Manage VMware with DPM

 

Updated: November 4, 2016

This article explains how to configure VMware for DPM protection. Once Update Rollup 11 is installed, configure the VMware credentials and establish a secure connection between DPM and the VMware vCenter Server or VMware vSphere Hypervisor (ESXi) server. If you use both vCenter Server and ESXi server, configure only vCenter Server to work with DPM. You don't need to add ESXi servers to DPM.

To manage a VMware server, DPM needs valid credentials for that server.

Credential Management

DPM does not use an agent to communicate with a VMware server. Instead DPM uses a user name and password credential to authenticate its remote communication with the VMware server. Each time DPM communicates with a VMware server, DPM must be authenticated. As it can be necessary to change credentials, and a data center can have multiple vCenter servers requiring unique credentials, tracking these credentials can be a problem. However, DPM has a Manage VMware Credentials feature to securely store and manage credentials.

Note the following details about credentials.

  • One credential can be used to authenticate multiple VMware servers.

  • Once credential details, such as Description, User name, or Password, are updated, DPM uses these credentials to communicate with all VMware servers.

  • A credential can be deleted only if it is not being used to authenticate a VMware server.

To open the Manage VMware Credentials feature

  1. In the DPM Administrator Console, click Management.

  2. In the list of assets to manage, click Production Servers.

  3. In the tool ribbon, click Manage VMware Credentials.

    The Manage Credentials dialog opens. Using the Manage Credentials dialog, you can add, update, or delete credentials.

    See the following sections for detailed information on adding, updating, or deleting credentials.

Add VMware server credentials

You add a credential to the DPM server so you can pair it with the credential on the VMware server. Remember, the credential on the DPM server must be identical to the credential on the VMware server. To add a credential, in the Manage Credentials dialog:

  1. Click Add.

    The Add Credential dialog opens.

  2. Type your information in the Name, Description, User name, and Password fields. Once you've added text in the required fields, the Add button becomes active.

    • Name is what appears in the Credential column of the Manage Credentials dialog. Name is a required field and is the identifier for the credentials. This field cannot be edited later. If you want to change the name of a credential, you must add a new credential.

    • Description is descriptive text or an alternate name so you can recognize or distinguish the credentials in the Manage Credentials dialog. The Description text is an optional field and appears in the Description column of the Manage Credentials dialog.

    • User name and Password are the user name and password for the user account used to access the server. Both fields are required.

  3. Click Add to save your new credentials.

    Once you have created credentials, you can use them to authenticate with a VMware server.

Update VMware server credentials

Most organizations need to update credentials for security reasons or because of personnel changes. When VMware server credentials are changed, the credentials used by DPM also need to be updated. If a VMware server's credentials have changed (that is, the user name and password have been changed), you need to add matching credentials in DPM.

Once you have matching credentials in DPM, update the VMware server credentials using the following steps:

  1. In the DPM Administrator console, click Management.

  2. In the list of assets to manage, click Production Servers.

  3. In the list of computers, select the VMware Server whose credentials need to be updated.

    In the example image, demovcenter1.Contoso.com is the VMware server with broken credentials.

    [Image: VMware server with broken credentials]

  4. On the Administrator Console tool ribbon, click Change Settings.

    The Change Settings dialog opens. It displays all credentials on the DPM server. In the example image, demovcenter_002 is the DPM credential to pair with demovcenter1.Contoso.com.

    [Image: Change Settings dialog]

  5. From the list, select the credential on the DPM server to match the VMware credential and click Update.

    In the image, notice demovcenter_002 authenticates a production server, and demovcenter1.Contoso.com is now protected.

    [Image: updating broken credentials for VMware]

Delete VMware server credentials

When you delete credentials, you are removing the credential from the list on the DPM server. To prevent accidentally breaking authentication between DPM and VMware, DPM won't allow you to delete a credential being used to authenticate a production server.

To delete a credential

  1. In the System Center 2012 R2 DPM Administrator Console, click Management, click Production Servers, and in the tool ribbon, click Manage VMware Credentials.

    The Manage Credentials dialog opens.

  2. In the Manage Credentials dialog, select the credential. Make sure the credential is not associated with any Production Servers.

  3. Click Delete to remove the credential from the list.

Setting up secure communication between DPM and a VMware server

DPM communicates with the VMware server securely over an HTTPS channel. To create the secure communication, install a trusted certificate on both the VMware server and DPM server. If the connection to your vCenter is not secure, you can secure it by installing a certificate on the DPM server. Use the same certificate to make a secure connection with the VMware server.

To verify there is a secure communication channel between DPM and vCenter, open a browser on the DPM server and access the VMware server. If you are using Chrome and you do not have a valid certificate, you will see the strikethrough in the URL, like this:

[Image: certification error in Chrome browser]

Or, if you are using Internet Explorer and you do not have a valid certificate, you will see this message when you access the URL:

[Image: VMware certificate error in Internet Explorer]

To fix the error, install a valid certificate on the DPM server and the VMware server. In the previous images, the DPM server has a valid certificate, but the certificate is not in the trusted root certification authority store. To fix this situation we need to add the certificate to the VMware server.

  1. On the Certificate dialog, on the Certification Path tab, click View Certificate.

    A new Certificate dialog opens.

  2. In the new Certificate dialog, click the Details tab, and then click Copy to File to open the Certificate Export Wizard.

    The Certificate Export Wizard opens.

  3. In the Certificate Export Wizard, click Next, and on the Export File Format screen, select DER encoded binary X.509 (.CER), then click Next.

  4. On the File to Export screen, type a name for your certificate and click Next.

  5. Click Finish to complete the Certificate Export Wizard.

  6. Go to the location where you exported the certificate, and right-click the certificate and select Install Certificate.

    The Certificate Import Wizard opens.

  7. In the Certificate Import Wizard, click Local Machine and then click Next.

  8. On the Certificate Store screen, click Place all certificates in the following store and click Browse to find the location where you want to place the certificate.

  9. In the Select Certificate Store dialog, select Trusted Root Authority Certificate and click OK.

  10. Click Next and then click Finish to import the certificate successfully.

Once you've added the certificate, log on to your vCenter server to verify that the connection is secure.

Adding a new user account in VMware server

DPM uses a user name and password as credentials to communicate and authenticate with the VMware server. The authenticated user must have at least the following privileges, which are required to protect a VM successfully:

  • Global.ManageCustomFields

  • Network.Assign

  • Datastore.AllocateSpace

  • VirtualMachine.Config.ChangeTracking

  • VirtualMachine.State.RemoveSnapshot

  • VirtualMachine.State.CreateSnapshot

  • VirtualMachine.Provisioning.DiskRandomRead

  • VirtualMachine.Interact.PowerOff

  • VirtualMachine.Inventory.Create

  • VirtualMachine.Config.AddNewDisk

  • VirtualMachine.Config.HostUSBDevice

  • VirtualMachine.Config.AdvancedConfig

  • VirtualMachine.Config.SwapPlacement

The recommended steps for assigning these privileges:

  1. Create a role, for example, BackupAdminRole.

    1. In the vSphere Web Client, from the Navigator menu, click Administration > Roles.

    2. From the Roles provider drop-down menu, select the vCenter Server to which the role applies.

    3. On the Roles pane, click '+' to create a role.

      The Create Role dialog opens.

    4. Name the role, BackupAdminRole.

    5. Select the privileges (identified in the list above) for the role and click OK.

  2. Create a new user, for example, BackupAdmin. When you create a user, that user must be in the same domain as the objects you want to protect.

    1. In the vSphere Web Client, on the Navigator menu, click Administration.

    2. In the Administration menu, click Users and Groups.

    3. To create a new user, on the Users tab, click '+'.

      The New User dialog opens.

    4. Provide a User name and password for the role.

      Use BackupAdmin as the User name. Additional information is optional.

  3. Assign the role, BackupAdminRole, to the user, BackupAdmin.

    1. In the vSphere Web Client, on the Navigator menu, click Administration.

    2. In the Administration menu, click Global Permissions.

    3. On the Global Permissions pane, click the Manage tab.

    4. On the Manage tab, click '+' to open the Add Permission dialog.

    5. In the Add Permissions dialog, click Add.

    6. In the Select Users/Groups dialog, choose the correct domain from the Domain menu, then in the User/Group column select BackupAdmin, and click Add.

      The user name appears in the Users field in the format: domain\BackupAdmin.

    7. Click OK to return to the Add Permissions dialog.

    8. In the Assigned Role area, from the drop-down menu, select the role, BackupAdminRole, and click OK.

      The new user and role association appears in the Manage tab.
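
To check that BackupAdminRole carries exactly the privileges listed above and nothing more, the role can be compared against the list with VMware PowerCLI. This is an added example, not code from the original article; it assumes PowerCLI is installed and a Connect-VIServer session is already open, the helper name Compare-RolePrivilege is hypothetical, and it assumes vCenter includes the three System privileges shown in every role.

```powershell
# Added example, not from the article. Assumes VMware PowerCLI is installed
# and Connect-VIServer has already opened a session to the vCenter Server.
$required = @(
    'Global.ManageCustomFields'
    'Network.Assign'
    'Datastore.AllocateSpace'
    'VirtualMachine.Config.ChangeTracking'
    'VirtualMachine.State.RemoveSnapshot'
    'VirtualMachine.State.CreateSnapshot'
    'VirtualMachine.Provisioning.DiskRandomRead'
    'VirtualMachine.Interact.PowerOff'
    'VirtualMachine.Inventory.Create'
    'VirtualMachine.Config.AddNewDisk'
    'VirtualMachine.Config.HostUSBDevice'
    'VirtualMachine.Config.AdvancedConfig'
    'VirtualMachine.Config.SwapPlacement'
)
# Assumption: vCenter includes these System privileges in every role.
$implicit = @('System.Anonymous', 'System.Read', 'System.View')

function Compare-RolePrivilege {   # hypothetical helper name
    param([string[]] $Granted, [string[]] $Required, [string[]] $Implicit = @())
    [pscustomobject]@{
        # Listed in the article but not granted: protection may fail.
        Missing = @($Required | Where-Object { $_ -notin $Granted })
        # Granted but not listed: more access than the backup account needs.
        Excess  = @($Granted | Where-Object { $_ -notin $Required -and $_ -notin $Implicit })
    }
}

$role = Get-VIRole -Name 'BackupAdminRole' -ErrorAction SilentlyContinue
if (-not $role) {
    # The role does not exist yet: create it with exactly the listed privileges.
    $role = New-VIRole -Name 'BackupAdminRole' -Privilege (Get-VIPrivilege -Id $required)
}

$diff = Compare-RolePrivilege -Granted $role.PrivilegeList -Required $required -Implicit $implicit
if ($diff.Missing) { Write-Warning ('Missing: ' + ($diff.Missing -join ', ')) }
if ($diff.Excess)  { Write-Warning ('Beyond the list: ' + ($diff.Excess -join ', ')) }
if (-not $diff.Missing -and -not $diff.Excess) { 'BackupAdminRole matches the list.' }
```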

Adding a VMware server to DPM

To add a new VMware server, use the Production Servers tab as shown below.

  1. In the DPM Administrator Console, click Management.

  2. Click Production Servers.

  3. In the tool ribbon, click Add.

    The Production Server Addition Wizard opens.

  4. On the Select Production Server type screen, select VMware Servers, and click Next.

  5. On the Select Computers screen, provide the following information:

    • Server Name/IP Address: enter the VMware server fully qualified domain name (FQDN) or IP address.

    • SSL Port: select the SSL port number used to communicate with the VMware server. DPM uses HTTPS to communicate with VMware servers over a secured connection. To successfully communicate with VMware servers, DPM requires the SSL port number configured for that VMware server. If the VMware servers are not explicitly configured with different SSL ports, continue with the default port, 443.

    • Specify Credential: Select the credential needed to authenticate with this VMware server. If the required credential has not yet been added to DPM, choose Add New Credential and provide the Name, Description, User name, and Password for the credential.

    Once you have filled out the fields, click Add to add the server to the list of VMware Servers. If you would like to add more VMware servers to the list, repeat this step. If you are finished adding servers to the list, click Next.

  6. On the Summary screen, select the server you want to add, and click Add.

    After adding the VMware servers to DPM, see Protect VMware virtual machines for information about the available methods of protection.

Disabling secure communication protocol

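If your organization does not want to use the secure communication protocol (HTTPS), you can create a registry key to disable it. As its name indicates, the value this key sets, IgnoreCertificateValidation, turns off certificate validation for the VMware connection. To create this registry key: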

  1. Copy and paste the following text into a .txt file.

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\VMWare]
    "IgnoreCertificateValidation"=dword:00000001

  2. Save the file with the name, DisableSecureAuthentication.reg, to your DPM server.

  3. Double-click the file to activate the registry entry.
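
To audit this setting, and to run the certificate check described under "Setting up secure communication between DPM and a VMware server" without a browser, the following can be run on the DPM server. It is an added example, not part of the original article: it reports whether IgnoreCertificateValidation is set and how the DPM server's own trust store judges the certificate a VMware server presents. The function name Test-DpmVMwareTrust is hypothetical; demovcenter1.Contoso.com is the example server name used in this article.

```powershell
# Added example, not from the article. Run on the DPM server.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Data Protection Manager\VMWare'

function Test-DpmVMwareTrust {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)] [string] $ServerName,
        [int] $Port = 443   # default SSL port named in the article
    )
    # 1. Has certificate validation been switched off through the registry?
    $reg = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue

    # 2. How does this machine's trust store judge the server certificate?
    $state = @{ Errors = $null; Cert = $null }
    $check = {
        param($source, $certificate, $chain, $policyErrors)
        $state.Errors = $policyErrors
        if ($certificate) {
            $state.Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate
        }
        $true   # finish the handshake so the errors can be reported
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] $check

    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($ServerName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($ServerName)   # handshake only, no data sent
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }

    [pscustomobject]@{
        Server             = $ServerName
        ValidationDisabled = ($reg.IgnoreCertificateValidation -eq 1)
        TrustedByThisHost  = ($state.Errors -eq [System.Net.Security.SslPolicyErrors]::None)
        PolicyErrors       = $state.Errors
        Thumbprint         = $state.Cert.Thumbprint
        NotAfter           = $state.Cert.NotAfter
    }
}

Test-DpmVMwareTrust -ServerName 'demovcenter1.Contoso.com'
```

A result with ValidationDisabled true and TrustedByThisHost false identifies a server whose protection would stop working if the registry value were removed before its certificate is installed in the trusted store.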