System Center Data Protection Manager 2016 Delegated Administrator

I recently had a requirement to add a delegated administrator to DPM 2016. While it’s possible to configure self-service recovery, there doesn’t appear to be any way that I can configure another user to perform the delegated admin role as there is in some other System Center products.

It is possible to configure another user to be a delegated DPM admin if you’re willing to roll up your sleeves and get a little grubby with the config however! Note that I’m fairly sure that doing this will impact support, but it’s easy to undo if required.

The problem:

  1. There’s nothing in the DPM interface that appears to allow configuration of a delegated admin.
  2. Adding a user as a local admin of the DPM server still doesn’t allow the user concerned to administer DPM. When trying to launch the DPM console, the following error is shown:
    Unable to connect to DPM server error
  3. Granting the user logon locally permissions still requires that the user elevates when launching the DPM console, so realistically they should be made a local admin on the DPM server.

The solution:

  1. Grant the user local admin rights on the DPM server. I’d strongly suggest creating a dedicated admin account for the user rather than using their day-to-day account for this purpose.
  2. On the SQL instance that DPM uses, configure the following:
    1. Create a new login for the account that will be used as a delegated admin.
    2. Right-click the new account and select ‘Properties’.
    3. Select the DPM database and in the database role membership section of the dialog, select the appropriate DPM-related permissions for the user. To give the user full admin permissions on DPM, select all of the ‘MSDPM…’ role checkboxes:
      DPM delegated admin SQL rights
    4. Click OK to close the dialog.
    5. Check that the user can a) log onto the DPM server and b) successfully launch the DPM admin console and administer the service.

DPM Protection for Windows 10 Anniversary Edition

Attempting to add protection to a Windows 10 Anniversary Edition workstation recently failed with the DPM server showing the workstation as ‘unavailable’ when looking at the ‘Production Servers’ list in the console.

It appears that the upgrade to Anniversary Edition removes a file that the DPM agent relies on, ‘sisbkup.dll’, and that as a consequence the services cannot start on the protected workstation.

The resolution is to copy the ‘sisbkup.dll’ file from c:\Windows\System32 on an older version of Windows 10 into C:\Windows\System32 on the Anniversary Update machine and then retry the connection from DPM.

DPM 2012 R2 UR7 Known Issue

There’s a known issue with Update Rollup 7 for System Center Data Protection Manager 2012 R2 that stops expired recovery points being removed, thus leading (eventually) to DPM consuming all available disk space attached to it. This leads to messages such as:

DPM does not have sufficient storage space available...

and

image

Which mean that new recovery points are not being created and therefore changes are not being backed up.

The fix, which involves replacing the ‘pruneshadowcopiesDpm2010.ps1’ file with a corrected version, can be downloaded from https://www.microsoft.com/en-in/download/details.aspx?id=48694

The procedure is:

  1. Ensure that you are running DPM 2012 R2 UR7 (version 4.2.1338.0) from the ‘About DPM’ menu item under the ‘Action’ menu.
  2. Download the revised pruneshadowcopiesDpm2010.ps1 file from the URL above.
  3. Copy the original file to another location (just in case!)
  4. Replace the original pruneshadowcopiesDpm2010.ps1 with the one downloaded from the URL above. On one of our servers (that was upgraded from 2012 to 2012 R2), this location was C:\Program Files\Microsoft System Center 2012\DPM\DPM\bin and on a new installation, this location was C:\Program Files\Microsoft System Center 2012 R2\DPM\DPM\bin.
  5. Allow the system to run the PowerShell script at midnight (the default time) and the old recovery points should be removed.
  6. You may need to shrink the disk space allocated to the recovery point if DPM has automatically grown the disk space allocated. To to this, for each protection group, right click the protection group and click ‘Modify disk allocation’. Against each entry for the protection group, click ‘shrink’. DPM will calculate the new volume size. Click OK to complete the process.

Note: Repeated small shrink operations cause free space fragmentation, so use with care.

Additional notes: UR7 was re-released to fix this issue, so if you updated your DPM system after August 25th, you should be okay. The original script looks like this:

image

The modified version looks like this:

image

DPM 2012 R2 SQL Backups Failing After November 2014 OS Updates

Following the installation of the November 2014 OS updates and the updated DPM agent (to update rollup 4) onto a number of servers, I saw failures when attempting to perform a backup of SQL Server 2012 databases hosted on Windows Server 2012. These manifested as ‘replica is inconsistent’ in the DPM console:

DB Replica Inconsistent

On the affected SQL Server, the following error was appearing in the server event log each time a consistency check was triggered:

Event 4354 - Failed to fire the RequestWriterInfo method

The COM+ Event System failed to fire the RequestWriterInfo method on event class {FAF53CC4-BD73-4E36-83F1-2B23F46E513E} for publisher  and subscriber . The display name of the subscription is “{E6057DCA-9DE3-42FC-9A6E-A057156277B4}”. The HRESULT was 80042318.

I tried a number of things to resolve the issue:

  1. Modified the protection group. Initially, the protection group wizard did not show the ‘SQL Server’ option and I could not re-add the SQL Server databases. The agent required an update (again) and following this, I could then re-add the SQL Server databases, however when synchronised, the databases were still reporting ‘replica is inconsistent’.
  2. Removed the protection from the affected server, removed the DPM agent, rebooted, then reinstalled and attached the DPM agent and re-added the SQL Server databases to the protection group. This also had no effect, with the databases still reporting as ‘replica is inconsistent’.
  3. Updated the affected server to SQL Sever 2012 SP2 CU2 as the cumulative update mentioned VSS related fixes. Again this had no effect.

I have a Microsoft support call open at the moment in an effort to determine the root cause of the issue, but have found that removing a specific update appears to resolve the issue. The update in question is KB3000853. KB3000853 is an update rollup for Windows 8, Windows RT and Windows Server 2012 and contains a number of fixes including KB2996928 which is a backup related hotfix that references VSS. My suspicion is that this update is what has caused the issue, but will update this post when I get a final resolution from Microsoft support.

Update:

I’ve had this confirmed as an issue with KB3000853 by the Microsoft engineer I’ve been working with.
The workaround for the moment is to either change the account that runs the SQL VSS Writer service to the domain admin account (I assume an account that has local admin permissions, but have not tested this so far), or remove KB3000853, at which point the backups start functioning correctly again.
There is currently no confirmed release date for an updated version of KB3000853.

Update 2:

There’s now a revised hotfix to correct the issue experienced above. The steps to correct the issue are:

  1. Install KB3000853.
  2. Install hotfix KB2996928.

This combination corrects the issues on the servers on which I have installed them.