
Azure Backup is an Azure-based service that you can use to back up (or protect) and restore your data in the Microsoft cloud. Azure Backup replaces an existing on-premises or off-site backup solution with a reliable, secure, and cost-effective cloud-based solution. System Center Data Protection Manager (SC DPM) and Microsoft Azure Backup Server (MABS) can be integrated with the Azure Backup service so that your data stays protected in the cloud in the event of a ransomware attack or data corruption.

For more information on Azure Backup, see my recently published Whitepaper here.

When you plan to integrate System Center Data Protection Manager (SC DPM) and Microsoft Azure Backup Server (MABS) with Azure Backup, there are several steps involved, such as:

  1. Start from a healthy DPM environment.
  2. Create a new Recovery Services vault in Azure.
  3. Specify the appropriate storage replication type (Geo-redundant / Locally-redundant).
  4. Download the latest Microsoft Azure Recovery Services (MARS) agent.
  5. Download the Azure Recovery Vault credentials file.
  6. Install the Microsoft Azure Recovery Services (MARS) agent.
  7. Register the DPM server with the Azure Backup service.
  8. Configure the DPM cloud settings (cloud recovery staging area directory, networking, and encryption passphrase key).
  9. Finally, keep the passphrase key secure once it is set, because you cannot recover data from Azure without this passphrase.

So it’s a long and time-consuming process, especially if you have multiple DPM servers that you want to integrate with Azure Backup.

Microsoft has a detailed document on how to back up to Azure with DPM, so if you are interested in a manual approach, check the following guide.

In this blog post, I will share with you how to automate the entire cloud backup integration process with DPM and Azure Backup.

I recently worked on a PowerShell tool to help me automate the cloud integration process with Azure Backup. So instead of repeating the same steps above every time, I developed that tool to automate the whole process. When you run this tool on a DPM server, it installs the necessary PowerShell modules, then downloads the latest Microsoft Azure Recovery Services (MARS) agent and installs it in silent mode if it is not already installed. You will be prompted to authenticate to Azure; the tool then creates a new Recovery Services vault and sets its storage replication type. It then registers the DPM server with Azure Backup for online protection, configures the DPM cloud settings, and finally stores the encryption passphrase key in Azure Key Vault.
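Because the tool downloads the agent installer and runs it silently, an Authenticode check before the install step is worth having. The following is an added example, not part of the original script; the helper name Test-MicrosoftSignedInstaller and the expected publisher string are assumptions.

```powershell
# Added example: validate the downloaded MARS installer before a silent install.
# Test-MicrosoftSignedInstaller is a hypothetical helper, not part of Register-DPMCloud.ps1.
Function Test-MicrosoftSignedInstaller {
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $true)]
        [String]$Path,
        # Assumption: organization string expected in the signer certificate subject
        [String]$ExpectedPublisher = 'O=Microsoft Corporation'
    )

    If (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "Installer not found: $Path"
        return $false
    }

    $Signature = Get-AuthenticodeSignature -LiteralPath $Path

    # 'Valid' means the file hash matches the signature and the chain is trusted.
    # Unsigned, tampered or untrusted files report NotSigned, HashMismatch, NotTrusted, ...
    If ($Signature.Status -ne 'Valid') {
        Write-Warning "Signature status is '$($Signature.Status)': $($Signature.StatusMessage)"
        return $false
    }

    # A valid signature from some other publisher is still not the file we asked for.
    $Subject = $Signature.SignerCertificate.Subject
    If ($Subject -notlike "*$ExpectedPublisher*") {
        Write-Warning "Unexpected signer: $Subject"
        return $false
    }

    Write-Verbose "Signed by: $Subject (thumbprint $($Signature.SignerCertificate.Thumbprint))"
    return $true
}

# Usage in place of an unconditional Start-Process call (path as used by the script):
$Installer = 'C:\Temp\MARSAgentInstaller.exe'
If (Test-MicrosoftSignedInstaller -Path $Installer -Verbose) {
    Start-Process -FilePath $Installer -ArgumentList '/q' -Wait
} Else {
    # Do not leave a rejected binary lying around in the temp directory.
    Remove-Item -LiteralPath $Installer -Force -ErrorAction SilentlyContinue
    Write-Warning 'MARS agent installer failed signature validation; not installing.'
}
```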

To use this tool and watch its magic:

.\Register-DPMCloud.ps1 -AzureSubscription "Subscription ABC" -ResourceGroupName "backup-dpm-rg" -KeyVault "BackupKeyVault" -StagingArea D: -StorageType LRS -Verbose

Open the Azure portal and verify that your DPM server is successfully registered with the Azure Backup service.


Browse to Azure Key Vault and verify that the encryption passphrase key is stored securely. Keep in mind that you can’t recover data from Azure without this passphrase key.


Finally, start the DPM Administrator Console and you are ready to begin protecting workloads with Azure Backup.


The complete script is detailed below to automate the entire cloud service integration process:

<#
.SYNOPSIS
Register DPM in Azure Backup Service.

.DESCRIPTION
Automate Cloud Backup Integration With DPM and Azure Backup.

.NOTES
File Name : Register-DPMCloud.ps1
Author    : Charbel Nemnom
Version   : 1.0
Date      : 03-September-2018
Update    : 13-September-2018
Requires  : PowerShell Version 5.1 or later
Module    : AzureRM Version 6.8.1

.LINK
To provide feedback or for further assistance please visit:
Cover Page

.EXAMPLE
.\Register-DPMCloud.ps1 -AzureSubscription [Azure Subscription Name] -ResourceGroupName [Resource Group Name] -KeyVault [Azure Key Vault Name] -StagingArea [Volume] -StorageType [LRS/GRS] -Verbose
This example will install the required PowerShell modules, then download and install the latest Microsoft Azure Recovery Services (MARS) agent if it's not installed.
You will be prompted to authenticate to Azure, the tool will create a new Recovery Services Vault and set its storage replication type.
Then it will register DPM server with Azure Backup service for online protection, configure DPM cloud settings, and finally store the Encryption Passphrase Key in Azure Key Vault.

.EXAMPLE
.\Register-DPMCloud.ps1 -AzureSubscription "Subscription ABC" -ResourceGroupName "backup-dpm-rg" -KeyVault "BackupKeyVault" -StagingArea D: -StorageType LRS -Verbose
This example will install the required PowerShell modules, then download and install the latest Microsoft Azure Recovery Services (MARS) agent if it's not installed.
You will be prompted to authenticate to Azure, the tool will create a new Recovery Services Vault and set its storage replication type.
Then it will register DPM server with Azure Backup service for online protection, configure DPM cloud settings, and finally store the Encryption Passphrase Key in Azure Key Vault.
#>

[CmdletBinding()]
Param (
    [Parameter(Position=0, Mandatory=$true, HelpMessage='Please Provide Azure Subscription Name')]
    [Alias('AzureSub')]
    [String]$AzureSubscription,

    [Parameter(Position=1, Mandatory=$true, HelpMessage='Please Provide Azure Resource Group Name')]
    [Alias('AzureRG')]
    [String]$ResourceGroupName,

    [Parameter(Position=2, Mandatory=$true, HelpMessage='Please Specify Azure Key Vault Name')]
    [Alias('KeyVault')]
    [String]$BackupKeyVault,

    [Parameter(Position=3, Mandatory=$true, HelpMessage='Please Specify Cloud Recovery Staging Area Volume')]
    [Alias('Volume')]
    [String]$StagingArea,

    [Parameter(Position=4, Mandatory=$true, HelpMessage='Please Specify Storage Replication Type')]
    [ValidateSet("LRS", "GRS")]
    [String]$StorageType
)

Function Install-NuGet {
    Install-PackageProvider NuGet -Force -Confirm:$false -Verbose:$false
}

Function Install-PowerShellGet {
    Set-PSRepository -Name PSGallery -InstallationPolicy Trusted -Verbose:$false
    Install-Module -Name PowerShellGet -Force -Confirm:$false -Verbose:$false
}

Function Install-AzureRM {
    Set-PSRepository -Name PSGallery -InstallationPolicy Trusted -Verbose:$false
    Install-Module -Name AzureRM -Force -Confirm:$false -Verbose:$false
}

# Returns $true when an uninstall registry key matching the program name exists
Function Check_MARS_Installed ( $programName ) {
    $Check = ((Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall") |
        Where-Object {$_.Name -like "*$programName*"}).Length -gt 0
    return $Check
}

#! Check volume drive letter (strip ':' and '\' so that "D:", "D:\" and "D" all work)
Try {
    $Vol = ($StagingArea -replace (":|\\",''))
    $CheckVolume = Get-PSDrive -Name $Vol -ErrorAction Stop
}
Catch {
    Write-Warning -Message "No volume found for drive letter: `"$Vol`", Please specify a correct volume"
    Break
}

#! Check NuGet Provider
Try {
    Import-PackageProvider -Name NuGet -ErrorAction Stop -Verbose:$false | Out-Null
    Write-Verbose "Importing NuGet Provider..."
}
Catch {
    Write-Warning "NuGet Provider was not found..."
    Write-Verbose "Installing NuGet Package Provider..."
    Install-NuGet
}

#! Check PowerShellGet Module
Try {
    Import-Module -Name PowerShellGet -ErrorAction Stop -Verbose:$false | Out-Null
    Write-Verbose "Importing PowerShellGet Module..."
}
Catch {
    Write-Warning "PowerShellGet Module was not found..."
    Write-Verbose "Installing the latest PowerShellGet Module..."
    Install-PowerShellGet
}

#! Check AzureRM PowerShell Module
Try {
    Import-Module -Name AzureRM -ErrorAction Stop -Verbose:$false | Out-Null
    Write-Verbose "Importing Azure RM PowerShell Module..."
}
Catch {
    Write-Warning "Azure Resource Manager PowerShell Module was not found..."
    Write-Verbose "Installing Azure Resource Manager PowerShell Module..."
    Install-AzureRM
}

#! Check Azure Cloud Connection
Try {
    Write-Verbose "Connecting to Azure Cloud..."
    Login-AzureRmAccount -Environment AzureCloud -Subscription $AzureSubscription -ErrorAction Stop | Out-Null
}
Catch {
    Write-Warning "Cannot connect to Azure environment. Please check your credentials. Exiting!"
    Break
}

#! Check C:\Temp directory if exists and create if not
$TempDir = "C:\Temp"
if (!(Get-Item $TempDir -ErrorAction SilentlyContinue)) {
    New-Item -ItemType Directory -Path $TempDir | Out-Null
}

#! Download the latest Microsoft Azure Recovery Services Agent (MARS)
# NOTE: the installer is fetched over plain HTTP and no signature check is performed before it is run
Write-Verbose "Downloading Microsoft Azure Recovery Services Agent..."
$URL = 'http://aka.ms/azurebackup_agent'
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($URL, $($TempDir + "\MARSAgentInstaller.exe"))

# Installing MARS Agent in silent mode if it's not installed
$MARS = Check_MARS_Installed("Windows Azure Backup")
If (!$MARS) {
    Start-Process -FilePath $($TempDir + "\MARSAgentInstaller.exe") -ArgumentList "/q"
}
# Poll the registry every 10 seconds until the agent shows up as installed
While ($MARS -eq $false) {
    Write-Verbose "Installing Microsoft Azure Recovery Services Agent in silent mode..."
    $MARS = Check_MARS_Installed("Windows Azure Backup")
    Sleep 10
}

#! Creating a new Recovery Services Vault and configure its storage type
Write-Verbose "Creating a new Recovery Services Vault named $env:ComputerName"
New-AzureRmRecoveryServicesVault -Name $env:ComputerName -ResourceGroupName $ResourceGroupName `
    -Location (Get-AzureRmResourceGroup -Name $ResourceGroupName).location -Confirm:$false -Verbose:$false | Out-Null
Write-Verbose "Configuring Storage Replication Redundancy to $StorageType..."
# Select the vault by name so that other vaults in the same resource group are not picked up
$RSVault = Get-AzureRmRecoveryServicesVault -ResourceGroupName $ResourceGroupName -Name $env:ComputerName
If ($StorageType -eq "LRS" ) {
    Set-AzureRmRecoveryServicesBackupProperties -Vault $RSVault -BackupStorageRedundancy LocallyRedundant
}

#! Downloading Recovery Vault Credentials file
Write-Verbose "Downloading Azure Recovery Vault Credentials file..."
$RSVaultFile = Get-AzureRmRecoveryServicesVaultSettingsFile -Backup -Vault $RSVault -Path $TempDir

#! Registering DPM with Azure Backup Service
Write-Verbose "Registering DPM with Azure Backup Service..."
Start-DPMCloudRegistration -DPMServerName $env:ComputerName `
    -VaultCredentialsFilePath (Get-ChildItem -Path $TempDir -Filter *.VaultCredentials).FullName

#! Configuring DPM Initial Cloud Settings
Write-Verbose "Cloud Initial configuration settings..."
$Setting = Get-DPMCloudSubscriptionSetting -DPMServerName $env:ComputerName

#! Configure Staging Area
Write-Verbose "Configuring Cloud Recovery Staging Area directory..."
$Destination = "$(($Vol)+":")"+"\StagingArea"
# Create the staging directory when it does not exist yet (the test is on $Destination, not $TempDir)
if (!(Get-Item $Destination -ErrorAction SilentlyContinue)) {
    $Destination = New-Item -Name "StagingArea" -Path $(($Vol)+":\") -ItemType Directory -Force
    Set-DPMCloudSubscriptionSetting -DPMServerName $env:ComputerName -SubscriptionSetting $Setting -StagingAreaPath $Destination.FullName
}
Else {
    Set-DPMCloudSubscriptionSetting -DPMServerName $env:ComputerName -SubscriptionSetting $Setting -StagingAreaPath $Destination
}

#! Configure Proxy Settings
Write-Verbose "Configure DPM cloud networking..."
Set-DPMCloudSubscriptionSetting -DPMServerName $env:ComputerName -SubscriptionSetting $Setting -NoProxy
Set-DPMCloudSubscriptionSetting -DPMServerName $env:ComputerName -SubscriptionSetting $Setting -NoThrottle

#! Configure Encryption Settings
Write-Verbose "Configuring Encryption Passphrase Key..."
$Passphrase = (New-Guid).Guid
$EncryptionPassPhrase = ConvertTo-SecureString -String $Passphrase -AsPlainText -Force
Set-DPMCloudSubscriptionSetting -DPMServerName $env:ComputerName -SubscriptionSetting $Setting -EncryptionPassphrase $EncryptionPassPhrase

#! Commit the changes
Set-DPMCloudSubscriptionSetting -DPMServerName $env:ComputerName -SubscriptionSetting $Setting -Commit

#! Add DPM Backup Encryption Key to Azure Key Vault
Try {
    Write-Verbose "Adding DPM Backup Encryption Key to Azure Key Vault"
    Set-AzureKeyVaultSecret -VaultName $BackupKeyVault -Name $env:ComputerName -SecretValue $EncryptionPassPhrase `
        -ContentType "Passphrase Encryption Key" -ErrorAction Stop | Out-Null
}
Catch {
    Write-Warning "$_ Exiting!"
    Break
}

# Clean-up Temp Environment (removes the installer and the vault credentials file)
Write-Verbose "Clean-up Temp Environment..."
Remove-Item -Path $TempDir -Recurse -Force
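The script derives the passphrase from a GUID, commits it to DPM, and only then writes it to Key Vault, so a failed Key Vault write leaves a committed passphrase that is stored nowhere else. The added example below (not part of the author's tool) draws the passphrase from a cryptographic random number generator and reads it back from Key Vault before committing; the helper names are hypothetical, and it assumes an authenticated AzureRM session on the DPM server.

```powershell
# Added example, not part of Register-DPMCloud.ps1. Helper names are hypothetical.
# Assumes an authenticated AzureRM session and the DPM cmdlets used in the script.

Function New-BackupPassphrase {
    Param ([ValidateRange(16, 64)][Int]$ByteCount = 32)
    $Bytes = New-Object Byte[] $ByteCount
    $Rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    Try { $Rng.GetBytes($Bytes) } Finally { $Rng.Dispose() }
    # 32 random bytes encode to a 44-character Base64 passphrase.
    ConvertTo-SecureString -String ([Convert]::ToBase64String($Bytes)) -AsPlainText -Force
}

Function ConvertTo-PlainText ([SecureString]$Secure) {
    # Used only for the in-memory comparison below; the value is never written out.
    (New-Object System.Net.NetworkCredential('', $Secure)).Password
}

Function Set-DPMPassphraseWithEscrow {
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $true)][String]$VaultName,
        [Parameter(Mandatory = $true)]$SubscriptionSetting,
        [String]$ServerName = $env:ComputerName
    )
    $Passphrase = New-BackupPassphrase

    # 1. Escrow first: a failure here throws before DPM is touched.
    Set-AzureKeyVaultSecret -VaultName $VaultName -Name $ServerName -SecretValue $Passphrase `
        -ContentType 'Passphrase Encryption Key' -ErrorAction Stop | Out-Null

    # 2. Read the secret back and compare it with what was generated.
    $Stored = Get-AzureKeyVaultSecret -VaultName $VaultName -Name $ServerName -ErrorAction Stop
    If ((ConvertTo-PlainText $Stored.SecretValue) -cne (ConvertTo-PlainText $Passphrase)) {
        Throw "Key Vault secret '$ServerName' does not match the generated passphrase."
    }

    # 3. Only now hand the passphrase to DPM and commit the settings.
    Set-DPMCloudSubscriptionSetting -DPMServerName $ServerName -SubscriptionSetting $SubscriptionSetting `
        -EncryptionPassphrase $Passphrase
    Set-DPMCloudSubscriptionSetting -DPMServerName $ServerName -SubscriptionSetting $SubscriptionSetting -Commit
    Write-Verbose "Passphrase escrowed in '$VaultName' and committed to DPM on $ServerName."
}

# Call it where the script configures the encryption settings:
# Set-DPMPassphraseWithEscrow -VaultName $BackupKeyVault -SubscriptionSetting $Setting -Verbose
```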

I will improve this tool in the future. This is still version 1.0. If you have any feedback or changes that everyone should get, leave a comment below.

Until then … Stay protected with DPM and Azure Backup.

Thanks for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
