DAGs Protection Hints – DPM 2010

DPM 2010 provides node-based protection, so the state of the database on the node (whether it is an Active copy or a Passive copy of the Exchange 2010 DB) does not matter. The state of the database may switch back and forth between Active and Passive, but DPM will continue to protect the DB as long as the Exchange server is up and running.

As for how many copies to protect: it is recommended that you protect at least two copies of the DB, especially if your Exchange server implementation is based on JBODs/SATA drives. In that situation the database is likely to switch states, because disk failures are more probable with SATA drives. If you protect only one copy, you will have no protection when the protected copy goes offline, and you will have to add protection for another copy manually after the failure. This has the further disadvantage that you incur the heavy cost of Initial Replication, backing up the entire database, which can be time consuming and exposes you to the risk of not having a consistent backup in the interim.

If you choose to protect at least two copies of the database, you will not incur the cost of Initial Replication every time a disk goes offline. It can also be shown that the storage consumed on the Recovery Point volume when protecting two databases is less than twice the space consumed when protecting only one. In fact, if you expect to switch the databases from Active to Passive frequently, the space consumed by Recovery Points decreases.

If you are using higher-end RAID disks, then protecting only one copy of the DB with DPM may suffice. Either way, we recommend that you use RAID 5 disks.

Log file truncation: when you set up protection in the Protection Group wizard, you are required to configure each database as either a "Full Backup" or a "Copy Backup". With DPM 2010 you need to configure at least one Full Backup. A Full Backup backs up the databases and the log files and then truncates the log files. If you are protecting more than one copy of the Exchange database, configure one copy for Full Backup and the rest of the copies for "Copy Backup". Copy Backup does not truncate the log files.

The next challenge we faced was getting DPM to back up over the backup network assigned with Add-BackupNetworkAddress. The post at https://technet.microsoft.com/en-us/library/ff399746.aspx appears to indicate that the NICs for the backup network should register their IPs in DNS.

Some customers complain that if they add the primary IP address of the DPM server in a second Add-BackupNetworkAddress statement (-SequenceNumber 2), the backup works, but it goes over the primary address. There is an alternative workaround, with its own risks: the hosts file.

I tested several other approaches first, though. On my network the backup network NICs do not register themselves in DNS. In fact, they do not even talk to the domain controllers where DNS is located. If memory serves, this is what I found:

  • I tried manually entering the backup addresses in DNS, but the problem there is that everyone can see and resolve those addresses. Backup traffic can be restricted to the backup network by DPM using PowerShell, but there is nothing to prevent other SMB traffic from using that network as well. When two machines communicate, both with backup NICs, nothing prevents them from using the backup network. I have internal firewalls, and normal traffic must be constrained to move through the firewall. The backup network is higher performance and cuts across multiple security zones. Indeed, the fact that it is faster than the firewalled network pretty much guarantees that traffic will flow preferentially through the backup network (I have round robin load balancing via DNS turned off).
  • I also tried entering a different host name in DNS for the backup network. For example, if the host name is "Server1" I would manually enter a DNS host record for "Server1-BK" using the backup network address. Same for the DPM server. I can ping from either machine to the other using the "-BK" names just fine, but I could not add the machine to DPM as a client in this case. I think DPM was checking AD for the machine name (with the -BK), and failed to find it.
  • The hosts file approach works for backup, but it remains a security risk. All traffic, not just backup traffic, between the DPM server and the DPM clients goes over the backup network and bypasses the firewall.

To use hosts files, put an entry in each client's hosts file with the name of the DPM server and the backup network address of the DPM server. In the DPM server's hosts file, put an entry for each client listing the client host name and the backup address for that client. Do not create entries for the normal, non-backup network addresses. At that point, ping by name in both directions should resolve to and use the backup network. If not, you might have other name resolution methods in place. Check out https://support.microsoft.com/kb/142309 (old, but as far as I am aware the resolution order has not changed) or do a search for "host name resolution". I have no LMHOSTS entries, no WINS, etc., so all I needed to do was put the above entries in the hosts file and it worked. I did not run the PowerShell cmdlet to inform DPM of a dedicated backup network. As far as DPM was concerned, all communication was over that network. I verified during backups that the traffic did stay on the backup network.
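As an added example (not code from the original post), the hosts-file setup described above as a PowerShell script: it writes only backup-network addresses, on the DPM server one entry per client and on a DAG node one entry for the DPM server, then checks that each name resolves to exactly its backup address. The host names, addresses, subnet and the Add-HostsEntry helper are constructed for illustration.

```powershell
# Added example, not from the original post. All names and addresses are constructed.
# Writes the hosts entries the post describes (backup addresses only) and checks
# that each name now resolves to exactly its backup-network address.
# Must run elevated, since the hosts file is writable only by administrators.

$BackupSubnet = '10.99.0.'                                   # constructed backup network
$DpmServer    = @{ Name = 'DPM01'; BackupIP = '10.99.0.10' } # constructed
$Clients      = @(                                           # constructed DAG nodes
    @{ Name = 'EX-MBX01'; BackupIP = '10.99.0.21' },
    @{ Name = 'EX-MBX02'; BackupIP = '10.99.0.22' }
)
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Hypothetical helper: append "IP<TAB>Name" once, and only for backup addresses,
# so a production address can never end up in the hosts file by mistake.
function Add-HostsEntry {
    param([string]$Path, [string]$Name, [string]$IP)
    if (-not $IP.StartsWith($BackupSubnet)) {
        throw "$IP for $Name is not on the backup subnet; refusing to add it."
    }
    $pattern = '^\s*' + [regex]::Escape($IP) + '\s+' + [regex]::Escape($Name) + '\s*$'
    if (@(Get-Content $Path) -match $pattern) { return }     # already present
    $raw = [System.IO.File]::ReadAllText($Path)
    $nl  = if ($raw.Length -gt 0 -and -not $raw.EndsWith("`n")) { "`r`n" } else { '' }
    Add-Content -Path $Path -Value "$nl$IP`t$Name"
}

# DPM server: one entry per client. DAG node: a single entry for the DPM server.
if ($env:COMPUTERNAME -eq $DpmServer.Name) {
    foreach ($c in $Clients) { Add-HostsEntry -Path $HostsPath -Name $c.Name -IP $c.BackupIP }
    $ToCheck = $Clients
} else {
    Add-HostsEntry -Path $HostsPath -Name $DpmServer.Name -IP $DpmServer.BackupIP
    $ToCheck = @($DpmServer)
}

# Verify. Dns.GetHostAddresses honours the hosts file, so a production address
# showing up here means another resolver (DNS, LMHOSTS, WINS) won and traffic
# may leave the backup network.
foreach ($h in $ToCheck) {
    try {
        $resolved = @([System.Net.Dns]::GetHostAddresses($h.Name) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString })
    } catch { $resolved = @() }                              # name did not resolve at all
    if (($resolved -join ',') -ne $h.BackupIP) {
        Write-Warning "$($h.Name) resolves to [$($resolved -join ', ')], expected $($h.BackupIP) only"
    } else {
        Write-Output "$($h.Name) -> $($h.BackupIP) (backup network)"
    }
}
```

Run the same script on the DPM server and on every DAG node; the COMPUTERNAME check selects which side's entries to write.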

I would like to thank Anne Soilleux, one of our brilliant Escalation Engineers, who grabbed me in the office asking me DPM questions, and because of that I ended up researching, blogging and posting! Cheers Anne!!!