Configuring DPM Agents, Non-domain using Certificates

Hi All,

Lots of articles on this, Microsoft’s own documentation is far more detailed for 2012 R2 than it is for 2016. The concept remains the same.

My problems started as the cert authority (being comprised of an offline root CA and domain enterprise subordinate CA) forming the certificate chain, could not be contacted by agents on the other side of a firewall (without making swiss cheese of the firewall and allowing port 80 to the CRL distribution point, or standing up an alternative CRL location)

Follow the cert template setup guide here.

In the settings for the template, change the subject name handling to supply in the request. These certs are for non domain machines.

certs

Make sure permissions to the template allow read & enroll. Then we can add the template to the CA for use and head for the MMC console + local computer cert snap-in on your DPM server.

Add the cert to your DPM server following the guide above, generate the BIN file, copy to the agent.

If your agent is behind a firewall, make sure to open the additional TCP 6076 port required for the certificate communication.

If your non-domain agent is unable to access the CRL distribution point (required for initial verification of the cert) then you will need to manually import the CRL files. Open explorer to your cert server \\yourcertserver\certenroll – here you will find your CRL files.

Import your CRL files (copied from the CA) using:

certutil -addstore CA “C:\CRLfolderpath\CRLfilename.CRL”

Remember to import the full chain of valid CRL files, once added in, run your DPM agent setup command – then you will have a BIN file with which to complete setup.

Support

Bizarrely – Microsoft doesn’t support backup of machines in a “Perimiter Network” – https://technet.microsoft.com/en-us/library/hh757801(v=sc.12).aspx

I’m not sure about anyone else, but I make extensive use of VLANs, which are subject to firewall rule sets and agents work fine in these scenarios. So why would a “perimiter network” be any different?

I suspect this is just noted as MS have not fully tested support of agents in this scenario, but I do not see any reason why it should not work.

However, follow best practice and remember that if backup of a system is essential, you are best sticking to the official supported guidelines 🙂

DPM 2016 agent installations – Making your life easier with SCCM

Take the pain away from manual deployment – grab the agent and put it into SCCM. The command lines for agent install (2016 UR2) are:

DPMAgentInstaller_KB3209593_AMD64.exe /q /IAcceptEULA

DPMAgentInstaller_KB3209593.exe /q /IAcceptEULA (for x86)

Just make sure all the agent pre-reqs are in place (WMF 4.0 for 2008 R2 etc…) and make the detection of those a pre-req for the SCCM deployment.

If you know what DPM server you are going to protect with – simply add the server name to the install above – that will open the ports and make the agent ready to be attached.

If you dont just yet – then run a second SCCM task to call a batch file running the setdpmserver.exe (in the DPM agent Bin directory) to configure the agent.

Run an “Application deployment type compliance details” report in SCCM, using your target collections, application, deployment type and status of “Success” to generate a CSV file of the installed agents.

Take the computer name column in excel, append your domain name (using concatenate) and put the resulting list into a .txt file (no headings or any other info required)

Open the DPM console – select Install, Attach Agents, click add from file and point to your txt file.

Output from SCCM report, manipulate and import in ~10 mins saving many hours of manual config.

Job Done!

DPM 2016 – UR2 – MMC console crashes – event ID 999

Once you are running DPM 2016 UR2 – you may experience console crashes (services unaffected) with event ID’s 999:

The description for Event ID 999 from source MSDPM cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

An unexpected error caused a failure for process 'mmc'.  Restart the DPM process 'mmc'.
Problem Details:

19009/05/2017 13:29:28DpmThreadPool.cs163TrueNullReferenceExceptionObject reference not set to an instance of an object.System.NullReferenceException: Object reference not set to an instance of an object.

   at Microsoft.Internal.EnterpriseStorage.Dls.UI.ObjectModel.Inquiry.MultiDatasourceSizeInquiry.ResultUniquePath(InquiryPath junctionlessPath, InquiryPath startNodeRelativePath, String serverName)

   at Microsoft.Internal.EnterpriseStorage.Dls.UI.ObjectModel.Inquiry.MultiDatasourceSizeInquiry.ProcessResults(InquiryTaskInformation taskInfo)

   at Microsoft.Internal.EnterpriseStorage.Dls.UI.ObjectModel.Inquiry.MultiDatasourceSizeInquiry.OnInquiryResultsArrival(InquiryResult result)

   at Microsoft.Internal.EnterpriseStorage.Dls.UI.ObjectModel.Inquiry.MultiDatasourceSizeInquiry.rornTaskDef_TaskProgress(Object sender, EventMatchedEventArgs eventEntry)

   at Microsoft.Internal.EnterpriseStorage.Dls.EngineUICommon.RORN.RornTaskDef.Task_TaskProgress(Object sender, EventMatchedEventArgs e)

   at Microsoft.Internal.EnterpriseStorage.Dls.EventManagement.BaseEventFilter.Send(EventMatchedEventArgs args)

   at Microsoft.Internal.EnterpriseStorage.Dls.EventManagement.EventManager.PollingThreadProc(Object data)

   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)

   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)

   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)

   at System.Threading.ThreadHelper.ThreadStart(Object obj)

the message resource is present but the message is not found in the string/message table

These occur when adding secondary protection (DPM to DPM) to an existing Protection Group, as soon as you reach the storage calculation screen – bang, MMC crashes.

The issue resides with objectmodel.dll (in the BIN directory) – a replacement from MS was supplied and immediately resolved the issue.

If this is the case, currently the fix exists as a private hotfix only and must be obtained by logging a call with MS support.

I have asked if it will be made public and will update the blog when I hear back.

Update 10 May 2017

Premier Support have advised that the fixed DLL will be part of a future UR pack, but could not confirm if it would be UR3 or 4. So my advice is you test your environment with a few machines and see if you encounter the error – if you do, contact support and request the fixed DLL before you proceed into full production use.