Hi, Michael Vargo here, and I wanted to take a minute and talk about how you can provide redundancy for End User Recovery of DFS shared data using Data Protection Manager.
The environment diagram below provides a baseline for explaining the options that can be used to provide redundancy for End User Recovery (EUR) of Distributed File System (DFS) shared data. Note that Microsoft does not "officially" support EUR redundancy with DPM, but it can be achieved.
Which redundancy plan you implement depends primarily on which resource in the environment is most likely to fail. Are you planning for the failure of a DFS server, a DPM server, or an entire site?
If fileserver#1 fails, you do not need a separate copy of the DFS data backed up to another DPM server for users to keep accessing previous versions of the DFS data. Clients accessing the DFS data are redirected to fileserver#2 and can still retrieve the recoverable data (previous versions) from DPM#1. However, DPM#1 is no longer backing up the DFS data while fileserver#1 is down, and that gap can only be closed by having redundant DPM servers. If fileserver#1 will only be down for a short period, you may not want to make any changes to DPM and EUR.
If you are planning for a DPM server failure, you can establish redundancy either through secondary DPM protection or through another DPM server protecting the replica of the DFS data on fileserver#2. Secondary protection is set up by attaching the protection agent on DPM#1 to DPM#2. When you enumerate data sources under DPM#1 from DPM#2 you are presented with a "Protected Server" option that lets you create a redundant copy of the DFS data on DPM#2, and you can later "switch disaster protection" should DPM#1 go down. However, a secondary DPM server provides no benefit for EUR of the DFS data: switching protection does not recreate the required shares on the new primary DPM server and does not update any Active Directory objects. We will discuss these items in more detail shortly.
This is why we recommend a second DPM server that has no association with DPM#1 to provide redundancy for DFS backups and EUR: DPM#1 backs up the DFS data on fileserver#1 and DPM#2 backs up the replicated DFS data on fileserver#2. DPM backups of the DFS data and EUR access to it can then continue should fileserver#1, DPM#1 or site#1 become unavailable. Configure both DPM#1 and DPM#2 to meet your data retention requirements. Ideally we would enable EUR on both DPM#1 and DPM#2, but when the same DFS shares are protected from separate DPM servers, DPM supports enabling EUR in Active Directory on only one of them at a time. If you need to implement the disaster recovery plan, you must first disable EUR for DPM#1 by deleting the AD objects that were created when EUR was enabled, and only then enable EUR on DPM#2.
Two categories of items get added when EUR is enabled. The first is a set of AD objects created by the AD schema extension that enabling EUR performs. The second is a set of shares created on the DPM server.
The first AD object created is cn=ms-sharemapconfiguration,cn=system,dc=domain,dc=local. It is created by running DPMADSchemaExtension.exe, which is found on the DPM server in the c:\program files\Microsoft DPM\DPM\End User Recovery directory and is run when you enable end-user recovery from the DPM options on the End-user Recovery tab. We frequently see cases where enabling end-user recovery from DPM fails with a message similar to "The Active Directory could not be configured." In that case you can copy DPMADSchemaExtension.exe to a domain controller and run it manually as a user who is a member of both the "Schema Admins" and "Enterprise Admins" security groups.
The remaining items are not created until the DPM server successfully synchronizes the protected DFS data after the schema extension. After the synchronization job you will see an object created under the cn=ms-sharemapconfiguration container for each DFS namespace protected by DPM. It is named CN=<GUID> and has the class ms-srvShareMapping. The important information in this object is the ms-backupSrvShare attribute, which points to the DPM server protecting the DFS data, and the ms-productionSrvShare attribute, which identifies the DFS node being protected.
The second set of items, also created when a synchronization job completes after the schema update, is the shares on the DPM server. These are the shares that users access when they view the "Previous Versions" tab in the properties of an object on an EUR-enabled DFS share. There is one share for each protected DFS namespace. The screen shot below shows the shares for the DFS namespaces Namespace1 and public; each associates the namespace on Sharepoint01 with the location of the replica of the files in the DPM storage pool.
The AD objects under cn=ms-sharemapconfiguration,cn=system,dc=domain,dc=local are removed automatically if you uncheck "Enable end-user recovery" in the DPM options on the End-user Recovery tab. However, if the DPM server has crashed or is otherwise unavailable, you must remove these entries manually. The recommended tool for viewing and removing these objects is ADSIedit.msc, which lets you drill down to the cn=ms-sharemapconfiguration,cn=system,dc=domain,dc=local container and see all of the child objects representing the DFS namespaces. Remove only the child objects whose ms-backupSrvShare points at the failed DPM#1 server, and remove all of them before you enable EUR on DPM#2.
You can use repadmin.exe to run a query that lists all of the AD objects associated with a DFS namespace being protected by a failed DPM server.
repadmin /showattr dc01 ncobj:domain: /filter:"(&(objectclass=ms-srvsharemapping)(ms-productionsrvshare=\\sharepoint01\namespace1))" /subtree
The above command connects to a DC named dc01 and dumps all attributes of every object with an objectclass of ms-srvsharemapping whose ms-productionsrvshare attribute has the value \\sharepoint01\namespace1. Standard LDAP filter syntax (RFC 4515) requires a backslash inside a filter value to be escaped as \5c, so if the query returns no objects even though the namespace is protected, try the escaped form \5c\5csharepoint01\5cnamespace1 in the filter.
You could limit the output with the /atts: option to just dump specific values from the object. For example:
repadmin /showattr dc01 ncobj:domain: /filter:"(&(objectclass=ms-srvsharemapping)(ms-productionsrvshare=\\sharepoint01\namespace1))" /subtree /atts:name > ms-productionshare.txt
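As an added example (not code from the original post), the following PowerShell does the same inventory as the repadmin query above and then performs the cleanup described earlier for a DPM server that is no longer available: it enumerates the ms-srvShareMapping objects under cn=ms-sharemapconfiguration,cn=system and removes only those whose ms-backupSrvShare points at the failed server, leaving mappings for any other DPM server untouched. It assumes the ActiveDirectory PowerShell module is installed, reuses dc01 and \\sharepoint01\namespace1 from the post's own repadmin example, uses DPM01 as a stand-in name for DPM#1, and assumes ms-backupSrvShare holds a UNC path on the DPM server (for example \\DPM01\<share>), which the post only describes as "pointing to the DPM server".

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the original post. Assumed names: dc01 (a DC),
# \\sharepoint01\namespace1 (from the post's repadmin example) and DPM01 as a
# stand-in for the failed DPM#1. Assumes ms-backupSrvShare holds a UNC path
# on the DPM server, e.g. \\DPM01\<share>.

# RFC 4515 requires backslash, *, ( and ) inside an LDAP filter value to be
# hex-escaped. A UNC path such as \\sharepoint01\namespace1 is full of
# backslashes, so an unescaped filter can silently match nothing.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # Escape the backslash first so the \xx sequences added here are not re-escaped.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

# Lists the ms-srvShareMapping objects DPM created under
# CN=ms-ShareMapConfiguration,CN=System, optionally limited to one DFS namespace.
# This is the same data the repadmin /showattr query returns.
function Get-DpmShareMapping {
    param(
        [Parameter(Mandatory)][string]$Server,
        [string]$ProductionShare
    )
    $domainDn   = (Get-ADDomain -Server $Server).DistinguishedName
    $searchBase = "CN=ms-ShareMapConfiguration,CN=System,$domainDn"
    $filter     = '(objectClass=ms-srvShareMapping)'
    if ($ProductionShare) {
        $escaped = ConvertTo-LdapFilterValue $ProductionShare
        $filter  = "(&${filter}(ms-productionSrvShare=${escaped}))"
    }
    Get-ADObject -Server $Server -SearchBase $searchBase -LDAPFilter $filter `
                 -Properties 'ms-backupSrvShare', 'ms-productionSrvShare' |
        Select-Object Name, DistinguishedName,
            @{ n = 'BackupSrvShare';     e = { $_.'ms-backupSrvShare' } },
            @{ n = 'ProductionSrvShare'; e = { $_.'ms-productionSrvShare' } }
}

# Removes only the mappings whose backup share lives on the failed DPM server.
# Mappings that point at any other DPM server are left alone, so running this
# in a domain where DPM#2 already has EUR enabled does no harm.
function Remove-StaleDpmShareMapping {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$FailedDpmServer,
        [string]$ProductionShare
    )
    # Match the server component of \\server\share, accepting short name or FQDN.
    # -match is case-insensitive, so DPM01 also matches \\dpm01.domain.local\...
    $pattern = '^\\\\' + [regex]::Escape($FailedDpmServer) + '(\.|\\)'
    foreach ($m in Get-DpmShareMapping -Server $Server -ProductionShare $ProductionShare) {
        if ($m.BackupSrvShare -match $pattern) {
            if ($PSCmdlet.ShouldProcess($m.DistinguishedName, "Remove mapping to $($m.BackupSrvShare)")) {
                Remove-ADObject -Server $Server -Identity $m.DistinguishedName -Confirm:$false
            }
        }
        else {
            Write-Verbose "Keeping $($m.Name): $($m.BackupSrvShare) is not on $FailedDpmServer"
        }
    }
}

# 1. Inventory what DPM created for the namespace.
Get-DpmShareMapping -Server 'dc01' -ProductionShare '\\sharepoint01\namespace1' | Format-Table -AutoSize

# 2. Dry run: -WhatIf reports which objects would be deleted without touching AD.
Remove-StaleDpmShareMapping -Server 'dc01' -FailedDpmServer 'DPM01' -WhatIf

# 3. When the dry run lists only DPM#1's mappings, run it for real, then enable EUR
#    on DPM#2 and run a synchronization so DPM#2 creates its own objects and shares.
# Remove-StaleDpmShareMapping -Server 'dc01' -FailedDpmServer 'DPM01' -Verbose
```

Run it as an account that can delete objects in the System container (the same rights you would need in ADSIedit), and always take the -WhatIf pass first: the filter on ms-backupSrvShare is the only thing standing between this script and the mappings that a healthy DPM server still depends on.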
Michael Vargo | Senior Support Escalation Engineer | Microsoft CTS Management and Security Division
Excellent information Mike that should clear up some confusion in regards to EUR. Well done.