DPM 2007

Backup (and Recovery)

I’ve spent a bit of time recently looking at backup solutions for Windows 2008 Server. For those who don’t know Windows 2008 has no native support tape devices which have been replaced by removable disk storage e.g. external USB hard disks. Microsoft have replaced the old NTBackup utility with Windows Backup in Windows 2008. A free download version of NTBackup that allows you to restore files from historical backups.

One limitation of Windows Backup is that it only supports direct attached disks when scheduling jobs. A manual backup job can use a UNC file path but can’t be scheduled. The solution to this issue is to use the Windows Scheduler to run this command (with updated UNC path and drive letters):

  • wbadmin start backup -backupTarget:\\servername\share\folder -include:C:,D: -allCritical -vssFull -quiet

Other limitations are around the ability to backup other server products such as Exchange, SQL, Sharepoint etc. Microsoft provide Data Protection Manager (DPM 2007) which supports these more advanced requirements.

Data Protection Manager Posts

If your requirements are for a more traditional disk to tape backup model then a number of third party backup solutions are available for Windows 2008 e.g. BackupExec, ArcServe, Data Protector Express etc


Backup is a critical function of any IT Infrastructure and should be high on the list of priorities for everyone. Backup can be a complicated thing to understand so here are 3 things to consider when choosing a solution:

  • How often should we backup?
  • How long do backups need to be kept for?
  • How long will it take to get data back from backup?

It is also a good idea to ensure backups are stored off site incase of fire or other disaster onsite. It should also be secured because backup contains all of your customer information, intellectual property, sales data, email messages etc

It is important to ensure you monitor your backups so that you know they are working and assign someone the responsibility of managing the backup process and ensuring data is stored securely offsite.


It is important to understand the recovery process and set reasonable expectations for the length of time it will take to recovery data. Factors that will determine the time required include access to backup media, data transfer rate, complexity of the restore process and amount of data being restored.

Some backup solutions give end users the ability to restore data themselves for disk copies. This is useful for small recovery jobs e.g. a deleted file or folder containing user data. In other situations it may be necessary to collect backup media from offsite storage and the require a systems administrator to restore data e.g. recovery of Active Directory, Exchange or SQL databases.

Some systems have special recovery requirements that should be taken into consideration e.g. document level recovery of Sharepoint may require a “Recovery Sharepoint farm” or Exchange item level restore may need a large amount of disk space to restore the entire EDB file before extracting data.


Data Protection Manager 2007 overview

System Centre Data Protection Manager 2007 (DPM) is Microsoft’s enterprise backup solution. Here is a short overview of the key features and a couple of gotcha’s.

DPM supports backup of Microsoft Operating Systems including Windows 2003 or greater and Windows XP. It supports backups for a wide range of Microsoft applications including Sharepoint, Exchange and SQL.

Disk to Disk to Tape

DPM is a disk to disk to tape backup solution. The DPM server can take snap shots of protected servers throughout the day and store those snap shots on DAS or SAN storage (note that it does not support USB drives). Snapshots can then be backed up to tape. This is an effective way of removing backup window issues and is probably the biggest selling point of this type of solution. It also allows recovery up to the last snapshot, reducing the size of any data lost should a major failure occur during the day.

The recommended amount of disk space for snapshots is 1.5 times the size of the data being protected. This should be taken into account when selecting hardware to run on.

Take a careful look at the supported tape drive list on the DPM 2007 homepage too.

Service Packs and Hotfixes.

Service Pack 1 for DPM 2007 is a major improvement and must be installed if you want to get a good result from this product. A post service pack 1 roll up package is also available and fixes many issues too.

Agents need to be redeployed following the updates, so it is best to install and patch DPM before deploying agents. Servers with agents need to be rebooted before the agent will communicate.


If you choose to backup the System State of a server, DPM uses Windows Backup to dump the system state to the local C: drive of the protected server. The catch here is that you can run out of C: drive space and that is not good. This can be changed by editing an XML file on the protected server.

Tape backups run 7 days a week, can only be scheduled on the hour and you can’t eject the tape from DPM. These 3 issues are in my opinion limit the ability for DPM to be used as a purely tape backup solution. Having a run now option would useful be useful.

DPM 2007 can’t backup the server it is installed on. This should be taken into account when choosing a server to deploy DPM on.

Finally remember that DPM is a Microsoft backup solution and doesn’t include agents for non-Microsoft Operating Systems or products. If you want to backup Oracle, Notes or Linux you will need a second backup solution.
DPM 2007 homepage

Forefront TMG with EBS 2008 overview

The second server installed during the EBS 2008 installation process is the security server. This server is the gateway between the internal LAN and the internet. The server requires two network cards and a minimum of 2GB of RAM and 40GB of disk space.

Forefront Threat Management Gateway (TMG) is the product formerly known as ISA. TMG is included as a component of EBS 2008 Server and installs on to the Security Server. TMG runs on a 64bit edition of Windows 2008 where ISA only supports 32bit environments. TMG is only available with EBS 2008 currently or as a beta version for other server versions. Small Business Server (SBS) 2003 included ISA 2004, however this option has been removed from SBS 2008.

EBS 2008 automatically installs Forefront TMG a part of the security server installation process. Anyone who is familiar with ISA 2004 or ISA 2006 will instantly recognise the console and be able to find the key areas without too much trouble. The installation automatically creates rules, configures web listeners and assigns the self-signed certificate generated during the installation. Network sets are correctly defined based on a couple of questions asked during the installation process.

I found that I only needed to make a couple of minor changes to the default configuration to allow my environment to function properly. The first was turning off strict RPC checking to allow the Data Protection Manager (DPM) agent to install and then allow traffic to and from the DPM server. Interesting that RPC compliance is not conformed to by DPM. The second change was creating a custom rule to allow TCP 3101 outbound for Blackberry (an additional server in this environment was running Blackberry), achieved by running a wizard that is almost identical to that in ISA 2006.

The first obvious change I noticed in TMG rules is the option to scan traffic for malware. End users see this when downloading files from the internet, a webpage appears showing the attachment scanning process before the user can save the file to disk. Other area’s of improvement include seperate tabs for Firewall rules and Web rules making it easy to manage both rule types. Many of the publishing aspects of TMG are improved e.g. Exchange 2007 support and Sharepoint publishing. VPN functionality is improved in many areas including support for a variety of third party IPSEC solutions, stateful packet inspection and VPN quarantine.

TMG as an incremental improvement to ISA 2006 with most of the improvements focused on the latest generation of Microsoft server products and a move to 64bit.

A full list of features can be found here: Microsoft Forefront TMG features