Deploy and manage backup to Azure for Data Protection Manager (DPM) servers using PowerShell
This article describes how to use PowerShell to set up Azure Backup on a DPM server, and to manage backup and recovery.
Set up the PowerShell environment
Before you can use PowerShell to manage backups from Data Protection Manager to Azure, you need to have the right environment in PowerShell. At the start of the PowerShell session, ensure that you run the following command to import the right modules and allow you to correctly reference the DPM cmdlets:
& "C:\Program Files\Microsoft System Center 2012 R2\DPM\DPM\bin\DpmCliInitScript.ps1"
Welcome to the DPM Management Shell!
Full list of cmdlets: Get-Command
Only DPM cmdlets: Get-DPMCommand
Get general help: help
Get help for a cmdlet: help <cmdlet-name> or <cmdlet-name> -?
Get definition of a cmdlet: Get-Command <cmdlet-name> -Syntax
Sample DPM scripts: Get-DPMSampleScript
Setup and Registration
Note
We recommend that you use the Azure Az PowerShell module to interact with Azure. To get started, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.
To begin, download the latest Azure PowerShell.
The following setup and registration tasks can be automated with PowerShell:
- Create a Recovery Services vault
- Installing the Azure Backup agent
- Registering with the Azure Backup service
- Networking settings
- Encryption settings
Create a Recovery Services vault
The following steps lead you through creating a Recovery Services vault. A Recovery Services vault is different than a Backup vault.
If you're using Azure Backup for the first time, you must use the Register-AzResourceProvider cmdlet to register the Azure Recovery Service provider with your subscription.
Register-AzResourceProvider -ProviderNamespace "Microsoft.RecoveryServices"
The Recovery Services vault is an ARM resource, so you need to place it within a Resource Group. You can use an existing resource group, or create a new one. When creating a new resource group, specify the name and location for the resource group.
New-AzResourceGroup –Name "test-rg" –Location "West US"
Use the New-AzRecoveryServicesVault cmdlet to create a new vault. Be sure to specify the same location for the vault as was used for the resource group.
New-AzRecoveryServicesVault -Name "testvault" -ResourceGroupName " test-rg" -Location "West US"
Specify the type of storage redundancy to use. You can use Locally Redundant Storage (LRS), Geo-redundant Storage (GRS), or Zone-redundant storage (ZRS). The following example shows the BackupStorageRedundancy option for testVault set to GeoRedundant.
Tip
Many Azure Backup cmdlets require the Recovery Services vault object as an input. For this reason, it's convenient to store the Backup Recovery Services vault object in a variable.
$vault1 = Get-AzRecoveryServicesVault –Name "testVault" Set-AzRecoveryServicesBackupProperties -vault $vault1 -BackupStorageRedundancy GeoRedundant
View the vaults in a subscription
Use Get-AzRecoveryServicesVault to view the list of all vaults in the current subscription. You can use this command to check that a new vault was created, or to see what vaults are available in the subscription.
Run the command, Get-AzRecoveryServicesVault, and all vaults in the subscription are listed.
Get-AzRecoveryServicesVault
Name : Contoso-vault
ID : /subscriptions/1234
Type : Microsoft.RecoveryServices/vaults
Location : WestUS
ResourceGroupName : Contoso-docs-rg
SubscriptionId : 1234-567f-8910-abc
Properties : Microsoft.Azure.Commands.RecoveryServices.ARSVaultProperties
Installing the Azure Backup agent on a DPM Server
Before you install the Azure Backup agent, you need to have the installer downloaded and present on the Windows Server. You can get the latest version of the installer from the Microsoft Download Center or from the Recovery Services vault's Dashboard page. Save the installer to an easily accessible location like C:\Downloads\*
.
To install the agent, run the following command in an elevated PowerShell console on the DPM server:
MARSAgentInstaller.exe /q
This installs the agent with all the default options. The installation takes a few minutes in the background. If you don't specify the /nu option the Windows Update window opens at the end of the installation to check for any updates.
The agent shows up in the list of installed programs. To see the list of installed programs, go to Control Panel > Programs > Programs and Features.
Installation options
To see all the options available via the command line, use the following command:
MARSAgentInstaller.exe /?
The available options include:
Option | Details | Default |
---|---|---|
/q | Quiet installation | - |
/p:"location" | Path to the installation folder for the Azure Backup agent. | C:\Program Files\Microsoft Azure Recovery Services Agent |
/s:"location" | Path to the cache folder for the Azure Backup agent. | C:\Program Files\Microsoft Azure Recovery Services Agent\Scratch |
/m | Opt-in to Microsoft Update | - |
/nu | Do not Check for updates after installation is complete | - |
/d | Uninstalls Microsoft Azure Recovery Services Agent | - |
/ph | Proxy Host Address | - |
/po | Proxy Host Port Number | - |
/pu | Proxy Host UserName | - |
/pw | Proxy Password | - |
Registering DPM to a Recovery Services vault
After you created the Recovery Services vault, download the latest agent and the vault credentials and store it in a convenient location like C:\Downloads.
$credspath = "C:\downloads"
$credsfilename = Get-AzRecoveryServicesVaultSettingsFile -Backup -Vault $vault1 -Path $credspath
$credsfilename
C:\downloads\testvault\_Sun Apr 10 2016.VaultCredentials
On the DPM server, run the Start-OBRegistration cmdlet to register the machine with the vault.
$cred = $credspath + $credsfilename
Start-OBRegistration-VaultCredentials $cred -Confirm:$false
CertThumbprint :7a2ef2caa2e74b6ed1222a5e89288ddad438df2
SubscriptionID : aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e
ServiceResourceName: testvault
Region :West US
Machine registration succeeded.
Initial configuration settings
Once the DPM Server is registered with the Recovery Services vault, it starts with default subscription settings. These subscription settings include Networking, Encryption and the Staging area. To change subscription settings you need to first get a handle on the existing (default) settings using the Get-DPMCloudSubscriptionSetting cmdlet:
$setting = Get-DPMCloudSubscriptionSetting -DPMServerName "TestingServer"
All modifications are made to this local PowerShell object $setting
and then the full object is committed to DPM and Azure Backup to save them using the Set-DPMCloudSubscriptionSetting cmdlet. You need to use the –Commit
flag to ensure that the changes are persisted. The settings won't be applied and used by Azure Backup unless committed.
Set-DPMCloudSubscriptionSetting -DPMServerName "TestingServer" -SubscriptionSetting $setting -Commit
Networking
If the connectivity of the DPM machine to the Azure Backup service on the internet is through a proxy server, then the proxy server settings should be provided for successful backups. This is done by using the -ProxyServer
and -ProxyPort
, -ProxyUsername
and the ProxyPassword
parameters with the Set-DPMCloudSubscriptionSetting cmdlet. In this example, there's no proxy server so we're explicitly clearing any proxy-related information.
Set-DPMCloudSubscriptionSetting -DPMServerName "TestingServer" -SubscriptionSetting $setting -NoProxy
Bandwidth usage can also be controlled with options of -WorkHourBandwidth
and -NonWorkHourBandwidth
for a given set of days of the week. In this example, we aren't setting any throttling.
Set-DPMCloudSubscriptionSetting -DPMServerName "TestingServer" -SubscriptionSetting $setting -NoThrottle
Configure the staging Area
The Azure Backup agent running on the DPM server needs temporary storage for data restored from the cloud (local staging area). Configure the staging area using the Set-DPMCloudSubscriptionSetting cmdlet and the -StagingAreaPath
parameter.
Set-DPMCloudSubscriptionSetting -DPMServerName "TestingServer" -SubscriptionSetting $setting -StagingAreaPath "C:\StagingArea"
In the example above, the staging area will be set to C:\StagingArea in the PowerShell object $setting
. Ensure that the specified folder already exists, or else the final commit of the subscription settings will fail.
Encryption settings
The backup data sent to Azure Backup is encrypted to protect the confidentiality of the data. The encryption passphrase is the "password" to decrypt the data at the time of restore. It's important to keep this information safe and secure once it's set.
In the example below, the first command converts the string passphrase123456789
to a secure string and assigns the secure string to the variable named $Passphrase
. The second command sets the secure string in $Passphrase
as the password for encrypting backups.
$Passphrase = ConvertTo-SecureString -string "passphrase123456789" -AsPlainText -Force
Set-DPMCloudSubscriptionSetting -DPMServerName "TestingServer" -SubscriptionSetting $setting -EncryptionPassphrase $Passphrase
Important
Keep the passphrase information safe and secure once it's set. You won't be able to restore data from Azure without this passphrase.
At this point, you should have made all the required changes to the $setting
object. Remember to commit the changes.
Set-DPMCloudSubscriptionSetting -DPMServerName "TestingServer" -SubscriptionSetting $setting -Commit
Protect data to Azure Backup
In this section, you'll add a production server to DPM and then protect the data to local DPM storage and then to Azure Backup. In the examples, we'll demonstrate how to back up files and folders. The logic can easily be extended to back up any DPM-supported data source. All your DPM backups are governed by a Protection Group (PG) with four parts:
- Group members is a list of all the protectable objects (also known as Datasources in DPM) that you want to protect in the same protection group. For example, you may want to protect production VMs in one protection group and SQL Server databases in another protection group as they may have different backup requirements. Before you can back up any datasource on a production server you need to make sure the DPM Agent is installed on the server and is managed by DPM. Follow the steps for installing the DPM Agent and linking it to the appropriate DPM Server.
- Data protection method specifies the target backup locations - tape, disk, and cloud. In our example, we'll protect data to the local disk and to the cloud.
- A backup schedule that specifies when backups need to be taken and how often the data should be synchronized between the DPM Server and the production server.
- A retention schedule that specifies how long to retain the recovery points in Azure.
Create a protection group
Start by creating a new Protection Group using the New-DPMProtectionGroup cmdlet.
$PG = New-DPMProtectionGroup -DPMServerName " TestingServer " -Name "ProtectGroup01"
The above cmdlet will create a Protection Group named ProtectGroup01. An existing protection group can also be modified later to add backup to the Azure cloud. However, to make any changes to the Protection Group - new or existing - we need to get a handle on a modifiable object using the Get-DPMModifiableProtectionGroup cmdlet.
$MPG = Get-ModifiableProtectionGroup $PG
Add group members to the Protection Group
Each DPM Agent knows the list of datasources on the server that it's installed on. To add a datasource to the Protection Group, the DPM Agent needs to first send a list of the datasources back to the DPM server. One or more datasources are then selected and added to the Protection Group. The PowerShell steps needed to achieve this are:
- Fetch a list of all servers managed by DPM through the DPM Agent.
- Choose a specific server.
- Fetch a list of all datasources on the server.
- Choose one or more datasources and add them to the Protection Group
The list of servers on which the DPM Agent is installed and is being managed by the DPM Server is acquired with the Get-DPMProductionServer cmdlet. In this example, we'll filter and only configure PowerShell with the name productionserver01 for backup.
$server = Get-ProductionServer -DPMServerName "TestingServer" | Where-Object {($_.servername) –contains "productionserver01"}
Now fetch the list of datasources on $server
using the Get-DPMDatasource cmdlet. In this example we're filtering for the volume D:\
that we want to configure for backup. This datasource is then added to the Protection Group using the Add-DPMChildDatasource cmdlet. Remember to use the modifiable protection group object $MPG
to make the additions.
$DS = Get-Datasource -ProductionServer $server -Inquire | Where-Object { $_.Name -contains "D:\" }
Add-DPMChildDatasource -ProtectionGroup $MPG -ChildDatasource $DS
Repeat this step as many times as required, until you've added all the chosen datasources to the protection group. You can also start with just one datasource, and complete the workflow for creating the Protection Group, and at a later point add more datasources to the Protection Group.
Select the data protection method
Once the datasources have been added to the Protection Group, the next step is to specify the protection method using the Set-DPMProtectionType cmdlet. In this example, the Protection Group is set up for local disk and cloud backup. You also need to specify the datasource that you want to protect to cloud using the Add-DPMChildDatasource cmdlet with -Online flag.
Set-DPMProtectionType -ProtectionGroup $MPG -ShortTerm Disk –LongTerm Online
Add-DPMChildDatasource -ProtectionGroup $MPG -ChildDatasource $DS –Online
Set the retention range
Set the retention for the backup points using the Set-DPMPolicyObjective cmdlet. While it might seem odd to set the retention before the backup schedule has been defined, using the Set-DPMPolicyObjective
cmdlet automatically sets a default backup schedule that can then be modified. It's always possible to set the backup schedule first and the retention policy after.
In the example below, the cmdlet sets the retention parameters for disk backups. This will retain backups for 10 days, and sync data every 6 hours between the production server and the DPM server. The SynchronizationFrequencyMinutes
doesn't define how often a backup point is created, but how often data is copied to the DPM server. This setting prevents backups from becoming too large.
Set-DPMPolicyObjective –ProtectionGroup $MPG -RetentionRangeInDays 10 -SynchronizationFrequencyMinutes 360
For backups going to Azure (DPM refers to them as Online backups) the retention ranges can be configured for long term retention using a Grandfather-Father-Son scheme (GFS). That is, you can define a combined retention policy involving daily, weekly, monthly and yearly retention policies. In this example, we create an array representing the complex retention scheme that we want, and then configure the retention range using the Set-DPMPolicyObjective cmdlet.
$RRlist = @()
$RRList += (New-Object -TypeName Microsoft.Internal.EnterpriseStorage.Dls.UI.ObjectModel.OMCommon.RetentionRange -ArgumentList 180, Days)
$RRList += (New-Object -TypeName Microsoft.Internal.EnterpriseStorage.Dls.UI.ObjectModel.OMCommon.RetentionRange -ArgumentList 104, Weeks)
$RRList += (New-Object -TypeName Microsoft.Internal.EnterpriseStorage.Dls.UI.ObjectModel.OMCommon.RetentionRange -ArgumentList 60, Month)
$RRList += (New-Object -TypeName Microsoft.Internal.EnterpriseStorage.Dls.UI.ObjectModel.OMCommon.RetentionRange -ArgumentList 10, Years)
Set-DPMPolicyObjective –ProtectionGroup $MPG -OnlineRetentionRangeList $RRlist
Set the backup schedule
DPM sets a default backup schedule automatically if you specify the protection objective using the Set-DPMPolicyObjective
cmdlet. To change the default schedules, use the Get-DPMPolicySchedule cmdlet followed by the Set-DPMPolicySchedule cmdlet.
$onlineSch = Get-DPMPolicySchedule -ProtectionGroup $mpg -LongTerm Online
Set-DPMPolicySchedule -ProtectionGroup $MPG -Schedule $onlineSch[0] -TimesOfDay 02:00
Set-DPMPolicySchedule -ProtectionGroup $MPG -Schedule $onlineSch[1] -TimesOfDay 02:00 -DaysOfWeek Sa,Su –Interval 1
Set-DPMPolicySchedule -ProtectionGroup $MPG -Schedule $onlineSch[2] -TimesOfDay 02:00 -RelativeIntervals First,Third –DaysOfWeek Sa
Set-DPMPolicySchedule -ProtectionGroup $MPG -Schedule $onlineSch[3] -TimesOfDay 02:00 -DaysOfMonth 2,5,8,9 -Months Jan,Jul
Set-DPMProtectionGroup -ProtectionGroup $MPG
In the example above, $onlineSch
is an array with four elements that contains the existing online protection schedule for the Protection Group in the GFS scheme:
$onlineSch[0]
contains the daily schedule$onlineSch[1]
contains the weekly schedule$onlineSch[2]
contains the monthly schedule$onlineSch[3]
contains the yearly schedule
So if you need to modify the weekly schedule, you need to refer to the $onlineSch[1]
.
Initial backup
When you back up a datasource for the first time, DPM needs creates initial replica that creates a full copy of the datasource to be protected on DPM replica volume. This activity can either be scheduled for a specific time, or can be triggered manually, using the Set-DPMReplicaCreationMethod cmdlet with the parameter -NOW
.
Set-DPMReplicaCreationMethod -ProtectionGroup $MPG -NOW
Change the size of DPM Replica & recovery point volume
You can also change the size of DPM Replica volume and Shadow Copy volume using Set-DPMDatasourceDiskAllocation cmdlet as in the following example: Get-DatasourceDiskAllocation -Datasource $DS Set-DatasourceDiskAllocation -Datasource $DS -ProtectionGroup $MPG -manual -ReplicaArea (2gb) -ShadowCopyArea (2gb)
Commit the changes to the Protection Group
Finally, the changes need to be committed before DPM can take the backup per the new Protection Group configuration. This can be achieved using the Set-DPMProtectionGroup cmdlet.
Set-DPMProtectionGroup -ProtectionGroup $MPG
View the backup points
You can use the Get-DPMRecoveryPoint cmdlet to get a list of all recovery points for a datasource. In this example, we will:
- fetch all the PGs on the DPM server and stored in an array
$PG
- get the datasources corresponding to the
$PG[0]
- get all the recovery points for a datasource.
$PG = Get-DPMProtectionGroup –DPMServerName "TestingServer"
$DS = Get-DPMDatasource -ProtectionGroup $PG[0]
$RecoveryPoints = Get-DPMRecoverypoint -Datasource $DS[0] -Online
Restore data protected on Azure
Restoring data is a combination of a RecoverableItem
object and a RecoveryOption
object. In the previous section, we got a list of the backup points for a datasource.
In the example below, we demonstrate how to restore a Hyper-V virtual machine from Azure Backup by combining backup points with the target for recovery. This example includes:
- Creating a recovery option using the New-DPMRecoveryOption cmdlet.
- Fetching the array of backup points using the
Get-DPMRecoveryPoint
cmdlet. - Choosing a backup point to restore from.
$RecoveryOption = New-DPMRecoveryOption -HyperVDatasource -TargetServer "HVDCenter02" -RecoveryLocation AlternateHyperVServer -RecoveryType Recover -TargetLocation "C:\VMRecovery"
$PG = Get-DPMProtectionGroup –DPMServerName "TestingServer"
$DS = Get-DPMDatasource -ProtectionGroup $PG[0]
$RecoveryPoints = Get-DPMRecoverypoint -Datasource $DS[0] -Online
Restore-DPMRecoverableItem -RecoverableItem $RecoveryPoints[0] -RecoveryOption $RecoveryOption
The commands can easily be extended for any datasource type.
Next steps
- For more information about DPM to Azure Backup see Introduction to DPM Backup