
Protecting DFS with DPM

DFS stands for Distributed File System. It was introduced in Windows Server 2003, and is a set of services available as a role on Windows Server operating systems that allow you to group file shares held in different locations (different servers) under one folder known as the DFS root. The actual locations of the file shares are transparent to the end user. DFS is also often used for redundancy of file shares.

For more information on DFS

Windows Server 2008:

http://technet.microsoft.com/en-us/library/cc753479%28v=ws.10%29.aspx

Windows Server 2008 R2 and Windows Server 2012:

http://technet.microsoft.com/en-us/library/cc732006.aspx

Before DFS can be protected it is important to know how it is structured. DFS consists of both data and configuration information:

  • The configuration for DFS is stored in the registry of each server, and in either the DFS tree during standalone DFS deployments, or in Active Directory when domain-based DFS is deployed.

  • DFS data is stored on each server in the DFS tree. The data consists of the multiple shares that make up the DFS root.

Protecting DFS with DPM is fairly straightforward. It is recommended to protect the actual file shares directly on each of the servers in the DFS root.

When you have a standalone DFS deployment, you should protect the system state on the servers in the DFS root. When you have a domain-based DFS deployment, we recommend that you protect Active Directory on the domain controller that hosts the DFS root. If you are using DFS replication, it is also recommended to protect the shadow copy components on servers that host the replication data, in addition to the previously mentioned items. These methods allow you to restore DFS by restoring the data and either system state or Active Directory, depending on your deployment type.

Another option is to use the DfsUtil tool to export/import your DFS configuration. This is a command-line utility that comes with Windows Server that can export the namespace configuration to a file. The configuration can then be imported back into a DFS server to restore a DFS namespace. DPM can be set up to protect the DFS export. You would still need to protect the actual data directly.

An example of using the DfsUtil tool would be:

Run DfsUtil root export \\domainname\rootname dfsrootname.xml to export the DFS configuration to an XML file, then run DfsUtil root import to import the DFS configuration back in.

For more information on the DfsUtil tool, visit the following URL:

http://blogs.technet.com/b/josebda/archive/2009/05/01/using-the-windows-server-2008-dfsutil-exe-command-line-to-manage-dfs-namespaces.aspx
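The export described above can be scheduled so that DPM always has a recent, usable copy to protect. The following is an added example, not code from the original article; the namespace path, export folder, and retention count are assumed placeholders.

```powershell
# Added example, not from the original article. The namespace path, export
# folder and retention count are assumed placeholders; adjust for your site.
param(
    [string]$Namespace   = '\\domainname\rootname',  # DFS root, as in the article's command
    [string]$ExportDir   = 'D:\DfsExport',           # assumed folder that DPM protects
    [int]   $KeepExports = 14                        # assumed number of exports to retain
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -Path $ExportDir -PathType Container)) {
    New-Item -ItemType Directory -Path $ExportDir | Out-Null
}

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path -Path $ExportDir -ChildPath "dfsroot-$stamp.xml"

# The export command from the article: DfsUtil root export <root> <file>
& dfsutil.exe root export $Namespace $target
if ($LASTEXITCODE -ne 0) {
    throw "DfsUtil export of $Namespace failed (exit code $LASTEXITCODE)."
}

# Refuse to keep an export that is missing, empty or not well-formed XML,
# so a broken file never becomes the newest copy in the backup.
try {
    $doc = New-Object -TypeName System.Xml.XmlDocument
    $doc.Load($target)
}
catch {
    if (Test-Path -Path $target) {
        Rename-Item -Path $target -NewName "dfsroot-$stamp.bad"
    }
    throw "Export validation failed: $($_.Exception.Message)"
}

# Keep only the newest $KeepExports validated exports.
Get-ChildItem -Path $ExportDir -Filter 'dfsroot-*.xml' |
    Sort-Object -Property LastWriteTime -Descending |
    Select-Object -Skip $KeepExports |
    Remove-Item -Force

Write-Output "Exported $Namespace to $target"
```

The exported XML describes the namespace layout only; the share data still has to be protected on each server, as noted above.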

That covers the backing up of DFS with DPM.

Protecting Dynamics CRM with DPM

Microsoft Dynamics CRM is Microsoft’s customer relationship management (CRM) software. Microsoft Dynamics CRM Version 1.0 was released in 2003. It then progressed to Version 4.0, and the latest version is 2011. CRM is a part of the Microsoft Dynamics product family. In this section we will cover protecting Versions 4.0 and 2011.

Note that when protecting Microsoft Dynamics CRM on either Version 4.0 or 2011, you should keep a note of your update-rollup level some place safe, so that you can install CRM back to that level in the event of a restore. You will need to restore the CRM database and this could lead to an error if CRM is not at the correct update level.

To protect Microsoft Dynamics CRM 4.0, back up the following components:

  • Microsoft CRM Server database

    • This is straightforward; you simply need to protect the SQL CRM databases. The two databases you want to protect are the following:

      • The configuration database: MSCRM_CONFIG

      • The organization database: OrganizationName_MSCRM

  • Microsoft CRM Server program files

    • By default, these files will be located at C:\Program Files\Microsoft CRM.

  • Microsoft CRM website

    • By default, the CRM website files are located in the C:\Inetpub\wwwroot directory.

    • The web.config file can be protected. It only needs protecting if it has been changed from the default settings.

  • Microsoft CRM registry subkey

    • Back up the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM key.

  • Microsoft CRM customizations

    • To protect customizations or any third-party add-ons you will need to understand the specific components to back up and protect.

  • Other components to back up for protecting Microsoft CRM include the following:

    • System state of your domain controller.

    • Exchange server if the CRM’s e-mail router is used.

To protect Microsoft Dynamics CRM 2011, back up the following components:

  • Microsoft CRM 2011 databases

    • This is straightforward; you simply need to protect the SQL CRM databases. The two databases you want to protect are:

      • The configuration database: MSCRM_CONFIG

      • The organization database: OrganizationName_MSCRM

  • Microsoft CRM 2011 program files

    • By default, these files will be located at C:\Program Files\Microsoft CRM.

  • Microsoft CRM 2011 website

    • By default, the CRM website files are located in the C:\Program Files\Microsoft CRM\CRMWeb directory.

    • The web.config file can be protected. It only needs protecting if it has been changed from the default settings.

  • Microsoft CRM 2011 registry subkey

    • Back up the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM subkey.

  • Microsoft CRM 2011 customizations

    • To protect customizations or any third-party add-ons you will need to understand the specific components to back up and protect.

  • Other components to back up for protecting Microsoft CRM 2011 include:

    • System state of your domain controller.

    • Exchange server if the CRM’s e-mail router is used.

    • SharePoint if CRM and SharePoint integration is in use.

Note that for both CRM 4.0 and CRM 2011, you could have more than one OrganizationName_MSCRM database if you have more than one organization in CRM. Be sure to protect all of the OrganizationName_MSCRM databases that may exist.
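One way to check that no organization database has been missed is to list every CRM database on the SQL instance and compare it with what is already protected. This is an added example, not from the original article; the SQL instance name and the list of protected databases are assumed placeholders that you supply.

```powershell
# Added example, not from the original article. The SQL instance name and the
# list of databases already under DPM protection are assumed placeholders.
param(
    [string]  $SqlInstance        = 'CRMSQL01',
    [string[]]$ProtectedDatabases = @('MSCRM_CONFIG', 'Contoso_MSCRM')
)

$ErrorActionPreference = 'Stop'

# MSCRM_CONFIG plus every OrganizationName_MSCRM database on the instance.
# [_] makes the underscore literal; a bare _ matches any single character in LIKE.
$query = @'
SELECT name
FROM sys.databases
WHERE name = N'MSCRM_CONFIG' OR name LIKE N'%[_]MSCRM'
ORDER BY name;
'@

$connString = "Server=$SqlInstance;Database=master;Integrated Security=SSPI"
$conn  = New-Object -TypeName System.Data.SqlClient.SqlConnection -ArgumentList $connString
$found = @()
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) { $found += $reader.GetString(0) }
    $reader.Close()
}
finally {
    $conn.Dispose()
}

# -contains / -notcontains compare names case-insensitively.
$missing = @($found | Where-Object { $ProtectedDatabases -notcontains $_ })
$stale   = @($ProtectedDatabases | Where-Object { $found -notcontains $_ })

Write-Output ("CRM databases on {0}: {1}" -f $SqlInstance, ($found -join ', '))
if ($stale.Count -gt 0) {
    Write-Warning ("Listed as protected but not found on the instance: " + ($stale -join ', '))
}
if ($missing.Count -gt 0) {
    Write-Warning ("CRM databases not under protection: " + ($missing -join ', '))
    exit 1
}
Write-Output 'All CRM databases on the instance are in the protected list.'
```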

That wraps up the Microsoft Dynamics CRM protection for both 4.0 and 2011. You simply need to configure protection of the mentioned components with DPM. Now let’s look at what it will take to protect another product from the Dynamics family.

Protecting Dynamics GP with DPM

Dynamics GP is Microsoft’s ERP and accounting software package for mid-market businesses. GP has standard accounting functions but it can do more such as Sales Order Processing, Order Management, Inventory Management, and Demand Planner for forecasting, thus making it usable as a full-blown ERP. GP was once known as Great Plains Software before acquisition by Microsoft. The most recent versions of GP are Microsoft Dynamics GP 10.0 and Dynamics GP 2010 R2.

GP holds your organization’s financial data. If you use it as an ERP solution, it holds even more critical data, and losing this data could be devastating to an organization. Yes, there is a built-in backup utility in GP but this does not cover all bases in protecting your GP. In fact, the built-in backup process only backs up the SQL database, and does not cover items like:

  • Customized forms

  • Reports

  • Financial statement formats

  • The sysdata folder

These are the GP components you should protect with DPM:

  • SQL administrative databases: Master, TempDB, and Model

  • Microsoft Dynamics GP system database (DYNAMICS)

  • Each of your company databases

  • If you use SQL Server Agent to schedule automatic tasks, back up the msdb database

  • forms.dic (for customized forms) can be found in %systemdrive%\Program Files (x86)\Microsoft Dynamics\GP2010

  • reports.dic (for reports) can be found in %systemdrive%\Program Files (x86)\Microsoft Dynamics\GP2010

Backing up these components with DPM should be sufficient protection in the event a restore is needed.

Protecting TMG 2010 with DPM

Threat Management Gateway (TMG) is a part of the Forefront product family. The predecessor to TMG is Internet Security and Acceleration Server (ISA Server).

TMG is fundamentally a firewall, but a very powerful one with features such as VPN, web caching, reverse proxy, advanced stateful packet, WAN failover, malware protection, routing, load balancer, and much more.

There have been several forum threads on the Microsoft DPM TechNet forums asking about DPM protecting TMG, which sparked the inclusion of this section in the book. TMG is a critical part of networks and should have high priority with regard to backup, right up there with your other critical business applications. In many environments, if TMG is down, a good number of users cannot access certain business applications, which causes downtime. Let’s take a look at how and what to protect with regard to TMG.

The first step is to allow DPM traffic on TMG so that the agent can communicate with DPM. You will need to install the DPM agent on TMG and then start protecting it from there. Follow the ensuing steps to protect your TMG server:

  1. On the TMG server, go to Start | All Programs | Microsoft TMG Server.

  2. Open the TMG Server Management MMC.

  3. Expand Arrays and then TMG Server computer, then click on Firewall Policy.

  4. On the View menu, click on Show System Policy Rules.

  5. Right-click on the Allow remote management from selected computers using MMC system policy rule. Select Edit System Policy.

  6. In the System Policy Editor dialog box, click to clear the Enable this configuration group checkbox, and then click on OK.

  7. Click on Apply to update the firewall configuration, and then click on OK.

  8. Right-click on the Allow RPC from TMG server to trusted servers system policy rule. Select Edit System Policy.

  9. In the System Policy Editor dialog box, click to clear the Enforce strict RPC compliance checkbox, and then click on OK.

  10. Click on Apply to update the firewall configuration, and then click on OK.

  11. On the View menu, click on Hide System Policy Rules.

  12. Right-click on Firewall Policy.

  13. Select New and then Access Rule.

  14. In the New Access Rule Wizard window, type a name in the Access rule name box. Click on Next.

  15. Check the Allow checkbox and then click on Next.

  16. In the This rule applies to list, select All outbound traffic from the drop-down menu and click on Next.

  17. On the Access Rule Sources page, click on Add.

  18. In the Add Network Entities dialog window, click on New and select Computer from the drop-down list.

  19. Now type the name of your DPM server and type the DPM server’s IP address in the Computer IP Address field. Click on OK when you are done.

  20. You will then see your DPM server listed under the Computers folder in the Add Network Entities window. Select it and click on Add. This will bring the DPM computer into your access rule wizard. Click on Next.

  21. In the Add Rule Destinations window, click on Add. The Add Network Entities window will come up again. In this window, expand the Networks folder, and then select Local Host and click on Add.

  22. Now click on Next.

    Your rule should have both the DPM server and Local Host listed for both incoming and outgoing.

  23. Click on Next, leave the default All Users entry in the This rule applies to requests from the following user sets box, and click on Next again.

  24. Click on Finish.

  25. Right-click on the new rule (DPM2010 in this example), and then click on Move Up.

  26. Right-click on the new rule, and select Properties.

  27. In the rule name properties dialog box (DPM2010 Properties), click on the Protocols tab, then click on Filtering.

  28. Now select Configure RPC Protocol.

  29. In the Configure RPC protocol policy dialog box, check the Enforce strict RPC compliance checkbox, and then click on OK twice.

  30. Click on Apply to update the firewall policy, and then click on OK.

Now you will need to attach the DPM agent for the TMG server. Follow the ensuing steps to complete this task:

  1. Open the DPM Administrator Console.

  2. Click on the Management tab on the navigation bar.

  3. Now click on the Agents tab.

  4. On the Actions pane, click on Install.

  5. Now the Protection Agent Install Wizard window should pop up.

  6. Choose the Attach agents checkbox.

  7. Choose Computer on trusted domain, and click on Next.

  8. Select the TMG server from the list and click on Add and then click on Next .

  9. Enter credentials for the domain account. The account that is used here needs to have administrative rights on the computer you are going to protect. Click on Next to continue.

  10. You will receive a warning that DPM cannot tell if the TMG server is clustered or not. Click on OK for this.

  11. On the next screen click on Attach to continue.

Next you have to install the agent on the TMG firewall and point it to the correct DPM server. Follow the ensuing steps to complete this task:

  1. From the TMG server that you will be protecting, access the DPM server over the network and copy the folder with the agent installed in it down to the local machine. Use this path: \\DPMSERVERNAME\%systemdrive%\program files\Microsoft DPM\DPM\ProtectionAgents\RA\3.0\3.0.7696.0\i386.

  2. Then from the local folder on the protected computer, run dpmra.msi to install the agent.

  3. Open a command prompt (make sure you have elevated privileges), change directory to C:\Program Files\Microsoft Data Protection Manager\DPM\bin, then run the following:

    SetDpmServer.exe -dpmServerName <serverName> -userName <userName>

    The following is an example of the previous command:

    SetDpmServer.exe -dpmServerName buchdpm

  4. Now restart the TMG server.

  5. Once your TMG server comes back, check the Windows services to make sure that the DPMRA service is set to automatic, and then start it.

That is it for configuring DPM to start protecting TMG, but there are a few more things that we still need to cover on this topic.

With TMG backup you can choose to back up certain components of TMG, depending on your recovery needs. With DPM you can back up the TMG hard drive, TMG logs that are stored in SQL, TMG’s system state, or BMR of TMG. Following is the list of components you should back up depending on your circumstances:

What can be included in TMG server backup:

  • TMG configuration settings (exported through TMG)

  • TMG firewall settings (exported through TMG)

  • TMG logfiles (stored in SQL databases)

  • TMG install directory (only needed if you have custom forms for things such as an Outlook Web Access login screen)

  • TMG server system state

  • TMG BMR

None of the previous components are required for protection of TMG. In fact, protecting the SQL logfiles tends to cause more issues than it helps, as they change so often. These SQL log databases change so often that DPM will send an error when the old SQL databases are no longer shown under protection. The logfiles are not required to restore your TMG. For a standard TMG restore, you will need to reinstall TMG, reconfigure NIC settings, import any certificates, and restore TMG configuration and firewall settings. For more information on backing up TMG 2010, visit the following page: http://technet.microsoft.com/en-us/library/cc984454.aspx.

DPM cannot back up the TMG configuration and firewall settings natively. This needs to be scripted and scheduled through Windows Task Scheduler, and then placed on the local hard drive. DPM can back up the .XML settings for TMG export from there. You can find the TMG server’s export script at http://msdn.microsoft.com/en-us/library/ms812627.aspx. Place this script into a .VBS file, and then set up a scheduled task to call this file to run. This automates the export of your TMG server settings.

There is another way to back up the entire TMG server. This is a new type of protection, specific to TMG 2010. This protection is BMR and is available because TMG is now installed on top of Windows Server 2008 and Windows Server 2008 R2. Protecting the BMR of your TMG gives you the ability to restore your entire TMG in the event that it fails, configuration and firewall settings included. BMR will also bring back certificates and NIC card settings.

Note that a BMR of TMG restored on a virtual machine can’t use its NIC card settings. They can only be used on the same hardware.

Well, that covers how to protect TMG with DPM. As you can see, there are some improvements through BMR, and if you do not employ BMR protection you can still automate the process of protecting TMG.

How to protect IIS

Internet Information Services (IIS) is Microsoft’s web server platform. It is included for free with Windows Server operating systems. Its modular nature makes it scalable for different organizations’ web server needs. The latest version is IIS 8. It can be used for more than standard web hosting, for example as an FTP server or for media delivery. Knowing what to protect when it comes to IIS will come in handy in almost any environment you may work in. Backing up IIS is one thing, but you need to ensure that you understand the websites or web applications you are running, so that you know how to back them up too. In this section, we are going to look at the protection of IIS.

To protect IIS, you should back up the following components:

  • IIS configuration files

  • Website or web applications data

  • SSL certificates

  • Registry (only needed if website or web application required modifications of the registry)

  • Metabase

The IIS configuration files are located in the %systemdrive%\windows\system32\inetsrv\config directory (and subdirectories).

The website or web application files are typically found in C:\inetpub\wwwroot. Now this is the default location but the website or web application files can be located anywhere on an IIS server.

To export SSL certificates directly from IIS, follow the ensuing steps:

  1. Open the Microsoft IIS 7 console.

  2. In the left-hand pane, select the server name.

  3. In the center pane click on the server certificates icon.

  4. Right-click on the certificate you wish to export and select Export.

  5. Enter a file path, name the certificate file, and give it a password.

  6. Click on OK and your certificate will be exported as a .pfx file in the path you specified.
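The same export can be scripted so that the .pfx files land in a locked-down folder that DPM protects. This is an added example, not from the original article; it goes beyond the console steps by exporting every certificate with a private key in the machine's Personal store, and it assumes Windows Server 2012 or later (for Export-PfxCertificate) and a placeholder export folder.

```powershell
# Added example, not from the original article. Requires the PKI module
# (Windows Server 2012 or later). The export folder is an assumed placeholder.
param(
    [Parameter(Mandatory = $true)]
    [System.Security.SecureString]$PfxPassword,
    [string]$ExportDir = 'D:\CertExport'
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -Path $ExportDir -PathType Container)) {
    New-Item -ItemType Directory -Path $ExportDir | Out-Null
}

# The .pfx files contain private keys. Remove inherited permissions and grant
# access only to Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18).
& icacls.exe $ExportDir /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "icacls failed on $ExportDir (exit code $LASTEXITCODE)."
}

$results = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    if (-not $cert.HasPrivateKey) { continue }

    $file = Join-Path -Path $ExportDir -ChildPath ("{0}.pfx" -f $cert.Thumbprint)
    try {
        Export-PfxCertificate -Cert $cert -FilePath $file -Password $PfxPassword | Out-Null
        $status = 'Exported'
    }
    catch {
        # Typical cause: the private key was imported as non-exportable.
        $status = "Failed: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Status     = $status
    }
}

$results | Format-Table -AutoSize -Wrap

# A non-zero exit code lets a scheduled task report the failed export.
if (@($results | Where-Object { $_.Status -ne 'Exported' }).Count -gt 0) { exit 1 }
```

Store the .pfx password separately from the backup; anyone holding both the file and the password holds the site's private key.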

Metabase is an internal database that holds IIS configuration data. It is made up of two files: MBSchema.xml and MetaBase.xml. These can be found in %SystemRoot%\system32\inetsrv.

A good thing to know is that if you protect the system state of a server, then IIS configuration will be included in this backup. This does not include the website or web application files, so you will still need to protect these in addition to a system state backup.

That covers the items you will need to protect IIS with DPM backup.

Protecting Lync 2010 with DPM

Lync 2010 is Microsoft’s Unified Communication platform complete with IM, presence, conferencing, enterprise video and voice, and more. Lync was formerly known as Office Communicator. Lync is quickly becoming an integral part of business communications. With Lync being a critical application to organizations, it is important to ensure this platform is backed up.

Lync is a massive product with many moving parts. We are not going to cover all of Lync’s architecture as this would need its own book. We are going to focus on what should be backed up to ensure protection of your Lync deployment. Overall, we want to protect Lync’s settings and configuration data. The majority of this data is stored in the Lync Central Management store. The following are the components that need to be protected in order to back up Lync:

  • Settings and configuration data

    • Topology configuration (Xds.mdf)

    • Location information (Lis.mdf)

    • Response group configuration (RgsConfig.mdf)

  • Data stored in databases

    • User data (Rtc.mdf)

    • Archiving data (LcsLog.mdf)

    • Monitoring data (csCDR.mdf and QoeMetrics.mdf)

  • File stores

    • Lync server file store

    • Archiving file store

    These stores will be file shares on the Lync server, named in the format \\lyncservername\sharename. To track down these file shares if you don’t know where they are, go to the Lync Topology Builder and look in the File stores node.

    Note that the files named Meeting.Active should not be backed up. These files are in use and locked while a meeting takes place.

  • Other components as follows:

    • Active Directory (User SIP data, a pointer to the Central Management store, and objects for Response Group and Conferencing Attendant)

    • Certification authority (CA) and certificates (if you use an internal CA)

    • Microsoft Exchange and Exchange Unified Messaging (UM) if you are using UM with your Exchange

    • Domain Name System (DNS) records and IP addresses

    • IIS on Lync Server

    • DHCP Configuration

    • Group Chat (if used)

    • XMPP gateways if you are using XMPP gateway

    • Public switched telephone network (PSTN) gateway configuration, if your Lync is connected to one

    • Firewall and Load Balancer (if used) configurations

Summary

Now that we have had a chance to look at several Microsoft workloads that are used in organizations today and how to protect them with DPM, you should have a good understanding of what it takes to back them up. These workloads included Lync 2010, IIS, CRM, GP, DFS, and TMG. Note there are many more Microsoft workloads that DPM cannot protect natively, which we were unable to cover in this article.
