DPM 2012 – Certificate Based Protection - The Official System Center Data Protection Manager Team Blog - Site Home - TechNet Blogs

DPM 2012 – Certificate Based Protection

DPM 2012 – Certificate Based Protection

  • Comments 15
  • Likes



DPM 2012 provides the capability to protect Workgroup computers and computers in untrusted domains using Certificates for the purpose of authentication.

If you are already using DPM 2010, you have the ability to protect machines without trust by using NTLM based authentication and local accounts. While this worked, you gave us feedback that you would want a more robust and secure method of authentication. We are happy to share we have addressed your feedback in DPM 2012.

This video (DPM 2012 – Certificate Based Protection) talks in depth about Certification Based Authentication and how you can set it up using DPM 2012.


Following workloads/scenarios are supported using certificate based authentication:

1. SQL Server

2. File Server

3. Hyper-V Server

4. Clustered Backed (For all of the above workloads)

5. Secondary DPM Server (for DR)


- Posted on behalf of

Prateek Sharma | Program Manager | Microsoft Corporation

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • So can one DPM server connect to multiple DPM servers in different AD domains using certificates?

    Also if you are doing DPM to DPM can you backup any load that the target DPM server is backing up? As in you can’t directly backup Exchange or SharePoint with certificate based authentication, but can you backup up DPM server that is backing up Exchange/SharePoint.


  • Would love to see certificate based authentication for clients at some point in the future - to handle that "consumerization of IT" type workload.

  • Christian,

    Primary and Secondary DPM Server need to be in domains trusted by each other.

    Following examples would make it clear

    Let as assume we have four domains Domain-1, Domain-2, Domain-3 and Domain-4

    Domain-1 and Domain-2 trust each other.

    Domain-3 and Domain-4 are not trusted by any other domain.

    Domain-3 and Domain-4 don't trust any other domain

    1, This scenario would work:

    i) Primary DPM is in Domain-1

    ii). Secondary DPM is in Domain-2

    iii) Protected Server is in Domain-3

    In the above scenario a DPM Server in Domain-2 can be used to provide secondary protection to a PS in Domain-3 using Certificates. Note that Domain-1 and Domain-2 trust each other.

    2. This scenario is not supported:

    i) Primary DPM is in Domain-1

    ii) Secondary DPM is in Domain-4

    iii) Protected Server is in Domain-3

  • Orin,

    Thanks for your feedback.

  • Thanks for the answer; I just got confused because the blog post listed "secondary DPM Server (for DR)" as something that was "supported using certificate based authentication".

    So at this point there is no way to put a DPM server in a datacenter and use it to backup many companies DPM servers. This is what is needed for the MSP market to get DPM usage up in the SMB market. I think it’s something you guys should take a close look at.


  • Thanks Christian,

    That is very good feedback and we would definitely consider it going forward.

  • Do you have video in High quality please? I downloaded something that is absolutely horrible :)

  • +1 Please provide high quality video.



    Founder & CEO


  • Agree about the video quality, I'm used to watching CBT during the day and though they aren't amazing, they knock the quality of this into a cocked hat.

    Smooth it out a bit and they're something to keep. I can't even see the screenshot views!

  • So will this work for client based dpm backups as well?

  • No support for system state or BMR in certificate based authentication mode then?

  • In addition to a video that's watchable, it would be nice to include information on how to generate the certificate in the first place.

  • You sir should be ashamed of shipping such a low quality code.

    I'm having all kinds of Null exceptions trying to set this up.