
Hello, Chuck Whitson here from the Data Protection Manager Team here in Texas. Lately, we’ve had several customers run into issues with sharing their tape library between multiple DPM servers so I’ve put together some of the things that have been known to interfere with configuring tape library sharing as well as a couple other gotchas. The following steps have resolved most of those cases that we’ve seen.

1. Check SQL Services

Make sure both the “SQL Server (MSDPM2010)” service and the “SQL Server Agent (MSDPM2010)” service on each DPM server sharing the library are configured to start as the same domain user account. Below is an example of how the services should be configured:

[Screenshot: SQL Server (MSDPM2010) Service Account]

[Screenshot: SQL Server Agent (MSDPM2010) Service Account]

Note: The account used to start these services must also be a member of the local administrators group on each DPM server sharing the library.

2. Check the Medium Changer Device in Device Manager

The LCS (Library Control Server) is the only DPM server that controls the medium changer. All other servers need to have the device disabled in Device Manager. Open Device Manager and make sure the device is disabled on all of the client machines and only enabled on the LCS server as shown below:

[Screenshot: medium changer device in Device Manager]

If you disable or enable the device and are prompted with a message asking you to reboot the server, please do so.

Note: The medium changer device can be zoned to just the server hosting the LCS role on the SAN. This is a supported scenario. However, keep in mind that it will be more difficult to change the server that hosts the LCS role if you ever need to.

3. Windows Firewall

Prior to configuring tape library sharing, you may need to disable the Windows Firewall on each DPM server that will be sharing the library. After tape library sharing has been configured, you can re-enable the Windows Firewall.

To disable the Windows Firewall, open an administrative command prompt and type the following commands, hitting Enter after each line.

netsh
firewall
advfirewall
set allprofiles state off

To re-enable the Windows Firewall, change the last line to read the following:

set allprofiles state on

4. Distributed Transaction Coordinator (MSDTC)

Tape library sharing utilizes the Distributed Transaction Coordinator (MSDTC) service to communicate between the servers sharing the library. Without this service, the configuration or operation will most likely fail. Verify this service is configured to start automatically and is running prior to configuring tape library sharing.

5. DPMLA.xml

The DPMLA service is the service responsible for controlling the library. This service sometimes will leverage the use of the DPMLA.xml file to obtain the SCSI connection configuration of the library and its associated drives. If you’ve ever run DPMDriveMappingTool.exe to generate this file for your library, you will want to make sure that the DPMLA.xml file does not exist on the client DPM servers. The client DPM servers get their library configuration from the LCS server and do not need to leverage the DPMLA.xml file. However, if you ever move your LCS role to a different server, you will want to make sure that you move this file as well to the new server hosting the LCS role. The DPMLA.xml file is located in the “…\Microsoft DPM\DPM\Config” folder.

6. Configure the SQL Port and Set the SPN

A. Discover the dynamic port on which TCP/IP is configured

Open SQL Server Configuration Manager and expand the protocols for SQL Server Network Configuration. Choose the TCP/IP protocol and right-click on it and select properties. Choose the IP Addresses tab and scroll down to the bottom. You should see a window similar to the following showing the TCP Dynamic Port for “IPAll”:

[Screenshot: TCP Dynamic Port for “IPAll” on the IP Addresses tab]

B. Set the Static Port

Take the dynamic port found in the previous step. In this example, the port is 55335. Remove the 0 from the property named “TCP Dynamic Ports” so it is blank. Update the value of “TCP Port” for all IPs listed with the value obtained from step 6A. Here is an example:

[Screenshot: “TCP Dynamic Ports” blank and “TCP Port” set to the static port]

Do this on each DPM server sharing the library including the LCS.

C. Set the SPN in Active Directory from a domain controller

For each DPM server that is sharing the library, run the following commands from an administrative command prompt on your domain controller:

setspn -A MSSQLSvc/<HostName of DPM> <DomainName\UserName>

setspn -A MSSQLSvc/<FQDN of DPM> <DomainName\UserName>

setspn -A MSSQLSvc/<HostName of DPM>:<StaticPort> <DomainName\UserName>

setspn -A MSSQLSvc/<FQDN of DPM>:<StaticPort> <DomainName\UserName>

Run all four of these commands for each DPM server, replacing <HostName of DPM> and <FQDN of DPM> with the hostname and fully-qualified domain name of that DPM server. The <StaticPort> is the port discovered in step 6A above. Use the same domain account from step 1 for the <DomainName\UserName>. Remember to do this from the domain controller for each DPM server that is sharing the library.

7. Update AD Delegation of Computer Objects in Active Directory

Open Active Directory Users and Computers and find the computer objects for each DPM server. Right-click on each DPM server that shares the library and choose properties. Select the delegation tab and set the delegation to “Trust this computer for delegation to any service (Kerberos only)” as shown below:

[Screenshot: Delegation tab of the DPM server computer object]

8. Update AD Delegation of User Objects in Active Directory

Open Active Directory Users and Computers and find the user object that is used to start the SQL services in Step 1 above. Right-click on the user object and choose properties. Select the Delegation tab and choose the option “Trust this user for delegation to any service (Kerberos only)” as shown below:

[Screenshot: Delegation tab of the SQL service user object]

9. Reboot.

If you made any changes in Steps 6 through 8, you’ll want to reboot for the changes to take effect.
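The settings from steps 1, 3, 4 and 6 through 8 can be read back in one pass before you move on. The script below is an added example, not part of the original post or of DPM; it only reads state, and its Step 7 and Step 8 lines also give you a record of which objects now carry the "any service" delegation setting. It assumes the ActiveDirectory PowerShell module is available on the DPM server, English netsh output, a service account in DOMAIN\user form, and that you pass the static port you chose in step 6B.

```powershell
# Added example: read-only check of steps 1, 3, 4 and 6-8. Run on each DPM server.
# Assumptions (not from the post): ActiveDirectory module installed, English
# netsh output, service account shown as DOMAIN\user, -StaticPort = port from 6B.
param([int]$StaticPort = 55335)   # 55335 is the example port used in step 6B
Import-Module ActiveDirectory

$hostName = $env:COMPUTERNAME
$fqdn     = [System.Net.Dns]::GetHostEntry($hostName).HostName
$report   = @()

# Step 1: both SQL services must log on as the same domain account.
$sql = Get-WmiObject Win32_Service -Filter "Name='MSSQL`$MSDPM2010' OR Name='SQLAgent`$MSDPM2010'"
$accounts = @($sql | Select-Object -ExpandProperty StartName | Sort-Object -Unique)
$report += "Step 1  SQL services found: $(@($sql).Count), logon account(s): $($accounts -join ', ')"
if (@($sql).Count -ne 2 -or $accounts.Count -ne 1) {
    $report += '        FAIL: expected two services sharing one account'
}

# Step 3: the post re-enables the firewall once sharing is configured.
$fwOff = @(netsh advfirewall show allprofiles state | Select-String '^State\s+OFF')
$report += "Step 3  Firewall profiles currently OFF: $($fwOff.Count)"

# Step 4: MSDTC must be set to start automatically and be running.
$dtc = Get-WmiObject Win32_Service -Filter "Name='MSDTC'"
$report += "Step 4  MSDTC StartMode=$($dtc.StartMode) State=$($dtc.State)"

if ($accounts.Count -eq 1) {
    # Step 6C: all four SPNs must be registered on the service account.
    $sam  = ($accounts[0] -split '\\')[-1]
    $user = Get-ADUser -Identity $sam -Properties ServicePrincipalName, TrustedForDelegation
    $want = "MSSQLSvc/$hostName", "MSSQLSvc/$fqdn",
            "MSSQLSvc/${hostName}:$StaticPort", "MSSQLSvc/${fqdn}:$StaticPort"
    $missing = @($want | Where-Object { $user.ServicePrincipalName -notcontains $_ })
    $report += "Step 6  Missing SPNs: $(if ($missing) { $missing -join ', ' } else { 'none' })"

    # Steps 7-8: read back the delegation flag on the computer and user objects.
    $computer = Get-ADComputer -Identity $hostName -Properties TrustedForDelegation
    $report += "Step 7  $hostName TrustedForDelegation=$($computer.TrustedForDelegation)"
    $report += "Step 8  $sam TrustedForDelegation=$($user.TrustedForDelegation)"
}
$report
```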

10. LCS Role Server

In rare situations, moving the LCS role to a different server has resolved issues of the library configuration not getting updated on a specific client DPM server. Remove tape library sharing on all of the servers and configure a different server as the LCS server. Use the batch files in the next step to assist with removing tape library sharing and reconfiguring a different LCS server.

11. Start Over

As a last resort, remove tape library sharing and reconfigure it on all servers. If during the configuration there was ever a failure, you will have to remove tape library sharing and reconfigure it. To help with this, you may want to add the commands necessary to remove and configure tape library sharing in batch files. Here are the batch files we use:

Enable-Server.cmd:

AddLibraryServerForDpm.exe -ShareLibraryWithDpm <CLIENT1_FQDN>

AddLibraryServerForDpm.exe -ShareLibraryWithDpm <CLIENT2_FQDN>

AddLibraryServerForDpm.exe -ShareLibraryWithDpm <CLIENT3_FQDN>

Enable-Client.cmd:

AddLibraryServerForDPM -DPMServerWithLibrary <LCS_FQDN>

SetSharedDPMDatabase -InstanceName <LCS_FQDN>\MSDPM2010

Disable-Server.cmd:

AddLibraryServerForDPM -ShareLibraryWithDPM <LCS_FQDN> -Remove

SetSharedDPMDatabase -RemoveDatabaseSharing

Disable-Client.cmd:

SetSharedDPMDatabase -RemoveDatabaseSharing

AddLibraryServerForDPM -DPMServerWithLibrary <LCS_FQDN> -Remove

Save the above batch files in the …\Microsoft DPM\DPM\Setup folder. Replace <LCS_FQDN> with the fully qualified name of the LCS server and <CLIENT#_FQDN> with the fully qualified name of each client (one for each client). Modify and copy each batch file to all servers; that way it will be easier to switch the LCS role if at any point you need to.

After any of the library sharing commands above, if you receive the following error:

Incorrect Server Name. Provide Fully Qualified Domain Name. For example: myserver.mydomain.mycompany.com

Set the following registry key on all of your DPM servers:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Entry: MaxTokenSize
Data type: REG_DWORD
Value: 65535

Chuck Whitson | Senior Support Escalation Engineer
