DPM 2012 – Certificate Based Protection - The Official System Center Data Protection Manager Team Blog - Site Home - TechNet Blogs

DPM 2012 – Certificate Based Protection

DPM 2012 – Certificate Based Protection

  • Comments 16
  • Likes



DPM 2012 provides the capability to protect Workgroup computers and computers in untrusted domains using Certificates for the purpose of authentication.

If you are already using DPM 2010, you have the ability to protect machines without trust by using NTLM based authentication and local accounts. While this worked, you gave us feedback that you would want a more robust and secure method of authentication. We are happy to share we have addressed your feedback in DPM 2012.

This video (DPM 2012 – Certificate Based Protection) talks in depth about Certification Based Authentication and how you can set it up using DPM 2012.


Following workloads/scenarios are supported using certificate based authentication:

1. SQL Server

2. File Server

3. Hyper-V Server

4. Clustered Backed (For all of the above workloads)

5. Secondary DPM Server (for DR)


- Posted on behalf of

Prateek Sharma | Program Manager | Microsoft Corporation

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • So can one DPM server connect to multiple DPM servers in different AD domains using certificates?

    Also if you are doing DPM to DPM can you backup any load that the target DPM server is backing up? As in you can’t directly backup Exchange or SharePoint with certificate based authentication, but can you backup up DPM server that is backing up Exchange/SharePoint.


  • Would love to see certificate based authentication for clients at some point in the future - to handle that "consumerization of IT" type workload.

  • Christian,

    Primary and Secondary DPM Server need to be in domains trusted by each other.

    Following examples would make it clear

    Let as assume we have four domains Domain-1, Domain-2, Domain-3 and Domain-4

    Domain-1 and Domain-2 trust each other.

    Domain-3 and Domain-4 are not trusted by any other domain.

    Domain-3 and Domain-4 don't trust any other domain

    1, This scenario would work:

    i) Primary DPM is in Domain-1

    ii). Secondary DPM is in Domain-2

    iii) Protected Server is in Domain-3

    In the above scenario a DPM Server in Domain-2 can be used to provide secondary protection to a PS in Domain-3 using Certificates. Note that Domain-1 and Domain-2 trust each other.

    2. This scenario is not supported:

    i) Primary DPM is in Domain-1

    ii) Secondary DPM is in Domain-4

    iii) Protected Server is in Domain-3

  • Orin,

    Thanks for your feedback.

  • Thanks for the answer; I just got confused because the blog post listed "secondary DPM Server (for DR)" as something that was "supported using certificate based authentication".

    So at this point there is no way to put a DPM server in a datacenter and use it to backup many companies DPM servers. This is what is needed for the MSP market to get DPM usage up in the SMB market. I think it’s something you guys should take a close look at.


  • Thanks Christian,

    That is very good feedback and we would definitely consider it going forward.

  • Do you have video in High quality please? I downloaded something that is absolutely horrible :)

  • +1 Please provide high quality video.



    Founder & CEO


  • Agree about the video quality, I'm used to watching CBT during the day and though they aren't amazing, they knock the quality of this into a cocked hat.

    Smooth it out a bit and they're something to keep. I can't even see the screenshot views!

  • So will this work for client based dpm backups as well?

  • No support for system state or BMR in certificate based authentication mode then?

  • In addition to a video that's watchable, it would be nice to include information on how to generate the certificate in the first place.

  • You sir should be ashamed of shipping such a low quality code.

    I'm having all kinds of Null exceptions trying to set this up.

  • Hello Prateek,

    I have a question about the use of certificates to authenticate computers in an untrusted domain with DPM2012 R2 (4.2.1292).

    We have a primary forest (domain level 2008r2) where we have a DPM2012 R2(4.2.1292) server running on Windows 2012R2. We also have a second forest (domain level 2012) running in a separate network. These networks are not connected, they share no DNS, and there are no trust relations. Currently we use client protection with NTLM authentication to back-up data in the second forest to our DPM2012 server in our primary forest. We want to replace the NTLM authentication with certificate authentication. To achieve this we used the following guide:
    The network traffic between the DPM server, the CA and the servers in de second forest is allowed and the FQDN’s are placed in the host files. The CA (enterprise) server is installed on a 2008R2 DC with default settings, web enrollment is used. If we follow the guide within the primary forest and use a Windows 2008 server DPM target then everything works directly and smoothly. If we try to run the procedure on a Windows 2012 R2 server in the second forest then we get an error when we run (phase 4) Attach-ProductionServerWithCertificate.ps1 on the DPM2012 server with the error:
    There is failure while attaching production server with certificates C:\Program Files\Microsoft System Center 2012 R2\DPM\DPM\bin\Attach-ProductionServerWithCertificate.ps1 : DPM CPWrapper Service on the servername.LOCAL computer has encountered a failure and may be in an unusable state. Exception Message = The socket connection was aborted

    Is there any advice you can offer, and can someone confirm this is a supported scenario.