Configuring DPM Agents, Non-domain using Certificates

Hi All,

Lots of articles on this, Microsoft’s own documentation is far more detailed for 2012 R2 than it is for 2016. The concept remains the same.

My problems started as the cert authority (being comprised of an offline root CA and domain enterprise subordinate CA) forming the certificate chain, could not be contacted by agents on the other side of a firewall (without making swiss cheese of the firewall and allowing port 80 to the CRL distribution point, or standing up an alternative CRL location)

Follow the cert template setup guide here.

In the settings for the template, change the subject name handling to supply in the request. These certs are for non domain machines.

certs

Make sure permissions to the template allow read & enroll. Then we can add the template to the CA for use and head for the MMC console + local computer cert snap-in on your DPM server.

Add the cert to your DPM server following the guide above, generate the BIN file, copy to the agent.

If your agent is behind a firewall, make sure to open the additional TCP 6076 port required for the certificate communication.

If your non-domain agent is unable to access the CRL distribution point (required for initial verification of the cert) then you will need to manually import the CRL files. Open explorer to your cert server \\yourcertserver\certenroll – here you will find your CRL files.

Import your CRL files (copied from the CA) using:

certutil -addstore CA “C:\CRLfolderpath\CRLfilename.CRL”

Remember to import the full chain of valid CRL files, once added in, run your DPM agent setup command – then you will have a BIN file with which to complete setup.

Support

Bizarrely – Microsoft doesn’t support backup of machines in a “Perimiter Network” – https://technet.microsoft.com/en-us/library/hh757801(v=sc.12).aspx

I’m not sure about anyone else, but I make extensive use of VLANs, which are subject to firewall rule sets and agents work fine in these scenarios. So why would a “perimiter network” be any different?

I suspect this is just noted as MS have not fully tested support of agents in this scenario, but I do not see any reason why it should not work.

However, follow best practice and remember that if backup of a system is essential, you are best sticking to the official supported guidelines 🙂

Deploy DPM Remote Management Console 2016 + UR2

Unlike all the other system center products, which can normally accept a straight forward setup.exe /install /client and install silently – DPM is different (no shock there then!)

After a long search for documentation on the available install switches, it lead me to a blog post by Steve Buchanan which is for the 2012 console install.

So, 2016 follows the same principle, but for some very bizarre reason – source media contains:

2012 Console,

2012 SP1 Console,

2012 R2 Console and….

2016 Console.

The only command line for install – Setup.exe /i /cc /client – installs all 4 versions – FAIL.

So, the only way round as far as I can see is to live with it and then remove the unnecessary components after install, then apply UR2.

Follow Steve’s post to getting it into config manager (i’m not rewriting his post) – in the source directory, add your source media, a copy of the UR2 console patch (you can extract the file and grab the MSP – it’s called: DPMMANAGEMENTSHELL2016-KB3209593.MSP ) and finally a batch file for install and reference that instead.

so – your file layout should look something like this:

install-folder

In your batch file:

start /wait cmd /c “Setup.exe /i /cc /client”

start /wait cmd /c “msiexec.exe /x {DFF93860-2113-4207-A7AC-3901ABCE8002} /passive”

start /wait cmd /c “msiexec.exe /x {FF6E79E3-66E5-4079-BE10-2B9CFBE3B458} /passive”

start /wait cmd /c “msiexec.exe /x {88E17747-6E2C-48A0-88CC-396AC8D9C5BB} /passive”

start /wait cmd /c “msiexec.exe /f {BF23ED54-5484-4AC1-8EA7-6ACAFBBA6A45} /qn”

start /wait cmd /c “msiexec.exe /update DPMMANAGEMENTSHELL2016-KB3209593.MSP /qb”

So, we are installing all consoles, then removing 3 of 4 versions. This for me caused the 2016 console icons to go awry – so a quick repair of the 2016 one before finally installing the UR2 MSP.

Dont forget to reference Visual C++ 2008 Redist x64 in your dependencies list in SCCM – otherwise it won’t install 🙂

Enjoy!

 

System Center 2016 UR3

It’s out now –

https://support.microsoft.com/en-hk/help/4020906/update-rollup-3-for-system-center-2016

A lot of good VMM fixes in there – which I will be testing soon. Bulk host agent update script is in Charbel’s blog here: https://charbelnemnom.com/2017/05/update-rollup-3-for-system-center-2016-is-now-available-sysctr-systemcenter-scvmm/

Details of SCOM fixes in Kevin’s blog here: http://kevingreeneitblog.blogspot.co.uk/2017/05/scom-2016-update-rollup-3-ur3-now.html

I’m a little disappointed to see DPM missed an update in UR3. VMware support is still missing from 2016 – but all will be forgiven if this turns up in UR4 along with fixes for woes experienced with UR2 currently:

Tape Library Sharing – 2012 OS cannot remove TL sharing & re-establishing 2016 OS TL required a manual DB cleanout (with Premier Support).

Console Crashing on PG alteration – requires DLL from MS (see my previous posts)

Mount points, whilst supported for the storage (see my other posts) uncover a known issue with DPM mouting the VHDX files for Modern backup Storage – the workaround for this is to add a drive letter to the storage.

If you don’t urgently need supported SQL 2016 backups / SharePoint 2016 protection from DPM, I would seriously consider sticking to UR1 for now.

Roll on UR4! 🙂

 

 

DPM 2016 agent installations – Making your life easier with SCCM

Take the pain away from manual deployment – grab the agent and put it into SCCM. The command lines for agent install (2016 UR2) are:

DPMAgentInstaller_KB3209593_AMD64.exe /q /IAcceptEULA

DPMAgentInstaller_KB3209593.exe /q /IAcceptEULA (for x86)

Just make sure all the agent pre-reqs are in place (WMF 4.0 for 2008 R2 etc…) and make the detection of those a pre-req for the SCCM deployment.

If you know what DPM server you are going to protect with – simply add the server name to the install above – that will open the ports and make the agent ready to be attached.

If you dont just yet – then run a second SCCM task to call a batch file running the setdpmserver.exe (in the DPM agent Bin directory) to configure the agent.

Run an “Application deployment type compliance details” report in SCCM, using your target collections, application, deployment type and status of “Success” to generate a CSV file of the installed agents.

Take the computer name column in excel, append your domain name (using concatenate) and put the resulting list into a .txt file (no headings or any other info required)

Open the DPM console – select Install, Attach Agents, click add from file and point to your txt file.

Output from SCCM report, manipulate and import in ~10 mins saving many hours of manual config.

Job Done!