Secondary Protection and Exchange 2010 DAG Node Protection in System Center Data Protection Manager

Published Feb 15 2019 12:32 PM 155 Views
First published on TECHNET on May 09, 2012

Hi everyone, Andy Nadarewistsch here, and today I want to talk about secondary protection and Exchange 2010 DAG node protection in System Center Data Protection Manager 2010 (DPM). DPM allows for great flexibility when it comes to protecting Exchange DAGs (Database Availability Groups) but this can become confusing if there is not an understanding of how DPM sees nodes that belong to a DAG. That confusion can become compounded when introducing a secondary server. I hope to diffuse some of the confusion surrounding these scenarios and try not to confuse you in the process.

First, there are a few basic ground rules when talking about DPM protection for Exchange DAGs:

1. Only one node can be protected by an DPM server. For example, in a three node DAG, if DPM1 installs an agent on Node1, no other DPM server can install an agent on Node 1. However; any other DPM server can install agents on Node2 or Node3. In a second example; If DPM1 has agents on Node1 and Node2, then Node3 will be the only node that another DPM server can install an agent on.

2. DPM does not care if the mailbox database is active or passive.


  • Test = Exchange DAG name
  • 5438 = Node1
  • 54381 = Node2
  • 54382 = Node3
  • DPM1 = Primary DPM
  • DPM2 = Secondary DPM

Part 1: Agent installation and Protection group setup on the Primary (DPM1)

On initial agent install, DPM will detect if a member of the DAG is not selected. For this scenario, we do not want DPM1 to install agents on all nodes because DPM2 will have an agent installed on Node3 to protect Node3 directly. (See ground rule 1). Here I am explaining that only one agent from a DPM server can be installed on an Exchange node and in this test DPM1 will have agents installed on nodes1 and 2 and DPM will have an agent installed on node3.

The following alerts will show in the alerts tab:

“A protection agent is not installed on in server cluster. Protection may fail if a failover occurs to (ID 369)”

Below, DPM1 only sees the two nodes that have agents installed. The Exchange nodes will not show the Exchange mailbox databases, the DAG cluster name must be expanded.

Looking at the Exchange management console, MailboxDB02 has its active copy on Node1 and passive copy on Node2.

Node1 owns the active copy and Node3 owns the passive copy for DB03.

If the mailbox databases are expanded in DPM, the nodes they belong to are visible and selectable. Notice how MailboxDB02 sees two nodes but MailboxDB03 only sees Node1. This is because DPM1 does not have an agent installed on Node3 which owns the other copy of MailboxDB03.

NOTE MailboxDB01 at this point does not have any Exchange passive copies created.

NOTE If the passive copy of MailboxDB03 was on Node1, DPM would still see it. DPM does not care if the copy is active or passive (See ground rule 2).

If you activate the passive copy of MailboxDB02 on Node3, making the copy on Node1 passive, Node1 under MailboxDB02 is still visible and selectable for protection because again, DPM does not care which copy is active and which is passive.

Let’s add protection on the primary DPM server. A passive copy for MailboxDB01 has been added and MailboxDB03 has been moved from Node1 to Node2.

Notice that there are two nodes showing for MailboxDB01. A DPM copy backup for one of the MailboxDB01’s nodes can be created.

NOTE Ensure at least one full and one copy backup is selected.

Completed protection group setup:

Part 2: Introducing a secondary DPM Server, installing an agent in N ode3 from DPM2, and configuring protection

Again the warning that there are other nodes in the DAG that can be protected is raised.

In this scenario, DPM2 is installing an agent on Node3 directly. As long as there is a mailbox database on Node3, DPM2 will see that database and show the nodes DPM2 knows about for that database. Notice there is no MailboxDB01. This is because there are no copies of MailboxDB01 on Node3.

Now we are going to move a step further and see how DPM2 responds when it becomes secondary protection for DPM1 and is protecting Node3 directly at the same time. Until installing the DPM2 agent on DPM1, DPM2 will not be able to protect any Exchange resources on DPM1. DPM2 will be able to see the DAG because an agent is directly installed on Node3.

NOTE DPM must be at least on patch level 7706 for secondary protection of Exchange DAG to work properly.

After installing DPM2’s agent on DPM1, DPM2 sees both DPM1’s DAG selection list and its own DAG selection list. Notice how DPM1’s DAG selection list shows Node3. Being able to see and protect Node3 through DPM1’s selection list may throw you. DPM shows the node because DPM2 is protecting Node3 directly.

Let’s see how DPM2’s console responds if we remove the Node3 agent from DPM2.

There is no longer an option to select Node3 in the selection list. Moving on, let’s select 1 database from each set.

DPM handles the selection just fine. Please note that during the protection group setup, without a direct datasource being selected there was not a prompt for a full\copy backup. This is due to the protection group settings being configured on DPM1 in part 1.

Adding the agent for Node3 back on DPM2 for direct protection, we again see the option to protect it from either selection list.

Now, since Node3 is being configured for the first time, I do get the option for full or copy backup for all MailboxDB’s however; I have to be careful because as full copy backups have already been configured for MailboxDB01, 02, and 03, on DPM1 in part 1.

In this case I want to select all copy backups for the Mailbox databases.

After protection, notice both protection groups have nodes and mailbox databases selected.

If I modify the protection group, I can edit the datasources protected in their respective protection groups but not datasources protected in other protection groups. Only one datasource can be protected per protection group.

Well everyone, these were the most common scenarios that are seen from customers. Again, this can become complex and confusing but my hope is now you have a better understanding.

Additional DPM resources:

Andy Nadarewistsch | Senior Support Escalation Engineer

Get the latest System Center news on Facebook and Twitter :

App-V Team blog:
ConfigMgr Support Team blog:
DPM Team blog:
MED-V Team blog:
Orchestrator Support Team blog:
Operations Manager Team blog:
SCVMM Team blog:
Server App-V Team blog:
Service Manager Team blog:
System Center Essentials Team blog:
WSUS Support Team blog:

The Forefront Server Protection blog:
The Forefront Endpoint Security blog :
The Forefront Identity Manager blog :
The Forefront TMG blog:
The Forefront UAG blog:

Version history
Last update:
‎Mar 11 2019 09:17 AM
Updated by: