Microsoft



System Center Data Protection Manager 2012 R2

How to use Certificates to Authenticate Computers in Workgroups or Untrusted Domains with Data Protection Manager

Microsoft Corporation
Published: January 2017

This document is provided "as-is". Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it.

Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. You may modify this document for your internal, reference purposes.

© 2012 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Hyper-V, SQL Server, Windows, Windows PowerShell, Windows Server, and Windows Vista are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Contents

1 Overview
2 Purpose
3 Scenario/Assumptions
4 Set up Protection with Certificate-Based Authentication
4.1 Create the DPM Certificate Template
4.1.1 General
4.1.2 Adding HTTP CRL Distribution Point
4.2 Create the DPM Certificate Template
4.3 Configure the Certificate on the DPM Server
4.4 Install the DPM Protection Agents on the Protected Systems
4.5 Set Hyper-V Cluster Node Permission
4.6 Configure the Certificate on the Protected Computer
4.7 Attach the Computer
4.8 Test Backing Up the VMs

1 Overview

How to use certificates to authenticate computers in workgroups or untrusted domains with Data Protection Manager.

System Center Data Protection Manager 2012 R2 supports protection of computers in workgroups and untrusted domains using local accounts and NTLM; however, in scenarios where an organization does not allow the creation of local accounts, this solution does not work.

System Center 2012 R2 Data Protection Manager (DPM) now allows you to use certificates to authenticate computers in workgroups or untrusted domains. DPM supports the following data sources for certificate-based authentication when they are not in trusted domains:

- SQL Server
- File server
- Hyper-V

DPM also supports these data sources in clustered deployments.

The following data sources are not supported:

- Exchange Server
- Client computers
- SharePoint Server
- Bare Metal Recovery
- System State
- End user recovery of file and SQL
- Protection between a Primary DPM server and a Secondary DPM server using certificates. The Primary DPM server and Secondary DPM server need to be in the same domain or in mutually trusted domains; certificate-based authentication between a Primary and a Secondary DPM server is not supported.

2 Purpose

The purpose of this article is to provide step-by-step procedures for setting up System Center 2012 R2 Data Protection Manager to protect VMs running on a Windows Server 2012 R2 host in a workgroup, or VMs running in a Windows Server 2012 R2 Hyper-V cluster in an untrusted forest, using certificate authentication.

3 Scenario/Assumptions

In the scenario below, we are operating under the following assumptions:

- There are at least two Windows Server 2012 R2 forests (TRUSTED and UNTRUSTED), or one Windows Server 2012 R2 forest and one Windows Server 2012 R2 server running in a workgroup.
- There is no trust relationship between the two forests.
- There is network connectivity between the two forests, or between the workgroup and the forest.
- DPM is installed, healthy and functioning in the TRUSTED forest.
- There is an enterprise Certificate Authority in the TRUSTED forest.
- The existing Certificate Authority (CA) and Certificate Revocation List (CRL) are online.
- VMs are hosted on a Microsoft Hyper-V hypervisor.
- In the case of a Hyper-V cluster, VMs are stored on a CSV volume/folder.
- All required firewall ports are open between the two forests.

Names in Scenarios:

Forests
- Trusted forest: TRUSTED (domain DNS name: TRUSTED.LOCAL)
- Untrusted forest: UNTRUSTED (domain DNS name: UNTRUSTED.LOCAL)

Servers
- DPM server in TRUSTED forest: SRV-DPM-01
- Hyper-V nodes in UNTRUSTED forest: SRV-HYPER-01 / SRV-HYPER-02

Certification Server
- Enterprise Certificate Server: SRV-CA-01

4 Set up Protection with Certificate-Based Authentication

Overall Steps:

1. Create the DPM Certificate Template.
2. Configure the certificate on the DPM Server.
3. Install the DPM Agents on the Protected Systems.
4. Set Hyper-V Node Permission (if using a Hyper-V cluster).
5. Configure the Certificate on the Protected Computer.
6. Attach the Computer.
7. Test Backing Up the VMs.

4.1 Create the DPM Certificate Template

4.1.1 General

You can deploy DPM to protect computers in workgroups and untrusted domains. You can handle authentication using NTLM or certificates.
This topic describes how to set up protection with certificate authentication.

General: the certificate you use for authentication must comply with the following:

- X.509 V3 certificate.
- Enhanced Key Usage (EKU) should have client authentication and server authentication.
- Key length should be at least 1024 bits.
- Key type should be exchange.
- The subject name of the certificate and of the root certificate should not be empty.
- The revocation servers of the associated Certificate Authorities are online and accessible by both the protected server and the DPM server.
- The certificate should have an associated private key.
- DPM doesn't support certificates with CNG keys.
- DPM does not support self-signed certificates.
- Each computer you want to protect (including virtual machines) must have its own certificate.

4.1.2 Adding HTTP CRL Distribution Point

On the CA, make sure the following is set:

1. Connect to the Enterprise CA in the TRUSTED forest with the appropriate credentials and open the Certification Authority console.
2. Right-click the CA name and select Properties.
3. On the Extensions tab, select the HTTP CRL distribution point entry (under the CRL Distribution Point (CDP) extension) and, in the lower box, check the following:
   - Include in CRLs. Clients use this to find Delta CRL locations.
   - Include in the CDP extension of issued certificates.
4. Click Apply.
5. On the dialog box, restart the CA service.
6. Click OK.

When a certificate is added to a system and you launch Certlm, navigate to Personal-Certificates. After adding the new certificate, edit its properties, click CRL Distribution Points, scroll to the bottom and you should see:

URL=http://<NAME.FQDN>/Certenroll/<CA_DomainName>.CRL

Finish.

4.2 Create the DPM Certificate Template

Complete the following steps on the Enterprise CA in the TRUSTED forest.
The server should have Active Directory Certificate Services installed and configured as your Enterprise CA.

1. Connect to the Enterprise CA with the appropriate credentials and open the Certification Authority console.
2. Expand the certification authority so that you can see Certificate Templates.
3. Right-click Certificate Templates and then click Manage. Note: if you don't see these options, run certtmpl.msc to open the Certificate Templates console.
4. In the details pane of the Certificate Templates console, right-click the RAS and IAS Server template and then click Duplicate Template.
5. On the Compatibility tab, select:
   Certificate Authority: Windows Server 2003
   In the Resulting Changes box, click OK.
   Note: the certificate authority has to be set to Windows Server 2003 for the template to show up in the Advanced Certificate Request page under Certificate Template on the Web Enrollment pages. If you set it to 2012 or 2012 R2, it won't show up on the protected computer.
   Certificate Recipient: Windows 8.1/Windows Server 2012 R2
   In the Resulting Changes box, click OK.
6. On the General tab, under Template display name, type:
   DPM AUTH
   Note: this name should NOT include spaces. Although the Template Name is what is actually used when referencing the template, it is a best practice to set the Template Display Name to be the same.
   Choose a name that you want to use for the template (for example, SSL Certificates). Again, ensure it has no spaces in the name.
   Template Name: DPMAuth
   Validity Period: 5 Years
   Renewal Period: 6 Weeks
   Select Publish certificate in Active Directory.
7. On the Request Handling tab, select:
   Allow private key to be exported.
8. On the Cryptography tab, type/select:
   Minimum key size: 2048
   Requests must use one of the following providers:
   Providers: Microsoft RSA SChannel Cryptographic Provider
9. On the Subject Name tab, select:
   Supply in the request.
   Note: the Subject Name has to be set to Supply in the request for the template to show up in the Advanced Certificate Request page under Certificate Template on the Web Enrollment pages on a system in an untrusted forest/workgroup. If it is set to Build from this Active Directory information, it won't show up.
   Select: Use subject information from existing certificates for autoenrollment renewal requests.
10. On the Security tab, you must ensure the computer account has the ability to enroll for the template. Grant Authenticated Users at least the Enroll permission.
11. Click OK. Close the Certificate Templates console and return to the Certification Authority console.
12. In the Certification Authority window, right-click Certificate Templates in the left navigation pane and then select New - Certificate Template to Issue.
13. In the Enable Certificate Templates window, select:
    DPM AUTH
14. Click the OK button.

4.3 Configure the Certificate on the DPM Server

In this scenario, the DPM server is in the TRUSTED forest.

You must generate a certificate from a CA for the DPM server, via web enrollment or some other method. If you use web enrollment, select Advanced certificate request, then Create and submit a request to this CA. Make sure the key size is 1024 or higher, and that Mark key as exportable is selected.
Note: this option allows you to select the desired Certificate Template (DPM AUTH) that was published earlier.

In this document, we will use the CERTLM program to install the certificate on the DPM server in the TRUSTED forest. In the steps below, you will request and enroll the new DPM server certificate on the DPM server.

1. On the DPM server (SRV-DPM-01), open a command prompt, type CERTLM and press ENTER. In Select Computer, Local computer is selected by default; click Finish and then click OK.
2. Expand Certificates - Local Computer and then right-click Personal. Click All Tasks, and then click Request New Certificate.
3. On the Before You Begin page, click Next.
4. On the Select Certificate Enrollment Policy page, ensure that Active Directory Enrollment Policy is selected and then click Next.
5. On the Certificate Enrollment page, select the new template:
   DPM AUTH
6. Select More information… and click Click here to configure settings.
   Subject Name: Common Name
   Value: SRV-DPM-01.TRUSTED.LOCAL
   Click Add.
   Alternative name:
   Type: DNS
   Value: SRV-DPM-01.TRUSTED.LOCAL
   Click Add, then Apply, then OK.
7. Click the General tab and type the following:
   Friendly Name: SRV-DPM-01-CERT
   Click OK.
8. Click Enroll, then click Finish.

The new certificate should now show under Personal-Certificates.

Obtain the thumbprint for the certificate: in the Certificates store, double-click the certificate, select the Details tab and scroll down to Thumbprint. Click it, highlight and copy the value. Paste the thumbprint into Notepad and remove any spaces.

On the DPM server, create the following folder:
C:\DPMCERT

Create a text/batch file with the following in it:

Set-DPMCredentials -DPMServerName SRV-DPM-01 -Type certificate -Action configure -OutputFilePath C:\DPMCERT -Thumbprint <D9DKEE9E8KE8KDUUK>

Syntax:

Set-DPMCredentials [-DPMServerName <String>] [-Type <AuthenticationType>] [-Action <Action>] [-OutputFilePath <String>] [-Thumbprint <String>] [-AuthCAThumbprint <String>]

-Type: indicates the type of authentication. Value: certificate.
-Action: specify whether you want to perform the command for the first time, or regenerate the credentials. Possible values: configure or regenerate.
-OutputFilePath: location of the output file used by SetDpmServer on the protected computer.
-Thumbprint: the thumbprint copied into the Notepad file.
-AuthCAThumbprint: thumbprint of the CA in the trust chain of the certificate. Optional. If not specified, the root will be used.

Open an administrative PowerShell window and change directory to:
C:\Program Files\Microsoft Data Protection Manager\DPM\bin

Run the command or batch file created above:

Set-DPMCredentials -DPMServerName SRV-DPM-01 -Type certificate -Action configure -OutputFilePath C:\DPMCERT -Thumbprint <D9DKEE9E8KE8KDUUK>

Note: this generates a metadata file (.bin) that is required at the time of each agent install in the untrusted domain. Make sure that the C:\Temp or C:\DPMCERT folder exists before you run the command. If the file is lost or deleted, you can recreate it by running the script with the -Action regenerate option.

Copy the xxx.BIN file to the following folder on the target/protected computers (SRV-HYPER-01/SRV-HYPER-02):
C:\DPMCERT\xxx.bin

Note: this is a temporary location because the DPM agent is not installed yet, and therefore the C:\Program Files\Microsoft Data Protection Manager\DPM\bin folder does not exist yet.

Note: the .BIN file retrieved from the DPM server will later be copied to the C:\Program Files\Microsoft Data Protection Manager\DPM\bin folder on the computer you want to protect in the untrusted forest. You don't have to do this, but if you don't, you'll need to specify the full path of the file for the -DPMCredential parameter when you …

Note: this xxx.bin file will be used later.

Finish.

4.4 Install the DPM Protection Agents on the Protected Systems

In this step, we will install the DPM agents on the protected systems. If protecting a VM on a standalone Hyper-V host, install the agent on the Hyper-V host.
If protecting VMs in a Hyper-V cluster in the UNTRUSTED forest, install the agent on each of the nodes in the cluster.

You can install protection agents manually, and in some circumstances you must install the protection agent manually, for example when the computer that you want to protect is behind a firewall, in a workgroup, or in a domain that does not have a two-way trust relationship with the domain that the DPM server is located in.

You can manually install an agent on the targeted computers first and then attach the computers in DPM Administrator Console, or you can attach the targeted computers in DPM Administrator Console first and then install protection agents on the targeted computers. If you attach a computer before you install an agent, the agent status for the computer on the Agents tab of the Management task area of DPM Administrator Console displays an error until you have installed the agent and then refreshed the computer in DPM Administrator Console.

You can also use this procedure if you are installing the agent directly from the product DVD.

NOTE: in this scenario, we will install the protection agent now and attach it to the DPM server using a PowerShell script later.

NOTE: in the example below we are using DPM 2012 R2 UR10. The version numbers will be different for other versions of DPM.

Use the following procedure to install the protection agent in the untrusted forest:

1. From the DPM server in the TRUSTED forest, copy the DPM 2012 R2 agent files to the target system's C:\DPMAgent folder.

   Note: the agent files can be found on the DPM server at the following locations.
   For x64:
   D:\DPM2012\Microsoft System Center 2012\DPM\DPM\ProtectionAgents\RA\4.2.1205.0\amd64
   D:\DPM2012\Microsoft System Center 2012\DPM\DPM\Agents\RA\4.2.1473.0\amd64
   For x86:
   D:\DPM2012\Microsoft System Center 2012\DPM\DPM\ProtectionAgents\RA\4.2.1205.0\i386
   D:\DPM2012\Microsoft System Center 2012\DPM\DPM\Agents\RA\4.2.1473.0\i386

   Note: to update the DPM agent to 4.2.1473.0 manually, you need to first install the base DPM agent (4.2.1205.0) from the C:\Program Files\Microsoft System Center 2012\DPM\DPM\ProtectionAgents\RA\4.2.1205.0 folder, then apply the update rollup from the C:\Program Files\Microsoft System Center 2012\DPM\DPM\Agents\RA\4.2.1473.0 folder.

2. Install the DPM base agent. To install the protection agent on the targeted computer, open an elevated Command Prompt window and navigate to:
   C:\DPMAgent\ProtectionAgents\RA\4.2.1205.0
   Run one of the following commands:
   DPMAgentInstaller_x64.exe
   or
   DPMAgentInstaller_x86.exe
   On the License Terms page, agree and click OK. The DPM agent is now installed. In the command prompt, press Enter to close the command window.

3. Update the agent to 4.2.1473.0. Navigate to:
   C:\DPMAgent\Agents\RA\4.2.1473.0
   Run the following command:
   DPMAgentInstaller_KB3143871_AMD64.exe
   On the License Terms page, agree and click OK.

Finish.

4.5 Set Hyper-V Cluster Node Permission

In this step, we will grant the Hyper-V cluster node computer accounts the required permissions in the Hyper-V host cluster in the UNTRUSTED forest.
NOTE: this step is only required if you're protecting VMs in a Hyper-V cluster in an untrusted forest.

In order to back up VMs in a cluster (on a CSV folder) in an untrusted forest, you must grant each node administrative privilege on all other nodes: add the machine accounts of all the nodes of the cluster to the local Administrators group on every node of the cluster.

In a two-node Hyper-V cluster with SRV-HYPER-01 and SRV-HYPER-02, you would do the following:

1. Log in to a Hyper-V node (SRV-HYPER-01) in the cluster in the untrusted forest.
2. Add the following computer account to the local Administrators group:
   SRV-HYPER-02$
3. Save the settings.
   Note: I didn't have to reboot the nodes for the change to take effect.
4. Repeat the steps above on SRV-HYPER-02 and add:
   SRV-HYPER-01$

Finish.

Additional Notes:

Note: if you do not perform the steps above, backups of VMs in the cluster will fail. The Consistency Check on the DPM server will fail and you will receive the following error in the DPM job log:

An unexpected error occurred while the job was running. (ID 104 Details: Access is denied (0x80070005))

4.6 Configure the Certificate on the Protected Computer

If you have not already, retrieve the .BIN file generated on the DPM server earlier and copy it to the following location on the computer you want to protect:
C:\DPMCERT

Copy the C:\DPMCERT\CertificateConfiguration_SRV-DPM-01.TRUSTED.local.BIN file to the following location on the protected server:
C:\Program Files\Microsoft Data Protection Manager\DPM\bin

Note: you don't have to do this, but if you don't, you'll need to specify the full path of the file for the -DPMCredential parameter when you …

Generate a certificate from a CA for the protected computer via web enrollment:

1. From the protected computer, launch the browser.
   Note: if this is a server, ensure that Internet Explorer Enhanced Security Configuration is turned off.
2. Connect to the CA web enrollment site, click "Request a Certificate" and click Next.
3. Click Advanced certificate request.
4. Click Create and submit a request to this CA.
5. On the Web Access Confirmation box, click Yes.
6. On the Advanced Certificate Request page, select:
   Certificate Template: DPM AUTH
   Name: SRV-HYPER-01.UNTRUSTED.LOCAL
   Create new key set
   Key Usage: Exchange (Note: this is not configurable.)
   Key Size: 2048
   Select: Mark key as exportable
   Friendly Name: SRV-HYPER-01-DPM
7. Click Submit.
8. On the Web Access Confirmation box, click Yes.
9. Click "Install this Certificate" and the certificate will be installed. You will now see a message stating "Your new certificate has been successfully installed".
10. Close the browser window and open a new browser window.

Once done, we need to open an MMC and add the Certificates snap-in for both the current user and the local computer.
Remember that by default the certificate will be installed into the current user store.

Export the certificate for the Computer Store

1. Launch MMC and add the Certificates snap-in. Make sure it is Certificates - Current User.
2. Right-click the certificate (SRV-HYPER-01-DPM) and select All Tasks-Export.
3. On the Welcome page, click Next.
4. On the Export Private Key page, select:
   Yes, export the private key.
   Click Next.
5. On the Export File Format page, select:
   Personal Information Exchange - PKCS #12 (.PFX)
   Include all certificates in the certification path if possible.
   Export all extended properties.
   Click Next.
6. On the Security page, set a password for the file:
   <xxxxx>
   Click Next.
7. On the File to Export page, type the path to the file:
   C:\DPMCERT\SRV-HYPER-01.pfx
   Click Save, then click Next.
8. On the Completing the Certificate Export Wizard page, click Finish.

Import the PFX file and install the certificate into the Computer Store

1. On the protected system in the untrusted forest/workgroup, open an administrative command prompt and type:
   CERTLM
2. Navigate to Certificates - Local Computer-Personal.
3. Right-click Certificates and select All Tasks-Import.
4. On the Welcome page, click Next.
5. On the File to Import page, browse to the certificate:
   C:\DPMCERT\SRV-HYPER-01.pfx
   Click Open. Back on the File to Import page, click Next.
6. On the Private Key Protection page, type the password.
   Select: Mark this key as exportable….
   Select: Include all extended properties.
   Click Next.
7. On the Certificate Store page, keep the default (Automatically select the certificate store based on the type of certificate) and click Next.
8. On the Completing the Certificate Import Wizard page, click Finish.

Obtain the thumbprint for the certificate: in the Certificates store, double-click the certificate, select the Details tab and scroll down to Thumbprint. Click it, highlight and copy the value. Paste the thumbprint into Notepad and remove any spaces.

To configure the security accounts, permissions, and firewall exceptions necessary for the agent to communicate with a DPM server, navigate to the C:\Program Files\Microsoft Data Protection Manager\DPM\bin folder and run SetDpmServer.exe as follows:

SetDpmServer.exe -DPMCredentials CertificateConfiguration_SRV-DPM-01.TRUSTED.local.bin -OutputFilePath C:\DPMCERT -Thumbprint <D9DKEE9E8KE8KDUUK…>

where -Thumbprint is the thumbprint obtained above.

Note: if using a batch file, copy the batch file to the following location and run it from there:
C:\Program Files\Microsoft Data Protection Manager\DPM\bin

Copy the C:\DPMCERT\CertificateConfiguration_SRV-HYPER-01.UNTRUSTED.local.BIN file to the following location on the DPM server:
C:\Windows\System32

We suggest you copy it to the default location in which the Attach process will check for the file (Windows\System32) so you can just specify the filename instead of the full path when you run the Attach command.

Finish.

4.7 Attach the Computer

We will now attach the protected computer in the workgroup or untrusted forest to the DPM server using the Attach-ProductionServerWithCertificate.ps1 PowerShell script.

1. On the DPM server, open a PowerShell command prompt with administrative permission.
2. Navigate to C:\Program Files\Microsoft Data Protection Manager\DPM\bin. Here you will find the Attach-ProductionServerWithCertificate.ps1 file.
3. Run the following:

Attach-ProductionServerWithCertificate.ps1 [-DPMServerName <String>] [-PSCredential <String>] [<CommonParameters>]

Example:

Attach-ProductionServerWithCertificate.ps1 -DPMServerName SRV-DPM-01 -PSCredential CertificateConfiguration_SRV-HYPER-01.UNTRUSTED.local.bin

Note:
-DPMServerName: name of the DPM server.
-PSCredential: name of the .bin file. If you placed it in the Windows\System32 folder you can specify the file name only. Be careful to specify the .bin file created on the protected server.
If you specify the .bin file created on the DPM server, you'll remove all the protected computers that are configured for certificate-based authentication.

Repeat the above steps for the remaining nodes in the cluster.

Finish.

4.8 Test Backing Up the VMs

1. Open the DPM console and navigate to the desired protection group.
2. Expand the XXXX-Certificate entry and select the desired VM.
3. Complete the remaining screens to start the VM backup.
4. Confirm that the VM is completely backed up.
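As an added example (not from the original document and not one of the DPM product scripts), the following PowerShell checks a certificate in the Local Computer\Personal store against the requirements listed under General (4.1.1) and produces the space-free thumbprint that the Set-DPMCredentials step in 4.3 and the SetDpmServer.exe step in 4.6 have you copy out of Notepad. It assumes an elevated PowerShell session and the friendly names used in this document (SRV-DPM-01-CERT on the DPM server, SRV-HYPER-01-DPM on the protected node); the function name Test-DpmAuthCertificate is this example's own.

```powershell
# Added example, not part of the original document or of the DPM product scripts.
# Checks a certificate in Local Computer\Personal against the requirements under
# "General" (4.1.1) and returns the space-free thumbprint that Set-DPMCredentials
# (DPM server) and SetDpmServer.exe (protected computer) expect.
# Assumptions: elevated PowerShell; the friendly name is the one typed at enrollment.
function Test-DpmAuthCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$FriendlyName,
        [int]$MinimumKeyLength = 1024      # document minimum; the template asks for 2048
    )

    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $FriendlyName } | Select-Object -First 1
    if (-not $cert) { throw "No certificate with friendly name '$FriendlyName' in LocalMachine\My." }

    $problems = @()

    # X.509 V3
    if ($cert.Version -ne 3) { $problems += "Certificate is X.509 v$($cert.Version), not v3." }

    # EKU must carry both Server Authentication and Client Authentication
    $eku = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    if ($eku -notcontains '1.3.6.1.5.5.7.3.1') { $problems += 'EKU lacks Server Authentication (1.3.6.1.5.5.7.3.1).' }
    if ($eku -notcontains '1.3.6.1.5.5.7.3.2') { $problems += 'EKU lacks Client Authentication (1.3.6.1.5.5.7.3.2).' }

    # Key length (RSA; the template requires the Microsoft RSA SChannel provider)
    $keyLength = $cert.PublicKey.Key.KeySize
    if ($keyLength -lt $MinimumKeyLength) { $problems += "Key length $keyLength is below $MinimumKeyLength bits." }

    # Non-empty subject, and not self-signed
    if ([string]::IsNullOrWhiteSpace($cert.Subject)) { $problems += 'Subject name is empty.' }
    if ($cert.Subject -eq $cert.Issuer) { $problems += 'Certificate is self-signed; DPM requires a CA-issued certificate.' }

    # Private key must exist, be a CryptoAPI (CSP) key rather than CNG, and be an Exchange key.
    # On .NET Framework the legacy PrivateKey property resolves CSP keys only and fails for CNG (KSP) keys.
    if (-not $cert.HasPrivateKey) { $problems += 'No private key is associated with the certificate.' }
    else {
        $cspKey = $null
        try { $cspKey = $cert.PrivateKey } catch { }
        if (-not $cspKey) { $problems += 'Private key is held by a CNG provider; DPM does not support CNG keys.' }
        elseif ($cspKey.CspKeyContainerInfo.KeyNumber -ne 'Exchange') {
            $problems += "Key type is $($cspKey.CspKeyContainerInfo.KeyNumber); DPM requires an Exchange key."
        }
    }

    # Build the chain with online revocation checking. RevocationStatusUnknown or
    # OfflineRevocation here means the CA's CRL distribution point is not reachable from this host.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.Build($cert)
    foreach ($status in $chain.ChainStatus) {
        $problems += "Chain: $($status.Status) - $($status.StatusInformation.Trim())"
    }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ([string]::IsNullOrWhiteSpace($root.Subject)) { $problems += 'Root certificate subject is empty.' }

    [pscustomobject]@{
        FriendlyName = $cert.FriendlyName
        Subject      = $cert.Subject
        Thumbprint   = ($cert.Thumbprint -replace '\s', '')   # no spaces, as the document requires
        Valid        = ($problems.Count -eq 0)
        Problems     = $problems
    }
}

# Usage on the DPM server (SRV-DPM-01). On a protected node use 'SRV-HYPER-01-DPM'
# and hand the thumbprint to SetDpmServer.exe instead.
$check = Test-DpmAuthCertificate -FriendlyName 'SRV-DPM-01-CERT'
if ($check.Valid) {
    "Set-DPMCredentials -DPMServerName SRV-DPM-01 -Type certificate -Action configure -OutputFilePath C:\DPMCERT -Thumbprint $($check.Thumbprint)"
} else {
    $check.Problems | ForEach-Object { Write-Warning $_ }
}
```

Run it on the host that will present the certificate, since the chain build exercises that host's path to the CRL distribution point, which is the connectivity the General requirements call for from both sides.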