Introduction
Azure Backup is the Azure-based service you can use to back up (or protect) and restore your data in the Microsoft cloud. Azure Backup replaces your existing on-premises or off-site backup solution with a cloud-based solution that is reliable, secure, and cost-competitive. System Center Data Protection Manager (SC DPM) and Microsoft Azure Backup Server (MABS) can be integrated with the Azure Backup service so you can protect your data in the cloud without worrying about ransomware attacks and data corruption.
For more information about Azure Backup, please check my recently published Whitepaper here.
Cloud Backup Integration Process
When you are planning to integrate System Center Data Protection Manager (SC DPM) and Microsoft Azure Backup Server (MABS) with Azure Backup, there are multiple steps involved, such as:
- Have a healthy DPM environment.
- Create a new Recovery Services Vault in Azure.
- Set up the appropriate storage replication type (Geo-redundant / Locally-redundant).
- Download the latest Microsoft Azure Recovery Services (MARS) agent.
- Download the Azure Recovery Vault Credentials file.
- Install the Microsoft Azure Recovery Services (MARS) agent.
- Register the DPM Server with Azure Backup Service.
- Configure DPM cloud settings (cloud recovery staging area directory, networking, and passphrase encryption key).
- Finally, keep the passphrase key safe and secure once it is set, because you will not be able to restore data from Azure without this passphrase.
So it’s a long, time-consuming process, especially if you have multiple DPM servers that you want to integrate with the Azure Backup service.
Microsoft has a detailed document on how to prepare to back up workloads to Azure with DPM, so if you are interested in the manual approach, please check the following guide.
In this blog post, I will share with you how to automate the entire Cloud Backup integration process in DPM and Azure Backup.
Automate Cloud Backup Integration
I was working lately on a PowerShell tool that will help me to automate the cloud backup integration process with Azure Backup. So, instead of repeating the same steps above every time, I developed that tool to automate the entire process. When you run this tool on the DPM server, it will install the required PowerShell modules, then download the latest Microsoft Azure Recovery Services (MARS) agent, and then install it in silent mode if it’s not installed.
You will be prompted to authenticate to Azure; the tool will create a new Recovery Services Vault and set its storage replication type. Then it will register the DPM server with the Azure Backup service for online protection, configure DPM cloud settings, and finally store the Encryption Passphrase Key in Azure Key Vault.
You can run this tool as follows and watch it doing its magic:
.\Register-DPMCloud.ps1 -AzureSubscription "Subscription-Id" `
-ResourceGroupName "backup-dpm-rg" -KeyVault "BackupKeyVault" `
-StagingArea D: -StorageType LRS -Verbose

Open the Azure Portal and check your DPM server is registered successfully with Azure Backup service.

Browse to Azure Key Vaults and check the Passphrase Encryption Key is stored safely. Please remember that you will not be able to restore data from Azure without this passphrase key.
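Because restores depend entirely on that secret, one safer ordering is to escrow the passphrase in Key Vault and read it back before DPM is told to use it. This is an added example, not the author's script: New-BackupPassphrase and Save-PassphraseToKeyVault are hypothetical helper names, the passphrase comes from a cryptographic random generator rather than New-Guid (GUIDs are designed for uniqueness, not as key material), and it assumes a DPM Management Shell with an authenticated AzureRM session.

```powershell
# Added example. New-BackupPassphrase and Save-PassphraseToKeyVault are hypothetical
# helper names; run in the DPM Management Shell after Login-AzureRmAccount.
function New-BackupPassphrase {
    param([ValidateRange(16, 128)][int]$Length = 32)   # DPM needs at least 16 characters
    # Constructed alphabet without look-alike characters (I, O, l, 0, 1)
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789'.ToCharArray()
    $limit    = 256 - (256 % $alphabet.Length)          # reject bytes that would bias the modulo
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $secure   = New-Object System.Security.SecureString
    $buf      = New-Object byte[] 1
    try {
        while ($secure.Length -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) { $secure.AppendChar($alphabet[$buf[0] % $alphabet.Length]) }
        }
    }
    finally { $rng.Dispose() }
    return $secure
}

function Save-PassphraseToKeyVault {
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$SecretName,
        [Parameter(Mandatory)][securestring]$Passphrase
    )
    Set-AzureKeyVaultSecret -VaultName $VaultName -Name $SecretName -SecretValue $Passphrase `
        -ContentType 'Passphrase Encryption Key' -ErrorAction Stop | Out-Null
    # Read the secret back and compare it, so a failed or partial write is caught now
    $stored   = Get-AzureKeyVaultSecret -VaultName $VaultName -Name $SecretName -ErrorAction Stop
    $expected = (New-Object System.Net.NetworkCredential('', $Passphrase)).Password
    $actual   = (New-Object System.Net.NetworkCredential('', $stored.SecretValue)).Password
    if ($expected -cne $actual) { throw "Key Vault read-back mismatch for '$SecretName'." }
}

$BackupKeyVault = 'BackupKeyVault'   # vault name taken from the post's sample command
$Setting = Get-DPMCloudSubscriptionSetting -DPMServerName $env:ComputerName
$EncryptionPassPhrase = New-BackupPassphrase

# 1. Escrow first: if this throws, DPM has not been changed yet
Save-PassphraseToKeyVault -VaultName $BackupKeyVault -SecretName $env:ComputerName -Passphrase $EncryptionPassPhrase

# 2. Only then set and commit the passphrase in DPM
Set-DPMCloudSubscriptionSetting -DPMServerName $env:ComputerName -SubscriptionSetting $Setting -EncryptionPassphrase $EncryptionPassPhrase
Set-DPMCloudSubscriptionSetting -DPMServerName $env:ComputerName -SubscriptionSetting $Setting -Commit
```

With this ordering a Key Vault permission or naming error stops the run before any backup is encrypted with a passphrase that exists only in memory.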

Finally, launch the DPM Administrator Console and you are good to go to start protecting your workloads to Azure Backup.
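The tool downloads the MARS agent installer and runs it silently with administrative rights, so it is worth gating the install on the file's Authenticode signature. The following is an added example, not part of the original script; the helper name Test-InstallerSignature, the use of $env:TEMP, and the expected publisher string are assumptions.

```powershell
# Added example: verify the MARS installer before running it in silent mode.
# Test-InstallerSignature is a hypothetical helper name.
function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedPublisher = 'Microsoft Corporation'   # assumed signer organization
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the hash matches and the chain ends in a trusted root
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status for $Path is '$($sig.Status)': $($sig.StatusMessage)"
        return $false
    }
    # Match the organization (O=) field of the signer certificate subject
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch "(^|,\s*)O=$([regex]::Escape($ExpectedPublisher))(,|$)") {
        Write-Warning "Unexpected signer: $subject"
        return $false
    }
    return $true
}

$Installer = Join-Path $env:TEMP 'MARSAgentInstaller.exe'

# HTTPS plus TLS 1.2; Windows PowerShell 5.1 can default to older protocols
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
(New-Object System.Net.WebClient).DownloadFile('https://aka.ms/azurebackup_agent', $Installer)

if (Test-InstallerSignature -Path $Installer) {
    # Record the hash so the installed binary can be traced later
    Write-Verbose "Installer SHA256: $((Get-FileHash -Path $Installer -Algorithm SHA256).Hash)"
    Start-Process -FilePath $Installer -ArgumentList '/q' -Wait
}
else {
    Remove-Item -Path $Installer -Force
    throw 'MARS installer failed signature validation; not installing.'
}
```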

PowerShell Code
The complete script is detailed below to automate the entire cloud backup integration process:
<#
.SYNOPSIS
Register DPM in Azure Backup Service.
.DESCRIPTION
Automate Cloud Backup Integration With DPM and Azure Backup.
.NOTES
File Name : Register-DPMCloud.ps1
Author : Charbel Nemnom
Version : 1.0
Date : 03-September-2018
Update : 13-September-2018
Requires : PowerShell Version 5.1 or later
Module : AzureRM Version 6.8.1
.LINK
To provide feedback or for further assistance please visit:
Cover Page
.EXAMPLE
.\Register-DPMCloud.ps1 -AzureSubscription [Azure Subscription Name] -ResourceGroupName [Resource Group Name] -KeyVault [Azure Key Vault Name] -StagingArea [Volume] -StorageType [LRS/GRS] -Verbose
This example will install the required PowerShell modules, then download and install the latest Microsoft Azure Recovery Services (MARS) agent if it's not installed.
You will be prompted to authenticate to Azure, the tool will create a new Recovery Services Vault and set its storage replication type.
Then it will register DPM server with Azure Backup service for online protection, configure DPM cloud settings, and finally store the Encryption Passphrase Key in Azure Key Vault.
.EXAMPLE
.\Register-DPMCloud.ps1 -AzureSubscription "Subscription ABC" -ResourceGroupName "backup-dpm-rg" -KeyVault "BackupKeyVault" -StagingArea D: -StorageType LRS -Verbose
This example will install the required PowerShell modules, then download and install the latest Microsoft Azure Recovery Services (MARS) agent if it's not installed.
You will be prompted to authenticate to Azure, the tool will create a new Recovery Services Vault and set its storage replication type.
Then it will register DPM server with Azure Backup service for online protection, configure DPM cloud settings, and finally store the Encryption Passphrase Key in Azure Key Vault.
#>
[CmdletBinding()]
Param (
[Parameter(Position=0, Mandatory=$true, HelpMessage = 'Please Provide Azure Subscription Name')]
[Alias('AzureSub')]
[String]$AzureSubscription,
[Parameter(Position=1, Mandatory=$true, HelpMessage='Please Provide Azure Resource Group Name')]
[Alias('AzureRG')]
[String]$ResourceGroupName,
[Parameter(Position=2, Mandatory=$true, HelpMessage='Please Specify Azure Key Vault Name')]
[Alias('KeyVault')]
[String]$BackupKeyVault,
[Parameter(Position=3, Mandatory=$true, HelpMessage='Please Specify Cloud Recovery Staging Area Volume')]
[Alias('Volume')]
[String]$StagingArea,
[Parameter(Position=4, Mandatory=$true, HelpMessage='Please Specify Storage Replication Type')]
[ValidateSet("LRS", "GRS")]
[String]$StorageType
)
Function Install-NuGet {
Install-PackageProvider NuGet -Force -Confirm:$false -Verbose:$false
}
Function Install-PowerShellGet {
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted -Verbose:$false
Install-Module -Name PowerShellGet -Force -Confirm:$false -Verbose:$false
}
Function Install-AzureRM {
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted -Verbose:$false
Install-Module -Name AzureRM -Force -Confirm:$false -Verbose:$false
}
Function Check_MARS_Installed ( $programName ) {
$Check = ((Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\") | `
Where-Object {$_.Name -like "*$programName*"}).Length -gt 0; return $Check}
#! Check volume drive letter
Try {
$Vol = ($StagingArea -replace (":|\\",''))
$CheckVolume = Get-PSDrive -Name $Vol -ErrorAction Stop
}
Catch {
Write-Warning -Message "No volume found for drive letter: `"$Vol`", Please specify a correct volume"
Break
}
#! Check NuGet Provider
Try {
Import-PackageProvider -Name NuGet -ErrorAction Stop -Verbose:$false | Out-Null
Write-Verbose "Importing NuGet Provider..."
}
Catch {
Write-Warning "NuGet Provider was not found..."
Write-Verbose "Installing NuGet Package Provider..."
Install-NuGet
}
#! Check PowerShellGet Module
Try {
Import-Module -Name PowerShellGet -ErrorAction Stop -Verbose:$false | Out-Null
Write-Verbose "Importing PowerShellGet Module..."
}
Catch {
Write-Warning "PowerShellGet Module was not found..."
Write-Verbose "Installing the latest PowerShellGet Module..."
Install-PowerShellGet
}
#! Check AzureRM PowerShell Module
Try {
Import-Module -Name AzureRM -ErrorAction Stop -Verbose:$false | Out-Null
Write-Verbose "Importing Azure RM PowerShell Module..."
}
Catch {
Write-Warning "Azure Resource Manager PowerShell Module was not found..."
Write-Verbose "Installing Azure Resource Manager PowerShell Module..."
Install-AzureRM
}
#! Check Azure Cloud Connection
Try {
Write-Verbose "Connecting to Azure Cloud..."
Login-AzureRmAccount -Environment AzureCloud -Subscription $AzureSubscription -ErrorAction Stop | Out-Null
}
Catch {
Write-Warning "Cannot connect to Azure environment. Please check your credentials. Exiting!"
Break
}
#! Check C:\Temp directory if exists and create if not
$TempDir = "C:\Temp"
if (!(Get-Item $TempDir -ErrorAction SilentlyContinue)) {
New-Item -ItemType Directory -Path $TempDir | Out-Null
}
#! Download the latest Microsoft Azure Recovery Services Agent (MARS)
Write-Verbose "Downloading Microsoft Azure Recovery Services Agent..."
# Use HTTPS so the installer cannot be altered in transit
$URL = 'https://aka.ms/azurebackup_agent'
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($url, $($TempDir + "\MARSAgentInstaller.exe"))
# Installing MARS Agent in silent mode if it's not installed
$MARS = Check_MARS_Installed("Windows Azure Backup")
If (!$MARS) {Start-Process -FilePath $($TempDir + "\MARSAgentInstaller.exe") -ArgumentList "/q"}
While ($MARS -eq $false) {
Write-Verbose "Installing Microsoft Azure Recovery Services Agent in silent mode..."
$MARS = Check_MARS_Installed("Windows Azure Backup")
Sleep 10
}
#! Creating a new Recovery Services Vault and configure its storage type
Write-Verbose "Creating a new Recovery Services Vault named $env:ComputerName"
New-AzureRmRecoveryServicesVault -Name $env:ComputerName -ResourceGroupName $ResourceGroupName `
-Location (Get-AzureRmResourceGroup -Name $ResourceGroupName).location -Confirm:$false -Verbose:$false | Out-Null
Write-Verbose "Configuring Storage Replication Redundancy to $StorageType..."
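# Select the vault by name; the resource group may already contain other vaults
$RSVault = Get-AzureRmRecoveryServicesVault -Name $env:ComputerName -ResourceGroupName $ResourceGroupName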
If ($StorageType -eq "LRS" ) {
Set-AzureRmRecoveryServicesBackupProperties -Vault $RSVault -BackupStorageRedundancy LocallyRedundant }
#! Downloading Recovery Vault Credentials file
Write-Verbose "Downloading Azure Recovery Vault Credentials file..."
$RSVaultFile = Get-AzureRmRecoveryServicesVaultSettingsFile -Backup -Vault $RSVault -Path $TempDir
#! Registering DPM with Azure Backup Service
Write-Verbose "Registering DPM with Azure Backup Service..."
# Use the file that was just downloaded instead of any *.VaultCredentials file found in the folder
Start-DPMCloudRegistration -DPMServerName $env:ComputerName -VaultCredentialsFilePath $RSVaultFile.FilePath
#! Configuring DPM Initial Cloud Settings
Write-Verbose "Cloud Initial configuration settings..."
$Setting = Get-DPMCloudSubscriptionSetting -DPMServerName $env:ComputerName
#! Configure Staging Area
Write-Verbose "Configuring Cloud Recovery Staging Area directory..."
$Destination = "$(($Vol)+":\")"+"StagingArea"
# Create the staging directory only when it does not exist yet
if (!(Get-Item $Destination -ErrorAction SilentlyContinue)) {
$Destination = New-Item -Name "StagingArea" -Path $(($Vol)+":") -ItemType Directory -Force
Set-DPMCloudSubscriptionSetting -DPMServerName $env:ComputerName -SubscriptionSetting $Setting -StagingAreaPath $Destination.FullName
}
Else {
Set-DPMCloudSubscriptionSetting -DPMServerName $env:ComputerName -SubscriptionSetting $Setting -StagingAreaPath $Destination
}
#! Configure Proxy Settings
Write-Verbose "Configure DPM cloud networking..."
Set-DPMCloudSubscriptionSetting -DPMServerName $env:ComputerName -SubscriptionSetting $Setting -NoProxy
Set-DPMCloudSubscriptionSetting -DPMServerName $env:ComputerName -SubscriptionSetting $setting -NoThrottle
#! Configure Encryption Settings
Write-Verbose "Configuring Encryption Passphrase Key..."
$Passphrase = (New-Guid).Guid
$EncryptionPassPhrase = ConvertTo-SecureString -string $Passphrase -AsPlainText -Force
Set-DPMCloudSubscriptionSetting -DPMServerName $env:ComputerName -SubscriptionSetting $setting -EncryptionPassphrase $EncryptionPassPhrase
#! Commit the changes
Set-DPMCloudSubscriptionSetting -DPMServerName $env:ComputerName -SubscriptionSetting $setting -Commit
#! Add DPM Backup Encryption Key to Azure Key Vault
Try {
Write-Verbose "Adding DPM Backup Encryption Key to Azure Key Vault"
Set-AzureKeyVaultSecret -VaultName $BackupKeyVault -Name $env:ComputerName -SecretValue $EncryptionPassPhrase -ContentType "Passphrase Encryption Key" -ErrorAction Stop | Out-Null
}
Catch {
Write-Warning "$_ Exiting!"
Break
}
# Clean-up Temp Environment
Write-Verbose "Clean-up Temp Environment..."
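# Remove only the files this script created; C:\Temp may already hold unrelated data
Remove-Item -Path "$TempDir\MARSAgentInstaller.exe", "$TempDir\*.VaultCredentials" -Force -ErrorAction SilentlyContinue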
Roadmap
I am planning to improve this tool in the future. This is still version 1.0. If you have any feedback or changes that everyone should receive, please feel free to leave a comment below.
Until then… Stay protected and secure with DPM and Azure Backup.
Do you want to learn more about Azure Backup and how to create a hybrid-cloud backup solution using SCDPM and Azure Backup Server? Make sure to check out my recently published book: Microsoft System Center Data Protection Manager Cookbook.
Thank you for reading our blog.
Please let us know in the comments section below if you have any questions or feedback.
-Charbel Nemnom-