Data Protection and the ability recover data is key to keeping your job and your company alive.
The demo setup thats is going to be used in this post are
- PROTECTDC01 Domain Controller in the PROTECT Forest
- PROTECTDC02 Domain Controller in the PROTECT Forest
- PROTECTDDPM01 Data Protection Manager Server in the PROTECT Forest
- FABRICDC01 Domain Controller in the FABRIC Forest
- FABRICDC02 Domain Controller in the FABRIC Forest
- FABRICHV01-04 Hyper-V HyperConverged Instal
- FABRICHVC01 Hyper-V Cluster with member FABRICHV01-04
- WORKLOAD01-05 Virtual Workload in the FABRIC Hyper-V Cluster
As this is a test enviroment everything are stuck on one box.
For the real world deployment the FABRIC and PROTECT domain must be seperated , the whole point in this post will be if you for some reason get compromised in your FABRIC domain , you will still have access to the PROTECT domain and maintain the ability to recover your data.
This also means that in a larger enviroment you can easier seperate the roles so one team wont have access to both source and target of backup data
We do in the example log in interative on the fabric domain , so if the host is compromised before agent install the protect domain is going down the same path , so there is still some work to be done but beats having everything in one domain.
On the PROTECT domain setup DNS forwarders to the FABRIC domain
And in Reverse to get name resolution up and running up between the two forests
Setting up the trust
Setting up the trust
for this test forest-wide is used , tighter security can be used with selective authentication
On the 4 Hyper-V Hosts we add the DPM account from the protect domain
We then add the DPM agent to all Hyper-V hosts and run the
SetDPMServer –dpmservername protectdpm01.protect.azurestack.coffee , this connects the Hyper-V host to the remote DPM server
On the data protection manager , we use Attach Agents
And we add the 4 Hyper-V hosts manually
And we now have all 4 servers
use credentials in the fabric domain or the dpm account to attach the agent
Create a protection group browse to the VM’s and add them
And we can now backup from a dedicated domain from the Fabric domain