Monitoring Large DPM Deployments with SCOM

DPM can back up a variety of workloads such as SQL, SharePoint, Exchange, Hyper-V VMs, and file servers, among others. One way to monitor the DPM servers centrally is to use SCOM. In this blog, our guest, John Joyner, talks about leveraging the Central Console for multi-site backup management.

The combination of DPM and SCOM is beneficial to distributed enterprises and service providers as a cost effective remote-managed backup solution that scales extremely well. Microsoft System Center Data Protection Manager (DPM) is the backup and disaster recovery component of System Center. DPM excels at backing up Microsoft workloads such as Hyper-V Virtual Machines, SQL Server databases, Exchange databases, file shares, and SharePoint farms. DPM even provides host level protection of VMware VMs.

The DPM Server application runs on the Windows Server operating system (OS), on either a physical computer or a virtual machine. DPM Servers can back up to disk storage, tape, and directly to Azure. DPM is actually a great backup engine with these strategic benefits:

  • DPM is economical because it is included in the System Center or Operations Management Suite (OMS) licenses the customer already uses for management, monitoring, and automation.
  • DPM is ubiquitous since it leverages the native and familiar volume shadow copy service… you will find DPM works perfectly in Azure as well.
  • DPM is manageable, with ready access to a monitoring and automation framework, using tools like System Center Operations Manager (SCOM), Service Management Automation (SMA), Azure Automation, and PowerShell.
  • DPM is scalable since each DPM Server is an autonomous backup engine instance. You deploy DPM Servers in quantities, locations, and configurations as needed for optimal function and economy.

While a Windows Server OS license may be required to host a DPM instance, instances of DPM Server incur no additional System Center license costs.
DPM’s native cloud integration to Azure Backup makes customers’ lives easier managing offline backups and long term retention—the ultimate solution to replace tape backup media.

DPM + SCOM = DPM Central Console

This article focuses on the ease of monitoring large DPM deployments with SCOM, a product combination known as the DPM Central Console: a single instance of SCOM monitors and manages many instances of DPM. This capability lets IT architects confidently deploy or support DPM in both scale-up and scale-out scenarios: high-density backup environments, such as a single datacenter with multiple DPM servers, as well as distributed environments with many remote DPM servers. The business goal is detecting and remediating backup failures in real time across hundreds or even thousands of backup jobs, which is possible using DPM and SCOM without incurring undue management burden.

If you are already using SCOM to manage your infrastructure, this move brings another discipline (backup) into the holistic view SCOM provides. SCOM can manage just the DPM instance, or SCOM can additionally manage the workloads being backed up by DPM, such as virtual machines, SQL, Exchange, and SharePoint. Remember a single System Center management license covers SCOM and DPM (as well as all other components in the System Center suite), so if you have one why not use both?

Installing the Central Console is simple; you basically install the DPM management console on a computer where the SCOM console is also installed. Then you import some DPM-specific management packs into SCOM. Following these preparations, any DPM Server instance managed by SCOM effortlessly surfaces in the DPM Central Console.

Simply put, you can easily view the live status of hundreds of DPM Servers from a single SCOM console configured with this solution. These DPM Servers can reside inside a large enterprise wide area network, or they can exist anywhere in the world and be managed remotely by a service provider. Figure 1 shows a possible deployment across three (3) customer environments.

Figure 1 – Leveraging DPM Central Console for management across multiple environments

The Challenge of Multi-Site Backup Management

Out of the box, DPM has its own alerting capability using e-mail suitable for a small organization. Once you have two or more DPM instances in your estate, SCOM with DPM Central Console immediately becomes the preferred management solution. Most enterprise backup products with multi-site management features do include proprietary applications and interfaces. The complexity of some enterprise backup management software is notorious.

The Microsoft solution, connecting two excellent applications into a functional framework that requires no ‘net new technology investment’ for Microsoft shops, is elegant and simple. SCOM excels at management, and especially remote management of Microsoft workloads. The large enterprise or service provider architect can leverage mature System Center management technologies like gateways, certificate-based authentication, and orchestration automation at no sacrifice to the fidelity of the backup process.

Figure 1 demonstrates three models to manage DPM with SCOM in the service provider model. In each scenario only one computer at the site requires a SCOM authentication certificate to communicate with the service provider. A single outbound TCP 5723 connection from that one computer over the Internet to the service provider is all that is required for remote management of the site.

  1. Customer site “A” represents a small site where the SCOM gateway component is installed on the DPM Server computer and all computers at the site are remotely managed through the gateway. Only the DPM server computer needs a SCOM authentication certificate.
  2. Customer site “B” shows the SCOM gateway installed on a separate computer at the site, managing the DPM server and protected workload computers.
  3. Customer site “C” is the minimum implementation, with only a SCOM agent on the DPM Server. The service provider manages the DPM server status and jobs only and has no access to the DPM protected workloads.

A large enterprise in a trusted Active Directory environment might employ SCOM gateways at large sites to consolidate agent communication. Similar architecture to Customer site “B” would exist in this scenario, except that there is no Internet path involved and no authentication certificates would be required on any computer.
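For the service provider sites in Figure 1, the one computer holding the SCOM authentication certificate is a single point of failure for monitoring the whole site, so its outbound path and certificate are worth checking before and after onboarding. The script below is an added example, not part of the original article or of DPM/SCOM itself: the management server name is a placeholder, and the certificate criteria (subject matching the computer's FQDN, both Server and Client Authentication EKUs, a private key) come from SCOM's general certificate requirements rather than from this page.

```powershell
# Added example: pre-flight check for the computer at a customer site that
# connects to the service provider (gateway or agent-managed DPM Server).
param(
    [string]$ManagementServer = 'scom.provider.example',  # placeholder name (assumption)
    [int]$Port = 5723                                     # outbound port named in the article
)

$serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$now  = Get-Date

# 1. The single outbound TCP connection the site depends on.
$conn = Test-NetConnection -ComputerName $ManagementServer -Port $Port `
            -WarningAction SilentlyContinue

# 2. Machine-store certificates that can be used for mutual authentication:
#    valid now, private key present, both EKUs, subject name equals this FQDN.
$usable = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ekus = $_.EnhancedKeyUsageList.ObjectId
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    ($ekus -contains $serverAuth) -and ($ekus -contains $clientAuth) -and
    ($_.GetNameInfo('SimpleName', $false) -eq $fqdn)
})

# 3. An expired certificate drops monitoring for the site, so flag
#    anything that expires within 30 days.
$expiring = @($usable | Where-Object { $_.NotAfter -lt $now.AddDays(30) })

[pscustomobject]@{
    Computer             = $fqdn
    Target               = "${ManagementServer}:$Port"
    OutboundReachable    = $conn.TcpTestSucceeded
    UsableCertificates   = $usable.Count
    ExpiringWithin30Days = $expiring.Thumbprint -join ', '
}
```

A result with `OutboundReachable` false or `UsableCertificates` at zero means the site cannot report backup failures to the central console, which is itself a condition to alert on from the provider side.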

Figure 2 exposes the health model of a DPM Protection Group in the SCOM console, in this case for protected virtual machines that are Domain Controllers. Each green checkmark represents a health monitor that otherwise would change to Warning or Critical state and generate an alert in the SCOM console.

Figure 2 – The SCOM Health Model for a DPM Protection Group monitors for dozens of error conditions.

What do you need to use the DPM Central Console?

  • Microsoft or VMware workloads to protect
  • DPM 2012 R2, or DPM 2016 instances to manage
  • DPM Server instances are Agent Managed Computers in SCOM 2012 R2 or SCOM 2016
  • Full function of all DPM Central Console features requires routed network connectivity between the SCOM console and the DPM Server computer, in the same or a trusted Active Directory domain.
  • Slightly reduced functionality is available in the service provider model, which uses certificates for authentication and does not require routed network access to a managed DPM Server (like that shown in Figure 1). To use the service provider model, a publicly accessible Certificate Authority (CA) is also required.

What do you get with the DPM Central Console?

You get Out of Box (OOB) central management of many DPM instances, that is, freedom from jumping between DPM consoles and no longer depending on e-mail alerts configured on each DPM server. All SCOM features like views, dashboards, alert subscriptions, reports for DPM optimization, trending, and SLA compliance become available.

The primary benefit is centralized monitoring of DPM servers from a single location, and that includes monitoring different versions of DPM, and tracking the status of servers, tasks, protected resources, tape libraries, available storage and disk space.

SCOM Tasks are the force multiplier when supporting multiple remote DPM instances. DPM Central Console operators can take direct action from the SCOM console using the Action Task panel and the DPM tasks. Figure 3 shows this time-saver in action. A DPM Replica inconsistent alert is observed to be due to DPM being out of disk space. From the Modify disk allocation task, you can adjust the disk allocation directly from the central console with no need to log into a DPM console.

Figure 3 – The remote management power of the DPM Central Console is evident in the ability to launch remediation tasks against DPM jobs and servers without ever leaving the SCOM console.

Modern IT architects will be hard pressed to find a more economical, extensible, and full featured backup and business continuity solution than the DPM Central Console.