Configuring DPM Agents, Non-domain using Certificates

Hi All,

Lots of articles on this, Microsoft’s own documentation is far more detailed for 2012 R2 than it is for 2016. The concept remains the same.

My problems started as the cert authority (being comprised of an offline root CA and domain enterprise subordinate CA) forming the certificate chain, could not be contacted by agents on the other side of a firewall (without making swiss cheese of the firewall and allowing port 80 to the CRL distribution point, or standing up an alternative CRL location)

Follow the cert template setup guide here.

In the settings for the template, change the subject name handling to supply in the request. These certs are for non domain machines.


Make sure permissions to the template allow read & enroll. Then we can add the template to the CA for use and head for the MMC console + local computer cert snap-in on your DPM server.

Add the cert to your DPM server following the guide above, generate the BIN file, copy to the agent.

If your agent is behind a firewall, make sure to open the additional TCP 6076 port required for the certificate communication.

If your non-domain agent is unable to access the CRL distribution point (required for initial verification of the cert) then you will need to manually import the CRL files. Open explorer to your cert server \\yourcertserver\certenroll – here you will find your CRL files.

Import your CRL files (copied from the CA) using:

certutil -addstore CA “C:\CRLfolderpath\CRLfilename.CRL”

Remember to import the full chain of valid CRL files, once added in, run your DPM agent setup command – then you will have a BIN file with which to complete setup.


Bizarrely – Microsoft doesn’t support backup of machines in a “Perimiter Network” –¬†

I’m not sure about anyone else, but I make extensive use of VLANs, which are subject to firewall rule sets and agents work fine in these scenarios. So why would a “perimiter network” be any different?

I suspect this is just noted as MS have not fully tested support of agents in this scenario, but I do not see any reason why it should not work.

However, follow best practice and remember that if backup of a system is essential, you are best sticking to the official supported guidelines ūüôā

Deploy DPM Remote Management Console 2016 + UR2

Unlike all the other system center products, which can normally accept a straight forward setup.exe /install /client and install silently – DPM is different (no shock there then!)

After a long search for documentation on the available install switches, it lead me to a blog post by Steve Buchanan which is for the 2012 console install.

So, 2016 follows the same principle, but for some very bizarre reason – source media contains:

2012 Console,

2012 SP1 Console,

2012 R2 Console and….

2016 Console.

The only command line for install –¬†Setup.exe /i /cc /client – installs all 4 versions – FAIL.

So, the only way round as far as I can see is to live with it and then remove the unnecessary components after install, then apply UR2.

Follow Steve’s post to getting it into config manager (i’m not rewriting his post) – in the source directory, add your source media,¬†a copy of the UR2 console patch (you can extract the file and grab the MSP – it’s called:¬†DPMMANAGEMENTSHELL2016-KB3209593.MSP ) and finally¬†a batch file for install and reference that instead.

so – your file layout should look something like this:


In your batch file:

start /wait cmd /c “Setup.exe /i /cc /client”

start /wait cmd /c “msiexec.exe /x {DFF93860-2113-4207-A7AC-3901ABCE8002} /passive”

start /wait cmd /c “msiexec.exe /x {FF6E79E3-66E5-4079-BE10-2B9CFBE3B458} /passive”

start /wait cmd /c “msiexec.exe /x {88E17747-6E2C-48A0-88CC-396AC8D9C5BB} /passive”

start /wait cmd /c “msiexec.exe /f {BF23ED54-5484-4AC1-8EA7-6ACAFBBA6A45} /qn”

start /wait cmd /c “msiexec.exe /update DPMMANAGEMENTSHELL2016-KB3209593.MSP /qb”

So, we are installing all consoles, then removing 3 of 4 versions. This for me caused the 2016 console icons to go awry – so a quick repair of the 2016 one before finally installing the UR2 MSP.

Dont forget to reference Visual C++ 2008 Redist x64 in your dependencies list in SCCM – otherwise it won’t install ūüôā



System Center 2016 UR3

It’s out¬†now –

A lot of good VMM fixes in there – which I will be testing soon. Bulk host agent update script is in Charbel’s blog here:¬†

Details of SCOM fixes in Kevin’s blog here:¬†

I’m a little disappointed to see DPM missed an update in UR3. VMware support is still missing from 2016 – but all will be forgiven if this turns up in UR4 along with fixes for woes experienced with UR2 currently:

Tape Library Sharing – 2012 OS cannot remove TL sharing & re-establishing 2016 OS TL required a manual DB cleanout (with Premier Support).

Console Crashing on PG alteration – requires DLL from MS (see my previous posts)

Mount points, whilst supported for the storage (see my other posts) uncover a known issue with DPM mouting the VHDX files for Modern backup Storage – the workaround for this is to add a drive letter to the storage.

If you don’t urgently need supported SQL 2016 backups / SharePoint 2016 protection from DPM, I would seriously consider sticking to UR1 for now.

Roll on UR4! ūüôā



DPM 2016 agent installations – Making your life easier with SCCM

Take the pain away from manual deployment – grab the agent and put it into SCCM. The command lines for agent install (2016 UR2) are:

DPMAgentInstaller_KB3209593_AMD64.exe /q /IAcceptEULA

DPMAgentInstaller_KB3209593.exe /q /IAcceptEULA (for x86)

Just make sure all the agent pre-reqs are in place (WMF 4.0 for 2008 R2 etc…) and make the detection of those a pre-req for the SCCM deployment.

If you know what DPM server you are going to protect with – simply add the server name to the install above – that will open the ports and make the agent ready to be attached.

If you dont just yet – then run a second SCCM task to call a batch file running the setdpmserver.exe (in the DPM agent Bin directory) to configure the agent.

Run an “Application deployment type compliance details” report in SCCM, using your target collections, application, deployment type and status of “Success” to generate a CSV file of the installed agents.

Take the computer name column in excel, append your domain name (using concatenate) and put the resulting list into a .txt file (no headings or any other info required)

Open the DPM console – select Install, Attach Agents, click add from file and point to your txt file.

Output from SCCM report, manipulate and import in ~10 mins saving many hours of manual config.

Job Done!

DPM 2016 – Modern Backup Storage (MBS) Volumes

An excellent feature of 2016 and not to be missed. Gone is the LDM limitation and the volume mess of 2012. This is by far the best improvement on the table for DPM.

I followed some guides to test Рmounting 64tb of backup storage as drive letters to windows makes it a target for temporary storage РVERY IRRITATING INDEED

You will quickly find your DPM volume has attracted itself as a temporary dumping ground for hotfixes and patches. This is not acceptable.

To avoid this – simply create yourself a folder on C: – in this case ‘MountPoints’, create yourself two empty folders – then mount your backup storage in there – rather than assigning a drive letter.


Open DPM, refresh disks and click add – you will see the two volumes available for use.

Windows wont see them in it’s drive letter searches and thusly – they will remain clutter free and available for DPM use only!

As long as you make sure they have a volume label – SCOM will happily monitor the health of drives mounted in this manner.

Update – Aug 2017

Currently under UR2, we experience errors pertaining to DPM being unable to mount certain files under the mount points. It’s a known issue and current workaround is to also add a drive letter to the disks (can be added along side the mount point, no need to change anything else).

This should be resolved in further updates.


DPM 2016 – Installation – SQL 2016 SP1


Just a quick snippet from Technet as it’s easily overlooked. When installing DPM 2016 RTM, you need to make sure that SQL 2016 does NOT have SP1 installed.

Once DPM is installed and you have applied UR2, you can patch SQL to SP1.

Don’t forget to enable browser service, named pipes (for Library sharing) and clear all pending reboots…


DPM 2016 – UR2 – MMC console crashes – event ID 999

Once you are running DPM 2016 UR2 – you may experience console crashes (services unaffected) with event ID’s 999:

The description for Event ID 999 from source MSDPM cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

An unexpected error caused a failure for process 'mmc'.  Restart the DPM process 'mmc'.
Problem Details:

19009/05/2017 13:29:28DpmThreadPool.cs163TrueNullReferenceExceptionObject reference not set to an instance of an object.System.NullReferenceException: Object reference not set to an instance of an object.

   at Microsoft.Internal.EnterpriseStorage.Dls.UI.ObjectModel.Inquiry.MultiDatasourceSizeInquiry.ResultUniquePath(InquiryPath junctionlessPath, InquiryPath startNodeRelativePath, String serverName)

   at Microsoft.Internal.EnterpriseStorage.Dls.UI.ObjectModel.Inquiry.MultiDatasourceSizeInquiry.ProcessResults(InquiryTaskInformation taskInfo)

   at Microsoft.Internal.EnterpriseStorage.Dls.UI.ObjectModel.Inquiry.MultiDatasourceSizeInquiry.OnInquiryResultsArrival(InquiryResult result)

   at Microsoft.Internal.EnterpriseStorage.Dls.UI.ObjectModel.Inquiry.MultiDatasourceSizeInquiry.rornTaskDef_TaskProgress(Object sender, EventMatchedEventArgs eventEntry)

   at Microsoft.Internal.EnterpriseStorage.Dls.EngineUICommon.RORN.RornTaskDef.Task_TaskProgress(Object sender, EventMatchedEventArgs e)

   at Microsoft.Internal.EnterpriseStorage.Dls.EventManagement.BaseEventFilter.Send(EventMatchedEventArgs args)

   at Microsoft.Internal.EnterpriseStorage.Dls.EventManagement.EventManager.PollingThreadProc(Object data)

   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)

   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)

   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)

   at System.Threading.ThreadHelper.ThreadStart(Object obj)

the message resource is present but the message is not found in the string/message table

These occur when adding secondary protection (DPM to DPM) to an existing Protection Group, as soon as you reach the storage calculation screen – bang, MMC crashes.

The issue resides with objectmodel.dll (in the BIN directory) – a replacement from MS was supplied and immediately resolved the issue.

If this is the case, currently the fix exists as a private hotfix only and must be obtained by logging a call with MS support.

I have asked if it will be made public and will update the blog when I hear back.

Update 10 May 2017

Premier Support have advised that the fixed DLL will be part of a future UR pack, but could not confirm if it would be UR3 or 4. So my advice is you test your environment with a few machines and see if you encounter the error – if you do, contact support and request the fixed DLL before you proceed into full production use.