfirewall firewall add rule name=DPMRA_DCOM_135 dir=in action=allow protocol=TCP localport=135 profile=Any
On the primary domain controller, create and then populate the following security groups, where the protected server name is the name of the RODC on which you plan to install the protection agent:
Create a security group named DPMRADCOMTRUSTEDMACHINES$PSNAME, and then add the DPM server machine account as a member.
Create a security group named DPMRADMTRUSTEDMACHINES$PSNAME, and then add the DPM server machine account as a member.
Create a security group named DPMRATRUSTEDDPMRAS$PSNAME , and then add the DPM server machine account as a member.
Add the DPM server machine account as a member of the Builtin\Distributed Com Users security group.
Ensure that the security groups that you created earlier have replicated on the RODC. Then manually install the protection agent on the RODC.
On the RODC server, perform the following steps to grant launch and activation permissions for the DPMRA service:
Open DPM Management Shell, and then run the command dcomcnfg.exe.
The Component Services window opens.
In the Component Services window, expand Computers, expand My Computerexpand DCOM Config, right-click theDPM RA service, and then click Properties.
Click General, and then set the Authentication Level to Default.
Click Location, and then ensure that only Run application on this computer is selected.
Click Security, select Customize under Launch and Activation Permissions, select Customize, and then click Edit to open the Launch Permission dialog box.
In the Launch Permission dialog box, assign permissions for Local Launch, Remote Launch, Local Activation, and Remote Activation for the DPM server machine account.
Click OK to close the dialog box.
Navigate to %programfiles%\Microsoft System Center 2012 R2\DPM\DPM\setup on the DPM server, copy the following files to a folder on the RODC server.
On the RODC, from an elevated command prompt, run the command setagentcfg.exe a DPMRA domain\DPMserver from the location that you specified in the previous step.
On the RODC server, browse to the C:\Program Files\Microsoft Data Protection Manager\DPM\bin folder and run the setdpmserver command:
Setdpmserver -dpmservername DPMSERVER
Attach the protection agent to the DPM server. See Attach the DPM protection agent.
On the computer on which you want to install the protection agent, at a command prompt, type DpmAgentInstaller.exe.
Apply the server image to a physical computer, and then bring the computer online.
Join the computer to a domain, and then log on with a domain user account that is a member of the local Administrators group.
At a command prompt, go to cd <system drive letter>:\Program Files\Microsoft Data Protection Manager\bin, and run SetDpmServer.exe <dpm server name>.
Specify the fully qualified domain name (FQDN) for the DPM server. For the protected computer’s domain or for unique computer names across domains, specify only the computer name.
You must run SetDpmServer.exe from <drive letter>:\Program Files\Microsoft Data Protection Manager\bin. If you run the program from any other location, the operation will fail.
Attach the agent. See Attach the DPM protection agent.
To create an application for the DPM protection agent, you must provide the following to the Configuration Manager administrator:
A share path to the DpmAgentInstaller.exe and DpmAgentInstaller_AMD64.exe files.
A list of servers on which you want to install the protection agents.
The name of the DPM server.
The SCCM application for the agent should invoke one of the following command lines:
For x86 computers, run DPMAgentinstaller.exe /q
<FQDN DPM server name> /IAcceptEula .
For x64 computers, run DPMAgentInstaller_x64.exe /q
To install an X64 protection agent using SCCM:
Create an application that runs DPMAgentinstaller_x64.exe /q
<FQDN DPM server name> /IAcceptEula .
Create a computer collection of target systems that use the same agent type for every DPM server. Target the application to systems that will be mapped to the specified DPM computer.