Automate Cloud Backup Integration In #DPM With #AzureBackup And #PowerShell @SCDPM @AzureBackup


Introduction

Azure Backup is the Azure-based service you can use to back up (or protect) and restore your data in the Microsoft cloud. Azure Backup replaces your existing on-premises or off-site backup solution with a cloud-based solution that is reliable, secure, and cost-competitive. System Center Data Protection Manager (SC DPM) and Microsoft Azure Backup Server (MABS) can be integrated with the Azure Backup service so you can protect your data in the cloud without worrying about ransomware attacks and data corruption.

For more information about Azure Backup, please check my recently published whitepaper here.

Cloud Backup Integration Process

When you are planning to integrate System Center Data Protection Manager (SC DPM) and Microsoft Azure Backup Server (MABS) with Azure Backup, there are multiple steps involved such as:

  1. Have a healthy DPM environment.
  2. Create a new Recovery Services Vault in Azure.
  3. Set up the appropriate storage replication type (Geo-redundant / Locally-redundant).
  4. Download the latest Microsoft Azure Recovery Services (MARS) agent.
  5. Download the Azure Recovery Vault Credentials file.
  6. Install the Microsoft Azure Recovery Services (MARS) agent.
  7. Register the DPM server with the Azure Backup service.
  8. Configure the DPM cloud settings (cloud recovery staging area directory, networking, and passphrase encryption key).
  9. Finally, keep the passphrase key safe and secure once it is set, because you will not be able to restore data from Azure without this passphrase.

So it’s a long and time-consuming process, especially if you have multiple DPM servers that you want to integrate with the Azure Backup service.

Microsoft has a detailed document on how to prepare to back up workloads to Azure with DPM, so if you are interested in the manual approach, please check the following guide.

In this blog post, I will share with you how to automate the entire Cloud Backup integration process in DPM and Azure Backup.

Automate Cloud Backup Integration

I have been working lately on a PowerShell tool that helps me automate the cloud backup integration process with Azure Backup. Instead of repeating the same steps above every time, I developed the tool to automate the entire process. When you run it on the DPM server, it installs the required PowerShell modules, then downloads the latest Microsoft Azure Recovery Services (MARS) agent and installs it in silent mode if it’s not already installed. You will be prompted to authenticate to Azure, and the tool will create a new Recovery Services Vault and set its storage replication type. It then registers the DPM server with the Azure Backup service for online protection, configures the DPM cloud settings, and finally stores the Encryption Passphrase Key in Azure Key Vault.

You can run this tool as follows and watch it doing its magic:

.\Register-DPMCloud.ps1 -AzureSubscription "Subscription ABC" -ResourceGroupName "backup-dpm-rg" -KeyVault "BackupKeyVault" -StagingArea D: -StorageType LRS -Verbose

Open the Azure Portal and check that your DPM server is registered successfully with the Azure Backup service.

Browse to Azure Key Vaults and check the Passphrase Encryption Key is stored safely. Please remember that you will not be able to restore data from Azure without this passphrase key.
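Because the backups cannot be restored without this passphrase, it is safer to confirm that Key Vault returns the exact value before the passphrase is committed to DPM; the script below writes to Key Vault only after the commit. The following is an added example, not part of the author's script: the function names `New-RandomPassphrase` and `Save-DpmPassphrase` are hypothetical, and the passphrase is drawn from the cryptographic RNG instead of `New-Guid`.

```powershell
# Added example (not from the original script). New-RandomPassphrase and
# Save-DpmPassphrase are hypothetical helper names.
Function New-RandomPassphrase {
    Param ([int]$ByteCount = 32)
    # Draw the passphrase from the OS cryptographic RNG; 32 bytes = 64 hex characters
    $Buffer = New-Object byte[] $ByteCount
    $Rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    Try { $Rng.GetBytes($Buffer) } Finally { $Rng.Dispose() }
    return ($Buffer | ForEach-Object { $_.ToString('x2') }) -join ''
}

Function Save-DpmPassphrase {
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory=$true)][String]$VaultName,
        [Parameter(Mandatory=$true)][String]$SecretName,
        [Parameter(Mandatory=$true)][SecureString]$Passphrase
    )
    # Write the secret first; -ErrorAction Stop turns any failure into a terminating error
    Set-AzureKeyVaultSecret -VaultName $VaultName -Name $SecretName -SecretValue $Passphrase `
        -ContentType "Passphrase Encryption Key" -ErrorAction Stop | Out-Null

    # Read it back and compare, so a silent truncation or a write to the wrong vault is caught
    $Stored   = Get-AzureKeyVaultSecret -VaultName $VaultName -Name $SecretName -ErrorAction Stop
    $Readback = [System.Net.NetworkCredential]::new('', $Stored.SecretValue).Password
    $Expected = [System.Net.NetworkCredential]::new('', $Passphrase).Password
    If ($Readback -cne $Expected) {
        Throw "Key Vault secret '$SecretName' does not match the generated passphrase."
    }
    # The version identifies exactly which secret value protects this server's backups
    return $Stored.Version
}

# Intended order on the DPM server (requires an Azure login and the DPM cmdlets):
# $Secure  = ConvertTo-SecureString -String (New-RandomPassphrase) -AsPlainText -Force
# $Version = Save-DpmPassphrase -VaultName "BackupKeyVault" -SecretName $env:ComputerName -Passphrase $Secure
# Set-DPMCloudSubscriptionSetting -DPMServerName $env:ComputerName -SubscriptionSetting $Setting -EncryptionPassphrase $Secure
# Set-DPMCloudSubscriptionSetting -DPMServerName $env:ComputerName -SubscriptionSetting $Setting -Commit
```

If `Save-DpmPassphrase` throws, nothing has been committed to DPM yet, so the run can simply be repeated.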

Finally, launch the DPM Administrator Console and you are good to go to start protecting your workloads to Azure Backup.

PowerShell Code

The complete script is detailed below to automate the entire cloud backup integration process:

<#
.SYNOPSIS
Register DPM in Azure Backup Service.

.DESCRIPTION
Automate Cloud Backup Integration With DPM and Azure Backup.

.NOTES
File Name : Register-DPMCloud.ps1
Author    : Charbel Nemnom
Version   : 1.0
Date      : 03-September-2018
Update    : 13-September-2018
Requires  : PowerShell Version 5.1 or later
Module    : AzureRM Version 6.8.1

.LINK
To provide feedback or for further assistance please visit:
https://charbelnemnom.com

.EXAMPLE
.\Register-DPMCloud.ps1 -AzureSubscription [Azure Subscription Name] -ResourceGroupName [Resource Group Name] -KeyVault [Azure Key Vault Name] -StagingArea [Volume] -StorageType [LRS/GRS] -Verbose
This example will install the required PowerShell modules, then download and install the latest Microsoft Azure Recovery Services (MARS) agent if it's not installed.
You will be prompted to authenticate to Azure, the tool will create a new Recovery Services Vault and set its storage replication type.
Then it will register DPM server with Azure Backup service for online protection, configure DPM cloud settings, and finally store the Encryption Passphrase Key in Azure Key Vault.

.EXAMPLE
.\Register-DPMCloud.ps1 -AzureSubscription "Subscription ABC" -ResourceGroupName "backup-dpm-rg" -KeyVault "BackupKeyVault" -StagingArea D: -StorageType LRS -Verbose
This example will install the required PowerShell modules, then download and install the latest Microsoft Azure Recovery Services (MARS) agent if it's not installed.
You will be prompted to authenticate to Azure, the tool will create a new Recovery Services Vault and set its storage replication type.
Then it will register DPM server with Azure Backup service for online protection, configure DPM cloud settings, and finally store the Encryption Passphrase Key in Azure Key Vault.
#>

[CmdletBinding()]
Param (
    [Parameter(Position=0, Mandatory=$true, HelpMessage = 'Please Provide Azure Subscription Name')]
    [Alias('AzureSub')]
    [String]$AzureSubscription,
    
    [Parameter(Position=1, Mandatory=$true, HelpMessage='Please Provide Azure Resource Group Name')]
    [Alias('AzureRG')]
    [String]$ResourceGroupName,

    [Parameter(Position=2, Mandatory=$true, HelpMessage='Please Specify Azure Key Vault Name')]
    [Alias('KeyVault')]
    [String]$BackupKeyVault,

    [Parameter(Position=3, Mandatory=$true, HelpMessage='Please Specify Cloud Recovery Staging Area Volume')]
    [Alias('Volume')]
    [String]$StagingArea,

    [Parameter(Position=4, Mandatory=$true, HelpMessage='Please Specify Storage Replication Type')]
    [ValidateSet("LRS", "GRS")]
    [String]$StorageType

)

Function Install-NuGet {
    Install-PackageProvider NuGet -Force -Confirm:$false -Verbose:$false    
}

Function Install-PowerShellGet {
    Set-PSRepository -Name PSGallery -InstallationPolicy Trusted -Verbose:$false
    Install-Module -Name PowerShellGet -Force -Confirm:$false -Verbose:$false
}

Function Install-AzureRM {
    Set-PSRepository -Name PSGallery -InstallationPolicy Trusted -Verbose:$false
    Install-Module -Name AzureRM -Force -Confirm:$false -Verbose:$false
}

Function Check_MARS_Installed ( $programName ) {
    # Returns $true when an uninstall registry key matching the program name exists
    $Check = ((Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\") |
        Where-Object {$_.Name -like "*$programName*"}).Length -gt 0
    return $Check
}

#! Check volume drive letter
Try {
    $Vol = ($StagingArea -replace (":|\\",''))
    $CheckVolume = Get-PSDrive -Name $Vol -ErrorAction Stop
}
Catch {
    Write-Warning -Message "No volume found for drive letter: `"$Vol`", Please specify a correct volume"
    Break
}

#! Check NuGet Provider
Try {
    Import-PackageProvider -Name NuGet -ErrorAction Stop -Verbose:$false | Out-Null
    Write-Verbose "Importing NuGet Provider..."
    }
Catch {
    Write-Warning "NuGet Provider was not found..."
    Write-Verbose "Installing NuGet Package Provider..."
    Install-NuGet
}

#! Check PowerShellGet Module
Try {
    Import-Module -Name PowerShellGet -ErrorAction Stop -Verbose:$false | Out-Null
    Write-Verbose "Importing PowerShellGet Module..."
    }
Catch {
    Write-Warning "PowerShellGet Module was not found..."
    Write-Verbose "Installing the latest PowerShellGet Module..."
    Install-PowerShellGet
}

#! Check AzureRM PowerShell Module
Try {
    Import-Module -Name AzureRM -ErrorAction Stop -Verbose:$false | Out-Null
    Write-Verbose "Importing Azure RM PowerShell Module..."
    }
Catch {
    Write-Warning "Azure Resource Manager PowerShell Module was not found..."
    Write-Verbose "Installing Azure Resource Manager PowerShell Module..."
    Install-AzureRM
}

#! Check Azure Cloud Connection
Try {
    Write-Verbose "Connecting to Azure Cloud..."
    Login-AzureRmAccount -Environment AzureCloud -Subscription $AzureSubscription -ErrorAction Stop | Out-Null
  }
Catch {
    Write-Warning "Cannot connect to Azure environment. Please check your credentials. Exiting!"
    Break
}

#! Check C:\Temp directory if exists and create if not
$TempDir = "C:\Temp"
if (!(Get-Item $TempDir -ErrorAction SilentlyContinue)) {
        New-Item -ItemType Directory -Path $TempDir | Out-Null
}
 
#! Download the latest Microsoft Azure Recovery Services Agent (MARS)
Write-Verbose "Downloading Microsoft Azure Recovery Services Agent..."
# Download the installer over HTTPS and make sure TLS 1.2 is enabled in Windows PowerShell 5.1
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
$URL = 'https://aka.ms/azurebackup_agent'
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($URL, $($TempDir + "\MARSAgentInstaller.exe"))

# Installing MARS Agent in silent mode if it's not installed
$MARS = Check_MARS_Installed("Windows Azure Backup")
If (!$MARS) {Start-Process -FilePath $($TempDir + "\MARSAgentInstaller.exe") -ArgumentList "/q"}
# Poll the registry until the agent's uninstall key appears
While ($MARS -eq $false) {
    Write-Verbose "Installing Microsoft Azure Recovery Services Agent in silent mode..."
    Start-Sleep -Seconds 10
    $MARS = Check_MARS_Installed("Windows Azure Backup")
}

#! Creating a new Recovery Services Vault and configure its storage type
Write-Verbose "Creating a new Recovery Services Vault named $env:ComputerName"
New-AzureRmRecoveryServicesVault -Name $env:ComputerName -ResourceGroupName $ResourceGroupName `
-Location (Get-AzureRmResourceGroup -Name $ResourceGroupName).location -Confirm:$false -Verbose:$false | Out-Null
Write-Verbose "Configuring Storage Replication Redundancy to $StorageType..."
# Select the vault by name; the resource group may contain more than one vault
$RSVault = Get-AzureRmRecoveryServicesVault -ResourceGroupName $ResourceGroupName -Name $env:ComputerName
# A new vault is geo-redundant by default, so only LRS has to be set explicitly
If ($StorageType -eq "LRS" ) {
    Set-AzureRmRecoveryServicesBackupProperties -Vault $RSVault -BackupStorageRedundancy LocallyRedundant
}

#! Downloading Recovery Vault Credentials file
Write-Verbose "Downloading Azure Recovery Vault Credentials file..."
$RSVaultFile = Get-AzureRmRecoveryServicesVaultSettingsFile -Backup -Vault $RSVault -Path $TempDir

#! Registering DPM with Azure Backup Service
Write-Verbose "Registering DPM with Azure Backup Service..."
# Use the exact file that was just downloaded; C:\Temp may hold older *.VaultCredentials files
Start-DPMCloudRegistration -DPMServerName $env:ComputerName -VaultCredentialsFilePath $RSVaultFile.FilePath

#! Configuring DPM Initial Cloud Settings
Write-Verbose "Cloud Initial configuration settings..."
$Setting = Get-DPMCloudSubscriptionSetting -DPMServerName $env:ComputerName

#! Configure Staging Area
Write-Verbose "Configuring Cloud Recovery Staging Area directory..."
$Destination = "$($Vol):\StagingArea"
# Create the staging directory on the selected volume if it does not exist yet
if (!(Test-Path -Path $Destination)) {
    New-Item -Path $Destination -ItemType Directory -Force | Out-Null
}
Set-DPMCloudSubscriptionSetting -DPMServerName $env:ComputerName -SubscriptionSetting $Setting -StagingAreaPath $Destination

#! Configure Proxy Settings
Write-Verbose "Configure DPM cloud networking..."
Set-DPMCloudSubscriptionSetting -DPMServerName $env:ComputerName -SubscriptionSetting $Setting -NoProxy
Set-DPMCloudSubscriptionSetting -DPMServerName $env:ComputerName -SubscriptionSetting $setting -NoThrottle

#! Configure Encryption Settings
Write-Verbose "Configuring Encryption Passphrase Key..."
$Passphrase = (New-Guid).Guid
$EncryptionPassPhrase = ConvertTo-SecureString -string $Passphrase -AsPlainText -Force
Set-DPMCloudSubscriptionSetting -DPMServerName $env:ComputerName -SubscriptionSetting $setting -EncryptionPassphrase $EncryptionPassPhrase

#! Commit the changes
Set-DPMCloudSubscriptionSetting -DPMServerName $env:ComputerName -SubscriptionSetting $setting -Commit 

#! Add DPM Backup Encryption Key to Azure Key Vault
Try {
    Write-Verbose "Adding DPM Backup Encryption Key to Azure Key Vault"
    Set-AzureKeyVaultSecret -VaultName $BackupKeyVault -Name $env:ComputerName -SecretValue $EncryptionPassPhrase -ContentType "Passphrase Encryption Key" -ErrorAction Stop | Out-Null
}
Catch {
    Write-Warning "$_ Exiting!"
    Break
}

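# Clean-up Temp Environment
Write-Verbose "Clean-up Temp Environment..."
# Remove only the files this script created; C:\Temp may have existed before the run
Remove-Item -Path $($TempDir + "\MARSAgentInstaller.exe") -Force -ErrorAction SilentlyContinue
Remove-Item -Path $RSVaultFile.FilePath -Force -ErrorAction SilentlyContinue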
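
The script starts the downloaded installer silently with administrative rights, so it is worth checking the file's Authenticode signature before launching it. The following check is an added example, not part of the author's script; the function name `Test-MarsInstallerSignature` and the expected publisher pattern are assumptions.

```powershell
# Added example: verify the downloaded MARS installer before running it.
# Test-MarsInstallerSignature is a hypothetical helper name; the publisher
# pattern is an assumption, adjust it to what your organization expects.
Function Test-MarsInstallerSignature {
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory=$true)]
        [String]$Path,
        [String]$ExpectedPublisher = '*O=Microsoft Corporation*'
    )

    If (!(Test-Path -Path $Path -PathType Leaf)) {
        Write-Warning "Installer not found: $Path"
        return $false
    }

    # Status is 'Valid' only when the file is signed, unmodified since signing,
    # and the certificate chains to a root trusted on this machine.
    $Signature = Get-AuthenticodeSignature -FilePath $Path
    If ($Signature.Status -ne 'Valid') {
        Write-Warning "Signature status is '$($Signature.Status)': $($Signature.StatusMessage)"
        return $false
    }

    # A valid signature from an unexpected publisher is still a failure.
    $Subject = $Signature.SignerCertificate.Subject
    If ($Subject -notlike $ExpectedPublisher) {
        Write-Warning "Unexpected signer: $Subject"
        return $false
    }

    Write-Verbose "Installer signed by: $Subject"
    return $true
}

# Usage in place of the unconditional Start-Process call:
$Installer = 'C:\Temp\MARSAgentInstaller.exe'
If (Test-MarsInstallerSignature -Path $Installer) {
    Start-Process -FilePath $Installer -ArgumentList '/q'
}
Else {
    # Fail closed: discard the file and do not install
    Remove-Item -Path $Installer -Force -ErrorAction SilentlyContinue
    Write-Warning 'MARS installer failed signature verification; installation skipped.'
}
```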

Roadmap

I am planning to improve this tool in the future. This is still version 1.0. If you have any feedback or changes that everyone should receive, please feel free to leave a comment below.

Until then… Stay protected and secure with DPM and Azure Backup.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
