Making a backup consumes a lot of bandwidth, especially when Bare-Metal protection is used. This is why a dedicated network is used to avoid congestion on the production network. Data Protection Manager is able to use a dedicated network to make backups, but it is a little touchy because DPM needs DNS resolution of the servers on the dedicated network. Usually on production environments there are at least:
- A production network with DNS zone. This DNS zone is used by Active Directory for production purposes;
- A private dedicated network for backup without DNS.
It is not recommended to register IPs belonging to the dedicated backup network in the production DNS zone, because these IPs are not always reachable from outside. So there are two solutions: use a hosts file on DPM (beurkkkk) or use DNS. I have chosen to use DNS with a new primary zone.
To use a dedicated network for Data Protection Manager, there are four steps:
- Create a backup DNS zone;
- Configure backup NIC on Domain Controller;
- Configure backup NIC on member servers;
- Configure DPM to use backup network.
For my example, I have these networks:
- Production network: 10.10.0.0/24
- Backup network: 10.10.1.0/24
Create a backup DNS zone
First of all, I create a backup DNS zone which I call backup.net. So I open a DNS console on a domain controller (dnsmgmt.msc) and I create a primary zone. Right click on Forward Lookup Zones and select New Zone.
On the New Zone Wizard welcome screen, click on Next.
Create a Primary zone and to follow best practices, tick the Store the zone in Active Directory option.
Select the replication scope. On my side I choose to replicate on all DNS servers running on domain controllers in this domain.
Specify a Zone name. On my side I call my DNS zone backup.net.
Next, configure dynamic updates. To follow best practices I choose Allow only secure dynamic updates.
To finish creating the zone, click on Finish.
Once your DNS zone is created, you should have it in Forward Lookup Zones in your DNS console.
Once the zone is created, I recommend you check the listener settings of the DNS service. So in the DNS console, right click on the server name and select Properties.
Make sure that the DNS Service listens on your backup network. If you make a change, don’t forget to restart the DNS service.
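The same zone creation and listener check, scripted as an added example (not the article's own commands). It assumes the DnsServer module on a domain controller running DNS, the zone name backup.net, and 10.10.1.5 as this DC's backup NIC address (VMADS01 in the article); the ListeningIPAddress property name is the Windows Server 2016+ one.

```powershell
# Added example, not from the original article: creates the AD-integrated
# backup.net zone with the wizard's choices and checks that the DNS service
# listens on the backup NIC. Run elevated on a domain controller that runs DNS.
$ZoneName   = 'backup.net'
$BackupDcIp = '10.10.1.5'   # assumption: this DC's backup NIC address (VMADS01)

# 1. Primary zone, stored in AD, replicated to all DNS servers in the domain,
#    secure dynamic updates only (the same choices as in the New Zone Wizard).
if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Domain -DynamicUpdate Secure
}

# 2. Listener check: an empty ListeningIPAddress means "all interfaces";
#    an explicit list that omits the backup address must be extended,
#    otherwise clients on the backup network can neither register nor resolve.
#    (ListeningIPAddress is the Windows Server 2016+ property name.)
$settings = Get-DnsServerSetting -All
$listen   = @($settings.ListeningIPAddress | ForEach-Object { "$_" })
if ($listen.Count -gt 0 -and $listen -notcontains $BackupDcIp) {
    $settings.ListeningIPAddress = $listen + $BackupDcIp
    Set-DnsServerSetting -InputObject $settings
    Restart-Service -Name DNS    # listener changes need a service restart
}

# 3. Confirm the zone actually answers on the backup address before touching clients.
Resolve-DnsName -Name $ZoneName -Type SOA -Server $BackupDcIp -DnsOnly
```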
Configure backup NIC on Domain Controllers
Once the zone is created and the DNS service listens on your backup network, it is time to register your domain controllers in this zone. For that, open network connection configuration, right click on your backup NIC and select properties.
Edit Internet Protocol Version 4 (TCP/IPv4) properties and click on Advanced.
Regarding domain controller I have this IP configuration:
- VMADS01: 10.10.1.5/24
- VMADS02: 10.10.1.4/24
To follow best practices, on VMADS01 the primary DNS is 10.10.1.4 and the secondary DNS is 127.0.0.1. On VMADS02, the primary DNS is 10.10.1.4 and the secondary DNS is 127.0.0.1. In this way, DNS resolution is crossed.
So on VMADS01 the configuration is like below screenshot:
On VMADS02 the configuration is like below screenshot:
You can use this PowerShell script to configure your DNS settings as above (the two commands are run one after the other):
Set-DnsClientServerAddress -InterfaceAlias "BackupNet" -ServerAddresses ("10.10.1.4","127.0.0.1")
Set-DnsClient -InterfaceAlias "BackupNet" -ConnectionSpecificSuffix "backup.net" -RegisterThisConnectionsAddress $true -UseSuffixWhenRegistering $true
Once the configuration is applied, don’t forget to run ipconfig /registerdns
So in my DNS zone, I have my two domain controllers registered automatically.
Configure Backup NIC on member servers
Now I apply the same configuration on member servers except that I set the primary DNS server to 10.10.1.4 and secondary DNS server to 10.10.1.5.
Set-DnsClientServerAddress -InterfaceAlias "BackupNet" -ServerAddresses ("10.10.1.4","10.10.1.5")
Set-DnsClient -InterfaceAlias "BackupNet" -ConnectionSpecificSuffix "backup.net" -RegisterThisConnectionsAddress $true -UseSuffixWhenRegistering $true
Once the configuration is applied, I run ipconfig /registerdns and all my servers are registered automatically in backup.net zone.
N.B.: For IP Pool users on Virtual Machine Manager, you can make the configuration in VMM. Just configure the DNS servers and the connection-specific suffix. However, a Run Once script will be needed to tick the Use this connection's DNS suffix in DNS registration option. You can use the Set-DnsClient PowerShell command as in the script described above.
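The member-server step, followed by the two checks a practitioner wants before trusting the backup path: that the host resolves to a 10.10.1.0/24 address in backup.net, and that no backup address has leaked into the production zone (the situation the article advises against). This is an added example, not the article's own script; it assumes the NIC alias "BackupNet", the DNS servers 10.10.1.4/10.10.1.5, the production zone home.net and the DC name VMADS02 (10.10.1.4) from the article, and the DnsClient and DnsServer modules.

```powershell
# Added example, not from the original article: configure the backup NIC of a
# member server, register it, then verify resolution and check for leaked records.
$BackupSubnet  = '10.10.1.0/24'
$BackupZone    = 'backup.net'
$ProdZone      = 'home.net'                 # assumption: production zone name
$BackupDns     = '10.10.1.4', '10.10.1.5'
$DnsServerName = 'VMADS02'                  # DC holding 10.10.1.4 in the article

function Test-InSubnet {
    # True when $Ip lies inside $Cidr; compares the first <prefix> address bits.
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    $toBits = { param($a) (([ipaddress]$a).GetAddressBytes() |
        ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') }) -join '' }
    (& $toBits $Ip).Substring(0, [int]$bits) -eq (& $toBits $net).Substring(0, [int]$bits)
}

# 1. Client side: resolvers, connection-specific suffix, register with that suffix.
Set-DnsClientServerAddress -InterfaceAlias 'BackupNet' -ServerAddresses $BackupDns
Set-DnsClient -InterfaceAlias 'BackupNet' -ConnectionSpecificSuffix $BackupZone `
    -RegisterThisConnectionsAddress $true -UseSuffixWhenRegistering $true
Register-DnsClient          # same effect as ipconfig /registerdns
Start-Sleep -Seconds 10     # registration is asynchronous; give the zone a moment

# 2. Does DPM have something to resolve? Ask the backup DNS server directly.
$fqdn = "$env:COMPUTERNAME.$BackupZone"
$a = Resolve-DnsName -Name $fqdn -Type A -Server $BackupDns[0] -DnsOnly -ErrorAction Stop |
     Where-Object { $_.Type -eq 'A' -and (Test-InSubnet $_.IPAddress $BackupSubnet) }
if (-not $a) {
    throw "$fqdn has no A record inside $BackupSubnet; DPM would fall back to the production path."
}

# 3. Leak check against the DC: backup addresses must not appear in the production
#    zone, or clients that cannot reach 10.10.1.0/24 get timeouts and misrouted traffic.
$leaked = Get-DnsServerResourceRecord -ComputerName $DnsServerName -ZoneName $ProdZone -RRType A |
          Where-Object { Test-InSubnet $_.RecordData.IPv4Address.ToString() $BackupSubnet }
foreach ($r in $leaked) {
    Write-Warning ("{0}.{1} -> {2} is a backup address registered in the production zone" -f
        $r.HostName, $ProdZone, $r.RecordData.IPv4Address)
}
```

Step 3 is the check to rerun after every new server joins the backup network; a warning means the NIC's registration settings still point at the production zone.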
Configure DPM backup network
On the DPM server, open a DPM Management Shell. I will use the <verb>-DPMBackupNetworkAddress commands to view and edit the networks used by Data Protection Manager. So first, I run Get-DPMBackupNetworkAddress to view the backup network settings:
As you can see in the above screenshot, no backup network is set in my DPM configuration. So I launch the PowerShell command below:
Add-DPMBackupNetworkAddress -DPMServerName VMDPM01.home.net -Address 10.10.1.0/24 -SequenceNumber 1
This command adds the 10.10.1.0/24 network as the first backup network in DPM. If DPM is able to resolve a server's name on this network, it will use this network. The SequenceNumber is the priority in which DPM tries the configured networks.
Now I run again the Get-DPMBackupNetworkAddress and as you can see below, I have one backup network.
If you want to add your production network as a fallback network for backup, you can add another network with a SequenceNumber greater than 1.
To finish the configuration, restart the DPM service.
Now I run a virtual machine backup and it works.
Why are my hosts registering in the primary DNS zone AND the backup zone?? I want the hosts in my backup subnet to register with the backup zone but NOT my primary AD zone.
Hi,
It is because you left the "register in DNS" checkbox ticked on the backup network adapter. You have to disable the checkbox and register the DNS entry manually.
Ok… you’ve basically just confirmed my suspicion then… this doesn’t work as advertised (or Microsoft doesn’t understand how people might want to use this).
To me, my expectation would be that if I enter in the DNS connection specific DNS suffix, and choose “register this connection in DNS” it SHOULD register in DNS ONLY for the DNS suffix on that connection.
The fact that it registers the connection specific DNS suffix in both the primary and secondary DNS zones that I’m using seems like a bug/flaw/oversight.
The part that doesn't make sense is that the reverse IS NOT true… my primary DNS connection suffix (domain.internal) doesn't end up registering in the secondary DNS zone (backupsubnet.internal)… So, it seems like there must be some way to prevent it from happening, because it works one way but not the other.
If I have to do all of this work, and then also manually create and maintain A records, I’m starting to see why a lot/many/most people are just using HOST files (which also makes me cringe).
Overall, both options feel like a bit of a “hack”… Microsoft in 2017 should have the ability to choose a secondary network in DPM easily (like we do with Live Migration in Cluster services). “Faking” the IP address with a HOST file or DNS seems like more of a work-around than a feature.
Thanks for your input though! I’m not sure which choice I’m going to end up going with… neither one seems very appealing to be honest 🙂
Where does this new DNS zone come into play? Where does that get used and why?
If the goal is to have backup traffic use a specific network, you configure DPM with the IP range and that’s it. The NICs on the backup network should register in DNS no different from the other nics. You are now using the specified network … which was the goal.
Thanks for the article. How do DPM and protected member servers that are on the home.net production domain resolve to the backup.net backup network? After configuring the above DPM network the backup is still going through the home.net production network, as the Hyper-V host is in the home.net domain and VM backup is using the home.net production network. How do we fix it?
Hello,
I created another DNS lookup zone. In this way, servers were able to resolve to backup.net
What is the purpose of adding the backup.net dns zone when you are not using it?
You are registering your 10.10.1.x addresses into your home.net zone with these instructions. And that will get DPM working on a backup network. But in doing this, if your 10.10.1.x addresses are not resolvable from some of your workstations, you'll see delays as DNS resolution on your workstations fails over to the 10.10.0.x addresses, or worse, network communication issues.
Just add your 10.10.1.x addresses directly into home.net zone. Since it is all you are doing here.
You have to create a separate zone to specify a different name in DPM. If you register everything in home.net, DPM can use the 10.10.0.x or 10.10.1.x IP address.