Please provide feedback about Workgroup/Untrusted domain production 
server protection using DPM 2010 RC. This feature supports backup of 
machines within your intranet which includes:
1.	Workgroup machines
2.	Machines in untrusted domains within your intranet

Supported Scenarios
..    Files
..    System state
..    SQL Server
..    Exchange Server
..    Hyper-V
..    Small Business Server

Unsupported Scenarios:
..    Clustered servers (except for Exchange Server 2010)
..    Mirrored servers
..    Microsoft SharePoint
..    Laptop
..    System protection (BMR)
..    End-user recovery
..    DPM Disaster recovery

Please note that in this release, this feature has been built for backing up 
machines within your intranet environment and we do not support backup of 
machines outside your intranet which includes:
1.    Protection any machine that is directly internet facing (has a public 
IP or is exposed via a NAT to the internet) or in a DMZ- this should not be 
backed up to a corp net DPM.
2.    Protection of two production servers which do not trust each other 
should be done on different DPM servers and not onto the same DPM server.

We are looking for enabling some of these un supported 
features/configurations in future releases.

Please download the RC (release candidate) build of DPM 2010 from the 
following location and provide feedback to us on how you like this feature.
http://connect.microsoft.com/site840/Downloads/DownloadDetails.aspx?DownloadID=26452

Thanks,
Praveen D [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights. 

Hi Praveen,

So far I must say that setting up protection of machines in workgroups and 
in untrusted domains is a breeze and seems to work very well... Well done to 
all the guys.

My one concern at the moment is your statement about what is unsupported.  
When you say that MS will not support protection of machines outside the 
intranet, what exactly do you mean?  For example, if I have a DPM server 
protecting machines in my DMZ and machines inside the intranet, will 
everything be supported apart from the DMZ protected or will support lost for 
the everything on the DPM server?  

I'm asking about this as I know many people were looking forward to this 
feature because they wanted to protect their DMZ machines.

A bit more clarification around what will and wont be supported would be 
great !

Thanks.
-- 
David Allen
MVP - System Center Operations Manager
http://www.scdpmonline.org
http://wmug.co.uk/blogs/aquilaweb


"Praveen D [MSFT]" wrote:

> 
>        Please provide feedback about Workgroup/Untrusted domain production 
> server protection using DPM 2010 RC. This feature supports backup of 
> machines within your intranet which includes:
> 1.	Workgroup machines
> 2.	Machines in untrusted domains within your intranet
> 
> Supported Scenarios
> ..    Files
> ..    System state
> ..    SQL Server
> ..    Exchange Server
> ..    Hyper-V
> ..    Small Business Server
> 
> Unsupported Scenarios:
> ..    Clustered servers (except for Exchange Server 2010)
> ..    Mirrored servers
> ..    Microsoft SharePoint
> ..    Laptop
> ..    System protection (BMR)
> ..    End-user recovery
> ..    DPM Disaster recovery
> 
> Please note that in this release, this feature has been built for backing up 
> machines within your intranet environment and we do not support backup of 
> machines outside your intranet which includes:
> 1.    Protection any machine that is directly internet facing (has a public 
> IP or is exposed via a NAT to the internet) or in a DMZ- this should not be 
> backed up to a corp net DPM.
> 2.    Protection of two production servers which do not trust each other 
> should be done on different DPM servers and not onto the same DPM server.
> 
> We are looking for enabling some of these un supported 
> features/configurations in future releases.
> 
> Please download the RC (release candidate) build of DPM 2010 from the 
> following location and provide feedback to us on how you like this feature.
> http://connect.microsoft.com/site840/Downloads/DownloadDetails.aspx?DownloadID=26452
> 
> Thanks,
> Praveen D [MSFT]
> This posting is provided "AS IS" with no warranties, and confers no rights. 
> 
> .
> 

        Thanks for asking for the clarification. In this case support will 
be lost for everything on that DPM server. Its better to isolate protection 
of production server at different security levels by different DPM servers.

Thanks,
Praveen D [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.

"David Allen" <bigdavid141@hotmail.com> wrote in message 
news:AFAF9784-FAA3-4F74-901A-81B5B323CAE1@microsoft.com...
> Hi Praveen,
>
> So far I must say that setting up protection of machines in workgroups and
> in untrusted domains is a breeze and seems to work very well... Well done 
> to
> all the guys.
>
> My one concern at the moment is your statement about what is unsupported.
> When you say that MS will not support protection of machines outside the
> intranet, what exactly do you mean?  For example, if I have a DPM server
> protecting machines in my DMZ and machines inside the intranet, will
> everything be supported apart from the DMZ protected or will support lost 
> for
> the everything on the DPM server?
>
> I'm asking about this as I know many people were looking forward to this
> feature because they wanted to protect their DMZ machines.
>
> A bit more clarification around what will and wont be supported would be
> great !
>
> Thanks.
> -- 
> David Allen
> MVP - System Center Operations Manager
> http://www.scdpmonline.org
> http://wmug.co.uk/blogs/aquilaweb
>
>
> "Praveen D [MSFT]" wrote:
>
>>
>>        Please provide feedback about Workgroup/Untrusted domain 
>> production
>> server protection using DPM 2010 RC. This feature supports backup of
>> machines within your intranet which includes:
>> 1. Workgroup machines
>> 2. Machines in untrusted domains within your intranet
>>
>> Supported Scenarios
>> ..    Files
>> ..    System state
>> ..    SQL Server
>> ..    Exchange Server
>> ..    Hyper-V
>> ..    Small Business Server
>>
>> Unsupported Scenarios:
>> ..    Clustered servers (except for Exchange Server 2010)
>> ..    Mirrored servers
>> ..    Microsoft SharePoint
>> ..    Laptop
>> ..    System protection (BMR)
>> ..    End-user recovery
>> ..    DPM Disaster recovery
>>
>> Please note that in this release, this feature has been built for backing 
>> up
>> machines within your intranet environment and we do not support backup of
>> machines outside your intranet which includes:
>> 1.    Protection any machine that is directly internet facing (has a 
>> public
>> IP or is exposed via a NAT to the internet) or in a DMZ- this should not 
>> be
>> backed up to a corp net DPM.
>> 2.    Protection of two production servers which do not trust each other
>> should be done on different DPM servers and not onto the same DPM server.
>>
>> We are looking for enabling some of these un supported
>> features/configurations in future releases.
>>
>> Please download the RC (release candidate) build of DPM 2010 from the
>> following location and provide feedback to us on how you like this 
>> feature.
>> http://connect.microsoft.com/site840/Downloads/DownloadDetails.aspx?DownloadID=26452
>>
>> Thanks,
>> Praveen D [MSFT]
>> This posting is provided "AS IS" with no warranties, and confers no 
>> rights.
>>
>> .
>> 

Here are the steps to try this scenario:

Installing Agents on Workgroup/untrusted domain Computers
You can install a DPM protection agent on a computer using 
DPMAgentinstaller.exe (DPMAgentInstall_X64.exe) from the DPM setup DVD.
After installing the agent, you need to run SetDpmServer and specify the 
local user credentials which would be used for authentication. A local user 
account will be created and the DPM protection agent would be configured to 
use this account for authentication.

Syntax: SetDpmServer.exe -dpmServerName <serverName> -isNonDomainServer 
[-userName <userName> [-productionServerDnsSuffix <DnsSuffix>]]

-dpmServerName - Name of the DPM server.
This should be a FQDN of the DPM server if DPM server and protected computer 
are accessible to each other using FQDNs.
NETBIOS of the DPM server if DPM server and protected computer are 
accessible to each other using NETBIOS names.

-isNonDomainServer - Specifies whether this server is in a workgroup or an 
untrusted domain.

-userName - Creates an NT user account with the specified username for this 
server to communicate with DPM server. This option should be used along 
with -IsNonDomainServer.

-productionServerDnsSuffix Optional - In case there are multiple DNS 
suffixes configured for this server, ProductionServerDnsSuffix represents 
the DNS suffix which DPM server will use to communicate with this server.

Attaching a Workgroup Computer to the DPM Server
The steps to attach a workgroup computer using DPM Administrator Console are 
as follows.
1.	Start the Protection Agent Installation Wizard from the DPM Administrator 
Console.
2.	Select Attach radio button.
3.	Select Computer in workgroup or Untrusted domain radio button and click 
Next
4.	Enter the computer name, user name and password for the computer you want 
to attach to. This should be the same as the login credentials specified 
during agent installation on that computer. Click Next.
5.	Review the information on the Summary page and click Install if the 
information is correct.
Click Close once attach is done.

You can attach a workgroup computer using DPM Management shell using 
Attach-NonDomainServer script.
Attach-NonDomainServer.ps1 -DPMServername [Name of DPM server] -PSName 
[Protected computer] -Username [Admin username on protected 
computer] -Password [Password]

-dpmServerName - Name of the DPM server.

-PSName Protected Computer Name
This should be a FQDN of the Protected Computer Name if DPM server and 
protected computer are accessible to each other using FQDNs.
NETBIOS of the Protected Computer Name if DPM server and protected computer 
are accessible to each other using NETBIOS names.

-userName - Creates an NT user account with the specified username for this 
server to communicate with DPM server.

-password - Password is same as given in the above setdpmserver command run 
on the Protected Computer Server.

This script registers the specified workgroup server to be protected with 
this DPM computer, creates a local user account using the specified 
credentials and configures DPM to use these credentials to authenticate to 
the workgroup server.

Note: DPM agent must be installed and SetDpmServer.exe must be run on the 
workgroup computer, before attaching the workgroup computer to DPM server 
using the DPM Administrator Console or Management shell.


Thanks,
Praveen D [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.

"Praveen D [MSFT]" <praveend@microsoft.com> wrote in message 
news:OhxvgWjqKHA.5116@TK2MSFTNGP04.phx.gbl...
>
>       Please provide feedback about Workgroup/Untrusted domain production 
> server protection using DPM 2010 RC. This feature supports backup of 
> machines within your intranet which includes:
> 1. Workgroup machines
> 2. Machines in untrusted domains within your intranet
>
> Supported Scenarios
> .    Files
> .    System state
> .    SQL Server
> .    Exchange Server
> .    Hyper-V
> .    Small Business Server
>
> Unsupported Scenarios:
> .    Clustered servers (except for Exchange Server 2010)
> .    Mirrored servers
> .    Microsoft SharePoint
> .    Laptop
> .    System protection (BMR)
> .    End-user recovery
> .    DPM Disaster recovery
>
> Please note that in this release, this feature has been built for backing 
> up machines within your intranet environment and we do not support backup 
> of machines outside your intranet which includes:
> 1.    Protection any machine that is directly internet facing (has a 
> public IP or is exposed via a NAT to the internet) or in a DMZ- this 
> should not be backed up to a corp net DPM.
> 2.    Protection of two production servers which do not trust each other 
> should be done on different DPM servers and not onto the same DPM server.
>
> We are looking for enabling some of these un supported 
> features/configurations in future releases.
>
> Please download the RC (release candidate) build of DPM 2010 from the 
> following location and provide feedback to us on how you like this 
> feature.
> http://connect.microsoft.com/site840/Downloads/DownloadDetails.aspx?DownloadID=26452
>
> Thanks,
> Praveen D [MSFT]
> This posting is provided "AS IS" with no warranties, and confers no 
> rights. 

Hi Praveen,

Is there also a (unsupported) way to protect a MS cluster 2003 and 2008 (with SQL instances 2005 and higher and file shares)in a untrusted domain?
I noticed from this article it isn`t (yet).But i like to know when it will be and if there are workarounds.
Other then trusted the domain (not an option) and adding a DPM server to the untrusted domain.

The error we now get is that "no agent on cluster node"

Thanks!
Martijn H

        Thanks for showing interest in un-trusted domain protection. 
Currently there is no workaround possible that allows cluster resources 
protection present on an un-trusted domain machines. You might want to 
work-around as you said deploying DPM in clustered machines domain and then 
protect remaining individual machines as standalone un-trusted domain 
machines.

Thanks,
Praveen D [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.

"MartijnH" <user@msgroups.net/> wrote in message 
news:Oy3NdAVtKHA.4220@TK2MSFTNGP05.phx.gbl...
> Hi Praveen,
>
> Is there also a (unsupported) way to protect a MS cluster 2003 and 2008 
> (with SQL instances 2005 and higher and file shares)in a untrusted domain?
> I noticed from this article it isn`t (yet).But i like to know when it will 
> be and if there are workarounds.
> Other then trusted the domain (not an option) and adding a DPM server to 
> the untrusted domain.
>
> The error we now get is that "no agent on cluster node"
>
> Thanks!
> Martijn H
>
>
>
>
> ---
> frmsrcurl: 
> http://msgroups.net/microsoft.public.dataprotectionmanager/Please-provide-feedback-about-Workgroup-Untrusted-domain 

Hi Praveen,

Thanks for the answer even  when it`s a disappointing answer.Because this means we need extra licenses/resources etc..also not an option.
What`s the roadmap on this feature?