Microsoft DPM Meets BridgeSTOR Advanced Data Reduction and Security
BridgeSTOR Deduplication, Compression, Thin Provisioning and Encryption Transform DPM from Good to Great
BridgeSTOR, LLC
4/4/2011

Contents
- Overview
- Microsoft's System Center Data Protection Manager (DPM)
- How DPM Synchronizes and Protects Data
- DPM Storage
  - Storage Pools
  - Protection Groups
  - Data Sources
- DPM Storage Capacity Requirements
- DPM Data at Rest Encryption
- DPM for Disaster Recovery
- Deduplicating DPM with DataDomain
- How BridgeSTOR Transforms DPM from a Good Product into a Great Product
- BridgeSTOR AOS for DPM Data Reduction Effectiveness
- Summary

Overview

Thank you for downloading this white paper describing BridgeSTOR's approach to enhancing Microsoft's System Center Data Protection Manager (DPM 2010) with BridgeSTOR's Virtual Storage - Advanced Data Reduction, a feature that combines inline, block-level data deduplication, data compression and thin provisioning with strong data-at-rest encryption.

Microsoft's System Center Data Protection Manager (DPM)

Microsoft DPM delivers Continuous Data Protection services to Windows servers, workstations, PCs and laptops. For the IT shop with servers hosting Exchange, SharePoint, SQL, Hyper-V and other applications, as well as mobile users, DPM is a comprehensive data protection tool for Microsoft environments. DPM offers a wide range of platform support for Windows-based computers:

- Windows Server from 2003 through 2008 R2
- Windows Server 2008 and Server 2008 R2
- Windows Server 2008 and Server 2008 R2 with Hyper-V
- Hyper-V Server 2008 and 2008 R2
- Protection of Live Migration-enabled servers running on CSV in Hyper-V R2
- Essential Business Server 2008 and Small Business Server 2008
- Windows Server 2003 and 2008-based file servers
- SQL Server 2000 through 2008 R2
- Exchange Server 2003 through 2010
- SharePoint Server 2003 through 2010
- Dynamics AX 2009
- SAP running on SQL Server
- Microsoft Virtual Server 2005 R2
- Protection of Windows XP through Windows 7
- Backup and recovery of online or offline laptops and PCs

How DPM Synchronizes and Protects Data

DPM data synchronization occurs as frequently as every 15 minutes. For file system data, synchronization is a copy of all changed blocks since the last sync. For Exchange and SQL data, synchronization includes a copy of the logs generated since the last sync operation.

DPM combines a snapshot-based, application-consistent backup process with the recovery granularity of Continuous Data Protection. It does this by integrating application logs into VSS snapshots that are taken every 15 minutes, which makes it possible to restore to the last 15-minute snapshot and then roll forward the application logs for an application-consistent, zero-data-loss recovery of Exchange, SQL, and SharePoint data. DPM in the BridgeSTOR AOS for DPM Appliance manages the entire process, and protected data from all sources is maintained on the appliance, which acts as the primary DPM data store.

DPM Storage

Storage Pools

A DPM storage pool is a set of disks or a RAID array on which the DPM server stores replicas, shadow copies, and transfer logs from servers protected using a Protection Group policy. DPM manages disk storage capacity by building protection groups in disk storage pools on the BridgeSTOR AOS for DPM Appliance.

Protection Groups

A DPM protection group is a set of user-defined policies for a collection of data sources that share the same protection configuration and schedule. Protection Groups in DPM 2010 allow the administrator to group together similar resources so that they can be protected in a similar way. For example, virtual machines in the same protection group use the same protection method and the same short- and long-term protection policies. The protection group defines the retention range, the synchronization frequency, the number of recovery points to be made available, the location of the protection data and other information that applies to the group.

Data Sources

A data source can be a Windows volume, folder, or share.
Data sources within a protection group share the same desired protection characteristics and configuration options such as disk allocations and replica creation method. Protection groups can contain data from different types of data sources, allowing the administrator to combine file servers, virtual machines, file shares, Exchange and other servers in the same protection group.

DPM Storage Capacity Requirements

Microsoft offers DPM 2010 capacity calculators for Exchange, SharePoint and Hyper-V. The calculators can be found at:
http://blogs.technet.com/b/dpm/archive/2010/09/02/new-dpm2010-storage-calculator-links-sep-2010.aspx

If you are unfamiliar with Microsoft's expected DPM storage capacity requirements for these applications, the downloaded spreadsheets are instructive. Even though your requirements may be less than or greater than those used in the examples, it is safe to say that DPM can consume a great deal of storage capacity when protecting Microsoft application servers.

DPM Data at Rest Encryption

DPM does not support BitLocker volume encryption on either the protected servers or the DPM server itself. Nor does DPM support BitLocker full volume encryption. [1] Indeed, DPM does not provide protection against a security compromise arising from an intruder entering a computing facility and removing the disk drives from a DPM storage array or appliance where all your backup data is retained.

Removable media (tape) encryption is supported by DPM, but requires that the administrator import the appropriate encryption certificate(s) and manage the certificate(s) through their life cycles. This task may prove daunting to the IT manager who is unfamiliar with the complexities of certificate-based encryption and encryption key management.

[1] http://social.technet.microsoft.com/forums/en-us/dpmstorage/thread/3f4018d8-0e68-4841-9f83-7935bcfbabc8/

DPM for Disaster Recovery

System Center Data Protection Manager (DPM) 2010 enables you to protect your data sources on a secondary DPM server. The secondary DPM server is typically situated at a remote location as a backup to the primary DPM server for disaster recovery.

A disaster can take the following forms:
- The primary DPM server and the protected computers are lost.
- Only the primary DPM server is lost.

In the first case, having a secondary DPM server in a remote location enables the administrator to recover protected computers quickly. In the second case, the administrator can switch protection so that the secondary DPM server takes over as the primary DPM server for the protected computers until another computer can be set up as the primary DPM server. This final capability, included with DPM 2010, makes the product a comprehensive data protection solution that includes disaster recovery capabilities.

Figure 1 illustrates a primary and DR site BridgeSTOR AOS for DPM Appliance configured to provide disaster recovery for an Enterprise.

Figure 1. DPM Server to DPM Server Replication for Disaster Recovery

Deduplicating DPM with DataDomain

Although it does not address the issues of data security and encryption described above, some DPM users have attempted to tame DPM's storage appetite with deduplication, notably from EMC/DataDomain. Data Domain devices do not present a block-level disk (required by DPM) without purchasing their Virtual Tape Library (VTL) add-on. Users claim that with some driver manipulation on the DPM server and configuration of the DataDomain, it will present storage space to the DPM server as a block-based Virtual Tape Library. Effective perhaps, but not inexpensive.

How BridgeSTOR Transforms DPM from a Good Product into a Great Product

BridgeSTOR's in-line, block-based data deduplication and compression allows DPM administrators to fit more data or a larger number of recovery points into a small(er) amount of space. Not only that, BridgeSTOR's in-line, block-based Disk-on-Demand thin provisioning enables the DPM storage administrator to optimally provision storage capacity, eliminating the need to over-provision. Finally, BridgeSTOR's in-line, block-based AES-256 encryption option supplies military-grade encryption and security for data at rest in the data center.

BridgeSTOR's Virtual Storage Advanced Data Reduction (VS-ADR) uses a specialized ASIC that, for every 64KB block of data processed, simultaneously produces a SHA-1 hash for deduplication, compresses the block using eLZS compression and encrypts the block using AES-256 encryption.

Figure 2 illustrates a DPM Storage Pool containing four (4) Protection Groups. Protection Group #1 contains data from laptops and other mobile computing users; Protection Group #2 contains data from file servers; Protection Group #3 contains workstation data; and Protection Group #4 holds Microsoft application data, including Exchange, SharePoint, SQL and data from other servers.

Figure 2. DPM Storage Pool with Four (4) Protection Groups

When reducing the size of data, the BridgeSTOR AOS for DPM VS-ADR compresses all blocks in 64KB increments, both blocks that are duplicates and those that are unique. Blocks within Protection Groups are deduplicated at the 64KB block level as well, so in Protection Group 1, for example, all laptop data is deduplicated against every other laptop. Deduplication also occurs within each of Protection Groups 2 through 4, meaning that the data from each file server is deduplicated against the data from every other file server; the data from each workstation is deduplicated against the data from every other workstation; and the data from every application server is deduplicated against the data from every other application server.

In addition to deduplicating within Protection Groups, the BridgeSTOR AOS for DPM also deduplicates across Protection Groups. This means that if a 64KB block from any laptop is the same as any 64KB block on any file server, workstation or application server, those blocks will be deduplicated. All data is compressed and all blocks are encrypted (at the administrator's option). You may be surprised at how much duplicate data exists when an Enterprise's storage blocks are examined and deduplicated in this way. Using a BridgeSTOR AOS for DPM Appliance brings true global deduplication to Windows data protection environments.

BridgeSTOR AOS for DPM Data Reduction Effectiveness

Figure 3 illustrates the data (and capacity) reduction experienced by a BridgeSTOR customer. This customer is in the semiconductor business in the Bay Area and uses DPM to protect data produced and used by Exchange, SharePoint and Hyper-V servers. The illustration shows a 90 percent reduction in DPM capacity requirements made possible by the BridgeSTOR AOS for DPM. Without BridgeSTOR, this customer would be storing about 4TB of DPM data. With BridgeSTOR, the required capacity dropped to just 400GB, representing a 90 percent reduction in disk capacity along with similar reductions in power and cooling requirements.
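
The 64KB block-level deduplication within and across Protection Groups described above can be modelled in a few lines. The following is an added example, not BridgeSTOR code: the BlockStore class, the group and source names and the sample data are constructed for illustration, zlib stands in for the appliance's compressor, and the AES-256 step is only marked in a comment because the Python standard library has no AES.

```python
import hashlib
import zlib

BLOCK_SIZE = 64 * 1024  # 64KB block size stated in the paper


class BlockStore:
    """Pool-wide store keeping one compressed copy of each unique block."""

    def __init__(self):
        self.blocks = {}   # SHA-1 of plaintext block -> compressed block
        self.volumes = {}  # (group, source) -> ordered list of digests
        self.logical = 0   # bytes written before any reduction

    def write(self, group, source, data):
        refs = []
        for off in range(0, len(data), BLOCK_SIZE):
            block = data[off:off + BLOCK_SIZE]
            # Fingerprint the plaintext: hashing after encryption with
            # per-block IVs would make identical blocks look different.
            digest = hashlib.sha1(block).digest()
            if digest not in self.blocks:  # equal digest is treated as equal data
                # zlib is a stand-in compressor; an AES-256 step would
                # encrypt this compressed block before it reaches disk.
                self.blocks[digest] = zlib.compress(block)
            refs.append(digest)
        self.volumes[(group, source)] = refs
        self.logical += len(data)

    def read(self, group, source):
        refs = self.volumes[(group, source)]
        return b"".join(zlib.decompress(self.blocks[d]) for d in refs)

    def physical(self):
        return sum(len(c) for c in self.blocks.values())


def make_block(tag):
    """Constructed sample data: deterministic, incompressible 64KB block."""
    return hashlib.shake_256(tag.encode()).digest(BLOCK_SIZE)


def demo():
    shared = make_block("os-a") + make_block("os-b")  # present on every source
    store = BlockStore()
    store.write("PG1", "laptop1", shared + make_block("laptop1-docs"))
    store.write("PG1", "laptop2", shared + make_block("laptop2-docs"))
    store.write("PG2", "fileserver1", shared + bytes(BLOCK_SIZE))  # zero-filled
    return store
```

Calling demo() writes nine logical blocks from two Protection Groups but stores only five, and the zero-filled block shrinks further under compression; store.logical and store.physical() give the two capacities to compare.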

Figure 3. BridgeSTOR AOS for DPM Data Reduction Effectiveness (chart of physical versus virtual capacity for Exchange, SharePoint and Hyper-V; annotation: up to 90% capacity reduction)

Summary

BridgeSTOR's AOS for DPM Appliance fundamentally alters the value proposition of Microsoft's System Center Data Protection Manager. By non-disruptively multiplying DPM capacity effectiveness through deduplication, compression and thin provisioning, huge capacity savings are achievable. By adding strong data encryption, the BridgeSTOR appliance helps you sleep more soundly at night knowing your sensitive data won't walk out the door and be used for the wrong purpose. With an MSRP under $25,000 for a virtual (redundant) capacity of up to 100TB, the BridgeSTOR AOS for DPM Appliance is an affordable and simple-to-deploy addition to most Microsoft server, workstation, PC and laptop data protection strategies.

Copyright 2011 BridgeSTOR, LLC, Poway, CA USA. All rights reserved. All features and specifications are subject to change without notice. The BridgeSTOR software logotype is a trademark of BridgeSTOR, LLC. Microsoft, Windows and System Center Data Protection Manager are registered trademarks of the Microsoft Corporation in the United States and other countries. All other brands, product names, company names, trade names, trademarks and service marks used are the property of their respective holders.