How to use certificates to authenticate computers in workgroups or untrusted domains

~ John Clyburn | Senior Consultant | Microsoft

System Center 2012 R2 Data Protection Manager (DPM 2012 R2) supports protection of computers in workgroups and untrusted domains using local accounts and NTLM, however in scenarios where an organization does not allow creation of local accounts, this solution does not work. As an alternative, DPM 2012 R2 now allows the use of certificates to authenticate computers in workgroups or untrusted domains. DPM supports the following data sources for certificate-based authentication when they are not in trusted domains:

  • SQL Server
  • File server
  • Hyper-V

Note that DPM also supports the data sources above in clustered deployments.

The following data sources are not supported:

  • Exchange Server
  • Client computers
  • SharePoint Server
  • Bare Metal Recovery
  • System State
  • End user recovery of file and SQL
  • Protection between a Primary DPM server and Secondary DPM server using certs. The Primary DPM server and Secondary DPM server need to be in the same domain or mutually trusted domain. Certificate based authentication between a Primary and Secondary DPM servers is not supported.

If you have this scenario in your environment, we have a new article available that will guide you through all of the steps required for setting up System Center 2012 R2 Data Protection Manager to protect virtual machines (VMs) running in a Windows Server 2012 R2 workgroup, or VMs running in a Windows Server 2012 R2 Hyper-V cluster, in an untrusted forest using certificate authentication. You can download this new whitepaper here.

John Clyburn | Senior Consultant | Microsoft