
Getting the non-administrator client recovery working in DPM 2010

8:47 am in Uncategorized by mikeresseler

As said in a previous post, with the latest QFE, it is now possible to give your end-users the possibility to recover data from the DPM server through the DPM Client UI, without them being local administrator on their machine.

This is a feature that many administrators wanted, and now it is finally there.

So after installing the QFE on my environment, I started to test this out.

Now here is the first catch…

There is a mistake in the documentation of the KB.  It states the following:

The administrator of a client computer has to set the name of non-admin users who have permissions to perform end-user recovery of protected data of a client computer.  To do this, the administrator must add the following registry key and value for each of those non-admin users

Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection and then create a new key called ClientOwner as REG_MULTI_SZ

So first thing is browse to that hive


Second thing was inserting the new registry key


When I couldn’t get it working, I wrote an email to the product team and also dug into the log files.  There it clearly stated that the key needed to be ClientOwners, with an S at the end.

PS: REG_MULTI_SZ = Multi-String Value


I changed that, but it still didn’t work as I expected.  Luckily, the product team replied very fast (thank you Venkat!) and gave me the naming convention to use for placing the non-admin users in that key (which I also had wrong, of course…).

The convention is: DOMAIN\Username



And if you want multiple non-admin users in that registry, then you need to use DOMAIN\Username, DOMAIN\Username2


When that was done, I rebooted the Windows computer, waited until a backup was taken and then it worked.
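The registry change described above, as an added PowerShell example (not from the original post or the KB): it checks each name against the DOMAIN\Username form, warns about a left-over ClientOwner value, and writes ClientOwners as a Multi-String value. The account names are constructed placeholders, and joining several names with ", " in one string copies the post's notation and is an assumption; run it elevated on the client.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the client.
$key      = 'HKLM:\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection'
$name     = 'ClientOwners'                      # with the trailing S, as the agent log showed
$owners   = @('CONTOSO\alice', 'CONTOSO\bob')   # constructed placeholders; use real accounts
$joinWith = ', '                                # separator copied from the post (assumption)

# Every entry listed here gains recovery rights, so reject anything that is
# not DOMAIN\Username before it reaches the registry.
$bad = @($owners | Where-Object { $_ -notmatch '^[^\\,]+\\[^\\,]+$' })
if ($bad.Count -gt 0) { throw "Not in DOMAIN\Username form: $($bad -join '; ')" }

if (-not (Test-Path $key)) { throw "Key not found (is the DPM agent installed?): $key" }
$valueNames = (Get-Item -Path $key).GetValueNames()

# The KB's spelling (no S) did not work in the post; flag it so that a
# left-over value is not mistaken for an effective grant during an audit.
if ($valueNames -contains 'ClientOwner') {
    Write-Warning "Value 'ClientOwner' exists, but the agent expects '$name'. Review and remove it."
}

# Show who is currently listed before overwriting.
if ($valueNames -contains $name) {
    $current = (Get-Item -Path $key).GetValue($name)
    Write-Output "Current ${name}: $($current -join ' | ')"
}

# Write the list as REG_MULTI_SZ (Multi-String Value).
New-ItemProperty -Path $key -Name $name -PropertyType MultiString `
    -Value @($owners -join $joinWith) -Force | Out-Null

# Read back and confirm both the content and the value type.
$item = Get-Item -Path $key
Write-Output "Wrote $name ($($item.GetValueKind($name))): $($item.GetValue($name) -join ' | ')"

# In the post, recovery worked only after a reboot and the next backup.
```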



Next post will go deeper into the Client protection



Update: Thanks to Alex Smits, who saw I had the wrong QFE link…

DPM 2010 launch week @ MMS 2010: Part 3: Protecting Windows Clients

6:37 am in Uncategorized by mikeresseler

Hey All,

Here’s part 3 of our DPM 2010 launch week overview

For the full set:

DPM 2010 launch week @ MMS 2010: Part 1: Technical Introduction

DPM 2010 launch week @ MMS 2010: Part 2: Protection Applications

DPM 2010 launch week @ MMS 2010: Part 3: Protecting Windows Clients

DPM 2010 launch week @ MMS 2010: Part 4: Virtualization and Data Protection, better together

DPM 2010 launch week @ MMS 2010: Part 5: Disaster recovery and advanced scenarios

DPM 2010 launch week @ MMS 2010: Part 6: Partner announcements

A session given by Tim Kremer and in backup, you guessed it, Jason Buffington :-)

This session was all about protecting your clients.  First thing we started with was the reason why we wanted to protect clients.  Many companies or IT pros will react that users should save their valuable data somewhere on the network or take a backup on their own.  While this probably works with one or two percent of the companies, I’m sure it fails with the other 98 percent.  The reason for that is simple.  When people are travelling, they won’t be uploading their data to a network share, and even when they are in the office and need to copy their data on a Friday evening to the server… guess what will happen :-).  If they need to back up their own data, then you will probably have users that have 100 copies of their data on an expensive network share and others who never bother or who back up to the local drive on their laptops.  So if the laptop gets stolen or the disk is dead….


According to some research companies (something like Forrester or Gartner or so, forgot which one) about 60% of the intelligence of a company resides on the local disks of the users.  Now that’s a lot.  So if we want to protect that knowledge, then we need to find a good way to do that without too much trouble and without disturbing the users or letting them do it themselves.  It just won’t happen.  Period.  (This process of letting the end users do the backup themselves is often called the “tax” for the end users)


When designing the solution, the architects @ Microsoft had the following challenges:

  • Mobile workforce
  • Different users with different needs
  • Large scale (many many desktops / laptops)

So they created the following goals:

  • Remove the end user tax
  • Support roaming user backups
  • Allow customizability for specific users
  • Enforce admin defined restrictions
  • Keep IT costs low

How did they solve those requirements?

With the same agent as the one for the servers you can start protecting your clients.  By using your favorite deployment method (SCE, SCCM, AD, MDT…) you can get the agents out there.  Remember, you don’t pay licenses for an agent if you don’t use it.  So deploying it over your entire network is not going to give you a licensing issue.  You start paying the moment you start to protect it.  Period.

Second is that an IT Pro can create different policies.  Let’s say that we want a client to protect its My Documents folder, a specific company directory and maybe some more folders that can be important for the user, such as Favorites.  But of course, we don’t want the My Pictures or My Music folder to be protected.  The company is not interested in getting all the vacation pictures or the mp3 library of their employees.  (Ok, the IT Pros might be interested in the mp3 collection :-)).  By defining a policy and including / excluding folders you can achieve this.  And it gets even better: you don’t need to know the exact location of the My Documents folder.  DPM will use the path variable to define where it is.  And last but not least, you can actually deny certain extensions.  No .mp3 files is a good example for this.  Whether we like it or not, end-users are mostly smart enough to see that certain folders are excluded and will move their “valuable data” to a folder that is protected.


Now what if users want to be able to protect some specific folders?  Folders that are not default in the company but still contain valuable information.  By giving the end-users (or some of them) the rights, they can choose certain folders to be protected themselves.


Now what about users on the road?  How is this going to work?  Here’s the answer.

1. They support backup over VPN and DirectAccess.  So whenever a client is connected to the main office over VPN or DirectAccess it has the possibility of synchronizing with the office.  Remember the block-level copy from part 2!  So the data that is sent over is really not that much.

2. DPM provides you with two mechanisms.  While performing a backup, it will send the data to the DPM server if it is reachable.  At the same time, it will keep a local copy on the laptop.  So users will be able to restore from their local cache if necessary.  Will this protect you from hardware failure or from a stolen laptop?  No, it won’t, but users will be able to go to a previous version of a document when it is necessary even if they are working on the road.

3. What about notifications?  Everybody who has ever worked with DPM 2007, or with any backup solution for that matter, will know that the system will start complaining whenever it can’t reach its clients.  DPM will do that also, but they built in a system where you can specify how long it takes before it starts to complain.  Consider the fact that many people take 14 days vacation.  Add the weekends to that and you get 18 days.  So only after 18 days do you let the DPM server complain that it is missing a connection to a client.  This way you will avoid a lot of false alarms, and only those that take more than 2 weeks vacation or those that are travelling longer will go into alert.

What about the costs?  You can imagine that all the users’ data will take a lot of disk space.  First, you know that you can use low-cost storage to do this, and second, because the system is working pretty well, you don’t need much human effort.  Compare it with letting the users back up their own data to a network share.  This is mostly high-end storage which costs a lot, is never cleaned by the users, and will probably have many files standing there 50 times.  DPM does not need this because it only contains the changes.  Second, think about the value of the data.  Ask the business what it costs when a road warrior loses a laptop and the data that it contains.  You can do the math quickly.


So how does the end-user see this?

Below are a few screenshots of the end-user experience


End-user recovery


Agent in the notification area


Agent UI


Want more?  How about this…

A user loses his or her laptop.  Or the machine just died.  You have a backup of yesterday on your DPM server.  The deployment team quickly prepares a new laptop with their favorite OSD tool.  Agent is installed or sysprepped on it.  You jump behind the DPM console and do a restore to another location.  User gets the data back :-)

Even more?

The DPM agent allows the end-user to synchronize now.  So suppose they made some important changes to a document they can synchronize it whenever they want to the DPM server if they have connection or to the local cache if they are not connected.  So if the end-user really did some important work, then he or she can create a “backup” of their own before flying out or going on a vacation.  With one simple click, the system will do the work.


Until next time, for part 4



Client-protection: create a protection group and initial synchronization

3:17 pm in Uncategorized by mikeresseler

Hey All,

In the last post, I remotely installed a client agent on a workstation in another domain and over VPN.  Now it is time to create a protection group with a policy and do the first synchronization.  Again I want to see how it will react when I do this while the workstation is under a heavy load.  I figured that I might need to do this when a user is working at home or in a hotel, and so I need to know if the synchronization will work.

During the first synchronization, I worked on the laptop and I was doing the following tasks:

* VPN open

* Outlook open

* MSN and Office Messenger Open

* Tweetdeck open

* Listening to an internet radio

* Downloading large files from the Microsoft Connect site

* Many programs open and about 30 internet pages open

But first things first, let’s create a protection group



On the second screen, I chose Clients instead of Servers


On the next screen, I can select my clients.  The good part here is that if you select clients that don’t have an agent yet, you can install them now, and those who have an agent but aren’t connected yet to the DPM server will be attached.  In my case, the client already has an agent and is attached, so I just select my client.  Because I installed the agent, it is now visible in the list, although it is in another domain.


Here it becomes very interesting. I can start on this screen by creating inclusions and exclusions for my clients.


Here you can see that I have included My Documents but excluded music and temporary internet files

You can add your own directories to it but you already receive a nice list of possibilities


Also, on that screen is an option where you can allow your users to add directories themselves that need to be protected.  But if you have excluded a folder and they still want to protect it, they will get a notification that it is not possible (see later in this post)


And you also have the possibility to exclude certain file types



I have to choose short-term protection since I don’t have a tape drive in my test environment


Now this will be one where there will be a lot of discussion.  How many times a day do you want to synchronize, what will be the retention range, how long before a disconnected client needs to start alerting?

For the tests I kept it at a minimum, but these settings will need to be thought through very carefully in a real-life situation.


This is the alerting option, as said, it will need some serious thinking what the setting will be here.  Is 14 days (the default) enough?  When you are away for 2 weeks on holiday, then the 14 days is not enough because you are then away from the office for about 18 days (first and last weekend included), so every company will need to think this through.


Now I need to choose my storage.  For this test I will not co-locate my data because I don’t have enough disk space for this in my test environment.  What I have read about it is that you choose co-location from the moment you have 10 clients.  If you are below that, you had better split up so that you don’t lose too much storage.

I also left the “Automatically grow the volume” option on.  This is a very handy new feature, and many DPM administrators that are now using DPM 2007 will be very happy with it.  Of course this is a risk, as your volumes can keep growing until you are out of disk space, but a good backup admin (I actually prefer Protection and DR admin for this product :-) will check the reports on a regular basis, so that should not cause any problems.


The summary, which includes the link to Optimize Performance, which I will probably be discussing later on


And finally the success.


So I finally started the synchronization and waited, waited, waited for a very long time.

Some other screenshots:


Trying to add the music folder to the protected items


DPM Synchronizing

Final Conclusion and lessons learnt

The process seems to be working great.  Although I took it through a heavy test-drive everything worked flawlessly.

The only minor point was the initial synchronization.  It took about half an hour to synchronize 170 MB.  But then again, I was pushing the limits.  But I needed to know how DPM would react because you might need to do this once, and 170 MB of changes will occur on a client workstation.



Getting the Client-protection working

8:43 am in Uncategorized by mikeresseler

Hey All,

One of the exciting features of DPM 2010 is the improved client protection of workstations.  In this post, I’ll give some more information about it.  To make it a bit tricky, I decided to try to install the agent on a workstation (Windows 7, 32-bit) that resides

a. In a different domain (but a fully trusted domain)

b. Is not in the office but connected through a VPN, sitting at home

Since I assume that client protection will be getting more and more attention from companies, I decided to test it out thoroughly.  Both for the installation and the first synchronization I decided not to follow the guidelines but really try to do the worst scenario.


1. The installation

Installing the client is the same as installing a server.  Manuals from the beta (before the RC) mentioned that I should install it manually (or through solutions such as SCCM or SCE) but I thought that it also would be possible to do this through the UI.


I start by taking the “install agent” option since I hadn’t installed it yet.  Note also the “attach agents” option, which can be used when an agent is installed manually.


Now I need to select the workstation.  It will only list the workstations and servers from the domain that the DPM server resides in, so to connect to my workstation in another domain, I had to type the FQDN in the box


Here I can enter the credentials for a user that has administrative rights on the workstation in that domain


I decided here not to restart the workstation automatically, instead, I wanted to test if it really is necessary to restart which could be a killer in very large environments.


Finally, the summary and ready to install.  Now one little note drew my attention: The computer may momentarily lose network connectivity during installation.

Since the workstation is on a client vpn, this could be tricky :-)

Also, before you can actually do this, you need to make sure that your firewall is configured correctly.  I failed the first time because my firewall was wrongly configured.


And then the screen of success came.  Now I didn’t see the client lose network connectivity, and if it did, then it had to be very short because my VPN tunnel didn’t drop so that seems to be working.

Now let’s look a bit at the changes on the client.

First, I found two new services


Second, here’s how the Client UI looks:


This client already has a policy, but how that works I will explain in next post.

Lessons learnt:

* It is possible to install the agent on a workstation through the GUI from DPM itself.

* You can do it over a VPN connection

* Windows 7 doesn’t need to reboot afterwards

* The DPM client UI will show a small icon in the notification area after the reboot, but you can start it by manually starting the DPM UI without rebooting

* In Windows 7, when you want to see this icon, you need to change the notification settings


And this is the icon, and more information when you right-click on it



Last picture is from a client that is disconnected from the server

All right, next post: Create a protection group and do the first synchronization, over the VPN of course :-)