This version of Data Protection Manager (DPM) has reached the end of support. We recommend that you upgrade to DPM 2019.

There are a few planning steps to consider before you begin to deploy your System Center Data Protection Manager (DPM) servers:

Plan for DPM server deployment

First determine how many servers you'll need:

  • DPM can protect up to 600 volumes. To protect this maximum size, DPM needs 120 TB per DPM server.

  • A single DPM server can protect up to 2000 databases (recommended disk size 80 TB).

  • A single DPM server can protect up to 3000 client computers and 100 servers.

    • For DPM server capacity planning, you can use the DPM storage calculators. These calculators are Excel sheets and are workload-specific. They provide guidance about the number of DPM servers required, processor core, RAM, and virtual memory recommendations, and required storage capacity. Because these calculators are workload-specific, you'll need to combine the recommended settings and consider them together with the system requirements and your specific business topology and requirements, including data source and storage locations, compliance and SLA requirements, and disaster recovery needs. Note that the calculators were released for DPM 2010 but remain relevant for later DPM versions.

Then figure out how to locate the servers:

  • DPM must be deployed in an Active Directory domain (Windows Server 2008 onwards).

  • When deciding where to locate your DPM server, consider the network bandwidth between the DPM server and the protected computers. If you are protecting data over a wide area network (WAN), there is a minimum network bandwidth requirement of 512 kilobits per second (Kbps).

  • DPM supports teamed network adapters (NICs). Teamed NICs are multiple physical adapters that are configured to be treated as a single adapter by the operating system. Teamed NICs provide increased bandwidth by combining the bandwidth available on each adapter, and they fail over to the remaining adapter when an adapter fails. DPM can use the increased bandwidth achieved by using teamed adapters on the DPM server.

  • Another consideration for the location of your DPM servers is the need to manage tapes and tape libraries manually, such as adding new tapes to the library or removing tapes for offsite archive.

  • A DPM server can protect resources within a domain, or across domains within a forest that has a two-way trust relationship with the domain that the DPM server is located in. If there isn't a two-way trust across domains, you need a separate DPM server for each domain. A DPM server can protect data across forests if there's a forest-level two-way trust between the forests.

  • Consider the network bandwidth between the DPM server and the protected computers. If you are protecting data over a WAN, there's a minimum network bandwidth requirement of 512 Kbps. Note that DPM supports teamed NICs that provide increased bandwidth by combining the bandwidth available for each network adapter, and failover if an adapter fails.

Plan firewall settings and user permissions

Firewall settings

Firewall settings for DPM deployment are required on the DPM server, on machines you want to protect, and on the SQL Server used for the DPM database if you're running it remotely. If Windows Firewall is enabled when you install DPM, DPM setup automatically configures the firewall settings on the DPM server. The firewall settings are summarized in the following table.

| Location | Rule | Details | Protocol | Port |
|---|---|---|---|---|
| DPM server | System Center Data Protection Manager DCOM Setting | Used for DCOM communication between DPM server and protected machines | DCOM | 135/TCP Dynamic |
| DPM server | System Center Data Protection Manager | Exception for Msdpm.exe (the DPM service). Runs on the DPM server | All protocols | All ports |
| DPM server, Protected machines | System Center Data Protection Management Replication Agent | Exception for Dpmra.exe (protection agent service used to back up and restore data). Runs on the DPM server and on protected machines. | All protocols | All ports |
| Protected machines | | Configure incoming exception for sqserv.exe | | |
| Protected machines | | DPM issues commands to the protection agent with DCOM calls to the agent. You'll need to open the upper ports (1024-65535) for DPM to communicate | DCOM | 135/TCP Dynamic |
| Protected machines | | The DPM data channel is TCP. Both the DPM server and the protected machines initiate connections. DPM communicates with the agent coordinator on port 5718 and with the protection agent on port 5719 | TCP | 5718/TCP |
| Protected machines | | Used for host name resolution between DPM/protected machine, and the domain controller | DNS | 53/UDP |
| Protected machines | | Used for authentication of the connection endpoint, between DPM/protected machine, and the domain controller | Kerberos | 88/UDP |
| Protected machines | | Used for queries between the DPM server and the domain controller | LDAP | 389/TCP |
| Protected machines | | Used for miscellaneous operations between 1) DPM and protected machines, 2) DPM and the domain controller, 3) protected machines and the domain controller. Also used for SMB directly hosted on TCP/IP for DPM functions | NetBIOS | 137/UDP |
| Remote SQL Server | | Enable TCP/IP for the DPM instance of SQL Server with the following: default failure audit; enable password policy checking | | |
| Remote SQL Server | | Enable incoming exception for sqservr.exe for DPM instance of SQL Server to allow TCP on port 80. The report server listens for HTTP requests on port 80. | | |
| Remote SQL Server | | Default instance of database engine listens on TCP port 1443. Can be modified. To use the SQL Server Browser service to connect on non-default port set UDP port 1434 | | |
| Remote SQL Server | | Named instance of SQL Server uses Dynamic ports by default. Can be modified. | | |
| Remote SQL Server | | Enable RPC | | |
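
The inbound TCP openings the table lists for a protected machine (DCOM on 135 plus the upper ports, and the DPM data channel on 5718 and 5719) can be created as Windows Firewall rules that accept traffic only from the DPM server. This is an added example, not part of the DPM documentation or of DPM setup. The rule display names, the `-Apply` switch, the Domain profile and the address `192.0.2.10` are assumptions made for illustration, as is the choice to restrict the remote address.

```powershell
# Added example: run on a protected machine from an elevated PowerShell session.
# $DpmServerIp is a constructed placeholder (documentation address range);
# replace it with the address of your DPM server.
param(
    [string]$DpmServerIp = '192.0.2.10',
    [switch]$Apply   # hypothetical switch: without it the script only reports
)

# Inbound TCP ports taken from the firewall table on this page.
$rules = @(
    @{ Name = 'DPM DCOM endpoint mapper';  Port = '135' },
    @{ Name = 'DPM DCOM upper port range'; Port = '1024-65535' },
    @{ Name = 'DPM agent coordinator';     Port = '5718' },
    @{ Name = 'DPM protection agent';      Port = '5719' }
)

foreach ($r in $rules) {
    $params = @{
        DisplayName   = "Example - $($r.Name)"
        Direction     = 'Inbound'
        Action        = 'Allow'
        Protocol      = 'TCP'
        LocalPort     = $r.Port
        RemoteAddress = $DpmServerIp   # assumption: only the DPM server needs these ports
        Profile       = 'Domain'       # assumption: machine is domain-joined, as DPM requires
    }
    if ($Apply) {
        New-NetFirewallRule @params | Out-Null
    } else {
        "Would create '$($params.DisplayName)': TCP/$($r.Port) from $DpmServerIp"
    }
}

if ($Apply) {
    # Confirm each example rule is scoped to the DPM server and not to 'Any'.
    Get-NetFirewallRule -DisplayName 'Example - DPM*' | ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        }
    }
}
```

The upper port range rule is the widest opening in the set, so the remote address scope matters most there.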

Grant user permissions

Before you begin a DPM deployment, verify that appropriate users have been granted the required privileges for performing the various tasks. These are summarized in the following table.

| DPM task | Permissions needed |
|---|---|
| Add the DPM server to a domain | Domain admin account, or user right to add workstation to domain |
| Install DPM | Admin account on the DPM server |
| Install DPM protection agent on machine you want to protect | Domain account that's in the local administrators group on the machine |
| Extend AD schema to enable end-user recovery | Schema admin privileges for the domain |
| Create AD container to enable end-user recovery | Domain admin privileges |
| Grant DPM server permission to change container contents | Domain admin privileges |
| Enable end-user recovery on DPM server | Admin account on the DPM server |
| Install recovery point client software on protected machine | Admin account on machine |
| Access previous versions of protected data from protected machine | User account with access to protected share |
| Recover SharePoint data | SharePoint farm admin that's also an admin on the front-end Web server on which the protection agent is installed. |


The DPM server and the protected computer communicate using DCOM. During DPMRA installation, the DPM server's account is added to the Distributed COM Users security group on the protected computer.

For domain controller protection, Active Directory security groups will be created for each protected domain controller, with the names DPMRADCOMTRUSTEDMACHINES$DCNAME, DPMRADMTRUSTEDMACHINES$DCNAME, and DPMRATRUSTEDDPMRAS$DCNAME.