As of firmware version 4.4.2 and later, Tintri VMstore has been validated for use with Microsoft’s Data Protection Manager version 2016.
There isn’t a lot that’s needed to get DPM 2016 working against your Hyper-V VMs on your Tintri VMstore. We like simplicity. However, things are slightly different with DPM vs other data protection applications such as Veeam or Commvault. In the case of DPM 2016, the Hyper-V hosts themselves need a higher set of privileges when performing I/O against the storage. I’ll go into more detail below.
Simply grant the Hyper-V hosts the Super Admin role on the VMstore(s) and everything else is taken care of. We generally recommend creating an Active Directory group containing the Hyper-V host computer accounts, and then granting that group the Super Admin role. This makes ongoing management and auditing much more straightforward.
Above: An Active Directory group containing Hyper-V host computer objects.
Above: Granting the Hyper-V Hosts group Super Admin role on VMstore.
You may also want to purge cached tickets (these contain group membership information) on your Hyper-V hosts by running the following command:
klist -li 0x3e7 purge
The next time the Hyper-V tries to connect (such as DPM attempting a backup), it will request a new Kerberos ticket that has the updated group membership information.
What Does This Do?
In the case of products like Veeam, this step isn’t necessary. What is necessary in the Veeam case is to grant the Super Admin role to the service accounts that Veeam uses for VM I/O. So in a way, the process is the same, albeit with all of the Hyper-V computer accounts instead of one or two Active Directory service accounts.
The reason why this is required in both cases is that to perform backups and restores, the user (service account or Hyper-V host account) performing the backup needs to have SeBackupPrivilege and SeRestorePrivilege. The detail of these is discussed in this Microsoft TechNet article. By assigning the Super Admin role, these privileges are inherited by the Hyper-V host accounts used by DPM.
What About DPM 2012r2?
Unfortunately, Microsoft DPM 2012r2 makes an assumption that all SMB-protocol storage is a Windows Server and is running the DPM agent. This isn’t the case for third party storage vendors, so DPM 2012r2 currently won’t work. Should this limitation be removed by Microsoft in the future, it’s not difficult to imagine support for 2012r2 being validated too.